IEC Certification Kit Model-Based Design for ISO 26262 R2013a

Upload: franklin-quihue-cabezas

Post on 11-Nov-2014


IEC Certification Kit

Model-Based Design for ISO 26262

R2013a


How to Contact MathWorks

www.mathworks.com                   Web
comp.soft-sys.matlab                Newsgroup
www.mathworks.com/contact_TS.html   Technical Support
[email protected]                   Product enhancement
[email protected]                   Bug reports
[email protected]                   Documentation error
[email protected]                   Order status, license renewals
[email protected]                   Sales, pricing, and general information

508-647-7000 (Phone)

508-647-7001 (Fax)

The MathWorks, Inc., 3 Apple Hill Drive, Natick, MA 01760-2098

For contact information about worldwide offices, see the MathWorks Web site.

IEC Certification Kit: Model-Based Design for ISO 26262

© COPYRIGHT 2011–2013 by The MathWorks, Inc.

The software described in this document is furnished under a license agreement. The software may be used or copied only under the terms of the license agreement. No part of this manual may be photocopied or reproduced in any form without prior written consent from The MathWorks, Inc.

FEDERAL ACQUISITION: This provision applies to all acquisitions of the Program and Documentation by, for, or through the federal government of the United States. By accepting delivery of the Program or Documentation, the government hereby agrees that this software or documentation qualifies as commercial computer software or commercial computer software documentation as such terms are used or defined in FAR 12.212, DFARS Part 227.72, and DFARS 252.227-7014. Accordingly, the terms and conditions of this Agreement and only those rights specified in this Agreement, shall pertain to and govern the use, modification, reproduction, release, performance, display, and disclosure of the Program and Documentation by the federal government (or other entity acquiring for or through the federal government) and shall supersede any conflicting contractual terms or conditions. If this License fails to meet the government’s needs or is inconsistent in any respect with federal procurement law, the government agrees to return the Program and Documentation, unused, to The MathWorks, Inc.

Trademarks

MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See www.mathworks.com/trademarks for a list of additional trademarks. Other product or brand names may be trademarks or registered trademarks of their respective holders.

Patents

MathWorks products are protected by one or more U.S. patents. Please see www.mathworks.com/patents for more information.


Revision History

March 2012      New for Version 2.1 (Applies to Release 2012a)
September 2012  Revised for Version 3.0 (Applies to Release 2012b)
March 2013      Revised for Version 3.1 (Applies to Release 2013a)


Contents

1 Introduction
  1.1 Model-Based Design for ISO 26262
2 ISO 26262–6: Applicable Model-Based Design Tools and Processes
  2.1 Initiation of Product Development at the Software Level
    Table 1 – Topics To Be Covered By Modeling and Coding Guidelines
  2.2 Software Architectural Design
    Table 2 – Notations for Software Architectural Design
    Table 3 – Principles for Software Architectural Design
    Table 4 – Mechanisms for Error Detection at the Software Architectural Level
    Table 5 – Mechanisms for Error Handling at the Software Architectural Level
    Table 6 – Methods for Verification of Software Architectural Design
  2.3 Software Unit Design and Implementation
    Table 7 – Notations for Software Unit Design
    Table 8 – Design Principles for Software Unit Design and Implementation
    Table 9 – Methods for Verification of Software Unit Design and Implementation
  2.4 Software Unit Testing
    Table 10 – Methods for Software Unit Testing
    Table 11 – Methods for Deriving Test Cases for Software Unit Testing
    Table 12 – Structural Coverage Metrics at the Software Unit Level
  2.5 Software Integration and Testing
    Table 13 – Methods for Software Integration Testing
    Table 14 – Methods for Deriving Test Cases for Software Integration Testing
    Table 15 – Structural Coverage Metrics at the Software Architectural Level
3 ISO 26262–8: Applicable Model-Based Design Tools and Processes
  3.1 Confidence in the Use of Software Tools
    Table 4 – Qualification of Software Tools Classified TCL3
    Table 5 – Qualification of Software Tools Classified TCL2


1 Introduction


1.1 Model-Based Design for ISO 26262

This documentation provides annotated versions of the method tables that appear in the ISO 26262–6 and ISO 26262–8 standards. The annotated tables provide suggestions on how to use Model-Based Design products from MathWorks® to apply the methods listed in the standard for the different Automotive Safety Integrity Levels (ASILs).

The IEC Certification Kit provides additional support when using Model-Based Design for ISO 26262 applications, including reference workflows for verifying and validating models and generated code.


2 ISO 26262–6: Applicable Model-Based Design Tools and Processes


2.1 Initiation of Product Development at the Software Level

Table 1 – Topics To Be Covered By Modeling and Coding Guidelines

Columns: Topic | ASIL A/B/C/D | Applicable Model-Based Design Tools and Processes | Comments

1a Enforcement of low complexity
    ASIL A/B/C/D: ++ ++ ++ ++
1b Use of language subsets
    ASIL A/B/C/D: ++ ++ ++ ++
1c Enforcement of strong typing
    ASIL A/B/C/D: ++ ++ ++ ++
1d Use of defensive implementation techniques
    ASIL A/B/C/D: o + ++ ++
1e Use of established design principles
    ASIL A/B/C/D: + + + ++
1f Use of unambiguous graphical representation
    ASIL A/B/C/D: + ++ ++ ++
1g Use of style guides
    ASIL A/B/C/D: + ++ ++ ++
1h Use of naming conventions
    ASIL A/B/C/D: ++ ++ ++ ++

Tools and comments (one merged cell covering topics 1a to 1h):
    Simulink® Modeling Guidelines
      The High Integrity System Modeling Guidelines and the MathWorks® Automotive Advisory Board (MAAB) Control Algorithm Modeling Guidelines can be used to address the topics listed in this table. The guideline subset used for a project should address a combination of topics applicable for the ASIL under consideration.


2.2 Software Architectural Design

Table 2 – Notations for Software Architectural Design

Columns: Method | ASIL A/B/C/D | Applicable Model-Based Design Tools and Processes | Comments

1a Informal notations
    ASIL A/B/C/D: ++ ++ + +
    Simulink – Model Info and DocBlock blocks; Simulink® Verification and Validation™ – System Requirements block
      The blocks can be used to integrate architectural descriptions into a model.
    Simulink Verification and Validation – Requirements Management Interface (RMI)
      The RMI can be used to link Simulink and Stateflow architectural designs to informal descriptions in Microsoft® Word, Microsoft® Excel®, ASCII text, and PDF files.
1b Semiformal notations
    ASIL A/B/C/D: + ++ ++ ++
    Simulink; Stateflow®
      Simulink and Stateflow support software architectural design using semiformal notations.
1c Formal notations
    ASIL A/B/C/D: + + + +

Table 3 – Principles for Software Architectural Design

Columns: Method | ASIL A/B/C/D | Applicable Model-Based Design Tools and Processes | Comments

1a Hierarchical structure of software components
    ASIL A/B/C/D: ++ ++ ++ ++
    Simulink – Model block, Ports & Subsystems block library; Stateflow
      Model blocks (model referencing), subsystems, libraries, and Stateflow charts support hierarchical decomposition of models.
    Simulink – Model Dependency Viewer
      When using Model blocks or libraries to structure a model, the Model Dependency Viewer can display a graph of the models and libraries referenced by the top model.
    Embedded Coder®
      Embedded Coder supports modularization of code at the file level.
1b Restricted size of software components
    ASIL A/B/C/D: ++ ++ ++ ++
    Simulink; Stateflow; Embedded Coder
      Software components can be structured hierarchically to limit component size.
    Simulink Verification and Validation – ISO 26262 checks
      The ISO 26262 Model Advisor check "Display model metrics and complexity report" provides information on the size and complexity of models and subsystems.
    Polyspace® – Metrics
      Polyspace Metrics supports the generation of size and complexity metrics for source code.
1c Restricted size of interfaces
    ASIL A/B/C/D: ++ ++ ++ ++
    Simulink Verification and Validation – ISO 26262 checks
      The ISO 26262 Model Advisor check "Display model metrics and complexity report" provides information on the number of inports and outports of models and subsystems.
    Polyspace – Metrics
      Polyspace Metrics supports the generation of size and complexity metrics for source code.
1d High cohesion within software components
    ASIL A/B/C/D: + + + +
1e Restricted coupling between software components
    ASIL A/B/C/D: + ++ ++ ++
1f Appropriate scheduling properties
    ASIL A/B/C/D: + ++ ++
    Simulink
      Simulink provides a way to control the rate of block execution and allows specification of block-based or port-based sample times. Models can display color coding and annotations to represent specific sample times.
    Stateflow – Scheduler patterns
      Stateflow provides multiple scheduler patterns for controlling the execution of subsystems.
1g Restricted use of interrupts
    ASIL A/B/C/D: + + + ++
    Embedded Coder – Configuration
      Embedded Coder can be configured to not insert interrupts into step function code.


Table 4 – Mechanisms for Error Detection at the Software Architectural Level

Columns: Method | ASIL A/B/C/D | Applicable Model-Based Design Tools and Processes | Comments

1a Range checks of input and output data
    ASIL A/B/C/D: ++ ++ ++ ++
    Simulink; Stateflow
      Simulink and Stateflow can be used to design range checks for input and output data. During simulation, the Simulation range checking diagnostic detects when signals exceed specified ranges.
    Simulink® Design Verifier™; Polyspace – Code verification
      Simulink Design Verifier and Polyspace can calculate and verify signal ranges.
1b Plausibility
    ASIL A/B/C/D: + + + ++
    Simulink; Stateflow
      Simulink and Stateflow can be used to design plausibility checks.
1c Detection of data errors
    ASIL A/B/C/D: ++ ++ ++ ++
    Simulink; Stateflow
      Simulink and Stateflow can be used to detect data errors.
1d External monitoring facility
    ASIL A/B/C/D: o + + ++
1e Control flow monitoring
    ASIL A/B/C/D: o + ++ ++
1f Diverse software design
    ASIL A/B/C/D: o o + ++
    Simulink; Stateflow; Fixed-Point Designer™
      Software diversity for algorithmic parts can be supported by executing floating-point and fixed-point versions of an algorithm in parallel and comparing the results.
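The range-check mechanism (1a) and the diverse floating-point/fixed-point design (1f) from Table 4, shown together in hand-written C as an added example that is not part of the IEC Certification Kit and is not generated code. The first-order low-pass filter, the Q15 scaling, the [-1, 1] signal range and the comparison tolerance are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not MathWorks code. Assumed unit: a first-order low-pass
 * filter y += alpha * (u - y) with alpha = 0.25, executed twice per step:
 * once in float and once in Q15 fixed point (value = raw / 32768, kept in
 * int32_t so that 1.0 is representable). The two results are compared
 * (Table 4, 1f) and the input and output are range-checked (Table 4, 1a). */

#define Q15_ONE      32768
#define ALPHA_F      0.25f
#define ALPHA_Q15    8192          /* 0.25 in Q15 */
#define SIG_MIN      (-1.0f)       /* assumed valid range of input and output */
#define SIG_MAX      ( 1.0f)
#define DIVERSE_TOL  0.002f        /* assumed allowed float/fixed disagreement */

enum {
    FAULT_IN_RANGE  = 1u << 0,     /* input outside [SIG_MIN, SIG_MAX] or NaN */
    FAULT_OUT_RANGE = 1u << 1,     /* computed output outside the range */
    FAULT_DIVERSE   = 1u << 2      /* float and fixed-point channels disagree */
};

typedef struct {
    float    y_float;   /* state of the floating-point channel */
    int32_t  y_fixed;   /* state of the fixed-point channel (Q15) */
    unsigned faults;    /* sticky mask of detected errors for a supervisor */
} lpf_t;

void lpf_init(lpf_t *f) { f->y_float = 0.0f; f->y_fixed = 0; f->faults = 0u; }

static float clampf(float x, float lo, float hi) {
    return (x < lo) ? lo : (x > hi) ? hi : x;
}

/* Round half away from zero; callers only pass values already range-checked. */
static int32_t q15_from_float(float x) {
    float scaled = x * (float)Q15_ONE;
    return (int32_t)(scaled + (scaled >= 0.0f ? 0.5f : -0.5f));
}

static float q15_to_float(int32_t q) { return (float)q / (float)Q15_ONE; }

/* Channel 1: floating-point implementation of the filter. */
static float lpf_float(float *state, float u) {
    *state += ALPHA_F * (u - *state);
    return *state;
}

/* Channel 2: fixed-point implementation. diff fits in 17 bits and ALPHA_Q15
 * in 14 bits, so the product cannot overflow int32_t. The division truncates
 * toward zero, which is one source of the small mismatch DIVERSE_TOL allows. */
static int32_t lpf_fixed(int32_t *state, int32_t u_q15) {
    int32_t diff = u_q15 - *state;
    *state += (diff * ALPHA_Q15) / Q15_ONE;
    return *state;
}

/* One execution step: returns the (possibly substituted) output value and
 * records every detected error in f->faults. */
float lpf_step(lpf_t *f, float u) {
    /* 1a: range check of the input; u != u is true only for NaN */
    if (u != u || u < SIG_MIN || u > SIG_MAX) {
        f->faults |= FAULT_IN_RANGE;
        u = (u != u) ? 0.0f : clampf(u, SIG_MIN, SIG_MAX);  /* assumed safe substitute */
    }

    /* 1f: run both diverse implementations on the same input and compare */
    float   y  = lpf_float(&f->y_float, u);
    int32_t yq = lpf_fixed(&f->y_fixed, q15_from_float(u));
    float delta = y - q15_to_float(yq);
    if (delta < 0.0f) delta = -delta;
    if (delta > DIVERSE_TOL) f->faults |= FAULT_DIVERSE;

    /* 1a: range check of the output */
    if (y != y || y < SIG_MIN || y > SIG_MAX) {
        f->faults |= FAULT_OUT_RANGE;
        y = (y != y) ? 0.0f : clampf(y, SIG_MIN, SIG_MAX);
    }
    return y;
}

int main(void) {
    lpf_t f;
    lpf_init(&f);
    float y1 = lpf_step(&f, 0.5f);          /* nominal input: no fault */
    printf("step(0.5) -> %.5f faults=0x%x\n", y1, f.faults);
    float y2 = lpf_step(&f, 2.0f);          /* out-of-range input: FAULT_IN_RANGE */
    printf("step(2.0) -> %.5f faults=0x%x\n", y2, f.faults);
    f.y_fixed = 0;                          /* constructed fault: corrupt one channel's state */
    float y3 = lpf_step(&f, 0.0f);          /* channels disagree: FAULT_DIVERSE */
    printf("step(0.0) -> %.5f faults=0x%x\n", y3, f.faults);
    return 0;
}
```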

Table 5 – Mechanisms for Error Handling at the Software Architectural Level

Columns: Method | ASIL A/B/C/D | Applicable Model-Based Design Tools and Processes | Comments

1a Static recovery mechanism
    ASIL A/B/C/D: + + + +
    Simulink; Stateflow
      Simulink and Stateflow can be used to design fault detection, isolation, and recovery (FDIR) algorithms.
1b Graceful degradation
    ASIL A/B/C/D: + + ++ ++
    Stateflow
      Stateflow can be used to design graceful degradation behaviour.
1c Independent parallel redundancy
    ASIL A/B/C/D: o o + ++
1d Correcting codes for data
    ASIL A/B/C/D: + + + +

Table 6 – Methods for Verification of Software Architectural Design

Columns: Method | ASIL A/B/C/D | Applicable Model-Based Design Tools and Processes | Comments

1a Walkthrough of the design
    ASIL A/B/C/D: ++ + o o
    Simulink; Simulink® Report Generator™ – Web View, System Design Description (SDD) report
      Architectural design walkthroughs can be based on the model, a generated Web View, or an SDD report.
1b Inspection of the design
    ASIL A/B/C/D: + ++ ++ ++
    Simulink
      Design inspections can be based on the model, a generated Web View, or an SDD report.
    Simulink Verification and Validation – Model Advisor checks
      Design inspections can be supported by ISO 26262, MAAB, Requirements Consistency, and custom Model Advisor checks. A Model Advisor check configuration can define a set of checks required to pass as a prerequisite for entering a design inspection.
1c Simulation of dynamic parts of the design
    ASIL A/B/C/D: + + + ++
    Simulink
      Simulink supports simulation of algorithm and environment models.
1d Prototype generation
    ASIL A/B/C/D: o o + ++
    Simulink® Coder™
      Simulink Coder can be used to generate code for rapid prototyping.
    Embedded Coder
      Embedded Coder can be used to generate code for on-target rapid prototyping. Software-in-the-loop (SIL) and processor-in-the-loop (PIL) simulation can be used to execute generated code in the context of a model.
    Simulink® 3D Animation™
      Simulink 3D Animation can be used to animate 3-dimensional scenes driven by signals in a model.
    Gauges Blockset™
      Gauges Blockset can be used to add graphical instrumentation to models.
1e Formal verification
    ASIL A/B/C/D: o o + +
    Simulink – Model Verification block library
      Model Verification blocks can be used to formalize software safety requirements and other model properties.
    Simulink Design Verifier – Property proving, design error detection
      Property proving can be used to verify model properties. Design error detection can analyze a model to detect design errors that might occur at run time.
    Polyspace – Code verification
      Polyspace can analyze C code to identify software errors that might occur at run time.
1f Control flow analysis
    ASIL A/B/C/D: + + ++ ++
    Simulink Verification and Validation – Model coverage analysis
      Model coverage analysis can help identify unreachable portions of a model.
    Simulink Design Verifier – Test case generation
      Automatic test case generation can be used to detect unreachable model constructs, which could result in unreachable code.
    Polyspace – Call tree, unreachable code analysis
      Polyspace can extract control flow information at the function level from C code and create an application call tree. Gray checks detect unreachable code.
1g Data flow analysis
    ASIL A/B/C/D: + + ++ ++
    Simulink – Diagnostics; Stateflow – Diagnostics
      Data Store Memory block diagnostics and Stateflow diagnostics can be configured to identify data flow issues.
    Polyspace – Variable access pane, generated Excel report, code verification
      Polyspace supports static verification of dynamic properties of generated code. This verification technique is based on data flow analysis.
      The variable access pane displays the following information about each global variable: the number of read and write access operations, the location of read and write operations, detailed type value ranges for individual read and write access operations, whether or not it is shared, and whether shared access is protected (critical section). This information is also accessible in the generated Excel report.


2.3 Software Unit Design and Implementation

Table 7 – Notations for Software Unit Design

Columns: Method | ASIL A/B/C/D | Applicable Model-Based Design Tools and Processes | Comments

1a Natural language
    ASIL A/B/C/D: ++ ++ ++ ++
    Simulink – Model Info block, DocBlock block; Simulink Verification and Validation – System Requirements block
      The blocks can be used to add natural-language descriptions of a unit design to a model.
    Simulink Verification and Validation – Requirements Management Interface (RMI)
      Models representing unit designs can be linked to descriptions in Microsoft Word, Microsoft Excel, ASCII text, or PDF files.
1b Informal notations
    ASIL A/B/C/D: + ++ ++ ++
    Simulink – Model Info block, DocBlock block; Simulink Verification and Validation – System Requirements block
      The blocks can be used to add informal descriptions of a unit design to a model.
    Simulink Verification and Validation – Requirements Management Interface (RMI)
      The RMI can be used to link models representing unit designs to external informal descriptions in Microsoft Word, Microsoft Excel, ASCII text, or PDF files.
1c Semiformal notations
    ASIL A/B/C/D: + ++ ++ ++
    Simulink; Stateflow
      Simulink and Stateflow support software unit design using semiformal notations.
1d Formal notations
    ASIL A/B/C/D: + + + +


Table 8 – Design Principles for Software Unit Design and Implementation

Columns: Method | ASIL A/B/C/D | Applicable Model-Based Design Tools and Processes | Comments

1a One entry and one exit point in subprograms and functions
    ASIL A/B/C/D: ++ ++ ++ ++
    Simulink – Modeling guidelines
      Adherence can be facilitated by applying modeling guidelines in combination with analyzing generated code. MAAB guideline jc_0511 provides corresponding modeling recommendations.
    Polyspace – MISRA C checker
      Polyspace can assess compliance with MISRA-C:2004 rule 14.7.
1b No dynamic objects or variables, or else online test during their creation
    ASIL A/B/C/D: + ++ ++ ++
    Embedded Coder – Configuration
      Embedded Coder can be configured to generate C code that does not include dynamic objects.
    Polyspace – MISRA C checker
      Polyspace can assess compliance with MISRA-C:2004 rule 20.4.
1c Initialization of variables
    ASIL A/B/C/D: ++ ++ ++ ++
    Simulink – IC block, diagnostics
      An IC block can specify the initial condition for a signal.
      Setting the Underspecified initialization detection diagnostic to Simplified improves the consistency of simulation results for models that do not specify initial conditions for conditional subsystem output ports or that have conditionally executed subsystem output ports connected to S-functions.
    Embedded Coder – Configuration
      Parameters in the Optimization > Data initialization section of the Configuration Parameters dialog box can be used to control the initialization of variables in generated code.
    Polyspace – Code verification
      Polyspace can check the initialization of variables in generated code. Uninitialized variables are reported as NIV checks.
1d No multiple use of variable names
    ASIL A/B/C/D: + ++ ++ ++
    Simulink – Diagnostics
      Setting the Duplicate data store names diagnostic to error detects conditions where a lower-level data store unexpectedly shadows a higher-level data store with the same name.
1e Avoid global variables or else justify their usage
    ASIL A/B/C/D: + + ++ ++
    Simulink
      Usage of Data Store Memory blocks needs to be reviewed and justified.
    Embedded Coder – Configuration
      Selecting the Enable local block outputs optimization reduces the use of global variables in generated code.
    Polyspace – Variable access pane, generated Excel report, MISRA C checker
      The variable access pane displays the following information about each global variable: the number of read and write access operations, the location of read and write operations, detailed type value ranges for individual read and write access operations, whether or not it is shared, and whether shared access is protected (critical section). This information is also accessible in the generated Excel report.
      Polyspace can assess compliance with MISRA-C:2004 rules 8.11 and 8.7 to help detect variables with scopes that should not be global.
1f Limited use of pointers
    ASIL A/B/C/D: o + ++ ++
    Embedded Coder – Configuration
      Embedded Coder may generate pointer arithmetic for certain language features, for example lookup tables or matrix multiplication. Embedded Coder checks the data type and range of values to avoid corruption of address spaces.
    Polyspace – MISRA C checker, code verification
      Polyspace can assess compliance with MISRA-C:2004 rules 11.1 to 11.5 and 17.3 to 17.5, which restrict the use of pointers.
      Polyspace can check whether pointers refer to valid objects. Violations are reported as IDP checks.
1g No implicit data type conversions
    ASIL A/B/C/D: + ++ ++ ++
    Polyspace – MISRA C checker
      MISRA-C:2004 contains rules that facilitate the use of established design principles. Polyspace can assess compliance with MISRA-C:2004 rules 11.1, 11.2, 11.3, and 11.5.
1h No hidden data flow or control flow
    ASIL A/B/C/D: + ++ ++ ++
    Polyspace – MISRA C checker
      Polyspace can assess compliance with MISRA-C:2004 rule 5.2.
1i No unconditional jumps
    ASIL A/B/C/D: ++ ++ ++ ++
    Polyspace – MISRA C checker
      Polyspace can assess compliance with MISRA-C:2004 rules 14.4 and 14.5.
1j No recursions
    ASIL A/B/C/D: + + ++ ++
    Simulink – Modeling guidelines
      Adherence can be facilitated by applying modeling guidelines. High-integrity guideline hisf_0004 provides corresponding modeling recommendations: avoid using n-D Lookup Table and Interpolation blocks and Prelookup blocks with dimensions > 5.
    Polyspace – Call tree
      Generated call trees can be reviewed to identify recursive function calls.

Table 9 – Methods for Verification of Software Unit Design and Implementation

Columns: Method | ASIL A/B/C/D | Applicable Model-Based Design Tools and Processes | Comments

1a Walkthrough
    ASIL A/B/C/D: ++ + o o
    Simulink; Simulink Report Generator – Web View, System Design Description (SDD) report
      Unit design walkthroughs can be based on a model, a generated Web View, or an SDD report.
    Embedded Coder – Code generation report
      Code walkthroughs can be based on HTML code generation reports or code generation reports with an integrated Web View of the model.
1b Inspection
    ASIL A/B/C/D: + ++ ++ ++
    Simulink; Simulink Report Generator – Web View, System Design Description (SDD) report
      Unit design inspections can be based on a model, a generated Web View, or an SDD report.
    Simulink Verification and Validation – Model Advisor checks
      Unit design inspections can be supported by ISO 26262, MAAB, Requirements Consistency, and custom checks in Model Advisor. A Model Advisor check configuration can define a set of checks to pass as a prerequisite for entering model inspection.
    Embedded Coder – Code generation report; IEC Certification Kit – Traceability matrix
      Code walkthroughs can be based on HTML code generation reports, code generation reports with an integrated Web View of the model, or model-to-code and code-to-model traceability matrices.
1c Semiformal verification
    ASIL A/B/C/D: + + ++ ++
    Simulink
      Simulink supports simulation of algorithm and environment models.
1d Formal verification
    ASIL A/B/C/D: o o + +
    Simulink – Model Verification blocks
      Model Verification blocks can be used to formalize software safety requirements and other model properties.
    Simulink Design Verifier – Property proving, design error detection, test case generation
      Property proving can be used to verify model properties using formal verification techniques. Design error detection can analyze a model to detect design errors that might occur at run time.
    Polyspace – Code verification
      Run-time error detection can analyze C code to identify software errors that might occur during run time.
1e Control flow analysis
    ASIL A/B/C/D: + + ++ ++
    Simulink Verification and Validation – Model coverage analysis
      Model coverage analysis can help to identify unreachable portions of a model.
    Simulink Design Verifier – Test case generation
      Automatic test case generation can be used to detect unreachable model constructs that could result in unreachable code.
    Polyspace – Call tree, unreachable code analysis
      Polyspace can extract control flow information at the function level from C code and create an application call tree. Gray checks detect unreachable code.
1f Data flow analysis
    ASIL A/B/C/D: + + ++ ++
    Simulink – Diagnostics; Stateflow – Diagnostics
      Data Store Memory block diagnostics and Stateflow diagnostics can be configured to identify data flow issues.
    Polyspace – Code verification
      Polyspace supports static verification of dynamic properties of generated code. This verification technique is based on data flow analysis.
1g Static code analysis
    ASIL A/B/C/D: + ++ ++ ++
    Polyspace – MISRA C checker, metrics
      Polyspace can facilitate static analysis of C code.
1h Semantic code analysis
    ASIL A/B/C/D: + + + +
    Polyspace – Code verification, variable access pane, generated Excel report
      Polyspace uses abstract interpretation to analyze C code.
      The variable access pane displays the following information about each global variable: the number of read and write access operations, the location of read and write operations, detailed type value ranges for individual read and write access operations, whether or not it is shared, and whether shared access is protected (critical section). This information is also accessible in the generated Excel report.

Columns: Clause | Model-Based Design Tools and Processes | Comments

8.4.5 The software unit design and implementation shall be verified in accordance with ISO 26262-8:2011 Clause 9, and by applying the verification methods listed in Table 9 to demonstrate: ...
    b) the fulfillment of the software safety requirements as allocated to the software units (in accordance with 7.4.9) through traceability ...
    IEC Certification Kit – Traceability matrix
      Generated traceability matrices can be used to document and review existing links between textual requirements, models, and generated code.


2.4 Software Unit Testing

Table 10 – Methods for Software Unit Testing

Columns: Method | ASIL A/B/C/D | Applicable Model-Based Design Tools and Processes | Comments

1a Requirements-based test
    ASIL A/B/C/D: ++ ++ ++ ++
    Simulink Verification and Validation – Requirements Management Interface (RMI)
      The RMI can be used to establish bidirectional links between textual requirements and models.
    IEC Certification Kit – Traceability matrix
      Generated traceability matrices can be used to document and review existing links between textual requirements, models, and code.
    Simulink – Signal Builder block; Stateflow – Dynamic test vector charts
      Signal Builder blocks can be used to create open-loop model tests.
      Dynamic test vector charts can be used to create closed-loop, reactive model tests.
    Simulink Verification and Validation – Component testing capabilities
      Component testing capabilities can be used to create model test harnesses. They also enable a requirements pane in the Signal Builder that can be used to link tests with textual requirements.
1b Interface test
    ASIL A/B/C/D: ++ ++ ++ ++
    Simulink Design Verifier – Test case generation
      Automatic test case generation in combination with Test Objective blocks can be used to generate interface tests.
1c Fault injection test
    ASIL A/B/C/D: + + + ++
    Simulink; Stateflow
      Simulink and Stateflow can be used to carry out fault injection tests. The tools can also be used to simulate failure propagation at the model level. For this purpose, the system model and a separate failure model can be used.
    Simulink Design Verifier – Test case generation
      Automatic test case generation in combination with Test Objective blocks can be used to generate fault injection tests.
1d Resource usage test
    ASIL A/B/C/D: + + + ++
    Embedded Coder – Processor-in-the-loop (PIL) testing, code metrics report
      PIL testing analyzes resource utilization on a target processor. The code metrics report provides the amount of memory used by the generated code.
1e Back-to-back test between model and code, if applicable
    ASIL A/B/C/D: + + ++ ++
    Simulink; Stateflow; Simulink Verification and Validation – Component testing capabilities, model coverage; Simulink Design Verifier – Test case generation
      The simulation capabilities of Simulink and Stateflow and the component testing capabilities of Simulink Verification and Validation facilitate dynamic testing of models. Model coverage can be used to assess the completeness of the model tests. Simulink Design Verifier can generate missing test cases.
    Embedded Coder – Software-in-the-loop (SIL) testing, processor-in-the-loop testing, code generation verification (CGV); Simulink – Simulation Data Inspector (SDI)
      SIL and PIL testing provide a way to execute model tests on generated code. CGV automates selected back-to-back testing workflows.
      The SDI supports the comparison of test results created during back-to-back testing.

Table 11 – Methods for Deriving Test Cases for Software Unit Testing

Columns: Method | ASIL A/B/C/D | Applicable Model-Based Design Tools and Processes | Comments

1a Analysis of requirements
    ASIL A/B/C/D: ++ ++ ++ ++
    Simulink Verification and Validation – Component testing capabilities
      Component testing capabilities can be used to create model test harnesses. They also enable a requirements pane in the Signal Builder that can be used to link tests with textual requirements.
1b Generation and analysis of equivalence classes
    ASIL A/B/C/D: + ++ ++ ++
    Simulink Design Verifier – Test case generation
      The analysis of equivalence classes can be based on the interfaces of the model. Automatic test case generation in combination with Test Objective blocks can be used to generate test cases and test sequences for given equivalence classes.
1c Analysis of boundary values
    ASIL A/B/C/D: + ++ ++ ++
    Simulink Design Verifier – Test case generation
      The analysis of boundary values can be based on the interfaces of the model. Automatic test case generation in combination with Test Objective blocks can be used to generate test cases and test sequences for given boundary values.
1d Error guessing
    ASIL A/B/C/D: + + + +

Table 12 – Structural Coverage Metrics at the Software Unit Level

| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1a Statement coverage | ++ | ++ | + | + | Embedded Coder: code coverage collection | During software-in-the-loop (SIL) simulation, Embedded Coder can collect statement coverage by using the third-party tool LDRA Testbed®. During SIL simulation, Embedded Coder can collect condition/decision coverage information, which usually subsumes statement coverage, by using the third-party tool BullseyeCoverage®. |
| 1b Branch coverage | + | ++ | ++ | ++ | Simulink Verification and Validation: model coverage analysis; Simulink Design Verifier: test case generation | During model testing, Simulink Verification and Validation can collect decision coverage (also known as branch coverage) at the model level. Simulink Design Verifier can generate test cases that satisfy decision coverage at the model level. |
| | | | | | Embedded Coder: code coverage collection | During SIL simulation, Embedded Coder can collect statement coverage by using the third-party tool LDRA Testbed. During SIL simulation, Embedded Coder can collect condition and decision coverage, which usually subsumes statement coverage, by using the third-party tool BullseyeCoverage. |
| 1c MC/DC (Modified Condition/Decision Coverage) | + | + | + | ++ | Simulink Verification and Validation: model coverage analysis; Simulink Design Verifier: test case generation | During model testing, Simulink Verification and Validation can collect MC/DC coverage at the model level. Simulink Design Verifier can be used to generate test cases that satisfy MC/DC coverage at the model level. |
| | | | | | Embedded Coder: code coverage collection | During SIL simulation, Embedded Coder can collect MC/DC coverage by using the third-party tool LDRA Testbed. |
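Table 12 lists statement, branch (decision) and MC/DC coverage without showing how they rank a given test set. The Python block below is an added example, not MathWorks, LDRA Testbed or BullseyeCoverage code: it computes all three metrics by hand over a unit shaped like a generated C function with one `if` and no `else`, whose decision is `A && (B || C)`. The unit, the condition names and the three test sets are constructed for the example. It shows that one test can reach full statement coverage with half the decision outcomes, that covering both outcomes still leaves MC/DC at zero, and that n+1 vectors chosen as independence pairs reach MC/DC for n conditions.

```python
"""Statement, decision (branch) and unique-cause MC/DC coverage, computed
over a small constructed unit so the ordering of the metrics is visible.
Added example: not MathWorks, LDRA Testbed or BullseyeCoverage code."""
from typing import Iterable, Tuple

Vector = Tuple[bool, bool, bool]
CONDITIONS = ("A", "B", "C")          # the three conditions in the decision
STATEMENTS = ("s1", "s2", "s3")       # statement ids inside unit_under_test


def decision(v: Vector) -> bool:
    """The single decision of the unit: A && (B || C)."""
    a, b, c = v
    return a and (b or c)


def unit_under_test(v: Vector):
    """A unit shaped like generated C: an `if` with no `else`.
    Returns the output and the set of statement ids that executed."""
    executed = {"s1"}            # s1: y = 0
    y = 0
    if decision(v):
        executed.add("s2")       # s2: y = 1 (only on the true branch)
        y = 1
    executed.add("s3")           # s3: return y
    return y, executed


def statement_coverage(tests: Iterable[Vector]) -> float:
    """Fraction of statements executed by at least one test."""
    hit = set()
    for v in tests:
        hit |= unit_under_test(v)[1]
    return len(hit) / len(STATEMENTS)


def decision_coverage(tests: Iterable[Vector]) -> float:
    """Decision (branch) coverage: fraction of the two outcomes observed."""
    outcomes = {decision(v) for v in tests}
    return len(outcomes) / 2


def mcdc_coverage(tests: Iterable[Vector]):
    """Unique-cause MC/DC: a condition is covered when the test set holds a
    pair of vectors that differ only in that condition and give different
    decision outcomes. Returns (fraction covered, {condition: pair})."""
    vectors = {tuple(v) for v in tests}
    pairs = {}
    for i, name in enumerate(CONDITIONS):
        for v in vectors:
            flipped = v[:i] + (not v[i],) + v[i + 1:]
            if flipped in vectors and decision(v) != decision(flipped):
                pairs[name] = (v, flipped)
                break
    return len(pairs) / len(CONDITIONS), pairs


# Constructed test sets (T/F spelled out for readability).
T, F = True, False
ONE_TRUE = [(T, T, T)]                                   # every statement runs once
BOTH_BRANCHES = [(T, T, T), (F, F, F)]                   # both decision outcomes
MCDC_SET = [(T, T, F), (T, F, F), (T, F, T), (F, T, F)]  # n+1 vectors for n=3


def report(name, tests):
    s, d, (m, _) = statement_coverage(tests), decision_coverage(tests), mcdc_coverage(tests)
    print(f"{name:14s} statement={s:.0%} decision={d:.0%} MC/DC={m:.0%}")


if __name__ == "__main__":
    report("ONE_TRUE", ONE_TRUE)
    report("BOTH_BRANCHES", BOTH_BRANCHES)
    report("MCDC_SET", MCDC_SET)
```

The MC/DC check implements the unique-cause form (all other conditions held fixed); a tool that applies masking MC/DC to short-circuit C operators may accept additional pairs, so the numbers it reports for the same vectors can only be equal or higher.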


2.5 Software Integration and Testing

Table 13 – Methods for Software Integration Testing

| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1a Requirements-based test | + | + | + | + | Simulink Verification and Validation: Requirements Management Interface (RMI) | RMI can be used to establish bidirectional links between textual requirements and models. |
| | | | | | IEC Certification Kit: traceability matrix | Generated traceability matrices can be used to document and review existing links between textual requirements, models, and code. |
| | | | | | Simulink: Signal Builder block | The Signal Builder block can be used to create open-loop model tests. |
| | | | | | Stateflow: dynamic test vector charts | Dynamic test vector charts can be used to create closed-loop, reactive model tests. |
| | | | | | Simulink Verification and Validation: component testing capabilities | Component testing capabilities can be used to create model test harnesses. They also enable a requirements pane in the Signal Builder, which can be used to link tests with textual requirements. |
| 1b Interface test | ++ | ++ | ++ | ++ | Simulink Design Verifier: test case generation | Automatic test case generation in combination with Test Objective blocks can generate fault injection tests. |
| 1c Fault injection test | + | + | ++ | ++ | Simulink; Stateflow | Simulink and Stateflow can be used to execute fault injection tests. They can also simulate failure propagation at the model level. For this purpose, a system model and/or a separate failure model can be used. |
| | | | | | Simulink Design Verifier: test case generation | Automatic test case generation in combination with Test Objective blocks can generate fault injection tests. |
| 1d Resource usage test | + | + | + | ++ | Embedded Coder: processor-in-the-loop (PIL) testing, code metrics report | PIL testing analyzes resource utilization on a target processor. The code metrics report provides information about memory usage of generated code. |
| 1e Back-to-back test between model and code, if applicable | + | + | ++ | ++ | Simulink; Stateflow | Simulation capabilities of Simulink and Stateflow and the component test capabilities of Simulink Verification and Validation facilitate dynamic model testing. |
| | | | | | Simulink Verification and Validation: component testing capabilities, model coverage; Simulink Design Verifier: test case generation | Model coverage can assess the completeness of model tests. Simulink Design Verifier can generate missing test cases. |
| | | | | | Embedded Coder: software-in-the-loop (SIL) testing, processor-in-the-loop (PIL) testing, code generation verification (CGV) | SIL and PIL testing capabilities execute model tests on generated code. CGV can automate selected back-to-back testing workflows. |
| | | | | | Simulink: Simulation Data Inspector (SDI) | SDI supports comparison of test results created during back-to-back testing. |


Table 14 – Methods for Deriving Test Cases for Software Integration Testing

| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1a Analysis of requirements | ++ | ++ | ++ | ++ | Simulink Verification and Validation: component testing capabilities | Component testing capabilities can be used to create model test harnesses. They also enable a requirements pane in the Signal Builder that can be used to link tests with textual requirements. |
| 1b Generation and analysis of equivalence classes | + | ++ | ++ | ++ | Simulink Design Verifier: test case generation | The analysis of equivalence classes can be based on the interfaces of the model. Automatic test case generation in combination with Test Objective blocks can be used to generate test cases and test sequences for given equivalence classes. |
| 1c Analysis of boundary values | + | ++ | ++ | ++ | Simulink Design Verifier: test case generation | The analysis of boundary values can be based on the interfaces of the model. Automatic test case generation in combination with Test Objective blocks can be used to generate test cases and test sequences for given boundary values. |
| 1d Error guessing | + | + | + | + | | |
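Rows 1b and 1c of Table 14 derive test cases from the model's interfaces, and row 1e of Table 13 compares model and code back to back. The Python block below is an added example that is not Simulink Design Verifier, Test Objective block or Simulation Data Inspector code; it shows the general form of both steps rather than one instance: it partitions any integer interface into below-valid, valid and above-valid equivalence classes, derives boundary values from the class edges, and runs the resulting vectors through a reference function (standing in for the model) and an implementation (standing in for generated code), listing every disagreement. The `Interface` type, the `throttle_pct` port, `model_limit` and `code_limit` are constructed for the example, and `code_limit` carries a planted off-by-one at the upper boundary that the class representatives miss and the boundary values catch.

```python
"""Equivalence classes and boundary values derived from an integer interface,
used as vectors for a back-to-back comparison of a reference ("model")
function against an implementation ("generated code"). Added example; the
interface and both functions are constructed, and the defect in code_limit
is planted on purpose."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Interface:
    """An integer input port: its data-type range and its required valid range."""
    name: str
    type_min: int
    type_max: int
    valid_min: int
    valid_max: int


def equivalence_classes(itf: Interface) -> List[Tuple[str, int, int]]:
    """Partition the type range into below-valid, valid and above-valid
    classes; a class that is empty because the valid range touches the
    type limit is dropped."""
    classes = [
        ("below_valid", itf.type_min, itf.valid_min - 1),
        ("valid", itf.valid_min, itf.valid_max),
        ("above_valid", itf.valid_max + 1, itf.type_max),
    ]
    return [c for c in classes if c[1] <= c[2]]


def class_representatives(itf: Interface) -> List[int]:
    """One value from the middle of each equivalence class."""
    return [(lo + hi) // 2 for _, lo, hi in equivalence_classes(itf)]


def boundary_values(itf: Interface) -> List[int]:
    """Each class edge plus its two neighbours, clipped to the type range."""
    values = set()
    for _, lo, hi in equivalence_classes(itf):
        for edge in (lo, hi):
            for v in (edge - 1, edge, edge + 1):
                if itf.type_min <= v <= itf.type_max:
                    values.add(v)
    return sorted(values)


def back_to_back(reference: Callable[[int], float],
                 implementation: Callable[[int], float],
                 vectors: List[int], tol: float = 0.0) -> List[Tuple[int, float, float]]:
    """Run both functions on the same vectors and return (input, expected,
    actual) for every vector where they disagree by more than tol."""
    return [(x, reference(x), implementation(x))
            for x in vectors if abs(reference(x) - implementation(x)) > tol]


# Constructed interface: a uint8 throttle request of which 0..100 is valid.
THROTTLE = Interface("throttle_pct", type_min=0, type_max=255, valid_min=0, valid_max=100)


def model_limit(x: int) -> float:
    """Reference behaviour (the model): saturate the request to the valid range."""
    return float(min(max(x, THROTTLE.valid_min), THROTTLE.valid_max))


def code_limit(x: int) -> float:
    """Constructed implementation with a planted off-by-one: `>=` where `>`
    was intended, so 99 already saturates to 100."""
    if x >= THROTTLE.valid_max - 1:
        return float(THROTTLE.valid_max)
    return float(max(x, THROTTLE.valid_min))


if __name__ == "__main__":
    for label, lo, hi in equivalence_classes(THROTTLE):
        print(f"class {label}: [{lo}, {hi}]")
    print("representatives:", class_representatives(THROTTLE))
    print("boundary values:", boundary_values(THROTTLE))
    reps = class_representatives(THROTTLE)
    print("mismatches on representatives:", back_to_back(model_limit, code_limit, reps))
    print("mismatches on boundary values:",
          back_to_back(model_limit, code_limit, boundary_values(THROTTLE)))
```

The `tol` argument plays the role of the tolerance a result comparison needs when the model runs in floating point and the generated code in fixed point; with the default of zero the comparison is exact, which is appropriate here because both sides are integer-valued.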

Table 15 – Structural Coverage Metrics at the Software Architectural Level

| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1a Function coverage | + | + | ++ | ++ | Embedded Coder: code coverage collection | During SIL simulation, Embedded Coder can collect function coverage information by using the third-party tool BullseyeCoverage. |
| 1b Call coverage | + | + | ++ | ++ | Embedded Coder: code coverage collection | During SIL simulation, Embedded Coder can collect procedure/function call coverage information by using the third-party tool LDRA Testbed. |


3 ISO 26262–8: Applicable Model-Based Design Tools and Processes


3.1 Confidence in the Use of Software Tools

Table 4 – Qualification of Software Tools Classified TCL3

| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1a Increased confidence from use in accordance with 11.4.7 | ++ | ++ | + | + | | |
| 1b Evaluation of the tool development process in accordance with 11.4.8 | ++ | ++ | + | + | IEC Certification Kit: ISO 26262 Tool Qualification Kits | Embedded Coder, Simulink Verification and Validation, Simulink Design Verifier, and Polyspace products for C/C++ have been prequalified, using a combination of methods 1b and 1c. TÜV SÜD carried out an independent tool qualification assessment. The IEC Certification Kit provides Software Tool Criteria Evaluation reports, Software Tool Qualification reports, and evidence for the independent assessment. The IEC Certification Kit provides exemplary test cases and test procedures for Embedded Coder, Simulink Verification and Validation, and Polyspace products for C/C++ that can be used to facilitate tool validation tests for these products. |
| 1c Validation of the software tool in accordance with 11.4.9 | + | + | + | ++ | | |
| 1d Development in accordance with a safety standard | + | + | + | ++ | | |


Table 5 – Qualification of Software Tools Classified TCL2

| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1a Increased confidence from use in accordance with 11.4.7 | ++ | ++ | ++ | + | | |
| 1b Evaluation of the tool development process in accordance with 11.4.8 | ++ | ++ | ++ | + | IEC Certification Kit: ISO 26262 Tool Qualification Kits | Embedded Coder, Simulink Verification and Validation, Simulink Design Verifier, and Polyspace products for C/C++ have been prequalified, using a combination of methods 1b and 1c. TÜV SÜD carried out an independent tool qualification assessment. The IEC Certification Kit provides Software Tool Criteria Evaluation reports, Software Tool Qualification reports, and evidence for the independent assessment. The IEC Certification Kit provides exemplary test cases and test procedures for Embedded Coder, Simulink Verification and Validation, and Polyspace products for C/C++ that can be used to facilitate tool validation tests for these products. |
| 1c Validation of the software tool in accordance with 11.4.9 | + | + | + | ++ | | |
| 1d Development in accordance with a safety standard | + | + | + | ++ | | |
