ODE Profile V1 D4.1

www.deis-project.eu

This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant

agreement No 732242 (DEIS).

ODE Profile V1

Page 1 of 24

Table of Contents

1 Publishable Executive Summary ............................................................................................................ 4

2 Introduction - The ODE Meta-Model overview ..................................................................................... 5

3 Related work ......................................................................................................................................... 6

4 ODE - Technical concept ........................................................................................................................ 8

4.1 ODE Tool Usage Scenarios ............................................................................................................. 8

4.2 EMF as ecosystem for DDI exchange ........................................................................................... 11

5 Demonstrators: State of ODE implementation in the DEIS Tools ........................................................ 12

5.1 ACME ........................................................................................................................................... 12

5.1.1 Assurance Case Editing ........................................................................................................ 12

5.1.2 Argumentation Editing ........................................................................................................ 12

5.1.3 Artifact Editing ..................................................................................................................... 12

5.1.4 Terminology ........................................................................................................................ 13

5.2 ComposR ..................................................................................................................................... 14

5.3 Hip-Hops ...................................................................................................................................... 16

5.3.1 ODE Integration with HiP-HOPS........................................................................................... 18

5.4 safeTbox™ ................................................................................................................................... 19

6 Summary and Outlook ......................................................................................................................... 22

7 References ........................................................................................................................................... 23

ODE Profile V1

Page 2 of 24

List of Figures

FIGURE 1 ABSTRACT ODE META-MODEL .................................................................................................................................. 5

FIGURE 2 DEVELOPMENT APPROACH FOR TOOL INTEROPERABILITY ................................................................................................ 8

FIGURE 3 ODE PROFILE BUILD WITH EMF ................................................................................................................................ 9

FIGURE 4 ACME ARTIFACT EDITING ....................................................................................................................................... 12

FIGURE 5 ACME ARTIFACT REFERENCING ............................................................................................................................... 13

FIGURE 6 ACME TERMINOLOGY ASSET CREATION ................................................................................................................... 13

FIGURE 8 ACME USING A TERMINOLOGY TERM IN THE ARGUMENTATION ................................................................................... 14

FIGURE 9 SYSTEM MODELING USING COMPOSR ....................................................................................................................... 15

FIGURE 10 FLM MODELING IN FORM OF A COMPONENT FAULT TREE (CFT) USING COMPOSR..................................................... 15

FIGURE 11 MODELING GSN USING COMPOSR ...................................................................................................................... 16

FIGURE 12 HIP-HOPS MODELING WITH MATLAB/SIMULINK ................................................................................................ 17

FIGURE 13 FTA WITH HIP-HOPS ....................................................................................................................................... 18

FIGURE 14 ODE-HIP-HOPS INTEGRATION PROCESS .............................................................................................................. 19

FIGURE 15 EXAMPLE OF A COMPONENT NETWORK MODELED WITH SAFETBOX. .......................................................................... 20

FIGURE 16 EXAMPLE OF A COMPONENT FAULT TREE. .............................................................................................................. 20

FIGURE 17 EXAMPLE OF A GSN .......................................................................................................................................... 21

ODE Profile V1

Page 3 of 24

Abbreviations

Abbreviation Long Version

AADL Architecture Analysis and Design Language

ACME Assurance Case Modelling Environment

CFT Component Fault Trees

DDI Digital Dependability Identity

EMF Eclipse Modeling Framework

FMEA Failure Mode and Effect Analysis

FTA Fault Tree Analysis

GSN Goal Structuring Notation

MDE Model Driven Engineering

ODE Open Dependability Exchange Meta-model

OCL Object Constraint Language

SACM Structured Assurance Case Meta-model

SAE Society of Automotive Engineers

XMI XML Metadata Interchange

XML Extensible Markup Language

Authors

Name, Partner E-mail

Daniel Schneider

Santiago Velasco

Daniel.schneider@iese.fraunhofer.de

Santiago.velasco@iese.fraunhofer.de

Ran Wei ran.wei@york.ac.uk

Ioannis Sorokos i.sorokos@hull.ac.uk

Marc Zeller marc.zeller@siemens.com

Eric Armengaud, AVL Eric.armengaud@avl.com

ODE Profile V1

Page 4 of 24

1 Publishable Executive Summary

The open and cooperative nature of CPS poses a significant new challenge in assuring dependability. The

