8/11/2019 Certkitiec Mbd
IEC Certification Kit
Model-Based Design for ISO 26262
R2012a
How to Contact MathWorks
www.mathworks.com                    Web
comp.soft-sys.matlab                 Newsgroup
www.mathworks.com/contact_TS.html    Technical Support
[email protected]                    Product enhancement suggestions
[email protected]                    Bug reports
[email protected]                    Documentation error reports
[email protected]                    Order status, license renewals, passcodes
[email protected]                    Sales, pricing, and general information
508-647-7000 (Phone)
508-647-7001 (Fax)
The MathWorks, Inc.
3 Apple Hill Drive
Natick, MA 01760-2098
For contact information about worldwide offices, see the MathWorks Web site.
IEC Certification Kit Model-Based Design for ISO 26262
COPYRIGHT 2012 by The MathWorks, Inc.
The software described in this document is furnished under a license agreement. The software may be used or copied only under the terms of the license agreement. No part of this manual may be photocopied or reproduced in any form without prior written consent from The MathWorks, Inc.
FEDERAL ACQUISITION: This provision applies to all acquisitions of the Program and Documentation by, for, or through the federal government of the United States. By accepting delivery of the Program or Documentation, the government hereby agrees that this software or documentation qualifies as commercial computer software or commercial computer software documentation as such terms are used or defined in FAR 12.212, DFARS Part 227.72, and DFARS 252.227-7014. Accordingly, the terms and conditions of this Agreement and only those rights specified in this Agreement, shall pertain to and govern the use, modification, reproduction, release, performance, display, and disclosure of the Program and Documentation by the federal government (or other entity acquiring for or through the federal government) and shall supersede any conflicting contractual terms or conditions. If this License fails to meet the government's needs or is inconsistent in any respect with federal procurement law, the government agrees to return the Program and Documentation, unused, to The MathWorks, Inc.
Trademarks
MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See www.mathworks.com/trademarks for a list of additional trademarks. Other product or brand names may be trademarks or registered trademarks of their respective holders.
Patents
MathWorks products are protected by one or more U.S. patents. Please see www.mathworks.com/patents for more information.
Revision History
March 2012 Online only New for Version 1.6 (Release 2012a)
Contents

1 Introduction
Model-Based Design for ISO 26262 . . . 1-2
Reference Workflows . . . 1-3

2 ISO 26262-6: Applicable Model-Based Design Tools and Processes
Initiation of Product Development at the Software Level . . . 2-2
Software Architectural Design . . . 2-3
Software Unit Design and Implementation . . . 2-13
Software Unit Testing . . . 2-24
Software Integration and Testing . . . 2-30

3 ISO 26262-8: Applicable Model-Based Design Tools and Processes
Confidence in the Use of Software Tools . . . 3-2
1 Introduction

Model-Based Design for ISO 26262 on page 1-2
Reference Workflows on page 1-3
Model-Based Design for ISO 26262

This documentation provides annotated versions of method tables that appear in the ISO 26262-6 and ISO 26262-8 standards. The annotated tables provide suggestions on how to use Model-Based Design products from MathWorks to apply the methods listed in the standard for different Automotive Safety Integrity Levels (ASILs).

Chapter 2, ISO 26262-6: Applicable Model-Based Design Tools and Processes
Chapter 3, ISO 26262-8: Applicable Model-Based Design Tools and Processes

The IEC Certification Kit provides additional support when using Model-Based Design for ISO 26262 applications, including reference workflows for verifying and validating models and generated code.
Reference Workflows

IEC Certification Kit: Embedded Coder Reference Workflow
IEC Certification Kit: Polyspace Client/Server for C/C++ Reference Workflow
IEC Certification Kit: Simulink Design Verifier Reference Workflow
IEC Certification Kit: Simulink Verification and Validation Reference Workflow
2 ISO 26262-6: Applicable Model-Based Design Tools and Processes

Initiation of Product Development at the Software Level on page 2-2
Software Architectural Design on page 2-3
Software Unit Design and Implementation on page 2-13
Software Unit Testing on page 2-24
Software Integration and Testing on page 2-30
Initiation of Product Development at the Software Level

Table 1 Topics To Be Covered By Modelling and Coding Guidelines
(Columns: Topics; ASIL A B C D; Applicable Model-Based Design Tools and Processes; Comments)

1a Enforcement of low complexity (ASIL A B C D: ++ ++ ++ ++)
1b Use of language subsets (ASIL A B C D: ++ ++ ++ ++)
1c Enforcement of strong typing (ASIL A B C D: ++ ++ ++ ++)
1d Use of defensive implementation techniques (ASIL A B C D: o + ++ ++)
1e Use of established design principles (ASIL A B C D: + + + ++)
1f Use of unambiguous graphical representation (ASIL A B C D: + ++ ++ ++)
1g Use of style guides (ASIL A B C D: + ++ ++ ++)
1h Use of naming conventions (ASIL A B C D: ++ ++ ++ ++)
   Tools (1a to 1h): Simulink Modeling guidelines
   Comment: The Modeling Guidelines for High-Integrity Systems and the MathWorks Automotive Advisory Board Control Algorithm Modeling Guidelines Using MATLAB, Simulink, and Stateflow can be used to address topics listed in this table. The guideline subset used for a project should address a combination of topics applicable for the ASIL under consideration.
Software Architectural Design

Table 2 Notations for Software Architectural Design
(Columns: Methods; ASIL A B C D; Applicable Model-Based Design Tools and Processes; Comments)

1a Informal notations (ASIL A B C D: ++ ++ + +)
   Tools: Simulink Model Info and DocBlock blocks; Simulink Verification and Validation System Requirements block
   Comment: The blocks can be used to integrate architectural descriptions into a model.
   Tools: Simulink Verification and Validation Requirements Management Interface (RMI)
   Comment: The RMI can be used to link Simulink and Stateflow architectural designs to informal descriptions in Microsoft Word, Microsoft Excel, ASCII text, and PDF files.
1b Semiformal notations (ASIL A B C D: + ++ ++ ++)
   Tools: Simulink; Stateflow
   Comment: Simulink and Stateflow support software architectural design using semiformal notations.
1c Formal notations (ASIL A B C D: + + + +)
Table 3 Principles for Software Architectural Design
(Columns: Methods; ASIL A B C D; Applicable Model-Based Design Tools and Processes; Comments)

1a Hierarchical structure of software components (ASIL A B C D: ++ ++ ++ ++)
   Tools: Simulink Model block, Ports & Subsystems block library; Stateflow
   Comment: Model blocks (model referencing), subsystems, libraries, and Stateflow charts support hierarchical decomposition of models.
   Tools: Simulink Model Dependency Viewer
   Comment: When using Model blocks or libraries to structure a model, the Model Dependency Viewer can display a graph of models and libraries referenced by the top model.
   Tools: Embedded Coder
   Comment: Embedded Coder supports modularization of code at the file level.
1b Restricted size of software components (ASIL A B C D: ++ ++ ++ ++)
   Tools: Simulink; Stateflow; Embedded Coder
   Comment: Software components can be structured hierarchically to limit component size.
   Tools: Simulink Verification and Validation ISO 26262 checks
   Comment: The ISO 26262 Model Advisor check "Display model metrics and complexity report" provides information on the size and complexity of models and subsystems.
1c Restricted size of interfaces (ASIL A B C D: ++ ++ ++ ++)
   Tools: Simulink Verification and Validation ISO 26262 checks
   Comment: The ISO 26262 Model Advisor check "Display model metrics and complexity report" provides information on the number of inports and outports of models and subsystems.
1d High cohesion within software components (ASIL A B C D: + + + +)
1e Restricted coupling between software components (ASIL A B C D: + ++ ++ ++)
1f Appropriate scheduling properties (ASIL A B C D: + ++ ++ [fourth rating missing in source])
   Tools: Simulink
   Comment: Simulink provides a way to control the rate of block execution and allows specification of block-based or port-based sample times. Models can display color coding and annotations to represent specific sample times.
   Tools: Stateflow Scheduler patterns
   Comment: Stateflow provides multiple scheduler patterns for controlling execution of subsystems.
1g Restricted use of interrupts (ASIL A B C D: + + + ++)
   Tools: Embedded Coder Configuration
   Comment: Embedded Coder can be configured to not insert interrupts into step function code.
Table 4 Mechanisms for Error Detection at the Software Architectural Level
(Columns: Methods; ASIL A B C D; Applicable Model-Based Design Tools and Processes; Comments)

1a Range checks of input and output data (ASIL A B C D: ++ ++ ++ ++)
   Tools: Simulink; Stateflow
   Comment: Simulink and Stateflow can be used to design range checks for input and output data. During simulation, the Simulation range checking diagnostic detects when signals exceed specified ranges.
   Tools: Simulink Design Verifier; Polyspace
   Comment: Simulink Design Verifier and Polyspace can calculate and verify signal ranges.
1b Plausibility check (ASIL A B C D: + + + ++)
   Tools: Simulink; Stateflow
   Comment: Simulink and Stateflow can be used to design plausibility checks.
1c Detection of data errors (ASIL A B C D: ++ ++ ++ ++)
   Tools: Simulink; Stateflow
   Comment: Simulink and Stateflow can be used to detect data errors.
1d External monitoring facility (ASIL A B C D: o + + ++)
1e Control flow monitoring (ASIL A B C D: o + ++ ++)
1f Diverse software design (ASIL A B C D: o o + ++)
   Tools: Simulink; Stateflow; Simulink Fixed Point
   Comment: Software diversity for algorithmic parts can be supported by executing floating-point and fixed-point versions of an algorithm in parallel and comparing the results.
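As an added illustration of the Table 4 mechanisms (this is not code from the IEC Certification Kit or from MathWorks), the following C routine runs a floating-point and a Q16 fixed-point version of a first-order low-pass filter in parallel (row 1f), range-checks the input and the output (row 1a), and compares the two channels every sample; the filter, the signal range, the tolerance and the corrupted-state fault injected in the test are all constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed example: low-pass filter y[k] = y[k-1] + a*(u[k] - y[k-1]),
 * implemented twice (floating point and Q16 fixed point) and executed in
 * parallel, with range checks on the input and on the output. */
#define SIG_MIN   (-100.0f)          /* valid signal range, constructed */
#define SIG_MAX   (100.0f)
#define ALPHA_F   (0.25f)            /* filter coefficient, floating-point channel */
#define Q_ONE     (65536)            /* 1.0 in Q16 */
#define ALPHA_Q   (Q_ONE / 4)        /* 0.25 in Q16 */
#define TOL       (0.05f)            /* tolerated disagreement between channels */

typedef enum {
    LPF_OK = 0,
    LPF_ERR_RANGE_IN = 1,            /* input outside [SIG_MIN, SIG_MAX] */
    LPF_ERR_RANGE_OUT = 2,           /* computed output outside the range */
    LPF_ERR_DIVERGE = 3              /* float and fixed-point results disagree */
} lpf_status_t;

typedef struct {
    float   y_f;                     /* state of the floating-point channel */
    int32_t y_q;                     /* state of the fixed-point channel (Q16) */
    float   y_last_ok;               /* last output that passed every check */
    bool    latched;                 /* set once the channels disagree; stays set */
} lpf_state_t;

void lpf_init(lpf_state_t *s)
{
    s->y_f = 0.0f;
    s->y_q = 0;
    s->y_last_ok = 0.0f;
    s->latched = false;
}

/* Channel A: floating point. */
static float lpf_float(float y_prev, float u)
{
    return y_prev + (ALPHA_F * (u - y_prev));
}

/* Channel B: Q16 fixed point. The 64-bit intermediate cannot overflow, and a
 * division (not a right shift) keeps the result defined for negative values. */
static int32_t lpf_fixed(int32_t y_prev, int32_t u_q)
{
    int64_t diff = (int64_t)u_q - (int64_t)y_prev;
    return (int32_t)((int64_t)y_prev + ((diff * ALPHA_Q) / Q_ONE));
}

/* Process one sample. *y_out always receives a validated value: the new
 * output when all checks pass, otherwise the last validated output. */
lpf_status_t lpf_step(lpf_state_t *s, float u, float *y_out)
{
    lpf_status_t st = LPF_OK;

    if (s->latched) {
        st = LPF_ERR_DIVERGE;                          /* fault already latched */
    } else if ((u < SIG_MIN) || (u > SIG_MAX)) {
        st = LPF_ERR_RANGE_IN;                         /* reject sample, keep state */
    } else {
        float   ya   = lpf_float(s->y_f, u);
        int32_t yb   = lpf_fixed(s->y_q, (int32_t)(u * (float)Q_ONE));
        float   yb_f = (float)yb / (float)Q_ONE;       /* back to engineering units */
        float   d    = ya - yb_f;
        if (d < 0.0f) {
            d = -d;
        }
        if (d > TOL) {
            s->latched = true;                         /* diverse channels disagree */
            st = LPF_ERR_DIVERGE;
        } else if ((ya < SIG_MIN) || (ya > SIG_MAX)) {
            st = LPF_ERR_RANGE_OUT;                    /* defensive output check */
        } else {
            s->y_f = ya;
            s->y_q = yb;
            s->y_last_ok = ya;
        }
    }
    *y_out = s->y_last_ok;
    return st;                                         /* single exit point */
}
```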
Table 5 Mechanisms for Error Handling at the Software Architectural Level
(Columns: Methods; ASIL A B C D; Applicable Model-Based Design Tools and Processes; Comments)

1a Static recovery mechanism (ASIL A B C D: + + + +)
   Tools: Simulink; Stateflow
   Comment: Simulink and Stateflow can be used to design fault detection, isolation, and recovery (FDIR) algorithms.
1b Graceful degradation (ASIL A B C D: + + ++ ++)
   Tools: Stateflow
   Comment: Stateflow can be used to design graceful degradation behavior.
1c Independent parallel redundancy (ASIL A B C D: o o + ++)
1d Correcting codes for data (ASIL A B C D: + + + +)
Table 6 Methods for Verification of Software Architectural Design
(Columns: Methods; ASIL A B C D; Applicable Model-Based Design Tools and Processes; Comments)

1a Walkthrough of the design (ASIL A B C D: ++ + o o)
   Tools: Simulink; Simulink Report Generator Web View, System Design Description (SDD) report
   Comment: Architectural design walkthroughs can be based on the model, a generated Web View, or an SDD report.
1b Inspection of the design (ASIL A B C D: + ++ ++ ++)
   Tools: Simulink; Simulink Report Generator Web View, System Design Description (SDD) report
   Comment: Design inspections can be based on the model, a generated Web View, or an SDD report.
   Tools: Simulink Verification and Validation Model Advisor checks
   Comment: Design inspections can be supported by ISO 26262, MAAB, Requirements Consistency, and custom Model Advisor checks. A Model Advisor check configuration can define a set of checks required to pass as a prerequisite for entering a design inspection.
1c Simulation of dynamic parts of the design (ASIL A B C D: + + + ++)
   Tools: Simulink
   Comment: Simulink supports simulation of algorithm and environment models.
1d Prototype generation (ASIL A B C D: o o + ++)
   Tools: Simulink Coder; Embedded Coder
   Comment: Simulink Coder can be used to generate code for rapid prototyping. Embedded Coder can be used to generate code for on-target rapid prototyping. Software-in-the-loop (SIL) and processor-in-the-loop (PIL) simulation can be used to execute generated code in the context of a model.
   Tools: Simulink 3D Animation; Gauges Blockset
   Comment: Simulink 3D Animation can be used to animate 3-dimensional scenes driven by signals in a model. Gauges Blockset can be used to add graphical instrumentation to models.
1e Formal verification (ASIL A B C D: o o + +)
   Tools: Simulink Model Verification block library; Simulink Design Verifier Property proving, design error detection
   Comment: Model Verification blocks can be used to formalize software safety requirements and other model properties. Property proving can be used to verify model properties. Design error detection can analyze a model to detect design errors that might occur at run time.
   Tools: Polyspace Runtime error detection
   Comment: Runtime error detection can analyze C code to identify software errors that might occur during run time.
1f Control flow analysis (ASIL A B C D: + + ++ ++)
   Tools: Simulink Verification and Validation Model coverage analysis; Simulink Design Verifier Test case generation
   Comment: Model coverage analysis can help identify unreachable portions of a model. Automatic test case generation can be used to detect unreachable model constructs, which could result in unreachable code.
   Tools: Polyspace Call tree, unreachable code analysis
   Comment: Polyspace can partially extract control flow information from C and can create an application call tree. Gray checks detect unreachable code.
1g Data flow analysis (ASIL A B C D: + + ++ ++)
   Tools: Simulink Diagnostics; Stateflow Diagnostics
   Comment: Data Store Memory block diagnostics and Stateflow diagnostics can be configured to identify data flow issues.
   Tools: Polyspace
   Comment: Polyspace supports static verification of dynamic properties of generated code. This verification technique is based on data flow analysis.
Software Unit Design and Implementation

Table 7 Notations for Software Unit Design
(Columns: Methods; ASIL A B C D; Applicable Model-Based Design Tools and Processes; Comments)

1a Natural language (ASIL A B C D: ++ ++ ++ ++)
   Tools: Simulink Model Info block, DocBlock block; Simulink Verification and Validation System Requirements block
   Comment: The blocks can be used to add natural language descriptions of a unit design to a model.
   Tools: Simulink Verification and Validation Requirements Management Interface (RMI)
   Comment: Models representing unit designs can be linked to descriptions in Microsoft Word, Microsoft Excel, ASCII text, or PDF files.
1b Informal notations (ASIL A B C D: + ++ ++ ++)
   Tools: Simulink Model Info block, DocBlock block; Simulink Verification and Validation System Requirements block
   Comment: The blocks can be used to add informal descriptions of a unit design to a model.
   Tools: Simulink Verification and Validation Requirements Management Interface (RMI)
   Comment: The RMI can be used to link models representing unit designs to external informal descriptions in Microsoft Word, Microsoft Excel, ASCII text, or PDF files.
1c Semiformal notations (ASIL A B C D: + ++ ++ ++)
   Tools: Simulink; Stateflow
   Comment: Simulink and Stateflow support software unit design using semiformal notations.
1d Formal notations (ASIL A B C D: + + + +)
Table 8 Design Principles for Software Unit Design and Implementation
(Columns: Methods; ASIL A B C D; Applicable Model-Based Design Tools and Processes; Comments)

1a One entry and one exit point in subprograms and functions (ASIL A B C D: ++ ++ ++ ++)
   Tools: Simulink Modeling guidelines; Polyspace MISRA C checker
   Comment: Adherence can be facilitated by applying modeling guidelines in combination with analyzing generated code. MAAB guideline jc_0511 provides corresponding modeling recommendations. Polyspace can assess compliance with MISRA C:2004 rule 14.7.
1b No dynamic objects or variables, or else online test during their creation (ASIL A B C D: + ++ ++ ++)
   Tools: Embedded Coder Configuration
   Comment: Embedded Coder can be configured to generate C code that does not include dynamic objects.
   Tools: Polyspace MISRA C checker
   Comment: Polyspace can assess compliance with MISRA C:2004 rule 20.4.
1c Initialization of variables (ASIL A B C D: ++ ++ ++ ++)
   Tools: Simulink IC block, diagnostics
   Comment: An IC block can specify the initial condition for a signal. Setting the Underspecified initialization detection diagnostic to Simplified improves consistency of simulation results for models that do not specify initial conditions for conditional subsystem output ports or have conditionally executed subsystem output ports connected to S-functions.
   Tools: Embedded Coder Configuration
   Comment: Parameters in the Optimization > Data initialization section of the Configuration Parameters dialog box can be used to control initialization of variables in generated code.
   Tools: Polyspace Code verification
   Comment: Polyspace can check the initialization of variables in generated code. Uninitialized variables are reported as NIV checks.
1d No multiple use of variable names (ASIL A B C D: + ++ ++ ++)
   Tools: Simulink Diagnostics
   Comment: Setting the Duplicate data store names diagnostic to error detects conditions where a lower-level data store unexpectedly shadows a higher-level data store with the same name.
1e Avoid global variables or else justify their usage (ASIL A B C D: + + ++ ++)
   Tools: Simulink
   Comment: Usage of Data Store Memory blocks needs to be reviewed and justified.
   Tools: Embedded Coder Configuration
   Comment: Selecting the Enable local block outputs optimization reduces use of global variables in generated code.
1f Limited use of pointers (ASIL A B C D: o + ++ ++)
   Tools: Embedded Coder Configuration
   Comment: Embedded Coder may generate pointer arithmetic for certain language features, for example, lookup tables or matrix multiplication. Embedded Coder checks the data type and range of values to avoid corruption of address spaces.
   Tools: Polyspace MISRA C checker, code verification
   Comment: Polyspace can assess compliance with MISRA C:2004 rules 11.1 to 11.5 and 17.3 to 17.5, which restrict use of pointers. Polyspace can check whether pointers refer to valid objects. Violations are reported as IDP checks.
1g No implicit data type conversions (ASIL A B C D: + ++ ++ ++)
1h No hidden data flow or control flow (ASIL A B C D: + ++ ++ ++)
1i No unconditional jumps (ASIL A B C D: ++ ++ ++ ++)
   Tools: Polyspace MISRA C checker
   Comment: Polyspace can assess compliance with MISRA C:2004 rules 14.4 and 14.5.
1j No recursions (ASIL A B C D: + + ++ ++)
   Tools: Simulink Modeling guidelines
   Comment: Adherence can be facilitated by applying modeling guidelines. High-integrity guideline hisf_0004 provides corresponding modeling recommendations. Avoid using n-D Lookup Table and Interpolation blocks and Prelookup blocks with dimensions > 5.
   Tools: Polyspace Call graph
   Comment: Generated call graphs can be reviewed to identify recursive function calls.
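As an added example for the Table 8 principles (not code from the IEC Certification Kit and not code generated by Embedded Coder), this C routine shows a bounded 1-D lookup table of the kind row 1f refers to: the breakpoint and table data are constructed, every variable is initialized at declaration (1c), the breakpoint search is iterative (1j), the function has a single exit point (1a, MISRA C:2004 rule 14.7), no dynamic memory is used (1b, rule 20.4), and out-of-range inputs saturate so the table index never leaves the array (1f).

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed example table: throttle position (%) -> torque request (Nm).
 * Breakpoints must be strictly increasing; both arrays are static, so no
 * dynamic objects are created (Table 8, 1b). */
#define TBL_N 5U
static const float bp[TBL_N]  = { 0.0f, 25.0f, 50.0f, 75.0f, 100.0f };
static const float tbl[TBL_N] = { 0.0f, 40.0f, 90.0f, 150.0f, 220.0f };

/* Bounded 1-D lookup with linear interpolation. Inputs below the first or
 * above the last breakpoint saturate to the end points, so every array index
 * used below lies in [0, n-1] whatever the caller passes (Table 8, 1f). */
float lookup1d(const float *bp_arr, const float *tbl_arr, uint32_t n, float u)
{
    float    result = 0.0f;     /* all variables initialized (Table 8, 1c) */
    uint32_t idx = 0U;
    float    frac = 0.0f;

    if ((bp_arr != NULL) && (tbl_arr != NULL) && (n >= 2U)) {
        if (u <= bp_arr[0]) {
            result = tbl_arr[0];                 /* saturate low */
        } else if (u >= bp_arr[n - 1U]) {
            result = tbl_arr[n - 1U];            /* saturate high */
        } else {
            /* iterative search, no recursion (1j); idx ends in [0, n-2] */
            while ((idx < (n - 2U)) && (u >= bp_arr[idx + 1U])) {
                idx++;
            }
            frac = (u - bp_arr[idx]) / (bp_arr[idx + 1U] - bp_arr[idx]);
            result = tbl_arr[idx] + (frac * (tbl_arr[idx + 1U] - tbl_arr[idx]));
        }
    }
    return result;                               /* single exit point (1a) */
}

/* Application-level wrapper over the constructed table. */
float torque_request(float throttle_pct)
{
    return lookup1d(bp, tbl, TBL_N, throttle_pct);
}
```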
Table 9 Methods for Verification of Software Unit Design and Implementation
(Columns: Methods; ASIL A B C D; Applicable Model-Based Design Tools and Processes; Comments)

1a Walkthrough (ASIL A B C D: ++ + o o)
   Tools: Simulink; Simulink Report Generator Web View, System Design Description (SDD) report
   Comment: Unit design walkthroughs can be based on a model, a generated Web View, or an SDD report.
   Tools: Embedded Coder Code generation report
   Comment: Code walkthroughs can be based on HTML code generation reports or code generation reports with an integrated Web View of the model.
1b Inspection (ASIL A B C D: + ++ ++ ++)
   Tools: Simulink; Simulink Report Generator Web View, System Design Description (SDD) report
   Comment: Unit design inspections can be based on a model, a generated Web View, or an SDD report.
   Tools: Simulink Verification and Validation Model Advisor checks
   Comment: Unit design inspections can be supported by ISO 26262, MAAB, Requirements Consistency, and custom checks in Model Advisor. A Model Advisor check configuration can define a set of checks to pass as a prerequisite for entering model inspection.
   Tools: Embedded Coder Code generation report; IEC Certification Kit Traceability matrix
   Comment: Code walkthroughs can be based on HTML code generation reports, code generation reports with an integrated Web View of the model, or model-to-code and code-to-model traceability matrices.
1c Semiformal verification (ASIL A B C D: + + ++ ++)
   Tools: Simulink
   Comment: Simulink supports simulation of algorithm and environment models.
1d Formal verification (ASIL A B C D: o o + +)
   Tools: Simulink Model Verification blocks; Simulink Design Verifier Property proving, design error detection, test case generation
   Comment: Model Verification blocks can be used to formalize software safety requirements and other model properties. Property proving can be used to verify model properties using formal verification techniques. Design error detection can analyze a model to detect design errors that might occur at run time.
   Tools: Polyspace Code verification
   Comment: Runtime error detection can analyze C code to identify software errors that might occur during run time.
1e Control flow analysis (ASIL A B C D: + + ++ ++)
   Tools: Simulink Verification and Validation Model coverage analysis; Simulink Design Verifier Test case generation
   Comment: Model coverage analysis can help to identify unreachable portions of a model. Automatic test case generation can be used to detect unreachable model constructs that could result in unreachable code.
   Tools: Polyspace Call tree, unreachable code analysis
   Comment: Polyspace can partially extract control flow information from C code and can create the application call tree. Gray checks detect unreachable code.
1f Data flow analysis (ASIL A B C D: + + ++ ++)
   Tools: Simulink Diagnostics; Stateflow Diagnostics
   Comment: Data Store Memory block diagnostics and Stateflow diagnostics can be configured to identify data flow issues.
   Tools: Polyspace Code verification
   Comment: Polyspace supports static verification of dynamic properties of generated code. This verification technique is based on data flow analysis.
1g Static code analysis (ASIL A B C D: + ++ ++ ++)
   Tools: Polyspace MISRA C checker
   Comment: Polyspace can facilitate static analysis of C code.
1h Semantic code analysis (ASIL A B C D: + + + +)
   Tools: Polyspace Code verification
   Comment: Polyspace uses abstract interpretation to analyze C code.
(Columns: Clause; Model-Based Design Tools and Processes; Comments)

8.4.5 The software unit design and implementation shall be verified in accordance with ISO 26262-8:2011 Clause 9, and by applying the verification methods listed in Table 9 to demonstrate: ... b) the fulfillment of the software safety requirements as allocated to the software units (in accordance with 7.4.9) through traceability ...
   Tools: IEC Certification Kit Traceability matrix
   Comment: Generated traceability matrices can be used to document and review existing links between textual requirements, models, and generated code.
Software Unit Testing

Table 10 Methods for Software Unit Testing
(Columns: Methods; ASIL A B C D; Applicable Model-Based Design Tools and Processes; Comments)

1a Requirements-based test (ASIL A B C D: ++ ++ ++ ++)
   Tools: Simulink Verification and Validation Requirements Management Interface (RMI)
   Comment: RMI can be used to establish bidirectional links between textual requirements and models.
   Tools: IEC Certification Kit Traceability matrix
   Comment: Generated traceability matrices can be used to document and review existing links between textual requirements, models, and code.
   Tools: Simulink Signal Builder block; Stateflow Dynamic test vector charts
   Comment: Signal Builder blocks can be used to create open-loop model tests. Dynamic test vector charts can be used to create closed-loop, reactive model tests.
   Tools: Simulink Verification and Validation Component testing capabilities
   Comment: Component testing capabilities can be used to create model test harnesses. They also enable a requirements pane in the Signal Builder that can be used to link tests with textual requirements.
1b Interface test (ASIL A B C D: ++ ++ ++ ++)
   Tools: Simulink Design Verifier Test case generation
   Comment: Automatic test case generation in combination with Test Objective blocks can be used to generate interface tests.
1c Fault injection test (ASIL A B C D: + + + ++)
   Tools: Simulink; Stateflow
   Comment: Simulink and Stateflow can be used to carry out fault injection tests. The tools can also be used to simulate failure propagation at the model level. For this purpose, the system model and a separate failure model can be used.
   Tools: Simulink Design Verifier Test case generation
   Comment: Automatic test case generation in combination with Test Objective blocks can generate fault injection tests.
1d Resource usage test (ASIL A B C D: + + + ++)
   Tools: Embedded Coder Processor-in-the-loop (PIL) testing, code metrics report
   Comment: PIL testing analyzes resource utilization on a target processor. The code metrics report provides the amount of memory used by the generated code.
1e Back-to-back test between model and code, if applicable (ASIL A B C D: + + ++ ++)
   Tools: Simulink; Stateflow; Simulink Verification and Validation Component testing capabilities, model coverage; Simulink Design Verifier Test case generation
   Comment: Simulation capabilities of Simulink and Stateflow and the component test capabilities of Simulink Verification and Validation facilitate dynamic testing of models. Model coverage can be used to assess the completeness of the model tests. Simulink Design Verifier can generate missing test cases.
   Tools: Embedded Coder Software-in-the-loop (SIL) testing, processor-in-the-loop testing, code generation verification (CGV); Simulink Simulation Data Inspector (SDI)
   Comment: SIL and PIL testing provide a way to execute model tests on generated code. CGV automates selected back-to-back testing workflows. SDI supports the comparison of test results created during back-to-back testing.
Table 12 Structural Coverage Metrics at the Software Unit Level
(Columns: Methods; ASIL A B C D; Applicable Model-Based Design Tools and Processes; Comments)

1a Statement coverage (ASIL A B C D: ++ ++ + +)
   Tools: Embedded Coder Code coverage collection
   Comment: During software-in-the-loop (SIL) simulation, Embedded Coder can collect statement coverage by using the third-party tool LDRA Testbed. During SIL simulation, Embedded Coder can collect condition/decision coverage information, which usually subsumes statement coverage, by using the third-party tool BullseyeCoverage.
1b Branch coverage (ASIL A B C D: + ++ ++ ++)
   Tools: Simulink Verification and Validation Model coverage analysis; Simulink Design Verifier Test case generation
   Comment: During model testing, Simulink Verification and Validation can collect decision coverage (also known as branch coverage) at the model level. Simulink Design Verifier can generate test cases that satisfy decision coverage at the model level.
   Tools: Embedded Coder Code coverage collection
   Comment: During software-in-the-loop (SIL) simulation, Embedded Coder can collect statement coverage by using the third-party tool LDRA Testbed. During SIL simulation, Embedded Coder can collect condition and decision coverage, which usually subsumes statement coverage, by using the third-party tool BullseyeCoverage.
1c MC/DC (Modified Condition/Decision Coverage) (ASIL A B C D: + + + +)
   Tools: Simulink Verification and Validation Model coverage analysis; Simulink Design Verifier Test case generation
   Comment: During model testing, Simulink Verification and Validation can collect MC/DC coverage at the model level. Simulink Design Verifier can be used to generate test cases that satisfy MC/DC coverage at the model level.
   Tools: Embedded Coder Code coverage collection
   Comment: During SIL simulation, Embedded Coder can collect MC/DC coverage by using the third-party tool LDRA Testbed.
Software Integration and Testing

Table 13 Methods for Software Integration Testing

| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1a Requirements-based test | ++ | ++ | ++ | ++ | Simulink Verification and Validation: Requirements Management Interface (RMI); IEC Certification Kit: Traceability matrix; Simulink: Signal Builder block; Stateflow: Dynamic test vector charts; Simulink Verification and Validation: Component testing capabilities | RMI can be used to establish bidirectional links between textual requirements and models. Generated traceability matrices can be used to document and review existing links between textual requirements, models, and code. The Signal Builder block can be used to create open-loop model tests. Dynamic test vector charts can be used to create closed-loop, reactive model tests. Component testing capabilities can be used to create model test harnesses. They also enable a requirements pane in the Signal Builder, which can be used to link tests with textual requirements. |
| 1b Interface test | ++ | ++ | ++ | ++ | Simulink Design Verifier: Test case generation | Automatic test case generation in combination with Test Objective blocks can be used to generate interface tests. |
| 1c Fault injection test | + | + | ++ | ++ | Simulink; Stateflow; Simulink Design Verifier: Test case generation | Simulink and Stateflow can be used to execute fault injection tests. They can also simulate failure propagation at the model level; for this purpose, a system model and/or a separate failure model can be used. Automatic test case generation in combination with Test Objective blocks can generate fault injection tests. |
| 1d Resource usage test | + | + | + | ++ | Embedded Coder: Processor-in-the-loop (PIL) testing, code metrics report | PIL testing analyzes resource utilization on a target processor. The code metrics report provides information about memory usage of generated code. |
| 1e Back-to-back test between model and code, if applicable | + | + | ++ | ++ | Simulink; Stateflow; Simulink Verification and Validation: Component testing capabilities, model coverage; Simulink Design Verifier: Test case generation; Embedded Coder: Software-in-the-loop (SIL) testing, processor-in-the-loop (PIL) testing, code generation verification (CGV); Simulink: Simulation Data Inspector (SDI) | Simulation capabilities of Simulink and Stateflow and the component test capabilities of Simulink Verification and Validation facilitate dynamic model testing. Model coverage can assess the completeness of model tests. Simulink Design Verifier can generate missing test cases. SIL and PIL testing capabilities execute model tests on generated code. CGV can automate selected back-to-back testing workflows. SDI supports comparison of test results created during back-to-back testing. |
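Row 1e describes executing the same tests on the model and on the generated code and then comparing the two result sets. The Python script below is added here to show that comparison step with an explicit, justified tolerance; it is not taken from the IEC Certification Kit or from any MathWorks tool. A double-precision first-order filter stands in for the model, a Q15 fixed-point version of the same filter stands in for the generated code, and the step input and tolerance values are constructed.

```python
"""Back-to-back comparison of "model" output against "generated code" output.

Added example, not MathWorks code: model_filter is a double-precision filter,
code_filter is a constructed Q15 fixed-point stand-in for generated code, and
the step input and tolerances are constructed.
"""
from typing import Dict, List, Optional

Q15 = 1 << 15  # scaling of the constructed fixed-point implementation


def model_filter(u: List[float]) -> List[float]:
    """Reference behaviour: y[n] = y[n-1] + (u[n] - y[n-1]) / 4 in double precision."""
    y, out = 0.0, []
    for sample in u:
        y += (sample - y) / 4.0
        out.append(y)
    return out


def code_filter(u: List[float]) -> List[float]:
    """Stand-in for the generated code: the same filter in Q15 integer arithmetic,
    with the division realised as an arithmetic shift (rounds toward -inf)."""
    y, out = 0, []
    for sample in u:
        u_q = int(round(sample * Q15))
        y += (u_q - y) >> 2
        out.append(y / Q15)  # rescale to engineering units for the comparison
    return out


def compare_signals(reference: List[float], actual: List[float],
                    abs_tol: float, rel_tol: float = 0.0) -> Dict[str, object]:
    """Sample-wise comparison as used in back-to-back testing.

    A sample passes when |ref - act| <= abs_tol + rel_tol * |ref|. The first
    failing index and the largest absolute error are reported so that the
    tolerance can be justified from the data rather than merely set."""
    if len(reference) != len(actual):
        return {"passed": False, "first_mismatch": min(len(reference), len(actual)),
                "max_abs_error": float("inf"), "samples": len(reference)}
    first: Optional[int] = None
    max_err = 0.0
    for n, (r, a) in enumerate(zip(reference, actual)):
        err = abs(r - a)
        max_err = max(max_err, err)
        if first is None and err > abs_tol + rel_tol * abs(r):
            first = n
    return {"passed": first is None, "first_mismatch": first,
            "max_abs_error": max_err, "samples": len(reference)}


# Constructed test vector: a step of 0.5 held for 16 samples.
STEP_INPUT: List[float] = [0.5] * 16


def run_back_to_back(abs_tol: float) -> Dict[str, object]:
    """Run the constructed test vector through both implementations and compare."""
    return compare_signals(model_filter(STEP_INPUT), code_filter(STEP_INPUT), abs_tol)


if __name__ == "__main__":
    # Tolerance from the fixed-point resolution (a few LSBs of Q15) versus an
    # unjustified near-zero tolerance.
    print("tolerance 1e-4:", run_back_to_back(1e-4))
    print("tolerance 1e-6:", run_back_to_back(1e-6))
```

The integer shift discards fractional bits, so the code output drifts from the model by a little over one Q15 LSB; a tolerance derived from the word length passes, while a near-zero tolerance reports the first sample at which a fraction was dropped. Recording `max_abs_error` alongside the verdict is what lets the chosen tolerance be defended in a review.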
Table 15 Structural Coverage Metrics at the Software Architectural Level

| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1a Function coverage | + | + | ++ | ++ | Embedded Coder: Code coverage collection | During SIL simulation, Embedded Coder can collect function coverage information by using the third-party tool BullseyeCoverage. |
| 1b Call coverage | + | + | ++ | ++ | Embedded Coder: Code coverage collection | During SIL simulation, Embedded Coder can collect procedure/function call coverage information by using the third-party tool LDRA Testbed. |
3 ISO 26262-8: Applicable Model-Based Design Tools and Processes
Confidence in the Use of Software Tools

Table 4 Qualification of Software Tools Classified TCL3

| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1a Increased confidence from use in accordance with 11.4.7 | ++ | ++ | + | + | | |
| 1b Evaluation of the tool development process in accordance with 11.4.8 | ++ | ++ | + | + | | |
| 1c Validation of the software tool in accordance with 11.4.9 | + | + | + | ++ | IEC Certification Kit | Embedded Coder (including AUTOSAR TPP), Simulink Verification and Validation, Simulink Design Verifier, and Polyspace products for C/C++ have been prequalified, using a combination of methods 1b and 1c. TÜV SÜD carried out an independent tool qualification assessment. The IEC Certification Kit provides Software Tool Criteria Evaluation reports, Software Tool Qualification reports, and evidence for the independent assessment. The IEC Certification Kit provides exemplary test cases and test procedures for Embedded Coder, Simulink Verification and Validation, and Polyspace products for C/C++ that can be used to facilitate tool validation tests for these products. |
| 1d Development in accordance with a safety standard | + | + | + | ++ | | |
Table 5 Qualification of Software Tools Classified TCL2

| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1a Increased confidence from use in accordance with 11.4.7 | ++ | ++ | ++ | + | | |
| 1b Evaluation of the tool development process in accordance with 11.4.8 | ++ | ++ | ++ | + | | |
| 1c Validation of the software tool in accordance with 11.4.9 | + | + | + | ++ | IEC Certification Kit | Embedded Coder (including AUTOSAR TPP), Simulink Verification and Validation, Simulink Design Verifier, and Polyspace products for C/C++ have been prequalified, using a combination of methods 1b and 1c. TÜV SÜD carried out an independent tool qualification assessment. The IEC Certification Kit provides Software Tool Criteria Evaluation reports, Software Tool Qualification reports, and evidence for the independent assessment. The IEC Certification Kit provides exemplary test cases and test procedures for Embedded Coder, Simulink Verification and Validation, and Polyspace products for C/C++ that can be used to facilitate tool validation tests for these products. |
| 1d Development in accordance with a safety standard | + | + | + | ++ | | |