Integration of a Qualifiable Model Transformation Into a Model-Based Process for Integrated Modular Avionics Configuration Development
Model transformations are used to automate the development process of Integrated Modular Avionics (IMA) configurations. However, the generated configurations are not allowed to be applied in a safety-critical process, as the model transformations are not qualified. This presentation introduces TRA, a qualifiable model transformation language and engine. The qualification of a model transformation requires substantial effort. Therefore, the user of a model transformation should be supported in the tool qualification process. TRA provides a domain-specific language, MetaTRA, for defining transformation models. A code generator, the TRA generator, generates the executable model transformation code, the TRA executor, which is implemented following safety-critical programming concepts. The presentation further demonstrates the integration of a qualifiable model transformation in a model-based tool environment. This tool environment consists of a graphical editor with visualization verification and a generic model interaction interface. A tool qualification agent supports the tool qualification process through model-based and automated generation of the tool qualification artifacts. The presentation showcases a proof of concept for a model transformation process.
Model transformations transform a source model into a target model based on transformation rules. TRA is a graph-based model transformation language that applies the formal methods of graph rewriting. TRA consists of the reduced model transformation language MetaTRA, a restrictive language limiting the possibilities for defining transformation models. A transformation model specifies the transformation rules and the rule sequencing. From the transformation model, the TRA generator generates the executable model transformation code. The TRA generator itself remains unqualified, as the generated model transformation is fully verified. The presented model transformation is applied to a platform architecture model in the Open Avionics Architecture Model language. The model transformation adds ARINC 653 partition tasks to the platform architecture model for every IMA device in the model and allocates the task. To be qualifiable, the model transformation implements safety-critical programming concepts, such as static memory allocation. The model transformation code is analyzed using a static code analysis tool.
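The rule described above (one partition task added and allocated per IMA device, with static memory only), as an added example in C that is not TRA-generated code and not taken from the presentation. All type and function names, the fixed capacities, and the condition that skips devices which already have a task are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

#define MAX_NODES  16   /* assumed fixed capacities: no malloc anywhere */
#define MAX_ALLOCS 16

typedef enum { NODE_IMA_DEVICE, NODE_OTHER_DEVICE, NODE_TASK } node_kind;
typedef struct { node_kind kind; char name[24]; } node;
typedef struct { size_t task; size_t device; } alloc_edge;
typedef struct {
    node       nodes[MAX_NODES];   size_t n_nodes;
    alloc_edge allocs[MAX_ALLOCS]; size_t n_allocs;
} model;

/* Negative application condition (assumed): device already has a task. */
static int has_task(const model *m, size_t dev) {
    for (size_t i = 0; i < m->n_allocs; i++)
        if (m->allocs[i].device == dev) return 1;
    return 0;
}

/* Append a node to the static pool; returns its index, or -1 when full. */
int add_node(model *m, node_kind kind, const char *name) {
    if (m->n_nodes >= MAX_NODES) return -1;
    node *n = &m->nodes[m->n_nodes];
    n->kind = kind;
    strncpy(n->name, name, sizeof n->name - 1);
    n->name[sizeof n->name - 1] = '\0';
    return (int)m->n_nodes++;
}

/* Rewrite rule: for every IMA device without a task, add a task node and an
 * allocation edge. Returns the number of rule applications, or -1 (model
 * left unchanged) when the static pools cannot hold the whole result. */
int apply_partition_task_rule(model *m) {
    size_t matches = 0, original = m->n_nodes;
    for (size_t d = 0; d < original; d++)
        if (m->nodes[d].kind == NODE_IMA_DEVICE && !has_task(m, d)) matches++;
    if (m->n_nodes + matches > MAX_NODES || m->n_allocs + matches > MAX_ALLOCS)
        return -1;                   /* checked before any modification */
    for (size_t d = 0; d < original; d++) {
        if (m->nodes[d].kind != NODE_IMA_DEVICE || has_task(m, d)) continue;
        int t = add_node(m, NODE_TASK, "partition_task");
        m->allocs[m->n_allocs++] = (alloc_edge){ (size_t)t, d };
    }
    return (int)matches;
}

int main(void) {                     /* constructed one-device model */
    static model m;
    add_node(&m, NODE_IMA_DEVICE, "cpm_1");
    return apply_partition_task_rule(&m) == 1 ? 0 : 1;
}
```

Checking capacity before the first modification keeps the rule all-or-nothing, so a model that does not fit the static pools is rejected rather than partially transformed.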
The presentation shows the integration of the model transformation into a model-based process. The process starts with the creation of a platform architecture model in the model-based graphical editor. Then, the TRA executor applies the model transformation to the architecture model. The transformed model is visualized, and the visualization verification tool verifies the correctness of the visualization. All tools operate on a shared model database. For model interaction, the tools use the Essential Object Query language (EOQ) in the non-qualifiable PyEOQ3 version. To support the tool qualification process, the tool qualification agent generates the tool requirements for the model transformation.
The model transformation is integrated into the model-based tool environment as part of a demonstrator. The validation confirms that the model transformation process can be executed successfully. For further research, the depth of integration in the demonstrator can be expanded by developing the transformation model in the graphical editor. The PyEOQ3 language must be replaced by a qualifiable model query language compatible with the tool environment. To further automate the tool qualification process, the tool qualification agent should also generate test cases and test artifacts for the model transformation.