DEIS project addresses this important and unsolved challenges by developing technologies that form a

science of dependable system integration. In the core of these technologies lies the concept of a Digital

Dependability Identity (DDI) of a component or system. DDIs are composable and executable in the field

facilitating (a) efficient synthesis of component and system dependability information over the supply chain

and (b) effective evaluation of this information in-the-field for safe and secure composition of highly

distributed and autonomous CPS. In order to make this vision reality, it is necessary to build the tools that

would allow engineering and executing DDIs. In this document it is therefore presented the initial version

of the Open Dependability Exchange (ODE) meta-model, which is the meta-model for the DEIS core concept

of Digital Dependability Identities (DDI). Consequently, the work results described here are very tightly

interrelated with the work being carried out in WP3 and the upcoming D3.1. At the same time, this work is

building directly on the requirements, use cases and demonstrators described in D2.1, D5.1, D6.1 and D6.2.

The ODE is a central artifact for the project, this textual description complement and assist in its

comprehension. Thus, we describe our approach to derive and design the ODE and, in particular, provide

details with respect to the current initial version of the ODE. Moreover, we describe the respective

developments that have been conducted on the four tools of the DEIS consortium: ACME (UoY), ComposeR

(SAG), HiP-HOPS (UoH) and safeTbox (IESE). For each tool in particular, we describe which aspect of the

ODE has been currently implemented and provide corresponding screenshots and (if presently

possible/feasible) a download link for the respective tool.

ODE Profile V1

Page 5 of 24

2 Introduction - The ODE Meta-Model overview Cyber-Physical-Systems (CPS) provide the potential for vast economic and societal impact in domains such

as automotive, health care and home automation. The open and cooperative nature of CPS poses a

significant new challenge in assuring dependability. The DEIS project addresses this important and unsolved

challenge by developing technologies that enable a science of dependable system integration. A key

innovation is the concept of the Digital Dependability Identity (DDI). A DDI contains all the information that

uniquely describes the dependability characteristics of a CPS or CPS component. DDIs are used for the

integration of components into systems during development as well as for the dynamic integration of

systems into systems of systems in the field. Some of the objectives we pursue in DEIS are:

• Objective 1: An open model for specifying Digital Dependability Identities enabling the efficient integration of modular dependability assurance cases

• Objective 2: Semi-automated framework for the generation and evaluation of DDIs • Objective 3: A framework for the in-the-field dependability assurance in CPS • Objective 4: autonomous and connected CPS use cases

The ODE is the meta-model for the DEIS core concept of the DDI and thus a central artifact of the project.

It needs to be fit for the DEIS core challenges and objectives as described in the proposal and refined in

D2.1, D5.1 and D6.1. The general concept of the ODE as well as its refinement based on engineering stories

is presented in deliverable 3.1.

In Figure 1, an abstract presentation of the current version of the meta-model can be observed. Many

entities and relationships have been removed or abstracted for ease of comprehension. The detailed

version is presented in Figure 3.

Figure 1 Abstract ODE meta-Model

ODE Profile V1

Page 6 of 24

The current structure of the meta-model includes several packages. At the highest level of abstraction, it is

possible to observe the ODE as a central container. It aggregates other major packages, namely: the

Dependability, Requirements, Hazard and Risk Assessment (HARA), Domain, Architecture, Failure-logic, and

Base packages. The first four mentioned packages aggregate the artifacts that are created/required during

early phases of the development process, such as determining the relevant system development standards,

identifying functional and non-functional requirements, as well as their prioritization through early safety

activities like the HARA, which can have a large impact on the rest of the development. With this

information, the design process is then carried out. Towards this end, the architecture package has been

conceived. Through this package, it is possible to define the primary entities of the system, how they relate

to each other with respect to composition as well as how they interact. Once a design is established, fault

analysis can be performed. The overall aim is to evaluate whether the design avoids, removes or mitigates

the identified Hazards. To investigate this relationship, the sources of Hazards – failures of the system’s

functions – are traced via analysis to progressively more refined, lower-level elements of the architecture.

In the current version of the ODE three different fault analysis techniques have been considered as relevant

for the industry and have been included in the meta-model, namely: Fault Tree Analysis (FTA), Failure Mode

and Effects Analysis (FMEA) and Markov analysis.

