Lecture Notes in Computer Science 4922

Manfred Broy, Ingolf H. Krüger, Michael Meisinger (Eds.)

Model-Driven Development of Reliable Automotive Services

Second Automotive Software Workshop, ASWSD 2006
San Diego, CA, USA, March 15-17, 2006
Revised Selected Papers

Volume Editors

Manfred Broy
Technische Universität München, Institut für Informatik
Boltzmannstr. 3, 85748 Garching, Germany

Ingolf H. Krüger
University of California, San Diego, Computer Science and Engineering
9500 Gilman Drive, La Jolla, CA 92093-0404, USA

Michael Meisinger
University of California, San Diego
California Institute for Telecommunications and Information Technology
9500 Gilman Drive, La Jolla, CA 92093-0436, USA

Library of Congress Control Number: 2008930781
CR Subject Classification (1998): C.2.4, C.3, C.5.3, D.4, H.3-5, J.7
LNCS Sublibrary: SL 2 – Programming and Software Engineering
ISSN 0302-9743
ISBN-10 3-540-70929-0 Springer Berlin Heidelberg New York
ISBN-13 978-3-540-70929-9 Springer Berlin Heidelberg New York
© Springer-Verlag Berlin Heidelberg 2008

Preface

Software development for the automotive domain has become the enabling technology for almost all safety-critical and comfort functions offered to the customer. Ninety percent of all innovations in automotive systems are directly or indirectly enabled by embedded software. The numbers of serious accidents have declined in recent years, despite constantly increasing traffic; this is correlated with the introduction of advanced, software-enabled functionality for driver assistance, such as electronic stability control. Software contributes significantly to the automotive value chain. By 2010 it is estimated that software will make up 40% of the value creation of automotive electrics/electronics.

However, with the large number of software-enabled functions, their interactions, and the corresponding networking and operating infrastructure, come significant complexities both during the automotive systems engineering process and at runtime. A central challenge for automotive systems development is the scattering of functionality across multiple subsystems, such as electronic control units (ECUs) and the associated networks. As an example, consider the central locking systems (CLS), whose functionality is spread out over up to 19 different ECUs in some luxury cars.
Of course, this includes advanced functionality, such as seat positioning and radio tuning according to driver presets upon entry, as well as unlocking in case of a detected impact or accident. However, this example demonstrates that modern automotive systems bridge comfort- and safety-critical functionality. This induces particular demands on safety and security, and, in general, software and systems quality. The resulting challenges and opportunities were discussed, in depth, at the second Automotive Software Workshop San Diego (ASWSD) 2006, on whose results we report here.

Automotive systems are prime examples of the class of cyber-physical systems, i.e., systems that combine IT infrastructure and functionality with the control of physical processes. Consequently, the development process for automotive systems has to take into account both the physical environment and its representation in digital systems that get deployed in the vehicle. As an example, cars have a broad spectrum of timing requirements, ranging from hard real-time constraints at the level of motor control to soft real-time constraints at the level of infotainment systems. Automotive systems span the entire spectrum from time- and value-continuous, to mixed continuous and discrete, to discrete systems. The engineering processes used for automotive software have to take these and other domain-specific constraints into account – seamlessly from requirements elicitation to deployment and quality assurance.

Increasingly, industry and academia try to address this challenge by introducing comprehensive requirements and architecture models that capture key domain aspects and enable exploitation in terms of code synthesis, simulation and, more generally, verification, and validation. A further goal in adopting a model-based approach to automotive systems engineering is seen in the opportunity to decouple the logical from the deployment architecture of the vehicle.
This decoupling holds the promise for a true product-line approach where conceptualizations of automotive systems structure and behavior are systematically reused across different car models. For instance, CLSs exist in almost all modern cars. Yet, we know that most software functions are developed afresh in the transition from one car model to the next. Furthermore, automotive manufacturers and suppliers hope to have models that help them contain the enormous space of variants and configurations that emerges from the possible combinations of software-enabled functions and their parameterizations.

Of course, due to the traditionally distributed engineering processes between OEMs (original equipment manufacturers, such as car makers) and multiple tiers of suppliers, models are needed that increase the precision and understanding in the communication between OEMs and suppliers. Consequently, to be of value, the models chosen need to be unambiguous to the highest degree possible, yet allow a broad spectrum of properties of structure and behavior to be specified. It is this tradeoff between precision and expressiveness that is a recurring theme through many of the contributions contained in this post-proceedings volume of ASWSD 2006.

