

## Model-Based Design for Safety Critical Applications

Bill Potter The MathWorks





# **Attributes of Safety Critical Systems**

- Reliably perform intended function
- Contain no unintended function
- Implemented with redundancy
- Contain fault detection
- Robust design
- Robust code



# **Attributes of Safety Critical Process**

- Complete and correct requirements
- Design standards are applied
- Coding standards are applied
- Bi-directional traceability
- Requirements based testing
- Robustness verification
- Coverage analysis
- Safety Analysis
- Failure Modes and Effects Analysis (FMEA)



### **Safety-Critical Model-Based Design Workflow and Activities**



Aerospace and Defense Conference '07



### **Requirements Process for Model-Based Design**

- Functional, operational, and safety requirements
  - Exist one level above the model
  - Models trace to requirements
- Requirements validation
  - Prove requirements are complete and correct
  - Simulation is a validation technique
  - Traceability can identify incomplete requirements
  - Model coverage can identify incomplete requirements
- Requirements based test cases
  - Traceability of tests to requirements

## Simulation example – controller and plant



MathWorks Aerospace and Defense Conference '07

The MathWorks



# Requirements trace example – view from DOORS to Simulink

| 👨 Formal module '/Autor                      | oilot Project | /Attitude Controller Derived Requirements' current 0.0 - DOORS                                                                                                                                                                                                                                                                                                             |
|----------------------------------------------|---------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| File Edit View Insert Li                     | nk Analysis   | Table Tools User MATLAB Help                                                                                                                                                                                                                                                                                                                                               |
| 🖬 🖨 😭 │ 👗 🖻 🖻                                |               | ✓ ■ ■ ■ I U #   □ □ □ = □ □ □ □ □ □ □ □ □ □ □ □ □ □ □                                                                                                                                                                                                                                                                                                                      |
| Standard view                                | ▼ All leve    | * 🔽 🚠 🚜   E = = =   🗽 🥌 🖾 🕆 😵 🥪   🛥   🕍 🖤                                                                                                                                                                                                                                                                                                                                  |
| E- Attitude Controller Derive                | ID            | Software requirements for a reusable attitude controller                                                                                                                                                                                                                                                                                                                   |
| ⊞ - 1 Introduction<br>⊞ - 2 Component Design | 43            | [Simulink reference: attitude_controller/Rate Limit (Saturate)]                                                                                                                                                                                                                                                                                                            |
|                                              | 20            | 2.4 Integral Control and Limit 🔹                                                                                                                                                                                                                                                                                                                                           |
|                                              |               | The integral control shall generate a surface command based on the attitude rate error computed<br>by the rate control, integral error gain and the autompilot engage state. The total integral<br>command shall be limited to not exceed the integral command limit. When the autopilot is not<br>engaged, the integral command and internal state shall be held at zero. |
|                                              | 63            | [Simulink reference: attitude_controller_harness/Signal Builder (SubSystem)]                                                                                                                                                                                                                                                                                               |
|                                              | 39            | [Simulink reference: attitude_controller/Int Gain (Gain)]                                                                                                                                                                                                                                                                                                                  |
|                                              | 38            | [Simulink reference: attitude_controller/Not engaged (Logic)]                                                                                                                                                                                                                                                                                                              |
|                                              | 37            | [Simulink reference: attitude_controller/Integrator (DiscreteIntegrator)]                                                                                                                                                                                                                                                                                                  |
|                                              | 21            | 2.5 Surface Command and Limit 4                                                                                                                                                                                                                                                                                                                                            |
|                                              |               | in a threads                                                                                                                                                                                                                                                                                                                                                               |
| Username: bpotter                            | Exclu         | sive edit mode                                                                                                                                                                                                                                                                                                                                                             |