Finally, the Base package has been introduced to the ODE for flexibility purposes. In it, a generic mechanism

has been incorporated such that ODE elements can be annotated dynamically. Thanks to that mechanism,

information not considered during the definition of the ODE can be flexibly added during its instantiation.

As explained in deliverable 3.1, during the instantiation of SACM it will be possible to integrate into it an

instantiation of the ODE package, which at the same time aggregate the instantiation of the other

mentioned packages.

3 Related work In this section, we introduce shortly the work provided by other groups with respect to model-based

development. We present the topic by considering several of the goals DEIS wants to achieve with the

definition of the ODE.

Goal: Support an integrated modeling approach

The traditional document-based (e.g. word and excel) approach for system development has been overrun

by the complexity of today's dependability-related systems. Therefore, the current development trend is

towards model-based approaches, which promise to overcome known problems like traceability,

maintainability and reuse.

In the area of integrated modeling approaches, the Unified Modeling Language (UML) [Object Management

Group - UML] provides the means for the specification, construction and documentation of software. UML

was created with the intention to support the design of software by making use of different modeling

ODE Profile V1

Page 7 of 24

techniques to tackle issues of different nature. E.g. use Class or Components diagrams to define the

structure of the system, or Sequence diagrams to specify the behavior of the system.

However, most systems consist of other parts besides software. For this reason, it became necessary to

extend and adapt UML with concepts that facilitates the specification of other types of systems. For that,

the Systems Modeling Language (SysML) [Object Management Group - SysML] was created. UML and

SysML have been standardized by the Object Management Group, and many tool vendors support the most

current specifications.

While UML and SysML are often used for the system's functional design, they do not provide optimal ways

to specify certain qualities of the system, like safety. For instance, there are no means to specify hazards,

or faults. To tackle this issue, several groups have invested efforts in extending UML or defining their own

modeling languages. For example, the Society of Automotive Engineers (SAE) has produced the

Architecture Analysis and Design Language (AADL) [Feiler, P.H., Gluch, D.P., Hudak, J.J.]. The CHESS project

[Montecchi, L., Lollini, P., Bondavalli, A.] is an effort to create a complete modelling tool chain for

dependable systems, SafeML [Biggs, G., Sakamoto, T. & Kotoku] is a SysML profile designed for modelling

the safety-related concerns of a system. In DEIS these approaches have been used as reference and as a

basis, with the aim to support existing engineering challenges as well as future challenges such as openness

and runtime adaptability.

Goal: tool interoperability

In the area of open systems, it is important to provide the means for participant systems as well as for their

designers to communicate with each other. For this reason, it is necessary to define a common language

that allows exchanging data between tools.

With respect to tool interoperability, the Open Services for Lifecycle Collaboration group (OSLC) [Ryman,

A. G.; Hors, A. J. L.; and Speicher, S. 2013] is making an effort to standardize languages in many areas, e.g.

requirements, architecture management, automation, etc. Unfortunately, there is no language yet defined

for the dependability domain. In general, the OSLC domain specifications define a meta-model including

only the main sources of information to be exchanged. While this increases the chances to exchange at

least of a minimum set of information, it hinders covering a larger set of usages based on meta-models that

are more extensive. In DEIS, it is currently more important to support properly the defined engineering

challenges specified in deliverable 3.1. For this reason, the concrete support for tool interoperability will

be tackled later in the project. For now, the ODE meta-model represents one-step forward towards this

goal, which in the future could be reduced or abstracted to support larger levels of interoperability. This

will be evaluated with the first prototypes of the tools.

Goal: tool support

Modern development approaches for dependability systems have started introducing model-based

solutions for documentation. However due to the complexity of the systems, the models tend to become

ODE Profile V1

Page 8 of 24

large and maintenance error prone. For this reason, proper tool-support is required. Although, there are

several tool vendors supporting the existing safety life cycle, they do not provide the flexibility or the

extension possibilities to make appropriate use of them in the context of the DEIS project. For this reason

within DEIS it has become necessary to drive our own tool solutions. They will serve as prototypes

exemplifying the use of the ODE and DDI approaches. In the future is expected that interested tool vendors

integrate several of the ideas developed in DEIS.

4 ODE - Technical concept

4.1 ODE Tool Usage Scenarios

To support engineering stories in DEIS a basis for communication needs to be defined. For this reason, the

priority has been placed in achieving first a proper mechanism for the exchange of data. The development

steps planned to achieve this are sketched in the following figure.

