1© 2015 The MathWorks, Inc.

Increasing Design Confidence

Paolo Bizzarri

Principal Applications Engineer

3

The Cost of Failure…

4

Key Message

It is easier and less expensive to fix design

errors early in the process when they happen.

Model and code verification enable:

1. Early testing to increase confidence in your design

2. Delivery of higher quality software throughout the workflow

3. Greater safety!

5

Gaining Confidence in our Design

Effort / Time

Confidence

Ad-hoc testing

Design error detection

Functional& structural tests

Modeling standards

Model & code equivalence checks

Code integration analysis

C/C++ CODEMODEL

6

Application: Control of electromechanical systems

7

System

Inputs OutputsDiagnostics

FIltering

Overall

Control

Unit

Le

ga

cy c

od

e

ECU / Control Unit

Application: Motor Control

2Motor Control

(MBD)

1

8

System

Inputs OutputsDiagnostics

Filters

Le

ga

cy c

od

e

Application: Electromechanical Control System

Motor Control

(MBD)

Overall

Control

Unit

9

Application: Motor Control

Systems Inputs

• Motor On

• Command Type

• Command Value

Sensor Inputs

• Currents, Voltages

• Encoders

Inputs

Engaged

Target speed

Outputs

Motor Control

(MBD)

Position

Speed

Torque

10

Gaining Confidence in our Design

Effort / Time

Confidence

Ad-hoc testing

Design error detection

Functional& structural tests

Modeling & coding standards

Code equiv. & integration checks

11

Ad-hoc Tests New “Dashboard” blocks facilitate early ad-hoc testing

12

Gaining Confidence in our Design

Effort / Time

Confidence

Ad-hoc testing

Design error detection

Functional& structural tests

Modeling & coding standards

Code equiv. & integration checks

13

Finding Design Errors: Dead Logic

14

Gaining Confidence in our Design

Effort / Time

Confidence

Ad-hoc testing

Design error detection

Functional& structural tests

Modeling & coding standards

Code equiv. & integration checks

15

Simulation Testing Workflow

Design

Requirements

Did we meet

requirements?

Review functional

behavior

16

Did We Completely Test our Model?

Model Coverage

Analysis

Potential causes of less than 100%

coverage:

Missing requirements

Over/Under-specified design

Design errors

Missing tests

17

Requirements Based Functional Testing with Coverage Analysis

Sequence Test Editor

(Simulink Test)

18

Functional Testing with Added Requirements & Test Cases

19

Gaining Confidence in our Design

Effort / Time

Confidence

Ad-hoc testing

Design error detection

Functional& structural tests

Modeling standards

Code equiv. & integration checks

Found a major design problems thanks to Simulink

Design Verifier

– A positive number was always evaluated as less than zero

Functional test cases passed

– Simulink Test or Classic Signal Builder manage execution of

tests

Generated extra test cases for better understanding

how to pilot the control logic

– During test cases generation another defect was corrected

(% commented transition)

With some effort 100% model coverage was

reached!

20

Model Advisor – Model Standards Checking

21

Gaining Confidence in our Design

Effort / Time

Confidence

Ad-hoc testing

Design error detection

Functional& structural tests

Modeling standards

Model & code equivalence checks

22

Code Generation with Model-to-Code Traceability

23

Code Generation with Model-to-Code Traceability

CODESPECS MODEL

CONTROL AND MANAGE

COMPLEXITY

24

Equivalence Testing:

Model vs SIL or PIL Mode Testing

Model

Testing

SIL or PIL

Mode Testing

Coverage 100%

25

Code Equivalence Check Results:

Model vs CodeCode Coverage

Re-used full coverage test vectors and harnesses from Model Verification testing

Ran test vectors on generated code using Model Reference SIL mode

Model Coverage to Code Coverage using the SIL Code Coverage Report

Successfully demonstrated code behavior matches model behavior!

26

Gaining Confidence in our Design

Effort / Time

Confidence

Ad-hoc testing

Design error detection

Functional& structural tests

Modeling standards

Model & code equivalence checks

Code integration analysis

32

CODE VERIFICATION TOOLS: Bug Finder and Code Prover

Polyspace Code Analysis is STATIC CODE ANALYSIS

static void pointer_arithmetic (void) {

int array[100];

int *p = array;

int i;

for (i = 0; i < 100; i++) {

*p = 0;

p++;

}

if (get_bus_status() > 0) {

if (get_oil_pressure() > 0) {

*p = 5;

} else {

i++;

}

}

i = get_bus_status();

if (i >= 0) {

*(p - i) = 10;

}

}

Source code painted in green, red, gray, orange

Green: reliablesafe pointer access

Red: faultyout of bounds error

Gray: deadunreachable code

Orange: unprovenmay be unsafe for some

conditions

Purple: violationMISRA-C/C++ or JSF++

code rules

variable ‘I’ (int32): [0 .. 99]

assignment of ‘I’ (int32): [1 .. 100]

Range datatool tip

33

RESULTS OF BUG FINDER: errors and MISRA rules

MISRA 2012

MISRA 2012

34

RESULTS OF CODE PROVER: absolute absence of run time errors

NO RTE

(Run Time

Error

Code)

35

Effort / Time

Confidence

Ad-hoc testing

Design error detection

Functional& structural tests

Modeling standards

Model & code equivalence checks

Code integration analysis

Gaining Confidence in our Design

Bug Finder finds only two MISRA violations

These violations can be addressed with another transition

OR could be addressed with a different style of code generation

In both cases the re-validation is automatized

Code Prover initially finds possible overflows

If we run analysis with correct input ranges the code is “all green” no RTE

36

Polyspace Products proven on SOLAR IMPULSE

Visit me at the code verification demo booth …..

38

Conclusion

It is easier and less expensive to fix design

errors early in the process when they happen.

Model and code verification enable:

1. Early testing to increase confidence in your design

2. Delivery of higher quality software throughout the workflow

3. Greater safety!

39© 2015 The MathWorks, Inc.