
IEC Certification Kit

Model-Based Design for IEC 61508

R2015a
How to Contact MathWorks
Latest news: www.mathworks.com
Sales and services: www.mathworks.com/sales_and_services
User community: www.mathworks.com/matlabcentral
Technical support: www.mathworks.com/support/contact_us
Phone: 508-647-7000
The MathWorks, Inc.
3 Apple Hill Drive
Natick, MA 01760-2098
IEC Certification Kit: Model-Based Design for IEC 61508
© COPYRIGHT 2013–2015 by The MathWorks, Inc.
The software described in this document is furnished under a license agreement. The software may be used or copied only under
the terms of the license agreement. No part of this manual may be photocopied or reproduced in any form without prior written
consent from The MathWorks, Inc.
FEDERAL ACQUISITION: This provision applies to all acquisitions of the Program and Documentation by, for, or through the
federal government of the United States. By accepting delivery of the Program or Documentation, the government hereby agrees
that this software or documentation qualifies as commercial computer software or commercial computer software documentation
as such terms are used or defined in FAR 12.212, DFARS Part 227.72, and DFARS 252.227-7014. Accordingly, the terms and
conditions of this Agreement and only those rights specified in this Agreement, shall pertain to and govern the use, modification,
reproduction, release, performance, display, and disclosure of the Program and Documentation by the federal government (or
other entity acquiring for or through the federal government) and shall supersede any conflicting contractual terms or conditions.
If this License fails to meet the government’s needs or is inconsistent in any respect with federal procurement law, the
government agrees to return the Program and Documentation, unused, to The MathWorks, Inc.
Trademarks
MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See www.mathworks.com/trademarks for a
list of additional trademarks. Other product or brand names may be trademarks or registered trademarks of their respective
holders.
Patents
MathWorks products are protected by one or more U.S. patents. Please see www.mathworks.com/patents for more
information.
Revision History
March 2013 New for Version 3.1 (Applies to Release 2013a)
September 2013 Revised for Version 3.2 (Applies to Release 2013b)
March 2014 Revised for Version 3.3 (Applies to Release 2014a)
October 2014 Revised for Version 3.4 (Applies to Release 2014b)
March 2015 Revised for Version 3.5 (Applies to Release 2015a)
Contents
1 Model-Based Design for IEC 61508 1-1
2 Applicable Model-Based Design Tools and Processes 2-1
2.1 IEC 61508-3 Annex A Tables 2-2
Table A.1 Software Safety Requirements Specification 2-2
Table A.2 Software Design and Development – Software Architecture Design 2-2
Table A.3 Software Design and Implementation – Support Tools and Programming Language 2-5
Table A.4 Software Design and Development – Detailed Design 2-6
Table A.5 Software Design and Development – Software Module Testing and Integration 2-7
Table A.6 Programmable Electronics Integration (Hardware and Software) 2-8
Table A.7 Software Aspects of System Safety Validation 2-9
Table A.8 Modification 2-9
Table A.9 Software Verification 2-11
Table A.10 Functional Safety Assessment 2-12
2.2 IEC 61508-3 Annex B Tables 2-13
Table B.1 Design and Coding Standards 2-13
Table B.2 Dynamic Analysis and Testing 2-15
Table B.3 Functional and Black-Box Testing 2-17
Table B.4 Failure Analysis 2-18
Table B.5 Modeling 2-18
Table B.6 Performance Testing 2-18
Table B.7 Semi-formal Methods 2-19
Table B.8 Static Analysis 2-19
Table B.9 Modular Approach 2-21

1 Model-Based Design for IEC 61508

This documentation provides annotated versions of techniques/measures tables that appear in the
IEC 61508-3 standard. The annotated tables provide suggestions on how to use Model-Based
Design products from MathWorks® to apply the techniques/measures listed in the standard for
different Safety Integrity Levels (SILs).

The IEC Certification Kit provides additional support when using Model-Based Design for IEC
61508 applications, including reference workflows for verifying and validating models and
generated code.
2 Applicable Model-Based Design Tools and Processes
2.1 IEC 61508-3 Annex A Tables

Table A.1 Software Safety Requirements Specification

Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments
1a. Semi-formal methods | R | R | HR | HR | Simulink®; Stateflow® | Simulink and Stateflow can be used to model aspects of the software safety requirements using semiformal notations.
1b. Formal methods | - | R | R | HR | Simulink – Model Verification block library | Model Verification blocks can be used to formalize software safety requirements and other model properties.
2. Forward traceability between the system safety requirements and the software safety requirements | R | R | HR | HR | Simulink Verification and Validation – Requirements Management Interface (RMI) | If Simulink or Stateflow are being used to model aspects of the software safety requirements, the RMI can be used to link requirements models to textual descriptions in Microsoft® Word, Microsoft® Excel®, ASCII text, and PDF files.
3. Backward traceability between the safety requirements and the perceived safety needs | R | R | HR | HR | Simulink Verification and Validation – Requirements Management Interface (RMI) | If Simulink or Stateflow are being used to model aspects of the software safety requirements, the RMI can be used to link requirements models to textual descriptions in Microsoft Word, Microsoft Excel, ASCII text, and PDF files.
4. Computer-aided specification tools to support appropriate techniques/measures above | R | R | HR | HR | Simulink; Stateflow; Simulink Verification and Validation – Requirements Management Interface (RMI) | See above.

Table A.2 Software Design and Development – Software Architecture Design

Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments
1. Fault detection | - | R | HR | HR | Simulink; Stateflow | Simulink and Stateflow can be used to design fault detection, isolation, and recovery (FDIR) algorithms.
2. Error detecting codes | R | R | R | HR | |
3a. Failure assertion programming | R | R | R | HR | Simulink; Stateflow | Failure assertion checks can be designed using Simulink or Stateflow.
3b. Diverse monitor techniques (with independence between the monitor and the monitored function in the same computer) | - | R | R | - | Simulink; Stateflow | Simulink and Stateflow can be used to design the monitor and/or the monitored function.
3c. Diverse monitor techniques (with separation between the monitor computer and the monitored computer) | - | R | R | HR | Simulink; Stateflow | Simulink and Stateflow can be used to design the monitor and/or the monitored function.
3d. Diverse redundancy, implementing the same software safety requirements specification | - | - | - | R | Simulink; Stateflow; Fixed-Point Designer™ | Diverse redundancy for algorithmic parts can be supported by executing floating-point and fixed-point versions of an algorithm in parallel and then comparing the results.
3e. Functionally diverse redundancy, implementing different software safety requirements specification | - | - | R | HR | Simulink; Stateflow | Simulink and Stateflow can be used to implement one or both software safety requirements specifications.
3f. Backward recovery | R | R | - | NR | Simulink; Stateflow | Simulink and Stateflow can be used to design fault detection, isolation, and recovery (FDIR) algorithms.
3g. Stateless software design (or limited state design) | - | - | R | HR | Stateflow – Flowchart, Truth Table block; Simulink – Combinatorial Logic block | Simulink and Stateflow provide constructs that can be used to support stateless designs or limited state designs.
4a. Re-try fault recovery mechanisms | R | R | - | - | Simulink; Stateflow | Simulink and Stateflow can be used to design fault detection, isolation, and recovery (FDIR) algorithms.
4b. Graceful degradation | R | R | HR | HR | Stateflow | Stateflow can be used to design graceful degradation behaviour.
5. Artificial intelligence - fault correction | - | NR | NR | NR | |
6. Dynamic reconfiguration | - | NR | NR | NR | |
7. Modular approach | HR | HR | HR | HR | Table B.9 |
8. Use of trusted/verified software elements (if available) | R | HR | HR | HR | Simulink – Block library, Model block | Model blocks (model referencing) facilitate the creation and re-use of trusted/verified software elements. The shipping Simulink block library has a broad user base. The block library is subjected to extensive in-house testing. Blocks from this standard library can be preconfigured and/or verified by the user and grouped into custom libraries.
9. Forward traceability between the software safety requirements specification and software architecture | R | R | HR | HR | Simulink Verification and Validation – Requirements Management Interface (RMI); IEC Certification Kit – Traceability matrix | The RMI can be used to link models representing the software architecture to requirements specifications in Microsoft Word, Microsoft Excel, ASCII text, or PDF files. Generated traceability matrices can be used to document and review existing links between requirements and models.
10. Backward traceability between the software safety requirements specification and software architecture | R | R | HR | HR | Simulink Verification and Validation – Requirements Management Interface (RMI); IEC Certification Kit – Traceability matrix | The RMI can be used to link models representing the software architecture to requirements specifications in Microsoft Word, Microsoft Excel, ASCII text, or PDF files. Generated traceability matrices can be used to document and review existing links between requirements and models.
11a. Structured diagrammatic methods | HR | HR | HR | HR | |
11b. Semi-formal methods | R | R | HR | HR | Table B.7 |
11c. Formal design and refinement methods | - | R | R | HR | Simulink – Model Verification block library | Model Verification blocks can be used to formalize software safety requirements and other model properties.
11d. Automatic software generation | R | R | R | R | MATLAB® Coder™; Simulink® Coder™; Embedded Coder®; Simulink® PLC Coder™; HDL Coder™ | MATLAB Coder, Simulink Coder, and Embedded Coder facilitate the automatic generation of C/C++ code from designs. Simulink PLC Coder facilitates the automatic generation of structured text from designs. HDL Coder facilitates the automatic generation of HDL code from designs.
12. Computer-aided specification and design tools | R | R | HR | HR | Simulink product family | The Simulink product family supports computer-aided specification and design.
13a. Cyclic behaviour, with guaranteed maximum cycle time | R | HR | HR | HR | Simulink; Stateflow | Simulink and Stateflow facilitate modeling of cyclic behavior. A maximum cycle time needs to be addressed by additional means.
13b. Time-triggered architecture | R | HR | HR | HR | Simulink; Stateflow | Simulink and Stateflow facilitate modeling of algorithmic components for time-triggered architectures. A realization of time-triggered scheduling needs to be addressed by additional means.
13c. Event-driven, with guaranteed maximum response time | R | HR | HR | - | Simulink; Stateflow | Simulink and Stateflow facilitate modeling of algorithmic components for event-driven architectures. A maximum response time needs to be addressed by additional means.
14. Static resource allocation | - | R | HR | HR | Embedded Coder – Configuration; Polyspace® Bug Finder™ – MISRA-C checker | Embedded Coder can be configured to generate C code that does not include dynamic variables. Polyspace Bug Finder can assess compliance with MISRA-C rules for static resource allocation.
15. Static synchronisation of access to shared resources | - | - | R | HR | |
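Added example, not code from the IEC Certification Kit or from any MathWorks product: the diverse-redundancy scheme that technique 3d in Table A.2 describes, written here as hand-written C rather than generated code. A first-order low-pass filter stands in for the safety function (an assumption); it is implemented once in double precision and once in Q15 fixed point, both channels run in lockstep, and a comparator flags any divergence beyond a tolerance sized for the expected quantization error.

```c
#include <stdint.h>

/* Diverse redundancy (IEC 61508-3 Table A.2, 3d): the same algorithm in two
 * numerically diverse implementations, run in parallel and compared.
 * Algorithm (assumed stand-in): y[k] = y[k-1] + a * (u[k] - y[k-1]). */

#define Q15_ONE      32768L
#define FILTER_ALPHA 0.25   /* coefficient a (assumed); 8192 in Q15 */
#define TOLERANCE    0.01   /* assumed agreement bound, >> Q15 quantization */

typedef struct { double  y; } FloatChannel;   /* channel 1: double precision */
typedef struct { int16_t y; } FixedChannel;   /* channel 2: Q15 fixed point  */

typedef enum { VOTE_OK = 0, VOTE_MISMATCH = 1 } VoteResult;

typedef struct {
    FloatChannel fc;
    FixedChannel xc;
    int          mismatch_count;   /* kept for diagnostics */
} DiverseFilter;

/* Channel 1: straightforward floating-point implementation. */
static double float_step(FloatChannel *c, double u)
{
    c->y = c->y + FILTER_ALPHA * (u - c->y);
    return c->y;
}

/* Saturate a wide intermediate to the Q15 range instead of wrapping. */
static int16_t q15_saturate(int32_t v)
{
    if (v > INT16_MAX) return INT16_MAX;
    if (v < INT16_MIN) return INT16_MIN;
    return (int16_t)v;
}

/* Channel 2: the same filter in Q15. The Q15*Q15 product is rescaled with a
 * division, not a right shift, so behaviour on negative values is defined. */
static int16_t fixed_step(FixedChannel *c, int16_t u)
{
    const int32_t alpha_q15 = (int32_t)(FILTER_ALPHA * Q15_ONE);
    int32_t diff  = (int32_t)u - (int32_t)c->y;              /* |diff| < 2^16 */
    int32_t delta = (int32_t)(((int64_t)diff * alpha_q15) / Q15_ONE);
    c->y = q15_saturate((int32_t)c->y + delta);
    return c->y;
}

static double q15_to_double(int16_t v) { return (double)v / (double)Q15_ONE; }

static int16_t double_to_q15(double v)
{
    double scaled = v * (double)Q15_ONE + (v >= 0.0 ? 0.5 : -0.5);  /* round */
    return q15_saturate((int32_t)scaled);
}

static void diverse_init(DiverseFilter *d)
{
    d->fc.y = 0.0;
    d->xc.y = 0;
    d->mismatch_count = 0;
}

/* Run both channels on one sample and compare. Only the vote is produced;
 * the caller owns the reaction (for example, a transition to a safe state). */
static VoteResult diverse_step(DiverseFilter *d, double u, double *out)
{
    double yf  = float_step(&d->fc, u);
    double yx  = q15_to_double(fixed_step(&d->xc, double_to_q15(u)));
    double err = yf - yx;
    if (err < 0.0) err = -err;
    *out = yf;
    if (err > TOLERANCE) {
        d->mismatch_count++;
        return VOTE_MISMATCH;
    }
    return VOTE_OK;
}

/* Constructed scenario 1: step input of 0.5 for 30 samples. Both channels
 * track each other within quantization, so the mismatch count stays 0. */
int run_nominal_scenario(void)
{
    DiverseFilter d;
    double out;
    diverse_init(&d);
    for (int k = 0; k < 30; k++) (void)diverse_step(&d, 0.5, &out);
    return d.mismatch_count;
}

/* Constructed scenario 2: same input, but after settling one bit of the
 * fixed-point channel's state is flipped (a simulated upset or coding error
 * confined to one channel). Returns 1 if the comparator reports it. */
int run_fault_scenario(void)
{
    DiverseFilter d;
    double out;
    diverse_init(&d);
    for (int k = 0; k < 30; k++) (void)diverse_step(&d, 0.5, &out);
    d.xc.y = (int16_t)(d.xc.y ^ 0x4000);   /* corrupt bit 14 of channel 2 */
    return diverse_step(&d, 0.5, &out) == VOTE_MISMATCH ? 1 : 0;
}
```

A real deployment would also have to prove that the two channels fail independently, which is why the table lists Fixed-Point Designer alongside Simulink and Stateflow rather than the comparison alone.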

Table A.3 Software Design and Implementation – Support Tools and Programming Language

Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments
1. Suitable programming language | HR | HR | HR | HR | Embedded Coder; Simulink Coder; MATLAB Coder; Simulink PLC Coder | C or C++ with subset and coding standard, and use of static analysis tools, is classified as a highly recommended programming language in IEC 61508-7, Table C1. MATLAB Coder, Simulink Coder, and Embedded Coder can generate C or C++ code. Language subsets, coding standards, and static analysis tools are discussed elsewhere in this document. Structured text with a defined subset of the language is classified as a highly recommended programming language in IEC 61508-7, Table C1. Simulink PLC Coder can generate structured text. Language subsets are discussed elsewhere in this document.
2. Strongly typed programming language | HR | HR | HR | HR | Simulink, Simulink – Configuration; Stateflow; Simulink Verification and Validation – IEC 61508 Model Advisor checks; Polyspace® Code Prover™ – Code verification; Polyspace Bug Finder – MISRA-C checker | Simulink and Stateflow can be configured to facilitate strong typing at the model level. Type compatibility constraints can be embedded in the math operator or logical blocks at the model level. IEC 61508 and custom checks in Model Advisor can be used to check typing considerations within the model. Polyspace Code Prover and Polyspace Bug Finder can be used to restrict data values to a subrange of the underlying data type. Attempts to violate the defined subranges will be flagged.
3. Language subset | - | - | HR | HR | Simulink – Modeling Guidelines for High-Integrity Systems; Simulink Verification and Validation – IEC 61508 Model Advisor checks | Modeling Guidelines for High-Integrity Systems and custom guidelines can support the definition of analyzable programs at the model level. Language subset considerations at the model level can be supported by IEC 61508 and custom checks in Model Advisor.
4a. Certified tools and certified translators | R | HR | HR | HR | IEC Certification Kit | TÜV SÜD certified Embedded Coder, Simulink PLC Coder, Simulink Verification and Validation, Simulink Design Verifier, Polyspace Bug Finder, and Polyspace Code Prover for use in development processes that need to comply with IEC 61508. The IEC Certification Kit contains the corresponding certificates and certificate reports.
4b. Tools and translators: increased confidence from use | HR | HR | HR | HR | MATLAB®; Simulink; Stateflow | MATLAB, Simulink, and Stateflow have a broad user base. The products are subjected to extensive in-house testing. Bug reports can be accessed by using the Bug Reports section of the MathWorks website.

Table A.4 Software Design and Development – Detailed Design

Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments
1a. Structured methods | HR | HR | HR | HR | Simulink – Subsystems, Model blocks | Simulink supports software detailed design using structured methods. Subsystem blocks and Model blocks can be used to structure such models.
1b. Semi-formal methods | R | HR | HR | HR | Table B.7 |
1c. Formal design and refinement methods | - | R | R | HR | Simulink – Model Verification block library | Model Verification blocks can be used to formalize software safety requirements and other model properties.
2. Computer-aided design tools | R | R | HR | HR | Simulink product family | The Simulink product family supports computer-aided specification and design.
3. Defensive programming | - | R | HR | HR | Simulink; Stateflow; Simulink – Modeling Guidelines for High-Integrity Systems | Defensive programming can be implemented in Simulink and Stateflow. Modeling Guidelines for High-Integrity Systems facilitate defensive programming at the model level.
4. Modular approach | HR | HR | HR | HR | Table B.9 |
5. Design and coding standards | R | HR | HR | HR | Table B.1 |
6. Structured programming | HR | HR | HR | HR | |
7. Use of trusted/verified software elements (if available) | R | HR | HR | HR | Simulink – Block library, Model block | Model blocks (model referencing) facilitate the creation and re-use of trusted/verified software elements by the user. Blocks from this standard library can be preconfigured, verified, and grouped into custom libraries to facilitate creation and re-use of trusted/verified software elements by the user.
8. Forward traceability between the software safety requirements specification and software design | R | R | HR | HR | Simulink Verification and Validation – Requirements Management Interface (RMI); IEC Certification Kit – Traceability matrix | The RMI can be used to link models representing the software architecture to requirements specifications in Microsoft Word, Microsoft Excel, ASCII text, or PDF files. Generated traceability matrices can be used to document and review existing links between requirements and models.

Table A.5 Software Design and Development – Software Module Testing and Integration

Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments
1. Probabilistic testing | - | R | R | R | SystemTest™ | SystemTest can generate random test vector values using probability distribution functions.
2. Dynamic analysis and testing | R | HR | HR | HR | Table B.2 |
3. Data recording and analysis | HR | HR | HR | HR | Data Acquisition Toolbox™ | Data Acquisition Toolbox provides functions for connecting MATLAB to data acquisition hardware.
4. Functional and black box testing | HR | HR | HR | HR | Table B.3 |
5. Performance testing | R | R | HR | HR | Table B.6 |
6. Model based testing | R | R | HR | HR | Simulink Design Verifier – Test case generation | Simulink Design Verifier can be used to generate test cases from models. Test Objective blocks can be used to guide the test case generation.
7. Interface testing | R | R | HR | HR | Simulink Design Verifier – Test case generation | Automatic test case generation in combination with Test Objective blocks can be used to generate interface tests.
8. Test management and automation tools | R | HR | HR | HR | Simulink – Simulation Data Inspector, Signal Builder; Simulink® Verification and Validation™; Simulink Design Verifier; SystemTest | The Simulation Data Inspector, Signal Builder, Simulink Verification and Validation, Simulink Design Verifier, and SystemTest can be used to manage and automate testing.
9. Forward traceability between the software design specification and the module and integration test specifications | R | R | HR | HR | Simulink – Signal Builder; Simulink Verification and Validation – Requirements Management Interface (RMI) | When using Signal Builder in combination with Simulink Verification and Validation, the Requirements pane in Signal Builder can be used to link test cases in Signal Builder to external documents.
10. Formal verification | - | - | R | R | Simulink – Model Verification block library; Simulink Design Verifier – Property proving, design error detection; Polyspace Code Prover – Code verification | Model Verification blocks can be used to formalize software safety requirements and other model properties. Property proving can be used to verify model properties. Design error detection can analyze a model to detect design errors that might occur at run time. Polyspace Code Prover can analyze C code to identify software errors that might occur during run time.

Table A.6 Programmable Electronics Integration (Hardware and Software)

Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments
1. Functional and black box testing | HR | HR | HR | HR | Table B.3 |
2. Performance testing | R | R | HR | HR | Table B.6 |
3. Forward traceability between the system and software design requirements for hardware/software integration and the hardware/software integration test specifications | R | R | HR | HR | |

Table A.7 Software Aspects of System Safety Validation

Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments
1. Probabilistic testing | - | R | R | HR | SystemTest | SystemTest can generate random test vector values using probability distribution functions.
2. Process simulation | R | R | HR | HR | |
3. Modeling | R | R | HR | HR | Table B.5 |
4. Functional and black-box testing | HR | HR | HR | HR | Table B.3 |
5. Forward traceability between the software safety requirements specification and the software safety validation plan | R | R | HR | HR | Simulink Verification and Validation – Requirements Management Interface (RMI) | If Simulink or Stateflow are being used to model aspects of the software safety requirements, the RMI can be used to link requirements models to textual descriptions in Microsoft Word, Microsoft Excel, ASCII text, and PDF files.
6. Backward traceability between the software safety validation plan and the software safety requirements specification | R | R | HR | HR | Simulink Verification and Validation – Requirements Management Interface (RMI) | If Simulink or Stateflow are being used to model aspects of the software safety requirements, the RMI can be used to link requirements models to textual descriptions in Microsoft Word, Microsoft Excel, ASCII text, and PDF files.

Table A.8 Modification

Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments
1. Impact analysis | HR | HR | HR | HR | Simulink Verification and Validation – Requirements Management Interface (RMI); IEC Certification Kit – Traceability matrix | The RMI can be used to facilitate impact analysis across linked artifacts. Generated traceability matrices can be used to facilitate impact analysis between requirements, models, and generated code.
2. Reverify changed software module | HR | HR | HR | HR | Simulink – Simulation Data Inspector, Signal Builder; Simulink Verification and Validation; Simulink Design Verifier; SystemTest; Polyspace Code Prover – Code verification; Polyspace Bug Finder – MISRA-C checker | The Simulation Data Inspector, Signal Builder, Simulink Verification and Validation, Simulink Design Verifier, and SystemTest can be used to dynamically verify changed modules (regression testing). Simulink Verification and Validation and Simulink Design Verifier can be used to statically verify changed modules.
3. Reverify affected software modules | R | HR | HR | HR | Simulink – Simulation Data Inspector, Signal Builder; Simulink Verification and Validation; Simulink Design Verifier; SystemTest; Polyspace Bug Finder – MISRA-C checker; Polyspace Code Prover – Code verification | The Simulation Data Inspector, Signal Builder, Simulink Verification and Validation, Simulink Design Verifier, and SystemTest can be used to dynamically verify affected modules (regression testing). Simulink Verification and Validation and Simulink Design Verifier can be used to statically verify affected modules.
4a. Revalidate complete system | - | R | HR | HR | Table A.7 |
4b. Regression validation | R | HR | HR | HR | Same as for technique/measure 4a | Methods and tools used for complete system validation can be used for regression validation as well.
5. Software configuration management | HR | HR | HR | HR | Simulink; Simulink – Projects | Simulink can interface with configuration management systems. Model and parameter files can be treated as configuration items. Simulink Projects supports configuration management when using Model-Based Design.
6. Data recording and analysis | HR | HR | HR | HR | Data Acquisition Toolbox | Data Acquisition Toolbox provides functions for connecting MATLAB to data acquisition hardware.
7. Forward traceability between the software safety requirements specification and the software modification plan (including reverification and revalidation) | R | R | HR | HR | Simulink Verification and Validation – Requirements Management Interface (RMI) | If Simulink or Stateflow are being used to model aspects of the software safety requirements, the RMI can be used to link requirements models to textual descriptions in Microsoft Word, Microsoft Excel, ASCII text, and PDF files.
8. Backward traceability between the software modification plan (including reverification and revalidation) and the software safety requirements specification | R | R | HR | HR | Simulink Verification and Validation – Requirements Management Interface (RMI) | If Simulink or Stateflow are being used to model aspects of the software safety requirements, the RMI can be used to link requirements models to textual descriptions in Microsoft Word, Microsoft Excel, ASCII text, and PDF files.

Table A.9 Software Verification

Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments
1. Formal proof | - | R | R | HR | Simulink – Model Verification block library; Simulink Design Verifier – Property proving, design error detection; Polyspace Code Prover – Code verification | Model Verification blocks can be used to formalize software safety requirements and other model properties. Property proving can be used to verify model properties. Design error detection can analyze a model to detect design errors that might occur at run time. Polyspace Code Prover can analyze C code to identify software errors that might occur during run time.
2. Animation of specification and design | R | R | R | R | Simulink; Stateflow | Simulink and Stateflow can be used to animate design and/or specification models.
3. Static analysis | R | HR | HR | R | Table B.8 |
4. Dynamic analysis and testing | R | HR | HR | HR | Table B.2 |
5. Forward traceability between the software design specification and the software verification (including data verification) plan | R | R | HR | HR | Simulink Verification and Validation – Requirements Management Interface (RMI) | The RMI can be used to link design models to textual descriptions in Microsoft Word, Microsoft Excel, ASCII text, and PDF files.
6. Backward traceability between the software verification (including data verification) plan and the software design specification | R | R | HR | HR | Simulink Verification and Validation – Requirements Management Interface (RMI) | The RMI can be used to link design models to textual descriptions in Microsoft Word, Microsoft Excel, ASCII text, and PDF files.
7. Offline numerical analysis | R | HR | HR | HR | MATLAB | MATLAB can support offline numerical analysis.
Software module testing and integration | | | | | Table A.5 |
Programmable electronics integration testing | | | | | Table A.6 |
Software system testing (validation) | | | | | Table A.7 |

Table A.10 Functional Safety Assessment

Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments
1. Checklists | R | R | R | R | |
2. Decision/truth tables | R | R | R | R | Stateflow – Truth Table block | The Truth Table block enables the usage of truth table logic directly in a Simulink model.
3. Failure analysis | R | R | HR | HR | |
4. Common cause failure analysis of diverse software (if diverse software is actually used) | - | R | HR | HR | |
5. Reliability block diagram | R | R | R | R | |
6. Forward traceability between the requirements of IEC 61508-3, clause 8 and the plan for software functional safety assessment | R | R | HR | HR | |

2.2 IEC 61508-3 Annex B Tables

Table B.1 Design and Coding Standards

Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments
1. Use of coding standard to reduce likelihood of errors | HR | HR | HR | HR | Simulink – Modeling Guidelines; Simulink Verification and Validation – IEC 61508 Model Advisor checks, MAAB Model Advisor checks, custom checks; Embedded Coder – MISRA C:2004 Model Advisor checks; Polyspace Bug Finder – MISRA-C checker | The Modeling Guidelines for High-Integrity Systems and the MathWorks® Automotive Advisory Board — Control Algorithm Modeling Guidelines Using MATLAB, Simulink, and Stateflow provide guidelines at model level. The MISRA AC AGC guidelines provide guidelines at the code level. Model Advisor checks can be used to check modeling or coding standards considerations at the model level. The Polyspace Bug Finder MISRA-C checker can be used to check MISRA AC AGC compliance considerations at the source code level.
2. No dynamic objects | R | HR | HR | HR | Embedded Coder – Configuration; Polyspace Bug Finder – MISRA-C checker | Embedded Coder can be configured to generate C code that does not include dynamic objects/variables. Polyspace Bug Finder can assess compliance with MISRA-C rules for dynamic objects.
3a. No dynamic variables | - | R | HR | HR | Embedded Coder – Configuration; Polyspace Bug Finder – MISRA-C checker | Embedded Coder can be configured to generate C code that does not include dynamic variables. Polyspace Bug Finder can assess compliance with MISRA-C rules for dynamic variables.
3b. Online checking of the installation of dynamic variables | - | R | R | R | |
4. Limited use of interrupts | R | HR | HR | HR | Embedded Coder – Configuration | Embedded Coder can be configured to not insert interrupts into step function code.
5. Limited use of pointers | - | R | HR | HR | Embedded Coder – Configuration; Polyspace Bug Finder – MISRA-C checker | Embedded Coder may generate pointer arithmetic for certain language features, for example lookup tables or matrix multiplication. Embedded Coder checks the data type and range of values to avoid corruption of address spaces. Polyspace Bug Finder can assess compliance with MISRA-C rules for the use of pointers. Polyspace Bug Finder can check whether pointers refer to valid objects. Violations are reported as IDP checks.
6. Limited use of recursion | - | R | HR | HR | Simulink – Modeling Guidelines; Polyspace Code Prover – Call tree computation; Polyspace Bug Finder – MISRA-C checker | Adherence can be facilitated by applying modeling guidelines. High-integrity guideline hisf_0004 provides corresponding modeling recommendations. Avoid using n-D Lookup Table and Interpolation blocks and Prelookup blocks with dimensions > 5. Generated call graphs can be reviewed to identify recursive function calls. Polyspace Code Prover and Polyspace Bug Finder can assess compliance with MISRA-C rules for recursion.
7. No unstructured control flow in programs in higher level languages | R | HR | HR | HR | Polyspace Bug Finder – MISRA-C checker | Polyspace Bug Finder can assess compliance with MISRA-C rules for unstructured control flow.
8. No automatic type conversion | R | HR | HR | HR | Simulink, Simulink – Configuration; Stateflow; Simulink Verification and Validation – IEC 61508 Model Advisor checks; Polyspace Code Prover – Code verification; Polyspace Bug Finder – MISRA-C checker | Simulink and Stateflow can be configured to facilitate strong typing at the model level. Type compatibility constraints can be embedded in the math operator or logical blocks at the model level. IEC 61508 and custom checks in Model Advisor can be used to check typing considerations within the model. Polyspace Code Prover and Polyspace Bug Finder can be used to restrict data values to a subrange of the underlying data type. Attempts to violate the defined subranges will be flagged.

Table B.2 Dynamic Analysis and Testing

| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1. Test Case Execution from Boundary Value Analysis | R | HR | HR | HR | Simulink Design Verifier – Test case generation | Automatic test case generation in combination with Test Objective blocks can be used to generate test cases and test sequences for given boundary values. |
| 2. Test Case Execution from Error Guessing | R | R | R | R | | |
| 3. Test Case Execution from Error Seeding | - | R | R | R | Simulink, Stateflow | Simulink and Stateflow can be used to carry out fault injection tests. The tools can also be used to simulate failure propagation at the model level. For this purpose, the system model and a separate failure model can be used. |
| | | | | | Simulink Design Verifier – Test case generation | Automatic test case generation in combination with Test Objective blocks can be used to generate test cases and test sequences for error seeding tests. |
| 4. Test case execution from model-based test case generation | R | R | HR | HR | Simulink Design Verifier – Test case generation | Simulink Design Verifier can be used to generate test cases from models. Test Objective blocks can be used to guide the test case generation. |
| 5. Performance Modeling | R | R | R | HR | | |
| 6. Equivalence Classes and Input Partition Testing | R | R | R | HR | Simulink Design Verifier – Test case generation | The analysis of equivalence classes can be based on the interfaces of the model. Automatic test case generation in combination with Test Objective blocks can be used to generate test cases and test sequences for given equivalence classes. |
| 7a. Structural test coverage (entry points) 100 % | HR | HR | HR | HR | Embedded Coder – Code coverage collection | During software-in-the-loop (SIL) simulation, Embedded Coder can collect function coverage information by using the third-party tool BullseyeCoverage™. |
| 7b. Structural test coverage (statements) 100 % | R | HR | HR | HR | Embedded Coder – Code coverage collection | During SIL simulation, Embedded Coder can collect statement coverage by using the third-party tool LDRA Testbed®. During SIL simulation, Embedded Coder can also collect condition/decision coverage information, which usually subsumes statement coverage, by using the third-party tool BullseyeCoverage. |
| 7c. Structural test coverage (branches) 100 % | R | R | HR | HR | Simulink Verification and Validation – Model coverage analysis | During model testing, Simulink Verification and Validation can collect decision coverage (also known as branch coverage) at the model level. |
| | | | | | Simulink Design Verifier – Test case generation | Simulink Design Verifier can generate test cases that satisfy decision coverage at the model level. |
| | | | | | Embedded Coder – Code coverage collection | During SIL simulation, Embedded Coder can collect statement coverage by using the third-party tool LDRA Testbed. During SIL simulation, Embedded Coder can also collect condition/decision coverage, which usually subsumes statement coverage, by using the third-party tool BullseyeCoverage. |
| 7d. Structural test coverage (conditions, MC/DC) 100 % | R | R | R | HR | Simulink Verification and Validation – Model coverage analysis | During model testing, Simulink Verification and Validation can collect MC/DC coverage at the model level. |
| | | | | | Simulink Design Verifier – Test case generation | Simulink Design Verifier can be used to generate test cases that satisfy MC/DC coverage at the model level. |
| | | | | | Embedded Coder – Code coverage collection | During SIL simulation, Embedded Coder can collect MC/DC coverage by using the third-party tool LDRA Testbed. |

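What rows 7a–7d distinguish between statement, decision (branch), condition and MC/DC coverage, as an added example that is not part of the IEC Certification Kit or of any MathWorks product: a Python check over a constructed decision `(A && B) || C` that reports whether a given test set reaches decision coverage, condition coverage and unique-cause MC/DC, and finds a minimal MC/DC test set by brute force. The decision, the test vectors and all function names are assumptions of this example.

```python
"""Decision, condition and unique-cause MC/DC coverage of one decision.
Constructed example: a guard (A && B) || C; tests are (A, B, C) bool tuples."""
from itertools import combinations, product

CONDITIONS = ("A", "B", "C")

def decision(a, b, c):
    """Constructed sample decision; stands in for a guard in generated code."""
    return (a and b) or c

def decision_coverage(tests):
    """Decision (branch) coverage: the decision took both outcomes."""
    return {decision(*t) for t in tests} == {True, False}

def condition_coverage(tests):
    """Condition coverage: every condition took both values."""
    return all({t[i] for t in tests} == {True, False}
               for i in range(len(CONDITIONS)))

def mcdc_pairs(tests):
    """Unique-cause MC/DC: for each condition, a pair of tests that differ
    only in that condition and flip the decision outcome.
    Returns {condition: (test with cond False, test with cond True) or None}."""
    pool = set(tests)
    pairs = {}
    for i, name in enumerate(CONDITIONS):
        pairs[name] = None
        for t in sorted(pool):
            flipped = t[:i] + (not t[i],) + t[i + 1:]
            if flipped in pool and decision(*t) != decision(*flipped):
                pairs[name] = (t, flipped) if not t[i] else (flipped, t)
                break
    return pairs

def mcdc_coverage(tests):
    """100 % MC/DC: every condition has an independence pair."""
    return all(p is not None for p in mcdc_pairs(tests).values())

def minimal_mcdc_set():
    """Smallest subset of all 2**3 vectors achieving MC/DC (brute force;
    unique-cause MC/DC needs at least n + 1 tests for n conditions)."""
    vectors = list(product((False, True), repeat=len(CONDITIONS)))
    for size in range(1, len(vectors) + 1):
        for subset in combinations(vectors, size):
            if mcdc_coverage(subset):
                return list(subset)
    return []

if __name__ == "__main__":
    # Decision coverage alone is satisfied by two tests; MC/DC is not.
    weak = [(True, True, False), (False, False, False)]
    print("decision:", decision_coverage(weak), "MC/DC:", mcdc_coverage(weak))
    print("minimal MC/DC set:", minimal_mcdc_set())
```

Two vectors that hit both outcomes of the decision, or that give every condition both values, still leave MC/DC unsatisfied; for three conditions the smallest MC/DC set has four vectors.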
Table B.3 Functional and Black-Box Testing

| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1. Test case execution from cause consequence diagrams | - | - | R | R | | |
| 2. Test case execution from model-based test case generation | R | R | HR | HR | Simulink Design Verifier – Test case generation | Simulink Design Verifier can be used to generate test cases from models. Test Objective blocks can be used to guide the test case generation. |
| 3. Prototyping/animation | - | - | R | R | Simulink Coder | Simulink Coder can be used to generate code for rapid prototyping. |
| | | | | | Embedded Coder | Embedded Coder can be used to generate code for on-target rapid prototyping. Software-in-the-loop (SIL) and processor-in-the-loop (PIL) simulation can be used to execute generated code in the context of a model. |
| | | | | | HDL Coder | HDL Coder can be used to generate on-target rapid prototyping on FPGA. |
| | | | | | Simulink® Real-Time™ | Simulink Real-Time can be used to perform rapid prototyping on Windows platforms. |
| | | | | | Simulink® 3D Animation™ | Simulink 3D Animation can be used to animate 3-dimensional scenes driven by signals in a model. |
| | | | | | Gauges Blockset™ | Gauges Blockset can be used to add graphical instrumentation to models. |
| 4. Equivalence classes and input partition testing, including boundary value analysis | R | HR | HR | HR | Simulink Design Verifier – Test case generation | Automatic test case generation in combination with Test Objective blocks can be used to generate test cases and test sequences for given boundary values. The analysis of equivalence classes can be based on the interfaces of the model. Automatic test case generation in combination with Test Objective blocks can be used to generate test cases and test sequences for given equivalence classes. |
| 5. Process simulation | R | R | R | R | Simulink, Stateflow, Simscape™ | Simulink products support simulation of algorithm and environment models. |

Table B.4 Failure Analysis

| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1a. Cause consequence diagrams | R | R | R | R | | |
| 1b. Event tree analysis | R | R | R | R | | |
| 2. Fault tree analysis | R | R | R | R | | |
| 3. Software functional failure analysis | R | R | R | R | | |

Table B.5 Modeling

| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1. Data flow diagrams | R | R | R | R | | |
| 2a. Finite state machines | - | R | HR | HR | Stateflow – Statecharts | Stateflow supports finite state machines using Mealy and Moore semantics. |
| 2b. Formal methods | - | R | R | HR | Simulink – Model Verification block library | Model Verification blocks can be used to formalize software safety requirements and other model properties. |
| | | | | | Simulink Design Verifier – Property proving, design error detection | Property proving can be used to verify model properties. Design error detection can analyze a model to detect design errors that might occur at run time. |
| 2c. Time Petri nets | - | R | HR | HR | | |
| 3. Performance modeling | R | HR | HR | HR | | |
| 4. Prototyping/animation | R | R | R | R | Simulink Real-Time | Simulink Real-Time can be used to perform rapid prototyping on Windows platforms. |
| | | | | | Simulink 3D Animation | Simulink 3D Animation can be used to animate 3-dimensional scenes driven by signals in a model. |
| 5. Structure diagrams | R | R | R | HR | | |

Table B.6 Performance Testing

| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1. Avalanche/stress testing | R | R | HR | HR | | |
| 2. Response timings and memory constraints | HR | HR | HR | HR | Embedded Coder – Processor-in-the-loop (PIL) testing, code metrics report | PIL testing analyzes resource utilization on a target processor. The code metrics report provides the amount of memory used by the generated code. |
| 3. Performance requirements | HR | HR | HR | HR | | |

Table B.7 Semi-formal Methods

| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1. Logic/function block diagrams | R | R | HR | HR | | |
| 2. Sequence diagrams | R | R | HR | HR | | |
| 3. Data flow diagrams | R | R | R | R | | |
| 4a. Finite state machines/state transition diagrams | R | R | HR | HR | Stateflow – State charts | Stateflow supports finite state machines using Mealy and Moore semantics. |
| 4b. Time Petri nets | R | R | HR | HR | | |
| 5. Entity-relationship-attribute data models | R | R | R | R | | |
| 6. Message sequence charts | R | R | R | R | | |
| 7. Decision/truth tables | R | R | HR | HR | Stateflow – Truth Table block | The Truth Table block enables the usage of truth table logic directly in a Simulink model. |
| 8. UML | | | | | | |

Table B.8 Static Analysis

| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1. Boundary value analysis | R | R | HR | HR | Simulink Design Verifier – Test case generation | Automatic test case generation in combination with Test Objective blocks can be used to generate test cases and test sequences for given boundary values. |
| 2. Checklists | R | R | R | R | | |
| 3. Control flow analysis | R | HR | HR | HR | Simulink Verification and Validation – Model coverage analysis | Model coverage analysis can help to identify unreachable portions of a model. |
| | | | | | Simulink Design Verifier – Test case generation | Automatic test case generation can be used to detect unreachable model constructs that could result in unreachable code. |
| | | | | | Polyspace Code Prover – Call tree computation; Polyspace Code Prover – Unreachable code analysis | Polyspace Code Prover can partially extract control flow information from C code and can create the application call tree. Gray checks detect unreachable code. |
| 4. Data flow analysis | R | HR | HR | HR | Simulink – Diagnostics; Stateflow – Diagnostics | Data Store Memory block diagnostics and Stateflow diagnostics can be configured to identify data flow issues. |
| | | | | | Polyspace Code Prover – Code verification | Polyspace Code Prover supports static verification of dynamic properties of generated code. This verification technique is based on data flow analysis. |
| 5. Error guessing | R | R | R | R | | |
| 6a. Formal inspections, including specific criteria | R | R | HR | HR | Simulink; Simulink Report Generator – Web View, System Design Description (SDD) report | Design inspections can be based on a model, a generated Web View, or an SDD report. |
| | | | | | Simulink Verification and Validation – Model Advisor checks | Design inspections can be supported by ISO 26262, MAAB, Requirements Consistency, and custom checks in Model Advisor. A Model Advisor check configuration can define a set of checks to pass as a prerequisite for entering model inspection. |
| | | | | | Embedded Coder – Code generation report; IEC Certification Kit – Traceability matrix | Code inspections can be based on HTML code generation reports, code generation reports with an integrated Web View of the model, or model-to-code and code-to-model traceability matrices. |
| 6b. Walk-through (software) | R | R | R | R | Simulink; Simulink Report Generator – Web View, System Design Description (SDD) report | Design walkthroughs can be based on a model, a generated Web View, or an SDD report. |
| | | | | | Embedded Coder – Code generation report | Code walkthroughs can be based on HTML code generation reports or code generation reports with an integrated Web View of the model. |
| 7. Symbolic execution | - | - | R | R | | |
| 8. Design review | HR | HR | HR | HR | Simulink; Simulink Report Generator – Web View, System Design Description (SDD) report | Design reviews can be based on a model, a generated Web View, or an SDD report. |
| | | | | | Simulink Verification and Validation – Model Advisor checks | Design reviews can be supported by ISO 26262, MAAB, Requirements Consistency, and custom checks in Model Advisor. A Model Advisor check configuration can define a set of checks to pass as a prerequisite for entering model review. |
| | | | | | Embedded Coder – Code generation report; IEC Certification Kit – Traceability matrix | Code reviews can be based on HTML code generation reports, code generation reports with an integrated Web View of the model, or model-to-code and code-to-model traceability matrices. |
| 9. Static analysis of run time error behaviour | R | R | R | HR | Polyspace Code Prover – Code verification | Run-time error detection can analyze C or C++ code to identify software errors that might occur during run time. |
| 10. Worst-case execution time analysis | R | R | R | R | | |

Table B.9 Modular Approach

| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1. Software module size limit | HR | HR | HR | HR | Simulink; Embedded Coder | Software components can be structured hierarchically to limit component size. |
| | | | | | Simulink Verification and Validation – Cyclomatic Complexity Metric | Simulink Verification and Validation provides the ability to measure model size. |
| | | | | | Simulink Verification and Validation – IEC 61508 checks | IEC 61508 Model Advisor check "Display model metrics and complexity report" provides information on the size of models and subsystems. |
| | | | | | Embedded Coder – Code metrics report | The code metrics report provides the amount of memory used by the generated code. |
| | | | | | Polyspace Bug Finder – Code metrics | Polyspace Bug Finder – Code metrics supports the generation of size metrics for source code. |
| 2. Software complexity control | R | R | HR | HR | Simulink Verification and Validation – Cyclomatic Complexity Metric | Simulink Verification and Validation provides the ability to measure model complexity. |
| | | | | | Simulink Verification and Validation – IEC 61508 checks | IEC 61508 Model Advisor check "Display model metrics and complexity report" provides information on the complexity of models and subsystems. |
| | | | | | Polyspace Bug Finder – Code metrics | Polyspace Bug Finder – Code metrics supports the generation of size and complexity metrics for source code. |
| 3. Information hiding/encapsulation | R | HR | HR | HR | Simulink – Model block, Ports & Subsystems block library; Stateflow | Model blocks (model referencing), subsystems, libraries, and Stateflow charts can support information encapsulation and hiding. |
| | | | | | Simulink – Model Dependency Viewer | When using Model blocks or libraries to structure a model, the Model Dependency Viewer can display a graph of models and libraries referenced by the top model. |
| 4. Parameter number limit / fixed number of subprogram parameters | R | R | R | R | | |
| 5. One entry/one exit point in subroutines and functions | HR | HR | HR | HR | Simulink – Modeling Guidelines | Adherence can be facilitated by applying modeling guidelines in combination with analyzing generated code. MAAB guideline jc_0511 provides corresponding modeling recommendations. |
| | | | | | Polyspace Bug Finder – MISRA-C checker | Polyspace Bug Finder can assess compliance with MISRA-C rules for subroutines and functions. |
| 6. Fully defined interface | HR | HR | HR | HR | Simulink – Model blocks | The usage of Model blocks facilitates fully defined interface specifications at the model block boundaries. |
| | | | | | Simulink Verification and Validation – IEC 61508 checks | IEC 61508 Model Advisor check "Check for fully defined interface" identifies root model Inport blocks that do not have fully defined attributes. |
