The state-of-the-art in software abstraction is model-driven engineering. It provides system architects with abstract representations of complex system functionality, complementary views of a given system (e.g., behavioral versus structural), and vertical refinement of high-level system requirements models into design models and eventually down to (automatically-generated) executable code. However, the complexity caused by the many models used in large-scale projects might give place to significant sources of uncertainty due to (implicit and explicit) dependencies, consistencies, and correlations among the modeling artifacts. Keeping such models consistent during the development process requires spelling out the change requirements that enforce well-thought-out change propagation and co-evolution plans.
In this talk, I will survey threats, challenges, and misconceptions that occurred in the context of an industry-scale project in the domain of computer-based interlocking systems. In particular, the different kinds of model relations required managing several forms of (epistemic) uncertainty emerged in various scenarios, including roundtripping among modeling notations and several forms of co-evolution involving metamodels, models, and transformations. To this end, a megamodel is given to better characterize the identified solutions that required devising specialized tools and notations for leveraging automation and translating uncertainty into variability models.
Dashanga agada a formulation of Agada tantra dealt in 3 Rd year bams agada tanta
Uncertainty and variability in industry-scale projects: Pearls, perils and pitfalls of Model-Driven Engineering at work
1. Alfonso Pierantonio
Uncertainty and variability in
industry-scale projects
Pearls, perils and pitfalls of Model-Driven Engineering at work
Università degli Studi dell’Aquila / Italy
Keynote VaMoS’22 – February 25, 2022
2. 2
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
The state-of-the-art in software abstraction is Model-Driven Engineering
What is model-driven engineering
3. 3
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
The state-of-the-art in software abstraction is Model-Driven Engineering
◦ Domains are formalized with modeling notations (metamodels)
◦ Automation underpins different forms of model management
What is model-driven engineering
4. 4
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
The state-of-the-art in software abstraction is Model-Driven Engineering
◦ Domains are formalized with modeling notations (metamodels)
◦ Automation underpins different forms of model management
model-to-model transformations
code generations
model synchronization
consistency management
model differencing & comparison
What is model-driven engineering
coupled evolution
model repair
(repository) analysis & analytics
quality assessment
etc
5. 5
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
The state-of-the-art in software abstraction is Model-Driven Engineering
◦ Domains are formalized with modeling notations (metamodels)
◦ Automation underpins different forms of model management
model-to-model transformations
code generations
model synchronization
consistency management
model differencing & comparison
What is model-driven engineering
coupled evolution
model repair
(repository) analysis & analytics
quality assessment
etc
Models are leveraged to a first-class status!
6. 6
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Introduction
◦ What is MDE
Modeling Ecosystems
◦ Co-evolution and consistency management
The ERMES Project
◦ Architecture and objectives
◦ Track plan and control board notations
◦ Bidirectionality and uncertainty
◦ Meta-templating for enforcing metamodel change resilience
Conclusions
Roadmap
8. 8
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Code generation has been one of the most abused selling arguments
for Model-Driven Engineering
Code generation
9. 10
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Code generation has been one of the most abused selling arguments
for Model-Driven Engineering
Whether it held promise, it is uncertain
Niche domains benefit from automated code generation, but that is not
homogenous and often related to domain characteristics rather than
the methodology
Code generation
10. 11
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Code generation is a monolithic process based on computationally
deterministic models (e.g., Java-like programs)
Code generation vs Software development
11. 12
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Code generation is a monolithic process based on computationally
deterministic models (e.g., Java-like programs)
Software development implies the adoption of a life-cycle model that
must deal at different levels with different forms of uncertainty about
◦ understanding user needs
◦ assessing the technical problems emerging during
design and implementation
◦ handling change requirements due to technological
changes and changes in user needs
Code generation vs Software development
12. 13
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Projects are characterized by different forms of complexities induced by
the domain and user needs
How Complexity affects MDE projects
13. 14
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Projects are characterized by different forms of complexities induced by
the domain and user needs
◦ Domain complexity impacts on the intricacy of the
metamodel structure and granularity
◦ User needs complexity impacts on the computational
complexity of the model management
How Complexity affects MDE projects
14. 15
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Projects are characterized by different forms of complexities induced by
the domain and user needs
◦ Domain complexity impacts on the intricacy of the