### MathWorks Aerospace and Defense Conference '07

The MathWorks

# Requirements-based test trace example – view from Simulink Signal Builder block to DOORS



MathWorks Aerospace and Defense Conference '07

The MathWorks



### Model coverage report example

| ♣ C A A Location:                      | file:///C | :/local_work_area/o | demos/autopi | lot_R2007a_n | ndlref/attitude | e_control_res | ults19486407 | .html   |         |         |         |         |
|----------------------------------------|-----------|---------------------|--------------|--------------|-----------------|---------------|--------------|---------|---------|---------|---------|---------|
| iscrete integrator block " <u>In</u>   | tegrato   | <b>r</b> "          |              |              |                 |               |              |         |         |         |         |         |
| Parent:                                | /attitude | _controller         |              |              |                 |               |              |         |         |         |         |         |
| Metric                                 |           | Coverage            |              |              |                 |               |              |         |         |         |         |         |
| Cyclomatic Complexity<br>Decision (D1) |           | 3<br>100% (6/6) dec | cision outco | mes          |                 |               |              |         |         |         |         |         |
| Decisions analyzed:                    |           |                     |              |              |                 |               |              |         |         |         |         |         |
| Reset                                  |           | 100%                | 100%         | 100%         | 100%            | 100%          | 100%         | 100%    | 100%    | 100%    | 100%    | 100%    |
| false                                  |           | 201/401             | 201/401      | 201/401      | 201/401         | 201/401       | 201/401      | 201/401 | 201/401 | 201/401 | 240/401 | 2049/40 |
| true                                   |           | 200/401             | 200/401      | 200/401      | 200/401         | 200/401       | 200/401      | 200/401 | 200/401 | 200/401 | 161/401 | 1961/40 |
| integration result <= lowe             | er limit  | 50%                 | 50%          | 50%          | 50%             | 50%           | 50%          | 50%     | 50%     | 50%     | 100%    | 100%    |
| false                                  |           | 401/401             | 401/401      | 401/401      | 401/401         | 401/401       | 401/401      | 401/401 | 401/401 | 401/401 | 283/342 | 3892/39 |
| true                                   |           | 0/401               | 0/401        | 0/401        | 0/401           | 0/401         | 0/401        | 0/401   | 0/401   | 0/401   | 59/342  | 59/395  |
| integration result >= upp              | er limit  | 50%                 | 50%          | 50%          | 50%             | 50%           | 50%          | 50%     | 50%     | 50%     | 100%    | 100%    |
| false                                  |           | 401/401             | 401/401      | 401/401      | 401/401         | 401/401       | 401/401      | 401/401 | 401/401 | 401/401 | 342/401 | 3951/40 |
| true                                   |           | 0/401               | 0/401        | 0/401        | 0/401           | 0/401         | 0/401        | 0/401   | 0/401   | 0/401   | 59/401  | 59/401  |
|                                        |           |                     |              |              |                 |               |              |         |         |         |         |         |
| ogic block " <u>Not engaged</u> "      |           |                     |              |              |                 |               |              |         |         |         |         |         |
| Parent:                                | /attitude | <u>_controller</u>  |              |              |                 |               |              |         |         |         |         |         |
| Metric                                 |           | Coverage            |              |              |                 |               |              |         |         |         |         |         |
| Cyclomatic Complexity                  |           | 0                   |              |              |                 |               |              |         |         |         |         |         |
| Condition (C1)                         |           | 100% (2/2) cor      | ndition outc | omes         |                 |               |              |         |         |         |         |         |



### **Requirements Process take-aways**

- Early requirements validation
  - Eliminates rework typically seen at integration on projects with poor requirements
- Early test case development
  - Validated requirements are complete and verifiable which results in well defined test cases
- Requirements management and traceability
  - Requirements management interfaces provide traceability for design and test cases

# **Design Process for Model-Based Design**

### Model-Based Design

- Create the design Simulink and Stateflow
- Modular design for teams Model Reference
- Model architecture/regression analysis Model Dependency Viewer
- Documented design Simulink Report Generator
- Conformance to standards
  - Design conforms to standards Model Advisor
- Traceability

