Why the use of domain-specific modeling in airworthy software requires new methods and how these might look like? (extended version)

Abstract

AbstractThe use of domain-specific modeling (DSM) in safety-critical avionics is rare, even though the ever-increasing complexity of avionics systems makes the use of DSM reasonable. DSM shows its advantage especially in capturing complex systems, data and relationships. The reason for the limited use in the (safety-critical) avionics area is mainly due to the high demands on the safety of software and systems. Everything that is to be used in flight operations and development must undergo a rigorous and complex certification process. Any data used in operations must be verified. A reduction of this effort can be achieved using qualified tools. A qualified tool can either replace or support certification activities. This article elaborates different use cases of how DSM could be used in relation to airworthy software. For those use cases, we review the effort of a certification and retrieve the major shortcomings and showstoppers of available frameworks, e.g. infeasible qualification of DSM runtimes and the unavailability of qualification artifacts. Finally, we elaborate possible ways of mitigation and show the concept and first results of a new DSM framework for airworthy applications, called DOMAINES. DOMAINES covers deterministic meta-modeling up to graph-based model transformations and verified visual editing. The concept of DOMAINES and a first functional prototype are presented that indicate that the shortcomings can be mitigated.