Advanced development methods such as tailored development processes, structured systems and software architectures, model-driven development techniques and notations as well as formalized techniques of quality assurance have emerged as an approach to dealing with the mentioned demands and complexities, in particular during the analysis, specification and design phases of the development process. Such advanced development approaches have numerous benefits and advantages, including:

– They provide a basis for traceability from requirements specifications to implementation artifacts. This enables model-based requirements tracing, verification and validation approaches, and addresses systematic changes to models during the development process.
– They hold the promise of reduced turn-around times in iterative and incremental software and systems development. They enable engineers to explore model changes before changing the actual system.
– They support product-line software development by separating different functions for product line alternatives in an otherwise common, integrated model.
– Models, description techniques and associated development processes can be coordinated to provide contiguous, gap-free refinement and transformation steps from requirements to code. Models are connected and integrated to span all abstraction levels. This enables design tools, test and verification tools and code generators to work from the same sets of models to provide improved software quality.

On the infrastructure side, service-oriented architectures and automotive middleware platforms, such as AUTOSAR, are emerging as a means to manage the complex dependencies between vehicular functions, to provide standardized, scalable, and validated infrastructures.

Mastering the complexities of future-generation automotive software development poses a number of important, cross-disciplinary research challenges. The transition from monolithic to flexible, service-oriented solutions requires advances in all aspects of the development process; this includes, in particular, the selection of an adequate service model and corresponding development techniques, together with supporting software infrastructures.
The goal for ASWSD 2006 was to bring together experts from industry and academia who work on highly complex, distributed, reactive software systems related to the automotive domain, and to discuss and further the understanding of the following focus areas:

– Automotive models and model-driven development
– Automotive software and systems architectures
– Automotive domain architectures
– Automotive software services and service-oriented development
– Automotive hardware, middleware, and software platforms
– On- and off-board ad-hoc networking
– Networked automotive services
– Mobile sensor networks
– Reliability, security and privacy for automotive software
– Enabling technologies for telematics applications

The workshop took place March 15–17, 2006 in La Jolla, CA, USA, at the California Institute for Telecommunications and Information Technology (Calit2). It contributed to fostering a deeper understanding of the research challenges and agendas in this area. Potentials for cross-disciplinary research, as well as pertinent curricula and training programs to address these challenges, were identified and discussed.

The workshop program consisted of five keynote presentations, 13 technical paper presentations, a poster session and two panel discussions. The workshop spanned 2 1/2 days and was divided into the following topical sessions: Quality Assurance (QA), Real-Time Control (RT), Services and Components (SC), and Model-Based Development and Tools (MD). The pre-proceedings, consisting of the presentation slide sets, were made available at http://aswsd.ucsd.edu/2006.

To foster discussion on cross-cutting and interdisciplinary topics, the organizers decided to have five keynote presentations – three from industry and two from academia, as well as two panel discussions as integral parts of the workshop program.
Bruce Emaus (Vector CANtech), Rajesh Gupta (University of California, San Diego), Jeff Greenberg (Ford Motor Company), Thomas Kropf (Robert Bosch GmbH), and Alberto Sangiovanni-Vincentelli (University of California, Berkeley) were recruited as keynote speakers. Professors Frieder Seible (Dean, Jacobs School of Engineering, UCSD) and Larry Smarr (Director, Calit2) delivered opening remarks on the first day of the workshop.

The first keynote presentation, opening the Model-Based Development and Tools session, was given by Bruce Emaus (President of Vector CANtech). It was titled “Model-Based Development in the Upcoming Automotive Embedded Software Architecture of AUTOSAR.” As automotive product architectures continue to migrate toward higher levels of distribution with increasing system and software complexity, the use of model-driven automotive embedded software development is rapidly changing as the industry pushes forward with a new automotive software architecture called AUTOSAR. This presentation discussed both the essential business case for AUTOSAR and the design challenges of model-based software development in the automotive distributed embedded system domain.

Rajesh Gupta (University of California, San Diego) presented insight into new approaches for hardware design in his talk “Meta Modeling for Component Compositions: A Hardware Guy’s View.” He stated that novel computational fabrics are approaching intrinsic silicon efficiencies, imposing challenges to ensure programmability and program models. Currently, a methodology evolution occurs from chip design to embedded software design. The availability of programming models, methods and language support for building embedded systems (on chip) will be critical to exploiting the enormous technology capacities.
New methods will mature that enable systematic modeling and exploitation of meta-data in design, verification, and synthesis. Gupta showed an approach to developing compositional, verifiable system-on-chip specifications in SystemC. He also hinted at opportunities for marrying service-oriented development techniques increasingly popular in software with a traditional system on chip development.