metamodel structure and granularity
◦ User needs complexity impacts on the computational
complexity of the model management
How Complexity affects MDE projects
The more a project is complex, the more sophisticated are the metamodels and
the associated management (transforms, generators, editors)
15. 16
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Projects are characterized by different forms of complexities induced by
the domain and user needs
◦ Domain complexity impacts on the intricacy of the
metamodel structure and granularity
◦ User needs complexity impacts on the computational
complexity of the model management
How Complexity affects MDE projects
The more a project is complex, the more sophisticated are the metamodels and
the associated management (transforms, generators, editors)
Complexity typically implies
uncertainty in consistency
restoring procedures
16. 17
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Similarly to the difference between programming in the large and
programming in the small, we need to consider separately the activities
of modeling in the small and modeling in the large
Modeling in the small / large
17. 18
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Modeling in the small typically refers to a simple ecosystem: a limited
number of metaclasses, attributes, references, and (linear)
transformations
Modeling in the small
CIM
Computation
Independent Models
PIM
Platform
Independent Models
PSM
Platform
Specific Models
Code
18. 19
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Advanced model-driven techniques applied to an ecosystem consisting
of a coordinated set of metamodels and artifacts that must be kept in a
consistent state
Modeling in the large
19. 20
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Advanced model-driven techniques applied to an ecosystem consisting
of a coordinated set of metamodels and artifacts that must be kept in a
consistent state
◦ change requirements occurs at architectural and system specification levels
◦ consistency management must be designed
Modeling in the large
20. 21
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Advanced model-driven techniques applied to an ecosystem consisting
of a coordinated set of metamodels and artifacts that must be kept in a
consistent state
◦ change requirements occurs at architectural and system specification levels
◦ consistency management must be designed
complex co-evolution techniques must be devised with an explicit management of
(epistemic) uncertainty, variability models are highly recommended
whenever possible resilient techniques must be introduced to make processes cost-
effective and reduce ripple effects
Modeling in the large
21. 22
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
◦ complex application domain
Modeling in the large / complex domain
22. 23
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Modeling in the large / multiple metamodels
Metamodel MM1
Metamodel MM4
Metamodel MM2
Metamodel MM3
◦ complex application domain
◦ multiple interconnected metamodels
23. 24
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Modeling in the large / consistency management
Metamodel MM1
Metamodel MM4
Metamodel MM2
Metamodel MM3
D
D
Delta changes
Propagated changes
D
◦ complex application domain
◦ multiple interconnected metamodels
◦ non-univocal consistency restoration
24. 25
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Modeling in the large / consistency management
Metamodel MM1
Metamodel MM4
Metamodel MM2
Metamodel MM3
D
D
Delta changes
Propagated changes
D
D
D
D
orientation
model
◦ complex application domain
◦ multiple interconnected metamodels
◦ non-univocal consistency restoration
25. 26
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Modeling in the large / consistency management
Metamodel MM1
Metamodel MM4
Metamodel MM2
Metamodel MM3
D
D
Delta changes
Propagated changes
D
D
D
D
orientation
model
◦ complex application domain
◦ multiple interconnected metamodels
◦ non-univocal consistency restoration
26. 27
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Modeling in the large / consistency management
Metamodel MM1
Metamodel MM4
Metamodel MM2
Metamodel MM3
D
D
Delta changes
Propagated changes
D
D
D
D
orientation
model
◦ complex application domain
◦ multiple interconnected metamodels
◦ non-univocal consistency restoration
Stevens, P.: Towards sound, optimal, and flexible building
from megamodels. In: ACM/IEEE 21th International Conference on
Model Driven Engineering Languages and Systems (MODELS’18), ACM (2018)
27. 28
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Modeling in the large / Modeling ecosystems
Metamodel MM1 Metamodel MM2
transformsTo
28. 29
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Modeling in the large / Modeling ecosystems
Metamodel MM1 Metamodel MM2
transformsTo
conformsTo conformsTo
29. 30
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Modeling in the large / Modeling ecosystems
Metamodel MM1 Metamodel MM2
transformsTo
conformsTo
Editor MM1
authoredBy
basedOn
conformsTo
30. 31
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Modeling in the large / Modeling ecosystems
Metamodel MM1 Metamodel MM2
transformsTo
conformsTo
Editor MM1
authoredBy
basedOn
conformsTo
Generated from the Metamodel
and Concrete Syntax Specification
31. 32
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Modeling in the large / Modeling ecosystems
Metamodel MM1 Metamodel MM2
transformsTo
conformsTo
Editor MM1
authoredBy
basedOn
conformsTo
Editor MM2
basedOn
authoredBy
32. 33
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Modeling in the large / Modeling ecosystems
Metamodel MM1 Metamodel MM2
transformsTo
conformsTo
Editor MM1
authoredBy
basedOn
conformsTo
Editor MM2
basedOn
authoredBy
