MATLAB EXPO

Meet Certification Standards with Automated Requirements Based Testing

Paul Urban, Verification and Validation Product Manager



# **Challenge to Deliver Complex Systems and Meet Standards**

- Need to meet industry or customer's standards
  - DO-178C (Aero), ISO 26262 (Auto), IEC 62304 (Medical), IEC 61508 (Industrial), MISRA, etc.
- Safety-critical projects are estimated to cost 20-30 times more in time and money\*
- Finding defects late increases cost and time







\*Source: Certification Requirements for Safety-Critical Software





# ISO 26262-6:2018 notes Simulink and Stateflow as Suitable for Software Architecture, Design and as basis for Code Generation

|    | Notations                          | ASIL A | ASIL B | ASIL C | ASIL D |
|----|------------------------------------|--------|--------|--------|--------|
| 1a | Natural language <sup>a</sup>      | ++     | ++     | ++     | ++     |
| 1b | Informal notations                 | ++     | ++     | ++     | +      |
| 1c | Semi-formal notations <sup>b</sup> | +      | +      | ++     | ++     |
| 1d | Formal notations                   | +      | +      | +      | +      |

<sup>a</sup> Natural language can complement the use of notations, for example where some topics are more readily expressed in natural language, or to provide an explanation and rationale for decisions captured in the notations. EXAMPLE: To avoid possible ambiguity of natural language when designing complex elements, a combination of an activity diagram with natural language can be used.

<sup>b</sup> Semi-formal notations can include pseudocode or modelling with UML®, SysML®, Simulink® or Stateflow®.

NOTE: UML®, SysML®, Simulink® and Stateflow® are examples of suitable products available commercially. This information is given for the convenience of users of this document and does not constitute an endorsement by ISO of these products.

Table 2 (Software Architecture Design Notations) has similar suitability wording for the use of Simulink and Stateflow.




## **Qualify tools with IEC Certification Kit and DO Qualification Kit**

- Qualify code generation and verification products
- Includes documentation, test cases and procedures














#### **Conform to Certification Standards with Reference Workflow**



#### Model Verification: Discover design errors at design time









#### **Code Verification: Gain Confidence in the Generated Code**







# **Manage Requirements**

#### **Model Verification**

- Manage requirements
- Check standard compliance
- Systematically test
- Measure model coverage
- Detect design errors
- Prove model behavior compliance







# **Manage Requirements**




- Ensure all requirements implemented
- Verify the implementation is correct
- Respond quickly to requirement changes





# Work with Requirements, Architecture and Design Together







#### **Demo: Requirements Perspective**








# **Test and Requirements Traceability**








## **Review and Analyze Traceability with Traceability Matrix**



Requirement is missing link to Test Case





# **Review and Analyze Traceability with Traceability Matrix**

- Review links between different requirements, model, test
- Filter view to manage large sets of artifacts
- Highlight missing links
- Directly add links to address gaps
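The traceability matrix and the coverage scoping described in this deck, as an added example in Python that is not MathWorks code: it models requirements with implementation and verification links, reports requirements that lack a link, and aggregates decision coverage either over all tests or only over tests linked to a requirement. The artifacts (Requirement 1, Testcase 1, block MPSwitch1 and its outcomes) are constructed sample data.

```python
"""Added example (not MathWorks code): a small traceability matrix and
requirement-scoped coverage aggregation over constructed artifacts."""
from dataclasses import dataclass, field


@dataclass
class Requirement:
    rid: str
    implemented_by: set = field(default_factory=set)  # model elements (implementation links)
    verified_by: set = field(default_factory=set)     # test cases (verification links)


@dataclass
class TestCase:
    tid: str
    outcomes_hit: set = field(default_factory=set)    # (block, decision outcome) pairs hit


def traceability_gaps(reqs):
    """Map each requirement with a missing link to the link kinds it lacks."""
    gaps = {}
    for r in reqs:
        missing = [kind for kind, links in (("implementation", r.implemented_by),
                                            ("test", r.verified_by)) if not links]
        if missing:
            gaps[r.rid] = missing
    return gaps


def decision_coverage(reqs, tests, all_outcomes, scope_to_requirements):
    """Aggregate decision outcomes hit; when scoped, ignore tests with no requirement link.

    Returns (hit, total) so the caller can report e.g. 1/3 = 33%."""
    linked_tests = {t for r in reqs for t in r.verified_by}
    hit = set()
    for t in tests:
        if scope_to_requirements and t.tid not in linked_tests:
            continue
        hit |= t.outcomes_hit & all_outcomes
    return len(hit), len(all_outcomes)


# Constructed sample: three decision outcomes on block MPSwitch1, Testcase 1
# linked to Requirement 1, Testcase 2 not linked to any requirement.
MPSWITCH_OUTCOMES = {("MPSwitch1", "=1"), ("MPSwitch1", "=2"), ("MPSwitch1", "=3")}
REQUIREMENTS = [
    Requirement("Requirement 1", {"MPSwitch1"}, {"Testcase 1"}),
    Requirement("Requirement 2", {"Gain1"}, set()),  # implemented but never tested
]
TESTS = [
    TestCase("Testcase 1", {("MPSwitch1", "=1")}),
    TestCase("Testcase 2", {("MPSwitch1", "=2"), ("MPSwitch1", "=3")}),
]


def report():
    scoped = decision_coverage(REQUIREMENTS, TESTS, MPSWITCH_OUTCOMES, True)
    unscoped = decision_coverage(REQUIREMENTS, TESTS, MPSWITCH_OUTCOMES, False)
    return {"gaps": traceability_gaps(REQUIREMENTS), "scoped": scoped, "unscoped": unscoped}


if __name__ == "__main__":
    r = report()
    print("Missing links:", r["gaps"])
    for label in ("scoped", "unscoped"):
        hit, total = r[label]
        print(f"{label} decision coverage: {hit}/{total} = {100 * hit // total}%")
```

Unscoped coverage reports 3/3 because the unlinked Testcase 2 hits the remaining outcomes; scoping to requirement-linked tests exposes that only 1/3 of the decision is covered by requirements-based testing.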




# **Systematic Functional Testing of Model**








## **Requirements Based Verification with Simulink Test**







#### **Measure completeness of testing**








# **Coverage Analysis to Measure Testing**







#### **Test and Requirements Traceability in Coverage Results**







## **Scoping Model Coverage to Requirements-Based Tests** (R2020a)

















## **Address missing Requirements Based Test Coverage**

- Add missing implementation links to requirements
- Update test to increase target speed







# **100% Coverage but Testing Identified Error in Implementation**

Test Manager results (2020-Mar-02 23:59:38): six requirements-based tests (Brake Test, Decrement Test, Enable Test, Increment Test, Set Speed Test, Throttle Test), 5 passed and 1 failed.

#### Aggregated Coverage Results

Create a coverage report from coverage results to justify or exclude missing coverage. The filters and updated coverage values will be displayed with this result.








# **Additional Testing Identified Error in Implementation**







# Scoped Model Coverage to Requirements-Based Tests (R2020a)

Test Manager screenshot (Results: 2019-Oct-02 19:02:58): analyzed model testReqLinkBasic with Testcase 1 and Testcase 2, with the option "Scope coverage results to linked requirements" enabled. Requirement testing details for the MultiPortSwitch block "MPSwitch1":

| Implemented Requirements | Verified by Tests | Associated Runs |
|--------------------------|-------------------|-----------------|
| Requirement 1            | Testcase 1        | T1              |

| Metric                | Coverage                        |
|-----------------------|---------------------------------|
| Cyclomatic Complexity | 2                               |
| Decision              | 33% (1/3) decision outcomes     |
| Execution             | 100% (1/1) objective outcomes   |

Decisions analyzed (truncated input value, 33%): outcome "= 1 (output is from input port 1)" is hit by a linked requirements-based test and satisfied; outcome "= 2 (output is from input port 2)" is also listed.

#### **Check standard compliance**








# **Verify Design to Guidelines and Standards**

Check for:

- Readability and Semantics
- Performance and Efficiency
- Clones
- And more









#### Built in checks for industry standards and guidelines

- DO-178/DO-331
- **ISO 26262**
- **IEC 61508**
- **IEC 62304**
- EN 50128
- MISRA C:2012
- CERT C, CWE, ISO/IEC TS 17961
- MAB (MathWorks Advisory Board)
- JMAAB (Japan MATLAB Automotive Advisory Board)







# **Shift Verification Earlier With Edit-Time Checking**







# **Detect Design Errors with Formal Methods**








# **Detect Design Errors Using Formal Methods**



- Find design errors
  - Integer overflow
  - Dead Logic
  - Division by zero
  - Array out-of-bounds
  - Range violations
- Generate counter example to reproduce error





#### **Prove Model Behavior Compliance**








# **Proving Model Meets Requirements**

### Safety Requirement

When the brake is applied for three consecutive steps, the throttle shall go to zero.

Need to ensure the design performs correctly.
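The property proving and counterexample generation described in this deck, applied to the safety requirement above, as an added example that is not Simulink Design Verifier code: a constructed throttle controller is explored exhaustively in Python over its finite reachable state space, and the checker either proves the requirement (no reachable violation) or returns the shortest input sequence that reproduces one. The controller, its injected design error (the brake is ignored while the accelerator is pressed) and the 10% throttle step are all assumptions of the example.

```python
"""Added example (not Simulink Design Verifier code): exhaustive state-space
exploration of a constructed throttle controller against the requirement
"brake applied for three consecutive steps => throttle is zero"."""
from collections import deque
from itertools import product

INPUTS = list(product((False, True), repeat=2))  # every (brake, accel) combination
INITIAL_STATE = (0, 0)                           # (throttle percent, consecutive-brake count)


def controller_step(state, brake, accel, ignore_brake_while_accel=False):
    """One sample of the constructed controller. The flag injects a design
    error: a brake press is ignored while the accelerator is also pressed."""
    throttle, brake_count = state
    braking = brake and not (ignore_brake_while_accel and accel)
    brake_count = min(brake_count + 1, 3) if braking else 0
    if brake_count >= 3:
        throttle = 0
    elif accel:
        throttle = min(throttle + 10, 100)
    return throttle, brake_count


def buggy_step(state, brake, accel):
    return controller_step(state, brake, accel, ignore_brake_while_accel=True)


def requirement_holds(state, last3_brake):
    """The safety requirement as a predicate on the current state."""
    return not all(last3_brake) or state[0] == 0


def prove_brake_property(step):
    """Breadth-first exploration of every reachable (state, brake history) pair.

    Returns None when the requirement holds in all reachable states (a proof,
    because the state space is finite), otherwise the shortest input sequence
    that reaches a violation, i.e. a counterexample to replay."""
    start = (INITIAL_STATE, (False, False, False))
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        state, history = node
        if not requirement_holds(state, history):
            return _trace_to(parent, node)
        for brake, accel in INPUTS:
            nxt = (step(state, brake, accel), history[1:] + (brake,))
            if nxt not in parent:
                parent[nxt] = (node, (brake, accel))
                queue.append(nxt)
    return None


def _trace_to(parent, node):
    """Walk the BFS parent links back to the initial state, collecting inputs."""
    inputs = []
    while parent[node] is not None:
        node, step_input = parent[node]
        inputs.append(step_input)
    return inputs[::-1]


def replay(step, inputs):
    """Re-simulate a counterexample; returns the final (throttle, brake_count)."""
    state = INITIAL_STATE
    for brake, accel in inputs:
        state = step(state, brake, accel)
    return state


if __name__ == "__main__":
    print("correct controller:", prove_brake_property(controller_step))  # None means proven
    cex = prove_brake_property(buggy_step)
    print("buggy controller counterexample:", cex, "->", replay(buggy_step, cex))
```

The counterexample is three steps of brake and accelerator pressed together, the shortest input sequence that can satisfy the requirement's premise, and replaying it on the corrected controller confirms the throttle goes to zero.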







### Model functional and safety requirements









### Link requirements to properties







### **Prove That Design Meets Requirements**









# **Debugging Property Proving Violations**




# **Resolve unexpected behavior in a model with Model Slicer**

#### Isolate

Find the area of the model responsible for unexpected behavior

#### Analyze dependencies

Understand data & control dependencies in large or complex models

#### Inspect slice regions

Highlight model slices for time windows, or for failure states and transitions in Stateflow.

#### Debug simulation behavior

Step through precompiled slices to understand signal and port value propagation



### **Correct Model**


# **Code Verification: Gain Confidence in the Generated Code**







# **Back-to-Back Testing**







# **Automate Test Creation using Test Manager Wizard**

Test Manager wizard screenshot with the options Test File from Model (create a test file from model), Test for Model Component and Test from Spreadsheet, followed by the generated equivalence test for the subsystem 'rtwdemo_sil_block/Controller' (releases for simulation: Current):

| Equivalence Test | Simulation 1               | Simulation 2                  |
|------------------|----------------------------|-------------------------------|
| Model            | rtwdemo_sil_block          | rtwdemo_sil_block             |
| Test harness     | rtwdemo_sil_block_Harness1 | rtwdemo_sil_block_SILHarness1 |
| Simulation mode  | Normal                     | Software-in-the-Loop (SIL)    |

- Guided steps to define component to test, inputs, type of test and format for output
- Wizard generates required test harness
- Auto generate tests using Simulink Design Verifier



## **Cross Release SIL/PIL Test Harness Generation**



- Create a SIL/PIL test harness using code that was generated in a previous release
- Modify existing SIL/PIL test harnesses to store the build folder path information which can be used for rebuild

Screenshot: the R2019 build folder Amplifier0_ert_rtw with its generated code and build artifacts (Amplifier0.c, codeInfo.mat, compileInfo.mat, defines.txt, modelsources.txt, ...) beside the Create Test Harness dialog for component under test rtwdemo_counter/Amplifier, with Verification Mode: Software-in-the-Loop (SIL) and Synchronization Mode: Synchronize only during rebuild.





# **Reference Workflow for Generated Code**





# **Customer References and Applications**



Airbus Helicopters Accelerates Development of DO-178B Certified Software with Model-Based Design

Software testing time cut by two-thirds



LS Automotive Reduces Development Time for Automotive Component Software with Model-Based Design Specification errors detected early



Continental Develops Electronically Controlled Air Suspension for Heavy-Duty Trucks

Verification time cut by up to 50 percent

More User Stories: <a href="http://www.mathworks.com/company/user_stories.html">www.mathworks.com/company/user_stories.html</a>





## Use reference workflow to conform to standards

- Shift verification earlier
- Automate manual verification tasks (coding, compiling, back-to-back)
- Measure completeness of Requirements Based Testing





# **Learn More**

- Verification, Validation, and Test Solution Page
- Requirements-Based Testing Workflow Example
- Verifying Models and Code for High-Integrity Systems
- Getting Started with Model Verification and Validation





# **Thank You!**



