ABSTRACT
The current trend in Model Driven Architecture is to use model transformation to refine a model from a platform-independent model to a platform-specific model, resulting in a linear development process. With the advent of commercially available realtime and safety critical Java implementations as a basis for platform neutral realtime systems, one could raise the level of reuse in modeling realtime systems by keeping platform independent information completely separate from platform specific information, so that model refinement is done by adding modeling aspects and maps between aspects rather than by model transformation. The result is a modeling process that is less order dependent, thereby supporting the full flexibility of Java Technology even for realtime system design.

Categories and Subject Descriptors
D.2.4 [Software Engineering]: Software/Program Verification

General Terms
Algorithms, Performance, Reliability, Theory, Verification

Keywords
Realtime Java, UML, MDA, modeling, verification

1. INTRODUCTION
Embedded Systems are becoming ubiquitous in daily life around the globe. For instance, they are essential to the modern features now available in washing machines, TVs, automobiles, airplanes, and medical devices. The automotive industry is a good example to summarize the trends in the development of embedded systems, where one can see an increasing share of software in products and processes. Much of the innovation and the competitive differentiation is based on software. Embedded systems are often distributed realtime systems integrated in an environment of other hardware and software systems and are characterized by timing and memory constraints. A modern car contains more than 50 embedded controllers coupled by multiple networks. More than 600.000 lines of code implement the functionality of the software. All in all, automotive systems, as those in other industries, are experiencing ever increasing complexity of systems and processes.

1.1 Challenges of Modeling Realtime Systems

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

The 5th Workshop on Java Technologies for Realtime and Embedded Systems—JTRES ’2007 Vienna, Austria
Copyright 200X ACM X-XXXX-XX-X/XX/XX ...$5.00.
state-of-the-art programming languages. Rather, a more abstract view of the systems required to manage complexity and to enable developers to focus on, and solve, one problem at a time. In addition, the properties of a system should be verified and analyzed as early as possible in the development process to avoid costly changes in later stages [11]. The verification of the systems properties and constraints, supported by an integrated tool chain, is the basis for the development of high quality embedded systems.

Software models, such as those expressed in the Unified Modeling Language (UML) from the Object Management Group (OMG), provide such an abstract view of a system; however, developing software based on these abstract models is still a complicated and error prone task. Model Driven Development (MDD) tackles this issue by using abstract descriptions in the form of models to generate the actual system implementation; or at least as much as can be generated from these models. MDD is thus, a prime candidate for helping to cope with the complexity of software system development.

1.2 Model Driven Architecture

OMG has standardized one approach to MDD under the name of Model Driven Architecture (MDA) [6]. One of its main goals is separating design from infrastructure and implementation technologies. Using the MDA methodology, system requirements may first be defined as a computation independent model (CIM). In a second step the CIM is refined into a platform independent model (PIM) expressed in UML. The PIM represents a conceptual design implementing the functional requirements and thus is independent of the specific technological platform used for implementation. In contrast, the platform specific model (PSM) represents a model of a software or business system that is linked to a specific technology (e.g. a specific programming language, operating system or database). The translations between PIM and PSM can be performed using tool support, for example model transformation tools compliant with the OMG standard QVT [7, 11]. The verification of non functional properties (NFP) of a system can thus be more easily specified for each stage of the software development process. This model of development is shown in Figure 1.

Promising though they are, the current standards for UML and MDA do not fully consider the capabilities of architecturally neutral real-time systems (ANRTS) [3] design that languages such as Java can provide. In particular, when such a language is used in critical systems, where non functional constraints such as response time and timeliness are critical aspects of correct system behavior, the current standards do not provide for adequate separation of design, topology, operating environment, and computational environment to ensure minimal redesign and reanalysis when any aspect of a system changes. As certification, or at least requirements based product life cycle control, becomes more prevalent, such flexibility will be crucial for minimizing costs and maintaining a competitive edge.

2. UML FOR EMBEDDED SYSTEMS

UML provides a great degree of freedom in expressing design elements and their relationships. It is designed to be usable for as wide a range of applications in computational systems as possible. Unfortunately, to be able to cover many different applications, the base semantics is quite weak; therefore, the concept of a profile has been included to be able to adapt the semantics of UML to a specific domain. When using UML models as the basis for MDA, the specification of the semantics becomes even more important. Though much work has been done to provide profiles for many interesting areas, the work for embedded and real-time systems has not been very successful in producing an adequate profile, particularly for systems where portability is an issue.

