R2015a
How to Contact MathWorks
Latest news: www.mathworks.com
Sales and services: www.mathworks.com/sales_and_services
User community: www.mathworks.com/matlabcentral
Technical support: www.mathworks.com/support/contact_us
Phone: 508-647-7000
The MathWorks, Inc.
3 Apple Hill Drive
Natick, MA 01760-2098
IEC Certification Kit: Model-Based Design for IEC 61508
© COPYRIGHT 2013–2015 by The MathWorks, Inc.
The software described in this document is furnished under a license agreement. The software may be used or copied only under the terms of the license agreement. No part of this manual may be photocopied or reproduced in any form without prior written consent from The MathWorks, Inc.
FEDERAL ACQUISITION: This provision applies to all acquisitions of the Program and Documentation by, for, or through the federal government of the United States. By accepting delivery of the Program or Documentation, the government hereby agrees that this software or documentation qualifies as commercial computer software or commercial computer software documentation as such terms are used or defined in FAR 12.212, DFARS Part 227.72, and DFARS 252.227-7014. Accordingly, the terms and conditions of this Agreement and only those rights specified in this Agreement, shall pertain to and govern the use, modification, reproduction, release, performance, display, and disclosure of the Program and Documentation by the federal government (or other entity acquiring for or through the federal government) and shall supersede any conflicting contractual terms or conditions. If this License fails to meet the government’s needs or is inconsistent in any respect with federal procurement law, the government agrees to return the Program and Documentation, unused, to The MathWorks, Inc.
Trademarks
MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See www.mathworks.com/trademarks for a
list of additional trademarks. Other product or brand names may be trademarks or registered trademarks of their respective
holders.
Patents
MathWorks products are protected by one or more U.S. patents. Please see www.mathworks.com/patents for more
information.
Revision History
March 2013 New for Version 3.1 (Applies to Release 2013a)
September 2013 Revised for Version 3.2 (Applies to Release 2013b)
March 2014 Revised for Version 3.3 (Applies to Release 2014a)
October 2014 Revised for Version 3.4 (Applies to Release 2014b)
March 2015 Revised for Version 3.5 (Applies to Release 2015a)
Contents
1 Model-Based Design for IEC 61508 ................................................................................................ 1-1
2 Applicable Model-Based Design Tools and Processes .................................................................... 2-1
2.1 IEC 61508-3 Annex A Tables ................................................................................................. 2-2
Table A.1 Software Safety Requirements Specification ......................................................... 2-2
Table A.2 Software Design and Development – Software Architecture Design ..................... 2-2
Table A.3 Software Design and Implementation – Support Tools and Programming Language ............ 2-5
Table A.4 Software Design and Development – Detailed Design........................................... 2-6
Table A.5 Software Design and Development – Software Module Testing and Integration .. 2-7
Table A.6 Programmable Electronics Integration (Hardware and Software) .......................... 2-8
Table A.7 Software Aspects of System Safety Validation ...................................................... 2-9
Table A.8 Modification ........................................................................................................... 2-9
Table A.9 Software Verification ........................................................................................... 2-11
Table A.10 Functional Safety Assessment ............................................................................ 2-12
2.2 IEC 61508-3 Annex B Tables ............................................................................................... 2-13
Table B.1 Design and Coding Standards ............................................................................... 2-13
Table B.2 Dynamic Analysis and Testing ............................................................................. 2-15
Table B.3 Functional and Black-Box Testing ....................................................................... 2-17
Table B.4 Failure Analysis .................................................................................................... 2-18
Table B.5 Modeling............................................................................................................... 2-18
Table B.6 Performance Testing ............................................................................................. 2-18
Table B.7 Semi-formal Methods ........................................................................................... 2-19
Table B.8 Static Analysis ...................................................................................................... 2-19
Table B.9 Modular Approach ................................................................................................ 2-21
1 Model-Based Design for IEC 61508
This documentation provides annotated versions of techniques/measures tables that appear in the
IEC 61508-3 standard. The annotated tables provide suggestions on how to use Model-Based
Design products from MathWorks® to apply the techniques/measures listed in the standard for
different Safety Integrity Levels (SILs).
