Increasing Embedded Software Confidence Model and Code Verification Daniel Martins Application Engineer MathWorks Daniel.martins@mathworks.fr 1
What is the Cost of Software Failure Ariane 5 $7,500,000,000 Rocket & payload lost 2
What is the Cost of Software Failure Therac-25 6 Casualties due to radiation overdose 3
Where do you want to discover and fix errors? Pre sales Post sales Model Vehicle Testing In Service Generated Code 4
Using Model-Based Design It is easier and less expensive to fix design errors early in the process when they happen. Model-Based Design enables: 1. Early testing to increase confidence in your design 2. Delivery of higher quality software throughout the workflow 5
Confidence Gaining Confidence in our Design Adhoc testin g Design error detectio n Modeling Functional standard & structural s tests Effort / Time Model & code equivalen ce checks Code integration analysis 6
Application: Cruise Control Control speed according to setpoint 70 km/h 7
Legacy code Application: Cruise Control System Inputs ECU system ECU Cruise Control Module (MBD) 1 Fuel Rate Control Module 2 Outputs Shift Logic Control Module 8
Legacy code Application: Cruise Control ECU Cruise Control Module (MBD) System Inputs ECU system Fuel Rate Control Module Outputs Shift Logic Control Module 9
Application: Cruise Control Inputs Cruise_onoff Brake Speed Coast set Accel reset Cruise Control Module (MBD) Outputs Engaged Target speed 10
Confidence Gaining Confidence in our Design Ad-hoc testing Effort / Time 11
Ad-hoc Tests New Dashboard blocks facilitate early ad-hoc testing 12
Confidence Gaining Confidence in our Design Ad-hoc testing Design error detection Effort / Time 13
Finding Design Errors: Dead Logic 14
Finding Unintended Behavior Dead logic due to uint8 operation on incdec/holdrate*10 Fix change the order of operation 10*incdec/holdrate Condition can never be false 15
Confidence Gaining Confidence in our Design Ad-hoc testing Design error detection Functional & structural tests Effort / Time 16
Simulation Testing Workflow Requirements Did we meet requirements? Review functional behavior Design Did we completely test our model? Structural coverage report 17
Requirements Based Functional Testing with Coverage Analysis 18
Did We Completely Test our Model? Model Coverage Analysis Potential causes of less than 100% coverage: Missing requirements Over-specified design Design errors Missing tests 19
Confidence Gaining Confidence in our Design Ad-hoc testing Design error detection Functional & structural tests Effort / Time Modeling standards 20
Model Advisor Model Standards Checking 21
Confidence Gaining Confidence in our Design Ad-hoc testing Design error detection Functional & structural tests Effort / Time Modeling standards Model & code equivalence checks 22
Code Generation with Model-to-Code Traceability 23
Equivalence Testing: Model vs SIL or PIL Mode Testing Coverage 100% Model Testing SIL or PIL Mode Testing 24
Code Equivalence Check Results: Model vs Code Code Coverage 25
Confidence Gaining Confidence in our Design Ad-hoc testing Design error detection Functional & structural tests Effort / Time Modeling standards Model & code equivalence checks Code integration analysis 26
Legacy code Code Integration Analysis ECU System Inputs ECU system 1 Cruise Control Module (MBD) Fuel Rate Control Module Outputs Shift Logic Control Module 27
Legacy code Code Integration Analysis Inputs Cruise_onoff Brake Speed Coast set Accel reset EGO Sensor ECU system ECU Cruise Control Module (MBD) 1 Fuel Rate Control Module 2 Outputs Gear Engaged Target speed Fuel Rate MAP Sensor Shift Logic Control Module 28
Legacy code Dead code Finding Dead Code During Integration Inputs Cruise_onoff ECU Cruise Control Module (MBD) 2 Outputs Brake Speed Coast set Accel reset EGO Sensor Inaccurate scaling for speed ECU system Fuel Rate Control Module Gear Engaged Target speed Fuel Rate MAP Sensor Shift Logic Control Module 29
Finding Dead Code with Polyspace Target speed parameter propagated to Cruise_ctrl.c [0 40] Maximum target speed = 90 Dead code 30
Polyspace Code Analysis Source code painted in green, red, gray, orange Green: reliable safe pointer access static void pointer_arithmetic (void) { int array[100]; int *p = array; int i; Red: faulty out of bounds error Gray: dead unreachable code Orange: unproven may be unsafe for some conditions for (i = 0; i < 100; i++) { *p = 0; p++; } variable I (int32): [0.. 99] assignment of I (int32): [1.. 100] if (get_bus_status() > 0) { if (get_oil_pressure() > 0) { *p = 5; } else { i++; } } Purple: violation MISRA-C/C++ or JSF++ code rules Range data tool tip i = get_bus_status(); if (i >= 0) { *(p - i) = 10; } } 31
Conclusion: Model-Based Design Verification Workflow Model Verification Discover design errors at design time Code Verification Gain confidence in the generated code Workflow approved by TÜV SÜD for development of safety-critical software in accordance with ISO 26262 (automotive), IEC 61508 (industrial), EN 50128 (railway), IEC 62304 (medical devices) 32
Key Takeaway It is easier and less expensive to fix design errors early in the process when they happen. Model-Based Design enables: 1. Early testing to increase confidence in your design 2. Delivery of higher quality software throughout the workflow 33
Change the world by Accelerating the pace of discovery, innovation, development, and learning in engineering and science 34