An introduction to static model analysis
Author: Dr. Simon Rösel, Model Engineering Solutions GmbH
Contribution – Embedded Software Engineering Congress 2018
Model-based development is a modern method for developing embedded control systems. The desired system behavior is described by a model as the central development artifact. Relevant parts of the model form the starting point for automated code generation for ECU software, which is adapted to the runtime environment and can then be loaded onto the controller. The use of modeling guidelines with regard to functional safety and quality assurance is essential in this process.
Static model analysis: The application of guidelines and standards
In the automotive sector, most ECU functions developed using model-based software development are safety-relevant. Standardized, reliable methods are therefore essential. ISO 26262 ("Road Vehicles – Functional Safety") plays a key role as a central ISO standard for the development of electrical/electronic vehicle systems [1]. ISO 26262 dedicates the entirety of Chapter 6 to product development at the software level and explicitly recommends the use of semi-formal modeling languages, such as Simulink.
In software development processes, quality assurance is paramount, alongside functional safety considerations. Both aspects depend significantly on the efficient application of modeling and conformance guidelines. The fundamental principle is that model quality is crucial for the entire development process and thus determines the quality of the generated software. Furthermore, familiar elements of static source code analysis (e.g., range checking, complexity analysis, strong typing verification) also find their counterparts in static model analysis.
Sources for modeling guidelines, examples
Modeling guidelines can be broadly differentiated according to the relevant modeling object, the tool specificity, and the respective objectives. The MathWorks Automotive Advisory Board (MAAB) rules focus on design aspects of simulation and controller models and promote readability and maintainability through adherence to best practices [2]. The MISRA Simulink/Stateflow and MISRA TargetLink rules focus on the safety aspects of the models and of the code to be generated from them [3] [4].
The dSPACE TargetLink Modeling Guidelines also address efficient code generation with TargetLink [5]. In particular, they exclude modeling patterns that are incompatible with automatic code generation or that lead to inefficient code. With the same intention, they also establish uniform specifications for model configurations and code generator settings.
If the design of safety-relevant software is the primary focus, the MES Functional Safety Guidelines, derived from the requirements of ISO 26262 and other safety standards, apply [6]. The MES Fit for Testing guideline document [7] serves as optimal preparation for dynamic model tests. In particular, it contains rules that support a clear relationship between model and test objects as well as automatic test bed generation.
Complete coverage of all relevant aspects requires a sensible combination of the different sets of rules.
See Figures 1 and 2 (PDF).
Objectives for the use of modeling guidelines
1) Avoidance of non-robust modeling techniques:
To avoid non-robust modeling techniques, it is particularly necessary to define a "safe subset", i.e., to specify a subset of safe syntactic elements of the respective modeling language.
2) Increased efficiency and safety:
Key measures to achieve this goal include a uniform model and tool configuration, as well as consistent, secure settings for code generation and optimization. Furthermore, known inefficient or functionally risky modeling patterns, such as the use of floating-point variables for Boolean signals, can be prohibited through modeling guidelines.
3) Improved readability, reusability, extensibility, maintainability:
These goals can be achieved through specifications regarding graphical layout, naming conventions, and specific restrictions on the use of modeling elements. In particular, this promotes distributed development, for example, between OEMs and suppliers.
4) Compliance with safety standards:
Compliance with safety standards (e.g., IEC 61508, ISO 26262, ISO 25119, DO-178C) is a primary objective (see above).
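The objectives listed above (a safe language subset, no floating-point variables for Boolean signals, strong typing without implicit conversions, naming conventions) are exactly the kind of rules a static model checker evaluates on the model graph. The following is an added example, not code from the article or from any of the guideline documents or tools it names: it runs a handful of simplified rules over a constructed, toy representation of a block diagram (a list of blocks with their type, expected input data type and output data type, plus source-to-destination lines). The model format, the allowlist used as the "safe subset", and the rule identifiers are all assumptions made for this example; the format is not the Simulink file format. It also shows the usual mitigation for an implicit conversion finding, namely splicing an explicit DataTypeConversion block into the offending line, and verifies that the finding disappears.

```python
"""Toy static guideline checker for a constructed block-diagram model.

Added example: the model format below is an assumption (blocks with type,
expected input data type "in" and produced output data type "out", plus
src->dst lines). It is not the Simulink file format, and the rule set is a
simplified illustration, not the rules of any named guideline or tool.
"""
import re

FLOAT_TYPES = {"double", "single"}

# Assumed "safe subset": block types permitted for production code generation.
SAFE_SUBSET = {"Inport", "Outport", "Gain", "Sum", "Logic", "RelationalOperator",
               "Constant", "DataTypeConversion", "Switch", "UnitDelay"}

# Auto-generated default names such as "Gain1" or "Sum3" carry no meaning.
DEFAULT_NAME = re.compile(r"^[A-Za-z]+\d+$")

# Constructed sample model (not from the article).
MODEL = {
    "blocks": [
        {"name": "Speed_In",    "type": "Inport",             "in": None,      "out": "single"},
        {"name": "Limit_Check", "type": "RelationalOperator", "in": "single",  "out": "boolean"},
        {"name": "Enable_Flag", "type": "Constant",           "in": None,      "out": "double"},
        {"name": "Enable_And",  "type": "Logic",              "in": "boolean", "out": "boolean"},
        {"name": "Gain1",       "type": "Gain",               "in": "single",  "out": "single"},
        {"name": "Torque_Int",  "type": "Sum",                "in": "int16",   "out": "int16"},
        {"name": "Fcn_Block",   "type": "Fcn",                "in": "int16",   "out": "double"},
        {"name": "Torque_Out",  "type": "Outport",            "in": "single",  "out": "single"},
    ],
    "lines": [
        ("Speed_In", "Limit_Check"),
        ("Limit_Check", "Enable_And"),
        ("Enable_Flag", "Enable_And"),   # double constant used as a Boolean signal
        ("Speed_In", "Gain1"),
        ("Gain1", "Torque_Out"),
        ("Gain1", "Torque_Int"),         # single -> int16 without a conversion block
        ("Torque_Int", "Fcn_Block"),     # Fcn is outside the assumed safe subset
    ],
}


def check_model(model):
    """Return a list of (rule_id, location, message) findings."""
    blocks = {b["name"]: b for b in model["blocks"]}
    findings = []
    for b in model["blocks"]:
        if b["type"] not in SAFE_SUBSET:
            findings.append(("SAFE_SUBSET", b["name"],
                             f"block type {b['type']} is outside the safe subset"))
        if DEFAULT_NAME.match(b["name"]):
            findings.append(("NAMING", b["name"], "auto-generated block name"))
    for src_name, dst_name in model["lines"]:
        src, dst = blocks[src_name], blocks[dst_name]
        loc = f"{src_name}->{dst_name}"
        if dst["type"] == "DataTypeConversion":
            continue  # an explicit conversion is what the guideline asks for
        if dst["in"] == "boolean" and src["out"] in FLOAT_TYPES:
            findings.append(("FLOAT_FOR_BOOLEAN", loc,
                             f"{src['out']} signal drives a Boolean input"))
        elif src["out"] != dst["in"]:
            findings.append(("IMPLICIT_CONVERSION", loc,
                             f"{src['out']} -> {dst['in']} without a conversion block"))
    return findings


def summarize(findings):
    """Count findings per rule id."""
    counts = {}
    for rule, _, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


def insert_conversion(model, src_name, dst_name, conv_name, dtype):
    """Return a copy of the model with an explicit DataTypeConversion block
    spliced into the line src->dst (the usual fix for an implicit conversion)."""
    blocks = [dict(b) for b in model["blocks"]]
    src_out = next(b["out"] for b in blocks if b["name"] == src_name)
    blocks.append({"name": conv_name, "type": "DataTypeConversion",
                   "in": src_out, "out": dtype})
    lines = [(s, d) for s, d in model["lines"] if (s, d) != (src_name, dst_name)]
    lines += [(src_name, conv_name), (conv_name, dst_name)]
    return {"blocks": blocks, "lines": lines}


if __name__ == "__main__":
    for finding in check_model(MODEL):
        print(finding)
    fixed = insert_conversion(MODEL, "Gain1", "Torque_Int", "To_Int16", "int16")
    print(summarize(check_model(fixed)))
```

On the constructed model the checker reports one finding per rule; after the conversion block is spliced in, only the safe-subset, naming and Boolean-signal findings remain, which is the behaviour a guideline check should have: a fix for one rule must not be masked or duplicated by another.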
Model structure analysis and complexity reduction
The maintainability and testability of model components depend significantly on a well-chosen model architecture. The challenge lies in encapsulating functionalities in such a way that modules of manageable complexity are created, coupled by effective interfaces. Another aspect that plays a role in model structure analysis is the avoidance of model clones [8]. Such semantically equivalent substructures significantly reduce the maintainability of the model and should therefore be avoided. Various metrics are used in practice to automatically analyze models with regard to these issues. Besides the number of relevant language constructs, the most important of these metrics are local complexity and global complexity, as well as the Halstead metric adapted for models [9].
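To make the metrics and the clone problem concrete, here is an added example that is not from the article or from [8] or [9]: it computes a local and a global complexity figure, a Halstead-style metric, and structural clone candidates over a constructed, hierarchical toy model. The definitions are simplifying assumptions made for this example (local complexity as blocks plus lines directly inside a subsystem, global complexity as the sum over the hierarchy, and the Halstead adaptation with functional blocks as operators and signal uses as operands); the clone detector compares name-independent structural fingerprints and is not the JUST SIMPLIFY method of [8].

```python
"""Model structure metrics and a simple structural clone detector.

Added example, not from the article: the hierarchical model is a constructed
toy; the metric definitions are simplified assumptions (blocks play the role
of operators, signals the role of operands); the clone detector compares
structural fingerprints rather than implementing the method of [8].
"""
import math

# Block types that only carry signals across a boundary; they are not counted
# as "operators" in the Halstead-style metric.
INTERFACE_TYPES = {"Inport", "Outport", "SubSystem"}

# Constructed sample: subsystem name -> {"blocks": {name: type}, "lines": [(src, dst)]}.
# Filter_A and Filter_B use different block names but have identical structure.
MODEL = {
    "Root": {
        "blocks": {"Speed": "Inport", "Filter_A": "SubSystem", "Filter_B": "SubSystem",
                   "Mix": "Sum", "Limiter": "SubSystem", "Out": "Outport"},
        "lines": [("Speed", "Filter_A"), ("Speed", "Filter_B"), ("Filter_A", "Mix"),
                  ("Filter_B", "Mix"), ("Mix", "Limiter"), ("Limiter", "Out")],
    },
    "Filter_A": {
        "blocks": {"In1": "Inport", "K": "Gain", "Acc": "Sum", "Z": "UnitDelay", "Out1": "Outport"},
        "lines": [("In1", "K"), ("K", "Acc"), ("Z", "Acc"), ("Acc", "Z"), ("Acc", "Out1")],
    },
    "Filter_B": {
        "blocks": {"In1": "Inport", "Gain_B": "Gain", "Sum_B": "Sum",
                   "Delay_B": "UnitDelay", "Out1": "Outport"},
        "lines": [("In1", "Gain_B"), ("Gain_B", "Sum_B"), ("Delay_B", "Sum_B"),
                  ("Sum_B", "Delay_B"), ("Sum_B", "Out1")],
    },
    "Limiter": {
        "blocks": {"In1": "Inport", "Sat": "Saturate", "Out1": "Outport"},
        "lines": [("In1", "Sat"), ("Sat", "Out1")],
    },
}


def local_complexity(model, name):
    """Blocks plus lines directly inside one subsystem (assumed definition)."""
    sub = model[name]
    return len(sub["blocks"]) + len(sub["lines"])


def global_complexity(model):
    """Sum of local complexities over the whole hierarchy (assumed definition)."""
    return sum(local_complexity(model, n) for n in model)


def halstead(model, names=None):
    """Halstead-style metric: operators = functional block occurrences,
    operands = signal uses (one per line, distinct by source block)."""
    names = list(model) if names is None else names
    operators, operands = [], []
    for n in names:
        sub = model[n]
        operators += [t for t in sub["blocks"].values() if t not in INTERFACE_TYPES]
        operands += [f"{n}/{src}" for src, _ in sub["lines"]]
    n1, n2 = len(set(operators)), len(set(operands))
    N1, N2 = len(operators), len(operands)
    vocab, length = n1 + n2, N1 + N2
    volume = length * math.log2(vocab) if vocab else 0.0
    difficulty = (n1 / 2) * (N2 / n2) if n2 else 0.0
    return {"n1": n1, "n2": n2, "N1": N1, "N2": N2,
            "volume": volume, "difficulty": difficulty, "effort": volume * difficulty}


def fingerprint(sub):
    """Name-independent structural signature: multiset of block types plus
    multiset of (source type, destination type) edges. Deliberately coarse;
    a real detector would compare the graphs themselves."""
    types = sub["blocks"]
    return (tuple(sorted(types.values())),
            tuple(sorted((types[s], types[d]) for s, d in sub["lines"])))


def find_clones(model):
    """Group subsystems by fingerprint; groups of size > 1 are clone candidates."""
    groups = {}
    for name, sub in model.items():
        groups.setdefault(fingerprint(sub), []).append(name)
    return sorted(g for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    for n in MODEL:
        print(n, local_complexity(MODEL, n))
    print("global:", global_complexity(MODEL))
    print(halstead(MODEL, ["Filter_A"]))
    print("clones:", find_clones(MODEL))
```

The fingerprint ignores block names and parameter values on purpose, so that renamed copies are still caught; the price is that two subsystems with the same blocks wired differently but with the same type-pair edges would also be grouped, which is why the result is reported as candidates for review rather than as confirmed clones.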
Specifications from standards such as ISO 26262 and IEC 61508 regarding guidelines and design principles
As a generic standard for safety-related E/E/PE systems, IEC 61508 defines a series of measures that affect both the development process and the product to ensure the system's safety. As a vehicle-specific design standard, ISO 26262, in Chapter 6 ("Product Development at the Software Level"), requires consideration of several aspects (topics) whose relevance may differ depending on the Automotive Safety Integrity Level (ASIL) of the function to be developed [1].
Therefore, when applying guidelines to safety-relevant software components, it must be ensured that the topics specified by the ISO standard are covered. This can be addressed by thoroughly checking the derived rules on the model (and in the code) in order to make appropriate adjustments if necessary. The aspects of ISO 26262 that are specifically relevant for modeling and coding guidelines are summarized in Figure 3. Part 6 of ISO 26262 also contains concrete implementation guidelines for the design of software modules. These primarily serve to ensure the correct execution of program parts within modules and to achieve interface consistency between modules. The topics relevant for model-based development are summarized in Figure 4.
| Topic | ASIL A | ASIL B | ASIL C | ASIL D |
| Enforcement of low complexity | ++ | ++ | ++ | ++ |
| Use of language subsets | ++ | ++ | ++ | ++ |
| Enforcement of strong typing | ++ | ++ | ++ | ++ |
| Use of defensive implementation techniques | o | + | ++ | ++ |
| Use of established design principles | + | + | + | ++ |
| Use of unambiguous graphical representation | + | ++ | ++ | ++ |
| Use of style guides | + | ++ | ++ | ++ |
| Use of naming conventions | ++ | ++ | ++ | ++ |
Fig. 3: ISO 26262-6, § 5.4.7, Table 1 (o no recommendation / + recommended / ++ highly recommended)
Furthermore, ISO 26262-6 contains abstract principles for software architecture design aimed at reducing errors caused by high complexity. In many cases, specific guidelines for the model-based approach can also be derived from this, which can be used for conformity assessment with the ISO principles [9].
| Topic | ASIL A | ASIL B | ASIL C | ASIL D |
| Initialization of variables | ++ | ++ | ++ | ++ |
| No multiple use of variable names | + | ++ | ++ | ++ |
| Avoid global variables or else justify their usage | + | + | ++ | ++ |
| No implicit type conversion | + | ++ | ++ | ++ |
| No hidden data flow or control flow | + | ++ | ++ | ++ |
Fig. 4: ISO 26262-6, § 8.4.4, excerpt from Table 8 with aspects relevant to model-based software development
(+ recommended / ++ highly recommended)
Continuous Integration of Static Model Analysis
For the practical application of modeling guidelines, static model analyses must be continuously and automatically integrated throughout the development process. This applies particularly to test routines for guideline compliance. Jenkins servers are typically used as the basis for the automation infrastructure. These are configured to execute various tasks for model engineers, module testers, and software testers. In particular, static model analyses, often in seamless interaction with version control systems, can be automatically evaluated, thus enabling resource-efficient and effective verification of quality constraints.
Bibliography
| [1] | International Organization for Standardization, "ISO 26262: Road vehicles – Functional safety", 2011. |
| [2] | MathWorks Automotive Advisory Board (MAAB), "Control Algorithm Modeling Guidelines Using MATLAB, Simulink, and Stateflow (Version 3.0)", 2012. |
| [3] | MIRA Limited, "MISRA AC SLSF: Modeling design and style guidelines for the application of Simulink and Stateflow", 2009. |
| [4] | MIRA Limited, "MISRA AC TL: Modeling style guidelines for the application of TargetLink in the context of automatic code generation", 2007. |
| [5] | dSPACE GmbH, "Modeling Guidelines for dSPACE TargetLink (Version 4.0.3)", 2016. |
| [6] | Model Engineering Solutions GmbH, "Functional Safety Modeling Guidelines", 2015. |
| [7] | Model Engineering Solutions GmbH, "MES Fit for Testing", 2018. |
| [8] | E. Salecker and I. Stuermer, "JUST SIMPLIFY: Clone Detection for Simulink Controller Models", SAE Int. J. Passeng. Cars – Electron. Electr. Syst., 2016. |
| [9] | F. Bachmann and H. Dörr, "Analysis and Improvement of Model Architectures for Safety Related Systems", SAE Technical Paper, 2018. |
Author
Dr. Simon Rösel has been a Software Engineer for the MES Model Examiner (MXAM) since 2017. He holds a doctorate in Mathematical Optimization from Humboldt University of Berlin. His work at MES focuses on developing checks for automated policy verification, for example, in the context of ISO 26262, and supporting customer and research projects. He is particularly interested in how models can be used efficiently in development processes.