'he MathWorks

 Design to requirements - Requirements Management Interface



# Example detailed design including model reference and subsystems





### **Model dependency viewer**





### **Example Model Advisor report**

Done

Check for blocks not supported by Real-Time Workshop:

Ŧ



### **Design Verification for Model-Based Design**

- Requirements based test cases
  - Automated testing using SystemTest/Simulink V&V
  - Traceability using Requirements Management Interface
  - Capability to inject faults for FMEA
- Robustness testing and analysis
  - Built in Simulink run-time diagnostics
  - Formal proofs using Simulink Design Verifier
- Coverage Analysis

he MathWorks

- Verify structural coverage of model
- Verify data coverage of model



### SystemTest for requirements based testing



### MathWorks Aerospace and Defense Conference '07

The MathWorks



File:///C:/local\_work\_area/demos/autopilot\_R2007a\_mdlref/attitude\_control\_report/attitude\_control\_report.html

### SystemTest – example report



### MathWorks Aerospace and Defense Conference '07

- 🗆 ×

# **Signal Builder and Assertion Blocks**



Aerospace and Defense Conference '07

**MathWorks** 

The MathWorks



### Model coverage report example – signal ranges

| 🚯 attitude_contr        | oller | Cove           | erag         | e Re   | port       |                |       |              |      |      |       |         |       |       |      |        |        |       |       |       |       |        | _     |    |
|-------------------------|-------|----------------|--------------|--------|------------|----------------|-------|--------------|------|------|-------|---------|-------|-------|------|--------|--------|-------|-------|-------|-------|--------|-------|----|
| jie <u>E</u> dit View ( | 50 C  | De <u>b</u> ug | ι <u>D</u> ε | esktoj | р <u>W</u> | <u>/</u> indov | v H   | <u>i</u> elp |      |      |       |         |       |       |      |        |        |       |       |       |       |        |       | Y  |
| 🕨 🔿 🗢 🛤                 | Å     | <b>ģ</b>   L   | .ocati       | ion:   | file:/     | //⊂:/le        | ocal_ | work_        | area | /dem | os/ai | utopilo | ot_R2 | 2007a | a_md | lref/a | ttituc | le_co | ntrol | _resu | lts19 | 486407 | .html | -  |
| Signal Rai              | nae   | es:            |              | ,      |            |                |       |              |      |      |       |         |       |       |      |        |        |       |       |       |       |        |       |    |
| •                       | Ũ     |                | _            |        | _          |                | _     |              | _    |      | _     |         | _     |       | _    |        | _      |       | _     |       | _     |        |       |    |
| Hierarchy               |       | st1            |              | st2    |            | st3            |       | st4          | Tes  |      |       | st6     |       | st 7  |      | st8    |        | st9   |       | st 10 |       | erall  |       |    |
|                         | Min   | Max            | Min          | мах    | Min        | мах            | Min   | Max          | Min  | Max  | Min   | Max     | Min   | Max   | Min  | Max    | MID    | мах   | Min   | Max   | Min   | Max    |       |    |
| attitude_controller     |       | ~              | ~            |        |            | ~              | ~     | ~            |      | ~    | ~     | ~       | ~     |       |      |        |        | ~     | ~     | ~     | ~     | ~      |       |    |
| <u>Integrator</u>       | 0     | 0              | 0            | U      | 0          | 0              | 0     | 0            | 0    | 0    | U     | 0       | 0     | 0     | 0    | 0      | 0      | 0     | -3    | 3     | -3    | 3      |       |    |