The IEC Certification Kit provides additional support when using Model-Based Design for IEC
61508 applications, including reference workflows for verifying and validating models and
generated code.
2 Applicable Model-Based Design Tools and Processes
2.1 IEC 61508-3 Annex A Tables
Table A.2 Software Design and Development – Software Architecture Design

| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 3b. Diverse monitor techniques (with independence between the monitor and the monitored function in the same computer) | - | R | R | - | Simulink; Stateflow | Simulink and Stateflow can be used to design the monitor and/or the monitored function. |
| 3c. Diverse monitor techniques (with separation between the monitor computer and the monitored computer) | - | R | R | HR | Simulink; Stateflow | Simulink and Stateflow can be used to design the monitor and/or the monitored function. |
| 3d. Diverse redundancy, implementing the same software safety requirements specification | - | - | - | R | Simulink; Stateflow; Fixed-Point Designer™ | Diverse redundancy for algorithmic parts can be supported by executing floating-point and fixed-point versions of an algorithm in parallel and then comparing the results. |
| 3e. Functionally diverse redundancy, implementing different software safety requirements specification | - | - | R | HR | Simulink; Stateflow | Simulink and Stateflow can be used to implement one or both software safety requirements specifications. |
| 3f. Backward recovery | R | R | - | NR | Simulink; Stateflow | Simulink and Stateflow can be used to design fault detection, isolation, and recovery (FDIR) algorithms. |
| 3g. Stateless software design (or limited state design) | - | - | R | HR | Stateflow – Flowchart, Truth Table block; Simulink – Combinatorial Logic block | Simulink and Stateflow provide constructs that can be used to support stateless designs or limited state designs. |
| 4a. Re-try fault recovery mechanisms | R | R | - | - | Simulink; Stateflow | Simulink and Stateflow can be used to design fault detection, isolation, and recovery (FDIR) algorithms. |
| 4b. Graceful degradation | R | R | HR | HR | Stateflow | Stateflow can be used to design graceful degradation behaviour. |
| 5. Artificial intelligence - fault correction | - | NR | NR | NR | | |
| 6. Dynamic reconfiguration | - | NR | NR | NR | | |
| 7. Modular approach | HR | HR | HR | HR | Table B.9 | |
| 8. Use of trusted/verified software elements (if available) | R | HR | HR | HR | Simulink – Block library, Model block | Model blocks (model referencing) facilitate the creation and re-use of trusted/verified software elements. |
| 9. Forward traceability between the software safety requirements specification and software architecture | R | R | HR | HR | Simulink Verification and Validation – Requirements Management Interface (RMI); IEC Certification Kit – Traceability matrix | The RMI can be used to link models representing the software architecture to requirements specifications in Microsoft Word, Microsoft Excel, ASCII text, or PDF files. Generated traceability matrices can be used to document and review existing links between requirements and models. |
| 10. Backward traceability between the software safety requirements specification and software architecture | R | R | HR | HR | Simulink Verification and Validation – Requirements Management Interface (RMI); IEC Certification Kit – Traceability matrix | The RMI can be used to link models representing the software architecture to requirements specifications in Microsoft Word, Microsoft Excel, ASCII text, or PDF files. Generated traceability matrices can be used to document and review existing links between requirements and models. |
| 11a. Structured diagrammatic methods | HR | HR | HR | HR | | |
| 11b. Semi-formal methods | R | R | HR | HR | Table B.7 | |
| 11c. Formal design and refinement methods | - | R | R | HR | Simulink – Model Verification block library | Model Verification blocks can be used to formalize software safety requirements and other model properties. |
| 11d. Automatic software generation | R | R | R | R | MATLAB® Coder™; Simulink® Coder™ | MATLAB Coder, Simulink Coder, and Embedded Coder facilitate the automatic generation of C/C++ code from designs. |