In order to provide profiles, UML provides means for being extended. Construction of a UML Profile enables the user to build specific UML models for any particular domain. To this end, UML offers mechanisms such as stereotypes and tagged values that can be applied to all available UML elements (e.g. attributes, methods, links) without changing the metamodel itself. A UML profile is then a collection of such extensions that describes a particular modeling problem or domain based on a set of well defined stereotypes and tagged values.

Profiles have been developed using these mechanism both within and external to the OMG.

2.1 Current Profiles

There are only a hand full of profiles which take real-time consideration into account at all. The OMG produced the UML Profile for Schedulability, Performance and Time (USPT) which they expect to be replaced by the Modeling and Analysis of Real-Time and Embedded systems (MARTE) profile in the near future to address missing concerns and update to UML 2.0. The IST Project HIDOORS based its profile on USPT. The Systems Modeling Language (SysML) is also of interest for real-time. Though none is completely applicable for ANRTS development, each has interesting features.

The USPT[9] profile defines several constructs for specifying timing relationships and provides modeling techniques for resources, time, concurrency, scheduling, and performance. These features proved to be useful; however, USPT is quite large which gives too many different ways to express the same feature. In addition, there are no semantics for supporting MDA based real-time verification and code generation. The other main drawback of USPT is that it is not compatible with UML 2.0 (the currently used UML version).

<table>
<thead>
<tr>
<th>Profile</th>
<th>USPT</th>
<th>MARTE*</th>
<th>HIDOORS</th>
<th>SysML</th>
</tr>
</thead>
<tbody>
<tr>
<td>Annotations</td>
<td>light</td>
<td>weight</td>
<td>light</td>
<td>weight</td>
</tr>
<tr>
<td>Schedulability</td>
<td>-</td>
<td>+</td>
<td>-</td>
<td>+</td>
</tr>
<tr>
<td>Performance Analysis</td>
<td>+</td>
<td>+</td>
<td>+</td>
<td>+</td>
</tr>
<tr>
<td>Quality of Service</td>
<td>-</td>
<td>-</td>
<td>-</td>
<td>-</td>
</tr>
<tr>
<td>Supports Defining Metrics</td>
<td>(explicitly)</td>
<td>-</td>
<td>-</td>
<td>-</td>
</tr>
<tr>
<td>Fault Tolerance</td>
<td>-</td>
<td>-</td>
<td>-</td>
<td>-</td>
</tr>
<tr>
<td>Formal Semantics</td>
<td>-</td>
<td>(time, resources)</td>
<td>+</td>
<td>+</td>
</tr>
<tr>
<td>Supports Modeling Embedded Systems</td>
<td>(explicitly)</td>
<td>-</td>
<td>-</td>
<td>-</td>
</tr>
<tr>
<td>Supports Modeling Real-time Systems</td>
<td>+</td>
<td>+</td>
<td>+</td>
<td>+</td>
</tr>
<tr>
<td>Supports Engineering Equivalents</td>
<td>-</td>
<td>-</td>
<td>-</td>
<td>-</td>
</tr>
<tr>
<td>Supports MDA</td>
<td>(explicitly)</td>
<td>+</td>
<td>+</td>
<td>+</td>
</tr>
<tr>
<td>UML 2.0 Compatible</td>
<td>-</td>
<td>+</td>
<td>-</td>
<td>-</td>
</tr>
<tr>
<td>OCL 2.0 Compatible</td>
<td>-</td>
<td>+</td>
<td>-</td>
<td>-</td>
</tr>
</tbody>
</table>

Table 1: Overview features in existing profiles
and it lacks a formal semantics. It also does not provide techniques for modeling system hardware and due to its huge size it is also not easily applicable \[5, 2\].

When the OMG became aware of these problems, it started to work on a new profile, MARTE\[10\]. The main goal of the currently running proposals is addressing the above mentioned problems of USPT. Since the current status of MARTE is a “revised proposal” it cannot be considered stable yet.