Code generator
generates
dependsOn
33. 34
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Modeling in the large / Modeling ecosystems
Metamodel MM1 Metamodel MM2
transformsTo
conformsTo
Editor MM1
authoredBy
basedOn
conformsTo
Editor MM2
basedOn
authoredBy
Code generator
generates
D
dependsOn
34. 35
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Modeling in the large / Modeling ecosystems
Metamodel MM1 Metamodel MM2
transformsTo
conformsTo
Editor MM1
authoredBy
basedOn
conformsTo
Editor MM2
basedOn
authoredBy
Code generator
generates
D
Metamodel changes might compromise
the integrity and consistency of the
modeling ecosystem
dependsOn
35. 36
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Modeling in the large / Modeling ecosystems
Metamodel MM1 Metamodel MM2
transformsTo
conformsTo
Editor MM1
authoredBy
basedOn
conformsTo
Editor MM2
basedOn
authoredBy
generates
D
Di Ruscio, D., Iovino, L., & Pierantonio, A.: Evolutionary togetherness:
how to manage coupled evolution in metamodeling ecosystems. In
International conference on graph transformation (ICGT’12). Springer
Metamodel changes might compromise
the integrity and consistency of the
modeling ecosystem
Code generator
dependsOn
36. 37
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
What MDE can offer besides code generation?
domain modeling environment
change requirements
validation
38. 40
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
The railways domain is one of the most constrained – here are some of the
initial difficulties
no overall system requirements
lack of precise concept definitions
the persons who develop interlocking systems have no knowledge of formal methods
we had no knowledge of interlocking systems
The project started in 2018 with an overall duration of 4 + 3 years and
employing
◦ 2 faculties, 4 postdocs, 1 PhD student, 5 MSc
The ERMES project
39. 41
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
The project aims at building an ecosystem for modeling computer-
based interlocking systems and managing the related life-cycle
The ecosystem is formalized in a megamodel consisting of
◦ a coordinated family of industry-scale modeling notations
◦ model management for letting the ecosystem evolve while
preserving the overall consistency
◦ support tools
tooling chains at metamodel and model level
brand-new framework for generating positional / geometric editor
meta-templating for more «resilient» artifact generation
The ERMES project
40. 42
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Architecture
The architecture is arranged in different tiers
ERMES Environment
A meta environment in which the ERMES notation and the related
modeling ecosystem are consistently managed
Modeling Environment
A modeling environment generated from a specific release of the
ERMES notation
Runtime Environment
The deployed operational environment generated for a given station
specified in the Modeling Environment
41. 43
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Architecture
The architecture is arranged in different tiers
ERMES Environment
A meta environment in which the ERMES notation and the related
modeling ecosystem are consistently managed
Modeling Environment
A modeling environment generated from a specific release of the
ERMES notation
Runtime Environment
The deployed operational environment generated for a given station
specified in the Modeling Environment
46. 48
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Runtime Environment
Obtained with the Data
Preparation Process
47. 49
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
It is the overall process followed to fully configure the station
◦ The final outcome is the configuration of the Safety Logic to be deployed
to the station
Data Preparation Process
48. 50
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
It is the overall process followed to fully configure the station
◦ The final outcome is the configuration of the Safety Logic to be deployed
to the station
Data Preparation Process
Manual intervention needed
for certification reasons
49. 51
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
It is the overall process followed to fully configure the station
◦ The final outcome is the configuration of the Safety Logic to be deployed
to the station
Data Preparation Process
52. 54
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Architecture
The architecture is arranged in different tiers
ERMES Environment
A meta environment in which the ERMES notation and the related
modeling ecosystem are consistently managed
Modeling Environment
A modeling environment generated from a specific release of the
ERMES notation
Runtime Environment
The deployed operational environment generated for a given station
specified in the Modeling Environment
53.
54.
55. 57
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
The track plan notation is given by a metamodel and an associated
concrete syntax that looks like:
The Track Plan notation
56. 58
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
The track plan notation is given by a metamodel that currently looks like
The Track Plan notation
57. 59
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
The metamodel is rather complex (as a comparison, UML has 227 classes for 14
diagrams)
The Track Plan notation
58. 60
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
The first difficulty is given by the complexity of the visual notation
Resorting to the most advanced meta-editors (eg., Sirius) did not help because
they can manage only topological notations
The notation is positional
◦ the semantics of the model depends on the layout
◦ the layout is constraint-based
The Track Plan notation
Because of the metamodel change rate, a new meta-editor has been
designed and implemented
59.