| 13a. Cyclic behaviour, with guaranteed maximum cycle time | R | HR | HR | HR | Simulink; Stateflow | Simulink and Stateflow facilitate modeling of cyclic behavior. A maximum cycle time needs to be addressed by additional means. |
| 13b. Time-triggered architecture | R | HR | HR | HR | Simulink; Stateflow | Simulink and Stateflow facilitate modeling of algorithmic components for time-triggered architectures. A realization of time-triggered scheduling needs to be addressed by additional means. |
| 13c. Event-driven, with guaranteed maximum response time | R | HR | HR | - | Simulink; Stateflow | Simulink and Stateflow facilitate modeling of algorithmic components for event-driven architectures. A maximum response time needs to be addressed by additional means. |
| 14. Static resource allocation | - | R | HR | HR | Embedded Coder – Configuration | Embedded Coder can be configured to generate C code that does not include dynamic variables. |
Table A.3 Software Design and Implementation – Support Tools and Programming Language
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1. Suitable programming language | HR | HR | HR | HR | Embedded Coder; Simulink Coder; MATLAB Coder; Simulink PLC Coder | C or C++ with a subset and coding standard, and use of static analysis tools, are classified as highly recommended programming languages in IEC 61508-7, Table C1. MATLAB Coder, Simulink Coder, and Embedded Coder can generate C or C++ code. Language subsets, coding standards, and static analysis tools are discussed elsewhere in this document. |
| 3. Language subset | - | - | HR | HR | Simulink – Modeling Guidelines for High-Integrity Systems | Modeling Guidelines for High-Integrity Systems and custom guidelines can support the definition of analyzable programs at the model level. |
Table A.4 Software Design and Development – Detailed Design

| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 7. Use of trusted/verified software elements (if available) | R | HR | HR | HR | Simulink – Block library, Model block | Model blocks (model referencing) facilitate the creation and re-use of trusted/verified software elements by the user. |
Table A.5 Software Design and Development – Software Module Testing and Integration
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1. Probabilistic testing | - | R | R | R | SystemTest™ | SystemTest can generate random test vector values using probability distribution functions. |
| 8. Test management and automation tools | R | HR | HR | HR | Simulink – Simulation Data Inspector, Signal Builder; Simulink® Verification and Validation™; SystemTest | The Simulation Data Inspector, Signal Builder, Simulink Verification and Validation, Simulink Design Verifier, and SystemTest can be used to manage and automate testing. |
| 9. Forward traceability between the software design specification and the module and integration test specifications | R | R | HR | HR | Simulink – Signal Builder; Simulink Verification and Validation – Requirements Management Interface (RMI) | When using Signal Builder in combination with Simulink Verification and Validation, the Requirements pane in Signal Builder can be used to link test cases in Signal Builder to external documents. |
| 10. Formal verification | - | - | R | R | Simulink – Model Verification block library; Simulink Design Verifier – Property proving, design error detection; Polyspace Code Prover – Code verification | Model Verification blocks can be used to formalize software safety requirements and other model properties. Property proving can be used to verify model properties. Design error detection can analyze a model to detect design errors that might occur at run time. Polyspace Code Prover can analyze C code to identify software errors that might occur during run time. |
Table A.7 Software Aspects of System Safety Validation
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1. Probabilistic testing | - | R | R | HR | SystemTest | SystemTest can generate random test vector values using probability distribution functions. |
| 2. Process simulation | R | R | HR | HR | | |
| 3. Modeling | R | R | HR | HR | Table B.5 | |
| 4. Functional and black-box testing | HR | HR | HR | HR | Table B.3 | |
