
Report

to the

Certificate
Z10 11 01 67052 007
Software Tool for Safety Related Development

Simulink PLC Coder™


Manufacturer:
The MathWorks, Inc.
3 Apple Hill Drive
Natick, MA, 01760-2098
USA

Report No.: MN76171C


Revision 2.0 dated 2014-11-28

Testing Body:
TÜV SÜD Rail GmbH
Embedded Systems

Certification Body:
TÜV SÜD Product Service GmbH
Ridlerstraße 65
80339 Munich

Distribution, copying or any other use of information in this report in part is strictly prohibited.
Revision Log
Rev. | Date | Name | Changes/History
1.0 | 2010-04-27 | F. Rauch | Initial Report
1.1 | 2010-06-10 | F. Rauch | Update for Release R2010b
1.2 | 2011-01-18 | F. Rauch | Update for Release R2011a; updates w.r.t. IEC 61508:2010
1.3 | 2011-06-22 | S. Waldhausen, L. Brandl | Update for Release R2011b
1.4 | 2011-12-19 | S. Waldhausen | Update for Release R2012a
1.5 | 2012-06-26 | S. Waldhausen | Update for Release R2012b
1.6 | 2013-12-18 | S. Waldhausen, M. Braun | Update for Release R2013a
1.7 | 2013-06-25 | S. Waldhausen, M. Braun | Update for Release R2013b
1.8 | 2013-12-18 | S. Waldhausen, M. Braun | Update for Release R2014a
1.9 | 2014-06-13 | S. Waldhausen, M. Braun | Update for Release R2014b
2.0 | 2014-11-28 | S. Waldhausen, M. Braun | Update for Release R2015a

TÜV SÜD Rail GmbH Report No.: MN76171C


Embedded Systems Revision 2.0
Barthstr. 16 S. Waldhausen
80339 München 2014-11-28
Phone: +49 89 5791-4378; Fax: -2933 Page 2 of 11
Content (Page)

1 PURPOSE AND SCOPE (4)
2 PRODUCT OVERVIEW (4)
3 IDENTIFICATION (5)
4 CERTIFICATION (6)
4.1 Standards (6)
4.2 Basis of certification (6)
5 RESULTS (7)
5.1 Software development and quality engineering processes (7)
5.2 Customer bug reporting processes (7)
5.3 Usage considerations for development processes which need to comply with IEC 61508 or IEC 61511 (8)
5.4 Tool classification and validation according to IEC 61508:2010 (9)
5.5 Summary (10)
6 GENERAL CONDITIONS AND RESTRICTIONS (11)
7 SUMMARY AND CERTIFICATE NUMBER (11)

1 Purpose and scope
TÜV SÜD Rail GmbH¹ evaluated the Simulink PLC Coder™ product of The MathWorks, Inc. The sections of the MathWorks™ development organization responsible for the Simulink PLC Coder™ product have been audited to assess their development and quality assurance procedures. Recurring evaluations focus on the processes used by the Simulink PLC Coder™ team to implement enhancements and modifications, as well as on quality engineering and customer bug reporting processes.
The aim of the assessment was to determine the suitability of the product for use in development processes which need to comply with IEC 61508 or IEC 61511.
The basic assessment is documented in the Technical Report MN72051T; recent modifications are reported in the Modification Reports listed in the table below.

Title | Document Name | Date | Revision
Technical Report on Functional Safety | MN72051T-V2.1.pdf | 28.06.2012 | 2.1
Technical Report of Modifications R2013a | MN84722T-V1.0.pdf | 18.12.2012 | 1.0
Technical Report of Modifications R2013b | MN85071T-V1.0.pdf | 24.06.2012 | 1.0
Technical Report of Modifications R2014a | MN85413T-V1.0.pdf | 18.12.2013 | 1.0
Technical Report of Modifications R2014b | MN85861T-V1.0.pdf | 13.06.2014 | 1.0
Technical Report of Modifications R2015a | MN86207T-V1.0.pdf | 28.11.2014 | 1.0

2 Product overview
Simulink PLC Coder™ generates hardware-independent IEC 61131 structured text from Simulink® models and Stateflow® charts. The structured text is generated in PLCopen and other file formats supported by widely used integrated development environments (IDEs). As a result, it is possible to compile and deploy an application to numerous programmable logic controller (PLC) and programmable automation controller (PAC) devices. Simulink PLC Coder™ generates test benches that help to verify the structured text using PLC and PAC IDEs and simulation tools.

¹ For releases prior to R2011a, the evaluations were carried out by TÜV SÜD Automotive GmbH. Both companies apply the “Testing and Certification Regulations TÜV SÜD Group” and are accredited to state compliance with the standards listed in 4.1.

3 Identification
Release | Date | Software Tool | Reference Workflow Documentation (IEC Certification Kit)
R2010a | March 2010 | Simulink PLC Coder™ V1.0 | Application-Specific Verification and Validation of Models and Generated PLC Code; V1.2
R2010b | Sept. 2010 | Simulink PLC Coder™ V1.1 | Application-Specific Verification and Validation of Models and Generated PLC Code; V1.3
R2011a | April 2011 | Simulink PLC Coder™ V1.2 | Application-Specific Verification and Validation of Models and Generated PLC Code; V1.4
R2011b | Sept. 2011 | Simulink PLC Coder™ V1.2.1 | Application-Specific Verification and Validation of Models and Generated PLC Code; V2.0
R2012a | March 2012 | Simulink PLC Coder™ V1.3 | Simulink® PLC Coder™ Reference Workflow; V2.1
R2012b | Sept. 2012 | Simulink PLC Coder™ V1.4 | Simulink® PLC Coder™ Reference Workflow; V3.0
R2013a | March 2013 | Simulink PLC Coder™ V1.5 | Simulink® PLC Coder™ Reference Workflow; V3.1
R2013b | Sept. 2013 | Simulink PLC Coder™ V1.6 | Simulink® PLC Coder™ Reference Workflow; V3.2
R2014a | March 2014 | Simulink PLC Coder™ V1.7 | Simulink® PLC Coder™ Reference Workflow; V3.3
R2014b | Oct. 2014 | Simulink PLC Coder™ V1.8 | Simulink® PLC Coder™ Reference Workflow; V3.4
R2015a | March 2015 | Simulink PLC Coder™ V1.9 | Simulink® PLC Coder™ Reference Workflow; V3.5

4 Certification
4.1 Standards
Standard | Description
IEC 61508-1:2010 | Functional Safety of electrical/electronic/programmable electronic safety-related systems - Part 1: General requirements
IEC 61508-3:2010 | Functional Safety of electrical/electronic/programmable electronic safety-related systems - Part 3: Software requirements
IEC 61511-1:2003 | Functional safety – Safety Instrumented Systems for the process industry sector - Part 1: Framework, definitions, system, hardware and software requirements

4.2 Basis of certification

- Software development and quality engineering processes
- Customer bug reporting processes
- Usage considerations for development processes which need to comply with IEC 61508 or IEC 61511
- Tool classification and validation according to IEC 61508

5 Results
5.1 Software development and quality engineering processes
The software development and quality engineering processes applied for Simulink PLC Coder™ have been audited; no objections were found.
To ensure adherence to the software development and quality engineering processes, as well as to facilitate further quality improvements, the software modification processes for Simulink PLC Coder™ will be audited once a year by TÜV SÜD.
Product versions that are released between two consecutive audits are subject to a defined approval procedure by TÜV SÜD. The procedure includes the following elements:
- The MathWorks, Inc. documents new customer-visible features for each release in the corresponding release notes.
- The MathWorks, Inc. documents enhancements and new features of each Simulink PLC Coder™ version in an internal delta report.
- Test procedures for enhancements and new features are referenced in the delta report to document MathWorks internal validation activities for newly developed features.

5.2 Customer bug reporting processes

The bug reports section of the MathWorks web site provides an interface for customers to view and submit bug reports.
Customers can track the status of open bugs. Critical bugs can be easily identified in the bug report section of the MathWorks web site. Customers can choose to receive email or RSS notifications for new or updated bug reports. The bug reports on this web site include internally as well as externally nominated bugs. If applicable, bug reports include provisions for known workarounds or file replacements.
Customers can use the bug report mechanism to nominate bugs. These nominations are processed and evaluated by The MathWorks, Inc. development organization.

5.3 Usage considerations for development processes which need to comply with IEC 61508 or IEC 61511
Simulink PLC Coder™ fulfills the normative requirements regarding tool support and automation.
Several measures and techniques recommended by IEC 61508-3 target potential deficiencies of manual transformation steps². The fewer manual steps are necessary to transform the requirements into an implementation, the less likely it is that systematic errors are introduced (including the introduction of unintended functionality). By utilizing executable models (i.e. models that can be simulated), Model-Based Design reduces the number of transformation steps necessary to get a first executable representation. Tool support and automation provided by the PLC code generator reduce the amount of error-prone manual transformations and can thereby help to reduce the number of systematic errors.
If the structured text generated by Simulink PLC Coder™ is deployed in safety-related applications, modeling and PLC code generation are to be complemented by appropriate measures and techniques to verify and validate the Simulink® / Stateflow® model and the generated PLC code. A recommended application-specific verification and validation workflow is provided in the reference workflow documentation identified in section 3.
According to IEC 61508-3, a structural coverage analysis is highly recommended for SIL 3 and above to help demonstrate that no unintended functionality has been introduced into the source code. This requirement is usually hard to meet if hand-written PLC code is used, because automated structural coverage analysis is not commonly available for PLC languages. However, having a Simulink® model as an early executable representation facilitates (model) coverage analysis, which measures test coverage and helps to identify unintended functionality in the model. This approach, which is very similar to code coverage analysis for high-level programming languages such as C, provides a means to help demonstrate the absence of unintended functionality.
A welcome side effect of the equivalence testing recommended as part of the verification and validation workflow is that, in addition to coding errors, certain compiler errors can be detected as well. Due to this implicit way of detecting compiler errors, the PLC compiler is considered a minor source of error that can be addressed sufficiently by tool validation (or certification, in IEC 61508 terminology) according to a national standard or by increased confidence from use.
A national or international language standard (such as ANSI C) does not exist for the input language of Simulink PLC Coder™. Consequently, there are no means to certify or validate Simulink PLC Coder™ against such a language standard, as suggested by IEC 61508. To bridge this gap, the documented translation validation workflow allows verifying and validating the transformation from models to code. By using this workflow, a developer can verify and validate the model-to-code translation to the extent necessary.
IEC 61511 is considered a sector-specific standard derived from IEC 61508. Whereas IEC 61508 needs to be tailored to and interpreted for PLC application developments, IEC 61511 is already tailored for this class of applications. The above paragraphs relate to the IEC 61508-3 subset for limited variability languages and are therefore applicable to IEC 61511 as well.

² In IEC 61508, tailoring a PLC to a particular application by using its standard programming facilities, for example structured text, is considered user application programming in limited variability languages. Only a subset of the IEC 61508-3 requirements is applicable to limited variability languages.
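The equivalence testing described above compares, cycle by cycle, the outputs recorded from simulating the model with the outputs recorded from executing the generated structured text on the PLC. The following is an added illustration, not code from the report, from MathWorks or from the reference workflow: the model side, the PLC side and the traces are all constructed, and the PLC side stands in for generated code whose accumulator was mapped to a 16-bit IEC 61131-3 INT, the kind of coding or compiler error the comparison is meant to surface.

```python
# Added example (constructed): back-to-back equivalence check of a model-simulation
# trace against a PLC-execution trace, as the report's verification workflow recommends.
# Neither function is MathWorks code; they are hand-written stand-ins for the two sides.
from dataclasses import dataclass
from typing import List, Optional, Sequence

INT16_MIN, INT16_MAX = -32768, 32767


def model_accumulator(inputs: Sequence[float]) -> List[float]:
    """Reference behaviour as simulated in the model: running sum in double precision."""
    acc, trace = 0.0, []
    for u in inputs:
        acc += u
        trace.append(acc)
    return trace


def plc_accumulator_int16(inputs: Sequence[float]) -> List[float]:
    """Stand-in for the PLC execution: the accumulator was declared as IEC 61131-3 INT
    (16-bit two's complement), so it silently wraps once the sum exceeds 32767."""
    acc, trace = 0, []
    for u in inputs:
        acc = (acc + int(u) - INT16_MIN) % (INT16_MAX - INT16_MIN + 1) + INT16_MIN
        trace.append(float(acc))
    return trace


@dataclass
class Mismatch:
    cycle: int        # PLC scan cycle / model sample index, 0-based
    expected: float   # value recorded from model simulation
    actual: float     # value recorded from PLC execution


def equivalence_check(expected: Sequence[float], actual: Sequence[float],
                      abs_tol: float = 1e-6) -> List[Mismatch]:
    """Compare the two traces cycle by cycle. Returns every cycle whose outputs differ
    by more than abs_tol; an empty list means the traces are equivalent. Traces of
    different length indicate a broken test bench rather than equivalence."""
    if len(expected) != len(actual):
        raise ValueError(f"trace length differs: model {len(expected)}, PLC {len(actual)}")
    return [Mismatch(k, e, a) for k, (e, a) in enumerate(zip(expected, actual))
            if abs(e - a) > abs_tol]


def first_divergence(inputs: Sequence[float]) -> Optional[int]:
    """Run both sides on the same stimulus and return the first diverging cycle, if any."""
    mismatches = equivalence_check(model_accumulator(inputs), plc_accumulator_int16(inputs))
    return mismatches[0].cycle if mismatches else None


if __name__ == "__main__":
    stimulus = [1000.0] * 40                                        # constructed test vector
    print("30-cycle run diverges at:", first_divergence(stimulus[:30]))  # None: sum stays below 32767
    print("40-cycle run diverges at:", first_divergence(stimulus))       # 32: sum 33000 wraps to -32536
```

The 30-cycle stimulus passes, which is why the test vectors used for equivalence testing must reach the value ranges of the deployed application; the structural coverage analysis the report recommends is what exposes such a gap in the stimulus.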

5.4 Tool classification and validation according to IEC 61508:2010
Simulink PLC Coder™ is a class T3 off-line support tool. It can be used to transform executable graphical models created using Simulink® and Stateflow® into structured text.
IEC 61508:2010 details and extends the requirements for tool certification specified in the first edition of the standard. The following list provides considerations on how tool users are supported w.r.t. the requirements of IEC 61508-3 clause 7.4.4:
- Code generation using Simulink PLC Coder™ can be integrated with other Model-Based Design and verification tools from The MathWorks, Inc. (cf. IEC 61508-3, 7.4.4.2, Note 3). A possible integration is outlined in the reference workflow documentation. A representative combination of tools is tested at the manufacturer’s site (cf. IEC 61508-3, 7.4.4.9, 7.4.4.18 a).
- The tool documentation for Simulink PLC Coder™ (cf. IEC 61508-3, 7.4.4.4) is provided with the product.
- The reference workflow documentation provides mitigation measures for potential failure mechanisms of Simulink PLC Coder™ (cf. IEC 61508-3, 7.4.4.5, 7.4.4.8). Applying the complete workflow provides a high degree of confidence that potential bugs in Simulink PLC Coder™ can be mitigated.
- MathWorks reports critical known bugs brought to its attention on its Bug Report system at http://www.mathworks.com/support/bugreports/ (cf. IEC 61508-3, 7.4.4.6, Note 1).
- The Release Notes for Simulink PLC Coder™ provide the version history of the tool. Tool users can assess available bug reports for different Simulink PLC Coder™ versions via the Bug Reports system (cf. IEC 61508-3, 7.4.4.6, Note 1).
- The MathWorks, Inc. validated Simulink PLC Coder™ and provided documentation of this validation to TÜV SÜD for review and approval (cf. IEC 61508-3, 7.4.4.6, 7.4.4.7). Each certified Simulink PLC Coder™ version is subject to the defined approval procedure by TÜV SÜD outlined in section 5.1 (cf. IEC 61508-3, 7.4.4.18, Note).
- Test procedures for enhancements/new features of Simulink PLC Coder™ are referenced in the delta report to document The MathWorks, Inc. internal validation activities for newly developed features.
- Each release of Simulink PLC Coder™ is identifiable (cf. IEC 61508-3, 7.4.4.15 a).
- The MathWorks, Inc. as well as 3rd party vendors offer training courses for MathWorks tools (cf. IEC 61508-3, 7.4.4.2, Note 6).

5.5 Summary
The Simulink PLC Coder™ product is suitable for use in development processes which need to comply with IEC 61508 or sector-specific implementations of IEC 61508 such as IEC 61511.
All Simulink PLC Coder™ versions listed in the subsequent table are certified as T3 off-line support tools according to IEC 61508:2010. The tool meets the applicable requirements of IEC 61508-3 7.4.4.
The tool classification and the assessment of the tool validation activities were carried out by TÜV SÜD.
Following the reference workflow documented in Simulink® PLC Coder™ Reference Workflow enables the prevention or detection of potential malfunctions or erroneous outputs of the PLC code generator with a high degree of confidence.
Using a suitable subset of the reference workflow, documented in Simulink® PLC Coder™ Reference Workflow, enables the prevention or detection of potential malfunctions or erroneous outputs of the PLC code generator with a medium degree of confidence. The lesser degree of confidence is deemed acceptable due to the additional approval procedure outlined in section 5.1.
Certification of Simulink PLC Coder™ according to the standards listed in section 4.1 can be claimed by referencing this certification report and the corresponding certificate. The certification comprises all Simulink PLC Coder™ versions listed in the subsequent table. The certification audit was carried out by TÜV SÜD. Artifacts necessary to carry out the approval procedure were created by MathWorks and submitted to TÜV SÜD for review and approval.

Tool / Release | Certification Audit / Surveillance Audit | Approval Procedure Artifacts / Tool Validation Activities: Release Notes | Delta Report | Validation Suite
Simulink PLC Coder™ R2010a | ✓ ✓ ✓
Simulink PLC Coder™ R2010b | ✓ ✓ ✓
Simulink PLC Coder™ R2011a | ✓ ✓ ✓
Simulink PLC Coder™ R2011b | ✓ ✓ ✓
Simulink PLC Coder™ R2012a | ✓ ✓ ✓
Simulink PLC Coder™ R2012b | ✓ ✓ ✓
Simulink PLC Coder™ R2013a | ✓ ✓ ✓
Simulink PLC Coder™ R2013b | ✓ ✓ ✓
Simulink PLC Coder™ R2014a | ✓ ✓ ✓
Simulink PLC Coder™ R2014b | ✓ ✓ ✓
Simulink PLC Coder™ R2015a | ✓ ✓ ✓ ✓

6 General conditions and restrictions
- The reference workflow documented in Simulink® PLC Coder™ Reference Workflow shall be applied for all safety-related applications. The workflow shall be instantiated in accordance with the notified body depending on the SIL required.

7 Summary and certificate number


This report specifies the conditions of use and restrictions required for the application of the Simulink PLC Coder™ by The MathWorks, Inc. on the certificate:

Z10 11 01 67052 007

The certificate no. Z10 11 01 67052 007 replaces the certificate no. Z10 10 04 67052 004.

Munich, 2014-11-28

Technical Certifier
Peter Weiß
