Qualkitdo SLVNV TQP
1 Introduction
This document comprises the Tool Qualification Plan (reference DO-330 Section 10.1.2) for the
following capabilities of the Simulink® Verification and Validation™ verification tool:
DO-178C/DO-331 checks
Model coverage
This document is intended for use in the DO-178C and DO-330 tool qualification process for
Criteria 3 TQL-5 tools.
You can create detailed requirements traceability reports, author your own modeling style
checks, and develop check configurations to share with engineering teams. Requirements
documentation can be linked to models, test cases, and generated code. You can generate
harness models for testing model components and code, and use model coverage analysis to
ensure that models have been thoroughly tested.
Simulink Verification and Validation provides modeling standards checks for the DO-178, ISO
26262, IEC 61508 and related industry standards.
Key Features
Compliance checking for MAAB style guidelines and high-integrity system design
guidelines (DO-178, ISO 26262, IEC-61508, and related industry standards)
Model Advisor Configuration Editor, including custom check authoring
Requirements Management Interface for traceability of model objects, code, and tests to
requirements documents
Automatic test-harness generation for subsystems
Component testing via simulation, software-in-the-loop (SIL), and processor-in-the-loop
(PIL)
Programmable scripting interface for automating compliance checking, requirements
traceability analysis, and component testing
2.2 Simulink Verification and Validation Product Identification
3 Tool Operational Requirements
The Tool Operational Requirements for the following capabilities in the Simulink® Verification
and Validation™ product are documented in DO Qualification Kit: Simulink Verification and
Validation Tool Operational Requirements:
DO-178C/DO-331 checks
Model coverage
To access the tool operational requirements document, on the MATLAB ® command line, type
qualkitdo to open the Artifacts Explorer. The document is in Simulink Verification and
Validation > r2015a.
4 Certification Considerations
This section provides certification considerations for the following capabilities of the Simulink
Verification and Validation verification tool:
DO-178C/DO-331 checks
Model coverage
4.1 Requirement for Qualification
4.1.1 DO-178C/DO-331 Checks
To determine whether a tool must be qualified, you must answer the following questions. If you
answer yes to all three questions, you must qualify the tool.
| Question | DO-178C/DO-331 Checks |
|---|---|
| Can the tool insert an error into the airborne software or fail to detect an existing error in the software within the scope of its intended usage? | Yes [1] |
| Will the output of the tool not be verified as specified in Section 6 of DO-178C, DO-278A, DO-331, DO-332 or DO-333? | Yes |
| Are processes of DO-178C, DO-278A, DO-331, DO-332 or DO-333 eliminated, reduced, or automated by the use of the tool? Will you use output from the tool to meet an objective or replace an objective of DO-178C, DO-278A, DO-331, DO-332 or DO-333, Annex A or Annex C? | Yes |

[1] The DO-178C checks might fail to detect an error.
Given that the answer to all the preceding questions is yes, the DO-178C/DO-331 checks in the
Simulink Verification and Validation product must be qualified.
To determine the qualification type (Criteria 1, Criteria 2, or Criteria 3), you must answer the
following questions about the tool.
| Question | DO-178C/DO-331 Checks |
|---|---|
| 1. Is the tool output part of the airborne software, such that the output can insert an error into the software? | No |
| 2. Could the tool fail to detect an error in the airborne software and is the tool also used to justify the elimination or reduction of either of the following: (a) verification processes other than that automated by the tool; (b) development processes that could have an impact on the airborne software? | No |
| 3. Could the tool fail to detect an error in the airborne software? | Yes |
Because the answers to the first and second preceding questions are no, the DO-178C/DO-331
checks in the Simulink Verification and Validation product must be qualified as a Criteria 3 tool.
The tool qualification level will therefore be TQL-5.
4.1.2 Model Coverage
To determine whether a tool must be qualified, you must answer the following questions. If you
answer yes to all three questions, you must qualify the tool.
Given that the answer to all the preceding questions is yes, the model coverage capability in the
Simulink Verification and Validation product must be qualified.
To determine qualification type (Criteria 1, Criteria 2, or Criteria 3), you must answer the
following questions about the tool.