Besides the OMG’s effort of providing profiles, industry and research institutions frequently publish ongoing improvements and new profiles. One of these profiles, based on USPT, was proposed in the HIDOORS High Integrity Distributed Object-Oriented Realtime Systems project\[4\]. This project advanced the concept of Quality Driven Design (QDD) as a combination of MDA and Model Driven Verification (MDV). The salient feature was to not only generate model refinements and code, but also models for verification. Although it improves the applicability due to its compactness and support for model level verification, it does not sufficiently address timing and has not been updated to be compatible with UML 2.0.

Finally, SysML\[1\] as a domain-specific modeling language for systems engineering applications provides methods that are also interesting for modeling embedded systems. These are mainly used blocks in block diagrams for modeling different purposes. Table 1 gives an overview of the features of the above mentioned profiles.

2.2 Rationale for a New Profile

The currently available UML profiles lack several important features needed to support architecturally neutral development of realtime and critical systems with MDA; therefore, a new profile needs to be developed. As many existing ideas and structures should be adapted from existing profiles as possible. The proposed SuReal profile collects characteristics of all previously mentioned profiles: USPT, MARTE, SysML, and HIDOORS. The main contribution of this profile is twofold: it both provides modeling techniques that support the MDA based separation of PIM and PSM models as well as enabling the modeling of system architectures which is barely addressed in existing profiles and techniques. To fully support ANTRTS design, this new profile provides separate UML modeling views that enable the clear distinction between application and architecture details.

3. SUREAL PROFILE STRUCTURE

The SuReal UML Profile needs to support both ANTRTS development and QDD. The only way to accomplish both goals is to de-emphasize a linear refinement model and consider a more flexible mapping model. By separating function, from topology, from operating environment, from computational environment and using mappings to relate these for describing the intended system, the designer gains more freedom to alter each domain individually. In a pure refinement scheme, this would be much more difficult. This domain mapping is central to the SuReal methodology.

3.1 Separation of System Views

In order to provide the flexibility needed to support ANTRTS design, the SuReal divides a system’s model into four aspects: design, topology, operating environment, and computational environment. The design describes the function of a system, as well as its non-functional constraints. The topology describes how functions are shared out among functional units and what the communication links are. The operation environment describes the software infrastructure on which the system is intended to run, including operating system and middleware. The computational environment is the actual hardware elements that implement the topology and are to host the design. These model aspects are maintained separately so that a design could be easily rehosted on another hardware and a hardware can be reused for another design. Likewise, the operating environment and topology could also be changed without affecting the other aspects of the model. The relationship between these aspects can be described by mappings of elements of one aspect with elements of another. The goal is to minimize the reanalysis necessary for retargeting a design.

UML already supports a variety of diagrams for modeling a system’s design. For instance, class diagrams are used to describe the static structure of the class hierarchy, whereas state diagrams and sequence diagrams provide two different ways of describing the dynamic behavior of a system. This same mechanism can be used to model the four SuReal aspects by using sets of diagrams for each system aspect. A diagram can also be used to describe the mapping between two aspects.

UML models are also used to capture information for the analysis and verification of non-functional properties (NFPs) at different levels of abstraction. The MDA methodology starts with a PIM and refines it into a PSM. The PSM is then refined into an implementation through code generation. While the application aspects represent the platform-independent, conceptual design of a System, the infrastructure aspects provide the specific technology platform on which the system is to run.

Whereas MDA is based on successively refining a model through the production of a new model at each step, the SuReal profile keeps platform-independent information separate from platform-dependent information and relates them via maps. Instead of creating a new refined model at each step, the model is elaborated by associating new aspects to it via maps. These aspect may be newly created or taken from previous models.

One could think of the SuReal modeling space being divided into aspect quadrants, where the horizontal division is between function and architecture and the vertical division distinguishes between application and infrastructure. The result is the four aspects introduced above: design,

![Figure 2: SuReal views](image-url)
topology, operating environment, and computational envi-
ronment. When using an architecturally neutral realtime
programming language, such as realtime or safety critical
Java, code generation can be done directly from the appli-
cation aspects. The rest of the aspects are then only needed
for non functional analysis and system deployment. This
is a natural way to separate system information, providing
clarity and enabling efficient changes and reuse.

