Lukas Märtin

Design for future: managed software evolution

Innovative software engineering methodologies, concepts and tools which focus on supporting the ongoing evolution of complex software, in particular regarding its continuous adaptation to changing functional and quality requirements as well as platforms over a long period are required. Supporting such a co-evolution of software systems along with their environment represents a very challenging undertaking, as it requires a combination or even integration of approaches and insights from different software engineering disciplines. To meet these challenges, the Priority Programme 1593 Design for Future—Managed Software Evolution has been established, funded by the German Research Foundation, to develop fundamental methodologies and a focused approach for long-living software systems, maintaining high quality and supporting evolution during the whole life cycle. The goal of the priority programme is integrated and focused research in software engineering to develop methods for the continuous evolution of software and software/hardware systems for making systems adaptable to changing requirements and environments. For evaluation, we focus on two specific application domains: information systems and production systems in automation engineering. In particular two joint case studies from these application domains promote close collaborations among the individual projects of the priority programme. We consider several research topics that are of common interest, for instance co-evolution of models and implementation code, of models and tests, and among various types of models. Another research topic of common interest are run-time models to automatically synchronise software systems with their abstract models through continuous system monitoring. Both concepts, co-evolution and run-time models contribute to our vision to which we refer to as knowledge carrying software. We consider this as a major need for a long life of such software systems.

Autonomous agents in organized localities regulated by institutions

This paper proposes a new metaphor for constructing systems of systems: Autonomous Agents in Organized Localities (AAOL). An agent-based approach is used for modeling structure and behavior of complex systems that consist of (semi-)autonomous systems, where goals, resources, capabilities are described locally while a need for superordinated ”global” regulation exists. The notion of organized localities is used to describe spatially or logically constrained spheres of influence of regulation bodies. Agents inhabit — and can move across — localities; regulation rules are modeled via computational norms and enforced by electronic institutions. A key objective of our work is to explore and advance applicability of AAOL to constructing mechatronic systems with (at least soft) real-time constraints. We describe requirements for modeling systems of systems, and outline the key pillars of AAOL: a conceptual architecture and a metamodel providing the basic constructs for describing AAOL-type systems. A case study of a decentrally organized airport transportation infrastructure illustrates the concepts and the feasibility of AAOL-based systems of systems design.

A methodology for model-based development and automated verification of software for aerospace systems

Todays software for aerospace systems typically is very complex. This is due to the increasing number of features as well as the high demand for safety, reliability, and quality. This complexity also leads to significant higher software development costs. To handle the software complexity, a structured development process is necessary. Additionally, compliance with relevant standards for quality assurance is a mandatory concern. To assure high software quality, techniques for verification are necessary. Besides traditional techniques like testing, automated verification techniques like model checking become more popular. The latter examine the whole state space and, consequently, result in a full test coverage. Nevertheless, despite the obvious advantages, this technique is rarely yet used for the development of aerospace systems. In this paper, we propose a tool-supported methodology for the development and formal verification of safety-critical software in the aerospace domain. The methodology relies on the V-Model and defines a comprehensive work flow for model-based software development as well as automated verification in compliance to the European standard series ECSS-E-ST-40C. Furthermore, our methodology supports the generation and deployment of code. For tool support we use the tool SCADE Suite (Esterel Technology), an integrated design environment that covers all the requirements for our methodology. The SCADE Suite is well established in avionics and defense, rail transportation, energy and heavy equipment industries. For evaluation purposes, we apply our approach to an up-to-date case study of the TET-1 satellite bus. In particular, the attitude and orbit control software is considered. The behavioral models for the subsystem are developed, formally verified, and optimized.

Quality-oriented Decision Support for maintaining Architectures of fault-tolerant Space Systems

Due to hostile environments, space systems are equipped with hardware redundancies to guarantee proper operation. For reconfigurations beyond redundancies, manual decision making is needed, which results in down times, communication efforts and man hours in maintenance phases. We investigate automated reconfiguration decision support that determines Pareto-optimal architectures w.r.t. variable hardware availability and quality properties. Reconfiguration options for control software according to available sensing and actuation hardware are derived and prioritised w.r.t. predicted qualitative impacts. The knowledge about relations of the systems variations is persisted in a decision model at design time on the level of software architectures. Upon a resources fault, the model is traversed for an alternative architecture. This promotes a transparent analysis of available deployments as well as an acceleration of the reconfiguration process during maintenance. We provide tool support for analysis and a concept for reconfigurations during operation. For evaluation, we inspect a reengineered extension of the attitude control system of the TET-1 micro satellite.

