  • 8/11/2019 Certkitiec Mbd

    1/46

IEC Certification Kit
Model-Based Design for ISO 26262
R2012a


How to Contact MathWorks

www.mathworks.com (Web)
comp.soft-sys.matlab (Newsgroup)
www.mathworks.com/contact_TS.html (Technical Support)
[email protected] (Product enhancement suggestions)
[email protected] (Bug reports)
[email protected] (Documentation error reports)
[email protected] (Order status, license renewals, passcodes)
[email protected] (Sales, pricing, and general information)
508-647-7000 (Phone)
508-647-7001 (Fax)

The MathWorks, Inc.
3 Apple Hill Drive
Natick, MA 01760-2098

For contact information about worldwide offices, see the MathWorks Web site.

IEC Certification Kit Model-Based Design for ISO 26262

COPYRIGHT 2012 by The MathWorks, Inc.

The software described in this document is furnished under a license agreement. The software may be used or copied only under the terms of the license agreement. No part of this manual may be photocopied or reproduced in any form without prior written consent from The MathWorks, Inc.

FEDERAL ACQUISITION: This provision applies to all acquisitions of the Program and Documentation by, for, or through the federal government of the United States. By accepting delivery of the Program or Documentation, the government hereby agrees that this software or documentation qualifies as commercial computer software or commercial computer software documentation as such terms are used or defined in FAR 12.212, DFARS Part 227.72, and DFARS 252.227-7014. Accordingly, the terms and conditions of this Agreement and only those rights specified in this Agreement, shall pertain to and govern the use, modification, reproduction, release, performance, display, and disclosure of the Program and Documentation by the federal government (or other entity acquiring for or through the federal government) and shall supersede any conflicting contractual terms or conditions. If this License fails to meet the government's needs or is inconsistent in any respect with federal procurement law, the government agrees to return the Program and Documentation, unused, to The MathWorks, Inc.

Trademarks

MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See www.mathworks.com/trademarks for a list of additional trademarks. Other product or brand names may be trademarks or registered trademarks of their respective holders.

Patents

MathWorks products are protected by one or more U.S. patents. Please see www.mathworks.com/patents for more information.

Revision History

March 2012 Online only New for Version 1.6 (Release 2012a)

Contents

1 Introduction
    Model-Based Design for ISO 26262 . . . 1-2
    Reference Workflows . . . 1-3

2 ISO 26262-6: Applicable Model-Based Design Tools and Processes
    Initiation of Product Development at the Software Level . . . 2-2
    Software Architectural Design . . . 2-3
    Software Unit Design and Implementation . . . 2-13
    Software Unit Testing . . . 2-24
    Software Integration and Testing . . . 2-30

3 ISO 26262-8: Applicable Model-Based Design Tools and Processes
    Confidence in the Use of Software Tools . . . 3-2


1 Introduction

Model-Based Design for ISO 26262 (page 1-2)
Reference Workflows (page 1-3)


Model-Based Design for ISO 26262

This documentation provides annotated versions of method tables that appear in the ISO 26262-6 and ISO 26262-8 standards. The annotated tables provide suggestions on how to use Model-Based Design products from MathWorks to apply the methods listed in the standard for different Automotive Safety Integrity Levels (ASILs).

Chapter 2, ISO 26262-6: Applicable Model-Based Design Tools and Processes
Chapter 3, ISO 26262-8: Applicable Model-Based Design Tools and Processes

The IEC Certification Kit provides additional support when using Model-Based Design for ISO 26262 applications, including reference workflows for verifying and validating models and generated code.


Reference Workflows

IEC Certification Kit: Embedded Coder Reference Workflow
IEC Certification Kit: Polyspace Client/Server for C/C++ Reference Workflow
IEC Certification Kit: Simulink Design Verifier Reference Workflow
IEC Certification Kit: Simulink Verification and Validation Reference Workflow


2 ISO 26262-6: Applicable Model-Based Design Tools and Processes

Initiation of Product Development at the Software Level (page 2-2)
Software Architectural Design (page 2-3)
Software Unit Design and Implementation (page 2-13)
Software Unit Testing (page 2-24)
Software Integration and Testing (page 2-30)


Initiation of Product Development at the Software Level

Table 1 Topics To Be Covered By Modelling and Coding Guidelines (ratings for ASIL A, B, C, D)

1a Enforcement of low complexity: ++ ++ ++ ++
1b Use of language subsets: ++ ++ ++ ++
1c Enforcement of strong typing: ++ ++ ++ ++
1d Use of defensive implementation techniques: o + ++ ++
1e Use of established design principles: + + + ++
1f Use of unambiguous graphical representation: + ++ ++ ++
1g Use of style guides: + ++ ++ ++
1h Use of naming conventions: ++ ++ ++ ++

Applicable Model-Based Design tools and processes (all topics): Simulink Modeling guidelines
Comment: The Modeling Guidelines for High-Integrity Systems and the MathWorks Automotive Advisory Board Control Algorithm Modeling Guidelines Using MATLAB, Simulink, and Stateflow can be used to address topics listed in this table. The guideline subset used for a project should address a combination of topics applicable for the ASIL under consideration.


Software Architectural Design

Table 2 Notations for Software Architectural Design (ratings for ASIL A, B, C, D)

1a Informal notations: ++ ++ + +
    Tools: Simulink Model Info and DocBlock blocks; Simulink Verification and Validation System Requirements block
    Comment: The blocks can be used to integrate architectural descriptions into a model.
    Tools: Simulink Verification and Validation Requirements Management Interface (RMI)
    Comment: The RMI can be used to link Simulink and Stateflow architectural designs to informal descriptions in Microsoft Word, Microsoft Excel, ASCII text, and PDF files.
1b Semiformal notations: + ++ ++ ++
    Tools: Simulink; Stateflow
    Comment: Simulink and Stateflow support software architectural design using semiformal notations.
1c Formal notations: + + + +


Table 3 Principles for Software Architectural Design (ratings for ASIL A, B, C, D)

1a Hierarchical structure of software components: ++ ++ ++ ++
    Tools: Simulink Model block, Ports & Subsystems block library; Stateflow
    Comment: Model blocks (model referencing), subsystems, libraries, and Stateflow charts support hierarchical decomposition of models.
    Tools: Simulink Model Dependency Viewer
    Comment: When using Model blocks or libraries to structure a model, the Model Dependency Viewer can display a graph of models and libraries referenced by the top model.
    Tools: Embedded Coder
    Comment: Embedded Coder supports modularization of code at the file level.
1b Restricted size of software components: ++ ++ ++ ++
    Tools: Simulink; Stateflow; Embedded Coder
    Comment: Software components can be structured hierarchically to limit component size.
    Tools: Simulink Verification and Validation ISO 26262 checks
    Comment: The ISO 26262 Model Advisor check Display model metrics and complexity report provides information on the size and complexity of models and subsystems.
1c Restricted size of interfaces: ++ ++ ++ ++
    Tools: Simulink Verification and Validation ISO 26262 checks
    Comment: The ISO 26262 Model Advisor check Display model metrics and complexity report provides information on the number of inports and outports of models and subsystems.
1d High cohesion within software components: + + + +
1e Restricted coupling between software components: + ++ ++ ++
1f Appropriate scheduling properties: + ++ ++
    Tools: Simulink
    Comment: Simulink provides a way to control the rate of block execution and allows specification of block-based or port-based sample times. Models can display color coding and annotations to represent specific sample times.
    Tools: Stateflow Scheduler patterns
    Comment: Stateflow provides multiple scheduler patterns for controlling execution of subsystems.
1g Restricted use of interrupts: + + + ++
    Tools: Embedded Coder Configuration
    Comment: Embedded Coder can be configured to not insert interrupts into step function code.

Table 4 Mechanisms for Error Detection at the Software Architectural Level (ratings for ASIL A, B, C, D)

1a Range checks of input and output data: ++ ++ ++ ++
    Tools: Simulink; Stateflow
    Comment: Simulink and Stateflow can be used to design range checks for input and output data. During simulation, the Simulation range checking diagnostic detects when signals exceed specified ranges.
    Tools: Simulink Design Verifier; Polyspace
    Comment: Simulink Design Verifier and Polyspace can calculate and verify signal ranges.
1b Plausibility check: + + + ++
    Tools: Simulink; Stateflow
    Comment: Simulink and Stateflow can be used to design plausibility checks.
1c Detection of data errors: ++ ++ ++ ++
    Tools: Simulink; Stateflow
    Comment: Simulink and Stateflow can be used to detect data errors.
1d External monitoring facility: o + + ++
1e Control flow monitoring: o + ++ ++
1f Diverse software design: o o + ++
    Tools: Simulink; Stateflow; Simulink Fixed Point
    Comment: Software diversity for algorithmic parts can be supported by executing floating-point and fixed-point versions of an algorithm in parallel and comparing the results.
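Table 4 names the mechanisms but the document shows no code for them. The C sketch below is an added example, not MathWorks code or Embedded Coder output: it wraps a first-order low-pass filter with an input range check (1a), a rate-of-change plausibility check (1b), and a diverse floating-point/fixed-point pair whose results are compared before an output is published (1f), plus a fault-injection hook of the kind Table 10 (1c) describes. The signal limits, the Q8.7 scaling, the alpha = 1/4 coefficient and the tolerance are all constructed for the example.

```c
/* Added example (not from the MathWorks document or Embedded Coder output):
 * ISO 26262-6 Table 4 error-detection mechanisms around a first-order
 * low-pass filter y[k] = y[k-1] + alpha * (x[k] - y[k-1]), alpha = 1/4.
 * All limits and tolerances below are constructed for the example. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define X_MIN         (-100.0f)  /* constructed valid input range */
#define X_MAX         ( 100.0f)
#define X_MAX_STEP    (   5.0f)  /* constructed plausible change per sample */
#define DIVERSITY_TOL (   0.1f)  /* allowed float/fixed disagreement */

/* Error flags returned by filter_step(); several may be set at once. */
enum { ERR_NONE = 0u, ERR_RANGE = 1u, ERR_PLAUSIBILITY = 2u, ERR_DIVERSITY = 4u };

typedef struct {
    float   y_float;   /* channel 1: floating-point state */
    int16_t y_fixed;   /* channel 2: Q8.7 fixed-point state (1 LSB = 1/128) */
    float   x_prev;    /* previous accepted input, for the plausibility check */
    bool    have_prev;
} filter_t;

static float abs_f(float v) { return (v < 0.0f) ? -v : v; }

/* Convert to Q8.7 with rounding; inputs are range-checked first, so the
 * scaled value fits in int16_t (|x| <= 100 gives |q| <= 12800). */
static int16_t to_q8_7(float x)
{
    float scaled = x * 128.0f;
    return (int16_t)((scaled >= 0.0f) ? (scaled + 0.5f) : (scaled - 0.5f));
}

static float from_q8_7(int16_t q) { return (float)q / 128.0f; }

void filter_init(filter_t *f)
{
    f->y_float = 0.0f;
    f->y_fixed = 0;
    f->x_prev = 0.0f;
    f->have_prev = false;
}

/* One filter step. Returns ERR_NONE and writes *y_out on success. A range or
 * plausibility error leaves the state untouched; a diversity mismatch keeps
 * the output unpublished. Single exit point, no dynamic memory, no recursion. */
unsigned filter_step(filter_t *f, float x, float *y_out)
{
    unsigned err = ERR_NONE;
    *y_out = 0.0f;

    if (!((x >= X_MIN) && (x <= X_MAX))) {      /* 1a: range check; also rejects NaN */
        err |= ERR_RANGE;
    } else if (f->have_prev && (abs_f(x - f->x_prev) > X_MAX_STEP)) {
        err |= ERR_PLAUSIBILITY;                /* 1b: plausibility (rate of change) */
    } else {
        int16_t xq = to_q8_7(x);
        /* 1f: two diverse implementations of the same algorithm run in parallel */
        f->y_float += 0.25f * (x - f->y_float);
        f->y_fixed = (int16_t)(f->y_fixed + ((xq - f->y_fixed) / 4));
        if (abs_f(f->y_float - from_q8_7(f->y_fixed)) > DIVERSITY_TOL) {
            err |= ERR_DIVERSITY;               /* channels disagree: do not publish */
        } else {
            *y_out = f->y_float;
        }
        f->x_prev = x;
        f->have_prev = true;
    }
    return err;
}

/* Fault-injection hook (Table 10, 1c): corrupt the fixed-point channel state,
 * as a test would do to show that the diversity comparison catches it. */
void filter_inject_fault(filter_t *f, uint16_t bit_mask)
{
    f->y_fixed = (int16_t)((uint16_t)f->y_fixed ^ bit_mask);
}

int main(void)
{
    /* Constructed input sequence: in range, in range, implausible jump, in range */
    const float inputs[] = { 10.0f, 10.0f, 20.0f, 14.0f };
    filter_t f;
    float y = 0.0f;
    filter_init(&f);
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        unsigned err = filter_step(&f, inputs[i], &y);
        printf("x=%6.2f err=%u y=%8.4f\n", inputs[i], err, y);
    }
    filter_inject_fault(&f, 0x0400u);           /* flip one state bit (+8.0) */
    printf("after fault: err=%u\n", filter_step(&f, 14.0f, &y));
    return 0;
}
```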


Table 5 Mechanisms for Error Handling at the Software Architectural Level (ratings for ASIL A, B, C, D)

1a Static recovery mechanism: + + + +
    Tools: Simulink; Stateflow
    Comment: Simulink and Stateflow can be used to design fault detection, isolation, and recovery (FDIR) algorithms.
1b Graceful degradation: + + ++ ++
    Tools: Stateflow
    Comment: Stateflow can be used to design graceful degradation behavior.
1c Independent parallel redundancy: o o + ++
1d Correcting codes for data: + + + +

Table 6 Methods for Verification of Software Architectural Design (ratings for ASIL A, B, C, D)

1a Walkthrough of the design: ++ + o o
    Tools: Simulink; Simulink Report Generator Web View, System Design Description (SDD) report
    Comment: Architectural design walkthroughs can be based on the model, a generated Web View, or an SDD report.
1b Inspection of the design: + ++ ++ ++
    Tools: Simulink; Simulink Report Generator Web View, System Design Description (SDD) report
    Comment: Design inspections can be based on the model, a generated Web View, or an SDD report.
    Tools: Simulink Verification and Validation Model Advisor checks
    Comment: Design inspections can be supported by ISO 26262, MAAB, Requirements Consistency, and custom Model Advisor checks. A Model Advisor check configuration can define a set of checks required to pass as a prerequisite for entering a design inspection.
1c Simulation of dynamic parts of the design: + + + ++
    Tools: Simulink
    Comment: Simulink supports simulation of algorithm and environment models.
1d Prototype generation: o o + ++
    Tools: Simulink Coder; Embedded Coder
    Comment: Simulink Coder can be used to generate code for rapid prototyping. Embedded Coder can be used to generate code for on-target rapid prototyping. Software-in-the-loop (SIL) and processor-in-the-loop (PIL) simulation can be used to execute generated code in the context of a model.
    Tools: Simulink 3D Animation; Gauges Blockset
    Comment: Simulink 3D Animation can be used to animate 3-dimensional scenes driven by signals in a model. Gauges Blockset can be used to add graphical instrumentation to models.
1e Formal verification: o o + +
    Tools: Simulink Model Verification block library; Simulink Design Verifier Property proving, design error detection
    Comment: Model Verification blocks can be used to formalize software safety requirements and other model properties. Property proving can be used to verify model properties. Design error detection can analyze a model to detect design errors that might occur at run time.
    Tools: Polyspace Runtime error detection
    Comment: Runtime error detection can analyze C code to identify software errors that might occur during run time.
1f Control flow analysis: + + ++ ++
    Tools: Simulink Verification and Validation Model coverage analysis; Simulink Design Verifier Test case generation
    Comment: Model coverage analysis can help identify unreachable portions of a model. Automatic test case generation can be used to detect unreachable model constructs, which could result in unreachable code.
    Tools: Polyspace Call tree, unreachable code analysis
    Comment: Polyspace can partially extract control flow information from C and can create an application call tree. Gray checks detect unreachable code.
1g Data flow analysis: + + ++ ++
    Tools: Simulink Diagnostics; Stateflow Diagnostics
    Comment: Data Store Memory block diagnostics and Stateflow diagnostics can be configured to identify data flow issues.
    Tools: Polyspace
    Comment: Polyspace supports static verification of dynamic properties of generated code. This verification technique is based on data flow analysis.

Software Unit Design and Implementation

Table 7 Notations for Software Unit Design (ratings for ASIL A, B, C, D)

1a Natural language: ++ ++ ++ ++
    Tools: Simulink Model Info block, DocBlock block; Simulink Verification and Validation System Requirements block
    Comment: The blocks can be used to add natural language descriptions of a unit design to a model.
    Tools: Simulink Verification and Validation Requirements Management Interface (RMI)
    Comment: Models representing unit designs can be linked to descriptions in Microsoft Word, Microsoft Excel, ASCII text, or PDF files.
1b Informal notations: + ++ ++ ++
    Tools: Simulink Model Info block, DocBlock block; Simulink Verification and Validation System Requirements block
    Comment: The blocks can be used to add informal descriptions of a unit design to a model.
    Tools: Simulink Verification and Validation Requirements Management Interface (RMI)
    Comment: The RMI can be used to link models representing unit designs to external informal descriptions in Microsoft Word, Microsoft Excel, ASCII text, or PDF files.
1c Semiformal notations: + ++ ++ ++
    Tools: Simulink; Stateflow
    Comment: Simulink and Stateflow support software unit design, using semiformal notations.
1d Formal notations: + + + +

Table 8 Design Principles for Software Unit Design and Implementation (ratings for ASIL A, B, C, D)

1a One entry and one exit point in subprograms and functions: ++ ++ ++ ++
    Tools: Simulink Modeling guidelines; Polyspace MISRA C checker
    Comment: Adherence can be facilitated by applying modeling guidelines in combination with analyzing generated code. MAAB guideline jc_0511 provides corresponding modeling recommendations. Polyspace can assess compliance with MISRA C:2004 rule 14.7.
1b No dynamic objects or variables, or else online test during their creation: + ++ ++ ++
    Tools: Embedded Coder Configuration
    Comment: Embedded Coder can be configured to generate C code that does not include dynamic objects.
    Tools: Polyspace MISRA C checker
    Comment: Polyspace can assess compliance with MISRA C:2004 rule 20.4.
1c Initialization of variables: ++ ++ ++ ++
    Tools: Simulink IC block, diagnostics
    Comment: An IC block can specify the initial condition for a signal. Setting the Underspecified initialization detection diagnostic to Simplified improves consistency of simulation results for models that do not specify initial conditions for conditional subsystem output ports or have conditionally executed subsystem output ports connected to S-functions.
    Tools: Embedded Coder Configuration
    Comment: Parameters in the Optimization > Data initialization section of the Configuration Parameters dialog box can be used to control initialization of variables in generated code.
    Tools: Polyspace Code verification
    Comment: Polyspace can check the initialization of variables in generated code. Uninitialized variables are reported as NIV checks.
1d No multiple use of variable names: + ++ ++ ++
    Tools: Simulink Diagnostics
    Comment: Setting the Duplicate data store names diagnostic to error detects conditions where a lower-level data store unexpectedly shadows a higher-level data store with the same name.
1e Avoid global variables or else justify their usage: + + ++ ++
    Tools: Simulink
    Comment: Usage of Data Store Memory blocks needs to be reviewed and justified.
    Tools: Embedded Coder Configuration
    Comment: Selecting the Enable local block outputs optimization reduces use of global variables in generated code.
1f Limited use of pointers: o + ++ ++
    Tools: Embedded Coder Configuration
    Comment: Embedded Coder may generate pointer arithmetic for certain language features, for example, lookup tables or matrix multiplication. Embedded Coder checks the data type and range of values to avoid corruption of address spaces.
    Tools: Polyspace MISRA C checker, code verification
    Comment: Polyspace can assess compliance with MISRA C:2004 rules 11.1 to 11.5 and 17.3 to 17.5, which restrict use of pointers. Polyspace can check whether pointers refer to valid objects. Violations are reported as IDP checks.
1g No implicit data type conversions: + ++ ++ ++
1h No hidden data flow or control flow: + ++ ++ ++
1i No unconditional jumps: ++ ++ ++ ++
    Tools: Polyspace MISRA C checker
    Comment: Polyspace can assess compliance with MISRA C:2004 rules 14.4 and 14.5.
1j No recursions: + + ++ ++
    Tools: Simulink Modeling guidelines
    Comment: Adherence can be facilitated by applying modeling guidelines. High-integrity guideline hisf_0004 provides corresponding modeling recommendations. Avoid using n-D Lookup Table and Interpolation blocks and Prelookup blocks with dimensions > 5.
    Tools: Polyspace Call graph
    Comment: Generated call graphs can be reviewed to identify recursive function calls.
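Table 8 cites the principles and the MISRA C:2004 rules that Embedded Coder and the Polyspace MISRA C checker address in generated code, and 1f names lookup tables as a place where pointer arithmetic appears. The hand-written 1-D lookup table with linear interpolation below is an added example, not MathWorks code or Embedded Coder output, showing the same principles applied by hand: one exit point (1a), no dynamic objects (1b), every local initialized at declaration (1c), indices clamped before any array access (1f), no goto (1i), a bounded loop instead of recursion (1j), and saturation at the table ends. The breakpoints and values are constructed.

```c
/* Added example (not MathWorks code or Embedded Coder output): a 1-D lookup
 * table with linear interpolation written to the ISO 26262-6 Table 8
 * principles that the MISRA C rules cited there enforce. Breakpoints and
 * values are constructed for the example. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    const float *bp;     /* strictly increasing breakpoints */
    const float *val;    /* table values, one per breakpoint */
    uint16_t     n;      /* number of breakpoints, >= 2 */
} lut1d_t;

/* Status codes; there are no dynamic objects, so a rejected call leaks nothing. */
enum { LUT_OK = 0, LUT_BAD_TABLE = 1, LUT_BAD_INPUT = 2 };

/* Validate a table before use: non-null, at least two breakpoints, and
 * strictly increasing breakpoints (so no interval has zero width). */
bool lut1d_is_valid(const lut1d_t *t)
{
    bool ok = (t != NULL) && (t->bp != NULL) && (t->val != NULL) && (t->n >= 2u);
    uint16_t i = 1u;
    while (ok && (i < t->n)) {              /* bounded loop, no recursion (1j) */
        ok = (t->bp[i] > t->bp[i - 1u]);
        i++;
    }
    return ok;
}

/* Interpolate t at x. Returns LUT_OK and writes *y; saturates outside the
 * breakpoint range. Single exit point (1a), no goto (1i), every local
 * initialized at declaration (1c), index clamped before array access (1f). */
int lut1d_lookup(const lut1d_t *t, float x, float *y)
{
    int status = LUT_OK;
    float result = 0.0f;

    if (!lut1d_is_valid(t) || (y == NULL)) {
        status = LUT_BAD_TABLE;
    } else if (!(x == x)) {                 /* NaN never compares equal to itself */
        status = LUT_BAD_INPUT;
    } else if (x <= t->bp[0]) {
        result = t->val[0];                 /* saturate low */
    } else if (x >= t->bp[t->n - 1u]) {
        result = t->val[t->n - 1u];         /* saturate high */
    } else {
        /* Find the interval [bp[i], bp[i+1]) containing x with a bounded scan.
         * The two guards above guarantee 0 <= i <= n-2, so i+1 stays in range. */
        uint16_t i = 0u;
        while ((i < (uint16_t)(t->n - 2u)) && (x >= t->bp[i + 1u])) {
            i++;
        }
        {
            float x0 = t->bp[i];
            float x1 = t->bp[i + 1u];
            float frac = (x - x0) / (x1 - x0);   /* x1 > x0 checked by lut1d_is_valid */
            result = t->val[i] + frac * (t->val[i + 1u] - t->val[i]);
        }
    }
    if (status == LUT_OK) {
        *y = result;
    }
    return status;
}

int main(void)
{
    /* Constructed table, e.g. a sensor linearization curve */
    static const float bp[]  = { 0.0f,  10.0f,  20.0f,  30.0f };
    static const float val[] = { 0.0f, 100.0f, 150.0f, 160.0f };
    const lut1d_t table = { bp, val, 4u };
    const float probes[] = { -5.0f, 15.0f, 25.0f, 35.0f };
    float y = 0.0f;
    for (size_t k = 0; k < sizeof probes / sizeof probes[0]; k++) {
        int st = lut1d_lookup(&table, probes[k], &y);
        printf("x=%6.1f status=%d y=%7.2f\n", probes[k], st, y);
    }
    return 0;
}
```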

Table 9 Methods for Verification of Software Unit Design and Implementation (ratings for ASIL A, B, C, D)

1a Walkthrough: ++ + o o
    Tools: Simulink; Simulink Report Generator Web View, System Design Description (SDD) report
    Comment: Unit design walkthroughs can be based on a model, a generated Web View, or an SDD report.
    Tools: Embedded Coder Code generation report
    Comment: Code walkthroughs can be based on HTML code generation reports or code generation reports with an integrated Web View of the model.
1b Inspection: + ++ ++ ++
    Tools: Simulink; Simulink Report Generator Web View, System Design Description (SDD) report
    Comment: Unit design inspections can be based on a model, a generated Web View, or an SDD report.
    Tools: Simulink Verification and Validation Model Advisor checks
    Comment: Unit design inspections can be supported by ISO 26262, MAAB, Requirements Consistency, and custom checks in Model Advisor. A Model Advisor check configuration can define a set of checks to pass as a prerequisite for entering model inspection.
    Tools: Embedded Coder Code generation report; IEC Certification Kit Traceability matrix
    Comment: Code walkthroughs can be based on HTML code generation reports, code generation reports with an integrated Web View of the model, or model-to-code and code-to-model traceability matrices.
1c Semiformal verification: + + ++ ++
    Tools: Simulink
    Comment: Simulink supports simulation of algorithm and environment models.
1d Formal verification: o o + +
    Tools: Simulink Model Verification blocks; Simulink Design Verifier Property proving, design error detection, test case generation
    Comment: Model Verification blocks can be used to formalize software safety requirements and other model properties. Property proving can be used to verify model properties using formal verification techniques. Design error detection can analyze a model to detect design errors that might occur at run time.
    Tools: Polyspace Code verification
    Comment: Runtime error detection can analyze C code to identify software errors that might occur during run time.
1e Control flow analysis: + + ++ ++
    Tools: Simulink Verification and Validation Model coverage analysis; Simulink Design Verifier Test case generation
    Comment: Model coverage analysis can help to identify unreachable portions of a model. Automatic test case generation can be used to detect unreachable model constructs that could result in unreachable code.
    Tools: Polyspace Call tree, unreachable code analysis
    Comment: Polyspace can partially extract control flow information from C code and can create the application call tree. Gray checks detect unreachable code.
1f Data flow analysis: + + ++ ++
    Tools: Simulink Diagnostics; Stateflow Diagnostics
    Comment: Data Store Memory block diagnostics and Stateflow diagnostics can be configured to identify data flow issues.
    Tools: Polyspace Code verification
    Comment: Polyspace supports static verification of dynamic properties of generated code. This verification technique is based on data flow analysis.
1g Static code analysis: + ++ ++ ++
    Tools: Polyspace MISRA C checker
    Comment: Polyspace can facilitate static analysis of C code.
1h Semantic code analysis: + + + +
    Tools: Polyspace Code verification
    Comment: Polyspace uses abstract interpretation to analyze C code.


Clause-level mapping (clause; Model-Based Design tools and processes; comments)

Clause 8.4.5: The software unit design and implementation shall be verified in accordance with ISO 26262-8:2011 Clause 9, and by applying the verification methods listed in Table 9 to demonstrate: ... b) the fulfillment of the software safety requirements as allocated to the software units (in accordance with 7.4.9) through traceability ...
    Tools: IEC Certification Kit Traceability matrix
    Comment: Generated traceability matrices can be used to document and review existing links between textual requirements, models, and generated code.


    Software Unit TestingTable 10 Methods for Software Unit Testing

    ASILMethods

    A B C D

    ApplicableModel-Based DesignTools and Processes

    Comments

    Simulink Verification

    and Validation RequirementsManagement Interface(RMI)

    RMI can be used to

    establish bidirectionallinks between textualrequirements andmodels.

    IEC Certification Kit Traceability matrix

    Generated traceabilitymatrices can be used todocument and reviewexisting links between

    textual requirements,models, and code.

    Simulink SignalBuilder block

    Stateflow Dynamictest vector charts

    Signal Builder blockscan be used to createopen-loop model tests.

    Dynamic test vectorcharts can be used

    to create closed-loop,reactive model tests.

    1a Requirements-based

    test

    ++ ++ ++ ++

    Simulink Verificationand Validation Component testingcapabilities

    Component testingcapabilities can be usedto create model testharnesses. They alsoenable a requirementspane in the Signal

    Builder that can beused to link tests withtextual requirements.

    2-24

    Software Unit Testing

  • 8/11/2019 Certkitiec Mbd

    33/46

    Table 10 Methods for Software Unit Testing (Continued)

    ASILMethods

    A B C D

    ApplicableModel-Based DesignTools and Processes

    Comments

    1b Interface test ++ ++ ++ ++ Simulink DesignVerifier Test casegeneration

    Automatic testcase generation incombination with Test

    Objective blocks canbe used to generateinterface tests.

    Simulink

    Stateflow

    Simulink and Stateflowcan be used to carryout fault injection tests.The tools can also beused to simulate failure

    propagation at themodel level. For thispurpose, the systemmodel and a separatefailure model can beused.

    1c Fault injectiontest

    + + + ++

    Simulink DesignVerifier Test casegeneration

    Automatic testcase generation incombination with TestObjective blocks cangenerate fault injectiontests.

    1d Resource usagetest

    + + + ++ Embedded Coder Processor-in-the-loop(PIL) testing, code

    metrics report

    PIL testing analyzesresource utilization ona target processor. The

    code metrics reportprovides the amountof memory used by thegenerated code.

    2-25

    2 ISO 262626: Applicable Model-Based Design Tools and Processes

Table 10 Methods for Software Unit Testing (Continued)

| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1e Back-to-back test between model and code, if applicable | + | + | ++ | ++ | Simulink; Stateflow; Simulink Verification and Validation: Component testing capabilities, model coverage; Simulink Design Verifier: Test case generation | Simulation capabilities of Simulink and Stateflow and the component test capabilities of Simulink Verification and Validation facilitate dynamic testing of models. Model coverage can be used to assess the completeness of the model tests. Simulink Design Verifier can generate missing test cases. |
| | | | | | Embedded Coder: Software-in-the-loop (SIL) testing, processor-in-the-loop (PIL) testing, code generation verification (CGV); Simulink: Simulation Data Inspector (SDI) | SIL and PIL testing provide a way to execute model tests on generated code. CGV automates selected back-to-back testing workflows. SDI supports the comparison of test results created during back-to-back testing. |


    Software Unit Testing


Table 12 Structural Coverage Metrics at the Software Unit Level

| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1a Statement coverage | ++ | ++ | + | + | Embedded Coder: Code coverage collection | During software-in-the-loop (SIL) simulation, Embedded Coder can collect statement coverage by using the third-party tool LDRA Testbed. During SIL simulation, Embedded Coder can collect condition/decision coverage information, which usually subsumes statement coverage, by using the third-party tool BullseyeCoverage. |
| 1b Branch coverage | + | ++ | ++ | ++ | Simulink Verification and Validation: Model coverage analysis; Simulink Design Verifier: Test case generation | During model testing, Simulink Verification and Validation can collect decision coverage (also known as branch coverage) at the model level. Simulink Design Verifier can generate test cases that satisfy decision coverage at the model level. |
| | | | | | Embedded Coder: Code coverage collection | During SIL simulation, Embedded Coder can collect statement coverage by using the third-party tool LDRA Testbed. During SIL simulation, Embedded Coder can collect condition and decision coverage, which usually subsumes statement coverage, by using the third-party tool BullseyeCoverage. |
| 1c MC/DC (Modified Condition/Decision Coverage) | + | + | + | + | Simulink Verification and Validation: Model coverage analysis; Simulink Design Verifier: Test case generation | During model testing, Simulink Verification and Validation can collect MC/DC coverage at the model level. Simulink Design Verifier can be used to generate test cases that satisfy MC/DC coverage at the model level. |
| | | | | | Embedded Coder: Code coverage collection | During SIL simulation, Embedded Coder can collect MC/DC coverage by using the third-party tool LDRA Testbed. |
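Table 12 names three structural coverage metrics without showing what distinguishes them. The following Python block is an added example, not code from the IEC Certification Kit or from any MathWorks tool: it checks constructed test vector sets against a three-condition decision and reports decision (branch), condition and MC/DC coverage, so the gap between a test set that reaches decision coverage and one that reaches MC/DC is visible. The interlock decision, the condition names and the test sets are assumptions constructed for the example; the MC/DC check implements the unique-cause form (two vectors that differ in exactly one condition and flip the outcome).

```python
from itertools import product

# Constructed example decision (not from the page): an interlock that permits
# actuation only when the door is closed and either the key is on or a
# service override is active.
CONDITIONS = ("door_closed", "key_on", "service_override")


def decision(door_closed, key_on, service_override):
    """Decision under test: door_closed AND (key_on OR service_override)."""
    return bool(door_closed and (key_on or service_override))


def decision_coverage(vectors):
    """Decision (branch) coverage: the decision as a whole evaluated to both
    True and False at least once."""
    return {decision(*v) for v in vectors} == {True, False}


def condition_coverage(vectors):
    """Condition coverage: every individual condition took both values."""
    return all({v[i] for v in vectors} == {True, False} for i in range(len(CONDITIONS)))


def mcdc_pairs(vectors):
    """Unique-cause MC/DC: for each condition, find an independence pair, i.e.
    two vectors that differ only in that condition and flip the decision
    outcome. Returns a dict mapping each covered condition to its pair."""
    pairs = {}
    unique = list(dict.fromkeys(tuple(v) for v in vectors))
    for i, name in enumerate(CONDITIONS):
        for a in unique:
            for b in unique:
                others_equal = all(a[j] == b[j] for j in range(len(CONDITIONS)) if j != i)
                if a[i] != b[i] and others_equal and decision(*a) != decision(*b):
                    pairs.setdefault(name, (a, b))
    return pairs


def mcdc_coverage(vectors):
    """MC/DC is achieved when every condition has an independence pair."""
    return len(mcdc_pairs(vectors)) == len(CONDITIONS)


def coverage_report(vectors):
    """Summarise the three metrics for one test vector set."""
    covered = mcdc_pairs(vectors)
    return {
        "decision": decision_coverage(vectors),
        "condition": condition_coverage(vectors),
        "mcdc": mcdc_coverage(vectors),
        "uncovered_conditions": [c for c in CONDITIONS if c not in covered],
    }


def exhaustive_vectors():
    """All 2^n input combinations, the brute-force way to reach MC/DC."""
    return list(product((True, False), repeat=len(CONDITIONS)))


# Constructed test sets. TWO_VECTORS reaches decision and condition coverage
# with only two vectors but gives no MC/DC evidence, because the vectors
# differ in every condition at once, so no condition is shown to act alone.
TWO_VECTORS = [(True, True, True), (False, False, False)]
# MCDC_SET is an n+1 = 4 vector set that achieves MC/DC for this decision.
MCDC_SET = [(True, True, False), (False, True, False), (True, False, False), (True, False, True)]

if __name__ == "__main__":
    for label, vs in (("two vectors", TWO_VECTORS), ("mcdc set", MCDC_SET), ("exhaustive", exhaustive_vectors())):
        print(label, coverage_report(vs))
```

The point the comparison makes is the one Table 12 relies on: a test set can show every branch and every condition value yet leave a condition unexercised in isolation, which is what the higher ASIL levels ask MC/DC to demonstrate.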


    Software Integration and Testing

Table 13 Methods for Software Integration Testing

| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1a Requirements-based test | ++ | ++ | ++ | ++ | Simulink Verification and Validation: Requirements Management Interface (RMI) | RMI can be used to establish bidirectional links between textual requirements and models. |
| | | | | | IEC Certification Kit: Traceability matrix | Generated traceability matrices can be used to document and review existing links between textual requirements, models, and code. |
| | | | | | Simulink: Signal Builder block; Stateflow: Dynamic test vector charts | The Signal Builder block can be used to create open-loop model tests. Dynamic test vector charts can be used to create closed-loop, reactive model tests. |
| | | | | | Simulink Verification and Validation: Component testing capabilities | Component testing capabilities can be used to create model test harnesses. They also enable a requirements pane in the Signal Builder, which can be used to link tests with textual requirements. |
| 1b Interface test | ++ | ++ | ++ | ++ | Simulink Design Verifier: Test case generation | Automatic test case generation in combination with Test Objective blocks can be used to generate interface tests. |
| 1c Fault injection test | + | + | ++ | ++ | Simulink; Stateflow | Simulink and Stateflow can be used to execute fault injection tests. They can also simulate failure propagation at the model level. For this purpose, a system model and/or a separate failure model can be used. |
| | | | | | Simulink Design Verifier: Test case generation | Automatic test case generation in combination with Test Objective blocks can generate fault injection tests. |
| 1d Resource usage test | + | + | + | ++ | Embedded Coder: Processor-in-the-loop (PIL) testing, code metrics report | PIL testing analyzes resource utilization on a target processor. The code metrics report provides information about memory usage of generated code. |
| 1e Back-to-back test between model and code, if applicable | + | + | ++ | ++ | Simulink; Stateflow; Simulink Verification and Validation: Component testing capabilities, model coverage; Simulink Design Verifier: Test case generation | Simulation capabilities of Simulink and Stateflow and the component test capabilities of Simulink Verification and Validation facilitate dynamic model testing. Model coverage can assess the completeness of model tests. Simulink Design Verifier can generate missing test cases. |
| | | | | | Embedded Coder: Software-in-the-loop (SIL) testing, processor-in-the-loop (PIL) testing, code generation verification (CGV); Simulink: Simulation Data Inspector (SDI) | SIL and PIL testing capabilities execute model tests on generated code. CGV can automate selected back-to-back testing workflows. SDI supports comparison of test results created during back-to-back testing. |
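Method 1e in Table 10 and in Table 13 describes back-to-back testing between the model and the generated code, with SDI comparing the two sets of results. The following Python block is an added example, not code from the IEC Certification Kit or from Simulink: a floating-point reference filter stands in for the model, a constructed fixed-point version of the same filter stands in for the generated code, both run on the same constructed stimulus, and a comparator applies the absolute and relative tolerance rule that such a comparison relies on. The filter, the Q8 fixed-point format, the step stimulus and the 4-LSB tolerance are all assumptions made for the example.

```python
def reference_filter(samples, alpha=0.25):
    """Floating-point "model": first-order low-pass filter
    y[k] = y[k-1] + alpha * (u[k] - y[k-1])."""
    y = 0.0
    out = []
    for u in samples:
        y += alpha * (u - y)
        out.append(y)
    return out


def implementation_filter(samples, alpha_q=64, frac_bits=8):
    """Constructed integer stand-in for the "generated code" of the same filter:
    state and gain held in fixed point with frac_bits fractional bits
    (alpha_q=64 with 8 fractional bits is 0.25), including the truncation a
    real target implementation would introduce."""
    y = 0
    out = []
    one = 1 << frac_bits
    for u in samples:
        u_q = int(round(u * one))
        y += (alpha_q * (u_q - y)) >> frac_bits  # truncating fixed-point multiply
        out.append(y / one)
    return out


def compare_runs(expected, actual, abs_tol=0.0, rel_tol=0.0):
    """Sample-by-sample comparison with absolute and relative tolerances, the
    kind of rule a run comparison in SDI applies. A sample passes when
    |actual - expected| <= max(abs_tol, rel_tol * |expected|).
    Returns (passed, mismatches); each mismatch is (index, expected, actual)."""
    if len(expected) != len(actual):
        raise ValueError("signals have different lengths: %d vs %d" % (len(expected), len(actual)))
    mismatches = []
    for k, (e, a) in enumerate(zip(expected, actual)):
        tol = max(abs_tol, rel_tol * abs(e))
        if abs(a - e) > tol:
            mismatches.append((k, e, a))
    return not mismatches, mismatches


# Constructed stimulus: four samples of 0 followed by a unit step.
STEP_INPUT = [0.0] * 4 + [1.0] * 12
# Tolerance of 4 LSB of the Q8 implementation, chosen for this example.
ABS_TOL = 4 / 256


def back_to_back(samples=STEP_INPUT, alpha_q=64):
    """Run model and implementation on the same stimulus and compare them."""
    expected = reference_filter(samples)
    actual = implementation_filter(samples, alpha_q=alpha_q)
    passed, mismatches = compare_runs(expected, actual, abs_tol=ABS_TOL)
    max_error = max(abs(a - e) for e, a in zip(expected, actual))
    return {"passed": passed, "mismatches": mismatches, "max_error": max_error}


if __name__ == "__main__":
    print(back_to_back())            # correct gain: truncation stays within 4 LSB
    print(back_to_back(alpha_q=48))  # wrong gain (0.1875): first mismatch at the step
```

The tolerance is the part worth thinking about before the test is run: fixed-point truncation makes some deviation from the floating-point model unavoidable, so the comparison must accept that bounded error while still rejecting a real defect such as the wrong gain in the second run, whose deviation at the step edge is an order of magnitude larger.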


Table 15 Structural Coverage Metrics at the Software Architectural Level

| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1a Function coverage | + | + | ++ | ++ | Embedded Coder: Code coverage collection | During SIL simulation, Embedded Coder can collect function coverage information by using the third-party tool BullseyeCoverage. |
| 1b Call coverage | + | + | ++ | ++ | Embedded Coder: Code coverage collection | During SIL simulation, Embedded Coder can collect procedure/function call coverage information by using the third-party tool LDRA Testbed. |

3 ISO 26262-8: Applicable Model-Based Design Tools and Processes

    Confidence in the Use of Software Tools

Table 4 Qualification of Software Tools Classified TCL3

| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1a Increased confidence from use in accordance with 11.4.7 | ++ | ++ | + | + | | |
| 1b Evaluation of the tool development process in accordance with 11.4.8 | ++ | ++ | + | + | | |
| 1c Validation of the software tool in accordance with 11.4.9 | + | + | + | ++ | IEC Certification Kit | Embedded Coder (including AUTOSAR TPP), Simulink Verification and Validation, Simulink Design Verifier, and Polyspace products for C/C++ have been prequalified, using a combination of methods 1b and 1c. TÜV SÜD carried out an independent tool qualification assessment. The IEC Certification Kit provides Software Tool Criteria Evaluation reports, Software Tool Qualification reports, and evidence for the independent assessment. The IEC Certification Kit provides exemplary test cases and test procedures for Embedded Coder, Simulink Verification and Validation, and Polyspace products for C/C++ that can be used to facilitate tool validation tests for these products. |
| 1d Development in accordance with a safety standard | + | + | + | ++ | | |

Table 5 Qualification of Software Tools Classified TCL2

| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1a Increased confidence from use in accordance with 11.4.7 | ++ | ++ | ++ | + | | |
| 1b Evaluation of the tool development process in accordance with 11.4.8 | ++ | ++ | ++ | + | | |
| 1c Validation of the software tool in accordance with 11.4.9 | + | + | + | ++ | IEC Certification Kit | Embedded Coder (including AUTOSAR TPP), Simulink Verification and Validation, Simulink Design Verifier, and Polyspace products for C/C++ have been prequalified, using a combination of methods 1b and 1c. TÜV SÜD carried out an independent tool qualification assessment. The IEC Certification Kit provides Software Tool Criteria Evaluation reports, Software Tool Qualification reports, and evidence for the independent assessment. The IEC Certification Kit provides exemplary test cases and test procedures for Embedded Coder, Simulink Verification and Validation, and Polyspace products for C/C++ that can be used to facilitate tool validation tests for these products. |
| 1d Development in accordance with a safety standard | + | + | + | ++ | | |