Jeff Greenberg (Manager of the VIRTTEX driving simulator at Ford Motor Company and Ford’s Senior Technical Leader for automotive HMI) explained the challenge of automotive systems engineering from multiple angles. He focused on the necessity to create a simulation platform that not only is able to incorporate the emerging advanced software-enabled automotive systems, but also allows evaluation of the resulting human machine interface (HMI) concerns. The latter becomes increasingly important to ensure that the benefits of driver safety brought about by novel electronic features outweigh the increasing distraction drivers are exposed to (e.g., cell phone use during vehicle operation).

Thomas Kropf (Vice President for system and software engineering, Driver Assistance Systems, Robert Bosch GmbH) delivered the keynote presentation “Driver Assistance Systems: Challenges for Automotive System and Software Design.” He explained recent developments in the domain of driver assistance systems and described the challenges automotive suppliers are facing today in system and software design. He presented examples for new design methods, tools and processes which are used to overcome the current design limitations. Kropf’s presentation pointed out the difficulty in applying traditional formal methods in the rich requirements spectrum of automotive systems outlined above.

Alberto Sangiovanni-Vincentelli (University of California, Berkeley) discussed the question “Is Embedded Software for Safety Critical Automotive Systems Really a Software Problem?” in his presentation, delivered by Manfred Broy.
He stated that embedded software design is one, albeit critical, aspect of the more general problem of embedded system design, which is about the implementation of a set of functionalities satisfying a number of constraints ranging from performance to cost, emissions, power consumption, and weight. Sangiovanni-Vincentelli’s presentation illustrated the main challenges and opportunities of vertical design chain integration. In addition, it presented platform-based design as an important approach to meeting challenges and taking advantage of opportunities in automotive systems development. Platform-based design is a design methodology where reuse and programmability are central. It is an approach that provides unified and harmonious views on embedded software design and hardware architecture, consisting of formal techniques at the abstract level facilitating early verification with the correct set of tools and methods. The Metropolis environment was described as a framework to sustain the methodology.

Two panel discussions complemented the keynote presentations. The first panel discussed “Integrated Automotive System Development – Process, Challenges and Opportunities.” Panelists were Jeff Greenberg (Ford Motor Company), Rajesh Gupta (University of California, San Diego), Edward Lee (University of California, Berkeley), and Wolfgang Pree (University of Salzburg). The panelists discussed the various phases of the automotive engineering process, into which the software/hardware co-design process is embedded. The malleability of software was discussed as a particular challenge in the seamlessness from early requirements to simulation to implementation and quality assurance. On the technical side, the panelists discussed the absence of adequate programming models that take time (hard- and soft real time) into consideration as a first-class citizen. Consequently, the spectrum from continuous to mixed continuous/discrete to discrete automotive software has yet to be mastered.
The panelists formulated this as a challenge for the research community.

The second panel discussed “Model-Based Service Engineering for Automotive – Hype and Substance.” Panelists were Bernhard Schätz (Technische Universität München, Germany), Bruce Emaus (Vector CANtech), Thomas Kropf (Robert Bosch GmbH), Klaus Müller-Glaser (University of Karlsruhe), and Daniel Gajski (University of California, Irvine). The discussion emphasized the increasingly distributed nature of functions realized by automotive software. Signals and information from components are combined in ways that were not intended originally. Service-oriented concepts can effectively help to manage the complexities caused by this heterogeneity. Initial approaches to introducing service-oriented concepts can already be found in industry – sometimes under different names. One of the biggest challenges is the absence of suitable models to describe the functions and their dependencies in a service-oriented way, in addition to existing implementation and hardware-oriented models of automotive controller components.

The discussion also emphasized the importance of approaching automotive system design from a user’s view, focusing on the applications that the car as a system provides to its users. Automotive system services should be designed from the perspective of users and applications, not as a combination of pieces of functionality from existing components. The dependency of user-relevant services must be captured in suitable models.

In both panels, it was observed that in automotive system design the black-box controller business model, as a hardware/software unit of specification, integration, maintenance, and contract, is still predominant. This defines the OEM–supplier relationship. Providing pure software solutions to OEMs is currently not a viable business model for suppliers.
Here, the industry needs to change and research needs to come up with suitable service-oriented business models and system development models. Automotive systems must open up to facilitate addition of new services – inside and outside of the vehicle. Infotainment systems were cited as likely first candidates to go in this direction.

