HiP-HOPS Gateway. Integrating safety analysis into the development of automotive embedded systems requires translating concepts of the automotive domain to the generic safety and error analysis domain. We assume a model-based development process where automotive concepts are represented by the EAST-ADL2 architecture description language, which supports system design on multiple levels of abstraction. The concepts of the error analysis domain are represented by the safety analysis tool HiP-HOPS. It is assumed that EAST-ADL2 models are built using the UML profile. The HiP-HOPS plugin extensively uses the concepts defined in the EAST-ADL error model, but also other language constructs from the FDA level. We automate the translation from EAST-ADL2 to HiP-HOPS by using model transformations. We leverage the advantages of different model transformation techniques by decomposing the translation into two distinct phases, and using an appropriate technique for each phase: A phase for conceptual mapping between the domains followed by a phase for representing the output in the desired concrete syntax. With the resulting tight integration of the safety analysis tool and the model-based development environment, the automotive safety engineer can perform the safety analysis repeatedly on refined models with minimal effort. This is compliant with the iterative design activities, which require starting the analysis after each change in the system design. The HiP-HOPS Gateway builds on previously developed Model Transformations and Eclipse Plugin, expanding analysis capability and optimization engine of HiP-HOPS, and enhancing the feedback of FMEA/FTA in the design process.
HiP-HOPS Gateway. Support for safety analysis (FMEA, FTA, ASIL decomposition) is provided externally by the HiP- HOPS analysis tool. The link between the modelling environment and the analysis tool is provided by a dedicated gateway plugin that enables the export of EAST-ADL models (annotated with the necessary error modelling information) to the HiP-HOPS format. This can then be read in by HiP- HOPS to perform the analyses. The input to the HiP-HOPS plugin is an EAST-ADL error model annotated with HiP-HOPS- compatible failure propagation logic. The error model provides the structural information about the system while the logic provides the information about the failure behaviour of each system entity, which HiP-HOPS uses to model the propagation of failures through the system. The propagation logic (provided in ErrorBehaviours) takes the form of Boolean expressions that relate output FaultFailures of an ErrorModelType (representing e.g. components, functions etc) to a combination of input FaultFailures and internal failure modes. The model is then transformed by the plugin so that HiP-HOPS can read the information and perform automatic FMEA and FTA. For ASIL decomposition, the exported error model must also contain relevant ASILs assigned to system-level failures (i.e., those which cause hazards). ASILs are provided in EAST-ADL using SafetyConstraints assigned to the FaultFailures (input/output faults) and optionally InternalFaults (component/function failure modes) of the error model. HiP-HOPS uses its internal model of the system failure propagation to determine which low-level failure modes contribute to which system- level failures (and thus which system-level ASILs) and therefore determines which combinations of ASILs can be assigned to the failure modes and input/output faults of the system. At present, EAST-ADL and HiP-HOPS provides a good infrastructure for the support of automatic FMEA/FTA analysis. The support for automatic ASIL decomposition is still being developed but prototype support exists; the intention is for the ASIL decomposition capability to become fully integrated, as with FMEA/FTA support. Future enhancements will include the import of the analysis results back into the model and improvements to the exchange of information between the modelling environment and analysis tool, as well as more scalable and effective ASIL decomposition algorithms. Key points for the analysis • Availability of modelling support for safety oriented analysis in MAENAD Mod...
HiP-HOPS Gateway. Integrating safety analysis into the development of automotive embedded systems requires translating concepts of the automotive domain to the generic safety and error analysis domain. We assume a model-based development process where automotive concepts are represented by the EAST-ADL2 architecture description language, which supports system design on multiple levels of abstraction. The concepts of the error analysis domain are represented by the safety analysis tool HiP-HOPS. There are two separate interfaces to HiP-HOPS that have been developed. The first is a plugin for Papyrus, and the second is a plugin for EPM. Both will be briefly described below.