| 5. Forward traceability between the software safety requirements specification and the software safety validation plan | R | R | HR | HR | Simulink Verification and Validation – Requirements Management Interface (RMI) | If Simulink or Stateflow are being used to model aspects of the software safety requirements, the RMI can be used to link requirements models to textual descriptions in Microsoft Word, Microsoft Excel, ASCII text, and PDF files. |
| 6. Backward traceability between the software safety validation plan and the software safety requirements specification | R | R | HR | HR | Simulink Verification and Validation – Requirements Management Interface (RMI) | If Simulink or Stateflow are being used to model aspects of the software safety requirements, the RMI can be used to link requirements models to textual descriptions in Microsoft Word, Microsoft Excel, ASCII text, and PDF files. |
Table A.8 Modification

| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 3. Reverify affected software modules | R | HR | HR | HR | Simulink – Simulation Data Inspector, Signal Builder; Simulink Verification and Validation | The Simulation Data Inspector, Signal Builder, Simulink Verification and Validation, Simulink Design Verifier, and SystemTest can be used to dynamically verify affected modules (regression testing). |
Table A.9 Software Verification
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1. Formal proof | - | R | R | HR | Simulink – Model Verification block library; Simulink Design Verifier – Property proving, design error detection; Polyspace Code Prover – Code verification | Model Verification blocks can be used to formalize software safety requirements and other model properties. Property proving can be used to verify model properties. Design error detection can analyze a model to detect design errors that might occur at run time. Polyspace Code Prover can analyze C code to identify software errors that might occur during run time. |
| 2. Animation of specification and design | R | R | R | R | Simulink; Stateflow | Simulink and Stateflow can be used to animate design and/or specification models. |
| 3. Static analysis | R | HR | HR | R | Table B.8 | |
| 4. Dynamic analysis and testing | R | HR | HR | HR | Table B.2 | |
| 5. Forward traceability between the software design specification and the software verification (including data verification) plan | R | R | HR | HR | Simulink Verification and Validation – Requirements Management Interface (RMI) | The RMI can be used to link design models to textual descriptions in Microsoft Word, Microsoft Excel, ASCII text, and PDF files. |
| 6. Backward traceability between the software verification (including data verification) plan and the software design specification | R | R | HR | HR | Simulink Verification and Validation – Requirements Management Interface (RMI) | The RMI can be used to link design models to textual descriptions in Microsoft Word, Microsoft Excel, ASCII text, and PDF files. |
| 7. Offline numerical analysis | R | HR | HR | HR | MATLAB | MATLAB can support offline numerical analysis. |
| Software module testing and integration | | | | | Table A.5 | |
| Programmable electronics integration testing | | | | | Table A.6 | |
| Software system testing (validation) | | | | | Table A.7 | |
Table A.10 Functional Safety Assessment
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1. Checklists | R | R | R | R | | |
| 2. Decision/truth tables | R | R | R | R | Stateflow – Truth Table block | The Truth Table block enables the usage of truth table logic directly in a Simulink model. |
| 3. Failure analysis | R | R | HR | HR | | |
| 4. Common cause failure analysis of diverse software (if diverse software is actually used) | - | R | HR | HR | | |
| 5. Reliability block diagram | R | R | R | R | | |
| 6. Forward traceability between the requirements of IEC 61508-3, clause 8 and the plan for software functional safety assessment | R | R | HR | HR | | |
2.2 IEC 61508-3 Annex B Tables
Table B.1 Design and Coding Standards

| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 6. Limited use of recursion | - | R | HR | HR | Simulink – Modeling Guidelines; Polyspace Code Prover – Call tree computation; Polyspace Bug Finder – MISRA-C checker | Adherence can be facilitated by applying modeling guidelines. High-integrity guideline hisf_0004 provides corresponding modeling recommendations. Avoid using n-D Lookup Table and Interpolation blocks and Prelookup blocks with dimensions > 5. Generated call graphs can be reviewed to identify recursive function calls. |