Figure 2 Development approach for tool interoperability

Initially, the ODE exchange format is created (i.e. ODE Meta-Model). The detailed version of the meta-

model is shown in Figure 3 (For an appropriate explanation of the meta-model and its packages, please

refer to deliverable 3.1). With the given meta-model a common language has been defined. For this task

the Eclipse Modeling Framework (EMF) [Dave Steinberg, Frank Budinsky, Marcelo Paternostro, Ed Merks]

has been chosen. The detailed reasons for the use of EMF are explained in section 4.2. With this language,

tool providers within DEIS can now implement importing and exporting features to serialize and de-serialize

(parse) data from their own tools. Since the ODE Meta-Model has been created with flexibility in mind,

there exists a need to set several rules regarding how information is packaged and unpackaged into ODE

instances (i.e. DDIs). These validation rules enable checking the conformity and coherence of the data

provided. In the final step, tool providers in DEIS are expected to extend the features of their respective

tools to support the different uses of the ODE. Complete support for all usage scenarios provided by the

ODE is not compulsory, but it must be negotiated between all partners with respect to the engineering

ODE Profile V1

Page 9 of 24

scenarios used to evaluate the developed concepts. This will occur at a later point in time. A subset of basic

ODE usages has been documented in table 1.

Figure 3 ODE Profile build with EMF

Package Abstraction

level Usage

Base As an ODE user, I am able to… High

… extend during ODE instantiation dynamically the attributes of existing entities

Low … Define new attributes By means of a key-values Map

Low … Filter dynamically added attributes through its tag attribute

Low … identify uniquely artifacts

Architecture High … structure my system design through different views and abstraction levels

As a Systems Engineer, I am able to… High

... define systems/components modularly and compose them to create larger systems

Low ... create a heterogeneous network including systems, physical and logical components

Low … create a hierarchical network of functions/safety functions for a system/components

ODE Profile V1

Page 10 of 24

Low … specify which functions are realized by which systems/components

Low … define the interfaces of the system/components/functions by means of ports

Low … define the types of interaction between system/components/functions by means of signals

Low … specify the boundary of the system dynamically

Low … specify different configurations of the system based on different compositions.

Low … define Which logical components are deployed in which physical components

Low … define the life time of the physical and logical components for replacing purposes

Failure Logic High … perform Fault Analysis modularly on the basis of the system Design

As a safety engineer, I am able to… High

… select one of many techniques (FMEA/FTA/Markov) to perform the fault analysis for functions/systems/ components

High … create and analyze heterogeneous fault analysis models

High … determine the causes that lead to the occurrence of an undesired event.

Low … specify the failure logic propagation between systems/components/functions

Low … specify Failure modes for Function/system/component ports

Low … analyze Hazards by defining a relationship to output failure modes

Dependability

As a requirements engineer I am able to High

… specify requirements for systems/components/functions and other design artifacts

High … distinguish between safety and non-safety critical requirements and measures

High … identify mechanisms to avoid, tolerate, remove, etc. system faults during development as well as during operation times.

High … document relevant contextual information with regard of the development of the system. E.g. standards

High … organize requirements modularly

High … perform hazard and risk assessments

Low … identify situations in which the system can cause harm

Low … evaluate the criticality of the possible failures of the system

Low … link requirements with identified failures in the fault analysis Table 1. Basic ODE Uses

ODE Profile V1

Page 11 of 24

4.2 EMF as ecosystem for DDI exchange

In the context of Model Driven Engineering (MDE), there are a variety of supporting tools, which are mostly

based on the Eclipse IDE. The Eclipse Modelling Framework (EMF) is an established, well-known framework

for modelling, upon which numerous MDE tools are built. EMF provides a modelling language called ECore,

which is also widely used by MDE tools and practitioners. In addition to ECore, EMF provides a framework

to generate model codes and editors in Java based on meta-models defined in ECore.

Models produced by EMF are naturally supported by the majority of MDE tools relevant to EMF. For

example, for model validation, the Eclipse OCL project provides support for model validation on EMF

models only. The Epsilon platform provides a variety of model management operations such as model

validation, model to model transformation, model to text transformation, model merging, etc. The Eclipse

ATL Transformation Language (ATL), supports model-to-model transformation capabilities for models

defined in EMF.