Figure 2 shows the horizontal and vertical divisions and
the four resulting aspects. The design aspect focuses on sys-
tem functionality. It also covers all possible NFPs on an
abstract level. The topology aspect describes the platform-
dependent system architecture. The two platform-specific
views link the system description to a specific hardware. The
operating environment aspect defines the underlying sup-
port software, e.g., operating system and virtual machine.
The computational environment view contains all the in-
formation of the concrete hardware, e.g., details about the
processor or bus to be used. All platform-dependent infor-
mation necessary to verify the non functional constraints
need to be captured in the operating environment and com-
putational environment aspects for software and hardware
respectively.

Each modeling aspect has its own set of properties asso-
ciated with it. Figure 2 illustrates this association for the
properties necessary for analysis and verification. Following
the MDA paradigm, the system is modeled abstractly (de-
sign and topology) and concretely (operating environment
and computational environment). Using Realtime or Safety
Critical Java as an ANRTS language, code generation can
be done directly out of the PIM with final analysis for a
given target platform done on the PSM.

Figure 3: System analysis and verification results

Analysis results must also be considered. Some analysis is
abstract and can be done on the PIM: design and topology
aspects. The rest is more concrete where platform specific
information is necessary. Care has been taken to distinguish
analysis results from modeling constraints. For instance,
WCET is only used as an analysis result, whereas the term
time budget is used as a modeling constraint. Figure 3 il-
luminates the information that could be obtained through
analysis and its relationship to modeling elements.

3.2 Classification of Modeling Elements

In order to use a modeling process that is divided into
the aforementioned aspects: design, topology, operating en-
vironment, and computational environment; one must know
what information belongs in each of these modeling aspect.
Furthermore, one needs a representation for system concepts
and elements that may be used in each aspect; therefore, not
only must all relevant design element be assigned to an as-
pect, but each element also needs to have an associate UML
representation. Finally, mappings are needed to define so
that analysis tools know what information to use when an-
alyzing an ANRTS design.

4. ANRTS MODELING

Using mapping instead of model transformation has the
advantage of providing greater flexibility. Given the division
of the modeling effort into four aspects: design, topology,
operating environment and computational environment, an
ANRTS developer can model the PIM aspects and the PSM aspects independently and then relate them via maps. There are still parts of the QDD (MDA and MDV) process, such as Java code generation, which require transformation, but these remaining transformations do not bind the model to a given deployment. The generated code itself can be completely platform independent, but since the goal is to support realtime and safety systems, infrastructure information is needed to qualify the performance of the design in the given operating environment.

4.1 Design Modeling

The Design modeling aspect represents an abstract, platform independent view of the application. Thus, it focuses on tasks, messages, data structures and—most important for model checking time behavior—time and other resource budgets.

4.1.1 Stereotypes and Tagged Values

Figure 4: Design Modeling Aspect Extension

The Design subprofile is shown in Figure 4. This subprofile has three main stereotypes: SRTask, SRMessageBudget, and SRExecutionBudget which are further specified by inheritance, leading to the applicable leaves for design modeling. These stereotypes are defined by a UML profile diagram as depicted in Figure 4. As can be seen, the Design subprofile defines eight substereotypes as well.

**Stereotype SRTask.**

**SRTask:** any path through the code, which needs CPU-time and can be scheduled. It has a defined starting point.

Five tagged values support this stereotype.

- **SRExecution budget:** time a task can use on an executing Resource.
- **SRTotal blocking time budget:** time budget which tasks wait for some resources other than the execution resource during a release.
- **SRArrival time budget:** The time from an event until the associated task begins execution. This is an artifact.
- **SRPreemption time budget:** time budget that can be spent waiting for the execution resource during a release.
- **SRDeadline:** the specified point in time by which a task must be finished. It is used explicitly by an earliest deadline first (EDF) scheduler. Usually it is given relative to some event.

The stereotype **SRTask** cannot be attached to any UML element. It only serves the purpose of combining general tagged values that all siblings have in common.

**Stereotype SRPriorityScheduleParameters.**

**SRPriority Schedule Parameters:** is a range and an order of priorities.

<table>
<thead>
<tr>
<th>Stereotype</th>
<th>PIM</th>
<th>PSM</th>
<th>Base Class</th>
<th>Parent Class</th>
<th>Tags</th>
<th>Inherited Tags</th>
</tr>
</thead>
<tbody>
<tr>
<td>&lt;&lt;SRPriorityScheduleParameters&gt;&gt;</td>
<td>UMLClass</td>
<td>UMLObjectInstance</td>
<td>SRTask</td>
<td>SRExecutionTimeBudget</td>
<td>SRTotalBlockingTimeBudget</td>
<td>SRActivationTimeBudget</td>
</tr>
</tbody>
</table>

Its six tagged values are as follows.