| <u>Not engaged</u>      | 0     | 1              | 0            | 1      | 0          | 1              | 0     | 1            | 0    | 1    | 0     | 1       | 0     | 1     | 0    | 1      | 0      | 1     | 0     | 1     | 0     | 1      |       |    |
| <u>Cmd Limit</u>        | -1    | 1              | -9           | 9      | -10        | 10             | -1    | 1            | -4   | 4    | -5    | 5       | -1    | 1     | -7   | 7      | -7.5   | 7.5   | -4    | 4     | -10   | 10     |       |    |
| <u>Disp Limit</u>       | -1    | 1              | -9           | 9      | -10        | 10             | 0     | 0            | 0    | 0    | 0     | 0       | 0     | 0     | 0    | 0      | 0      | 0     | -1    | 1     | -10   | 10     |       |    |
| <u>Rate Limit</u>       | -1    | 1              | -9           | 9      | -10        | 10             | -1    | 1            | -4   | 4    | -5    | 5       | 0     | 0     | 0    | 0      | 0      | 0     | -1    | 1     | -10   | 10     |       |    |
| <u>Disp Gain</u>        | -1    | 1              | -9           | 9      | -10        | 10             | -1    | 1            | -4   | 4    | -6    | 6       | 0     | 0     | ο    | 0      | 0      | 0     | -1    | 1     | -10   | 10     |       |    |
| <u>Int Gain</u>         | ο     | 0              | 0            | 0      | ο          | 0              | 0     | 0            | 0    | 0    | 0     | 0       | 0     | о     | 0    | ο      | ο      | ο     | -2    | 2     | -2    | 2      |       |    |
| <u>Rate Gain</u>        | -1    | 1              | -9           | 9      | -10        | 10             | -1    | 1            | -4   | 4    | -5    | 5       | -1    | 1     | -7   | 7      | -8     | 8     | -1    | 1     | -10   | 10     |       |    |
| <u>Sum</u>              | -1    | 1              | -9           | 9      | -10        | 10             | -1    | 1            | -1   | 1    | -1    | 1       | 0     | 0     | 0    | 0      | 0      | 0     | -1    | 1     | -10   | 10     |       |    |
|                         | -1    | 4              | -9           | 9      | -10        | 10             | -1    | 1            | -4   |      | -5    | •       | -     | 1     | -1   | 1      | -1     | 1     | -1    | 1     | -10   | 10     |       |    |
| <u>Sum1</u>             | -     | 1              |              | _      |            |                | -     | 1            |      | 4    |       | 5       | -1    | 1     | -    |        | -      |       | -     |       |       |        |       |    |
| <u>Sum2</u>             | -1    | 1              | -9           | 9      | -10        | 10             | -1    | 1            | -4   | 4    | -5    | 5       | -1    | 1     | -7   | 7      | -8     | 8     | -4    | 4     | -10   | 10     |       |    |
|                         |       |                |              |        |            |                |       |              |      |      |       |         |       |       |      |        |        |       |       |       |       |        |       | ÞĒ |
| one                     |       |                |              |        |            |                |       |              |      |      |       |         |       |       |      |        |        |       |       |       |       |        |       |    |
| brie                    |       |                |              |        |            |                |       |              |      |      |       |         |       |       |      |        |        |       |       |       |       |        |       |    |