60.
61.
62. 64
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
The Control Board notation
It is an informative panel used by movement managers for supervising
the operations and simulation purposes, looks like
63. 65
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
The Control Board notation
The notion is based on the track plan notation but with differences that
are both structural (in the metamodel) and visual (in the concrete
syntax and layout)
64. 66
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Architecture
The architecture is arranged in different tiers
ERMES Environment
A meta environment in which the ERMES notation and the related
modeling ecosystem are consistently managed
Modeling Environment
A modeling environment generated from a specific release of the
ERMES notation
Runtime Environment
The deployed operational environment generated for a given station
specified in the Modeling Environment
65. 67
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Release frequency
Notational changes occurred at a critical rate up to represent a
daunting challenge
In the initial stage of the project, our domain knowledge was
limited, and stakeholders conveyed frequent change
requirements
66. 68
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
The Control Board notation
The notion is based on the track plan notation but with differences that
are both structural (in the metamodel) and visual (in the concrete
syntax and layout)
67. 69
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
The Control Board notation
The notion is based on the track plan notation but with differences that
are both structural (in the metamodel) and visual (in the concrete
syntax and layout)
Two-tier automated transformation: abstract
and concrete syntax
68. 70
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
The Control Board notation
The notion is based on the track plan notation but with differences that
are both structural (in the metamodel) and visual (in the concrete
syntax and layout)
Automated editor generation
from the metamodel and
concrete syntax specification
69.
70.
71.
72.
73.
74. 76
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Notational interplay
The track plan notation and the control board counterpart are strictly
related and while the mapping is typically unidirectional there might be
target manual adaptations that must be back-propagated
bidirectional transformation
77. 79
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Keeping a set of related models in a consistent state requires back
propagating changes, ie updates to a source entail updates to the
others
◦ Existing languages: OMG QVT, Triple-Graph Grammars, JTL, etc
Notably, a contributory factor limiting the adoption of BX languages is
the assumption that transformations must be deterministic, i.e. one
source model can generate exactly one target model
This is a too strong assumption as often the transformations are
underspecified
Bidiretionality
F. Abou-Saleh, J. Cheney, J. Gibbons, J. McKinna, and P. Stevens. Notions of
BidirectionalComputation and Entangled State Monads. MPC, 2015.
78. 80
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
startup
Out of Service
Off Idle
Self Test
Maintenance
Active
Authentication Selectingtransaction Transaction
failed
done
shutdown
in(card)
cancel
fault
fixed
Flattening Hierarchical State Machines
79. 81
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
startup
Out of Service
Off Idle
Self Test
Maintenance
Active
Authentication Selectingtransaction Transaction
failed
done
shutdown
in(card)
cancel
fault
fixed
Flattening Hierarchical State Machines
Out of Service
Off Idle
Active
States are propagated
80. 82
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
startup
Out of Service
Off Idle
Self Test
Maintenance
Active
Authentication Selectingtransaction Transaction
failed
done
shutdown
in(card)
cancel
fault
fixed
Flattening Hierarchical State Machines
Out of Service
Off Idle
Active
shutdown
cancel
fixed
fault
Outer edges are propagated
81. 83
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
startup
Out of Service
Off Idle
Self Test
Maintenance
Active
Authentication Selectingtransaction Transaction
failed
done
shutdown
in(card)
cancel
fault
fixed
Flattening Hierarchical State Machines
Out of Service
Off Idle
Active
shutdown
cancel
fixed
fault
in(card)
startup
Edges with an inner end are propagated
82. 84
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
startup
Out of Service
Off Idle
Self Test
Maintenance
Active
Authentication Selectingtransaction Transaction
failed
done
shutdown
in(card)
cancel
fault
fixed
Flattening Hierarchical State Machines
Out of Service
Off Idle
Active
shutdown
cancel
fixed
fault
in(card)
startup
83. 85
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
startup
Out of Service
Off Idle
Self Test
Maintenance
Active
Authentication Selectingtransaction Transaction
failed
done
shutdown
in(card)
cancel
fault
fixed
Flattening Hierarchical State Machines
Out of Service
Off Idle
Active
shutdown
cancel
fixed
fault
in(card)
startup
The «error» edge is manually added
in(card)
Out of Service
Off Idle
Active
shutdown
cancel
fixed
startup
fault
error
84. 86
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
startup
Out of Service
Off Idle
Self Test
Maintenance
Active
Authentication Selectingtransaction Transaction
failed
done
shutdown
in(card)
cancel
fault
fixed
Flattening Hierarchical State Machines
Out of Service
Off Idle
Active
shutdown
cancel
fixed
fault
in(card)
startup
A such change can be back-propagated?