Towards self-reconfiguration of space systems on architectural level based on qualitative ratings

In the space domain, complex hardware/software systems have to fulfill strong requirements during operation. Besides functionality, high quality of software subsystems w.r.t. extra-functional properties is an important issue. Especially for long-period missions, the assurance of reliability is critical for mission success. In case of system defects, remote maintenance is only feasible to a limited extent. To support the remote maintenance, techniques for detection and localization of faults (e.g., FDIR) are state of the art in todays space software systems. Usually, such software comprises emergency operation modes to guarantee at least communication with ground control. This results from the fact that the fault recovery is primarily done in a conservative manner by experts on the ground. This may lead to increased mission delays and, e.g., loss of valuable measurement data. In the worst case, a lengthy interruption or insufficient capabilities of remote maintenance harm scientific instruments. Hence, concepts for autonomous fault handling are necessary to increase reliability of such expensively maintainable space systems. In this paper, we propose an approach for handling hardware faults by self-reconfiguration on the level of functional architecture at run time. We use a formal structure to describe multiple configurations of a system continuously adapting to changing environmental circumstances. A system configuration includes the structure of functional components (as part of an architecture) and their relations to corresponding hardware resources. Architectures may differ considerably due to the usage of different subsets of hardware resources. We distinguish between configurations on a higher level of abstraction by means of qualitative ratings for architectures. The rating relies upon an integration of quality attributes. This leads to a timed automaton like graph structure for reconfiguration decisions. Nodes represent quality-rated configurations and edges relate configurations among one another. A transition from one node to another is triggered when a hardware fault occurs. The computation of the ratings for configurations is done at design time to reduce evaluation efforts during operation. Thus, if a hardware resource of the system is no longer available at run time, a suitable alternative configuration is determined at low expenses. The process of triggering, determining, and deploying new reconfigurations is implemented as a control loop. The triggering is supported by the fault localization mechanism of a given FDIR approach. Based on our theoretical framework, we present a concept for prototypical tool support for evaluating and relating architectures. For the evaluation of our approach, we use a subsystem of a realworld space craft. We examine the attitude and orbit control subsystem of the TET-1 micro satellite bus. Our approach is applied to an extended version of the system with multiple redundancies in actuation. In this way, the capability to extend the autonomy of the satellite is analyzed. Additionally, an overview of the conventional FDIR mechanisms of the satellite is given.

Communication-free detection of resource conflicts in multi-agent-based cyber-physical systems

Multi-agent approaches can be applied to model behaviour and relations of entities in cyber-physical systems. Here entities frequently compete on insufficient resources (e.g., hardware) at the same time. Hence, resource conflicts between several agents are one of the most important conflict types in such multi-agent systems. These conflicts can significantly slow the operation of a system down, or in the worst case, might lead to a system halt. In this paper, we investigate the challenge of efficiently detecting resource conflicts. For this purpose, we introduce a conflict detection model based on beliefs of BDI agents. One benefit of our approach is that conflicts are detected using local belief state information of agents without communication. For evaluation purposes we apply our conflict detection model to a multi-agent system representing a transportation service with moving robots on a fictitious airport to measure the rate of collisions and completed transportation tasks. The evaluation study showed that the system deploying the conflict detection model can avoid collisions between moving agents and agents execute tasks successfully.

Guidance of Architectural Changes in Technical Systems with Varying Operational Modes

Technical systems often rely on redundant platforms. One way to increase dependability is to define various QoS modes, applied to different hardware resources. Switching between modes is limited by resource availability and causes costs for structural changes. Hence, selecting appropriate system architectures for specific resource sets and defining cost-efficient mode sequences is challenging. This short paper proposes an approach to support reconfiguration decisions for varying modes. We extend our decision graphs for traversing architectures towards multi-purpose applicability. We optimise reconfigurations within individual modes while reducing costs of mode changes simultaneously. Graph-based differentiations lead to most efficient mode sequences, transition configurations and visualisations. To respect high reconfigurability, we particularly inspect impacts of resource faults. For evaluation, we apply a subsystem of a micro satellite with multiple operational modes.