© 2008 The MathWorks, Inc.
Model-Based Design for Safety-Critical and Mission-Critical Applications
Bill Potter, Technical Marketing
April 17, 2008

Safety-Critical Model-Based Design Workflow
(workflow diagram: Requirements -> Model -> Source Code -> Object Code, with a Validate loop back to Requirements; the tools shown at each stage are listed below)
Model: Simulink and Stateflow
  Trace: RMI
  Verify: SystemTest, SLDV Property Proving, Model Coverage
  Conformance: Model Advisor
Source Code: Real-Time Workshop Embedded Coder
  Conformance: PolySpace Products
  Trace: Model/Code Trace Report
Object Code: Embedded IDE, Embedded IDE Link XXX
  Verify: SLDV Test Generation, SystemTest

Requirements Process for Model-Based Design
Functional, operational, and safety requirements
  Exist one level above the model
  Models trace to requirements
Requirements validation - complete and correct
  Simulation is a validation technique
  Traceability can identify incomplete requirements
  Model coverage can identify incomplete requirements
Requirements based test cases
  Test cases trace to requirements
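The traceability and coverage checks this slide describes can be automated once requirement links and coverage results are exported from the tools. The script below is an added example, not MathWorks code and not the export format of the Requirements Management Interface or the coverage tool: it audits constructed sample data (requirement ids, model-element-to-requirement links, test-case-to-requirement links and per-element coverage, all made up for the example) and reports the gaps the slide names: requirements no model element implements, model elements no requirement describes, requirements no test exercises, and elements whose coverage shortfall points at either a missing requirement or an incomplete test set.

```python
"""Traceability and coverage audit for requirements-based verification.

Added example: the data below is constructed for illustration and is not the
export format of any MathWorks tool. Links run from model elements and test
cases to requirement ids; coverage is the fraction of each element's coverage
objectives satisfied by the test suite.
"""
from dataclasses import dataclass


@dataclass
class TraceData:
    requirements: set[str]
    model_links: dict[str, set[str]]  # model element -> requirement ids it implements
    test_links: dict[str, set[str]]   # test case -> requirement ids it verifies
    coverage: dict[str, float]        # model element -> achieved coverage, 0.0..1.0


def audit(data: TraceData) -> dict[str, list[str]]:
    """Return the traceability and coverage gaps found in `data`."""
    implemented = {r for reqs in data.model_links.values() for r in reqs}
    tested = {r for reqs in data.test_links.values() for r in reqs}

    # Requirements with no model element tracing to them: the design is incomplete.
    unimplemented = sorted(data.requirements - implemented)
    # Requirements with no test case tracing to them: verification is incomplete.
    untested = sorted(data.requirements - tested)
    # Links naming requirement ids that do not exist: stale or mistyped traces.
    dangling = sorted((implemented | tested) - data.requirements)
    # Model elements with no requirement: behaviour the requirements never asked for,
    # which is the "traceability identifies incomplete requirements" case.
    untraced = sorted(e for e, reqs in data.model_links.items() if not reqs)

    # Coverage shortfalls, classified by what the trace data says about the element.
    coverage_gaps = []
    for element, achieved in sorted(data.coverage.items()):
        if achieved >= 1.0:
            continue
        reqs = data.model_links.get(element, set())
        if not reqs:
            reason = "no requirement describes this element; add one or remove the element"
        elif reqs & tested:
            reason = ("tests for " + ", ".join(sorted(reqs & tested))
                      + " do not exercise all of it; extend the tests or refine the requirement")
        else:
            reason = "its requirements have no test cases yet"
        coverage_gaps.append(f"{element} ({achieved:.0%} covered): {reason}")

    return {
        "unimplemented_requirements": unimplemented,
        "untested_requirements": untested,
        "dangling_links": dangling,
        "untraced_elements": untraced,
        "coverage_gaps": coverage_gaps,
    }


# Constructed sample data (not from any real project).
SAMPLE = TraceData(
    requirements={"REQ-1", "REQ-2", "REQ-3", "REQ-4"},
    model_links={
        "Controller/Gain": {"REQ-1"},
        "Controller/Saturation": {"REQ-2"},
        "Controller/RateLimiter": set(),   # no requirement traces here
        "Controller/Switch": {"REQ-9"},    # REQ-9 does not exist
    },
    test_links={"TC-1": {"REQ-1"}, "TC-2": {"REQ-2", "REQ-3"}},
    coverage={
        "Controller/Gain": 1.0,
        "Controller/Saturation": 0.5,
        "Controller/RateLimiter": 0.0,
        "Controller/Switch": 1.0,
    },
)

if __name__ == "__main__":
    for kind, items in audit(SAMPLE).items():
        print(kind)
        for item in items:
            print("  ", item)
```

On the sample data the audit reports REQ-3 and REQ-4 as unimplemented, REQ-4 as untested, REQ-9 as a dangling link, the rate limiter as an untraced element, and two coverage gaps with different root causes: the rate limiter has no requirement at all, while the saturation block is traced and its requirement is tested, so the test set for REQ-2 is what needs extending.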

Simulation example – controller and plant (figure)

Requirements trace example – view from DOORS® to Simulink (figure)

Requirements trace example – view from Simulink to DOORS (figure)

Requirements based test trace example – view from Simulink Signal Builder block to DOORS (figure)

Model coverage report example (figure)

Requirements Process take-aways
Early requirements validation
  Eliminates rework typically seen at integration on projects with poor requirements
Early test case development
  Validated requirements are complete and verifiable, which results in well defined test cases
Requirements management and traceability
  Requirements management interfaces provide traceability for design and test cases

Design Process for Model-Based Design
Model-Based Design
  Create the design - Simulink and Stateflow
  Modular design for teams - Model Reference
  Model architecture/regression analysis - Model Dependency Viewer
  Documented design - Simulink Report Generator
  Requirements traceability using Simulink Verification and Validation
  Design conforms to standards using Model Advisor

Example detailed design including model reference and subsystems (figure: Top Model, Reference Model, Subsystem)

Model dependency viewer (figure)

Example Model Advisor report (figure)

Design Verification for Model-Based Design
Requirements based test cases
  Automated testing using SystemTest and Simulink Verification and Validation
  Traceability using Simulink Verification and Validation
Robustness testing and analysis
  Built in Simulink run-time diagnostics
  Formal proofs using Simulink Design Verifier
Coverage Analysis
  Verify structural coverage of model
  Verify data coverage of model

SystemTest for requirements based testing (figure)

SystemTest – example report (figure: data plotting and expected results comparisons; summary of results)

Signal Builder and Assertion Blocks (figure)

Model coverage report example – signal ranges (figure)

Simulink Design Verifier – Coverage Test (figure: model, generated test cases, test report)

Simulink Design Verifier – Objective Test (figure: model with constraints and objectives, generated test cases, test report)

Simulink Design Verifier – Property Proving (figure: model with assumption and objective, property to be proven, report)

Design Process take-aways
Modular reusable implementations
  Platform independent design
  Scalable to large teams
Consistent and compliant implementations
  Common design language
  Automated verification of standards compliance
Efficient verification process
  Develop verification procedures in parallel with design
  Coverage analysis early in the process
  Automated testing and analysis

Coding Process for Model-Based Design
Automatic code generation
  Real-Time Workshop Embedded Coder
Traceability
  HTML Code Traceability Report
Source code verification
  Complies with standards using PolySpace MISRA-C® checker
  Accurate, consistent and robust using PolySpace verifier

Incrementally Generate Code
(figure: model dependency tree showing the changed model rebuilt and the models that depend on it rebuilt)
Incremental code generation is supported via Model Reference
When a model is changed, only models depending on it are subject to regeneration of their code
Reduces application build times and ensures stability of a project's code
Degree of dependency checking is configurable
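The rebuild rule on this slide (a change regenerates the changed model and everything that references it, with the strictness of the check configurable) is a reverse dependency closure plus an ordering that builds referenced models before the models that reference them. The script below is an added example of that scheme in Python, not Simulink's own Model Reference implementation: the model hierarchy is constructed, and the `propagate` switch stands in for the loosest setting of "degree of dependency checking" (regenerate only the edited models).

```python
"""Which referenced models must be regenerated after a change, and in what order.

Added example: a generic dependency-propagation scheme, not Simulink's own
Model Reference implementation. `references` maps each model to the models it
references directly (constructed sample hierarchy).
"""


def dependents(references: dict[str, set[str]]) -> dict[str, set[str]]:
    """Invert the reference graph: model -> models that reference it directly."""
    rev: dict[str, set[str]] = {m: set() for m in references}
    for model, refs in references.items():
        for ref in refs:
            rev.setdefault(ref, set()).add(model)
    return rev


def models_to_rebuild(references, changed, propagate=True):
    """Changed models plus, when `propagate` is set, everything that transitively
    references them. `propagate=False` stands in for the loosest configurable
    dependency check: only the edited models are regenerated."""
    rebuild = set(changed)
    if not propagate:
        return rebuild
    rev = dependents(references)
    stack = list(changed)
    while stack:
        for parent in rev.get(stack.pop(), ()):
            if parent not in rebuild:
                rebuild.add(parent)
                stack.append(parent)
    return rebuild


def build_order(references, models):
    """Order `models` so every model comes after the models it references
    (post-order DFS restricted to the rebuild set); rejects reference cycles."""
    order, done = [], set()

    def visit(model, path):
        if model in done:
            return
        if model in path:
            raise ValueError(f"model reference cycle through {model}")
        for ref in sorted(references.get(model, ())):
            if ref in models:
                visit(ref, path | {model})
        done.add(model)
        order.append(model)

    for model in sorted(models):
        visit(model, frozenset())
    return order


# Constructed hierarchy: Top references Controller and Plant, and so on.
REFERENCES = {
    "Top": {"Controller", "Plant"},
    "Controller": {"Filter", "Gains"},
    "Plant": {"Actuator"},
    "Filter": set(),
    "Gains": set(),
    "Actuator": set(),
}


def rebuild_plan(changed, propagate=True):
    """The ordered list of models to regenerate for a set of changed models."""
    return build_order(REFERENCES, models_to_rebuild(REFERENCES, changed, propagate))


if __name__ == "__main__":
    # Editing Filter regenerates Filter, Controller and Top; Plant and Gains are untouched.
    print(rebuild_plan({"Filter"}))
```

Editing the Filter model regenerates Filter, then Controller, then Top, and leaves the Plant branch and Gains alone, which is exactly the saving the slide claims for build time; a reference cycle is rejected rather than looped over, since it would make "build referenced models first" impossible.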

Add Links to Requirements (figure: requirements appear in the code)

Code to Model Trace Report (figure)
® ®
Simulink Integration with PolySpace ProductsSimulink Integration with PolySpace ProductsInput1Input1
EntriesEntriesvarying from varying from --500 to 500500 to 500
K1 and K2K1 and K2ConstantsConstantsCan be tuned Can be tuned from from --297 to 297 to 303303
Lookup tablesLookup tablesMaps, surfaces,Maps, surfaces,algorithms, algorithms, extrapolationsextrapolationsAdjusted, tunedAdjusted, tuned
Math operationsMath operationsDivide, add, Divide, add, min/max, min/max, product, product, substractsubstract,,sumsum……

(figure: iteration loop) See results in the model -> Change the model -> Generate the production code -> Run PolySpace software
PolySpace detected an error here (after having analyzed the generated code)
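The two preceding slides show the inputs such a checker works from (signal and tunable-parameter ranges) and the kind of result it returns (an error flagged on the generated code). The script below is an added example of interval range analysis, the abstract-interpretation idea behind that class of tool, written in Python for this page; it is not PolySpace's algorithm or its report format. The ranges are the ones on the slide (Input1 in [-500, 500], K1 and K2 tunable in [-297, 303]); the data path, the signed word size it is checked against and the resulting findings are constructed for the example, and the slide does not say which error PolySpace actually reported.

```python
"""Interval (range) analysis of a constructed generated-code data path.

Added example in the spirit of an abstract-interpretation checker; not
PolySpace's algorithm or output. Ranges from the slide: Input1 in [-500, 500],
K1 and K2 tunable in [-297, 303]. The data path and word size are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float

    def __post_init__(self):
        if self.lo > self.hi:
            raise ValueError(f"empty interval [{self.lo}, {self.hi}]")


INF = float("inf")


def add(a: Interval, b: Interval) -> Interval:
    return Interval(a.lo + b.lo, a.hi + b.hi)


def sub(a: Interval, b: Interval) -> Interval:
    return Interval(a.lo - b.hi, a.hi - b.lo)


def mul(a: Interval, b: Interval) -> Interval:
    # The product of two intervals is spanned by the products of their end points.
    corners = (a.lo * b.lo, a.lo * b.hi, a.hi * b.lo, a.hi * b.hi)
    return Interval(min(corners), max(corners))


def imin(a: Interval, b: Interval) -> Interval:
    return Interval(min(a.lo, b.lo), min(a.hi, b.hi))


def imax(a: Interval, b: Interval) -> Interval:
    return Interval(max(a.lo, b.lo), max(a.hi, b.hi))


class Analyzer:
    """Evaluates blocks over intervals and records run-time error candidates."""

    def __init__(self, word_bits: int):
        self.word_bits = word_bits
        self.findings: list[str] = []

    def fits(self, x: Interval, block: str) -> Interval:
        """Flag a result that can exceed a signed integer of `word_bits` bits."""
        lo, hi = -(1 << (self.word_bits - 1)), (1 << (self.word_bits - 1)) - 1
        if x.lo < lo or x.hi > hi:
            self.findings.append(
                f"{block}: possible overflow, range [{x.lo}, {x.hi}] exceeds int{self.word_bits}")
        return x

    def div(self, a: Interval, b: Interval, block: str) -> Interval:
        """Division; a divisor range that contains zero is a run-time error candidate."""
        if b.lo <= 0 <= b.hi:
            self.findings.append(
                f"{block}: possible division by zero, divisor range [{b.lo}, {b.hi}] contains 0")
            return Interval(-INF, INF)  # sound over-approximation after the error
        corners = (a.lo / b.lo, a.lo / b.hi, a.hi / b.lo, a.hi / b.hi)
        return Interval(min(corners), max(corners))


def analyze(word_bits: int = 16):
    """Constructed data path: Input1 * K1, + K2, / K2, then saturate to [-100, 100]."""
    an = Analyzer(word_bits)
    input1 = Interval(-500, 500)
    k1 = Interval(-297, 303)
    k2 = Interval(-297, 303)

    product = an.fits(mul(input1, k1), "Product")
    total = an.fits(add(product, k2), "Sum")
    ratio = an.div(total, k2, "Divide")          # K2's range includes 0
    saturated = imax(imin(ratio, Interval(100, 100)), Interval(-100, -100))
    return saturated, an.findings


if __name__ == "__main__":
    out, findings = analyze(16)
    print("output range:", out)
    for finding in findings:
        print(" ", finding)
```

With a 16-bit word the product and sum can both exceed the representable range, and the divide is flagged whatever the word size because a tunable range of [-297, 303] includes zero; the saturation at the end brings the output back to [-100, 100], but the error candidates upstream of it remain. Widening the word to 32 bits removes the overflow findings and leaves only the division, which is the kind of "change the model, regenerate, re-run" iteration the slide's loop describes.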

Coding Process takeaways
Reusable and platform independent source code
Traceability
MISRA-C compliance
Static verification and analysis

Integration Process for Model-Based Design
Executable object code generation
  ANSI® or ISO® C or C++ compatible compiler
  Run-time libraries provided
Executable object code verification
  Test generation using Simulink Design Verifier
  Capability to build interface for Processor-In-the-Loop (PIL) testing
  Analyze code coverage during PIL
  Analyze execution time during PIL
  Analyze stack during PIL

Processor-in-the-Loop (PIL) Verification - Execute Generated Code on Target Hardware
(diagram: the plant model runs in Simulink on the host; the algorithm (software component) goes through code generation and executes on the embedded target)
Execution
  on host and target
  non-real-time
Communication via one of
  data link, e.g. serial, CAN, TCP/IP
  debugger integration with MATLAB

Integration Process Takeaways
Integration with multiple development environments
Test cases and harnesses generated automatically
Efficient processor-in-the-loop test capability

Wrap-up
Tools to support the entire safety critical development process
Participation on SC-205/WG-71 committee for DO-178C
Safety-Critical/DO-178B guideline document
  Available to licensed customers with Real-Time Workshop Embedded Coder
  Contact Bill Potter ([email protected]) or Tom Erkkinen ([email protected])