Table B.2 Dynamic Analysis and Testing
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1. Test case execution from boundary value analysis | R | HR | HR | HR | Simulink Design Verifier – Test case generation | Automatic test case generation in combination with Test Objective blocks can be used to generate test cases and test sequences for given boundary values. |
| 2. Test case execution from error guessing | R | R | R | R | | |
| 3. Test case execution from error seeding | - | R | R | R | Simulink; Stateflow; Simulink Design Verifier – Test case generation | Simulink and Stateflow can be used to carry out fault injection tests. The tools can also be used to simulate failure propagation at the model level. For this purpose, the system model and a separate failure model can be used. Automatic test case generation in combination with Test Objective blocks can be used to generate test cases and test sequences for error seeding tests. |
| 4. Test case execution from model-based test case generation | R | R | HR | HR | Simulink Design Verifier – Test case generation | Simulink Design Verifier can be used to generate test cases from models. Test Objective blocks can be used to guide the test case generation. |
| 5. Performance modeling | R | R | R | HR | | |
| 6. Equivalence classes and input partition testing | R | R | R | HR | Simulink Design Verifier – Test case generation | The analysis of equivalence classes can be based on the interfaces of the model. Automatic test case generation in combination with Test Objective blocks can be used to generate test cases and test sequences for given equivalence classes. |
| 7a. Structural test coverage (entry points) 100 % | HR | HR | HR | HR | Embedded Coder – Code coverage collection | During SIL simulation, Embedded Coder can collect function coverage information by using the third-party tool BullseyeCoverage™. |
| 7b. Structural test coverage (statements) 100 % | R | HR | HR | HR | Embedded Coder – Code coverage collection | During software-in-the-loop (SIL) simulation, Embedded Coder can collect statement coverage by using the third-party tool LDRA Testbed®. During SIL simulation, |
| 7c. Structural test coverage (branches) 100 % | R | R | HR | HR | Simulink Verification and Validation – Model coverage analysis; Simulink Design Verifier – Test case generation | During model testing, Simulink Verification and Validation can collect decision coverage (also known as branch coverage) at the model level. Simulink Design Verifier can generate test cases that satisfy decision coverage at the model level. |
Table B.3 Functional and Black-Box Testing
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1. Test case execution from cause consequence diagrams | - | - | R | R | | |
| 2. Test case execution from model-based test case generation | R | R | HR | HR | Table A.1; Simulink Design Verifier – Test case generation | Simulink Design Verifier can be used to generate test cases from models. Test Objective blocks can be used to guide the test case generation. |
| 3. Prototyping/animation | - | - | R | R | Simulink Coder; Embedded Coder; HDL Coder; Simulink® Real-Time™; Simulink® 3D Animation™; Gauges Blockset™ | Simulink Coder can be used to generate code for rapid prototyping. Embedded Coder can be used to generate code for on-target rapid prototyping. Software-in-the-loop (SIL) and processor-in-the-loop (PIL) simulation can be used to execute generated code in the context of a model. HDL Coder can be used to generate code for on-target rapid prototyping on FPGA. |
Table B.4 Failure Analysis
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1a. Cause consequence diagrams | R | R | R | R | | |
| 1b. Event tree analysis | R | R | R | R | | |
| 2. Fault tree analysis | R | R | R | R | | |
| 3. Software functional failure analysis | R | R | R | R | | |
Table B.7 Semi-formal Methods
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1. Logic/function block diagrams | R | R | HR | HR | | |
| 2. Sequence diagrams | R | R | HR | HR | | |
| 3. Data flow diagrams | R | R | R | R | | |
| 4a. Finite state machines/state transition diagrams | R | R | HR | HR | Stateflow – State charts | Stateflow supports finite state machines using Mealy and Moore semantics. |
| 4b. Time Petri nets | R | R | HR | HR | | |
| 5. Entity-relationship-attribute data models | R | R | R | R | | |