Therefore, support for querying, validating, merging, transforming EMF models is readily available for the

Eclipse ecosystem. This provides a good foundation for the DEIS project for its ODE concepts, in the sense

that DDIs (instances of ODE) can be validated, merged at design time/runtime in an automated manner.

In EMF, model elements are organized in Packages, which can import other packages to use the model

elements defined in the imported packages. The ODE components should be modelled into different

packages on a need-to basis to promote modularity, flexibility and re-use. Thus, instead of producing a large

meta-model, the ODE will be a cluster of packages, each of them capable of handling one specific domain

(e.g. the failure logic package constructs failure logic models only but can be used in conjunction with the

architecture package). At the same time, the ODE should keep existing standards intact, thus the importing

mechanism is used to import the SACM package into the overall package, in the sense that system

assurance cases are independent, which are created using SACM.

For the upcoming implementations the concrete exchange mechanism still need to be discussed. In EMF,

models are typically exchanged in either textual or binary XMI format (an extension of XML). However, one

may wish to make use of other exchange mechanisms. This shall be investigated later for the DEIS project

due to requirements in the area of intellectual property protection. Here is an abstract example of the

format:

<DependabilityPackage metaData=„contentDescriptor“ version=„1.0“>

<AssuranceCasePackage>

<TerminologyPackage ref=<systemDesign>>

</AssuranceCasePackage>

<SystemDesignPackage>...</SystemDesignPackage>

<FailureLogicPackage>...</FailureLogicPackage>

<xx>...</xx>

</DependabilityPackage>

ODE Profile V1

Page 12 of 24

5 Demonstrators: State of ODE implementation in the DEIS Tools This Section provides an overview regarding the implementation of the ODE by the corresponding DEIS

tools. It is important to note that not every tool presently implements the complete ODE. ACME is focusing

on the assurance case part and ComposeR and HiP-HOPS are focusing on the failure logic modeling part.

safeTbox implements both to a certain extent.

5.1 ACME

ACME is a graphical editor to create/edit SACM models. For ACME, we provide an EMF (Eclipse Modeling

Framework) based implementation of SACM. ACME provides editing facilities for AssuranceCase,

Argumentation, Artifact and Terminology creations, and then finally output to an EMF based SACM model.

5.1.1 Assurance Case Editing

ACME provides a transitional solution for system safety engineers to construct SACM models (and SACM

compliant models) using the Goal Structuring Notation (GSN). The GSN meta-model used in ACME is an

extension to ACME so all elements in ACME can be created (Such as AssuranceCasePackages,

ArtifactPackages, TerminologyPackages in SACM, as well as Modules in GSN).

5.1.2 Argumentation Editing

ACME provides a tooling to create GSN models in its Module editor. The full specification of GSN can be

found at (http://www.goalstructuringnotation.info/).

5.1.3 Artifact Editing

In the ArtifactPackage editor, ACME provides the means to create all SACM Artifact elements. For Artifact,

the user can link to an external material to organize the evidence of the structured argumentation. See

Figure 4.

Figure 4 ACME Artifact Editing

ODE Profile V1

Page 13 of 24

The newly created Artifact can then in turn be referenced from the structured argumentation. In this

example, a test report for Component X is organized in an Artifact, and then referenced by Sn1 in the

argument package. See Figure 5.

Figure 5 ACME Artifact Referencing

5.1.4 Terminology

But what is System really? The Terminology provides the link to the System. In ACME, the user can define

their terminologies as shown below:

Figure 6 ACME Terminology Asset Creation

ODE Profile V1

Page 14 of 24

After the creation, the term System bears the meaning that it points to a UAV system model in a local file.

This term can then in turn be used by the GSN Goal G1. The keyword System (now in curly brackets) refers

to the UAV system model, which is organized in the Terminology package and can be accessed via the link

stored in the terminology package.

Figure 7 ACME Using a Terminology Term in the argumentation

In this sense, links among the system information, the evidence and the structured argumentation have

been created so that the SACM model in a sense weaves all the information into a system assurance case.

5.2 ComposR

ComposR is a tool to create and maintain system as well as safety and reliability models. Since ComposR is

based on a commercial UML/SysML modeling tool, such as MagicDraw from NoMagic or Enterprise

Architect from Sparx, system modelling is possible using UML, SysML or any domain-specific extensions

(see screenshot Figure 8). Moreover, ComposR enables the creation of dependability analysis models,

which can be interlinked with the system model. These models may be composed of (Component) Fault

Trees and Markov Chains which can be analyzed in a qualitative and quantitative way using industrial-grade

analysis tools such as ZUSIM or Isograph FT+.

