IEC Certification Kit

Model-Based Design for ISO 26262


R2012a
How to Contact MathWorks
www.mathworks.com Web
comp.soft-sys.matlab Newsgroup
www.mathworks.com/contact_TS.html Technical Support
suggest@mathworks.com Product enhancement suggestions
bugs@mathworks.com Bug reports
doc@mathworks.com Documentation error reports
service@mathworks.com Order status, license renewals, passcodes
info@mathworks.com Sales, pricing, and general information
508-647-7000 (Phone)
508-647-7001 (Fax)
The MathWorks, Inc.
3 Apple Hill Drive
Natick, MA 01760-2098
For contact information about worldwide offices, see the MathWorks Web site.
IEC Certification Kit Model-Based Design for ISO 26262
COPYRIGHT 2012 by The MathWorks, Inc.
The software described in this document is furnished under a license agreement. The software may be used
or copied only under the terms of the license agreement. No part of this manual may be photocopied or
reproduced in any form without prior written consent from The MathWorks, Inc.
FEDERAL ACQUISITION: This provision applies to all acquisitions of the Program and Documentation
by, for, or through the federal government of the United States. By accepting delivery of the Program
or Documentation, the government hereby agrees that this software or documentation qualifies as
commercial computer software or commercial computer software documentation as such terms are used
or defined in FAR 12.212, DFARS Part 227.72, and DFARS 252.227-7014. Accordingly, the terms and
conditions of this Agreement and only those rights specified in this Agreement, shall pertain to and govern
the use, modification, reproduction, release, performance, display, and disclosure of the Program and
Documentation by the federal government (or other entity acquiring for or through the federal government)
and shall supersede any conflicting contractual terms or conditions. If this License fails to meet the
government's needs or is inconsistent in any respect with federal procurement law, the government agrees
to return the Program and Documentation, unused, to The MathWorks, Inc.
Trademarks
MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See
www.mathworks.com/trademarks for a list of additional trademarks. Other product or brand
names may be trademarks or registered trademarks of their respective holders.
Patents
MathWorks products are protected by one or more U.S. patents. Please see
www.mathworks.com/patents for more information.
Revision History
March 2012 Online only New for Version 1.6 (Release 2012a)
Contents

1 Introduction
   Model-Based Design for ISO 26262 (1-2)
   Reference Workflows (1-3)

2 ISO 26262-6: Applicable Model-Based Design Tools and Processes
   Initiation of Product Development at the Software Level (2-2)
   Software Architectural Design (2-3)
   Software Unit Design and Implementation (2-13)
   Software Unit Testing (2-24)
   Software Integration and Testing (2-30)

3 ISO 26262-8: Applicable Model-Based Design Tools and Processes
   Confidence in the Use of Software Tools (3-2)
1 Introduction

Model-Based Design for ISO 26262 on page 1-2
Reference Workflows on page 1-3

Model-Based Design for ISO 26262
This documentation provides annotated versions of method tables that appear in the ISO 26262-6 and ISO 26262-8 standards. The annotated tables provide suggestions on how to use Model-Based Design products from MathWorks to apply the methods listed in the standard for different Automotive Safety Integrity Levels (ASILs). In the tables, ++ marks a method the standard highly recommends for the given ASIL, + a recommended method, and o a method for which the standard makes no recommendation for or against.

Chapter 2, ISO 26262-6: Applicable Model-Based Design Tools and Processes
Chapter 3, ISO 26262-8: Applicable Model-Based Design Tools and Processes

The IEC Certification Kit provides additional support when using Model-Based Design for ISO 26262 applications, including reference workflows for verifying and validating models and generated code.
Reference Workflows
IEC Certification Kit: Embedded Coder Reference Workflow
IEC Certification Kit: Polyspace Client/Server for C/C++ Reference Workflow
IEC Certification Kit: Simulink Design Verifier Reference Workflow
IEC Certification Kit: Simulink Verification and Validation Reference Workflow
2 ISO 26262-6: Applicable Model-Based Design Tools and Processes

Initiation of Product Development at the Software Level on page 2-2
Software Architectural Design on page 2-3
Software Unit Design and Implementation on page 2-13
Software Unit Testing on page 2-24
Software Integration and Testing on page 2-30

Initiation of Product Development at the Software Level
Table 1 Topics To Be Covered By Modelling and Coding Guidelines
Columns: Topic; ASIL A, B, C, D; Applicable Model-Based Design Tools and Processes; Comments

1a Enforcement of low complexity (ASIL A ++, B ++, C ++, D ++)
1b Use of language subsets (ASIL A ++, B ++, C ++, D ++)
1c Enforcement of strong typing (ASIL A ++, B ++, C ++, D ++)
1d Use of defensive implementation techniques (ASIL A o, B +, C ++, D ++)
1e Use of established design principles (ASIL A +, B +, C +, D ++)
1f Use of unambiguous graphical representation (ASIL A +, B ++, C ++, D ++)
1g Use of style guides (ASIL A +, B ++, C ++, D ++)
1h Use of naming conventions (ASIL A ++, B ++, C ++, D ++)

Tools (topics 1a to 1h): Simulink Modeling guidelines
Comments: The Modeling Guidelines for High-Integrity Systems and the MathWorks Automotive Advisory Board Control Algorithm Modeling Guidelines Using MATLAB, Simulink, and Stateflow can be used to address the topics listed in this table. The guideline subset used for a project should address a combination of topics applicable for the ASIL under consideration.
Software Architectural Design
Table 2 Notations for Software Architectural Design
Columns: Method; ASIL A, B, C, D; Applicable Model-Based Design Tools and Processes; Comments

1a Informal notations (ASIL A ++, B ++, C +, D +)
   Tools: Simulink Model Info and DocBlock blocks; Simulink Verification and Validation System Requirements block
   Comments: The blocks can be used to integrate architectural descriptions into a model.
   Tools: Simulink Verification and Validation Requirements Management Interface (RMI)
   Comments: The RMI can be used to link Simulink and Stateflow architectural designs to informal descriptions in Microsoft Word, Microsoft Excel, ASCII text, and PDF files.

1b Semiformal notations (ASIL A +, B ++, C ++, D ++)
   Tools: Simulink; Stateflow
   Comments: Simulink and Stateflow support software architectural design using semiformal notations.

1c Formal notations (ASIL A +, B +, C +, D +)
Table 3 Principles for Software Architectural Design
Columns: Method; ASIL A, B, C, D; Applicable Model-Based Design Tools and Processes; Comments

1a Hierarchical structure of software components (ASIL A ++, B ++, C ++, D ++)
   Tools: Simulink Model block, Ports & Subsystems block library; Stateflow
   Comments: Model blocks (model referencing), subsystems, libraries, and Stateflow charts support hierarchical decomposition of models.
   Tools: Simulink Model Dependency Viewer
   Comments: When using Model blocks or libraries to structure a model, the Model Dependency Viewer can display a graph of models and libraries referenced by the top model.
   Tools: Embedded Coder
   Comments: Embedded Coder supports modularization of code at the file level.

1b Restricted size of software components (ASIL A ++, B ++, C ++, D ++)
   Tools: Simulink; Stateflow; Embedded Coder
   Comments: Software components can be structured hierarchically to limit component size.
   Tools: Simulink Verification and Validation ISO 26262 checks
   Comments: The ISO 26262 Model Advisor check "Display model metrics and complexity report" provides information on the size and complexity of models and subsystems.

1c Restricted size of interfaces (ASIL A ++, B ++, C ++, D ++)
   Tools: Simulink Verification and Validation ISO 26262 checks
   Comments: The ISO 26262 Model Advisor check "Display model metrics and complexity report" provides information on the number of inports and outports of models and subsystems.

1d High cohesion within software components (ASIL A +, B +, C +, D +)

1e Restricted coupling between software components (ASIL A +, B ++, C ++, D ++)

1f Appropriate scheduling properties (ASIL ratings as extracted: + ++ ++; the fourth rating is missing in the source)
   Tools: Simulink
   Comments: Simulink provides a way to control the rate of block execution and allows specification of block-based or port-based sample times. Models can display color coding and annotations to represent specific sample times.
   Tools: Stateflow Scheduler patterns
   Comments: Stateflow provides multiple scheduler patterns for controlling execution of subsystems.

1g Restricted use of interrupts (ASIL A +, B +, C +, D ++)
   Tools: Embedded Coder Configuration
   Comments: Embedded Coder can be configured to not insert interrupts into step function code.
Table 4 Mechanisms for Error Detection at the Software Architectural Level
Columns: Method; ASIL A, B, C, D; Applicable Model-Based Design Tools and Processes; Comments

1a Range checks of input and output data (ASIL A ++, B ++, C ++, D ++)
   Tools: Simulink; Stateflow
   Comments: Simulink and Stateflow can be used to design range checks for input and output data. During simulation, the Simulation range checking diagnostic detects when signals exceed specified ranges.
   Tools: Simulink Design Verifier; Polyspace
   Comments: Simulink Design Verifier and Polyspace can calculate and verify signal ranges.

1b Plausibility check (ASIL A +, B +, C +, D ++)
   Tools: Simulink; Stateflow
   Comments: Simulink and Stateflow can be used to design plausibility checks.

1c Detection of data errors (ASIL A ++, B ++, C ++, D ++)
   Tools: Simulink; Stateflow
   Comments: Simulink and Stateflow can be used to detect data errors.

1d External monitoring facility (ASIL A o, B +, C +, D ++)

1e Control flow monitoring (ASIL A o, B +, C ++, D ++)

1f Diverse software design (ASIL A o, B o, C +, D ++)
   Tools: Simulink; Stateflow; Simulink Fixed Point
   Comments: Software diversity for algorithmic parts can be supported by executing floating-point and fixed-point versions of an algorithm in parallel and comparing the results.
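Table 4, 1f describes diverse software design as running a floating-point and a fixed-point version of an algorithm in parallel and comparing the results. The C program below is an added example, not code from the IEC Certification Kit or from Embedded Coder, that applies that pattern to a first-order low-pass filter: the Q15 channel is reconciled against the float channel on every step, and a constructed single-bit corruption of the fixed-point state is caught by the comparator. The filter coefficient, the tolerance, and the injected fault are assumptions made for illustration.

```c
/* Added example (not from the IEC Certification Kit): diverse software design
 * as described in ISO 26262-6 Table 4, 1f. The same first-order low-pass filter
 *     y[k+1] = y[k] + alpha * (u[k] - y[k])
 * is implemented twice, once in single-precision floating point and once in
 * Q15 fixed point. Both channels are stepped in parallel and their outputs
 * compared; a disagreement larger than the tolerance is flagged as a detected
 * error. alpha, the tolerance and the injected fault are assumed values. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define Q15_ONE      32768    /* 1.0 in Q15                                  */
#define ALPHA_FLOAT  0.25f    /* assumed filter coefficient                  */
#define ALPHA_Q15    8192     /* the same 0.25 expressed in Q15              */
#define TOLERANCE    0.01f    /* assumed: well above Q15 quantization error  */

typedef struct {
    float    y_float;     /* state of the floating-point channel            */
    int16_t  y_q15;       /* state of the fixed-point channel               */
    uint32_t mismatches;  /* number of steps on which the channels disagreed */
} diverse_filter_t;

/* Saturate a 32-bit intermediate into the Q15 range [-1.0, 1.0). */
static int16_t sat_q15(int32_t v)
{
    if (v > INT16_MAX) return INT16_MAX;
    if (v < INT16_MIN) return INT16_MIN;
    return (int16_t)v;
}

static float step_float(float y, float u)
{
    return y + ALPHA_FLOAT * (u - y);
}

static int16_t step_q15(int16_t y, int16_t u)
{
    int32_t diff  = (int32_t)u - (int32_t)y;                    /* fits in 17 bits */
    int32_t delta = (diff * ALPHA_Q15 + Q15_ONE / 2) / Q15_ONE; /* rounded Q15 mul */
    return sat_q15((int32_t)y + delta);
}

/* One sample of the diverse filter. u must lie in [-1.0, 1.0). Returns true
 * when both channels agree and writes the agreed value to *out. On a mismatch
 * *out is left untouched so the caller can apply its own error reaction. */
bool diverse_filter_step(diverse_filter_t *f, float u, float *out)
{
    /* Round-half-away conversion of the input to Q15, with saturation. */
    int16_t u_q15 = sat_q15((int32_t)(u * (float)Q15_ONE + (u >= 0.0f ? 0.5f : -0.5f)));

    f->y_float = step_float(f->y_float, u);
    f->y_q15   = step_q15(f->y_q15, u_q15);

    float y_q15_as_float = (float)f->y_q15 / (float)Q15_ONE;
    float d = f->y_float - y_q15_as_float;
    if (d < 0.0f) d = -d;
    if (d > TOLERANCE) {
        f->mismatches++;
        return false;
    }
    *out = f->y_float;
    return true;
}

/* Drive the filter with a constant input for n steps and return how many
 * steps the two channels agreed on. */
uint32_t run_constant_input(diverse_filter_t *f, float u, uint32_t n)
{
    uint32_t agreed = 0;
    float out = 0.0f;
    for (uint32_t i = 0; i < n; i++) {
        if (diverse_filter_step(f, u, &out)) agreed++;
    }
    return agreed;
}

/* Constructed fault: flip one bit of the fixed-point state, as a corrupted
 * RAM cell would, and report whether the next step detects the divergence. */
bool inject_state_fault_and_check(diverse_filter_t *f, float u)
{
    float out = 0.0f;
    f->y_q15 ^= (int16_t)0x4000;                 /* constructed single-bit upset */
    return !diverse_filter_step(f, u, &out);     /* true when the fault is caught */
}

int main(void)
{
    diverse_filter_t f = { 0.0f, 0, 0 };
    uint32_t agreed = run_constant_input(&f, 0.5f, 50);
    printf("channels agreed on %u of 50 steps, output %.6f\n", agreed, f.y_float);
    bool caught = inject_state_fault_and_check(&f, 0.5f);
    printf("injected fault %s (mismatches = %u)\n",
           caught ? "detected" : "missed", f.mismatches);
    return caught ? 0 : 1;
}
```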
Table 5 Mechanisms for Error Handling at the Software Architectural Level
Columns: Method; ASIL A, B, C, D; Applicable Model-Based Design Tools and Processes; Comments

1a Static recovery mechanism (ASIL A +, B +, C +, D +)
   Tools: Simulink; Stateflow
   Comments: Simulink and Stateflow can be used to design fault detection, isolation, and recovery (FDIR) algorithms.

1b Graceful degradation (ASIL A +, B +, C ++, D ++)
   Tools: Stateflow
   Comments: Stateflow can be used to design graceful degradation behavior.

1c Independent parallel redundancy (ASIL A o, B o, C +, D ++)

1d Correcting codes for data (ASIL A +, B +, C +, D +)
Table 6 Methods for Verification of Software Architectural Design
Columns: Method; ASIL A, B, C, D; Applicable Model-Based Design Tools and Processes; Comments

1a Walkthrough of the design (ASIL A ++, B +, C o, D o)
   Tools: Simulink; Simulink Report Generator Web View, System Design Description (SDD) report
   Comments: Architectural design walkthroughs can be based on the model, a generated Web View, or an SDD report.

1b Inspection of the design (ASIL A +, B ++, C ++, D ++)
   Tools: Simulink; Simulink Report Generator Web View, System Design Description (SDD) report
   Comments: Design inspections can be based on the model, a generated Web View, or an SDD report.
   Tools: Simulink Verification and Validation Model Advisor checks
   Comments: Design inspections can be supported by ISO 26262, MAAB, Requirements Consistency, and custom Model Advisor checks. A Model Advisor check configuration can define a set of checks required to pass as a prerequisite for entering a design inspection.

1c Simulation of dynamic parts of the design (ASIL A +, B +, C +, D ++)
   Tools: Simulink
   Comments: Simulink supports simulation of algorithm and environment models.

1d Prototype generation (ASIL A o, B o, C +, D ++)
   Tools: Simulink Coder; Embedded Coder
   Comments: Simulink Coder can be used to generate code for rapid prototyping. Embedded Coder can be used to generate code for on-target rapid prototyping. Software-in-the-loop (SIL) and processor-in-the-loop (PIL) simulation can be used to execute generated code in the context of a model.
   Tools: Simulink 3D Animation; Gauges Blockset
   Comments: Simulink 3D Animation can be used to animate 3-dimensional scenes driven by signals in a model. Gauges Blockset can be used to add graphical instrumentation to models.

1e Formal verification (ASIL A o, B o, C +, D +)
   Tools: Simulink Model Verification block library; Simulink Design Verifier Property proving, design error detection
   Comments: Model Verification blocks can be used to formalize software safety requirements and other model properties. Property proving can be used to verify model properties. Design error detection can analyze a model to detect design errors that might occur at run time.
   Tools: Polyspace Runtime error detection
   Comments: Runtime error detection can analyze C code to identify software errors that might occur during run time.

1f Control flow analysis (ASIL A +, B +, C ++, D ++)
   Tools: Simulink Verification and Validation Model coverage analysis; Simulink Design Verifier Test case generation
   Comments: Model coverage analysis can help identify unreachable portions of a model. Automatic test case generation can be used to detect unreachable model constructs, which could result in unreachable code.
   Tools: Polyspace Call tree, unreachable code analysis
   Comments: Polyspace can partially extract control flow information from C code and can create an application call tree. Gray checks detect unreachable code.

1g Data flow analysis (ASIL A +, B +, C ++, D ++)
   Tools: Simulink Diagnostics; Stateflow Diagnostics
   Comments: Data Store Memory block diagnostics and Stateflow diagnostics can be configured to identify data flow issues.
   Tools: Polyspace
   Comments: Polyspace supports static verification of dynamic properties of generated code. This verification technique is based on data flow analysis.
Software Unit Design and Implementation
Table 7 Notations for Software Unit Design
Columns: Method; ASIL A, B, C, D; Applicable Model-Based Design Tools and Processes; Comments

1a Natural language (ASIL A ++, B ++, C ++, D ++)
   Tools: Simulink Model Info block, DocBlock block; Simulink Verification and Validation System Requirements block
   Comments: The blocks can be used to add natural language descriptions of a unit design to a model.
   Tools: Simulink Verification and Validation Requirements Management Interface (RMI)
   Comments: Models representing unit designs can be linked to descriptions in Microsoft Word, Microsoft Excel, ASCII text, or PDF files.

1b Informal notations (ASIL A +, B ++, C ++, D ++)
   Tools: Simulink Model Info block, DocBlock block; Simulink Verification and Validation System Requirements block
   Comments: The blocks can be used to add informal descriptions of a unit design to a model.
   Tools: Simulink Verification and Validation Requirements Management Interface (RMI)
   Comments: The RMI can be used to link models representing unit designs to external informal descriptions in Microsoft Word, Microsoft Excel, ASCII text, or PDF files.

1c Semiformal notations (ASIL A +, B ++, C ++, D ++)
   Tools: Simulink; Stateflow
   Comments: Simulink and Stateflow support software unit design using semiformal notations.

1d Formal notations (ASIL A +, B +, C +, D +)
Table 8 Design Principles for Software Unit Design and Implementation
Columns: Method; ASIL A, B, C, D; Applicable Model-Based Design Tools and Processes; Comments

1a One entry and one exit point in subprograms and functions (ASIL A ++, B ++, C ++, D ++)
   Tools: Simulink Modeling guidelines; Polyspace MISRA C checker
   Comments: Adherence can be facilitated by applying modeling guidelines in combination with analyzing generated code. MAAB guideline jc_0511 provides corresponding modeling recommendations. Polyspace can assess compliance with MISRA C:2004 rule 14.7.

1b No dynamic objects or variables, or else online test during their creation (ASIL A +, B ++, C ++, D ++)
   Tools: Embedded Coder Configuration
   Comments: Embedded Coder can be configured to generate C code that does not include dynamic objects.
   Tools: Polyspace MISRA C checker
   Comments: Polyspace can assess compliance with MISRA C:2004 rule 20.4.

1c Initialization of variables (ASIL A ++, B ++, C ++, D ++)
   Tools: Simulink IC block, diagnostics
   Comments: An IC block can specify the initial condition for a signal. Setting the Underspecified initialization detection diagnostic to Simplified improves consistency of simulation results for models that do not specify initial conditions for conditional subsystem output ports or have conditionally executed subsystem output ports connected to S-functions.
   Tools: Embedded Coder Configuration
   Comments: Parameters in the Optimization > Data initialization section of the Configuration Parameters dialog box can be used to control initialization of variables in generated code.
   Tools: Polyspace Code verification
   Comments: Polyspace can check the initialization of variables in generated code. Uninitialized variables are reported as NIV checks.

1d No multiple use of variable names (ASIL A +, B ++, C ++, D ++)
   Tools: Simulink Diagnostics
   Comments: Setting the Duplicate data store names diagnostic to error detects conditions where a lower-level data store unexpectedly shadows a higher-level data store with the same name.

1e Avoid global variables or else justify their usage (ASIL A +, B +, C ++, D ++)
   Tools: Simulink
   Comments: Usage of Data Store Memory blocks needs to be reviewed and justified.
   Tools: Embedded Coder Configuration
   Comments: Selecting the Enable local block outputs optimization reduces use of global variables in generated code.

1f Limited use of pointers (ASIL A o, B +, C ++, D ++)
   Tools: Embedded Coder Configuration
   Comments: Embedded Coder may generate pointer arithmetic for certain language features, for example, lookup tables or matrix multiplication. Embedded Coder checks the data type and range of values to avoid corruption of address spaces.
   Tools: Polyspace MISRA C checker, code verification
   Comments: Polyspace can assess compliance with MISRA C:2004 rules 11.1 to 11.5 and 17.3 to 17.5, which restrict use of pointers. Polyspace can check whether pointers refer to valid objects. Violations are reported as IDP checks.

1g No implicit data type conversions (ASIL A +, B ++, C ++, D ++)

1h No hidden data flow or control flow (ASIL A +, B ++, C ++, D ++)

1i No unconditional jumps (ASIL A ++, B ++, C ++, D ++)
   Tools: Polyspace MISRA C checker
   Comments: Polyspace can assess compliance with MISRA C:2004 rules 14.4 and 14.5.

1j No recursions (ASIL A +, B +, C ++, D ++)
   Tools: Simulink Modeling guidelines
   Comments: Adherence can be facilitated by applying modeling guidelines. High-integrity guideline hisf_0004 provides corresponding modeling recommendations. Avoid using n-D Lookup Table and Interpolation blocks and Prelookup blocks with dimensions > 5.
   Tools: Polyspace Call graph
   Comments: Generated call graphs can be reviewed to identify recursive function calls.
Table 9 Methods for Verification of Software Unit Design and Implementation
Columns: Method; ASIL A, B, C, D; Applicable Model-Based Design Tools and Processes; Comments

1a Walkthrough (ASIL A ++, B +, C o, D o)
   Tools: Simulink; Simulink Report Generator Web View, System Design Description (SDD) report
   Comments: Unit design walkthroughs can be based on a model, a generated Web View, or an SDD report.
   Tools: Embedded Coder Code generation report
   Comments: Code walkthroughs can be based on HTML code generation reports or code generation reports with an integrated Web View of the model.

1b Inspection (ASIL A +, B ++, C ++, D ++)
   Tools: Simulink; Simulink Report Generator Web View, System Design Description (SDD) report
   Comments: Unit design inspections can be based on a model, a generated Web View, or an SDD report.
   Tools: Simulink Verification and Validation Model Advisor checks
   Comments: Unit design inspections can be supported by ISO 26262, MAAB, Requirements Consistency, and custom checks in Model Advisor. A Model Advisor check configuration can define a set of checks to pass as a prerequisite for entering model inspection.
   Tools: Embedded Coder Code generation report; IEC Certification Kit Traceability matrix
   Comments: Code walkthroughs can be based on HTML code generation reports, code generation reports with an integrated Web View of the model, or model-to-code and code-to-model traceability matrices.

1c Semiformal verification (ASIL A +, B +, C ++, D ++)
   Tools: Simulink
   Comments: Simulink supports simulation of algorithm and environment models.

1d Formal verification (ASIL A o, B o, C +, D +)
   Tools: Simulink Model Verification blocks; Simulink Design Verifier Property proving, design error detection, test case generation
   Comments: Model Verification blocks can be used to formalize software safety requirements and other model properties. Property proving can be used to verify model properties using formal verification techniques. Design error detection can analyze a model to detect design errors that might occur at run time.
   Tools: Polyspace Code verification
   Comments: Runtime error detection can analyze C code to identify software errors that might occur during run time.

1e Control flow analysis (ASIL A +, B +, C ++, D ++)
   Tools: Simulink Verification and Validation Model coverage analysis; Simulink Design Verifier Test case generation
   Comments: Model coverage analysis can help to identify unreachable portions of a model. Automatic test case generation can be used to detect unreachable model constructs that could result in unreachable code.
   Tools: Polyspace Call tree, unreachable code analysis
   Comments: Polyspace can partially extract control flow information from C code and can create the application call tree. Gray checks detect unreachable code.

1f Data flow analysis (ASIL A +, B +, C ++, D ++)
   Tools: Simulink Diagnostics; Stateflow Diagnostics
   Comments: Data Store Memory block diagnostics and Stateflow diagnostics can be configured to identify data flow issues.
   Tools: Polyspace Code verification
   Comments: Polyspace supports static verification of dynamic properties of generated code. This verification technique is based on data flow analysis.

1g Static code analysis (ASIL A +, B ++, C ++, D ++)
   Tools: Polyspace MISRA C checker
   Comments: Polyspace can facilitate static analysis of C code.

1h Semantic code analysis (ASIL A +, B +, C +, D +)
   Tools: Polyspace Code verification
   Comments: Polyspace uses abstract interpretation to analyze C code.
Columns: Clause; Model-Based Design Tools and Processes; Comments

Clause 8.4.5: The software unit design and implementation shall be verified in accordance with ISO 26262-8:2011 Clause 9, and by applying the verification methods listed in Table 9 to demonstrate:
   ...
   b) the fulfillment of the software safety requirements as allocated to the software units (in accordance with 7.4.9) through traceability
   ...
   Tools: IEC Certification Kit Traceability matrix
   Comments: Generated traceability matrices can be used to document and review existing links between textual requirements, models, and generated code.
Software Unit Testing
Table 10 Methods for Software Unit Testing
Columns: Method; ASIL A, B, C, D; Applicable Model-Based Design Tools and Processes; Comments

1a Requirements-based test (ASIL A ++, B ++, C ++, D ++)
   Tools: Simulink Verification and Validation Requirements Management Interface (RMI)
   Comments: RMI can be used to establish bidirectional links between textual requirements and models.
   Tools: IEC Certification Kit Traceability matrix
   Comments: Generated traceability matrices can be used to document and review existing links between textual requirements, models, and code.
   Tools: Simulink Signal Builder block; Stateflow Dynamic test vector charts
   Comments: Signal Builder blocks can be used to create open-loop model tests. Dynamic test vector charts can be used to create closed-loop, reactive model tests.
   Tools: Simulink Verification and Validation Component testing capabilities
   Comments: Component testing capabilities can be used to create model test harnesses. They also enable a requirements pane in the Signal Builder that can be used to link tests with textual requirements.

1b Interface test (ASIL A ++, B ++, C ++, D ++)
   Tools: Simulink Design Verifier Test case generation
   Comments: Automatic test case generation in combination with Test Objective blocks can be used to generate interface tests.

1c Fault injection test (ASIL A +, B +, C +, D ++)
   Tools: Simulink; Stateflow
   Comments: Simulink and Stateflow can be used to carry out fault injection tests. The tools can also be used to simulate failure propagation at the model level. For this purpose, the system model and a separate failure model can be used.
   Tools: Simulink Design Verifier Test case generation
   Comments: Automatic test case generation in combination with Test Objective blocks can generate fault injection tests.

1d Resource usage test (ASIL A +, B +, C +, D ++)
   Tools: Embedded Coder Processor-in-the-loop (PIL) testing, code metrics report
   Comments: PIL testing analyzes resource utilization on a target processor. The code metrics report provides the amount of memory used by the generated code.

1e Back-to-back test between model and code, if applicable (ASIL A +, B +, C ++, D ++)
   Tools: Simulink; Stateflow; Simulink Verification and Validation Component testing capabilities, model coverage; Simulink Design Verifier Test case generation
   Comments: Simulation capabilities of Simulink and Stateflow and the component test capabilities of Simulink Verification and Validation facilitate dynamic testing of models. Model coverage can be used to assess the completeness of the model tests. Simulink Design Verifier can generate missing test cases.
   Tools: Embedded Coder Software-in-the-loop (SIL) testing, processor-in-the-loop testing, code generation verification (CGV); Simulink Simulation Data Inspector (SDI)
   Comments: SIL and PIL testing provide a way to execute model tests on generated code. CGV automates selected back-to-back testing workflows. SDI supports the comparison of test results created during back-to-back testing.
Table 12 Structural Coverage Metrics at the Software Unit Level
Columns: Method; ASIL A, B, C, D; Applicable Model-Based Design Tools and Processes; Comments

1a Statement coverage (ASIL A ++, B ++, C +, D +)
   Tools: Embedded Coder Code coverage collection
   Comments: During software-in-the-loop (SIL) simulation, Embedded Coder can collect statement coverage by using the third-party tool LDRA Testbed. During SIL simulation, Embedded Coder can collect condition/decision coverage information, which usually subsumes statement coverage, by using the third-party tool BullseyeCoverage.

1b Branch coverage (ASIL A +, B ++, C ++, D ++)
   Tools: Simulink Verification and Validation Model coverage analysis; Simulink Design Verifier Test case generation
   Comments: During model testing, Simulink Verification and Validation can collect decision coverage (also known as branch coverage) at the model level. Simulink Design Verifier can generate test cases that satisfy decision coverage at the model level.
   Tools: Embedded Coder Code coverage collection
   Comments: During software-in-the-loop (SIL) simulation, Embedded Coder can collect statement coverage by using the third-party tool LDRA Testbed. During SIL simulation, Embedded Coder can collect condition and decision coverage, which usually subsumes statement coverage, by using the third-party tool BullseyeCoverage.

1c MC/DC (Modified Condition/Decision Coverage) (ASIL A +, B +, C +, D +)
   Tools: Simulink Verification and Validation Model coverage analysis; Simulink Design Verifier Test case generation
   Comments: During model testing, Simulink Verification and Validation can collect MC/DC coverage at the model level. Simulink Design Verifier can be used to generate test cases that satisfy MC/DC coverage at the model level.
   Tools: Embedded Coder Code coverage collection
   Comments: During SIL simulation, Embedded Coder can collect MC/DC coverage by using the third-party tool LDRA Testbed.
Software Integration and Testing
Table 13 Methods for Software Integration Testing
(Ratings are given per ASIL in the order A, B, C, D; ++ = highly recommended, + = recommended.)

1a Requirements-based test
ASIL A ++, B ++, C ++, D ++
Applicable Model-Based Design Tools and Processes: Simulink Verification and Validation, Requirements Management Interface (RMI); IEC Certification Kit, Traceability matrix; Simulink, Signal Builder block; Stateflow, Dynamic test vector charts; Simulink Verification and Validation, Component testing capabilities
Comments: RMI can be used to establish bidirectional links between textual requirements and models. Generated traceability matrices can be used to document and review existing links between textual requirements, models, and code. The Signal Builder block can be used to create open-loop model tests. Dynamic test vector charts can be used to create closed-loop, reactive model tests. Component testing capabilities can be used to create model test harnesses. They also enable a requirements pane in the Signal Builder, which can be used to link tests with textual requirements.

1b Interface test
ASIL A ++, B ++, C ++, D ++
Applicable Model-Based Design Tools and Processes: Simulink Design Verifier, Test case generation
Comments: Automatic test case generation in combination with Test Objective blocks can be used to generate interface tests.

1c Fault injection test
ASIL A +, B +, C ++, D ++
Applicable Model-Based Design Tools and Processes: Simulink; Stateflow; Simulink Design Verifier, Test case generation
Comments: Simulink and Stateflow can be used to execute fault injection tests. They can also simulate failure propagation at the model level; for this purpose, a system model and/or a separate failure model can be used. Automatic test case generation in combination with Test Objective blocks can generate fault injection tests.

1d Resource usage test
ASIL A +, B +, C +, D ++
Applicable Model-Based Design Tools and Processes: Embedded Coder, Processor-in-the-loop (PIL) testing, code metrics report
Comments: PIL testing analyzes resource utilization on a target processor. The code metrics report provides information about memory usage of generated code.

1e Back-to-back test between model and code, if applicable
ASIL A +, B +, C ++, D ++
Applicable Model-Based Design Tools and Processes: Simulink; Stateflow; Simulink Verification and Validation, Component testing capabilities, model coverage; Simulink Design Verifier, Test case generation; Embedded Coder, Software-in-the-loop (SIL) testing, processor-in-the-loop (PIL) testing, code generation verification (CGV); Simulink, Simulation Data Inspector (SDI)
Comments: Simulation capabilities of Simulink and Stateflow and the component test capabilities of Simulink Verification and Validation facilitate dynamic model testing. Model coverage can assess the completeness of model tests. Simulink Design Verifier can generate missing test cases. SIL and PIL testing capabilities execute model tests on generated code. CGV can automate selected back-to-back testing workflows. SDI supports comparison of test results created during back-to-back testing.
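The tolerance-based comparison that a back-to-back test between model and code (method 1e) depends on, as an added example that is not part of this document and is not MathWorks code: a reference signal from a double-precision stand-in for the model is compared sample by sample with the output of a float32 stand-in for generated code running on a single-precision target, and a sample passes when |candidate - reference| <= abs_tol + rel_tol * |reference|. The first-order low-pass filter, the step input and the tolerance values are constructed for illustration; the settings and algorithm of the Simulation Data Inspector itself are not reproduced here.

```python
"""Back-to-back comparison of model output against generated-code (SIL/PIL) output.

Added illustration, not MathWorks code. The filter, the input and the tolerances are
constructed; a real back-to-back test would compare logged simulation runs.
"""
import struct


def to_single(x):
    """Round a double to IEEE 754 single precision, emulating a float32 target."""
    return struct.unpack("f", struct.pack("f", x))[0]


def lowpass_model(inputs, alpha=0.25):
    """Reference (model) stand-in: y[k] = y[k-1] + alpha * (u[k] - y[k-1]) in double precision."""
    y, out = 0.0, []
    for u in inputs:
        y = y + alpha * (u - y)
        out.append(y)
    return out


def lowpass_code(inputs, alpha=0.25):
    """Generated-code stand-in: the same algorithm with every operation rounded to float32."""
    y, out = 0.0, []
    alpha = to_single(alpha)
    for u in inputs:
        y = to_single(y + to_single(alpha * to_single(to_single(u) - y)))
        out.append(y)
    return out


def back_to_back(reference, candidate, abs_tol=0.0, rel_tol=0.0):
    """Compare two equally sampled signals.

    Returns (passed, mismatches). A length mismatch is reported as a single
    ("length", n_ref, n_cand) entry; otherwise each out-of-tolerance sample is
    reported as (index, reference, candidate, abs_diff).
    """
    if len(reference) != len(candidate):
        return False, [("length", len(reference), len(candidate))]
    mismatches = []
    for k, (r, c) in enumerate(zip(reference, candidate)):
        diff = abs(c - r)
        if diff > abs_tol + rel_tol * abs(r):
            mismatches.append((k, r, c, diff))
    return not mismatches, mismatches


# Constructed test input: five zero samples followed by a step to 100.
STEP_INPUT = [0.0] * 5 + [100.0] * 25

if __name__ == "__main__":
    ref = lowpass_model(STEP_INPUT)
    cand = lowpass_code(STEP_INPUT)
    # With zero tolerance the float32 rounding of the target shows up as mismatches;
    # with a small absolute tolerance the same run passes.
    print("exact match:", back_to_back(ref, cand)[0])
    print("abs_tol=1e-3:", back_to_back(ref, cand, abs_tol=1e-3)[0])
```

The zero-tolerance run fails only because the target rounds to single precision, not because the generated code is wrong; choosing and justifying the tolerance per signal is part of the back-to-back test design, and a length mismatch (different sample counts between the two runs) is reported separately so it is not mistaken for a numeric difference.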
Table 15 Structural Coverage Metrics at the Software Architectural Level
(Ratings are given per ASIL in the order A, B, C, D; ++ = highly recommended, + = recommended.)

1a Function coverage
ASIL A +, B +, C ++, D ++
Applicable Model-Based Design Tools and Processes: Embedded Coder, Code coverage collection
Comments: During SIL simulation, Embedded Coder can collect function coverage information by using the third-party tool BullseyeCoverage.

1b Call coverage
ASIL A +, B +, C ++, D ++
Applicable Model-Based Design Tools and Processes: Embedded Coder, Code coverage collection
Comments: During SIL simulation, Embedded Coder can collect procedure/function call coverage information by using the third-party tool LDRA Testbed.
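What the two metrics in Table 15 measure, as an added example that is not part of this document and is not MathWorks, BullseyeCoverage or LDRA code: a constructed sample unit (a hypothetical speed limiter written in Python, standing in for a generated software unit) is parsed with `ast` to enumerate its functions and call sites, then executed under `sys.settrace` so that the functions actually called and the call sites actually executed can be counted. Function coverage is the share of functions called at least once; call coverage is the share of call sites executed at least once. The unit and the test vectors are constructed for illustration, and the example shows the gap these metrics expose: a nominal-only test set leaves the fault-path function and its call site uncovered.

```python
"""Function coverage and call coverage over a constructed sample unit.

Added illustration, not code from the document or from any coverage tool.
"""
import ast
import sys

# Constructed sample unit (hypothetical; not from the document). It stands in for a
# generated software unit: three functions, one reached only on the fault path.
SAMPLE_UNIT = '''
def clamp(v, lo, hi):
    return lo if v < lo else hi if v > hi else v

def emergency_stop():
    return 0

def limiter(demand, sensor_fault):
    if sensor_fault:
        return emergency_stop()
    return clamp(demand, 0, 100)
'''
UNIT_FILENAME = "<sample_unit>"  # file name given to the compiled unit; used to filter trace events


def function_names(source):
    """Top-level function names in the unit (denominator of function coverage)."""
    return {n.name for n in ast.parse(source).body if isinstance(n, ast.FunctionDef)}


def static_call_sites(source):
    """(caller, line, callee) for every direct call site in the unit (denominator of call coverage)."""
    sites = set()
    for fn in ast.parse(source).body:
        if isinstance(fn, ast.FunctionDef):
            for node in ast.walk(fn):
                if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
                    sites.add((fn.name, node.lineno, node.func.id))
    return sites


def run_with_call_trace(source, test_vectors):
    """Run each (function name, args) test vector; return (called functions, executed call sites)."""
    namespace = {}
    exec(compile(source, UNIT_FILENAME, "exec"), namespace)
    called_functions, executed_sites = set(), set()

    def tracer(frame, event, arg):
        # A 'call' event fires when a new frame is entered; frame.f_back is the caller,
        # and its f_lineno is the line holding the call.
        if event == "call" and frame.f_code.co_filename == UNIT_FILENAME:
            callee = frame.f_code.co_name
            called_functions.add(callee)
            caller = frame.f_back
            if caller is not None and caller.f_code.co_filename == UNIT_FILENAME:
                executed_sites.add((caller.f_code.co_name, caller.f_lineno, callee))
        return None  # no line-level tracing needed

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        for fn_name, args in test_vectors:
            namespace[fn_name](*args)
    finally:
        sys.settrace(previous)
    return called_functions, executed_sites


def coverage_report(source, test_vectors):
    """Function and call coverage as fractions, plus the uncovered functions and call sites."""
    functions = function_names(source)
    sites = static_call_sites(source)
    called, executed = run_with_call_trace(source, test_vectors)
    return {
        "function_coverage": len(called & functions) / len(functions),
        "call_coverage": len(executed & sites) / len(sites),
        "uncalled_functions": sorted(functions - called),
        "unexecuted_call_sites": sorted(sites - executed),
    }


# Constructed test vectors: nominal requests only, then nominal plus a sensor-fault case.
NOMINAL_TESTS = [("limiter", (150, False)), ("limiter", (-5, False))]
FAULT_TESTS = NOMINAL_TESTS + [("limiter", (50, True))]

if __name__ == "__main__":
    for label, vectors in (("nominal only", NOMINAL_TESTS), ("nominal + fault", FAULT_TESTS)):
        print(label, coverage_report(SAMPLE_UNIT, vectors))
```

The nominal-only run reports 2/3 function coverage and 1/2 call coverage, naming `emergency_stop` and the call site inside `limiter` that reaches it; adding the sensor-fault vector brings both metrics to 100%. Coverage tools for C work on the compiled binary rather than on Python frames, but the two quantities they report at the architectural level are these.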
3 ISO 26262-8: Applicable Model-Based Design Tools and Processes

Confidence in the Use of Software Tools
Table 4 Qualification of Software Tools Classified TCL3
(Ratings are given per ASIL in the order A, B, C, D; ++ = highly recommended, + = recommended.)

1a Increased confidence from use in accordance with 11.4.7
ASIL A ++, B ++, C +, D +

1b Evaluation of the tool development process in accordance with 11.4.8
ASIL A ++, B ++, C +, D +

1c Validation of the software tool in accordance with 11.4.9
ASIL A +, B +, C +, D ++
Applicable Model-Based Design Tools and Processes (methods 1b and 1c): IEC Certification Kit
Comments: Embedded Coder (including AUTOSAR TPP), Simulink Verification and Validation, Simulink Design Verifier, and Polyspace products for C/C++ have been prequalified, using a combination of methods 1b and 1c. TÜV SÜD carried out an independent tool qualification assessment. The IEC Certification Kit provides Software Tool Criteria Evaluation reports, Software Tool Qualification reports, and evidence for the independent assessment. The IEC Certification Kit provides exemplary test cases and test procedures for Embedded Coder, Simulink Verification and Validation, and Polyspace products for C/C++ that can be used to facilitate tool validation tests for these products.

1d Development in accordance with a safety standard
ASIL A +, B +, C +, D ++
Table 5 Qualification of Software Tools Classified TCL2
(Ratings are given per ASIL in the order A, B, C, D; ++ = highly recommended, + = recommended.)

1a Increased confidence from use in accordance with 11.4.7
ASIL A ++, B ++, C ++, D +

1b Evaluation of the tool development process in accordance with 11.4.8
ASIL A ++, B ++, C ++, D +

1c Validation of the software tool in accordance with 11.4.9
ASIL A +, B +, C +, D ++
Applicable Model-Based Design Tools and Processes (methods 1b and 1c): IEC Certification Kit
Comments: Embedded Coder (including AUTOSAR TPP), Simulink Verification and Validation, Simulink Design Verifier, and Polyspace products for C/C++ have been prequalified, using a combination of methods 1b and 1c. TÜV SÜD carried out an independent tool qualification assessment. The IEC Certification Kit provides Software Tool Criteria Evaluation reports, Software Tool Qualification reports, and evidence for the independent assessment. The IEC Certification Kit provides exemplary test cases and test procedures for Embedded Coder, Simulink Verification and Validation, and Polyspace products for C/C++ that can be used to facilitate tool validation tests for these products.

1d Development in accordance with a safety standard
ASIL A +, B +, C +, D ++