in(card)
Out of Service
Off Idle
Active
shutdown
cancel
fixed
startup
fault
error
85. 87
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
startup
Out of Service
Off Idle
Self Test
Maintenance
Active
Authentication Selectingtransaction Transaction
failed
done
shutdown
in(card)
cancel
fault
fixed
Flattening Hierarchical State Machines
Out of Service
Off Idle
Active
shutdown
cancel
fixed
fault
in(card)
startup
A such change can be back-propagated?
in(card)
Out of Service
Off Idle
Active
shutdown
cancel
fixed
startup
fault
error
86. 88
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
startup
Out of Service
Off Idle
Self Test
Maintenance
Active
Authentication Selectingtransaction Transaction
failed
done
shutdown
in(card)
cancel
fault
fixed
Flattening Hierarchical State Machines
Out of Service
Off Idle
Active
shutdown
cancel
fixed
fault
in(card)
startup
Three valid solutions are possible
in(card)
Out of Service
Off Idle
Active
shutdown
cancel
fixed
startup
fault
error
error1
error2
error3
87. 89
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Such a transformation is non-deterministic that is it does not always
produce a unique solution
◦ the mappings are not injective
◦ multiple update strategies are possible
◦ designers not always hold the information needed for defining a general
consistency-restoration strategy at design-time
It is a form of unknown uncertainty (the designer have not enough
knowledge) that translates into epistemic uncertainty
Bidirectionality
Zan, Tao, Hugo Pacheco, and Zhenjiang Hu.
"Writing bidirectional model transformations as intentional updates." Procs.
36th International Conference on Software Engineering, 2014.
88. 90
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
The JTL language provide an explicit support to non-determinism
Implementors only need to specify a consistency relation, allowing the
bidirectional engine to resolve the under-specification non-
deterministically
All valid solutions are generated at once
The JTL language
Cicchetti, A., Ruscio, D. D., Eramo, R., & Pierantonio, A., JTL: a bidirectional and
change propagating transformation language. In International Conference on
Software Language Engineering, 2010
89. 91
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
startup
Out of Service
Off Idle
Self Test
Maintenance
Active
Authentication Selectingtransaction Transaction
failed
done
shutdown
in(card)
cancel
fault
fixed
Back-propagation
Out of Service
Off Idle
Active
shutdown
cancel
fixed
fault
in(card)
startup
in(card)
Out of Service
Off Idle
Active
shutdown
cancel
fixed
startup
fault
error
Printing
completed
print
done
Five atomic changes
are performed
90. 92
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
startup
Out of Service
Off Idle
Self Test
Maintenance
Active
Authentication Selectingtransaction Transaction
failed
done
shutdown
in(card)
cancel
fault
fixed
Back-propagation
Out of Service
Off Idle
Active
shutdown
cancel
fixed
fault
in(card)
startup
in(card)
Out of Service
Off Idle
Active
shutdown
cancel
fixed
startup
fault
error
Printing
completed
print
done
#error = 3
error1
error2
error3
91. 93
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
startup
Out of Service
Off Idle
Self Test
Maintenance
Active
Authentication Selectingtransaction Transaction
failed
done
shutdown
in(card)
cancel
fault
fixed
Back-propagation
Out of Service
Off Idle
Active
shutdown
cancel
fixed
fault
in(card)
startup
in(card)
Out of Service
Off Idle
Active
shutdown
cancel
fixed
startup
fault
error
Printing
completed
print
done
#error = 3
error1
error2
error3
92. 94
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Back-propagation
Out of Service
Off Idle
Active
shutdown
cancel
fixed
fault
in(card)
startup
in(card)
Out of Service
Off Idle
Active
shutdown
cancel
fixed
startup
fault
error
Printing
completed
print
done
#error = 3
#done = 1
#print = 4
#completed = 4
startup
Out of Service
Off Idle
Self Test
Maintenance
Active
Authentication Selectingtransaction Transaction
failed
done
shutdown
in(card)
cancel
fault
fixed
error1
error2
error3
Printing
print1
print2
print3
print4
completed1
completed2
completed3
completed3
93. 95
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Little changes in one of the source, cause a combinatorial explosion of
alternatives in the other one
◦ in the previous example, 4 atomic modifications produces 48 models
The number of valid models is unknown before the executions of the
transformation
Little changes, big repercussions
Dealing with a solution made of a myriad of generated models is
intrinsically difficult if not impractical
94. 96
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
We need a construction that permits an intensional representation of
the solution space
Instead of generating each individual model in the solution space, we
want to represent the solution space of a non-deterministic
transformation with a model with uncertainty
An intensional solution
95. 97
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Given a (base) metamodel MM, a corresponding metamodel with
