Model Evolution

Why is Model Evolution needed?

Seldomly, an Aspect Model can be created completely in one step from ideation to conceptualization.

Authoring an Aspect Model is comparable to the creation of a software artifact. At first, a domain model draft or concept map is created to capture the understanding of the respective domain experts (cf. domain-driven design), which is then formalized into an actual Aspect Model. After multiple iterations, each of which improves the modeled concepts and the overall quality of the model, a first "complete" version is created. This first version might contain the minimal subset of relevant Properties complete with correct Characteristics and proper descriptions.

This "Version 1.0" of the model can then be used to implement the first version of the corresponding Aspect. Imagine that the service is running and delivers data that corresponds to the "Version 1.0" of the Aspect Model. Clients are developed as well, possibly by different parties, and happily consume the Aspect data. However, sooner or later there will be a need for change in the Aspect Model. For example, it could be missing relevant Properties, existing Properties could use wrong Characteristics, descriptions or names, or could be missing localizations. This can happen for many reasons:

The modelled device or asset changes,
Clients find that they need certain pieces of data that were originally deemed unimportant and thus excluded from the Aspect Model, or that should have a different structure,
In the original model, something was modelled in the wrong way,
As part of the natural evolution of the model when the initial minimal subset of Properties is expanded to a comprehensive description of the domain,
etc.

It is to be expected that an Aspect Model is continually improved upon (to a certain point, when it is considered "finished"). The model maintainers can change the Aspect Model as they see fit and release a new version. But what happens with the running Aspects and clients? Do all of them have to be changed immediately every time?

Decoupling of Models and Payload

The first measure towards a graceful evolution of Aspect Models in a living system (i.e., the models don’t live in a vacuum but are actually used by Aspects and Clients) is the decoupling of models and payload. In the section that describes the mapping of Aspect models to corresponding JSON payloads, you can see that the JSON payloads have no indication of the Aspect Model that describes them. In particular, they do not contain a reference to the URN of the corresponding Aspect Model. This is similar to how the structure of a JSON document can be validated against a JSON Schema.^[1]

Therefore there are changes that can be made in the Aspect Model so that the structure of the corresponding JSON payload does not change. We will call this type of changes safe changes. When a new version of an Aspect Model is released that contains only safe changes and a corresponding Aspect delivers only data that is valid in regards to the new version of the Aspect Model, the data is also still valid in regards to the previous version of the Aspect Model. The Aspect can therefore still be used by clients built using the previous version without having to be changed.

At the place used to look up the Aspect, the previous version of the Aspect Model and the updated version can and should both be associated simultaneously with the same Aspect endpoint. This allows clients that only understand the previous version of the Aspect Model to still consume data from the Aspect (although they do not benefit from the updates introduced in the new model version), while clients that are updated to use the new Aspect Model can benefit from the update.

At some point, older versions of the model can be removed from the Aspect. However, the exact conditions of when this can be done depend heavily on the concrete use case and are therefore out of scope of this document.

Safe Changes for Graceful Model Evolution

Every change to the Aspect Model that is backwards compatible in the sense that it permits all previously permitted JSON payloads and keeps semantics (see below) is a safe change.

The following table gives an overview of the safe and unchanges that mainly concern the structure of the data.

Safe Changes Unsafe Changes

Safe Changes	Unsafe Changes
Adding, removing or changing attributes that are never part of payloads, e.g., `samm:preferredName`, `samm:description` and `samm:see` Adding a new Property Making a mandatory Property optional Changing a data type a to type b when a can be cast to b Removing values from an Enumeration	Renaming an existing Property Making an optional Property mandatory Changing a data type a to type b when a can not be cast to b Adding values to an Enumeration Changing values in an Enumeration

Adding, removing or changing attributes that are never part of payloads, e.g., samm:preferredName, samm:description and samm:see
Adding a new Property
Making a mandatory Property optional
Changing a data type a to type b when a can be cast to b
Removing values from an Enumeration

Renaming an existing Property
Making an optional Property mandatory
Changing a data type a to type b when a can not be cast to b
Adding values to an Enumeration
Changing values in an Enumeration

Deciding whether a change to a Characteristic is safe depends on the change itself. Basically, a change that adds restrictions on the value range is safe, while removing restrictions is unsafe, if and only if the effective value range was equivalent in the first place. For example, adding a Regular Expression Constraint that restricts values on a Text Characteristic is safe, because an Aspect that delivers data which is valid for both the previous version of the Aspect Model (without the Constraint) and for the new version (with the Constraint) will only ever deliver data that clients using the previous version of the Aspect Model can understand. Adding the constraint in the model just makes the previous implicit assumption explicit and visible. If the Constraint on the other hand signifies an actual change, i.e., values that were previously valid are no longer valid in the new version, this is an unsafe change.