# Simulink<sup>®</sup> Design Verifier – Coverage Test



#### **Generated Test Cases**

The MathWorks



MathWorks Aerospace and Defense Conference '07

#### **Test Report**

| ina   | diok-I   | locian | Vorifio | r Repo          | et -    |         |         |         |             | - [] |
|-------|----------|--------|---------|-----------------|---------|---------|---------|---------|-------------|------|
| Ed    |          | ew Go  |         |                 |         | Window  | Help    |         |             | _    |
| -     | C        |        |         |                 |         | _       |         | MATLAB/ | sldv_outpul | d i  |
| 'es   | t C      | ase    | I       |                 | _       |         |         |         |             |      |
|       |          | 400    | •       |                 |         |         |         |         |             |      |
| Sumi  | -        |        |         |                 |         |         |         |         |             |      |
| Lengt |          | Count: |         | econd           | s (bis: | ample p | eriods) |         |             |      |
|       |          |        |         |                 |         |         |         |         |             |      |
| )bjec | tives    | Reac   | hed A   | t:              |         |         |         |         |             |      |
| Step  |          | Time   | •       | Objee           | tives   |         |         |         |             |      |
| 1     |          | 0      |         | 1               |         |         |         |         |             |      |
| 2     |          | 0.01   |         | Z               |         |         |         |         |             |      |
|       |          |        |         | <u>5</u>        |         |         |         |         |             |      |
| 3     |          | 0.02   |         | 11              |         |         |         |         |             |      |
|       |          |        |         | <u>16</u><br>18 |         |         |         |         |             |      |
|       |          |        |         | 10              |         |         |         |         |             |      |
| 9     |          | 0.08   |         | 10              |         |         |         |         |             |      |
|       |          |        |         | 14              |         |         |         |         |             |      |
| 13    |          | 0.12   |         | <u>15</u>       |         |         |         |         |             |      |
| Sono  | rated    | Input  | Data    | 1               |         |         |         |         |             |      |
|       |          |        |         |                 |         | _       |         |         |             |      |
| Time  | <u> </u> | 0.01   | 0.02    | 0.07            | 0.08    | _       |         |         |             |      |
| Step  |          | 2      | 3       | 4               | 5       | -       |         |         |             |      |
| raw   | 128      | 1      | 128     | 0               | 128     |         |         |         |             |      |
|       |          |        |         |                 |         |         |         |         |             |      |
|       |          |        |         |                 |         | _       |         |         |             |      |

### **Simulink Design Verifier – Objective Test**

#### Model with Constraints and Objectives

The MathWorks



#### **Generated Test Cases**



### MathWorks Aerospace and Defense Conference '07

#### **Test Report**

| 🔮 Simulink I                                    | Design V      | /erifie       | r Report 📃 🔍                                         |  |  |  |  |  |  |
|-------------------------------------------------|---------------|---------------|------------------------------------------------------|--|--|--|--|--|--|
| <u>File E</u> dit Vi                            | ew Go         | De <u>b</u> u | ug Desktop Window Help 🏻 🔊                           |  |  |  |  |  |  |
| <b>♦ ♦ ∅</b>                                    | 3             | <b>#</b>      | Location: dvdemo_debounce_testconblk_report.html 🔽 👘 |  |  |  |  |  |  |
| Chapte                                          | er 3.         | Tes           | t Cases / Counterexamples                            |  |  |  |  |  |  |
| Table of C                                      | ontent        | s             |                                                      |  |  |  |  |  |  |
| Test Case                                       | Test Case 1   |               |                                                      |  |  |  |  |  |  |
| Test Case                                       | <u> </u>      |               |                                                      |  |  |  |  |  |  |
| Test C                                          | ase ′         | 1             |                                                      |  |  |  |  |  |  |
| Summary<br>Length:<br>Objective (<br>Objectives | C<br>Count: 2 | 2             | Geconds (4 sample periods)<br>.t:                    |  |  |  |  |  |  |
| Step                                            | Time          |               | Objectives                                           |  |  |  |  |  |  |
| 7                                               | 0.06          |               | 2                                                    |  |  |  |  |  |  |
| 13                                              | 0.12          |               | 1                                                    |  |  |  |  |  |  |
| 15                                              | 0.12          |               | 1                                                    |  |  |  |  |  |  |
| Generated                                       | i Input       | Data.         |                                                      |  |  |  |  |  |  |
| Time 0                                          | 0.01          | 0.07          |                                                      |  |  |  |  |  |  |
| Step 1                                          | 2             | 3             |                                                      |  |  |  |  |  |  |
| raw O                                           | 1             | 0             | 1                                                    |  |  |  |  |  |  |
|                                                 | 4             |               | -                                                    |  |  |  |  |  |  |
| •                                               |               |               |                                                      |  |  |  |  |  |  |
| Done                                            |               |               |                                                      |  |  |  |  |  |  |