- **SRPriority:** a rank or index used to determine which task gets to use a resource first.
- **SRExecution budget:** time a task can use on an executing Resource.
- **SRTotal blocking time budget:** time budget which tasks wait for some resources other than the execution resource during a release.
- **SRArrival time budget:** The time from an event until the associated task begins execution. This is an artifact.
- **SRPreemption time budget:** time budget that can be spent waiting for the execution resource during a release.
- **SRDeadline:** the specified point in time by which a task must be finished. It is used explicitly by an earliest deadline first (EDF) scheduler. Usually it is given relative to some event.

The stereotype **Priority Schedule Parameters** can be attached to an UML Class or UML Object Instance.
SRExecution budget: time a task can use on an executing Resource.

SRTotal blocking time budget: time budget which tasks wait for some resources other than the execution resource during a release.

SRA ctivation time budget: The time from an event until the associated task begins execution. This is an artifact.

SRPreemption time budget: time budget that can be spent waiting for the execution resource during a release.

SRDeadline: the specified point in time by which a task must be finished. It is used explicitly by an earliest deadline first (EDF) scheduler. Usually it is given relative to some event.

Five Tags are defined.

- SRExecution budget: time a task can use on an executing Resource.
- SRTotal blocking time budget: time budget which tasks wait for some resources other than the execution resource during a release.
- SRA ctivation time budget: The time from an event until the associated task begins execution. This is an artifact.
- SRPreemption time budget: time budget that can be spent waiting for the execution resource during a release.
- SRDeadline: the specified point in time by which a task must be finished. It is used explicitly by an earliest deadline first (EDF) scheduler. Usually it is given relative to some event.

The stereotype SRBackgroundTask can be attached to an UML Class or UML Object Instance.

The stereotype SRTriggeredTask is a Task without own known activation. The activation occurs through a specified trigger (which can be the result of a task).

SRSporadicTask: Task with known activation cycle. The activation has some upper and lower bound for the interarrival time of activations.

Sporadic tasks have eight parameters.

- SRMinimum interarrival time: the minimum time between the arrival of two tasks.
- SRMaximum interarrival time: the maximum time between the arrival of two tasks.
- SRJitter: the maximum variation of some value.
- SRExecution budget: time a task can use on an executing Resource.
- SRTotal blocking time budget: time budget which tasks wait for some resources other than the execution resource during a release.
- SRA ctivation time budget: The time from an event until the associated task begins execution. This is an artifact.
- SRPreemption time budget: time budget that can be spent waiting for the execution resource during a release.
- SRDeadline: the specified point in time by which a task must be finished. It is used explicitly by an earliest deadline first (EDF) scheduler. Usually it is given relative to some event.

The stereotype SRSporadicTask can be attached to an UML Class or UML Object Instance.
Stereotype SRPeriodicTask.

**SRPeriodic Task**: Task with known activation cycle. The activation will be strictly periodical.

Periodic Tasks have the following tagged values:

- **SRTrigger**: is an event that causes the release of a task.
- **SRMinimum interarrival time**: the minimum time between the arrival of two tasks.
- **SRMaximum interarrival time**: the maximum time between the arrival of two tasks.
- **SRJitter**: the maximum variation of some value.
- **SRExecution budget**: time a task can use on an executing Resource.
- **SRTotal blocking time budget**: time budget which tasks wait for some resources other than the execution resource during a release.
- **SRActivation time budget**: The time from an event until the associated task begins execution. This is an artifact.
- **SRPreemption time budget**: time budget that can be spent waiting for the execution resource during a release.
- **SRDeadline**: the specified point in time by which a task must be finished. It is used explicitly by a earliest deadline first (EDF) scheduler. Usually it is given relative to some event.

The stereotype **SRPeriodicTask** can be attached to an UML Class or UML Object Instance.

Stereotype SRDataStructure.

**SRData structure**: This is a class without any methods used to describe objects such as data transmission packets.

This stereotype is just a marker so there are no tagged values.