A poster presentation session provided the opportunity to showcase current research projects for invited presenters from academia and automotive industry.

This volume includes a selection of refereed technical and invited papers presented at the workshop. In the following, we give a brief overview of the selected papers and their contents.

The paper “The Case for Modeling Security, Privacy, Usability, and Reliability (SPUR) in Automotive Software” by Prasad et al. emphasizes the importance of the attributes security, privacy, usability, and reliability (SPUR) in creating specifications for embedded in-vehicle automotive software. The paper reviews several real-world use-cases and their functional and non-functional system requirements. From there, the authors derive underlying automotive architectural elements spanning multiple software service domains. In particular, the suggested approach elevates the SPUR requirements from an afterthought to the earliest requirements and architecture design phases.

Neema et al. target the issue of model ambiguities across different tools and methods in their paper “Addressing Cross-Tool Semantic Ambiguities in Behavior Modeling for Vehicle Motion Control.” They provide a model and semantics for behavior specifications in the automotive vehicle motion control (VMC) domain, facilitating the exchange of finite state machine models across different tools, and leading towards automated correct interpretation. The authors introduce an extended finite state machine metamodel (eFSM) with semantics definitions based on a mathematical framework.
They show how models developed within commercial tool environments are checked for conformance with eFSM-models, promising higher-confidence software engineering for the VMC domain.

The paper “A Software and System Modeling Facility for Vehicle Environment Interactions” by Nelson and Huang describes an advanced modeling facility for system and software design, intended to address the growing complexity of automotive embedded software and the resulting issues for vehicle development. Increased complexity will require a broader range of modeling capabilities beyond functional/behavioral modeling. The authors present a more comprehensive modeling process with the capability to model vehicle systems from multiple viewpoints, such as the traditional functional point of view and the viewpoints of software structure, component interactions, and the human-machine interface. All viewpoints are brought together in a common set of models.

Anand et al. describe an approach for “Generating Sound and Resource-Aware Code From Hybrid Systems Models” in their contribution. The authors propose a framework for generating resource-aware code from hybrid systems models with guarantees of no switching discrepancies. They propose an approach to handling faulty transitions and compute execution rates for minimizing missed transitions. The approach is an effort at bridging the semantic gap between the model and the code due to discretization and resource constraints. This work helps to address remaining issues related to ensuring correctness of the implementation with respect to the model in model-based development of real-time embedded systems.

“Towards Verification of Model Transformations via Goal-Directed Certification,” a contribution by Karsai and Narayanan, investigates a technique called ‘goal-directed certification’ that provides a pragmatic solution to the problem of verifying the correctness of model transformations within model-based development approaches.
Model transformations include generating code from models, transforming design models into analysis models, and transforming a model between variants of a formalism (such as variants of Statecharts). The authors use concepts of bisimulation to verify whether a certain transformation instance preserved certain properties and subsequently extend this idea using weak bisimulation and semantic anchoring to a more general class of transformations.

The paper “An Instrumentation-Based Approach to Controller Model Validation” by Cleaveland, Smolka and Sims discusses the concept of instrumentation-based validation (IBV): the use of model instrumentation and coverage-based testing to validate models of embedded control software. Assertions, formalized requirements, are realized through monitors that observe the behavior of executing controller models, which are instrumented with these assertions. The authors describe an implementation within the Reactis tool suite for the automated testing and validation of controller models given in Simulink/Stateflow.

Grossmann et al. describe “TestML – A Test Exchange Language for Model-Based Testing of Embedded Software” in their contribution. TestML supports the exchange of tests between different test notations in a heterogeneous tool environment, for instance, facilitating the reuse of tests between different test levels, such as model-in-the-loop (MIL), software-in-the-loop (SIL), and hardware-in-the-loop (HIL) tests. The authors introduce the XML schema of TestML and demonstrate the efficiency of the interchange format by giving examples from the model-based development of electronic control units. Tool support is illustrated by an application with Simulink/Stateflow.
The paper “Towards Integrated Model-Driven Verification and Empirical Validation of Reusable Software Frameworks for Automotive Systems” by Subramonian and Gill claims that leveraging reusable software frameworks in the development of automotive systems offers significant potential to reduce engineering costs and cycle times, caused by rapidly increasing complexity and scale. The authors show the relevance of reusable software frameworks, describe an approach to verification and validation of such frameworks based on timed automata models, and present an evaluation of their approach.