Design Article
Verify automatically generated flight code for DO-178
Tom Erkkinen, MathWorks
3/16/2012 10:01 AM EDT
Executable object code assessment
Code efficiency
Simulink supports executable object code verification with profiling analysis using software-in-the-loop (SIL) and processor-in-the-loop (PIL) testing. With SIL testing, the generated code is compiled and run on the host computer for quick assessment of the code’s execution using test data provided by Simulink, which serves as the test harness. With PIL testing, the generated code is cross-compiled into executable object code (EOC) and run on the actual flight processor or instruction set simulator, again with Simulink as the test harness in-the-loop.
Embedded Coder supports PIL testing for bare board or RTOS execution on any embedded processor using customizable APIs and reference implementations. One example implementation available for view and download uses Green Hills MULTI IDE and Integrity RTOS with a Freescale MPC8620 processor.

Figure 4: Verifying executable object code using PIL testing
A code profile execution report is generated during PIL testing for assessing bottlenecks and optimizing designs, for example by using code replacement technologies that substitute single instruction, multiple data (SIMD) and Intel Integrated Performance Primitives (IPP) optimizations for default ANSI/ISO C generated code. MATLAB can generate plots from the code profile execution data for further analysis. DO-178 and related standards require that the complex flight software is verified on the complex flight hardware, making PIL testing a critical verification activity for high-integrity systems.

Figure 5: Profiling execution cycles using MATLAB
Code verification
With Model-Based Design, the same requirements-based simulation test cases used for verifying the model can be reused for SIL and PIL testing. Engineers can apply the same input data used in the model simulations, and then compare SIL and PIL test results with the model simulation results to determine if they are numerically equivalent using the Simulink Simulation Data Inspector.

Figure 6: Comparing simulation and PIL test results using Simulation Data Inspector
DO-178B also requires structural coverage analysis of the software, including Modified Condition/Decision Coverage (MC/DC), to assess whether the code is fully exercised during testing. An analogous concept at the model level, model coverage, is provided by Simulink Verification and Validation to assess whether the model was fully exercised. Together, model and code coverage analysis detect potential errors in design, implementation, and testing. In R2011b, Embedded Coder integrates with LDRA Testbed for code coverage and additional DO-178 workflow support.

Figure 7: Measuring model and code coverage using Simulink Model Coverage Tool and LDRA Testbed
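
What MC/DC demands beyond decision coverage, as an added example (not code from the article, MathWorks, or LDRA): a unique-cause MC/DC check in C over a hypothetical three-condition decision `(A && B) || C`. The decision, the test vectors, and all function names are constructed for illustration.

```c
#include <stdio.h>

#define NCOND 3 /* conditions A, B, C packed as bits 0, 1, 2 of a test vector */

/* Hypothetical decision under test: (A && B) || C */
static int decision(unsigned v)
{
    int a = v & 1u, b = (v >> 1) & 1u, c = (v >> 2) & 1u;
    return (a && b) || c;
}

/* Decision coverage: both outcomes of the decision were observed. */
int decision_covered(const unsigned *tests, int n)
{
    int seen_true = 0, seen_false = 0;
    for (int j = 0; j < n; j++) {
        if (decision(tests[j])) seen_true = 1; else seen_false = 1;
    }
    return seen_true && seen_false;
}

/* Unique-cause MC/DC: condition i is covered when two executed vectors differ
 * only in bit i and give different decision outcomes. Returns a bitmask of
 * the conditions for which such an independence pair exists. */
unsigned mcdc_covered(const unsigned *tests, int n)
{
    unsigned covered = 0;
    for (int i = 0; i < NCOND; i++)
        for (int j = 0; j < n; j++)
            for (int k = j + 1; k < n; k++)
                if ((tests[j] ^ tests[k]) == (1u << i) &&
                    decision(tests[j]) != decision(tests[k]))
                    covered |= 1u << i;
    return covered;
}

/* Constructed test sets, written as bits C B A. */
const unsigned weak_set[] = { 0x0 /* 000 */, 0x7 /* 111 */ };
const unsigned full_set[] = { 0x1 /* 001 */, 0x2 /* 010 */,
                              0x3 /* 011 */, 0x5 /* 101 */ };

int main(void)
{
    printf("weak: decision=%d mcdc=0x%x\n",
           decision_covered(weak_set, 2), mcdc_covered(weak_set, 2));
    printf("full: decision=%d mcdc=0x%x\n",
           decision_covered(full_set, 4), mcdc_covered(full_set, 4));
    return 0;
}
```

The two-vector set reaches full decision coverage yet shows no condition independently affecting the outcome; the four-vector set (N+1 tests for N conditions) provides an independence pair for each of A, B, and C.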

