IEC Certification Kit
Model-Based Design for ISO 26262
R2013a
How to Contact MathWorks
www.mathworks.com – Web
comp.soft-sys.matlab – Newsgroup
www.mathworks.com/contact_TS.html – Technical Support
[email protected] – Product enhancement
[email protected] – Bug reports
[email protected] – Documentation error
[email protected] – Order status, license renewals
[email protected] – Sales, pricing, and general information
508-647-7000 (Phone)
508-647-7001 (Fax)
The MathWorks, Inc.
3 Apple Hill Drive
Natick, MA 01760-2098
For contact information about worldwide offices, see the MathWorks Web site.
IEC Certification Kit: Model-Based Design for ISO 26262
© COPYRIGHT 2011–2013 by The MathWorks, Inc.
The software described in this document is furnished under a license agreement. The software may be used or copied only under the terms of the license agreement. No part of this manual may be photocopied or reproduced in any form without prior written consent from The MathWorks, Inc.
FEDERAL ACQUISITION: This provision applies to all acquisitions of the Program and Documentation by, for, or through the federal government of the United States. By accepting delivery of the Program or Documentation, the government hereby agrees that this software or documentation qualifies as commercial computer software or commercial computer software documentation as such terms are used or defined in FAR 12.212, DFARS Part 227.72, and DFARS 252.227-7014. Accordingly, the terms and conditions of this Agreement and only those rights specified in this Agreement, shall pertain to and govern the use, modification, reproduction, release, performance, display, and disclosure of the Program and Documentation by the federal government (or other entity acquiring for or through the federal government) and shall supersede any conflicting contractual terms or conditions. If this License fails to meet the government’s needs or is inconsistent in any respect with federal procurement law, the government agrees to return the Program and Documentation, unused, to The MathWorks, Inc.
Trademarks
MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See www.mathworks.com/trademarks for a list of additional trademarks. Other product or brand names may be trademarks or registered trademarks of their respective holders.
Patents
MathWorks products are protected by one or more U.S. patents. Please see www.mathworks.com/patents for more information.
Revision History
March 2012      New for Version 2.1 (Applies to Release 2012a)
September 2012  Revised for Version 3.0 (Applies to Release 2012b)
March 2013      Revised for Version 3.1 (Applies to Release 2013a)
Contents

1 Introduction
   1.1 Model-Based Design for ISO 26262
2 ISO 26262–6: Applicable Model-Based Design Tools and Processes
   2.1 Initiation of Product Development at the Software Level
      Table 1 – Topics To Be Covered By Modeling and Coding Guidelines
   2.2 Software Architectural Design
      Table 2 – Notations for Software Architectural Design
      Table 3 – Principles for Software Architectural Design
      Table 4 – Mechanisms for Error Detection at the Software Architectural Level
      Table 5 – Mechanisms for Error Handling at the Software Architectural Level
      Table 6 – Methods for Verification of Software Architectural Design
   2.3 Software Unit Design and Implementation
      Table 7 – Notations for Software Unit Design
      Table 8 – Design Principles for Software Unit Design and Implementation
      Table 9 – Methods for Verification of Software Unit Design and Implementation
   2.4 Software Unit Testing
      Table 10 – Methods for Software Unit Testing
      Table 11 – Methods for Deriving Test Cases for Software Unit Testing
      Table 12 – Structural Coverage Metrics at the Software Unit Level
   2.5 Software Integration and Testing
      Table 13 – Methods for Software Integration Testing
      Table 14 – Methods for Deriving Test Cases for Software Integration Testing
      Table 15 – Structural Coverage Metrics at the Software Architectural Level
3 ISO 26262–8: Applicable Model-Based Design Tools and Processes
   3.1 Confidence in the Use of Software Tools
      Table 4 – Qualification of Software Tools Classified TCL3
      Table 5 – Qualification of Software Tools Classified TCL2
1 Introduction
1.1 Model-Based Design for ISO 26262
This documentation provides annotated versions of the method tables that appear in ISO 26262–6 and ISO 26262–8. The annotated tables suggest how Model-Based Design products from MathWorks® can be used to apply the methods listed in the standard for the different Automotive Safety Integrity Levels (ASILs).
The IEC Certification Kit provides additional support when using Model-Based Design for ISO 26262 applications, including reference workflows for verifying and validating models and generated code.
2 ISO 26262–6: Applicable Model-Based Design Tools and Processes
In the tables that follow, the ASIL columns use the notation of the standard: ++ the method is highly recommended, + the method is recommended, o there is no recommendation for or against the method.

2.1 Initiation of Product Development at the Software Level
Table 1 – Topics To Be Covered By Modeling and Coding Guidelines
Columns: Topic | ASIL A B C D | Applicable Model-Based Design Tools and Processes | Comments

1a Enforcement of low complexity (ASIL A–D: ++ ++ ++ ++)
1b Use of language subsets (ASIL A–D: ++ ++ ++ ++)
1c Enforcement of strong typing (ASIL A–D: ++ ++ ++ ++)
1d Use of defensive implementation techniques (ASIL A–D: o + ++ ++)
1e Use of established design principles (ASIL A–D: + + + ++)
1f Use of unambiguous graphical representation (ASIL A–D: + ++ ++ ++)
1g Use of style guides (ASIL A–D: + ++ ++ ++)
1h Use of naming conventions (ASIL A–D: ++ ++ ++ ++)
  Tools (all topics): Simulink® Modeling Guidelines
  Comment: The High Integrity System Modeling Guidelines and the MathWorks® Automotive Advisory Board (MAAB) Control Algorithm Modeling Guidelines can be used to address the topics listed in this table. The guideline subset used for a project should address the combination of topics applicable to the ASIL under consideration.
2.2 Software Architectural Design
Table 2 – Notations for Software Architectural Design
Columns: Method | ASIL A B C D | Applicable Model-Based Design Tools and Processes | Comments

1a Informal notations (ASIL A–D: ++ ++ + +)
  Tools: Simulink – Model Info and DocBlock blocks; Simulink® Verification and Validation™ – System Requirements block
  Comment: The blocks can be used to integrate architectural descriptions into a model.
  Tools: Simulink Verification and Validation – Requirements Management Interface (RMI)
  Comment: The RMI can be used to link Simulink and Stateflow architectural designs to informal descriptions in Microsoft® Word, Microsoft® Excel®, ASCII text, and PDF files.
1b Semiformal notations (ASIL A–D: + ++ ++ ++)
  Tools: Simulink; Stateflow®
  Comment: Simulink and Stateflow support software architectural design using semiformal notations.
1c Formal notations (ASIL A–D: + + + +)
Table 3 – Principles for Software Architectural Design
Columns: Method | ASIL A B C D | Applicable Model-Based Design Tools and Processes | Comments

1a Hierarchical structure of software components (ASIL A–D: ++ ++ ++ ++)
  Tools: Simulink – Model block, Ports & Subsystems block library; Stateflow
  Comment: Model blocks (model referencing), subsystems, libraries, and Stateflow charts support hierarchical decomposition of models.
  Tools: Simulink – Model Dependency Viewer
  Comment: When Model blocks or libraries are used to structure a model, the Model Dependency Viewer can display a graph of the models and libraries referenced by the top model.
  Tools: Embedded Coder®
  Comment: Embedded Coder supports modularization of code at the file level.
1b Restricted size of software components (ASIL A–D: ++ ++ ++ ++)
  Tools: Simulink; Stateflow; Embedded Coder
  Comment: Software components can be structured hierarchically to limit component size.
  Tools: Simulink Verification and Validation – ISO 26262 checks
  Comment: The ISO 26262 Model Advisor check Display model metrics and complexity report provides information on the size and complexity of models and subsystems.
  Tools: Polyspace® – Metrics
  Comment: Polyspace Metrics supports the generation of size and complexity metrics for source code.
1c Restricted size of interfaces (ASIL A–D: ++ ++ ++ ++)
  Tools: Simulink Verification and Validation – ISO 26262 checks
  Comment: The ISO 26262 Model Advisor check Display model metrics and complexity report provides information on the number of inports and outports of models and subsystems.
  Tools: Polyspace – Metrics
  Comment: Polyspace Metrics supports the generation of size and complexity metrics for source code.
1d High cohesion within software components (ASIL A–D: + + + +)
1e Restricted coupling between software components (ASIL A–D: + ++ ++ ++)
1f Appropriate scheduling properties (ASIL A–D: + ++ ++)
  Tools: Simulink
  Comment: Simulink provides a way to control the rate of block execution and allows block-based or port-based sample times to be specified. Models can display color coding and annotations that represent specific sample times.
  Tools: Stateflow – Scheduler patterns
  Comment: Stateflow provides multiple scheduler patterns for controlling the execution of subsystems.
1g Restricted use of interrupts (ASIL A–D: + + + ++)
  Tools: Embedded Coder – Configuration
  Comment: Embedded Coder can be configured not to insert interrupts into step function code.
Table 4 – Mechanisms for Error Detection at the Software Architectural Level
Columns: Method | ASIL A B C D | Applicable Model-Based Design Tools and Processes | Comments

1a Range checks of input and output data (ASIL A–D: ++ ++ ++ ++)
  Tools: Simulink; Stateflow
  Comment: Simulink and Stateflow can be used to design range checks for input and output data. During simulation, the Simulation range checking diagnostic detects when signals exceed their specified ranges.
  Tools: Simulink® Design Verifier™; Polyspace – Code verification
  Comment: Simulink Design Verifier and Polyspace can calculate and verify signal ranges.
1b Plausibility (ASIL A–D: + + + ++)
  Tools: Simulink; Stateflow
  Comment: Simulink and Stateflow can be used to design plausibility checks.
1c Detection of data errors (ASIL A–D: ++ ++ ++ ++)
  Tools: Simulink; Stateflow
  Comment: Simulink and Stateflow can be used to detect data errors.
1d External monitoring facility (ASIL A–D: o + + ++)
1e Control flow monitoring (ASIL A–D: o + ++ ++)
1f Diverse software design (ASIL A–D: o o + ++)
  Tools: Simulink; Stateflow; Fixed-Point Designer™
  Comment: Software diversity for algorithmic parts can be supported by executing floating-point and fixed-point versions of an algorithm in parallel and comparing the results.
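The three mechanisms from Table 4 that the kit maps to Simulink, Stateflow, and Fixed-Point Designer (range check, plausibility check, and diverse floating-point/fixed-point execution) are shown below in the form they take in handwritten or generated C. This is an added illustration, not code from the IEC Certification Kit or from any MathWorks product: the pedal-position sensor, its ADC limits, the rate-of-change bound, the gain, and the tolerance are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a hypothetical pedal-position sensor read as a
 * 12-bit ADC count (0..4095 covers 0..100 %). Every limit below is an
 * assumption made for this illustration, not a value from the kit. */
#define RAW_MIN        100u    /* below this: open circuit or short to ground   */
#define RAW_MAX        3995u   /* above this: short to supply                    */
#define RAW_MAX_STEP   1024u   /* about 25 % per sample; faster is not plausible */
#define ADC_FULL_SCALE 4095u
#define GAIN_FLOAT     0.75f
#define GAIN_Q15       24576   /* 0.75 in Q1.15 (0.75 * 32768)                   */
#define DIVERSE_TOL    0.05f   /* allowed disagreement between the two paths     */

typedef enum {
    SENSOR_OK = 0,
    SENSOR_OUT_OF_RANGE,     /* Table 4, 1a: range check failed            */
    SENSOR_IMPLAUSIBLE,      /* Table 4, 1b: plausibility check failed     */
    SENSOR_DIVERSE_MISMATCH  /* Table 4, 1f: diverse computations disagree */
} sensor_status_t;

/* 1a: range check on the raw input value. */
bool raw_in_range(uint16_t raw)
{
    return (raw >= RAW_MIN) && (raw <= RAW_MAX);
}

/* 1b: plausibility check, a physical rate-of-change limit between samples. */
bool raw_plausible(uint16_t raw, uint16_t prev_raw)
{
    uint16_t delta = (raw > prev_raw) ? (uint16_t)(raw - prev_raw)
                                      : (uint16_t)(prev_raw - raw);
    return delta <= RAW_MAX_STEP;
}

/* 1f, path 1: floating-point scaling to percent, then the gain. */
float scale_float(uint16_t raw)
{
    return (float)raw * (100.0f / (float)ADC_FULL_SCALE) * GAIN_FLOAT;
}

/* 1f, path 2: the same computation in Q16.16 fixed point with a Q1.15 gain. */
int32_t scale_q16(uint16_t raw)
{
    int64_t percent_q16 = ((int64_t)raw * (100 << 16)) / ADC_FULL_SCALE;
    return (int32_t)((percent_q16 * GAIN_Q15) >> 15);
}

/* Compare the two diverse results. A mismatch points at a latent error
 * (overflow, wrong scaling, corrupted code path) in one of the two paths. */
bool diverse_agree(float f, int32_t q16)
{
    float diff = f - ((float)q16 / 65536.0f);
    if (diff < 0.0f) {
        diff = -diff;
    }
    return diff <= DIVERSE_TOL;
}

/* The checks are applied in order; the first failure wins and *out is left
 * untouched, so the caller keeps its last good value. */
sensor_status_t check_sensor(uint16_t raw, uint16_t prev_raw, float *out)
{
    sensor_status_t status = SENSOR_OK;

    if (!raw_in_range(raw)) {
        status = SENSOR_OUT_OF_RANGE;
    } else if (!raw_plausible(raw, prev_raw)) {
        status = SENSOR_IMPLAUSIBLE;
    } else {
        float   f   = scale_float(raw);
        int32_t q16 = scale_q16(raw);
        if (!diverse_agree(f, q16)) {
            status = SENSOR_DIVERSE_MISMATCH;
        } else {
            *out = f;
        }
    }
    return status;
}

/* Status only, for callers that do not need the scaled value. */
sensor_status_t sensor_status(uint16_t raw, uint16_t prev_raw)
{
    float unused = 0.0f;
    return check_sensor(raw, prev_raw, &unused);
}

int main(void)
{
    /* Constructed sample sequence: steady, small step, implausible jump, short to supply. */
    const uint16_t samples[] = { 2000u, 2048u, 3200u, 4000u };
    uint16_t prev = 2000u;
    float out = 0.0f;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        sensor_status_t s = check_sensor(samples[i], prev, &out);
        printf("raw=%4u prev=%4u -> status=%d out=%.3f\n",
               samples[i], prev, (int)s, (double)out);
        if (s == SENSOR_OK) {
            prev = samples[i];
        }
    }
    return 0;
}
```

The order of the checks matters: the range check catches electrical faults (stuck or shorted line) before the plausibility check compares against history, and the diverse comparison runs last so it only judges values already known to be well-formed. Keeping the previous output on any failure is the simplest static recovery behaviour; a production design would pair it with the degradation and recovery mechanisms of Table 5.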
Table 5 – Mechanisms for Error Handling at the Software Architectural Level
Columns: Method | ASIL A B C D | Applicable Model-Based Design Tools and Processes | Comments

1a Static recovery mechanism (ASIL A–D: + + + +)
  Tools: Simulink; Stateflow
  Comment: Simulink and Stateflow can be used to design fault detection, isolation, and recovery (FDIR) algorithms.
1b Graceful degradation (ASIL A–D: + + ++ ++)
  Tools: Stateflow
  Comment: Stateflow can be used to design graceful degradation behaviour.
1c Independent parallel redundancy (ASIL A–D: o o + ++)
1d Correcting codes for data (ASIL A–D: + + + +)
Table 6 – Methods for Verification of Software Architectural Design
Columns: Method | ASIL A B C D | Applicable Model-Based Design Tools and Processes | Comments

1a Walkthrough of the design (ASIL A–D: ++ + o o)
  Tools: Simulink; Simulink® Report Generator™ – Web View, System Design Description (SDD) report
  Comment: Architectural design walkthroughs can be based on the model, a generated Web View, or an SDD report.
1b Inspection of the design (ASIL A–D: + ++ ++ ++)
  Tools: Simulink
  Comment: Design inspections can be based on the model, a generated Web View, or an SDD report.
  Tools: Simulink Verification and Validation – Model Advisor checks
  Comment: Design inspections can be supported by ISO 26262, MAAB, Requirements Consistency, and custom Model Advisor checks. A Model Advisor check configuration can define the set of checks that must pass as a prerequisite for entering a design inspection.
1c Simulation of dynamic parts of the design (ASIL A–D: + + + ++)
  Tools: Simulink
  Comment: Simulink supports simulation of algorithm and environment models.
1d Prototype generation (ASIL A–D: o o + ++)
  Tools: Simulink® Coder™
  Comment: Simulink Coder can be used to generate code for rapid prototyping.
  Tools: Embedded Coder
  Comment: Embedded Coder can be used to generate code for on-target rapid prototyping. Software-in-the-loop (SIL) and processor-in-the-loop (PIL) simulation can be used to execute generated code in the context of a model.
  Tools: Simulink® 3D Animation™
  Comment: Simulink 3D Animation can be used to animate three-dimensional scenes driven by signals in a model.
  Tools: Gauges Blockset™
  Comment: Gauges Blockset can be used to add graphical instrumentation to models.
1e Formal verification (ASIL A–D: o o + +)
  Tools: Simulink – Model Verification block library
  Comment: Model Verification blocks can be used to formalize software safety requirements and other model properties.
  Tools: Simulink Design Verifier – Property proving, design error detection
  Comment: Property proving can be used to verify model properties. Design error detection can analyze a model to detect design errors that might occur at run time.
  Tools: Polyspace – Code verification
  Comment: Polyspace can analyze C code to identify software errors that might occur at run time.
1f Control flow analysis (ASIL A–D: + + ++ ++)
  Tools: Simulink Verification and Validation – Model coverage analysis
  Comment: Model coverage analysis can help identify unreachable portions of a model.
  Tools: Simulink Design Verifier – Test case generation
  Comment: Automatic test case generation can be used to detect unreachable model constructs, which could result in unreachable code.
  Tools: Polyspace – Call tree, unreachable code analysis
  Comment: Polyspace can extract control flow information at the function level from C code and create an application call tree. Gray checks detect unreachable code.
1g Data flow analysis (ASIL A–D: + + ++ ++)
  Tools: Simulink – Diagnostics; Stateflow – Diagnostics
  Comment: Data Store Memory block diagnostics and Stateflow diagnostics can be configured to identify data flow issues.
  Tools: Polyspace – Variable access pane, generated Excel report, code verification
  Comment: Polyspace supports static verification of dynamic properties of generated code. This verification technique is based on data flow analysis. The variable access pane displays the following information about each global variable: the number of read and write access operations, the location of the read and write operations, detailed type value ranges for individual read and write access operations, whether or not the variable is shared, and whether shared access is protected (critical section). This information is also accessible in the generated Excel report.
2.3 Software Unit Design and Implementation
Table 7 – Notations for Software Unit Design
Columns: Method | ASIL A B C D | Applicable Model-Based Design Tools and Processes | Comments

1a Natural language (ASIL A–D: ++ ++ ++ ++)
  Tools: Simulink – Model Info block, DocBlock block; Simulink Verification and Validation – System Requirements block
  Comment: The blocks can be used to add natural language descriptions of a unit design to a model.
  Tools: Simulink Verification and Validation – Requirements Management Interface (RMI)
  Comment: Models representing unit designs can be linked to descriptions in Microsoft Word, Microsoft Excel, ASCII text, or PDF files.
1b Informal notations (ASIL A–D: + ++ ++ ++)
  Tools: Simulink – Model Info block, DocBlock block; Simulink Verification and Validation – System Requirements block
  Comment: The blocks can be used to add informal descriptions of a unit design to a model.
  Tools: Simulink Verification and Validation – Requirements Management Interface (RMI)
  Comment: The RMI can be used to link models representing unit designs to external informal descriptions in Microsoft Word, Microsoft Excel, ASCII text, or PDF files.
1c Semiformal notations (ASIL A–D: + ++ ++ ++)
  Tools: Simulink; Stateflow
  Comment: Simulink and Stateflow support software unit design using semiformal notations.
1d Formal notations (ASIL A–D: + + + +)
Table 8 – Design Principles for Software Unit Design and Implementation
Columns: Method | ASIL A B C D | Applicable Model-Based Design Tools and Processes | Comments

1a One entry and one exit point in subprograms and functions (ASIL A–D: ++ ++ ++ ++)
  Tools: Simulink – Modeling guidelines
  Comment: Adherence can be facilitated by applying modeling guidelines in combination with analyzing the generated code. MAAB guideline jc_0511 provides corresponding modeling recommendations.
  Tools: Polyspace – MISRA C checker
  Comment: Polyspace can assess compliance with MISRA-C:2004 rule 14.7.
1b No dynamic objects or variables, or else online test during their creation (ASIL A–D: + ++ ++ ++)
  Tools: Embedded Coder – Configuration
  Comment: Embedded Coder can be configured to generate C code that does not include dynamic objects.
  Tools: Polyspace – MISRA C checker
  Comment: Polyspace can assess compliance with MISRA-C:2004 rule 20.4.
1c Initialization of variables (ASIL A–D: ++ ++ ++ ++)
  Tools: Simulink – IC block, diagnostics
  Comment: An IC block can specify the initial condition for a signal. Setting the Underspecified initialization detection diagnostic to Simplified improves the consistency of simulation results for models that do not specify initial conditions for conditional subsystem output ports, or that have conditionally executed subsystem output ports connected to S-functions.
  Tools: Embedded Coder – Configuration
  Comment: Parameters in the Optimization > Data initialization section of the Configuration Parameters dialog box can be used to control the initialization of variables in generated code.
  Tools: Polyspace – Code verification
  Comment: Polyspace can check the initialization of variables in generated code. Uninitialized variables are reported as NIV checks.
1d No multiple use of variable names (ASIL A–D: + ++ ++ ++)
  Tools: Simulink – Diagnostics
  Comment: Setting the Duplicate data store names diagnostic to error detects conditions where a lower-level data store unexpectedly shadows a higher-level data store with the same name.
1e Avoid global variables or else justify their usage (ASIL A–D: + + ++ ++)
  Tools: Simulink
  Comment: Usage of Data Store Memory blocks needs to be reviewed and justified.
  Tools: Embedded Coder – Configuration
  Comment: Selecting the Enable local block outputs optimization reduces the use of global variables in generated code.
  Tools: Polyspace – Variable access pane, generated Excel report, MISRA C checker
  Comment: The variable access pane displays the following information about each global variable: the number of read and write access operations, the location of the read and write operations, detailed type value ranges for individual read and write access operations, whether or not the variable is shared, and whether shared access is protected (critical section). This information is also accessible in the generated Excel report. Polyspace can assess compliance with MISRA-C:2004 rules 8.11 and 8.7 to help detect variables whose scope should not be global.
1f Limited use of pointers (ASIL A–D: o + ++ ++)
  Tools: Embedded Coder – Configuration
  Comment: Embedded Coder may generate pointer arithmetic for certain language features, for example lookup tables or matrix multiplication. Embedded Coder checks the data type and range of values to avoid corruption of address spaces.
  Tools: Polyspace – MISRA C checker, code verification
  Comment: Polyspace can assess compliance with MISRA-C:2004 rules 11.1 to 11.5 and 17.3 to 17.5, which restrict the use of pointers. Polyspace can check whether pointers refer to valid objects. Violations are reported as IDP checks.
1g No implicit data type conversions (ASIL A–D: + ++ ++ ++)
  Tools: Polyspace – MISRA C checker
  Comment: MISRA-C:2004 contains rules that facilitate the use of established design principles. Polyspace can assess compliance with MISRA-C:2004 rules 11.1, 11.2, 11.3, and 11.5.
1h No hidden data flow or control flow (ASIL A–D: + ++ ++ ++)
  Tools: Polyspace – MISRA C checker
  Comment: Polyspace can assess compliance with MISRA-C:2004 rule 5.2.
1i No unconditional jumps (ASIL A–D: ++ ++ ++ ++)
  Tools: Polyspace – MISRA C checker
  Comment: Polyspace can assess compliance with MISRA-C:2004 rules 14.4 and 14.5.
1j No recursions (ASIL A–D: + + ++ ++)
  Tools: Simulink – Modeling guidelines
  Comment: Adherence can be facilitated by applying modeling guidelines. High-integrity guideline hisf_0004 provides corresponding modeling recommendations. Avoid using n-D Lookup Table and Interpolation blocks, and Prelookup blocks, with dimensions > 5.
  Tools: Polyspace – Call tree
  Comment: Generated call trees can be reviewed to identify recursive function calls.
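To make the principles of Table 8 concrete in C, the following added example (not code from the IEC Certification Kit, Embedded Coder, or Polyspace) implements the same one-dimensional interpolated lookup twice. The first version shows the constructs the table discourages and that the MISRA C checker and call-tree review are meant to flag: several exit points (1a), a heap-allocated temporary (1b), a recursive search (1j), pointer arithmetic (1f), and an implicit narrowing of the result (1g). The second version follows the principles. The table breakpoints, table values, and function names are constructed for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed 1-D lookup table (hypothetical values). Breakpoints must be
 * strictly increasing. Both lookups map x to a linearly interpolated y,
 * clamping to the end values outside the table. */
#define TABLE_LEN 5
static const int32_t bp[TABLE_LEN] = { 0,  10,  20,  40,  80 };
static const int32_t tv[TABLE_LEN] = { 0, 100, 150, 200, 220 };

/* Recursive interval search (Table 8, 1j): returns the index i with
 * bp[i] <= x < bp[i+1], or the last index when x is beyond the table.
 * It also walks the table with pointer arithmetic (1f). */
static int32_t find_recursive(const int32_t *p, int32_t x, int32_t n)
{
    if (n <= 1) return 0;
    if (x < *(p + 1)) return 0;
    return 1 + find_recursive(p + 1, x, n - 1);
}

/* Style the table discourages: heap temporary (1b), four return statements
 * (1a), pointer arithmetic (1f), recursion (1j), and an implicit int32_t
 * to int16_t conversion of the result (1g). */
int16_t lookup_noncompliant(int32_t x)
{
    int32_t *copy = malloc(TABLE_LEN * sizeof *copy);
    if (copy == NULL) return 0;
    for (int32_t k = 0; k < TABLE_LEN; k++) *(copy + k) = bp[k];
    if (x <= *copy) { free(copy); return tv[0]; }
    int32_t i = find_recursive(copy, x, TABLE_LEN);
    free(copy);
    if (i >= TABLE_LEN - 1) return tv[TABLE_LEN - 1];
    return tv[i] + (x - bp[i]) * (tv[i + 1] - tv[i]) / (bp[i + 1] - bp[i]);
}

/* The same computation following the principles: no dynamic memory (1b),
 * every local initialized at declaration (1c), an iterative bounded search
 * (1j) that uses array indexing only (1f), explicit conversions (1g), and
 * a single exit point (1a). */
int32_t lookup_compliant(int32_t x)
{
    int32_t result = 0;
    uint32_t i = 0u;

    if (x <= bp[0]) {
        result = tv[0];                       /* clamp below the table */
    } else if (x >= bp[TABLE_LEN - 1]) {
        result = tv[TABLE_LEN - 1];           /* clamp above the table */
    } else {
        /* i never exceeds TABLE_LEN - 2, so bp[i + 1] stays in bounds */
        while ((i < (uint32_t)(TABLE_LEN - 2)) && (x >= bp[i + 1u])) {
            i++;
        }
        result = tv[i] + (int32_t)(((int64_t)(x - bp[i]) * (int64_t)(tv[i + 1u] - tv[i]))
                                   / (int64_t)(bp[i + 1u] - bp[i]));
    }
    return result;
}

/* Back-to-back comparison of the two forms over a range of inputs. */
bool lookups_agree(void)
{
    bool agree = true;
    for (int32_t x = -10; (x <= 100) && agree; x++) {
        agree = (lookup_compliant(x) == (int32_t)lookup_noncompliant(x));
    }
    return agree;
}

int main(void)
{
    const int32_t probes[] = { -5, 0, 5, 25, 40, 79, 80, 100 };
    for (size_t k = 0; k < sizeof probes / sizeof probes[0]; k++) {
        printf("x=%4d  noncompliant=%4d  compliant=%4d\n", probes[k],
               (int)lookup_noncompliant(probes[k]), lookup_compliant(probes[k]));
    }
    printf("agree on -10..100: %s\n", lookups_agree() ? "yes" : "no");
    return 0;
}
```

Both functions return identical values, which is the point: the principles in Table 8 are about making the code analyzable (a bounded loop has a provable worst-case stack and execution time, a single exit makes the post-condition easy to inspect, explicit casts make the width of every intermediate visible to a reviewer and to Polyspace), not about changing its behaviour.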
Table 9 – Methods for Verification of Software Unit Design and Implementation
Columns: Method | ASIL A B C D | Applicable Model-Based Design Tools and Processes | Comments

1a Walkthrough (ASIL A–D: ++ + o o)
  Tools: Simulink; Simulink Report Generator – Web View, System Design Description (SDD) report
  Comment: Unit design walkthroughs can be based on a model, a generated Web View, or an SDD report.
  Tools: Embedded Coder – Code generation report
  Comment: Code walkthroughs can be based on HTML code generation reports or on code generation reports with an integrated Web View of the model.
1b Inspection (ASIL A–D: + ++ ++ ++)
  Tools: Simulink; Simulink Report Generator – Web View, System Design Description (SDD) report
  Comment: Unit design inspections can be based on a model, a generated Web View, or an SDD report.
  Tools: Simulink Verification and Validation – Model Advisor checks
  Comment: Unit design inspections can be supported by ISO 26262, MAAB, Requirements Consistency, and custom checks in the Model Advisor. A Model Advisor check configuration can define the set of checks that must pass as a prerequisite for entering model inspection.
  Tools: Embedded Coder – Code generation report; IEC Certification Kit – Traceability matrix
  Comment: Code walkthroughs can be based on HTML code generation reports, code generation reports with an integrated Web View of the model, or model-to-code and code-to-model traceability matrices.
1c Semiformal verification (ASIL A–D: + + ++ ++)
  Tools: Simulink
  Comment: Simulink supports simulation of algorithm and environment models.
1d Formal verification (ASIL A–D: o o + +)
  Tools: Simulink – Model Verification blocks; Simulink Design Verifier – Property proving, design error detection, test case generation
  Comment: Model Verification blocks can be used to formalize software safety requirements and other model properties. Property proving can be used to verify model properties using formal verification techniques. Design error detection can analyze a model to detect design errors that might occur at run time.
  Tools: Polyspace – Code verification
  Comment: Run-time error detection can analyze C code to identify software errors that might occur during run time.
1e Control flow analysis (ASIL A–D: + + ++ ++)
  Tools: Simulink Verification and Validation – Model coverage analysis; Simulink Design Verifier – Test case generation
  Comment: Model coverage analysis can help to identify unreachable portions of a model. Automatic test case generation can be used to detect unreachable model constructs that could result in unreachable code.
  Tools: Polyspace – Call tree, unreachable code analysis
  Comment: Polyspace can extract control flow information at the function level from C code and create an application call tree. Gray checks detect unreachable code.
1f Data flow analysis (ASIL A–D: + + ++ ++)
  Tools: Simulink – Diagnostics; Stateflow – Diagnostics
  Comment: Data Store Memory block diagnostics and Stateflow diagnostics can be configured to identify data flow issues.
  Tools: Polyspace – Code verification
  Comment: Polyspace supports static verification of dynamic properties of generated code. This verification technique is based on data flow analysis.
1g Static code analysis (ASIL A–D: + ++ ++ ++)
  Tools: Polyspace – MISRA C checker, metrics
  Comment: Polyspace can facilitate static analysis of C code.
1h Semantic code analysis (ASIL A–D: + + + +)
  Tools: Polyspace – Code verification, variable access pane, generated Excel report
  Comment: Polyspace uses abstract interpretation to analyze C code. The variable access pane displays the following information about each global variable: the number of read and write access operations, the location of the read and write operations, detailed type value ranges for individual read and write access operations, whether or not the variable is shared, and whether shared access is protected (critical section). This information is also accessible in the generated Excel report.

Columns: Clause | Model-Based Design Tools and Processes | Comments

8.4.5 The software unit design and implementation shall be verified in accordance with ISO 26262-8:2011, Clause 9, and by applying the verification methods listed in Table 9 to demonstrate: ...
  b) the fulfillment of the software safety requirements as allocated to the software units (in accordance with 7.4.9) through traceability ...
  Tools: IEC Certification Kit – Traceability matrix
  Comment: Generated traceability matrices can be used to document and review existing links between textual requirements, models, and generated code.
2.4 Software Unit Testing
Table 10 – Methods for Software Unit Testing
Columns: Method | ASIL A B C D | Applicable Model-Based Design Tools and Processes | Comments

1a Requirements-based test (ASIL A–D: ++ ++ ++ ++)
  Tools: Simulink Verification and Validation – Requirements Management Interface (RMI)
  Comment: The RMI can be used to establish bidirectional links between textual requirements and models.
  Tools: IEC Certification Kit – Traceability matrix
  Comment: Generated traceability matrices can be used to document and review existing links between textual requirements, models, and code.
  Tools: Simulink – Signal Builder block; Stateflow – Dynamic test vector charts
  Comment: Signal Builder blocks can be used to create open-loop model tests. Dynamic test vector charts can be used to create closed-loop, reactive model tests.
  Tools: Simulink Verification and Validation – Component testing capabilities
  Comment: Component testing capabilities can be used to create model test harnesses. They also enable a requirements pane in the Signal Builder that can be used to link tests with textual requirements.
1b Interface test (ASIL A–D: ++ ++ ++ ++)
  Tools: Simulink Design Verifier – Test case generation
  Comment: Automatic test case generation in combination with Test Objective blocks can be used to generate interface tests.
1c Fault injection test (ASIL A–D: + + + ++)
  Tools: Simulink; Stateflow
  Comment: Simulink and Stateflow can be used to carry out fault injection tests. The tools can also be used to simulate failure propagation at the model level. For this purpose, the system model and a separate failure model can be used.
  Tools: Simulink Design Verifier – Test case generation
  Comment: Automatic test case generation in combination with Test Objective blocks can be used to generate fault injection tests.
1d Resource usage test (ASIL A–D: + + + ++)
  Tools: Embedded Coder – Processor-in-the-loop (PIL) testing, code metrics report
  Comment: PIL testing analyzes resource utilization on a target processor. The code metrics report provides the amount of memory used by the generated code.
1e Back-to-back test between model and code, if applicable (ASIL A–D: + + ++ ++)
  Tools: Simulink; Stateflow; Simulink Verification and Validation – Component testing capabilities, model coverage; Simulink Design Verifier – Test case generation
  Comment: The simulation capabilities of Simulink and Stateflow and the component testing capabilities of Simulink Verification and Validation facilitate dynamic testing of models. Model coverage can be used to assess the completeness of the model tests. Simulink Design Verifier can generate missing test cases.
  Tools: Embedded Coder – Software-in-the-loop (SIL) testing, processor-in-the-loop (PIL) testing, code generation verification (CGV); Simulink – Simulation Data Inspector (SDI)
  Comment: SIL and PIL testing provide a way to execute model tests on generated code. CGV automates selected back-to-back testing workflows. SDI supports the comparison of test results created during back-to-back testing.
Table 11 – Methods for Deriving Test Cases for Software Unit Testing
Columns: Method | ASIL A B C D | Applicable Model-Based Design Tools and Processes | Comments

1a Analysis of requirements (ASIL A–D: ++ ++ ++ ++)
  Tools: Simulink Verification and Validation – Component testing capabilities
  Comment: Component testing capabilities can be used to create model test harnesses. They also enable a requirements pane in the Signal Builder that can be used to link tests with textual requirements.
1b Generation and analysis of equivalence classes (ASIL A–D: + ++ ++ ++)
  Tools: Simulink Design Verifier – Test case generation
  Comment: The analysis of equivalence classes can be based on the interfaces of the model. Automatic test case generation in combination with Test Objective blocks can be used to generate test cases and test sequences for given equivalence classes.
1c Analysis of boundary values (ASIL A–D: + ++ ++ ++)
  Tools: Simulink Design Verifier – Test case generation
  Comment: The analysis of boundary values can be based on the interfaces of the model. Automatic test case generation in combination with Test Objective blocks can be used to generate test cases and test sequences for given boundary values.
1d Error guessing (ASIL A–D: + + + +)
Table 12 – Structural Coverage Metrics at the Software Unit Level
Columns: Method | ASIL A B C D | Applicable Model-Based Design Tools and Processes | Comments

1a Statement coverage (ASIL A–D: ++ ++ + +)
  Tools: Embedded Coder – Code coverage collection
  Comment: During software-in-the-loop (SIL) simulation, Embedded Coder can collect statement coverage by using the third-party tool LDRA Testbed®. During SIL simulation, Embedded Coder can collect condition/decision coverage information, which usually subsumes statement coverage, by using the third-party tool BullseyeCoverage®.
1b Branch coverage (ASIL A–D: + ++ ++ ++)
  Tools: Simulink Verification and Validation – Model coverage analysis; Simulink Design Verifier – Test case generation
  Comment: During model testing, Simulink Verification and Validation can collect decision coverage (also known as branch coverage) at the model level. Simulink Design Verifier can generate test cases that satisfy decision coverage at the model level.
  Tools: Embedded Coder – Code coverage collection
  Comment: During software-in-the-loop (SIL) simulation, Embedded Coder can collect statement coverage by using the third-party tool LDRA Testbed. During SIL simulation, Embedded Coder can collect condition and decision coverage, which usually subsumes statement coverage, by using the third-party tool BullseyeCoverage.
1c MC/DC (Modified Condition/Decision Coverage) (ASIL A–D: + + + ++)
  Tools: Simulink Verification and Validation – Model coverage analysis; Simulink Design Verifier – Test case generation
  Comment: During model testing, Simulink Verification and Validation can collect MC/DC coverage at the model level. Simulink Design Verifier can be used to generate test cases that satisfy MC/DC coverage at the model level.
  Tools: Embedded Coder – Code coverage collection
  Comment: During SIL simulation, Embedded Coder can collect MC/DC coverage by using the third-party tool LDRA Testbed.
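Table 12 lists decision (branch) coverage and MC/DC as separate metrics with different ASIL recommendations; the difference is easiest to see on one decision. The following added example (not code from the kit, from Simulink Verification and Validation, or from LDRA Testbed) checks a set of test vectors against both criteria for the constructed decision (a && b) || c, using the unique-cause form of MC/DC: every condition needs a pair of vectors that differ only in that condition and flip the outcome. The decision, the function names, and the test sets are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example: a decision with three conditions, of the kind that
 * appears in generated code for an enable check. Names are hypothetical. */
#define NCOND 3
typedef bool (*decision_fn)(const bool c[NCOND]);

/* The decision under test: (a && b) || c with c[0]=a, c[1]=b, c[2]=c. */
bool enable_decision(const bool c[NCOND])
{
    return (c[0] && c[1]) || c[2];
}

/* Decision (branch) coverage: both outcomes of the decision were observed. */
bool has_decision_coverage(decision_fn d, const bool tests[][NCOND], size_t n)
{
    bool seen_true = false;
    bool seen_false = false;
    for (size_t i = 0; i < n; i++) {
        if (d(tests[i])) {
            seen_true = true;
        } else {
            seen_false = true;
        }
    }
    return seen_true && seen_false;
}

/* True when vectors tj and tk differ in condition idx and in no other. */
static bool differ_only_in(const bool *tj, const bool *tk, size_t idx)
{
    bool ok = (tj[idx] != tk[idx]);
    for (size_t c = 0; (c < NCOND) && ok; c++) {
        if ((c != idx) && (tj[c] != tk[c])) {
            ok = false;
        }
    }
    return ok;
}

/* Unique-cause MC/DC: for every condition there must be a pair of vectors
 * that differ only in that condition and produce different decision
 * outcomes. Returns the number of conditions without such a pair, so 0
 * means the set achieves MC/DC for this decision. */
size_t mcdc_uncovered_conditions(decision_fn d, const bool tests[][NCOND], size_t n)
{
    size_t missing = 0;
    for (size_t idx = 0; idx < NCOND; idx++) {
        bool found = false;
        for (size_t j = 0; (j < n) && !found; j++) {
            for (size_t k = j + 1; (k < n) && !found; k++) {
                if (differ_only_in(tests[j], tests[k], idx) && (d(tests[j]) != d(tests[k]))) {
                    found = true;
                }
            }
        }
        if (!found) {
            missing++;
        }
    }
    return missing;
}

/* Constructed test sets. The first reaches full decision coverage with two
 * vectors but never shows that any single condition matters on its own. The
 * second is a minimal MC/DC set of NCOND + 1 = 4 vectors. The third drops
 * the vector that isolates c. */
const bool DECISION_ONLY_SET[2][NCOND]   = { {1,1,0}, {0,0,0} };
const bool MCDC_SET[4][NCOND]            = { {1,1,0}, {0,1,0}, {1,0,0}, {1,0,1} };
const bool MCDC_MISSING_C_SET[3][NCOND]  = { {1,1,0}, {0,1,0}, {1,0,0} };

int main(void)
{
    printf("decision-only set: decision coverage=%d, MC/DC conditions missing=%zu\n",
           (int)has_decision_coverage(enable_decision, DECISION_ONLY_SET, 2),
           mcdc_uncovered_conditions(enable_decision, DECISION_ONLY_SET, 2));
    printf("MC/DC set:         decision coverage=%d, MC/DC conditions missing=%zu\n",
           (int)has_decision_coverage(enable_decision, MCDC_SET, 4),
           mcdc_uncovered_conditions(enable_decision, MCDC_SET, 4));
    printf("set without c pair: MC/DC conditions missing=%zu\n",
           mcdc_uncovered_conditions(enable_decision, MCDC_MISSING_C_SET, 3));
    return 0;
}
```

The two-vector set passes the branch metric of row 1b and fails the MC/DC metric of row 1c for all three conditions, which is why the standard asks for MC/DC at ASIL D: a test set can exercise both outcomes of a decision while a wrong or dead condition inside it stays invisible. Short-circuit evaluation also shows in the pairs: the vectors that isolate c must keep (a && b) false, otherwise c is never evaluated.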
2.5 Software Integration and Testing
Table 13 – Methods for Software Integration Testing
Columns: Method; ASIL recommendation (A, B, C, D); Applicable Model-Based Design Tools and Processes; Comments

1a Requirements-based test
ASIL: A +, B +, C +, D +
Tools: Simulink Verification and Validation (Requirements Management Interface, RMI)
Comments: RMI can be used to establish bidirectional links between textual requirements and models.
Tools: IEC Certification Kit (traceability matrix)
Comments: Generated traceability matrices can be used to document and review existing links between textual requirements, models, and code.
Tools: Simulink (Signal Builder block)
Comments: The Signal Builder block can be used to create open-loop model tests.
Tools: Stateflow (dynamic test vector charts)
Comments: Dynamic test vector charts can be used to create closed-loop, reactive model tests.
Tools: Simulink Verification and Validation (component testing capabilities)
Comments: Component testing capabilities can be used to create model test harnesses. They also enable a requirements pane in the Signal Builder, which can be used to link tests with textual requirements.

1b Interface test
ASIL: A ++, B ++, C ++, D ++
Tools: Simulink Design Verifier (test case generation)
Comments: Automatic test case generation in combination with Test Objective blocks can generate fault injection tests.

1c Fault injection test
ASIL: A +, B +, C ++, D ++
Tools: Simulink; Stateflow
Comments: Simulink and Stateflow can be used to execute fault injection tests. They can also simulate failure propagation at the model level; for this purpose, a system model and/or a separate failure model can be used.
Tools: Simulink Design Verifier (test case generation)
Comments: Automatic test case generation in combination with Test Objective blocks can generate fault injection tests.

1d Resource usage test
ASIL: A +, B +, C +, D ++
Tools: Embedded Coder (processor-in-the-loop (PIL) testing, code metrics report)
Comments: PIL testing analyzes resource utilization on a target processor. The code metrics report provides information about memory usage of generated code.
1e Back-to-back test between model and code, if applicable
ASIL: A +, B +, C ++, D ++
Tools: Simulink; Stateflow
Comments: Simulation capabilities of Simulink and Stateflow and the component test capabilities of Simulink Verification and Validation facilitate dynamic model testing.
Tools: Simulink Verification and Validation (component testing capabilities, model coverage); Simulink Design Verifier (test case generation)
Comments: Model coverage can assess the completeness of model tests. Simulink Design Verifier can generate missing test cases.
Tools: Embedded Coder (software-in-the-loop (SIL) testing, processor-in-the-loop (PIL) testing, code generation verification (CGV))
Comments: SIL and PIL testing capabilities execute model tests on generated code. CGV can automate selected back-to-back testing workflows.
Tools: Simulink (Simulation Data Inspector, SDI)
Comments: SDI supports comparison of test results created during back-to-back testing.
Table 14 – Methods for Deriving Test Cases for Software Integration Testing
Columns: Method; ASIL recommendation (A, B, C, D); Applicable Model-Based Design Tools and Processes; Comments

1a Analysis of requirements
ASIL: A ++, B ++, C ++, D ++
Tools: Simulink Verification and Validation (component testing capabilities)
Comments: Component testing capabilities can be used to create model test harnesses. They also enable a requirements pane in the Signal Builder that can be used to link tests with textual requirements.

1b Generation and analysis of equivalence classes
ASIL: A +, B ++, C ++, D ++
Tools: Simulink Design Verifier (test case generation)
Comments: The analysis of equivalence classes can be based on the interfaces of the model. Automatic test case generation in combination with Test Objective blocks can be used to generate test cases and test sequences for given equivalence classes.

1c Analysis of boundary values
ASIL: A +, B ++, C ++, D ++
Tools: Simulink Design Verifier (test case generation)
Comments: The analysis of boundary values can be based on the interfaces of the model. Automatic test case generation in combination with Test Objective blocks can be used to generate test cases and test sequences for given boundary values.

1d Error guessing
ASIL: A +, B +, C +, D +
Table 15 – Structural Coverage Metrics at the Software Architectural Level
Columns: Method; ASIL recommendation (A, B, C, D); Applicable Model-Based Design Tools and Processes; Comments

1a Function coverage
ASIL: A +, B +, C ++, D ++
Tools: Embedded Coder (code coverage collection)
Comments: During SIL simulation, Embedded Coder can collect function coverage information by using the third-party tool BullseyeCoverage.

1b Call coverage
ASIL: A +, B +, C ++, D ++
Tools: Embedded Coder (code coverage collection)
Comments: During SIL simulation, Embedded Coder can collect procedure/function call coverage information by using the third-party tool LDRA Testbed.
3 ISO 26262–8: Applicable Model-Based Design Tools and Processes
3.1 Confidence in the Use of Software Tools
Table 4 – Qualification of Software Tools Classified TCL3
Columns: Method; ASIL recommendation (A, B, C, D); Applicable Model-Based Design Tools and Processes; Comments

1a Increased confidence from use in accordance with 11.4.7
ASIL: A ++, B ++, C +, D +

1b Evaluation of the tool development process in accordance with 11.4.8
ASIL: A ++, B ++, C +, D +
Tools: IEC Certification Kit (ISO 26262 Tool Qualification Kits)
Comments: Embedded Coder, Simulink Verification and Validation, Simulink Design Verifier, and Polyspace products for C/C++ have been prequalified, using a combination of methods 1b and 1c. TÜV SÜD carried out an independent tool qualification assessment. The IEC Certification Kit provides Software Tool Criteria Evaluation reports, Software Tool Qualification reports, and evidence for the independent assessment. The IEC Certification Kit provides exemplary test cases and test procedures for Embedded Coder, Simulink Verification and Validation, and Polyspace products for C/C++ that can be used to facilitate tool validation tests for these products.

1c Validation of the software tool in accordance with 11.4.9
ASIL: A +, B +, C +, D ++

1d Development in accordance with a safety standard
ASIL: A +, B +, C +, D ++
Table 5 – Qualification of Software Tools Classified TCL2
Columns: Method; ASIL recommendation (A, B, C, D); Applicable Model-Based Design Tools and Processes; Comments

1a Increased confidence from use in accordance with 11.4.7
ASIL: A ++, B ++, C ++, D +

1b Evaluation of the tool development process in accordance with 11.4.8
ASIL: A ++, B ++, C ++, D +
Tools: IEC Certification Kit (ISO 26262 Tool Qualification Kits)
Comments: Embedded Coder, Simulink Verification and Validation, Simulink Design Verifier, and Polyspace products for C/C++ have been prequalified, using a combination of methods 1b and 1c. TÜV SÜD carried out an independent tool qualification assessment. The IEC Certification Kit provides Software Tool Criteria Evaluation reports, Software Tool Qualification reports, and evidence for the independent assessment. The IEC Certification Kit provides exemplary test cases and test procedures for Embedded Coder, Simulink Verification and Validation, and Polyspace products for C/C++ that can be used to facilitate tool validation tests for these products.

1c Validation of the software tool in accordance with 11.4.9
ASIL: A +, B +, C +, D ++

1d Development in accordance with a safety standard
ASIL: A +, B +, C +, D ++