Because the answers to the first and second preceding questions are no, the model coverage
capability in the Simulink Verification and Validation product must be qualified as a Criteria 3
tool. The tool qualification level will therefore be TQL-5.
4.2 Certification Credit
Note The DO-178C/DO-331 checks can contain two sections: an analysis section
for reviewing the model and an action section for automatically fixing warnings
and failures. The DO Qualification Kit covers the DO-178C/DO-331 check
analysis, not the check actions.
The DO Qualification Kit does not cover Model Advisor check exclusions.
Certification Credit for DO-178C/DO-331 Checks

| Annex A or C Table | Objective | DO-331 Reference | Software or Assurance Levels | Credit Taken (in conjunction with other tools) |
|---|---|---|---|---|
| Table MB.A-3 | High-level requirements are accurate and consistent | Section MB.6.3.1.b | A, B, C, D; AL1, AL2, AL3, AL4, AL5 | Full or Partial [1] – The DO-178C/DO-331 checks verify the accuracy and consistency of the model statically. A combination of Model Advisor checks, simulation against the higher-level requirements, and review of the System Design Description can be used to take full credit for this objective. |
| Table MB.A-3 | High-level requirements are compatible with target computer | Section MB.6.3.1.c | A, B; AL1, AL2 | Full or Partial [1], [3] – The DO-178C/DO-331 checks verify the code generator settings related to the CPU. A combination of Model Advisor checks and review of the System Design Description can be used to take full credit for this objective. |
| Table MB.A-3 | High-level requirements are verifiable | Section MB.6.3.1.d | A, B, C; AL1, AL2, AL3, AL4 | Full or Partial [1] – The DO-178C/DO-331 checks verify parameter tunability, test point visibility, and in some cases can find unreachable decisions. A combination of Model Advisor checks and model coverage during simulation can be used to take full credit for this objective. |
| Table MB.A-3 | High-level requirements conform to standards | Section MB.6.3.1.e | A, B, C; AL1, AL2, AL3, AL4 | Full or Partial [1] – The DO-178C/DO-331 checks verify conformance to standards that have dedicated checks. For modeling standards that do not have Model Advisor checks, this verification may be completed via manual reviews of the System Design Description. |
| Table MB.A-3 | High-level requirements are traceable to system requirements | Section MB.6.3.1.f | A, B, C, D; AL1, AL2, AL3, AL4, AL5 | Partial [1] – The DO-178C/DO-331 checks verify that the requirements links are consistent; the actual traceability must be verified independently by reviewing the “Requirements Traceability” section of the System Design Description. |
| Table MB.A-3 | Algorithms are accurate | Section MB.6.3.1.g | A, B, C; AL1, AL2, AL3, AL4 | Full or Partial [1] – The DO-178C/DO-331 checks verify the accuracy of data types used within the model statically. A combination of Model Advisor checks, simulation against the higher-level requirements, and review of the System Design Description can be used to take full credit for this objective. |
| Table MB.A-4 | Low-level requirements are accurate and consistent | Section MB.6.3.2.b | A, B, C; AL1, AL2, AL3, AL4 | Full or Partial [2] – The DO-178C/DO-331 checks verify the accuracy and consistency of the model statically. A combination of Model Advisor checks, simulation against the higher-level requirements, and review of the System Design Description can be used to take full credit for this objective. |
| Table MB.A-4 | Low-level requirements are compatible with target computer | Section MB.6.3.2.c | A, B; AL1, AL2 | Full or Partial [2], [3] – The DO-178C/DO-331 checks verify the code generator settings related to the CPU. A combination of Model Advisor checks and review of the System Design Description can be used to take full credit for this objective. |
| Table MB.A-4 | Low-level requirements are verifiable | Section MB.6.3.2.d | A, B; AL1, AL2 | Full or Partial [2] – The DO-178C/DO-331 checks verify parameter tunability, test point visibility, and in some cases can find unreachable decisions. A combination of Model Advisor checks and model coverage during simulation can be used to take full credit for this objective. |
