
8/20/2019 Qualkitdo Slci Tqp

http://slidepdf.com/reader/full/qualkitdo-slci-tqp 1/33

 

DO Qualification Kit

Simulink® Code Inspector™ Tool Qualification Plan

R2015b, September 2015


 How to Contact MathWorks

Latest news: www.mathworks.com 

Sales and services: www.mathworks.com/sales_and_services 

User community: www.mathworks.com/matlabcentral 

Technical support: www.mathworks.com/support/contact_us 

Phone: 508-647-7000 

The MathWorks, Inc.

3 Apple Hill Drive Natick, MA 01760-2098

DO Qualification Kit: Simulink® Code Inspector™ Tool Qualification Plan

© COPYRIGHT 2012 – 2015 by The MathWorks, Inc.

The software described in this document is furnished under a license agreement. The software may be used or copied only under the terms of the license agreement. No part of this manual may be photocopied or reproduced in any form without prior written consent from The MathWorks, Inc.

FEDERAL ACQUISITION: This provision applies to all acquisitions of the Program and Documentation by, for, or through the federal government of the United States. By accepting delivery of the Program or Documentation, the government hereby agrees that this software or documentation qualifies as commercial computer software or commercial computer software documentation as such terms are used or defined in FAR 12.212, DFARS Part 227.72, and DFARS 252.227-7014. Accordingly, the terms and conditions of this Agreement and only those rights specified in this Agreement, shall pertain to and govern the use, modification, reproduction, release, performance, display, and disclosure of the Program and Documentation by the federal government (or other entity acquiring for or through the federal government) and shall supersede any conflicting contractual terms or conditions. If this License fails to meet the government's needs or is inconsistent in any respect with federal procurement law, the government agrees to return the Program and Documentation, unused, to The MathWorks, Inc.

Trademarks

MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See www.mathworks.com/trademarks for a list of additional trademarks. Other product or brand names may be trademarks or registered trademarks of their respective holders.

Patents

MathWorks products are protected by one or more U.S. patents. Please see www.mathworks.com/patents for more information.


Revision History

March 2012      New for Version 1.6 (Applies to Release 2012a)
September 2012  Revised for Version 2.0 (Applies to Release 2012b)
March 2013      Revised for Version 2.1 (Applies to Release 2013a)
September 2013  Revised for Version 2.2 (Applies to Release 2013b)
March 2014      Revised for Version 2.3 (Applies to Release 2014a)
October 2014    Revised for Version 2.4 (Applies to Release 2014b)
March 2015      Revised for Version 2.5 (Applies to Release 2015a)
September 2015  Revised for DO Qualification Kit Version 3.0 (Applies to Release 2015b)


Contents

1 Introduction
2 Tool Overview and Identification
  2.1 Simulink Code Inspector Product Description
  2.2 Simulink Code Inspector Product Identifier
3 Tool Operational Requirements
4 Certification Considerations
  4.1 Requirements for Qualification
  4.2 Certification Credit
5 Tool Development Life Cycle – Tool Developer
6 Tool Development Life Cycle – Tool User
  6.1 Planning
  6.2 Requirements
  6.3 Verification
7 Additional Considerations
  7.1 Independence
  7.2 Customer Bug Reporting Considerations
  7.3 Protection Mechanisms
8 Tool Life Cycle Data
9 Schedule


1 Introduction

This document comprises the Tool Qualification Plan (Reference DO-330 Section 10.1.2) for the following capability of the Simulink® Code Inspector™ verification tool:

- Code inspection report

This document is intended for use in the DO-178C and DO-330 tool qualification process for Criteria 2 TQL-4 tools.

See also the DO Qualification Kit User's Guide, R2015b.


2 Tool Overview and Identification


2.1 Simulink Code Inspector Product Description

Automate source code reviews for safety standards

Simulink® Code Inspector™ automatically compares generated code with its source model to satisfy code-review objectives in DO-178 and other high-integrity standards. The code inspector systematically examines blocks, state diagrams, parameters, and settings in a model to determine whether they are structurally equivalent to operations, operators, and data in the generated code. Simulink Code Inspector provides detailed model-to-code and code-to-model traceability analysis. It generates structural equivalence and traceability reports that you can submit to certification authorities to satisfy DO-178 software coding verification objectives.

Key Features

- Structural equivalence analysis and reports
- Bidirectional traceability analysis and reports
- Compatibility checker to restrict model, block, state diagram, and coder usage to operations typically used in high-integrity applications
- Tool independence from Simulink® code generators

Simulink Code Inspector carries out translation validation. Inputs to the Code Inspector are a Simulink model and the C source code generated by the Embedded Coder® code generator for the model. The Code Inspector processes these two inputs into internal representations (IRs), called the model IR and the code IR. These IRs are transformed into normalized representations to facilitate further analysis. In this process, the model IR represents the expected pattern, and the code IR constitutes the actual pattern to be verified. To verify the generated code, the Code Inspector attempts to match the normalized model IR with the normalized code IR.

Figure 1 shows the architecture of Simulink Code Inspector.


Figure 1: Simulink Code Inspector Architecture
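The translation-validation flow described above (model IR as the expected pattern, code IR as the actual pattern, normalization of both, then matching) is easier to see on a toy. The following Python is an added illustration written for this page; it is not Simulink Code Inspector code and does not reproduce the tool's IR or normalization rules. The block list, the C step functions and the output list are constructed inputs; the block kinds (Gain, Sum, Product), the normalization rules (associativity, commutativity, constant folding) and the inlining of intermediate signals down to primary inputs and parameters are assumptions chosen to keep the example small. C arithmetic is parsed with Python's ast module, which works only because simple C expressions are also valid Python expressions.

```python
"""Toy translation validation: match a normalized model IR against a
normalized code IR. Added illustration for this page, not MathWorks code."""
import ast
import re

# Constructed model IR: each block produces one named signal from its inputs.
# Block kinds loosely mirror Simulink blocks; the field names are assumptions.
MODEL_BLOCKS = [
    {"out": "u_scaled", "kind": "Gain", "in": ["u"], "gain": "K"},
    {"out": "err", "kind": "Sum", "in": ["r", "u_scaled"], "signs": "+-"},
    {"out": "y", "kind": "Product", "in": ["err", "Kp"]},
]
OUTPUTS = ["y"]  # root signals to verify; intermediate signals are inlined

# Constructed "generated code" variants (not Embedded Coder output).
CODE_OK_TEMPS = """
void step(void) {
  u_scaled = K * u;
  err = r - u_scaled;
  y = Kp * err;
}
"""
CODE_OK_INLINED = "void step(void) { y = (r - u * K) * Kp; }"
CODE_BAD_SIGN = "void step(void) { y = Kp * (r + K * u); }"
CODE_BAD_DROPPED = "void step(void) { y = Kp * r; }"


def neg(e):
    """Represent negation as multiplication by -1 so Sub folds into Add."""
    return ("mul", [("const", -1.0), e])


def model_to_ir(blocks):
    """Lower blocks to expression trees keyed by output signal (model IR)."""
    ir = {}
    for b in blocks:
        ins = [("var", s) for s in b["in"]]
        if b["kind"] == "Gain":
            ir[b["out"]] = ("mul", [("var", b["gain"]), ins[0]])
        elif b["kind"] == "Sum":
            ir[b["out"]] = ("add", [t if s == "+" else neg(t)
                                    for s, t in zip(b["signs"], ins)])
        elif b["kind"] == "Product":
            ir[b["out"]] = ("mul", ins)
        else:
            raise ValueError(f"unsupported block kind {b['kind']}")
    return ir


def c_expr_to_ir(node):
    """Convert a parsed expression to the same tree shape (code IR).
    Assumed C subset: +, -, *, identifiers and numeric literals, which
    Python's ast reads identically; casts, calls and ?: are rejected."""
    if isinstance(node, ast.Name):
        return ("var", node.id)
    if isinstance(node, ast.Constant):
        return ("const", float(node.value))
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return neg(c_expr_to_ir(node.operand))
    if isinstance(node, ast.BinOp):
        left, right = c_expr_to_ir(node.left), c_expr_to_ir(node.right)
        if isinstance(node.op, ast.Add):
            return ("add", [left, right])
        if isinstance(node.op, ast.Sub):
            return ("add", [left, neg(right)])
        if isinstance(node.op, ast.Mult):
            return ("mul", [left, right])
    raise ValueError(f"unsupported C construct: {ast.dump(node)}")


def parse_c_step(src):
    """Collect 'lhs = rhs;' assignments from a C step function body.
    Assumption: one assignment per variable and no self-reference."""
    return {lhs: c_expr_to_ir(ast.parse(rhs.strip(), mode="eval").body)
            for lhs, rhs in re.findall(r"(\w+)\s*=\s*([^;]+);", src)}


def inline(expr, defs):
    """Substitute defined signals until only primary inputs/parameters remain."""
    kind = expr[0]
    if kind == "var":
        return inline(defs[expr[1]], defs) if expr[1] in defs else expr
    if kind == "const":
        return expr
    return (kind, [inline(c, defs) for c in expr[1]])


def normalize(expr):
    """Canonical form: flatten nested add/mul (associativity), fold constant
    factors, sort operands (commutativity). Distributivity is not applied."""
    kind = expr[0]
    if kind in ("var", "const"):
        return expr
    children = []
    for c in expr[1]:
        c = normalize(c)
        if c[0] == kind:
            children.extend(c[1])
        else:
            children.append(c)
    if kind == "mul":
        coef, rest = 1.0, []
        for c in children:
            if c[0] == "const":
                coef *= c[1]
            else:
                rest.append(c)
        if coef != 1.0 or not rest:
            rest.append(("const", coef))
        children = rest
    children.sort(key=repr)
    return children[0] if len(children) == 1 else (kind, tuple(children))


def inspect_code(blocks, c_src, outputs):
    """Per-output verdict: expected (model) pattern versus actual (code) pattern."""
    model_defs, code_defs = model_to_ir(blocks), parse_c_step(c_src)
    report = {}
    for sig in outputs:
        expected = normalize(inline(("var", sig), model_defs))
        if sig not in code_defs:
            report[sig] = "FAIL: output not assigned in code"
            continue
        actual = normalize(inline(("var", sig), code_defs))
        report[sig] = "PASS" if expected == actual else "FAIL: structural mismatch"
    return report


if __name__ == "__main__":
    for name, src in [("temps", CODE_OK_TEMPS), ("inlined", CODE_OK_INLINED),
                      ("sign flip", CODE_BAD_SIGN), ("dropped term", CODE_BAD_DROPPED)]:
        print(f"{name:13s} {inspect_code(MODEL_BLOCKS, src, OUTPUTS)}")
```

Running the four checks shows why normalization matters: the version with temporaries and the inlined, operand-reordered version both match the model, while the sign flip and the dropped term are reported as mismatches. The toy deliberately does not normalize across distributivity, so `Kp * r - Kp * K * u` would be reported as a mismatch even though it is arithmetically equal to the model; a matcher that reports too much is the safer failure mode, because the qualification argument in Section 4.1 rests on the fact that the report might fail to detect an error, not on it accepting code it should not.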


2.2 Simulink Code Inspector Product Identifier

Software Tool | Version (Release) | Tool Vendor
Simulink Code Inspector | Version 2.4 (R2015b) | The MathWorks, Inc., 3 Apple Hill Drive, Natick, MA 01760-2098 USA
DO Qualification Kit | Version 3.0 (R2015b) | The MathWorks, Inc., 3 Apple Hill Drive, Natick, MA 01760-2098 USA


3 Tool Operational Requirements

The Tool Operational Requirements for the Simulink® Code Inspector™ code inspection report are documented in:

Simulink Code Inspector Tool Operational Requirements

To access the tool operational requirements document, on the MATLAB® command line, type qualkitdo to open the Artifacts Explorer. The document is in Simulink Code Inspector.


4 Certification Considerations

This section provides the certification considerations for the following capability of the Simulink® Code Inspector™ verification tool:

- Code inspection report


4.1 Requirements for Qualification

To determine whether a tool must be qualified, you must answer the following questions. If you answer yes to all three questions, you must qualify the tool.

Question | Code Inspection Report
Can the tool insert an error into the airborne software or fail to detect an existing error in the software within the scope of its intended usage? | Yes (1)
Will the output of the tool not be verified as specified in Section 6 of DO-178C, DO-278A, DO-331, DO-332 or DO-333? | Yes
Are processes of DO-178C, DO-278A, DO-331, DO-332 or DO-333 eliminated, reduced, or automated by the use of the tool? Will you use output from the tool to meet an objective or replace an objective of DO-178C, DO-278A, DO-331, DO-332 or DO-333, Annex A or Annex C? | Yes

(1) The code inspection report might fail to detect an error.

Given that the answer to all the preceding questions is yes, the Simulink Code Inspector code inspection report must be qualified.

To determine the qualification type (Criteria 1, Criteria 2, or Criteria 3), answer the following questions about the tool:

Question | Code Inspection Report
1. Is the tool output part of the airborne software, such that the output can insert an error into the software? | No
2. Could the tool fail to detect an error in the airborne software and is the tool also used to justify the elimination or reduction of either of the following: verification processes other than that automated by the tool; development processes that could have an impact on the airborne software? | Yes
3. Could the tool fail to detect an error in the airborne software? | Yes

Because the answer to the first question is no and the answer to the second question is yes, the Simulink Code Inspector code inspection report must be qualified as a Criteria 2 tool following the DO-330 tool qualification process for TQL-4.


4.2 Certification Credit

The following table shows the certification credit (see DO-331 Annex A or Annex C Objectives) being taken for the Simulink Code Inspector code inspection report. DO-331 references are prefaced with MB for the table and section numbers.

Certification Credit for Simulink Code Inspector Code Inspection Report with Respect to DO-331 Objectives

Annex A or C Table | Objective | DO-331 Reference | Software or Assurance Levels | Credit Taken (in conjunction with other tools)
Table MB.A-5, MB.C-5 | Source code complies with low-level requirements | Section MB.6.3.4.a | A, B, C; AL1, AL2, AL3 | Full.
Table MB.A-5, MB.C-5 | Source code complies with software architecture | Section MB.6.3.4.b | A, B, C; AL1, AL2, AL3 | Full.
Table MB.A-5, MB.C-5 | Source code is verifiable | Section MB.6.3.4.c | A, B; AL1, AL2 | Full.
Table MB.A-5, MB.C-5 | Source code is traceable to low-level requirements | Section MB.6.3.4.e | A, B, C; AL1, AL2, AL3 | Full – Simulink Code Inspector provides traceability data to demonstrate traceability between the Simulink model and the generated C code (automatic analysis).
Table MB.A-5, MB.C-5 | Source code is accurate and consistent | Section MB.6.3.4.f | A, B, C; AL1, AL2, AL3 | Partial – Simulink Code Inspector can detect uninitialized or unused variables or constants in the generated C code. Other issues, such as stack usage, overflows, resource contention, worst case execution time, exception handling, and data corruption, must be assessed by other means.


5 Tool Development Life Cycle – Tool Developer

The DO Qualification Kit: Tool Life Cycle Process document comprises the:

- Tool Development Plan (DO-330, Section 10.1.3)
- Tool Verification Plan (DO-330, Section 10.1.4)
- Tool Configuration Management Plan (DO-330, Section 10.1.5)
- Tool Quality Assurance Plan (DO-330, Section 10.1.6)

for MathWorks tools being qualified to TQL-4, as defined in DO-178C and DO-330. The DO Qualification Kit: Tool Life Cycle Process document provides information about the tool development life cycle, including:

- Development and verification activities
- Organizational responsibilities, configuration management and quality assurance processes


6 Tool Development Life Cycle – Tool User


6.1 Planning

The Plan for Software Aspects of Certification (PSAC) or Plan for Software Aspects of Approval designates that the Simulink Code Inspector code inspection report will be qualified as a Criteria 2 TQL-4 tool, as defined in DO-178C.

This document provides the Tool Qualification Plan for the Simulink Code Inspector code inspection report.


6.2 Requirements

- Tool Operational Requirements for the Simulink Code Inspector are in:
  Simulink Code Inspector Tool Operational Requirements, R2015b
  qualkitdo_slci_tor_tr_trace.xlsx
- Tool Requirements for the Simulink Code Inspector are in:
  Simulink Code Inspector Tool Requirements, R2015b
- The applicant will:
  - Review the Tool Operational Requirements for applicability to the project under consideration.
  - Configure the Tool Operational Requirements in a configuration management system.
- User information for the Simulink Code Inspector code inspection report can be found in "Code Inspection Reports" in the Simulink Code Inspector User's Guide, R2015b.
- User information about Simulink Code Inspector model configuration, block, Stateflow, and MATLAB function constraints can be found in the following sections in the Simulink Code Inspector Reference, R2015b:
  - "Model Configuration Constraint"
  - "Block Constraints"
  - "Stateflow® Constraints"
  - "MATLAB Function Block Constraints"
- To access the requirements documents, traceability matrix, and user information, on the MATLAB® command line, type qualkitdo to open the Artifacts Explorer. The documents are in Simulink Code Inspector.
- Instructions for installing the Simulink Code Inspector product are at the MathWorks Documentation Center, R2015b: Installation


6.3 Verification

Requirements-based test cases and procedures will be developed from the:

- Simulink Code Inspector Tool Operational Requirements, R2015b
- Simulink Code Inspector Tool Requirements, R2015b

The test cases and procedures will be developed in the form of Simulink models and code files that exercise the Simulink Code Inspector code inspection report.

The test cases and procedures are documented in:

- Simulink Code Inspector Test Cases and Procedures, R2015b
- qualkitdoSlciRunTests.xls

To access the documents, on the MATLAB command line, type qualkitdo to open the Artifacts Explorer. The documents are in Simulink Code Inspector.

The applicant will:

- Review the test cases and procedures for applicability to the project under consideration.
- Configure the test cases and procedures in a configuration management system.
- Execute the test cases and procedures in the installed environment.

Executing the MATLAB® file listed in the following table opens the corresponding Simulink® Report Generator™ report file, which generates tool verification results in the specified test reports.

Test Files | Test Report
qualkitdoSlciRunTests.m, qualkitdoSlciRunTests.rpt | qualkitdoSlciQualificationReport_*.html

The applicant will:

- Review the test results.
- Configure the test results in a configuration management system.


7 Additional Considerations


7.1 Independence

The Simulink Code Inspector is used to verify the output of an unqualified development tool, Embedded Coder®. Therefore, for Simulink Code Inspector qualification, the developer needs to demonstrate the independence of Simulink Code Inspector and Embedded Coder development. Reference DO-330, FAQ D.7.

The DO Qualification Kit: Simulink Code Inspector Independence Analysis document provides an independence analysis, including:

- Development team independence
- Requirements, design and code independence
- Dissimilarities in technical approaches


7.2 Customer Bug Reporting Considerations

MathWorks reports known critical bugs brought to its attention on its bug report system at www.mathworks.com/support/bugreports. The bug reports are an integral part of the documentation for each release.

The bug report system provides an interface for customers to view and submit bug reports. Users can track the status of open bugs. Users can choose to receive notifications for new or updated bug reports. The bug reports on this web site include internally and externally nominated bugs.

If applicable, bug reports include provisions for known workarounds or file replacements. Customers can use the bug report mechanism to nominate bugs. These nominations are processed and evaluated by The MathWorks, Inc. development organization.


7.3 Protection Mechanisms

The Simulink Code Inspector is not a multi-function tool, as defined in DO-330 Section 11.1. The user does not have the ability to disable any functionality of the Simulink Code Inspector, and all functions execute during the inspection.


8 Tool Life Cycle Data


The following table shows the life cycle data for the Simulink Code Inspector code inspection report. The table maps the documents and artifacts to DO-330 life cycle data items.

Simulink Code Inspector – Code Inspection Report Life Cycle Data

Data | Available/Submit | DO-330 Reference | Documents/Artifacts
Plan for Software Aspects of Certification (PSAC) or Plan for Software Aspects of Approval (PSAA) | Submit | Section 10.1.1 | <Insert PSAC or PSAA** reference here.>
Tool Qualification Plan | Submit | Section 10.1.2 | Simulink Code Inspector Tool Qualification Plan (this document)
Tool Development Plan | Available | Section 10.1.3 | DO Qualification Kit: Tool Life Cycle Process document. For more information, contact MathWorks.
Tool Verification Plan | Available | Section 10.1.4 | DO Qualification Kit: Tool Life Cycle Process document. For more information, contact MathWorks.
Tool Configuration Management Plan | Available | Section 10.1.5 | DO Qualification Kit: Tool Life Cycle Process document. For more information, contact MathWorks.
Tool Quality Assurance Plan | Available | Section 10.1.6 | DO Qualification Kit: Tool Life Cycle Process document. For more information, contact MathWorks.
Tool Requirements Standards | N/A for TQL-4 | Section 10.1.7 | N/A for TQL-4
Tool Design Standards | N/A for TQL-4 | Section 10.1.8 | N/A for TQL-4
Tool Code Standards | N/A for TQL-4 | Section 10.1.9 | N/A for TQL-4
Tool Life Cycle Environment Configuration Index | Available | Section 10.1.10 | Simulink Code Inspector Tool Configuration Index. For more information, contact MathWorks.
Tool Configuration Index | Submit | Section 10.1.11 | Simulink Code Inspector Tool Configuration Index. For more information, contact MathWorks.
Tool Problem Reports | Available | Section 10.1.12 | MathWorks bug report system at www.mathworks.com/support/bugreports.
Tool Configuration Management Records | Available | Section 10.1.13 | Records. For more information, contact MathWorks.
Tool Quality Assurance Records | Available | Section 10.1.14 | Reports. For more information, contact MathWorks.
Tool-Specific Information in SECI | Available | Section 10.1.17 | <Insert Software Life Cycle Environment Configuration Index** reference here>
Tool Requirements | Available | Section 10.2.1 | Simulink Code Inspector Tool Requirements
Tool Design Description | Available | Section 10.2.2 | Simulink Code Inspector Tool Architecture document. For more information, contact MathWorks.
Tool Source Code | Available | Section 10.2.3 | N/A for TQL-4
Tool Executable Object Code | Available | Section 10.2.4 | Provided as part of R2015b
Tool Operational Requirements | Available | Section 10.3.1 | Simulink Code Inspector Tool Operational Requirements
Tool Installation Report | Submit | Section 10.3.2 | <Insert reference to ** here.>
Test Cases and Procedures | Available | Sections 10.3.3, 10.2.5 | Simulink Code Inspector Test Cases and Procedures; qualkitdoSlciRunTests.m; qualkitdoSlciRunTests.rpt; qualkitdoSlciRunTests.xlsx; Test Case Review Checklist. For more information, contact MathWorks.
Test Results | Available | Sections 10.3.4, 10.2.6 | qualkitdoSlciQualificationReport_*.html; Test Result Review Checklist. For more information, contact MathWorks.
Trace Data | Available | Section 10.2.7 | qualkitdoSlciRunTests.xlsx; qualkitdo_slci_tor_trace.xlsx; Compatibility_checks_tests_tracematrix.xlsx; Robustness_Testing_trace_to_tr.xlsx
Tool Independence Data | Available | FAQ D.7 | Simulink Code Inspector Independence Analysis Document. For more information, contact MathWorks.
Software Accomplishment Summary (SAS) | Submit | Section 10.1.16 | <Insert reference to SAS** here.>
Tool Qualification Accomplishment Summary | Submit | Section 10.1.15 | Simulink Code Inspector Tool Qualification Accomplishment Summary**. For more information, contact MathWorks.

Notes: ** To be created by applicant.

The applicant must deliver data marked "Submit" to the certification authorities. Data marked "Available" must be available at the applicant's or tool vendor's site for inspection by the certification authorities.


9 Schedule

<Insert tool schedule in this section.>