uncertainty U(MM) is obtained by an automated transformation
A model with uncertainty is used to intensionally represent all the models
generated by a non-deterministic transformation
An intensional solution
96. 98
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Given a (base) metamodel MM, a corresponding metamodel with
uncertainty U(MM) is obtained by an automated transformation
A model with uncertainty is used to intensionally represent all the models
generated by a non-deterministic transformation
An intensional solution
97. 99
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
The JTL engine is based on ASP constraint solver and can derive how
models are related using a deductive process
A fundamental role is played by the tracing information, i.e., the linkage
between the source and target model elements at run-time
Traceability management offers enough information to understand how
the models can be factorized
JTL extention to uncertainty
Eramo, R., Pierantonio, A., & Rosa, G. (2015, October). Managing uncertainty in
bidirectional model transformations. In Proceedings of the 2015 ACM SIGPLAN
International Conference on Software Language Engineering
98. 101
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
◦ The representation encodes all 48 generated models
◦ In general, not all combinations are admissible, predicates
can be needed to specify inadmissible combinations
JTL extention to uncertainty
99. 102
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
◦ The representation encodes all 48 generated models
◦ In general, not all combinations are admissible, predicates
can be needed to specify inadmissible combinations
JTL extention to uncertainty
100. 103
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
◦ The representation encodes all 48 generated models
◦ In general, not all combinations are admissible, predicates
can be needed to specify inadmissible combinations
JTL extention to uncertainty
101. 104
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
◦ The representation encodes all 48 generated models
◦ In general, not all combinations are admissible, predicates
can be needed to specify inadmissible combinations
JTL extention to uncertainty
102. 105
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Introduction
◦ What is MDE
Modeling Ecosystems
◦ Co-evolution and consistency management
The ERMES Project
◦ Architecture and objectives
◦ Track plan and control board notations
◦ Bidirectionality and uncertainty
◦ Meta-templating for enforcing metamodel change resilience
Conclusions
Roadmap
103. 106
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Templating Languages
Templating languages, eg. Acceleo, are used for text-generation
Metamodel MM1
conformsTo
Template
generates
104. 107
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Metamodel/Template co-evolution
Templating languages, eg. Acceleo, are used for text-generation
Co-evolution scenarios occurs whenever
metamodels are modified
Manual adaptation is prone to
errors and tedious
Automated solutions presents
severe limitations and human intervention
is unavoidable
Limited corpus of research
Metamodel MM1
conformsTo
Template
generates
D
Template
Co-adaptation generates
105. 108
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
In order to mitigate the difficulties due to the template adaptation in presence
of metamodel changes, we devised a novel technique called meta-templating
It permits to make templates «resilient» to changes, ie. under certain conditions
templates do not need to be adapted
Metatemplates
106. 109
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
In order to mitigate the difficulties due to the template adaptation in presence
of metamodel changes, we devised a novel technique called meta-templating
It permits to make templates «resilient» to changes, ie. under certain conditions
templates do not need to be adapted
Metatemplates
Meta Template
Engine
MM
Metamodel
Meta Template
107. 110
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
In order to mitigate the difficulties due to the template adaptation in presence
of metamodel changes, we devised a novel technique called meta-templating
It permits to make templates «resilient» to changes, ie. under certain conditions
templates do not need to be adapted
Metatemplates
Meta Template
Engine
MM
Metamodel
Meta Template
MM-specific
Template
108. 111
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
In order to mitigate the difficulties due to the template adaptation in presence
of metamodel changes, we devised a novel technique called meta-templating
It permits to make templates «resilient» to changes, ie. under certain conditions
templates do not need to be adapted
Metatemplates
Meta Template
Engine
MM
Metamodel
Meta Template
MM-specific
Template
MM-conformant
Model
Target Artifact
109. 112
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
In order to mitigate the difficulties due to the template adaptation in presence
of metamodel changes, we devised a novel technique called meta-templating
It permits to make templates «resilient» to changes, ie. under certain conditions
