
SAFE RTP: An open source reference tool platform for the safety modeling and analysis

To cite this version:
S. Voget. SAFE RTP: An open source reference tool platform for the safety modeling and analysis. Embedded Real Time Software and Systems (ERTS2014), Feb 2014, Toulouse, France. <hal-02271290>

HAL Id: hal-02271290
https://hal.science/hal-02271290
Submitted on 26 Aug 2019

S. Voget (1)

1: Continental, Siemensstraße 12, 93055 Regensburg, [email protected]

Abstract

Seamless modeling and implementation from requirements down to software code generation of safety critical systems in the automotive industry is still a challenge. Often, neither the modeling principles nor the tools are consistent. This paper introduces the Eclipse based platform implementations Artop, EATOP and SAFE RTP and shows how seamless modeling of a safety related automotive system can be realized by combining all three platforms.

Keywords:

automotive; reference tool platform; safety modeling; safety analysis

Introduction

Modern vehicles are extremely complex embedded systems that integrate software and hardware from a large set of contributors. In order to cope with this complexity during development, it is becoming more and more common to use suitable abstractions, i.e., models that allow for an early validation of important properties. In particular, hardware models are used for analysis. Functional models, like Matlab/Simulink or ASCET, are used in software development in order to allow for an early validation of software. On Electric/Electronic (E/E) architecture level, domain specific architecture description languages like EAST-ADL [5], SysML or the AUTOSAR [1] standard enable properties of the system architecture to be modeled, which facilitates system wide analysis, design space exploration, reuse of development artifacts and change management.

For safety related aspects, a new standard, ISO 26262 [9], was finalized in 2011. The standard is an adaptation of the functional safety base norm IEC 61508 [8] to the specific needs of E/E systems in road vehicles. It applies to all activities during the safety lifecycle of safety-related systems comprising electrical, electronic and software elements that provide safety-related functions.

It is still not clear how the artifacts and models necessary for safety documentation and analysis can and should be integrated in order to minimize modeling effort, to keep consistency between artifacts and to enable effective reusability and change management. Methods that allow automotive products to be developed according to ISO 26262 have to be applicable to such an integrated model. Furthermore, tool chains, or better, tool platforms are necessary to support the developer in keeping the consistency.

Current research and standardization activities are under way to develop methods, meta-models and domain specific languages (DSLs) that enable integrated modeling through the whole development life cycle [10] [12] [15]. Important activities are driven by the EAST-ADL association [3], the MAENAD project [5], the SAFE project [6] and by AUTOSAR. EAST-ADL provides a DSL based on abstraction levels from functional modeling through system architecture to detailed HW and SW design. AUTOSAR supplements this DSL with a meta-model for the software configuration of electronic control units.
Several activities are under way to develop associated tool platforms. ARTOP [2] is an industry driven user group that develops a tool platform for the AUTOSAR meta-model. A similar project providing a technology reference platform for EAST-ADL is the Eclipse project EATOP [4]. To enable and push the realization of this technology platform, it was introduced by the Eclipse Automotive Industry Working Group (I-AWG) [13]. The utilities of Sphinx [7] are closely related: Sphinx is an Eclipse project that develops the extensions of EMF based platform support needed to enable ARTOP, EATOP and others.
The ITEA2 project SAFE (Safe Automotive software architecture) [6] is a European funded project. It provides methods for integrated safety modeling and safety analysis [12], e.g. efficient capturing of safety goals and requirements or safety evaluation. The results ensure and speed up the efficient development of safety features in cars. To allow evaluation of the methods within significant industrial case studies, a reference technology platform (RTP) is defined and extended with a set of appropriate plug-ins [14]. The DSL provided by SAFE is related to EAST-ADL and AUTOSAR and extends these with safety related information. The RTP provided by SAFE is based on EATOP and ARTOP.

In the remainder of the paper we give a short overview of the mentioned DSLs and introduce the Eclipse based tool platforms EATOP, ARTOP and SAFE RTP. A use case with the SAFE RTP demonstrator illustrates the relationships between the three platforms and how they can help to model seamlessly in the development of safety related electronic control units.

The DSL’s EAST-ADL and AUTOSAR

EAST-ADL is a domain specific language for modeling the functional, system, software and hardware architecture in the automotive domain. EAST-ADL was initiated in 2001 by the ITEA funded project EAST/EEA. Further development was done in two funded projects, ATESST and ATESST2. Since 2010 the European funded project MAENAD [5] maintains and extends the language with respect to electrified vehicles and safety development lifecycle modeling. For long-term maintenance and dissemination, the EAST-ADL association [3] has been founded. It maintains the meta-model definition and makes the latest version available to the public.

AUTomotive Open System ARchitecture (AUTOSAR) [1] is a worldwide development partnership of car manufacturers, suppliers and other companies from the electronics, semiconductor and software industry. It facilitates the exchange and update of software and hardware over the service life of the vehicle. AUTOSAR is thus aimed at implementation needs rather than architectural planning.

EAST-ADL operates on a more abstract level than AUTOSAR. It provides the possibility to model systems on different abstraction levels. It is much like the well-known Unified Modeling Language (UML), but as an automotive specific specialization in its own DSL. UML, for example, defines six different structure diagrams and seven behavior and interaction diagrams, whereas EAST-ADL only defines class diagrams, which capture the structure of the relevant concepts.

The EAST-ADL specifies four levels of abstraction to model an automotive electronic system: Vehicle Level (VL),
Analysis Level (AL), Design Level (DL) and Implementation Level (IL) as shown in Figure 1.

Figure 1: Structure of EAST-ADL (see also [3])

At the vehicle level the system is described from a very abstract position by means of features. These describe 'what' is included in the system, not 'how' it is realized. The features are organized in a feature model, which relates to requirements and use cases.
The analysis level realizes the features from a functional view point. Abstract functions and devices are defined and their interaction with the environment is specified. The technical view point is allocated to the design level. It provides means to model the concrete hardware architecture and a function-to-hardware allocation. The previously defined models are now more implementation-oriented.
Finally, the implementation level is reserved for the software-based implementation of the system. EAST-ADL does not define its own meta-model for this level but refers and connects to AUTOSAR.

The goals of modeling with EAST-ADL are to handle complexity and improve safety, reliability, cost, and development
efficiency through model-based development.

The SAFE project

Model based safety analysis is in the scope of current automotive system and software engineering. The international research project SAFE has the goal of enabling ISO 26262 compliance of a model based development process. SAFE started in July 2011 and will end in December 2014. The concepts, an integrated meta-model, the technology platform and a process model were already published in 2013 (see [6]). Evaluations will follow in mid 2014.

The three main objectives of SAFE are:

• Extension of EAST-ADL and AUTOSAR, to enable effective integration of artifacts associated with the application of ISO 26262. The extended model is implemented in a reference technology platform (SAFE RTP).
• Methods, e.g. for efficient capturing of safety goals and requirements as well as for safety evaluation, are enhanced in order to benefit from the integrated model. The SAFE RTP is extended with a set of appropriate plug-ins.
• An ISO 26262 compliant process is defined on top of model-based development and evaluated in realistic and measurable industrial case studies.

Due to the complexity of the challenge and the need to define interfaces between the industrial parties, this can only be tackled effectively in a joint initiative that includes carmakers, their tier-1 suppliers, chipmakers and tool suppliers, as well as research organizations which provide a significant background in relevant fields.
One of the main contributions of SAFE for the automotive industry is a high impact on the standards and regulations, as the SAFE project is strongly connected to EAST-ADL, AUTOSAR and ISO 26262. Strongly connected is meant on two levels:
1) To prevent double work there is a strong organizational coordination of the activities, with the main moderation role at the I-AWG,
2) The SAFE meta-model extends the other DSLs and minimizes the overlap.

Figure 2: Scope of the SAFE meta-model. The red bordered actions are supported by the SAFE RTP

Figure 2 illustrates the relationship between the three DSLs taking part in the safety modeling and analysis story. The architecture and implementation of the functionality is done via EAST-ADL and AUTOSAR; this is illustrated in the left column of Figure 2. The safety information of the SAFE meta-model is closely related to the abstraction level structure of EAST-ADL, which is shown in the vertical structure. An important aspect is to ensure at each level of abstraction that the safety requirements are still fulfilled. To express this, a satisfy link can be drawn on each level of abstraction, i.e. the horizontal links between the SAFE meta-model on the one end and EAST-ADL resp. AUTOSAR on the other end.

To enable a process that covers all defined abstraction levels, the tools are a critical aspect. So far, the refinement and traceability of the requirements, the safety information and their cross correlation often cannot be controlled seamlessly due to missing tool interfaces. In the remainder of the paper we describe a tool platform that provides basic handling of all three DSLs in one environment, such that the realization of a seamless process is enabled.
The tool platform is based on three parts:
• EAST-ADL is implemented in the Eclipse based tool platform “EATOP”
• AUTOSAR is implemented in the Eclipse based tool platform “Artop”
• The SAFE meta-model is implemented in the Eclipse based tool platform “SAFE RTP”

Eclipse based tool platforms

“EATOP”: An Eclipse tool platform for EAST-ADL


EATOP is an Eclipse-based implementation of the EAST-ADL standard. It focuses on providing the following main features:
• Implementation of important versions and revisions of the EAST-ADL meta-model in EMF
• Serialization/de-serialization of EAST-ADL models/files conforming to the EAST-ADL XSD schema
• A tool platform and an exemplary basic IDE experience for creating, managing, editing, validating, transforming or otherwise processing EAST-ADL models in the Eclipse workspace.

EATOP supports the work of the EAST-ADL association by providing an Eclipse-based tool platform implementation for the EAST-ADL standard. Up to now, there have been multiple initiatives to create Eclipse-based implementations of EAST-ADL, which led to a quite cluttered and redundant tool landscape. The goal of EATOP is to reconcile these initiatives, consolidate the different implementations and shape a reference implementation of EAST-ADL under one umbrella. Since 2013 EATOP is an official Eclipse project and available as open source [4].
Due to the complementary nature and close relation between EAST-ADL and AUTOSAR, EATOP is closely aligned with Artop.

“Artop”: An Eclipse tool platform for AUTOSAR


Artop is an Eclipse-based implementation of the AUTOSAR meta-model. From a feature point of view it is similar to EATOP. Artop is organized by the Artop user group, a cooperation of several companies from the automotive industry. The availability of Artop is restricted to AUTOSAR members only.
Similar to the goals of EATOP, the goals of Artop are to enable:
• the creation of commercial AUTOSAR tools with shared platform functionality
• the availability of AUTOSAR tools close to the point in time when AUTOSAR specifications are released
• focusing the competition among tool vendors on their area of expertise
• increased interoperability and integration of AUTOSAR tools
The introduction of Artop has been a big success in the automotive industry. Today the implementation serves as a reference and is widely accepted [2].

“SAFE RTP”: An Eclipse tool platform for SAFE meta-model


SAFE RTP is an Eclipse-based Java implementation of the SAFE meta-model that integrates with the AUTOSAR
meta-model from Artop and the EAST-ADL meta-model from EATOP.

It offers a basic authoring experience, i.e., an Eclipse perspective with a tree-based model explorer view for navigating
through SAFE model files and their contents as well as some exemplary form and tree-based editors enabling
safety-related extensions for EAST-ADL and AUTOSAR models to be edited.

An important aspect of the SAFE RTP is interoperability. It supports the integration and exchange of safety-enriched architecture, dynamic behaviour, execution environment and hardware descriptions with existing non-Eclipse based engineering tools by defining an appropriate XSD schema-based exchange format. The corresponding serialize/de-serialize features enable the file based exchange of the data with other tools. As both commercial tool vendors and university institutes that implement research tools are members of the SAFE project, several implementations of such tools are already provided.

The SAFE RTP enables the integration with other Eclipse-based tools and plug-ins such as those providing the implementations of the EAST-ADL and AUTOSAR meta-models as detailed above. Related to this, two main features are provided:
1. The SAFE meta-model platform is based on Sphinx. Sphinx is an Eclipse project that provides an extensible platform to ease the creation of integrated modeling tool environments supporting individual or multiple modeling languages [7]. Using Sphinx simplifies the integration of the SAFE meta-model with EATOP and Artop.
2. The SAFE meta-model already contains links to EAST-ADL elements and AUTOSAR elements. These links are implemented in the SAFE RTP, such that a user can create an integrated model using the EAST-ADL, AUTOSAR and SAFE DSLs together in one editor.

SAFE RTP Demonstrator

To show how all three platforms can be composed in one tool and how this behaves, let us consider a simplified headlight example, following step by step the structure illustrated in Figure 3. In that example we focus on the software realization only, to keep the example simple.

Figure 3: Elements of demonstrator example

The left column shows the refinement and traceability of requirements. A requirement “Headlamp shall turn on when requested” is refined on the level of analysis functions to a requirement “Headlamp shall turn on if switch is on” and on the level of design functions to a requirement “Headlamp switch shall indicate status with LED”. The top level requirement is thus refined through several steps, indicated by the vertical arrows defining the flow through the boxes. On each level we get to know more detailed information about the headlamp switch.
The same abstraction principle is followed in the architecture model, which is also part of EAST-ADL and AUTOSAR. This is shown in the second column. A feature that fulfills the requirement on the highest abstraction level may be “Headlamp”. The analysis function is a decomposed, more detailed architecture consisting of a sensor, a controller and an actuator. The design function encloses further detailed components, i.e. now one gets to know that the sensor is a hardware element which has an associated AUTOSAR Sensor-SW-Component.
Now we consider the modeling and analysis of safety related information in the SAFE part of Figure 3. In our case the Item is not the whole headlamp but the switch only, as the safety analysis will only be done for the switch in this example. A critical situation may come up if the switch is on but the headlamp is not. This may cause an accident, i.e. it is a hazard. Therefore, a safety goal is derived: “Indicate if headlamp is not on although switch is on”. On the different architecture levels one has to detail the safety goal, e.g. one adds the information that the indication is done by an LED.
The arrows indicate the information flow of the safety modeling. The arrows that start in the SAFE model and end in the EAST-ADL or AUTOSAR model have a different meaning. These are “satisfy” links, i.e. they show which architectural element satisfies a dedicated safety requirement. The safety analysis has to ensure that one can trust such a satisfy link.
Although there already exist integrated tools that are able to handle the functional as well as the safety modeling, normally the architecture is done in a different specialized tool than the safety analysis. Keeping this information consistent is often a problem.

Figure 4 presents a screenshot of the SAFE RTP demonstrator that encloses Artop, EATOP and the SAFE RTP. The project explorer on the left side shows that the serialization of the model information is done in separate files: one for the AUTOSAR model, one for the EAST-ADL model and one for the SAFE model. This serialization / de-serialization is done by the integration of Artop, EATOP and SAFE RTP. The right side, however, displays an editor showing a common model which is based on all three languages. This enables the architecture to be modeled and the safety analysis to be run in the same tool. In the end it enables a seamless methodology from requirements down to software code generation.
The SAFE explorer is based on the basic example Ecore editor from Eclipse. It illustrates the integration aspect but cannot replace user friendly user interfaces that enable the handling of bigger models. Such user interfaces are no longer part of the platform development; their implementation is left to the tool vendors.

Figure 4: Screen shot from SAFE RTP user interface.
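The satisfy links of Figure 2 and the headlamp example only hold their value if they can be checked mechanically once the three models are serialized into separate files (Figure 4) and exchanged with other tools through the XSD-based format. The following added example, which is not code from the paper or from the SAFE RTP, shows what such a check looks like: it indexes the EAST-ADL and AUTOSAR files, then walks the SAFE file and reports safety goals or requirements with no satisfy link, satisfy links whose target is missing from the referenced file, satisfy links that cross abstraction levels, refines links that do not descend through the VL/AL/DL/IL order, and safety goals whose refinement chain never reaches the implementation level. The XML element names, attribute names and the "file#id" reference syntax are assumptions standing in for the real EAST-ADL XSD, AUTOSAR ARXML and SAFE exchange formats; the three documents are constructed sample data that mirror the demonstrator, with two deliberately inconsistent entries.

```python
# Added example, not code from the paper or the SAFE RTP. Element names, attribute
# names and the "file#id" reference syntax are assumptions standing in for the real
# EAST-ADL XSD, AUTOSAR ARXML and SAFE exchange formats.
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample data mirroring the headlamp demonstrator: one serialized
# file per language, reduced to ids and EAST-ADL abstraction levels (VL/AL/DL/IL).
EASTADL_XML = """<eastadl>
  <Feature id="FEAT_Headlamp" level="VL"/>
  <AnalysisFunction id="AF_Sensor" level="AL"/>
  <AnalysisFunction id="AF_Controller" level="AL"/>
  <AnalysisFunction id="AF_Actuator" level="AL"/>
  <DesignFunction id="DF_SwitchLED" level="DL"/>
</eastadl>"""

AUTOSAR_XML = """<autosar>
  <SwComponent id="SWC_Sensor" level="IL"/>
</autosar>"""

# SR_Dangling and SR_Orphan are deliberately inconsistent entries.
SAFE_XML = """<safe>
  <Item id="ITEM_Switch"/>
  <Hazard id="HZ_NoLight" item="ITEM_Switch"/>
  <SafetyGoal id="SG1" hazard="HZ_NoLight" level="VL">
    <satisfy ref="eastadl.xml#FEAT_Headlamp"/>
  </SafetyGoal>
  <SafetyRequirement id="SR_AL" refines="SG1" level="AL">
    <satisfy ref="eastadl.xml#AF_Controller"/>
  </SafetyRequirement>
  <SafetyRequirement id="SR_DL" refines="SR_AL" level="DL">
    <satisfy ref="eastadl.xml#DF_SwitchLED"/>
  </SafetyRequirement>
  <SafetyRequirement id="SR_IL" refines="SR_DL" level="IL">
    <satisfy ref="autosar.xml#SWC_Sensor"/>
  </SafetyRequirement>
  <SafetyRequirement id="SR_Dangling" refines="SR_AL" level="DL">
    <satisfy ref="eastadl.xml#DF_Removed"/>
  </SafetyRequirement>
  <SafetyRequirement id="SR_Orphan" refines="SG1" level="AL"/>
</safe>"""

LEVEL_ORDER = {"VL": 0, "AL": 1, "DL": 2, "IL": 3}
SAFE_NODES = ("SafetyGoal", "SafetyRequirement")


def index_architecture(files):
    """Map (file name, element id) -> abstraction level for every architecture element."""
    index = {}
    for name, text in files.items():
        for el in ET.fromstring(text).iter():
            if "id" in el.attrib:
                index[(name, el.attrib["id"])] = el.attrib.get("level")
    return index


def check_traceability(safe_xml, architecture_files):
    """Return findings keyed by kind; an empty dict means the three models are consistent."""
    index = index_architecture(architecture_files)
    nodes = {el.attrib["id"]: el for el in ET.fromstring(safe_xml) if el.tag in SAFE_NODES}
    findings = defaultdict(list)
    for rid, el in nodes.items():
        refs = [s.attrib["ref"] for s in el.findall("satisfy")]
        if not refs:                      # nothing in the architecture carries this requirement
            findings["unsatisfied"].append(rid)
        for ref in refs:
            fname, _, eid = ref.partition("#")
            level = index.get((fname, eid), "missing")
            if level == "missing":        # satisfy link into a file that lacks the target
                findings["dangling"].append((rid, ref))
            elif level != el.attrib.get("level"):
                findings["level_mismatch"].append((rid, ref, level))
        parent = el.attrib.get("refines")
        if parent is None:
            continue
        if parent not in nodes:
            findings["unknown_parent"].append((rid, parent))
        elif LEVEL_ORDER[nodes[parent].attrib["level"]] >= LEVEL_ORDER[el.attrib["level"]]:
            findings["refinement_not_downward"].append((rid, parent))
    return dict(findings)


def goals_reaching_implementation(safe_xml):
    """Ids of safety goals whose refines chain reaches the implementation level (IL)."""
    nodes = {el.attrib["id"]: el for el in ET.fromstring(safe_xml) if el.tag in SAFE_NODES}
    children = defaultdict(list)
    for rid, el in nodes.items():
        if "refines" in el.attrib:
            children[el.attrib["refines"]].append(rid)

    def reaches_il(rid, seen=frozenset()):
        if rid in seen:                   # a cyclic refines chain never reaches IL
            return False
        if nodes[rid].attrib.get("level") == "IL":
            return True
        return any(reaches_il(c, seen | {rid}) for c in children[rid])

    return {rid for rid, el in nodes.items() if el.tag == "SafetyGoal" and reaches_il(rid)}
```

Running `check_traceability(SAFE_XML, {"eastadl.xml": EASTADL_XML, "autosar.xml": AUTOSAR_XML})` on the sample reports SR_Orphan as unsatisfied and SR_Dangling as pointing at an element that no longer exists in the EAST-ADL file, while `goals_reaching_implementation(SAFE_XML)` confirms that SG1 is refined all the way down to an AUTOSAR software component. The check is deliberately run over the serialized files rather than the live editor model, because that is the form in which the data leaves one vendor's tool and enters another's; the same importer is the place to harden parsing of files received from other parties (the standard-library ElementTree used here does not resolve external entities, but an importer built on a DTD-aware parser should disable external entity and DTD loading before reading exchange files).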

Outlook

Of course, the user interface of such a demonstrator is for modeling experts only. Normally the architect or the safety analyst needs a more adequate user interface. As the SAFE RTP is open source, a community already provides adequate and adapted user interfaces in the form of plugins that can be added to the platform easily. Initial plugins are already implemented within the SAFE [6] and the MAENAD [5] projects. Further contributions are made within the Eclipse community in the EATOP [4] project.

Acknowledgment

Many thanks to the partners from EATOP, ARTOP and the SAFE project that enable the tool platforms in a common
effort.

This document is based on the SAFE and SAFE-E projects. SAFE is in the framework of the ITEA2, EUREKA cluster
program Σ! 3674. The work has been funded by the German Ministry for Education and Research (BMBF) under the
funding ID 01IS11019, and by the French Ministry of the Economy and Finance (DGCIS). SAFE-E is part of the Eurostars
program, which is powered by EUREKA and the European Community (ID 01|S1101). The work has been funded by the
German Ministry of Education and Research (BMBF) and the Austrian research association (FFG) under the funding ID
E!6095. The responsibility for the content rests with the authors.

References

[1] AUTOSAR; www.autosar.org
[2] ARTOP; www.artop.org
[3] EAST-ADL Association; www.east-adl.info
[4] EATOP; http://projects.eclipse.org/projects/modeling.eatop
[5] MAENAD; www.maenad.eu
[6] SAFE; www.safe-project.eu
[7] Sphinx; www.eclipse.org/sphinx
[8] International Electrotechnical Commission (IEC); IEC 61508: Functional Safety of Electrical / Electronic / Programmable Electronic Safety-Related Systems; 1998.
[9] International Organization for Standardization (ISO); ISO 26262: Road Vehicles, Functional Safety; 2012.
[10] O. Ljungkrantz; Case study about ISO26262 in the EAST-ADL / Autosar context; Experiences with ISO26262-2013 conference; Munich; 2013.
[11] S. Voget; EAST-ADL tool platform “EATOP”; International workshop on challenges in methodology, representation, and tooling for automotive embedded systems; Berlin/Germany; 2012.
[12] P. Cuenot, T. Peikenkamp; Model based development for functional safety; International workshop on challenges in methodology, representation, and tooling for automotive embedded systems; Berlin/Germany; 2012.
[13] A. Graf, R. Mueller, I. Garro, S. Voget, J. Noack, H. Mackamul; Collaboration in Automotive: The Eclipse Automotive Industry Working Group; ERTS conference; 2012.
[14] S. Voget; The SAFE technology platform: an open source tool platform for safety modeling and analysis; Safe Trans News 2/2013.
[15] S. Voget; Definition of a standard for model based safety development and analysis compliant to ISO26262; Safetronic Conference; Stuttgart/Germany; 2013.