The stereotype **SRDataStructure** can be attached to an UML Class.

Stereotype SRExecutionBudget.

**SRExecution budget**: time a task can use on an executing Resource.

Only one tagged value is defined.

- **SRDeadline**: the specified point in time by which a task must be finished. It is used explicitly by an earliest deadline first (EDF) scheduler. Usually it is given relative to some event.

The stereotype **SRExecutionBudget** can be attached to an UML Transition or UML Operation.

Stereotype SRReleaseBudget.

**SRRelease budget**: the time budget for triggering some task by some event.

Releases are a bit more complex and so have five tagged values.

- **SRTotal blocking time budget**: time budget which tasks wait for some resources other than the execution resource during a release.
- **SRActivation time budget**: The time from an event until the associated task begins execution. This is an artifact.
- **SRPreemption time budget**: time budget that can be spent waiting for the execution resource during a release.
- **SRDeadline**: the specified point in time by which a task must be finished. It is used explicitly by an earliest deadline first (EDF) scheduler. Usually it is given relative to some event.
• **SRExecution budget:** time a task can use on an executing Resource.

The stereotype **SRReleaseBudget** can be attached to an UML Class, Object Instance, Transition or Operation.

### 4.2 Topology Modeling

The **Topology** modeling aspect is rather simple. It describes the application’s hardware in a platform independent way. It specifies the interconnection between nodes, the links, and specifies the paths for messages. Only the Composite Structure Diagram\(^1\) is needed to model topology.

#### 4.2.1 Stereotypes and Tagged Values

The Topology subprofile is shown in Figure 5. It has two applicable stereotypes: **SRNode** and **SRLink**.

![Figure 5: Topology Modeling Aspect Extension](image)

**Stereotype SRNode.**

**SRNode:** is an abstract execution unit for tasks.

<table>
<thead>
<tr>
<th>Stereotype</th>
<th>PIM</th>
<th>PSM</th>
<th>Base Class</th>
<th>Parent Class</th>
<th>Tags</th>
<th>Inherited Tags</th>
</tr>
</thead>
<tbody>
<tr>
<td>&lt;&lt;SRNode&gt;&gt;</td>
<td>x</td>
<td>UMLClass</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

The stereotype **SRNode** can be attached to an UML Component.

**Stereotype SRLink.**

**SRLink:** is a common communication platform for multiple nodes.

<table>
<thead>
<tr>
<th>Stereotype</th>
<th>PIM</th>
<th>PSM</th>
<th>Base Class</th>
<th>Parent Class</th>
<th>Tags</th>
<th>Inherited Tags</th>
</tr>
</thead>
<tbody>
<tr>
<td>&lt;&lt;SRLink&gt;&gt;</td>
<td>x</td>
<td>UMLClass</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

The stereotype **SRLink** can be attached to an UML Component.

\(^1\)only available in UML 2.0

### 4.3 Operating Environment Modeling

The operating environment aspect describes the software part of the target system. The most common element is the operating system itself, though other support software such as network protocols, virtual machines, and middleware may be included here.

#### 4.3.1 Stereotypes and Tagged Values

The following stereotypes are provided in the Operating Environment subprofile: **SRBusProtocol**, **SROS**, and **SRSchedulingParameters**, as shown in Figure 6.

**Figure 6: Operating Environment Modeling Aspect Extension**

**Stereotype SRBusProtocol.**

**SRBus protocol:** specifies the format for data exchange via the bus-system.

<table>
<thead>
<tr>
<th>Stereotype</th>
<th>PIM</th>
<th>PSM</th>
<th>Base Class</th>
<th>Parent Class</th>
<th>Tags</th>
<th>Inherited Tags</th>
</tr>
</thead>
<tbody>
<tr>
<td>&lt;&lt;SRBusProtocol&gt;&gt;</td>
<td>x</td>
<td>UMLClass</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

The stereotype **SRBusProtocol** can be attached to an UML class.

