©20

08 T

he M

athW

orks

, Inc

.

® ®

Model-Based Design for Safety-Critical and Mission-Critical Applications

Bill PotterTechnical MarketingApril 17, 2008

2

® ®

Safety-Critical Model-Based Design Workflow

Requirements

Model

Source Code

Object Code

Validate

Simulink®

&Stateflow®

Trace:RMI Verify:

SystemTestSLDV Property Proving

Model Coverage

Conformance:Model Advisor

Real-Time Workshop®

Embedded Coder™Conformance:PolySpace™ Products

Embedded IDE

Verify:SLDV Test Generation

Embedded IDE Link XXX

Verify:SystemTest™

Embedded IDE Link™ XXX

Trace:Model/Code Trace Report

3

® ®

Requirements Process for Model-Based Design

Functional, operational, and safety requirementsExist one level above the modelModels trace to requirements

Requirements validation - complete and correctSimulation is a validation technique Traceability can identify incomplete requirementsModel coverage can identify incomplete requirements

Requirements based test casesTest cases trace to requirements

Requirements

Validate

4

® ®

Simulation example – controller and plant

5

® ®

Requirements trace example – view from DOORS® to Simulink

6

® ®

Requirements trace example – view from Simulink to DOORS

7

® ®

Requirements based test trace example – view from Simulink Signal Builder block to DOORS

8

® ®

Model coverage report example

9

® ®

Requirements Process take-aways

Early requirements validationEliminates rework typically seen at integration on projects with poor requirements

Early test case developmentValidated requirements are complete and verifiable which results in well defined test cases

Requirements management and traceabilityRequirements management interfaces provide traceability for design and test cases

Requirements

Validate

10

® ®

Design Process for Model-Based Design

Model-Based DesignCreate the design - Simulink and Stateflow®

Modular design for teams - Model ReferenceModel architecture/regression analysis - Model Dependency ViewerDocumented design - Simulink Report GeneratorRequirements traceability using Simulink Verification and Validation™Design conforms to standards using Model Advisor

Requirements

Model

Simulink&

StateflowTrace:RMI

Conformance:Model Advisor

11

® ®

Example detailed design including model reference and subsystems

Subsystem Reference Model

Top Model

12

® ®

Model dependency viewer

13

® ®

Example Model Advisor report

14

® ®

Design Verification for Model-Based Design

Requirements based test casesAutomated testing using SystemTest™ and Simulink Verification and ValidationTraceability using Simulink Verification and Validation

Robustness testing and analysisBuilt in Simulink run-time diagnosticsFormal proofs using Simulink Design Verifier™

Coverage AnalysisVerify structural coverage of modelVerify data coverage of model

Requirements

Model

Simulink&

Stateflow

Verify:SystemTest

SLDV Property ProvingModel Coverage

15

® ®

SystemTest for requirements based testing

16

® ®

SystemTest – example reportData Plotting and expected

results comparisons

Summary of results

17

® ®

Signal Builder and Assertion Blocks

18

® ®

Model coverage report example – signal ranges

19

® ®

Simulink Design Verifier – Coverage Test

Generated Test Cases

Model Test Report

20

® ®

Simulink Design Verifier – Objective Test

Generated Test Cases

Model with Constraints and Objectives Test Report

21

® ®

Simulink Design Verifier – Property Proving

Property to be proven

ReportModel with Assumption and Objective

22

® ®

Design Process take-awaysModular reusable implementations

Platform independent designScalable to large teams

Consistent and compliant implementationsCommon design language Automated verification of standards compliance

Efficient verification processDevelop verification procedures in parallel with designCoverage analysis early in the processAutomated testing and analysis Requirements

Model

Simulink&

StateflowTrace:RMI

Verify:SystemTest

SLDV Property ProvingModel Coverage

Conformance:Model Advisor

23

® ®

Coding Process for Model-Based Design

Automatic code generationReal-Time Workshop Embedded Coder

TraceabilityHTML Code Traceability Report

Source code verificationComplies with standards using PolySpace MISRA-C®

checkerAccurate, consistent and robust using PolySpace™verifier Model

Source Code

Real-Time WorkshopEmbedded coder Conformance:

PolySpace Products

Trace:Model/Code Trace Report

24

® ®

dependent models rebuilt

model changed and rebuilt

Incrementally Generate CodeIncremental code generation is supported via Model ReferenceWhen a model is changed, only models depending on it are subject to regeneration of their code

Reduces application build times and ensure stability of a project’s codeDegree of dependency checking is configurable

25

® ®

Add Links to Requirements

Requirements appear in the code

26

® ®

Code to Model Trace Report

27

® ®

Simulink Integration with PolySpace ProductsSimulink Integration with PolySpace ProductsInput1Input1

EntriesEntriesvarying from varying from --500 to 500500 to 500

K1 and K2K1 and K2ConstantsConstantsCan be tuned Can be tuned from from --297 to 297 to 303303

Lookup tablesLookup tablesMaps, surfaces,Maps, surfaces,algorithms, algorithms, extrapolationsextrapolationsAdjusted, tunedAdjusted, tuned

Math operationsMath operationsDivide, add, Divide, add, min/max, min/max, product, product, substractsubstract,,sumsum……

28

® ®

See results in the modelSee results in the modelChange the modelChange the modelGenerate the production codeGenerate the production codeRun PolySpace softwareRun PolySpace software

PolySpace detected an error herePolySpace detected an error here(after having analyzed the generated code)(after having analyzed the generated code)

29

® ®

Coding Process takeaways

Reusable and platform independent source codeTraceabilityMISRA-C complianceStatic verification and analysis

Model

Source Code

Real-Time WorkshopEmbedded coder Conformance:

PolySpace Products

Trace:Model/Code Trace Report

30

® ®

Integration Process for Model-Based Design

Executable object code generationANSI® or ISO® C or C++ compatible compilerRun-time libraries provided

Executable object code verificationTest generation using Simulink Design VerifierCapability to build interface for Processor-In-the-Loop (PIL) testingAnalyze code coverage during PILAnalyze execution time during PILAnalyze stack PIL

Requirements

Model

Source Code

Object Code

Embedded IDE

Verify:SLDV Test Generation

Embedded IDE Link XXX

Verify:SystemTest

Embedded IDE Link XXX

31

® ®

Processor-in-the-Loop (PIL) Verification- Execute Generated Code on Target Hardware

Embedded Target

Simulink

Plant ModelAlgorithm

(Software Component)

Cod

e G

ener

atio

n

Execution

• on host and target• non-real-time

Communication via one of

• data link e.g. serial, CAN, TCP/IP• debugger integration with MATLAB

32

® ®

Integration Process Takeaways

Integration with multiple development environmentsTest cases and harnesses generated automaticallyEfficient processor in-the-loop test capability

Requirements

Model

Source Code

Object Code

Embedded IDE

Verify:SLDV Test Generation

Embedded IDE Link XXX

Verify:SystemTest

Embedded IDE Link XXX

33

® ®

Wrap-up

Tools to support the entire safety critical development processParticipation on SC-205/WG-71 committee for DO-178CSafety-Critical/DO-178B guideline document

Available to licensed customers with Real-Time Workshop Embedded CoderContact Bill Potter (bill.potter@mathworks.com) or Tom Erkkinen (tom.erkkinen@mathworks.com)