templates do not need to be adapted
MetaTemplating
Meta Template
Engine
MM
Metamodel
Meta Template
MM-specific
Template
MM-conformant
Model
Target Artifact
Meta-level Instance-level
110. 113
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
MetaTemplating
Meta Templates are written with a
language that can predicate at both
metamodel and model level
A Meta Template can be applied to a
metamodel if the latter has a syntactical
structure compatible with the navigation
expressions occurring in the Meta
Template
Such requirement defines a
Metamodel Typing concept
113. 116
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
The Safety Logic must comply with IEC 61508 requirements to minimize
any harmful effects caused by a potential system failure
Safety Integrity Level (SIL 1 – SIL 4) quantifies the reliability degree
achieved by any object that performs a safety-related function
Certification issue
114. 117
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
The Safety Logic must comply with IEC 61508 requirements to minimize
any harmful effects caused by a potential system failure
Safety Integrity Level (SIL 1 – SIL 4) quantifies the reliability degree
achieved by any object that performs a safety-related function
Certification issue
Because of such requirement (SIL 4) to generate the Safety Logic
Configuration, only human-written rules can be used
115. Meta Template
Engine
Track Plan
Metamodel
Query Language
Environment
Meta Template
QLE-specific
Template
Track Plan
Model
Query
Language
Environment
Meta-level Instance-level
Condition Table
Metamodel
Safety Logic
Metamodel
Station
Independent
Rules
Safety Logic
Configuration
Instance-level
116. Meta Template
Engine
Track Plan
Metamodel
Query Language
Environment
Meta Template
QLE-specific
Template
Track Plan
Model
Query
Language
Environment
Meta-level Instance-level
Condition Table
Metamodel
Safety Logic
Metamodel
Station
Independent
Rules
Safety Logic
Configuration
Instance-level
The Safety Logic Configuration cannot be generated
in although it would be possible
117. Meta Template
Engine
Track Plan
Metamodel
Query Language
Environment
Meta Template
QLE-specific
Template
Track Plan
Model
Query
Language
Environment
Meta-level Instance-level
Condition Table
Metamodel
Safety Logic
Metamodel
Station
Independent
Rules
Safety Logic
Configuration
Instance-level
In order to comply to SIL 4, the Meta Template in is used to generate the
Query Language Environment in which the domain experts only can customize
the generic rules.
118. Meta Template
Engine
Track Plan
Metamodel
Query Language
Environment
Meta Template
QLE-specific
Template
Track Plan
Model
Query
Language
Environment
Meta-level Instance-level
Condition Table
Metamodel
Safety Logic
Metamodel
Station
Independent
Rules
Safety Logic
Configuration
Instance-level
In order to comply to SIL 4, the Meta Template in is used to generate the
Query Language Environment in which the domain experts only can customize
the generic rules.
119. 122
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Conclusion
The architecture is arranged in different tiers
ERMES Environment
A meta environment in which the ERMES notation and the related
modeling ecosystem are consistently managed
Modeling Environment
A modeling environment generated from a specific release of the
ERMES notation
Runtime Environment
The deployed operational environment generated for a given station
specified in the Modeling Environment
120. 123
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Conclusions
It is clearly a modeling in the large scenario
While the typical meta-architecture provided by the generic modeling
platforms offers great opportunity, consistent deployment of model-
driven techniques is challenging
The question to answer is whether it is over-design or a cost-effective
way of dealing with complexity
◦ An empirical evaluation would be needed
121. 124
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Complexity is pervasive and occurs at domain and solution level
◦ The railways domain is severely constrained because of a consolidated legacy
practice and safety assurance requirements
◦ The Safety Logic is managed by FBK, a different research group
At the solution level complexity induces uncertainty and variability
◦ In offline processes: uncertainty is managed by a decision-making process
based of domain expertise
◦ In automated processes: uncertainty impact is mitigated by adopting variability
models and by making artifacts more resilient to change requirements
Conclusions
122. 125
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
The technical maturity of the available tools is questionable
Sirius, the state-of-the-art tool for generating editors is completely inadequate;
it has been already clear at month M4 despite efforts and cooperation with the
tool maintainer
Transformation languages have not fully-fledged programming environments
Scalability is an issue, the way the most crucial metamodels (eg. Safety
Logic) are formalized impacts on the performance
Conclusions