### **Simulink Design Verifier – Property Proving**

#### Model with Assumption and Objective



The MathWorks

#### Property to be proven



### MathWorks Aerospace and Defense Conference '07

#### Report

| 6 | Simulink Design Verifier Rej                      | port _OX                                         |
|---|---------------------------------------------------|--------------------------------------------------|
| Ē | jile <u>E</u> dit View Go De <u>b</u> ug <u>D</u> | 2esktop Window Help 🏻 🛥                          |
| 4 | 🕨 🔿 😂 🛛 🎒 Locat                                   | tion: /sldvdemo_debounce_assumeblk_report.html 💌 |
|   | Salonopon                                         |                                                  |
| L | ReportFileName                                    | \$ModelName\$_report                             |
|   | ReportIncludeGraphics                             | off                                              |
|   | DisplayReport                                     | on                                               |

#### **Chapter 2. Test/Proof Objectives**

Table of Contents

<u>Status</u> Verify True Output

#### Status

Table 2.1. Objectives having No Counterexamples of 20 or Fewer Steps

| #: | Туре   | Model Item       | Description                  |
|----|--------|------------------|------------------------------|
| 1  | Assert | <u>Assertion</u> | Assertion "Assertion" assert |

With the following active constraints:

| Name       | Constraint |
|------------|------------|
| Assumption | {01}       |

#### Verify True Output

#### Objectives of: Assertion

| #: | Status      | Test Cases | Description |   |
|----|-------------|------------|-------------|---|
| 1  | Undecidable | n/a        | assert      |   |
| (  |             |            |             | ì |
|    |             |            |             |   |



### **Design Process take-aways**

- Modular reusable implementations
  - Platform independent design and code
  - Scalable to large teams
- Consistent and compliant implementations
  - Common design language
  - Automated verification of standards compliance
- Efficient verification process
  - Develop verification procedures in parallel with design
  - Automated analysis techniques
  - Coverage analysis early in the process



# **Coding Process for Model-Based Design**

- Incremental code generation
  - Model Reference
- Traceability
  - HTML Code Report
- Source code verification
  - Complies with standards using PolySpace MISRA-C Checker
  - Accurate, consistent and robust using PolySpace Verifier

## **Incrementally Generate Code**

 Incremental code generation is supported via Model Reference

The MathWorks

 When a model is changed, only models depending on it are subject to regeneration of their code





- Reduces application build times and ensure stability of a project's code
- Degree of dependency checking is configurable



### **Add Links to Requirements**



# **Compliance history of generated code**

• Our MISRA-C test suite consists of several example models

The MathWorks

• Results shown for most frequently violated rules



- Improving MISRA-C compliance with each release, e.g.
  - Eliminate Stateflow *goto* statements (R2007a)
  - Compliant parentheses option available (R2006b)
  - Generate *default* case for *switch-case* statements (R2006b)
- MathWorks MISRA-C Compliance Package available upon

request http://www.mathworks.com/support/solutions/data/1-1IFP0W.html MathWorks Aerospace and Defense Conference '07



### **Coding Process take-aways**

- Reusable and efficient source code
- Traceability
- MISRA-C compliance
- Static verification and analysis



### **Integration Process for Model-Based Design**

- Executable object code generation
  - ANSI/ISO C or C++ compatible compiler
  - Makefile generation capability
  - Run-time libraries provided
- Executable object code verification
  - Capability to build interface for Processor-In-the-Loop (PIL) testing
  - Analyze code coverage during PIL
  - Analyze execution time during PIL



### **Processor-in-the-Loop (PIL) Verification**

- Execute Generated Code on Target Hardware



MathWorks Embedded Target Aerospace and Defense Conference '07



### **Integration Process take-aways**

- Integration with multiple development environments
- Efficient processor in-the-loop test capability



## Wrap-up

- Tools to support the entire safety critical development process
  - Requirements
  - Design
  - Code
  - Executable
  - Verification
- MathWorks is participating on SC-205/WG-71 committee which is working on Revision C of DO-178
- See the various demos in the exhibit area