1

Daniel MartinsApplication Engineer – MathWorksDaniel.martins@mathworks.fr

Increasing Embedded Software ConfidenceModel and Code Verification

2

What is the Cost of Software Failure…

$7,500,000,000

Ariane 5

Rocket & payload lost

3

What is the Cost of Software Failure…

Casualtiesdue to radiation overdose

6

Therac-25

4

Where do you want to discover and fix errors?

Model

Generated Code

Vehicle TestingIn Service

Pre sales Post sales

5

Using Model-Based Design

It is easier and less expensive to fix design errors early in the process when they happen.

Model-Based Design enables:

1. Early testing to increase confidence in your design

2. Delivery of higher quality software throughout the workflow

6

Gaining Confidence in our Design

Effort / Time

Confidence

Ad-hoc testing

Design error detection

Functional& structural tests

Modeling standards

Model & code equivalence checks

Code integration analysis

7

Application: Cruise Control

70 km/h

Control speed according to setpoint

8

System

Inputs OutputsFuel Rate

Control Module

Shift Logic

Control Module

ECU

system

Legacy c

ode

ECU

Application: Cruise Control

2Cruise

Control

Module (MBD)

1

9

System

Inputs OutputsFuel Rate

Control Module

Shift Logic

Control Module

ECU

system

Legacy c

ode

ECU

Application: Cruise Control

Cruise

Control

Module (MBD)

10

Application: Cruise Control

Cruise_onoff

Brake

Speed

Coast set

Accel reset

Inputs

Engaged

Target speed

Outputs

Cruise

Control

Module (MBD)

11

Gaining Confidence in our Design

Effort / Time

Confidence

Ad-hoc testing

12

Ad-hoc Tests

New “Dashboard” blocks facilitate

early ad-hoc testing

13

Gaining Confidence in our Design

Effort / Time

Confidence

Ad-hoc testing

Design error detection

14

Finding Design Errors: Dead Logic

15

Finding Unintended Behavior

Dead logic due to “uint8”

operation on incdec/holdrate*10

Fix change the order of

operation 10*incdec/holdrate

Condition can never be false

16

Gaining Confidence in our Design

Effort / Time

Confidence

Ad-hoc testing

Design error detection

Functional& structural tests

17

Simulation Testing Workflow

Structural coverage

report

Did we completely

test our model?

Did we meet

requirements?

Review functional

behavior

Design

Requirements

18

Requirements Based Functional Testing with

Coverage Analysis

19

Did We Completely Test our Model?

Model Coverage

Analysis

Potential causes of less

than 100% coverage:

Missing requirements

Over-specified design

Design errors

Missing tests

20

Gaining Confidence in our Design

Effort / Time

Confidence

Ad-hoc testing

Design error detection

Functional& structural tests

Modeling standards

21

Model Advisor – Model Standards Checking

22

Gaining Confidence in our Design

Effort / Time

Confidence

Ad-hoc testing

Design error detection

Functional& structural tests

Modeling standards

Model & code equivalence checks

23

Code Generation with Model-to-Code Traceability

24

Equivalence Testing:

Model vs SIL or PIL Mode Testing

Model

Testing

SIL or PIL

Mode Testing

Coverage 100%

25

Code Equivalence Check Results:

Model vs Code

Code Coverage

26

Gaining Confidence in our Design

Effort / Time

Confidence

Ad-hoc testing

Design error detection

Functional& structural tests

Modeling standards

Model & code equivalence checks

Codeintegration analysis

27

System

Inputs OutputsFuel Rate

Control Module

Shift Logic

Control Module

ECU

system

Legacy c

ode

ECU

Code Integration Analysis

Cruise

Control

Module (MBD)

Cruise

Control

Module (MBD)

1

Cruise

Control

Module (MBD)

1

28

Fuel Rate

Control Module

Shift Logic

Control Module

ECU

system

Legacy c

ode

ECU

2Cruise

Control

Module (MBD)

1

Code Integration Analysis

Cruise_onoff

Brake

Speed

Coast set

Accel reset

EGO Sensor

MAP Sensor

Inputs

Gear

Engaged

Target speed

Fuel Rate

Outputs

29

Fuel Rate

Control Module

Shift Logic

Control Module

ECU

system

Legacy c

ode

ECU

Cruise_onoff

Brake

Speed

Coast set

Accel reset

EGO Sensor

MAP Sensor

Inputs

Gear

Engaged

Target speed

Fuel Rate

Outputs

Inaccurate

scaling for

speed

Finding Dead Code During Integration

De

ad

co

de

Cruise

Control

Module (MBD)

2

30

Finding Dead Code with Polyspace

Dead code

Maximum target speed = 90Target speed parameter

propagated to “Cruise_ctrl.c”

[0 … 40]

31

Polyspace Code Analysis

static void pointer_arithmetic (void)

{

int array[100];

int *p = array;

int i;

for (i = 0; i < 100; i++) {

*p = 0;

p++;

}

if (get_bus_status() > 0) {

if (get_oil_pressure() > 0) {

*p = 5;

} else {

i++;

}

}

i = get_bus_status();

if (i >= 0) {

*(p - i) = 10;

}

}

Source code painted in green, red, gray, orange

Green: reliablesafe pointer access

Red: faultyout of bounds error

Gray: deadunreachable code

Orange: unprovenmay be unsafe for some

conditions

Purple: violationMISRA-C/C++ or JSF++

code rules

variable ‘I’ (int32): [0 .. 99]

assignment of ‘I’ (int32): [1 ..

100]

Range datatool tip

32

Conclusion:

Model-Based Design Verification Workflow

Model VerificationDiscover design errors at design time

Code VerificationGain confidence in the generated code

Workflow approved by TÜV SÜD for development of safety-critical software in accordance with

ISO 26262 (automotive), IEC 61508 (industrial), EN 50128 (railway), IEC 62304 (medical devices)

33

Key Takeaway

It is easier and less expensive to fix design errors early in the process when they happen.

Model-Based Design enables:

1. Early testing to increase confidence in your design

2. Delivery of higher quality software throughout the workflow

34

Change the world by

Accelerating the paceof discovery, innovation, development, and learning

in engineering and science