ODE Profile V1

Page 15 of 24

Figure 8 System modeling using ComposR

ComposR implements FLM in form of the Component Fault Tree (CFT) methodology (Kaiser, Liggesmeyer,

& Mäckel, 2003) for large-scale industrial projects (see screenshot Figure 9), e.g. using specific extensions

(Höfig, Zeller, & Heilmann, 2015). Since ComposR allows the creation of safety/reliability analysis models in

a compositional way, safety artifacts can be associated with elements in the system design and reused

systematically in different contexts. Hence, enabling integrated safety analysis to leverage the benefits of

model-based development in context of safety-relevant systems (Zeller & Höfig, 2016).

Figure 9 FLM modeling in form of a Component Fault Tree (CFT) using ComposR

ODE Profile V1

Page 16 of 24

Based on the Component Fault Tree model created using ComposR either a qualitative Fault Tree Analysis

(FTA) in the form of a minimal cut set analysis or a quantitative FTA can be performed using common

algorithms or tools.

Moreover, we implemented a UML-profile to model safety argumentation in the Goal Structuring Notation

(GSN). Figure 10 shows a screenshot of a GSN modeled in ComposR. Since the system and its failure logic

are also available in form of models, specific model elements (or entire models) can be linked with the text

in the GSN model to enable navigation through the safety argument.

Figure 10 Modeling GSN using ComposR

The ComposR is used in WP 5 to model the industrial use case 3 (see Deliverable D5.1). We plan to migrate

ComposR to the ODE meta-model currently developed in WP 3 and enable the synthesis of DDIs within the

DEIS project.

5.3 Hip-Hops

The HiP-HOPS reliability analysis tool is capable of automating Fault Tree Analysis (FTA) and Failure Modes

and Effects Analysis (FMEA), based on an architectural model of a user’s system. This system model is

annotated by the user with component failure logic behavior, which enables the above analyses and more,

e.g. temporal fault tree analysis, architectural optimization, automatic SIL allocation. Currently, HiP-HOPS

is integrated with two commercially available modeling environments:

• MATLAB/Simulink (https://uk.mathworks.com/products/simulink.html)

• SimulationX (https://www.simulationx.com).

ODE Profile V1

Page 17 of 24

HiP-HOPS and more detailed documentation is available online at https://hip-hops.eu, with commercial

and evaluation versions available to download. Figure 11, shows a system model in the MATLAB/Simulink

environment, with the integrated HiP-HOPS menu alongside it. Through this menu, local failure behavior

for the individual system elements can be set, as well as model-wide properties e.g. hazard information.

Figure 11 HiP-HOPS Modeling with MATLAB/Simulink

In Figure 12, the detailed results of the automatic analysis are shown. Specifically, the minimal fault tree

that describes the relationship between component and system failure is seen on the left side. From this

view, the minimal cut sets can also be reviewed via the relevant tab. The right side of Figure 12 depicts

FMEA tabular data, listing the systemic effects of individual component failures.

ODE Profile V1

Page 18 of 24

Figure 12 FTA with HiP-HOPS

Our initial efforts to integrate with the ODE can be found in (Retouniotis, et al., 2017). In the mentioned

publication, we describe extensions to the HiP-HOPS meta-model that enable GSN-style safety

argumentation to be generated based on HiP-HOPS safety analyses. The link between safety argumentation

and analysis established by this process will support DDI generation and integration in the upcoming

development stages. Currently, the meta-model presented in the above publication is being adapted to

ODE proposals discussed between the partners. The aim is to support bi-directional translation from HiP-

HOPS to ODE data structures.

5.3.1 ODE Integration with HiP-HOPS

By design, the ODE shares much common ground with that used internally by HiP-HOPS. Semantic

differences that remain can be addressed by performing a model-to-model (M2M) transformation between

the ODE and HiP-HOPS meta-models. Such a transformation produces an equivalent model from the source

(expressed in the source meta-model) in terms of the target meta-model.