**Stereotype SROS.**

**SROperating system (OS):** is a set of computer programs that manage the hardware and software resources of a computer. An operating system processes raw system and user input and responds by allocating and managing tasks and internal system resources as a service to users and programs of the system. At the foundation of all system software, an operating system performs basic tasks such as controlling and allocating memory, prioritizing system requests, controlling input and output devices, facilitating networking and managing file systems. Most operating systems come with an application that provides an interface to the OS managed resources. [18]

<table>
<thead>
<tr>
<th>Stereotype</th>
<th>PIM</th>
<th>PSM</th>
<th>Base Class</th>
<th>Parent Class</th>
<th>Tags</th>
<th>Inherited Tags</th>
</tr>
</thead>
<tbody>
<tr>
<td>&lt;&lt;SROperatingSystem&gt;&gt;</td>
<td>x</td>
<td>UMLClass</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</tbody>
</table>

The stereotype **SROperatingSystem** can be attached to an UML class.

**Stereotype SRSchedulingParameters.**

**SRScheduling Parameters:** Priority, Deadline, Preemption, Time Slot, etc.
The stereotype SRSchedulingParameters can be attached to a UMLPartInstance.

### 4.4 Computational Environment Modeling

The Computational Environment subprofile describes the actual hardware components used in the PSM. It is part of a possible deployment infrastructure of an ANRTS model. It primarily provides the hardware specific information needed to analyze the timing behavior of its model.

#### 4.4.1 Stereotypes and Tagged Values

The following stereotypes are provided in the Computational Environment subprofile: SRProcessor, and SRNetworkSegment, shown in Figure 7.

**Stereotype SRProcessor.**

SRProcessor: is a component in a digital computer that interprets computer program instructions and processes data.

The stereotype SRProcessor can be attached to an UML Class.

**Stereotype SRNetworkSegment.**

SRNetwork segment: is a bus???

The stereotype SRNetworkSegment can be attached to an UML Class.

### 4.5 Mappings

In order to use mappings in place of transformations for model refinement, several mappings are needed. Each mapping represents some step in the refinement process. In accordance with the MDA paradigm, though not a transformation, each refinement step fills the model with the details needed for that refinement step. Mappings are the essential facility for flexible design change in ANRTS models. Three types of mapping are necessary: Application Mapping, Scheduling Mapping, and Architecture Mapping.

#### 4.5.1 Mapping Dependencies

Mappings enhance models by relating different modeling aspects. This means that the corresponding aspects must first exist. Each map require its own model. The application map requires the design and topology model, the scheduling map requires the operating environment model as well, and the architecture map relies on the topology and computational environment model, as depicted in Table 2. Attention must be kept on later model changes after the completion of any mapping. In this case each mapping of the modified models needs to be refreshed.

<table>
<thead>
<tr>
<th>Map From Aspect</th>
<th>To Aspect</th>
</tr>
</thead>
<tbody>
<tr>
<td>Application</td>
<td>design</td>
</tr>
<tr>
<td>Scheduling</td>
<td>operating environment</td>
</tr>
<tr>
<td>Architecture</td>
<td>topology</td>
</tr>
<tr>
<td></td>
<td>computational environment</td>
</tr>
</tbody>
</table>

Table 2: Map Dependencies

---

Application Mapping.

The application map bridges the gap between design and topology at the application level. It maps processes to nodes and messages to links. The process map deploys the processes on the nodes of a topology while the message map specifies the path of a message on a topology.
Scheduling Map.
The scheduling map links topology elements to elements from the operating environment, which is one of the maps that includes a transformation from PIM to PSM. This way the topology model is enhanced with concrete information about scheduling, operating system, and bus protocol. In case of a one processor architecture, it is also possible to implement the scheduling map by mapping the design directly to the operating environment.

Architecture Map.
Finally, the architecture map is the other map that includes a PIM to PSM transformation. It associates topology elements with hardware elements. This map is the last part of a transitive mapping (design-topology-hardware). It maps I/O, nodes to processors, and links to network segments. The node map assigns nodes to concrete processors on the hardware. Together with the application map, it is defined which process will run on which processor. The link map associates links to network segments and thus, specifies the concrete path for every single message.

The profile defined here will be used in the context of the SuReal project to use realtime Java Technology to build robust ANRTS systems. The profile will be the starting point for a full development toolchain including code generation, model verification, timing and memory analysis, and code validation. The profile will be augmented with a library facility to further simplify redesign.

7. ACKNOWLEDGMENTS
Some of the funding for this work was provided through the SuReal project sponsored by the German Government (BMBF) for which the authors are grateful.

8. REFERENCES