The Safety Logic is formalized by domain experts that faced difficulties in
practicing abstraction, consequently accidental complexity occurred
123. 126
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
What about the initial difficulties
no overall system requirements
Stakeholders adopted a strategy to not expose us to the complexity
Stakeholders' objective is to advance the state-of-the-art
lack of precise concept definitions
The complete picture is not always clearly defined
the persons who develop interlocking systems have no knowledge of formal
methods
It considerably improved as domain experts increasingly became fluent with modeling
we had no knowledge of interlocking systems
We keep fighting
Conclusions
124. 127
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
A big part of this presentation is based on the
work (and espressos) of many
Vittorio Cortellessa, Francesco Basciani, Mirco Franzago,
Davide Cingolani, Tiziano Lombardi, Romolo Marotta,
Andrea Perelli, Matteo Ricci, Stefano Di Francesco,
Lorenzo Andreoli
Last but not least
126. 129
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Primary colors
◦
Secondary colors
Terziary colors
Elements / color scheme
Ottanio
#094F6D
Goldpalm
#F6C35A
Gray
#D9D9D9
Light Azure
#90C5E2
Azure
#55A2D8
Azure
#D9D9D9 / 25%
Green
#D9D9D9 / 25%
Red
#D9D9D9 / 25%
127. 130
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Terziary colors
Elements / color scheme / example
Azure
#D9D9D9 / 25%
Green
#D9D9D9 / 25%
Red
#D9D9D9 / 25%
25% trasparency
128. 131
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Elements
swish
From this morning session:
Many computerized systems have complex continuous facets of behavior ~ Assaf
Current systems are chaotic but are also event-driven ~ Serge
129. 132
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Elements / highlighted boxes
From this morning session:
Many computerized systems have complex continuous facets of behavior ~ Assaf
Current systems are chaotic but are also event-driven ~ Serge
From this morning session:
Many computerized systems have complex continuous facets
of behavior ~ Assaf
Many computerized systems have complex continuous facets
of behavior ~ Assaf
A short sentence on two
lines
A shorter sentence
keyword
Many computerized systems have complex continuous facets of behavior ~ Assaf
Current systems are chaotic but are also event-driven ~ Serge
130. 133
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Elements / disabled boxes
From this morning session:
Many computerized systems have complex continuous facets of behavior ~ Assaf
Current systems are chaotic but are also event-driven ~ Serge
From this morning session:
Many computerized systems have complex continuous facets
of behavior ~ Assaf
Many computerized systems have complex continuous facets
of behavior ~ Assaf
A short sentence on two
lines
A shorter sentence
keyword
Many computerized systems have complex continuous facets of behavior ~ Assaf
Current systems are chaotic but are also event-driven ~ Serge
131. 134
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Elements / outlined boxes
From this morning session:
Many computerized systems have complex continuous facets of behavior ~ Assaf
Current systems are chaotic but are also event-driven ~ Serge
From this morning session:
Many computerized systems have complex continuous facets
of behavior ~ Assaf
Many computerized systems have complex continuous facets
of behavior ~ Assaf
A short sentence on two
lines
A shorter sentence
keyword
Many computerized systems have complex continuous facets of behavior ~ Assaf
Current systems are chaotic but are also event-driven ~ Serge
132. 135
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Elements / arrow set 1
133. 136
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Elements / arrow set 2
134. 137
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Elements / arrow set 3
135. 138
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Elements / arrow set 4
136. 139
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Elements / arrow set 4
137. 140
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Elements / patches
A sentence
A multiline
sentence
A multiline
sentence
A sentence
138. 141
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
A coordinated set of scenes that can be associated with a slide in order
to stress a message, as for instance in the followings
Elements / vignettes 1
140. 143
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Elements / vignettes 3
complexity literature, survey design, data, question, result experiment, empirical
analysis, results cooperation, survey, interview design, execution conclusions, final result
141. 144
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Elements / Extras
142. 145
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Elements / Letter tags
A A A A A A A A
A B C D E F G I
H L M N O
P Q R S T U V W Z
J K X Y
0 1 2 3 4 5 6 8
7 9
A B C D E F G I
H L M N O
P Q R S T U V W Z
J K X Y
0 1 2 3 4 5 6 8
7 9
143. 146
VaMoS ’22 | Alfonso Pierantonio | alfonso.pierantonio@univaq.it
Elements / submerged icebergs