HiP-HOPS input and output is provided in XML format. XML schema definitions (XSD files) are available for

both input and output formats of HiP-HOPS. Past approaches have made use of model-to-text (M2T)

transformations to convert from HiP-HOPS-compatible meta-models into compatible XML input. This

separated the transformation into two steps, a M2M between the source and an intermediate, HiP-HOPS-

compatible meta-model, and then a M2T transformation between the intermediate meta-model and the

XML input/output format.

For DEIS, our planned prototype tool for parsing and serializing ODE models into and from HiP-HOPS will

integrate the two steps described above, using the open-source library EMF4CPP (Catedra SAES (2010)).

ODE Profile V1

Page 19 of 24

EMF4CPP allows C++ code to parse models conforming to Ecore meta-models (such as the ODE instances)

as well as serialize such models. Once the transformation process is complete, HiP-HOPS can be invoked to

perform the required dependability analysis and its output serialized back into the ODE model. Figure 13

visually describes the above process.

Figure 13 ODE-HiP-HOPS integration process

5.4 safeTbox™

safeTbox is a modeling and analysis tool created with the goal to support dependability engineers in the

development and certification of safety critical systems. It has been developed as an extension of the

commercial tool Enterprise Architect (EA), which supports the standard UML and SysML 1.4 constructs.

safeTbox extends EA by providing a set of specialized modeling languages to support primary safety-

engineering activities. Two aspects characterize most of the techniques integrated in safeTbox: modularity

and component integration. With this, safeTbox aims at facilitating maintainability and reusability of

systems, as well as supplier-OEM interaction and integration of third-party components.

In the current state of the ODE, safeTbox implements quite well the architecture package. Thanks to its

abstract compositional approach, safeTbox can be used to model systems, functions, logical components

and hardware devices similarly as it can be done using SysML. Moreover, the definition of interfaces (ports)

as well as the specification of the interaction between entities (signals) is also possible as defined in the

ODE meta-model, see Figure 3. In the next figure, an example of a network of logical components can be

observed.

ODE Profile V1

Page 20 of 24

Figure 14 Example of a component network modeled with safeTbox.

In the area of Failure logic modeling, safeTbox supports the ODE in the sense that it has an implementation

of component fault trees (Domis, D (2005)), which follow similar concepts with respect to the definition of

compositional failure logic, as well the definition of internal and interface failure modes. In the next figure,

it is possible to see an example of a Component fault tree modeled with safeTbox. Currently there are no

FMEA or Markov capabilities. It is also possible to associate design artifacts (e.g. systems, ports) with failure

modeling artifacts (e.g. failure model, interface failure modes).

Figure 15 Example of a component fault tree.

With respect to the dependability package only the definition of requirements, its modular composition

and refinement is being supported so far. Currently, a flexible implementation of the Goal Structuring

Notation (GSN) supports these features. This implementation was engineered during 2017. The

ODE Profile V1

Page 21 of 24

implementation has followed the standard definition of the technique, which makes it therefore fully

compatible with other tools following the same standard see Figure 16. Other sub-packages, e.g. domain,

and HARA have been still under discussion lately. For this reason, no support has been implemented yet.

Figure 16 Example of a GSN

Similarly as explained for the Hip-Hops tool, the next steps in the development of safeTbox include the

implementation of the import and export of models into the ODE exchange format.

ODE Profile V1

Page 22 of 24

6 Summary and Outlook

In this document, we presented the status of the development of the ODE. Initially, an abstract version of

the meta-model was used to show the more important blocks. This was necessary in order to reduce the

complexity of the explanations and make the concept easier to comprehend for stakeholders outside from

DEIS. In a further section, we introduced the goals that the ODE should tackle from the tool perspective,

together with the reference work used as input for its definition and refinement. In chapter 4, details of

the meta-model as well as of the technology used for its creation were provided. In chapter 5, the current

tool implementations and their support of the ODE was presented. Until now, different members of the

consortium have implemented the tools in isolation (tools are mostly freely accessible. See download links

in the respective section). This is reflected in the overall support of the ODE, in that each tool supports only

a subset of all specified features. This is partially desired in DEIS, since this reflects the current state of the

practice; it cannot be expected that tool-vendors support entirely all aspects in the development of

dependability systems. In this sense, the ODE plays the role of the binding mechanism that would allow

stakeholders to cooperate based on a common language, and serve as basis of the tool interoperability

concept. With this initial version of the ODE, the immediate tool implementation will provide mechanisms

for the exchange of information between the existing tools. Therefore, each partner will provide

import/export functionalities between their own tool specific format and ODE.