If the value range is effectively the same and has the same meaning, for example by replacing a Regular Expression Expression on a Text Characteristic with an Enumeration that has the same values as those that would be parsed by the Regular Expression, or vice versa, this is a safe change as well. Changes such as this can be made when an Aspect Model is refactored to be better readable or understandable. Another example is changing a Characteristic with a string-like value space into a Structured Value: The payload does not change, but the meaning is specified in greater detail by describing all logical parts of the value.

If the value range is effectively the same but the meaning is different, this is not considered a safe change, because the domain semantics captured by the Aspect Model are not the same. For example, if the unit of a Measurement Characteristic is changed from unit:metre to unit:inch but both versions use xsd:int as a data type, values have obviously different meanings. This means that a specific Aspect endpoint using this Aspect Model must not be associated with both versions of the Aspect Model simultaneously. Of course, the Aspect can implement both versions and make them available on different endpoints.

When only safe changes are made to the Aspect Model, the model author can choose between increasing the MINOR part of the version (e.g. from 1.0.0 to 1.1.0) or the PATCH part of the version (e.g. from 1.0.0 to 1.0.1). Otherwise, the model author can choose between increasing the MINOR part or the MAJOR part of the version (e.g. from 1.0.0 to 2.0.0). The latter change should be used to indicate structural and semantic incompatibility between versions.

Example: Evolution of an Aspect Model

Let’s consider a simple Aspect Model MachineOnlineStatus that describes a Property onlineStatus which represents the information about whether a machine is online, offline, starting up or undefined (if the current status can not be retrieved).

@prefix : <urn:samm:com.mycompany.myapplication:1.0.0#> .
@prefix samm: <urn:samm:org.eclipse.esmf.samm:meta-model:2.0.0#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

:MachineOnlineStatus a samm:Aspect ;
   samm:properties ( :machineOnlineStatus ) ;
   samm:operations ( ) .

:machineOnlineStatus a samm:Property ;
   samm:description "The current machine online status. Can be either ON, OFF, BOOTING or UNDEFINED."@en ;
   samm:characteristic [ (1)
      a samm:Characteristic ;
      samm:dataType xsd:string
   ] .

In version 1.0.0 of the model, the modeler decides to first represent the Property itself using an OnlineStatus Characteristic ①. They use the string datatype to be able to represent the four valid states given in the target machine’s data sheet.

@prefix : <urn:samm:com.mycompany.myapplication:1.0.1#> .
@prefix samm: <urn:samm:org.eclipse.esmf.samm:meta-model:2.0.0#> .
@prefix samm-c: <urn:samm:org.eclipse.esmf.samm:characteristic:2.0.0#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

:MachineOnlineStatus a samm:Aspect ;
   samm:properties ( :machineOnlineStatus ) ;
   samm:operations ( ) .

:machineOnlineStatus a samm:Property ;
   samm:description "The current machine online status."@en ;
   samm:characteristic [
      a samm-c:Enumeration ; (2)
      samm:dataType xsd:string ;
      samm-c:values ( "ON" "OFF" "BOOTING" "UNDEFINED" )
   ] .

The modeler decides to reify the possible status values by using an Enumeration as the characteristic ②. Because the Property still has the string datatype, payloads for the previous and the current model version do not differ. Taking into account that the description in the previous model version states the valid values and they do not differ to the Enumeration’s values, this makes the change a safe change. Therefore, the Aspect Model’s version is increased to 1.0.1.

@prefix : <urn:samm:com.mycompany.myapplication:1.0.2#> .
@prefix samm: <urn:samm:org.eclipse.esmf.samm:meta-model:2.0.0#> .
@prefix samm-c: <urn:samm:org.eclipse.esmf.samm:characteristic:2.0.0#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

:MachineOnlineStatus a samm:Aspect ;
   samm:properties ( :machineOnlineStatus ) ;
   samm:operations ( ) .