| 6. Message sequence charts | R | R | R | R | | |
| 7. Decision/truth tables | R | R | HR | HR | Stateflow – Truth Table block | The Truth Table block enables the usage of truth table logic directly in a Simulink model. |
| 8. UML | | | | | | |
Table B.8 Static Analysis

| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| | | | | | Polyspace Code Prover – Call tree computation; Polyspace Code Prover – Unreachable code analysis | Polyspace Code Prover can partially extract control flow information from C code and can create the application call tree. Gray checks detect unreachable code. |
| 4. Data flow analysis | R | HR | HR | HR | Simulink – Diagnostics; Stateflow – Diagnostics; Polyspace Code Prover – Code verification | Data Store Memory block diagnostics and Stateflow diagnostics can be configured to identify data flow issues. Polyspace Code Prover supports static verification of dynamic properties of generated code. This verification technique is based on data flow analysis. |
| 5. Error guessing | R | R | R | R | | |
| 6a. Formal inspections, including specific criteria | R | R | HR | HR | Simulink; Simulink Report Generator – Web View, System Design Description (SDD) report; Simulink Verification and Validation – Model Advisor checks | Design inspections can be based on a model, a generated Web View, or an SDD report. Design inspections can be supported by ISO 26262, MAAB, Requirements Consistency, and custom checks in Model Advisor. A Model Advisor check configuration can define a set of checks to pass as a prerequisite for entering model inspection. |
Table B.9 Modular Approach
| Technique/Measure | SIL 1 | SIL 2 | SIL 3 | SIL 4 | Applicable Model-Based Design Tools and Processes | Comments |
|---|---|---|---|---|---|---|
| 1. Software module size limit | HR | HR | HR | HR | Simulink; Embedded Coder; Simulink Verification and Validation – Cyclomatic Complexity Metric; Simulink Verification and Validation – IEC 61508 checks; Embedded Coder – Code metrics report; Polyspace Bug Finder – Code metrics | Software components can be structured hierarchically to limit component size. Simulink Verification and Validation provides the ability to measure model size. IEC 61508 Model Advisor check “Display model metrics and complexity report” provides information on the size of models and subsystems. The code metrics report provides the amount of memory used by the generated code. Polyspace Bug Finder – Code metrics supports the generation of size metrics for source code. |
| 2. Software complexity control | R | R | HR | HR | Simulink Verification and Validation – Cyclomatic Complexity Metric; Simulink Verification and Validation – IEC 61508 checks; Polyspace Bug Finder – Code metrics | Simulink Verification and Validation provides the ability to measure model complexity. IEC 61508 Model Advisor check “Display model metrics and complexity report” provides information on the complexity of models and subsystems. Polyspace Bug Finder – Code metrics supports the generation of size and complexity metrics for source code. |
| 3. Information hiding/encapsulation | R | HR | HR | HR | Simulink – Model block, Ports & Subsystems block library; Stateflow; Simulink – Model Dependency Viewer | Model blocks (model referencing), subsystems, libraries, and Stateflow charts can support information encapsulation and hiding. When using Model blocks or libraries to structure a model, the Model Dependency Viewer can display a graph of models and libraries referenced by the top model. |
| 4. Parameter number limit / fixed number of subprogram parameters | R | R | R | R | | |
| 5. One entry/one exit point in subroutines and functions | HR | HR | HR | HR | Simulink – Modeling Guidelines; Polyspace Bug Finder – MISRA-C checker | Adherence can be facilitated by applying modeling guidelines in combination with analyzing generated code. MAAB guideline jc_0511 provides corresponding modeling recommendations. |
| 6. Fully defined interface | HR | HR | HR | HR | Simulink – Model blocks; Simulink Verification and Validation – IEC 61508 checks | The usage of Model blocks facilitates fully defined interface specifications at the Model block boundaries. IEC 61508 Model Advisor check “Check for fully defined interface” identifies root model Inport blocks that do not have fully defined attributes. |