According to the planned activities our coming efforts are going to be invested in the deliverable 4.2, in

which the semi-automated synthesis of development time DDIs should be supported.

ODE Profile V1

Page 23 of 24

7 References

Biggs, G., Sakamoto, T. & Kotoku, T. Softw Syst Model (2016) 15: 147. https://doi.org/10.1007/s10270-

014-0400-x

Catedra SAES. (2010). EMF4CPP. Retrieved from Catedra SAES:

https://www.catedrasaes.org/html/projects/EMF4CPP/EMF4CPP.html

Dave Steinberg, Frank Budinsky, Marcelo Paternostro, Ed Merks, EMF: Eclipse Modeling Framework, 2nd

Edition, Dec 16, 2008, ISBN-10: 0-321-33188-5

Feiler, P.H., Gluch, D.P., Hudak, J.J.: The Architecture Analysis & Design Language (AADL): An Introduction.

Tech. rep., Software Engineering Institute, Carnegie-Mellon University, Pittsburgh (2006).

Höfig, K., Zeller, M., & Heilmann, R. (2015). ALFRED: A Methodology to Enable Component Fault Trees for

Layered Architectures. 41st Euromicro Conference on Software Engineering and Advanced Applications

(SEAA)

Jose Luis de la VaraRajwinder Kaur Panesar-Walawege (2013): SafetyMet: A Metamodel for Safety

Standards, MODELS 2013. Lecture Notes in Computer Science, vol 8107. Springer, Heidelberg

Kaiser, B., Liggesmeyer, P., & Mäckel, O. (2003). A new component concept for fault trees. SCS '03:

Proceedings of the 8th Australian workshop on Safety critical systems and software, (S. 37 - 46).

Montecchi, L., Lollini, P., Bondavalli, A.: Dependability concerns in model-driven engineering. In:

Object/Component/Service-Oriented Real-Time Distributed Computing Workshops (ISORCW), 2011 14th

IEEE International Symposium on, pp. 254 –2 63 (2011).DOI 10.1109/ISORCW.2011.32

Object Management Group - UML, Unified Modeling Language (UML) specification, Version 2.5.1,

https://www.omg.org/spec/UML/About-UML/, 2017

Object Management Group - SysML, System Modeling Language (SysML) specification, Version 1.4,

https://www.omg.org/spec/SysML/1.4/About-SysML/, 2015

Oleg Lisagor, (2010): Failure Logic Modelling: A Pragmatic Approach, PHD thesis, University of York

Peter Fenelon, John A. McDermid, (1993):An Integrated Toolset For Software Safety Analysis, Journal of

Systems and Software.

Pohl, K., Broy, M., Daembkes, H., Hönninger, H. (2016): Advanced Model-Based Engineering of Embedded

Systems - Extensions of the SPES 2020 Methodology, springer

Ryman, A. G.; Hors, A. J. L.; and Speicher, S. 2013. OSLC resource shape: A language for defining

constraints on linked data. In Bizer, C.; Heath, T.; Berners-Lee, T.; Hausenblas, M.; and Auer, S., eds.,

Proceedings of the WWW2013 Workshop on Linked Data on the Web. http://ceur-

ws.org/Vol996/papers/ldow2013-paper-02.pdf.

ODE Profile V1

Page 24 of 24

Höfig, K., Zeller, M., & Heilmann, R. (2015). ALFRED: A Methodology to Enable Component Fault Trees for

Layered Architectures. 41st Euromicro Conference on Software Engineering and Advanced Applications

(SEAA).

Kaiser, B., Liggesmeyer, P., & Mäckel, O. (2003). A new component concept for fault trees. SCS '03:

Proceedings of the 8th Australian workshop on Safety critical systems and software, (S. 37 - 46).

Retouniotis, A., Papadopoulos, Y., Sorokos, I., Parker, D., Matragkas, N., & Sharvia, S. (2017). Model-

Connected Safety Cases. In M. Bozzano, & Y. Papadopoulos (Hrsg.), Lecture Notes in Computer Science

(Bd. 10437). Cham, CH: Springer. doi:https://doi.org/10.1007/978-3-319-64119-5_4

Zeller, M., & Höfig, K. (2016). INSiDER: Incorporation of system and safety analysis models using a

dedicated reference model. 2016 Annual Reliability and Maintainability Symposium (RAMS).