:machineOnlineStatus a samm:Property ;
   samm:description "The current machine online status."@en ;
   samm:characteristic [
      a samm-c:Enumeration ;
      samm:dataType xsd:string ;
      samm-c:values ( "ON" "OFF" "BOOTING" ) (3)
   ] .

By carefully reading the machine’s data sheet, the modeler determined that the UNKNOWN online status can only ever occur before some machine-internal controller is initialized, which only occurs during booting the device. Thus, they remove the UNKNOWN status from the enumeration ③, because BOOTING can always be used in its place. This results in the following points:

The status that is confusing to users and downstream developers is removed. The model more clearly states its purpose.
By removing the machine-specific idiosyncrasy, the model is more generally applicable and can be used with other devices as well.
The implementation of the Aspect can no longer just pass-through the value read from the device but has to clean up the value. In this case this is trivial, but in more complex scenarios this might require according complex logic. However, it is always preferable to perform data clean up in the Aspect and therefore present an interface via the Aspect Model that is as "clean" as possible.

Removal of the UNKNOWN status is a safe change: Clients that can deal with the previous status set, can also deal with the sub-set that does not include UNKNOWN. For this reason, the version is increased to 1.0.2.

@prefix : <urn:samm:com.mycompany.myapplication:1.1.0#> .
@prefix samm: <urn:samm:org.eclipse.esmf.samm:meta-model:2.0.0#> .
@prefix samm-c: <urn:samm:org.eclipse.esmf.samm:characteristic:2.0.0#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
@prefix previousVersion: <urn:samm:com.mycompany.myapplication:1.0.2#> .

:MachineOnlineStatus a samm:Aspect ;
   samm:properties ( :onlineStatus ) ;
   samm:operations ( ) .

:onlineStatus a samm:Property ; (4)
   samm:description "The current machine online status."@en ;
   samm:see previousVersion:machineOnlineStatus ; (5)
   samm:characteristic [
      a samm-c:Enumeration ;
      samm:dataType xsd:string ;
      samm-c:values ( "ON" "OFF" "BOOTING" )
   ] .

The modeler decides that the Property name machineOnlineStatus is too long and redundant and renames it to onlineStatus ④. This is an unsafe change, because the JSON payload that corresponds to the Aspect Model is now changed structurally. The Aspect Model version is increased to 1.1.0: The Aspect Model still represents the same data which means that an increase of the major version is not warranted, but payloads are not any longer directly compatible, so the minor version is increased. To indicate the relation between machineOnlineStatus in the previous model version and onlineStatus in the current model version, an explicit link is added using samm:see ⑤. This is optional and purely informational and will show up in the Aspect Model’s generated documentation, but it is not a piece of information that consumers of the Aspect Model programmatically rely on.

@prefix : <urn:samm:com.mycompany.myapplication:1.0.3#> .
@prefix samm: <urn:samm:org.eclipse.esmf.samm:meta-model:2.0.0#> .
@prefix samm-c: <urn:samm:org.eclipse.esmf.samm:characteristic:2.0.0#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

:MachineOnlineStatus a samm:Aspect ;
   samm:properties ( [ samm:property :onlineStatus;
                       samm:payloadName "machineOnlineStatus" ] ) ; (6)
   samm:operations ( ) .

:onlineStatus a samm:Property ;
   samm:description "The current machine online status."@en ;
   samm:characteristic [
      a samm-c:Enumeration ;
      samm:dataType xsd:string ;
      samm-c:values ( "ON" "OFF" "BOOTING" )
   ] .

Renaming the Property in the last step is a change made to demonstrate dealing with unsafe changes. Alternatively, the modeler could rename the Property but still keep this change a safe change by specifying a samm:payloadName ⑥ that corresponds to the effective payload name of the Property in the previous version of the Aspect Model (i.e., 1.0.2). In this scenario, since the change is a safe change, the version is increased to 1.0.3 instead of 1.1.0.

In the example scenario, when associating Aspect endpoints with a Digital Twin, three Aspect entries for the MachineOnlineStatus Aspect could be associated with a Digital Twin (one for each of the versions 1.0.0, 1.0.1 and 1.0.2) with the same Aspect endpoint that only actually implements model version 1.0.2, because payloads are compatible. For model version 1.1.0, a separate endpoint needs to be provided by the Aspect implementation.

1. However, a JSON Schema only describes a document’s structure, not its meaning or content.