Model-based software development uses a model as the centerpiece of the development process. Software engineers create a model of the system behavior that can then be translated into different languages such as C or Ada by the appropriate code generator. The model is continually refined throughout the development process and can even be executable. For maximum benefit, the generated code should not be modified by software engineers; when changes are desired, the model is revised and code is generated from the revised model.
Both the modeling tool and the code generation tool are part of a toolset that makes up the model-based development system, referred to in this guidance as MBDS.
Efficiency is a key benefit of using MBDS, but there are many considerations to be reviewed when deciding whether MBDS is the right choice for a project. For a list of pros and cons, see the
This document addresses guidance for projects that desire to use MBDS. This guidance addresses:
- Identifying the need for MBDS.
- Choosing an appropriate MBDS.
- Practices to avoid.
- Recommended practices.
Approves MBDS acquisition
Software Project Lead
MBDS analysis and selection, project procedure development
Carrying out recommended practices
Receive, verify and validate MBDS tools, auto-generated code
2. Determining the need for MBDS
Before automatically assuming that MBDS is the right choice, it should be determined whether this type of system is appropriate for the project. The following questions should be addressed when making this determination:
3. Choosing MBDS
Once the decision has been made that MBDS is appropriate for a project, the actual system needs to be selected. When choosing a system, the following considerations should be included in the decision-making process:
- How much of the code can the tool generate?
- How much will have to be hand-coded?
- Look at the MBDS's history/track record.
- Determine what, if any, analysis exists to verify the software produced by the MBDS.
- Choose the right tool for the development environment.
- Choose the right method for the problem to be solved.
- Choose tools and methods that will work together.
- Choose MBDS that allows focus to be on the model/design, which is the problem, not the code.
- Choose MBDS in which the domain knowledge is made explicit for the development team, being captured in the modeling language and its tool support.
- Consider importance to project of being able to use different input models.
- Consider how much flexibility is needed to meet project requirements for generated code.
- If each mission can impose its own coding standards for the code being generated, then the flexibility of the output of the generator is important.
- Consider whether the project has a need for generating multiple forms of code from the same input, such as 1) C/C++ code, 2) a model representation that can be run through a model-checking tool and 3) a model that can be executed in simulation.
4. Issues and Pitfalls, Practices to Avoid
As with any development methodology, there are issues associated with MBDS and practices that can result in unintended consequences. To ensure the best outcome for a project using MBDS, the following recommendations should be part of the process of developing associated procedures:
- MBDS which are maintained internally (e.g., project or center) can have customizations and/or bug fixes that may not be documented or that may have side effects.
- One advantage of MBDS is moving some of the testing activities earlier in the life cycle. If major problems are found, they can be resolved with less impact on the budget or schedule of the project.
- Disadvantages include a reliance on the automatically generated source code (which may not be generated correctly) and the difficulty of knowing how well the model conforms to reality. Interactions between parts of the system may not be evident until the system is operational.
5. Recommended Practices
The following practices, collected from a variety of sources, are recommended practices when using MBDS in a project. These practices should be considered when developing project or center procedures for the use of MBDS:
- Including instrumentation, such as internal or intermediate check points, in production code is problematic as that code has the potential for inadvertent execution.
- Including instrumentation and then removing it is also problematic as it changes the production code from the tested, verified code.
- Invalid models should be rejected by the generator while correct models should be translated properly into code.
- Correct functioning of the generator can be ensured if the test model and the generated code behave the same when subjected to the same stimulus/test data.
- Keep the model as simple as possible
- Keep the model semantically well-defined
- Keep the model organized and manageable
- Use a practical point of view: if you aren't going to use it, don't model it
- Include system engineers and software engineers in joint reviews to identify misunderstood or unclear requirements.
- Use separate folders/directories for generated code.
- Include commentary at the beginning of generated code to clearly identify it as generated.
- Code which is 100 percent generated should neither be changed nor checked into the repository.
- Code which is 100 percent generated is a disposable good - the important artifacts are the models.
- The only time it can make sense to check-in generated code is when, for some reason, it is impossible to integrate the generator run into the build process.
- Generated code should satisfy the same quality requirements that apply to manually written code.
- Generated code should follow applicable coding styles and use well-established design patterns.
- Make an effort to understand what details are being abstracted and make a conscious choice as to whether the team will be comfortable with the level of abstraction provided.
- A good practice is to maintain a controlled library of accepted, reusable model elements and limit developers to using only approved libraries.
- A mechanism should exist for getting additional model elements into the approved library.
- Each project may need to review the library set for suitability for that application. For example, a model element that is acceptable for processing data on the ground may not be acceptable on a real-time flight control system.