Functional Safety and Verification
Tom Erkkinen
May, 2019
© 2019 The MathWorks, Inc.
Introduction
▪ IEC 61508 is the functional safety standard for Industrial Automation and the umbrella for industry-specific adaptations:
– EN 50128 - Rail
– IEC 62304 - Medical
– IEC 61511 - Process Control
– ISO 26262 - Automotive
Supported by IEC Certification Kit (for ISO 26262 and IEC 61508)
▪ ISO 26262 is the functional safety standard for Road Vehicles and consists of:
– Part 1: Vocabulary
– Part 2: Management of functional safety
– Part 3: Concept phase
– Part 4: Product development at the system level
– Part 5: Product development at the hardware level
– Part 6: Product development at the software level
– Part 7: Production and operation
– Part 8: Supporting processes
– Part 9: Automotive Safety Integrity Level (ASIL)-oriented and safety-oriented analyses
ISO 26262 is rooted in Model-Based Design and states its benefits: "The seamless utilization of models facilitates highly consistent and efficient development."
Certification Kit
ISO 26262-6:2018 notes Simulink and Stateflow as suitable for software architecture and design, and as the basis for code generation.
Table 2, Software Architecture Design Notations, has similar suitability wording for the use of Simulink and Stateflow.
V&V for ISO 26262 Workflow
▪ Shift left V&V (focus on the model)
▪ The model becomes the truth
▪ Automate implementation and verification
[V-diagram: textual requirements -> (modeling) -> executable specification -> model used for production code generation -> (code generation) -> generated code -> (compilation and linking) -> object code. Verification activities along the V: reviews and static analysis at the model level; module and integration testing at the model level; prevention of unintended functionality; reviews and static analysis at the code level; back-to-back testing.]
Reference Workflow
Basic tool chain
[Workflow diagram: textual requirements -> executable specification -> model used for production code generation -> generated code -> object code, with the following tools applied along the workflow]
– Simulink Requirements*, IEC Cert Kit (for trace)
– Simulink Test and Simulink Coverage (for MIL)*
– Simulink Check*
– Simulink Test and Simulink Coverage (for SIL)*
– Simulink Test (for PIL)*
– Simulink / Stateflow / AUTOSAR Blockset, Embedded Coder*
*Qualifiable
Reference Workflow
Advanced tool chain
[Workflow diagram: textual requirements -> executable specification -> model used for production code generation -> generated code -> object code, with the following tools applied along the workflow]
– Simulink Requirements, IEC Cert Kit (for trace)
– Simulink Test and Simulink Coverage (for MIL)*
– Simulink Check*
– Simulink Design Verifier*
– Simulink Test and Simulink Coverage (for SIL)*
– Simulink Test (for PIL)*
– Polyspace*
– Simulink / Stateflow / AUTOSAR Blockset, Embedded Coder*
*Qualifiable
Simulink Requirements
Work with requirements without leaving Simulink
Requirements Capture
• Author requirements in Simulink
• Drag and drop to create links
Manage and Analyze Requirements
• Identify gaps in design or test
• Respond to requirement changes
Requirements Traceability
• Trace to design, code and test
• Understand impact to design
Simulink Check
Automate verification and correct models to improve design
Standards & Guidelines Checks
• Automate compliance to standards
• Customize checks
Edit Time Checking
• Find and fix compliance issues while you design
• Avoid rework later
Model Metrics
• Analyze complexity, size, reusability
• Assess design quality
Model Refactoring
• Find clones and modeling patterns
• Refactor to improve maintainability
Simulink Coverage
Measure test coverage in models and generated code
Model Coverage
• Measure test completeness
• Identify missing tests or unintended functionality
Generated Code Coverage
• Find untested generated code
• Map results from code to model object
Highlighting and Reporting
• View coverage results on diagrams
• Manage accumulated coverage results
Simulink Test
Develop, manage, and execute simulation-based tests
Test Harnesses
• Synchronized, simulation test environment
Test Sequence Block
• Define inputs and assessments based on logical, temporal conditions
Test Manager
• Author, execute, manage test cases
• Review, export, report
[Figure: a test harness wrapping the component under test taken from the main model, driven by an Excel input template and baseline data]
Simulink Design Verifier
Use formal methods to identify design errors
Design Error Detection
• Uncover hard to find dead logic and design flaws
Test Generation
• Automate test case generation to complete coverage
Requirements Proving
• Formally prove that the design meets requirements
Model Slicer
• Simplify models to isolate behavior
Qualify tools with IEC Certification Kit and DO Qualification Kit
▪ Qualify code generation and verification products
▪ Includes documentation, test cases and procedures
Customer examples:
– KOSTAL Asia R&D Center Receives ISO 26262 ASIL D Certification for Automotive Software Developed with Model-Based Design
– BAE Systems Delivers DO-178B Level A Flight Software on Schedule with Model-Based Design
Customer References and Applications
– Airbus Helicopters Accelerates Development of DO-178B Certified Software with Model-Based Design: software testing time cut by two-thirds
– LS Automotive Reduces Development Time for Automotive Component Software with Model-Based Design: specification errors detected early
– Continental Develops Electronically Controlled Air Suspension for Heavy-Duty Trucks: verification time cut by up to 50 percent
More User Stories: [Link]/company/user_stories.html
MathWorks V&V Solution Summary
Requirements
Author, manage, and trace requirements
Standards Compliance
Verify compliance with standards and guidelines
Testing
Develop, manage, execute simulation-based tests
Formal Verification
Prove design meets requirements, prove robustness
Coverage Analysis
Measure model and generated code coverage
Static Code Analysis
Check bugs, MISRA compliance, prove code
SIL, PIL
Perform back-to-back testing
MathWorks V&V Product Capabilities
Requirements
Simulink Requirements* (New in R2017b)
Standards Compliance
Simulink Check* (New in R2017b)
Testing
Simulink Test
Formal Verification
Simulink Design Verifier
Coverage Analysis
Simulink Coverage* (New in R2017b)
Static Code Analysis
Polyspace Bug Finder, Polyspace Code Prover
SIL, PIL
Simulink Test
* Customers with Simulink V&V licenses will automatically receive these new products
System Composer
System Composer for architecture modeling
Support for Simulink Requirements:
▪ Entering the Requirements Perspective in the Architecture Editor
▪ Components in the Architecture Editor can be linked with requirements
▪ Requirements browser, Property Inspector, Requirements annotation, and drag-and-drop linking are available in the Architecture Editor
IEC Certification Kit
▪ R2018a, A-SPICE Level 2 Assessment: MathWorks development processes are A-SPICE Level 2. Assessed by Continental Automotive.
▪ R2018b, Compliant with 2nd Edition: assessed by TÜV SÜD.
▪ R2019a, SOTIF Guidance
Your V&V Workflow?
[Same V-diagram as before: textual requirements -> (modeling) -> executable specification -> model used for production code generation -> (code generation) -> generated code -> (compilation and linking) -> object code, with reviews and static analysis at the model level, module and integration testing at the model level, prevention of unintended functionality, reviews and static analysis at the code level, and back-to-back testing]
Simulink for AUTOSAR
© 2019 The MathWorks, Inc.
Agenda
▪ AUTOSAR is already on the road
▪ Simulink for AUTOSAR
▪ Simulink for Adaptive Platform
AUTOSAR Classic is already on the road
▪ BMW - Model-Based Software Development: An OEM's Perspective
▪ FCA Global Powertrain Controls - Leveraging MBD, auto-code generation and AUTOSAR to architect and implement an Engine Control Application for series production
▪ LG Chem - Developing AUTOSAR and ISO 26262 Compliant Software for a Hybrid Vehicle Battery Management System with Model-Based Design
▪ John Deere - Vertical AUTOSAR System Development at John Deere
AUTOSAR at a System Level
Agenda
▪ AUTOSAR is already on the road
▪ Simulink for AUTOSAR
– Importing and exporting AUTOSAR descriptions artifacts (ARXML files)
– AUTOSAR Coder Dictionary
– Simulation of AUTOSAR ECU software
– Blocks for AUTOSAR Library routines
▪ Simulink for Adaptive Platform
Importing and Exporting AUTOSAR SW-C Descriptions (ARXML files)
Introducing the AUTOSAR "perspective" in a Simulink model
[Screenshot of the AUTOSAR perspective with three panes:]
– Quick Help: help on configuring the model for AUTOSAR
– Property Inspector: view/edit AUTOSAR SW-C properties
– Code Mappings spreadsheet: view/edit all blocks and elements configured for AUTOSAR
Functional simulation of AUTOSAR basic software is critical for AUTOSAR ECU development
AUTOSAR ECU layered architecture: Application Software / RTE / Basic Software
▪ Many calls between application software and basic software
▪ Basic software functionality is highly dynamic
▪ Simulation of basic software reduces development time and improves software quality
BSW library blocks allow users to simulate client/server calls
Basic Software Library: the BSW AUTOSAR specs (detailed specifications of the Diagnostic Event Manager) are encapsulated in blocks
– Client block resides in the SWC application
– Server block resides in the simulation test harness
AUTOSAR Library Routines
Generated code calling an AUTOSAR Ifl interpolation library routine with the runnable's input and the calibration data (breakpoints and table) read through the RTE:
Rte_IWrite_Runnable_Step_Out1_Out1(Ifl_IntIpoCur_f32_f32(
    Rte_IRead_Runnable_Step_In1_In1(), Rte_CData_L_4_single()->Nx,
    Rte_CData_L_4_single()->Bp1, Rte_CData_L_4_single()->Table));
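To make visible what the generated expression above computes, here is an added example that is not code from the original slides, AUTOSAR or MathWorks: a curve interpolation in C++ following the argument order of Ifl_IntIpoCur_f32_f32 (input, Nx, Bp1, Table), with constructed calibration data standing in for Rte_CData_L_4_single(). The names ipo_curve_f32 and runnable_step, the saturation at both ends of the breakpoint range and the defensive checks are assumptions.

```cpp
#include <cstddef>
#include <cstdint>

// Added illustration (not AUTOSAR's or MathWorks' code) of a 1-D curve
// interpolation with the same argument order as the Ifl_IntIpoCur_f32_f32
// call above: Xin is the runnable input, Nx the number of breakpoints, Bp1
// the increasing breakpoints and Table the matching output values.
float ipo_curve_f32(float Xin, std::uint16_t Nx, const float* Bp1, const float* Table)
{
    // Defensive checks: empty or missing calibration data yields 0 instead of
    // an out-of-bounds read. Generated code trusts the calibration data, so
    // its consistency (Nx matching the array sizes) must be ensured upstream.
    if (Nx == 0 || Bp1 == nullptr || Table == nullptr) return 0.0f;
    // Saturate below the first and above the last breakpoint (assumed).
    if (Xin <= Bp1[0]) return Table[0];
    if (Xin >= Bp1[Nx - 1]) return Table[Nx - 1];
    // Find the interval [Bp1[i], Bp1[i+1]) that contains Xin.
    std::size_t i = 0;
    while (i + 1 < Nx && Xin >= Bp1[i + 1]) ++i;
    const float dx = Bp1[i + 1] - Bp1[i];
    // Duplicate breakpoints would divide by zero; treat them as a step.
    if (dx <= 0.0f) return Table[i];
    return Table[i] + (Xin - Bp1[i]) / dx * (Table[i + 1] - Table[i]);
}

// Constructed calibration data standing in for Rte_CData_L_4_single():
// a four-point curve.
static const std::uint16_t kNx = 4;
static const float kBp1[kNx] = {0.0f, 10.0f, 20.0f, 40.0f};
static const float kTable[kNx] = {0.0f, 5.0f, 8.0f, 9.0f};

// Mirrors the Rte_IWrite(Ifl(Rte_IRead(), ...)) expression above: the
// runnable reads In1, interpolates, and the result is what would be written
// to Out1 through the RTE.
float runnable_step(float in1)
{
    return ipo_curve_f32(in1, kNx, kBp1, kTable);
}
```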
Agenda
▪ AUTOSAR is already on the road
▪ Simulink for AUTOSAR
▪ Simulink for Adaptive Platform
– Motivation for New AUTOSAR Platforms
– A closer look at the Adaptive layers
– Mapping Adaptive platform to Simulink
– Code Generation for Adaptive components
Motivation for new AUTOSAR Platforms
▪ Main drivers – Automated driving, Car-2-car/infrastructure applications
Expansion of AUTOSAR based on Autonomous Applications
▪ In 2016 work started on creating these additional AUTOSAR Platforms
▪ March of 2017 is the first published release of the AUTOSAR Adaptive Platform
From [Link] – AUTOSAR Introduction
AUTOSAR Platforms
Legend: N = Non-AUTOSAR, C = Classic AUTOSAR, A = Adaptive AUTOSAR
[Figure: a vehicle network mixing N, C and A ECUs]
Non-AUTOSAR: Software / Hardware
Classic AUTOSAR: Application Software / RTE / Basic Software / Hardware
Adaptive AUTOSAR: Adaptive Application Software / ARA / Services / Basic Services / High Performance Hardware/Virtual Machine
Either AUTOSAR Platform benefits from Design in Simulink
Classic AUTOSAR: Application Software / RTE / Basic Software / Hardware
Adaptive AUTOSAR: Adaptive Application Software / ARA / Services / Basic Services / High Performance Hardware/Virtual Machine
Power of Simulation in the Application Layer aligns well with Algorithm Development
AUTOSAR Layered Software Architecture (Adaptive)
– Adaptive Application Components: Adaptive Applications (SW-C)
– AUTOSAR Run-time for Adaptive (ARA): Execution API, Communication API, S/W CM, Diagnostics (APIs and Services)
– Adaptive AUTOSAR Services and Adaptive AUTOSAR Foundation (Basic Services, OS)
– High Performance Hardware/Virtual Machine
Key Concept #1
Everything is a process .. as in "OS process"
[Figure: OS Process #1 to #4, each hosting one Adaptive Application (SW-C), on top of the AUTOSAR Run-time for Adaptive (ARA) with its Execution API and Communication API]
– Execution API: provides multi-process OS capability (POSIX compliant), process life-cycle management, process scheduling
– Communication API: inter-process communication
Notes: Each OS Process
- Corresponds to main() in C/C++ code
- Has own memory space & namespace
- Can be single or multi-threaded
Key Concept #2
Service-oriented inter-process communication
[Figure: Linux Machine 1 and Linux Machine 2, each running several processes that communicate over IPC within the machine and over the network between machines]
Key Concept #2
Service-oriented communication
▪ A Service Interface can contain:
– Methods (Functions)
– Events (Messages)
– Fields (Data)
<<interface example>> RadarService
• Methods: result = Calibrate(config); [success, out_pos] = Adjust(in_pos)
• Event: BrakeEvent
• Field: UpdateRate
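The RadarService interface above, as an added example in plain C++ that is not part of the original deck and does not use the ara::com API: it models what each element kind means to a client (methods answer requests, events are delivered to subscribers, the field is data that can be read and written). The class layout, the calibration rule, the adjustment offset and the update-rate limits are constructed assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <utility>
#include <vector>

// Added illustration (not ara::com and not MathWorks code) of the three kinds
// of element in the RadarService interface: methods (request/response),
// events (published to subscribers) and fields (data with get/set). The
// calibration rule, adjustment offset and rate limits are constructed.
class RadarService {
public:
    // Method: result = Calibrate(config). Assumed: config 0 is invalid.
    bool Calibrate(std::uint32_t config) {
        calibrated_ = (config != 0);
        return calibrated_;
    }

    // Method: [success, out_pos] = Adjust(in_pos). Refused until calibrated,
    // so a client cannot act on an uncalibrated sensor.
    std::pair<bool, float> Adjust(float in_pos) const {
        if (!calibrated_) return {false, 0.0f};
        return {true, in_pos + offset_};
    }

    // Event: BrakeEvent. Subscribers register a handler; raising the event
    // delivers the payload to every subscriber and returns the count notified.
    using BrakeHandler = std::function<void(float)>;
    void SubscribeBrakeEvent(BrakeHandler h) { brake_handlers_.push_back(std::move(h)); }
    std::size_t RaiseBrakeEvent(float decel) const {
        for (const auto& h : brake_handlers_) h(decel);
        return brake_handlers_.size();
    }

    // Field: UpdateRate. Readable and writable; the setter validates the
    // value (assumed range 1..100 Hz) instead of trusting the client.
    std::uint32_t GetUpdateRate() const { return update_rate_hz_; }
    bool SetUpdateRate(std::uint32_t hz) {
        if (hz == 0 || hz > 100) return false;
        update_rate_hz_ = hz;
        return true;
    }

private:
    bool calibrated_ = false;
    float offset_ = 0.5f;               // constructed adjustment offset
    std::uint32_t update_rate_hz_ = 10; // constructed default rate
    std::vector<BrakeHandler> brake_handlers_;
};
```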
Key Concept #3: Everything is C++
[Figure: Adaptive Platform functional clusters]
User Applications: Adaptive Applications, ASW::XYZ, ASW::ABC, Non-PF Services
AUTOSAR Run-time for Adaptive (ARA):
– ara::com: Communication Mgmt. (SOME/IP, DDS, IPC)
– ara::rest: RESTful
– ara::tsync: Time Synchronization
– ara::sm service: State Management
– ara::diag service: Diagnostics Management
– ara::phm: Platform Health Mgmt. (local)
– ara::per: Persistency
– ara::s2s service: Signal to Service Mapping
– ara::nm service: Network Management
– ara::core: Core Types
– ara::exec: Execution Mgmt.
– ara::iam: Identity Access Mgmt.
– ara::log: Logging & Tracing
– ara::crypto: Cryptography
– ara::ucm service: Update and Configuration Management
Operating System: POSIX PSE51 / C++ STL
High Performance Hardware/Virtual Machine
Motivation for Simulink to support Adaptive
▪ Simulink is heavily used for AUTOSAR Classic
▪ Customers have requested Simulink support for the Adaptive platform
▪ Simulink supports service oriented modelling
▪ Embedded Coder generates C and C++ code
▪ MathWorks participates in the AUTOSAR standard development, including both Classic and Adaptive platforms
Mapping AUTOSAR AP Concepts to Simulink
Adaptive Application, RequiredPort "Radar":
"Radar" : {
    // events
    "event" : [
        "leftLaneDistance",
        "leftTurnIndicator",
        "leftCarInBlindSpot",
        "rightLaneDistance",
        "rightTurnIndicator",
        "rightCarInBlindSpot"
    ],
    // methods
    "method" : [ "Calibrate", "Adjust" ],
    // fields
    "field" : [ "updateRate" ]
}
Mapping AUTOSAR AP Concepts to Simulink
Adaptive Application, ProvidedPort "Radar":
"Radar" : {
    // events
    "event" : [
        "leftHazardIndicator",
        "rightHazardIndicator"
    ],
    // methods
    "method" : [ "Calibrate", "Adjust" ],
    // fields
    "field" : [ "updateRate" ]
}
Example of Configuring a model for Adaptive Platform
Change Target to AUTOSAR Adaptive
Enter Code Perspective to start the Configuration process
AUTOSAR Quick Start – Set Component
Quick Start Complete – Code Mappings setup for AS Port Events
Adaptive AUTOSAR Dictionary – Notice the Service Interfaces
Generate Code for the Adaptive AUTOSAR Model
C++ Adaptive AS Code
ara Functional Cluster API
Software Component Description Files Generated
Adaptive Standalone Application Code needs a [Link]
Generate Production AUTOSAR Adaptive C++ Code
AUTOSAR support:
1. Configure Model
   ✓ System Target File
   ✓ AUTOSAR Dictionary
2. Generate C++ code: <model>.cpp, *.hpp, *.cpp, *.arxml, [Link]
To learn more, please visit AUTOSAR webpage