
DO Qualification Kit

Simulink Code Inspector


Tool Qualification Plan
R2015b, September 2015

How to Contact MathWorks

Latest news: www.mathworks.com
Sales and services: www.mathworks.com/sales_and_services
User community: www.mathworks.com/matlabcentral
Technical support: www.mathworks.com/support/contact_us
Phone: 508-647-7000

The MathWorks, Inc.
3 Apple Hill Drive
Natick, MA 01760-2098
DO Qualification Kit: Simulink Code Inspector™ Tool Qualification Plan

COPYRIGHT 2012–2015 by The MathWorks, Inc.


The software described in this document is furnished under a license agreement. The software may be used or copied only under
the terms of the license agreement. No part of this manual may be photocopied or reproduced in any form without prior written
consent from The MathWorks, Inc.
FEDERAL ACQUISITION: This provision applies to all acquisitions of the Program and Documentation by, for, or through the
federal government of the United States. By accepting delivery of the Program or Documentation, the government hereby agrees
that this software or documentation qualifies as commercial computer software or commercial computer software documentation
as such terms are used or defined in FAR 12.212, DFARS Part 227.72, and DFARS 252.227-7014. Accordingly, the terms and
conditions of this Agreement and only those rights specified in this Agreement, shall pertain to and govern the use, modification,
reproduction, release, performance, display, and disclosure of the Program and Documentation by the federal government (or
other entity acquiring for or through the federal government) and shall supersede any conflicting contractual terms or conditions.
If this License fails to meet the government's needs or is inconsistent in any respect with federal procurement law, the
government agrees to return the Program and Documentation, unused, to The MathWorks, Inc.
Trademarks
MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See www.mathworks.com/trademarks for a
list of additional trademarks. Other product or brand names may be trademarks or registered trademarks of their respective
holders.
Patents
MathWorks products are protected by one or more U.S. patents. Please see www.mathworks.com/patents for more
information.

Revision History
March 2012      New for Version 1.6 (Applies to Release 2012a)
September 2012  Revised for Version 2.0 (Applies to Release 2012b)
March 2013      Revised for Version 2.1 (Applies to Release 2013a)
September 2013  Revised for Version 2.2 (Applies to Release 2013b)
March 2014      Revised for Version 2.3 (Applies to Release 2014a)
October 2014    Revised for Version 2.4 (Applies to Release 2014b)
March 2015      Revised for Version 2.5 (Applies to Release 2015a)
September 2015  Revised for DO Qualification Kit Version 3.0 (Applies to Release 2015b)

Contents
1 Introduction ...................................................................................................................................... 1-1
2 Tool Overview and Identification .................................................................................................... 2-1
2.1 Simulink Code Inspector Product Description ........................................................................ 2-2
2.2 Simulink Code Inspector Product Identifier ............................................................................ 2-4
3 Tool Operational Requirements ....................................................................................................... 3-1
4 Certification Considerations ............................................................................................................. 4-1
4.1 Requirements for Qualification ............................................................................................... 4-2
4.2 Certification Credit .................................................................................................................. 4-3
5 Tool Development Life Cycle - Tool Developer ............................................................. 5-1
6 Tool Development Life Cycle - Tool User ...................................................................... 6-1
6.1 Planning................................................................................................................................... 6-2
6.2 Requirements........................................................................................................................... 6-3
6.3 Verification ............................................................................................................................. 6-4
7 Additional Considerations ................................................................................................................ 7-1
7.1 Independence........................................................................................................................... 7-2
7.2 Customer Bug Reporting Considerations ................................................................................ 7-3
7.3 Protection Mechanisms ........................................................................................................... 7-4
8 Tool Life Cycle Data ........................................................................................................................ 8-1
9 Schedule ........................................................................................................................................... 9-1


1 Introduction
This document comprises the Tool Qualification Plan (Reference DO-330 Section 10.1.2) for
the following capability of the Simulink Code Inspector verification tool:
- Code inspection report
This document is intended for use in the DO-178C and DO-330 tool qualification process for
Criteria 2 TQL-4 tools.
See also the DO Qualification Kit User's Guide, R2015b.


2 Tool Overview and Identification

2.1 Simulink Code Inspector Product Description


Automate source code reviews for safety standards

Simulink Code Inspector automatically compares generated code with its source model to
satisfy code-review objectives in DO-178 and other high-integrity standards. The code inspector
systematically examines blocks, state diagrams, parameters, and settings in a model to determine
whether they are structurally equivalent to operations, operators, and data in the generated code.
Simulink Code Inspector provides detailed model-to-code and code-to-model traceability
analysis. It generates structural equivalence and traceability reports that you can submit to
certification authorities to satisfy DO-178 software coding verification objectives.
Key Features

- Structural equivalence analysis and reports
- Bidirectional traceability analysis and reports
- Compatibility checker to restrict model, block, state diagrams, and coder usage to operations typically used in high-integrity applications
- Tool independence from Simulink code generators

Simulink Code Inspector carries out translation validation. Inputs to the Code Inspector are a Simulink model and the C source code generated by the Embedded Coder code generator for the model. The Code Inspector processes these two inputs into internal representations (IRs), called the model IR and the code IR. These IRs are transformed into normalized representations to facilitate further analysis. In this process, the model IR represents the expected pattern, and the code IR constitutes the actual pattern to be verified. To verify the generated code, the Code Inspector attempts to match the normalized model IR with the normalized code IR.
Figure 1 shows the architecture of Simulink Code Inspector.

Figure 1: Simulink Code Inspector Architecture
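The translation-validation flow described above, reduced to a toy so that the lowering, normalization and matching steps are visible. This is an added illustration, not MathWorks code and not the Code Inspector's actual IRs; the rtU/rtY struct prefixes, the block fields ("Gain", "Inputs") and the normalization rules are assumptions chosen for the example. The point it makes is the one that matters for the credit claimed later in this plan: the code generator (Embedded Coder, an unqualified development tool) is never trusted. Its output is independently lowered and compared against the model, so a sign flip the generator could introduce is reported as a mismatch, while a reordered but equivalent expression is accepted after normalization.

```python
"""Toy translation validation (added illustration, not MathWorks code).

A hand-written model IR and a generated C statement are both lowered to
the same expression-tree shape, normalized, and compared structurally.
Struct prefixes (rtU/rtY), block fields ("Gain", "Inputs") and the
normalization rules are assumptions made for this example.
"""
import ast

# Model IR (constructed sample): Out1 = 2.0 * In1 + In2
MODEL = {
    "blocks": {
        "In1":   {"type": "Inport"},
        "In2":   {"type": "Inport"},
        "Gain1": {"type": "Gain", "Gain": 2.0},
        "Sum1":  {"type": "Sum", "Inputs": "++"},
        "Out1":  {"type": "Outport"},
    },
    # (source, destination); a block's incoming lines are listed in input-port order
    "lines": [("In1", "Gain1"), ("Gain1", "Sum1"), ("In2", "Sum1"), ("Sum1", "Out1")],
}

# Generated-code samples (constructed). The arithmetic subset used here is
# also valid Python syntax, so the standard ast module serves as the C parser.
GOOD_CODE      = "rtY.Out1 = (2.0 * rtU.In1) + rtU.In2;"
REORDERED_CODE = "rtY.Out1 = rtU.In2 + rtU.In1 * 2.0;"   # same computation, different layout
BAD_CODE       = "rtY.Out1 = (2.0 * rtU.In1) - rtU.In2;"  # generator error: sign flipped


def model_expr(model, block):
    """Lower the model IR to an expression tree by walking back from `block`."""
    info = model["blocks"][block]
    srcs = [s for s, d in model["lines"] if d == block]
    kind = info["type"]
    if kind == "Inport":
        return ("var", block)
    if kind == "Outport":
        return model_expr(model, srcs[0])
    if kind == "Gain":
        return ("mul", [("const", float(info["Gain"])), model_expr(model, srcs[0])])
    if kind == "Sum":
        terms = []
        for sign, src in zip(info["Inputs"], srcs):
            e = model_expr(model, src)
            terms.append(e if sign == "+" else ("neg", e))
        return ("add", terms)
    raise ValueError(f"unsupported block type {kind!r}")


def code_expr(node):
    """Lower a parsed C expression to the same tree shape as model_expr."""
    if isinstance(node, ast.Attribute):      # rtU.In1 -> ("var", "In1")
        return ("var", node.attr)
    if isinstance(node, ast.Constant):
        return ("const", float(node.value))
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return ("neg", code_expr(node.operand))
    if isinstance(node, ast.BinOp):
        left, right = code_expr(node.left), code_expr(node.right)
        if isinstance(node.op, ast.Add):
            return ("add", [left, right])
        if isinstance(node.op, ast.Sub):     # a - b is a + (-b), like a Sum with "+-"
            return ("add", [left, ("neg", right)])
        if isinstance(node.op, ast.Mult):
            return ("mul", [left, right])
    raise ValueError(f"unsupported C construct: {ast.dump(node)}")


def normalize(e):
    """Canonical form: flatten nested add/mul, drop '* 1.0', sort commutative operands."""
    tag = e[0]
    if tag in ("var", "const"):
        return e
    if tag == "neg":
        return ("neg", normalize(e[1]))
    flat = []
    for child in map(normalize, e[1]):
        flat.extend(child[1] if child[0] == tag else [child])
    if tag == "mul":
        flat = [c for c in flat if c != ("const", 1.0)] or [("const", 1.0)]
    flat.sort(key=repr)
    return flat[0] if len(flat) == 1 else (tag, flat)


def inspect_code(model, c_source):
    """Match each generated assignment against the model's expected computation."""
    results = {}
    for stmt in ast.parse(c_source.replace(";", "\n")).body:
        if not isinstance(stmt, ast.Assign):
            raise ValueError("only simple assignments are supported")
        out = stmt.targets[0].attr               # rtY.Out1 -> "Out1"
        expected = normalize(model_expr(model, out))
        actual = normalize(code_expr(stmt.value))
        results[out] = {"equivalent": expected == actual,
                        "expected": expected, "actual": actual}
    return results


if __name__ == "__main__":
    for label, src in [("good", GOOD_CODE), ("reordered", REORDERED_CODE), ("bad", BAD_CODE)]:
        r = inspect_code(MODEL, src)["Out1"]
        print(f"{label:9s} equivalent={r['equivalent']}")
        if not r["equivalent"]:
            print("  expected:", r["expected"])
            print("  actual:  ", r["actual"])
```

Run it directly to see the three verdicts. A real inspector also has to cope with the generator's legitimate freedoms (temporaries, expression folding, data-type casts, state updates), which is one reason a compatibility checker that restricts model, block and coder settings, as listed under Key Features, matters for a matcher of this kind: every construct it admits must have a known normal form on both sides.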


2.2 Simulink Code Inspector Product Identifier

Software Tool | Version (Release) | Tool Vendor
Simulink Code Inspector | Version 2.4 (R2015b) | The MathWorks, Inc., 3 Apple Hill Drive, Natick, MA, 01760-2098 USA
DO Qualification Kit | Version 3.0 (R2015b) | The MathWorks, Inc., 3 Apple Hill Drive, Natick, MA, 01760-2098 USA

3 Tool Operational Requirements


The Tool Operational Requirements for the Simulink Code Inspector code inspection report
are documented in:
Simulink Code Inspector Tool Operational Requirements
To access the tool operational requirements document, on the MATLAB command line, type
qualkitdo to open the Artifacts Explorer. The document is in Simulink Code Inspector.


4 Certification Considerations
This section provides the certification considerations for the following capabilities of the
Simulink Code Inspector verification tool:
- Code inspection report

4.1 Requirements for Qualification

To determine whether a tool must be qualified, you must answer the following questions. If you answer yes to all three questions, you must qualify the tool.

Question | Code Inspection Report
Can the tool insert an error into the airborne software or fail to detect an existing error in the software within the scope of its intended usage? | Yes (1)
Will the output of the tool not be verified as specified in Section 6 of DO-178C, DO-278A, DO-331, DO-332 or DO-333? | Yes
Are processes of DO-178C, DO-278A, DO-331, DO-332 or DO-333 eliminated, reduced, or automated by the use of the tool? Will you use output from the tool to meet an objective or replace an objective of DO-178C, DO-278A, DO-331, DO-332 or DO-333, Annex A or Annex C? | Yes

(1) The code inspection report might fail to detect an error.

Given that the answer to all the preceding questions is yes, the Simulink Code Inspector code inspection report must be qualified.
To determine the qualification type (Criteria 1, Criteria 2, or Criteria 3), answer the following questions about the tool:

Question | Code Inspection Report
1. Is the tool output part of the airborne software, such that the output can insert an error into the software? | No
2. Could the tool fail to detect an error in the airborne software and is the tool also used to justify the elimination or reduction of either of the following: verification processes other than that automated by the tool; development processes that could have an impact on the airborne software? | Yes
3. Could the tool fail to detect an error in the airborne software? | Yes

Because the answer to the first question is no and the answer to the second question is yes, the Simulink Code Inspector code inspection report must be qualified as a Criteria 2 tool following the DO-330 tool qualification process for TQL-4.

4.2 Certification Credit


The following table shows the certification credit (see DO-331 Annex A or Annex C Objectives) being taken for the Simulink Code Inspector code inspection report. DO-331 references are prefixed with MB for the table and section numbers.

Certification Credit for Simulink Code Inspector Code Inspection Report with Respect to DO-331 Objectives

Annex A or C Table | Objective | DO-331 Reference | Software or Assurance Levels | Credit Taken (in conjunction with other tools)
Table MB.A-5, MB.C-5 | Source code complies with low-level requirements | Section MB.6.3.4.a | A, B, C; AL1, AL2, AL3 | Full.
Table MB.A-5, MB.C-5 | Source code complies with software architecture | Section MB.6.3.4.b | A, B, C; AL1, AL2, AL3 | Full.
Table MB.A-5, MB.C-5 | Source code is verifiable | Section MB.6.3.4.c | A, B; AL1, AL2 | Full.
Table MB.A-5, MB.C-5 | Source code is traceable to low-level requirements | Section MB.6.3.4.e | A, B, C; AL1, AL2, AL3 | Full. Simulink Code Inspector provides traceability data to demonstrate traceability between the Simulink model and the generated C code (automatic analysis).
Table MB.A-5, MB.C-5 | Source code is accurate and consistent | Section MB.6.3.4.f | A, B, C; AL1, AL2, AL3 | Partial. Simulink Code Inspector can detect uninitialized or unused variables or constants in the generated C code. Other issues, such as stack usage, overflows, resource contention, worst case execution time, exception handling, and data corruption, must be assessed by other means.

5 Tool Development Life Cycle - Tool Developer
The DO Qualification Kit: Tool Life Cycle Process document comprises the:
- Tool Development Plan (DO-330, Section 10.1.3)
- Tool Verification Plan (DO-330, Section 10.1.4)
- Tool Configuration Management Plan (DO-330, Section 10.1.5)
- Tool Quality Assurance Plan (DO-330, Section 10.1.6)
for MathWorks tools being qualified to TQL-4, as defined in DO-178C and DO-330. The DO Qualification Kit: Tool Life Cycle Process document provides information about the tool development life cycle, including:
- Development and verification activities
- Organizational responsibilities, configuration management and quality assurance processes

6 Tool Development Life Cycle - Tool User

6.1 Planning
The Plan for Software Aspects of Certification (PSAC) or Plan for Software Aspects of Approval designates that the Simulink Code Inspector code inspection report will be qualified as a Criteria 2 TQL-4 tool, as defined in DO-178C.
This document provides the Tool Qualification Plan for the Simulink Code Inspector code inspection report.

6.2 Requirements
Tool Operational Requirements for the Simulink Code Inspector are in:
- Simulink Code Inspector Tool Operational Requirements, R2015b
- qualkitdo_slci_tor_tr_trace.xlsx
Tool Requirements for the Simulink Code Inspector are in:
- Simulink Code Inspector Tool Requirements, R2015b
The applicant will:
- Review the Tool Operational Requirements for applicability to the project under consideration.
- Configure the Tool Operational Requirements in a configuration management system.
User information for the Simulink Code Inspector code inspection report can be found in Code Inspection Reports in the Simulink Code Inspector User's Guide, R2015b.
User information about Simulink Code Inspector model configuration, block, Stateflow, and MATLAB function constraints can be found in the following sections of the Simulink Code Inspector Reference, R2015b:
- Model Configuration Constraint
- Block Constraints
- Stateflow Constraints
- MATLAB Function Block Constraints
To access the requirements documents, traceability matrix and user information, on the MATLAB command line, type qualkitdo to open the Artifacts Explorer. The documents are in Simulink Code Inspector.
Instructions for installing the Simulink Code Inspector product are at the MathWorks Documentation Center, R2015b: Installation

6.3 Verification
Requirements-based test cases and procedures will be developed from the:
- Simulink Code Inspector Tool Operational Requirements, R2015b
- Simulink Code Inspector Tool Requirements, R2015b
The test cases and procedures will be developed in the form of Simulink models and code files that exercise the Simulink Code Inspector code inspection report.
The test cases and procedures are documented in:
- Simulink Code Inspector Test Cases and Procedures, R2015b
- qualkitdoSlciRunTests.xls
To access the documents, on the MATLAB command line, type qualkitdo to open the Artifacts Explorer. The documents are in Simulink Code Inspector.
The applicant will:
- Review the test cases and procedures for applicability to the project under consideration.
- Configure the test cases and procedures in a configuration management system.
- Execute the test cases and procedures in the installed environment.
Executing the MATLAB file listed in the following table opens the corresponding Simulink Report Generator report file, which generates tool verification results in the specified test report.

Test Files | Test Report
qualkitdoSlciRunTests.m, qualkitdoSlciRunTests.rpt | qualkitdoSlciQualificationReport_*.html

The applicant will:
- Review the test results.
- Configure the test results in a configuration management system.

7 Additional Considerations

7.1 Independence
The Simulink Code Inspector is used to verify the output of an unqualified development tool,
Embedded Coder. Therefore, for Simulink Code Inspector qualification, the developer needs to
demonstrate the independence of Simulink Code Inspector and Embedded Coder development.
Reference DO-330, FAQ D.7.
The DO Qualification Kit: Simulink Code Inspector Independence Analysis document provides
an independence analysis, including:

- Development team independence
- Requirements, design and code independence
- Dissimilarities in technical approaches

7.2 Customer Bug Reporting Considerations


MathWorks reports known critical bugs brought to its attention on its bug report system at
www.mathworks.com/support/bugreports. The bug reports are an integral part of the
documentation for each release.
The bug report system provides an interface for customers to view and submit bug reports. Users
can track the status of open bugs. Users can choose to receive notifications for new or updated
bug reports. The bug reports on this web site include internally and externally nominated bugs.
If applicable, bug reports include provisions for known workarounds or file replacements.
Customers can use the bug report mechanism to nominate bugs. These nominations are
processed and evaluated by The MathWorks, Inc. development organization.


7.3 Protection Mechanisms


The Simulink Code Inspector is not a multi-function tool, as defined in DO-330 Section 11.1.
The user does not have the ability to disable any functionality of the Simulink Code Inspector,
and all functions execute during the inspection.


8 Tool Life Cycle Data

The following table shows the life cycle data for the Simulink Code Inspector code inspection report. The table maps the documents and artifacts to DO-330 life cycle data items.

Simulink Code Inspector Code Inspection Report Life Cycle Data

Data | Available/Submit | DO-330 Reference | Documents/Artifacts
Plan for Software Aspects of Certification (PSAC) or Plan for Software Aspects of Approval (PSAA) | Submit | Section 10.1.1 | <Insert PSAC or PSAA** reference here.>
Tool Qualification Plan | Submit | Section 10.1.2 | Simulink Code Inspector Tool Qualification Plan (this document)
Tool Development Plan | Available | Section 10.1.3 | DO Qualification Kit: Tool Life Cycle Process document. For more information, contact MathWorks.
Tool Verification Plan | Available | Section 10.1.4 | DO Qualification Kit: Tool Life Cycle Process document. For more information, contact MathWorks.
Tool Configuration Management Plan | Available | Section 10.1.5 | DO Qualification Kit: Tool Life Cycle Process document. For more information, contact MathWorks.
Tool Quality Assurance Plan | Available | Section 10.1.6 | DO Qualification Kit: Tool Life Cycle Process document. For more information, contact MathWorks.
Tool Requirements Standards | N/A for TQL-4 | Section 10.1.7 | N/A for TQL-4
Tool Design Standards | N/A for TQL-4 | Section 10.1.8 | N/A for TQL-4
Tool Code Standards | N/A for TQL-4 | Section 10.1.9 | N/A for TQL-4
Tool Life Cycle Environment Configuration Index | Available | Section 10.1.10 | Simulink Code Inspector Tool Configuration Index. For more information, contact MathWorks.
Tool Configuration Index | Submit | Section 10.1.11 | Simulink Code Inspector Tool Configuration Index. For more information, contact MathWorks.
Tool Problem Reports | Available | Section 10.1.12 | MathWorks bug report system at www.mathworks.com/support/bugreports.
Tool Configuration Management Records | Available | Section 10.1.13 | Records. For more information, contact MathWorks.
Tool Quality Assurance Records | Available | Section 10.1.14 | Reports. For more information, contact MathWorks.
Tool-Specific Information in SECI | Available | Section 10.1.17 | <Insert Software Life Cycle Environment Configuration Index** reference here>
Tool Requirements | Available | Section 10.2.1 | Simulink Code Inspector Tool Requirements
Tool Design Description | Available | Section 10.2.2 | Simulink Code Inspector Tool Architecture document. For more information, contact MathWorks.
Tool Source Code | Available | Section 10.2.3 | N/A for TQL-4
Tool Executable Object Code | Available | Section 10.2.4 | Provided as part of R2015b
Tool Operational Requirements | Available | Section 10.3.1 | Simulink Code Inspector Tool Operational Requirements
Tool Installation Report | Submit | Section 10.3.2 | <Insert reference to ** here.>
Test Cases and Procedures | Available | Sections 10.3.3, 10.2.5 | Simulink Code Inspector Test Cases and Procedures; qualkitdoSlciRunTests.m; qualkitdoSlciRunTests.rpt; qualkitdoSlciRunTests.xlsx; Test Case Review Checklist. For more information, contact MathWorks.
Test Results | Available | Sections 10.3.4, 10.2.6 | qualkitdoSlciQualificationReport_*.html; Test Result Review Checklist. For more information, contact MathWorks.
Trace Data | Available | Section 10.2.7 | qualkitdoSlciRunTests.xlsx; qualkitdo_slci_tor_trace.xlsx; Compatibility_checks_tests_tracematrix.xlsx; Robustness_Testing_trace_to_tr.xlsx
Tool Independence Data | Available | FAQ D.7 | Simulink Code Inspector Independence Analysis Document. For more information, contact MathWorks.
Software Accomplishment Summary (SAS) | Submit | Section 10.1.16 | <Insert reference to SAS** here.>
Tool Qualification Accomplishment Summary | Submit | Section 10.1.15 | Simulink Code Inspector Tool Qualification Accomplishment Summary**. For more information, contact MathWorks.

Notes:
** To be created by applicant.

The applicant must deliver data marked Submit to the certification authorities. Data marked Available must be available at the applicant's or tool vendor's site for inspection by the certification authorities.

9 Schedule
<Insert tool schedule in this section.>