| Table MB.A-4 | Low-level requirements conform to standards | Section MB.6.3.2.e | A, B, C; AL1, AL2, AL3, AL4 | Full or Partial [2] – The DO-178C/DO-331 checks verify conformance to standards that have dedicated checks. For modeling standards that do not have Model Advisor checks, this verification may be completed via manual reviews of the System Design Description. |
| Table MB.A-4 | Low-level requirements are traceable to high-level requirements | Section MB.6.3.2.f | A, B, C; AL1, AL2, AL3, AL4 | Partial [2] – The DO-178C/DO-331 checks verify that the requirements links are consistent; the actual traceability must be verified independently by reviewing the “Requirements Traceability” section of the System Design Description. |
| Table MB.A-4 | Algorithms are accurate | Section MB.6.3.2.g | A, B, C; AL1, AL2, AL3, AL4 | Full or Partial [2] – The DO-178C/DO-331 checks verify the accuracy of data types used within the model statically. A combination of Model Advisor checks, simulation against higher-level requirements, and review of the System Design Description can be used to take full credit for this objective. |
| Table MB.A-4 | Software architecture is consistent | Section MB.6.3.3.b | A, B, C; AL1, AL2, AL3, AL4 | Full or Partial [2] – The DO-178C/DO-331 checks verify that the architecture of the model is consistent statically. A combination of Model Advisor checks, simulation against higher-level requirements, and review of the System Design Description can be used to take full credit for this objective. |
| Table MB.A-4 | Software architecture conforms to standards | Section MB.6.3.3.e | A, B, C; AL1, AL2, AL3, AL4 | Full or Partial [2] – The DO-178C/DO-331 checks verify conformance to standards that have dedicated checks. For modeling standards that do not have Model Advisor checks, this verification may be completed via manual reviews of the System Design Description. |
| Table MB.A-5 | Source code is traceable to low-level requirements | Section MB.6.3.4.e | A, B, C; AL1, AL2, AL3, AL4 | Partial [2], [3] – The DO-178C/DO-331 checks verify that the code generator is set to generate traceable code; the actual traceability must be verified independently. |

Notes:
[1] This credit is taken only if the Simulink® and Stateflow® models are considered Specification Models for the project.
[2] This credit is taken only if the Simulink and Stateflow models are considered Design Models for the project.
[3] This credit is taken only if the Embedded Coder™ product is used to automatically generate code from the models.
4.2.2 Model Coverage
The following table shows the certification credit with respect to DO-331 Annex A or Annex C
Objectives being taken for the model coverage capability of the Simulink Verification and
Validation product.
Note The DO Qualification Kit does not cover Model Coverage exclusions, i.e., the
usage of Model coverage filter rules and files.
| Annex A or C Table | Objective | DO-331 Reference | Software or Assurance Levels | Credit Taken (in conjunction with other tools) |
|---|---|---|---|---|
| Table MB.A-4 | Software architecture is verifiable | Section MB.6.3.3.d | A, B; AL1, AL2 | Full or Partial [2] – During simulation, model coverage verifies that conditions and decisions in the model can be exercised. A combination of Model Advisor checks and model coverage during simulation can be used to take full credit for this objective. |
| Table MB.A-4 | Software architecture conforms to standards | Section MB.6.3.3.e | A, B, C; AL1, AL2, AL3, AL4 | Partial [1] – Model coverage can provide a cyclomatic complexity metric for the model, which might be part of the modeling standards. |

Notes:
[1] This credit is taken only if the Simulink and Stateflow models are considered Specification Models for the project.
[2] This credit is taken only if the Simulink and Stateflow models are considered Design Models for the project.
The following table shows the certification credit with respect to DO-178C Annex A or DO-
278A Annex A Objectives being taken for the model coverage capability of the Simulink
Verification and Validation product.
Certification Credit for Model Coverage with respect to DO-178C or DO-278A objectives
| Annex A Table | Objective | DO-178C or DO-278A Reference | Software or Assurance Levels | Credit Taken |
|---|---|---|---|---|
| Table A-7 | Test procedures are correct | Section 6.4.5.b | A, B, C; AL1, AL2, AL3, AL4 | Partial – During simulation, model coverage verifies that conditions and decisions in the model have been exercised and provides the data ranges achieved. The adequacy of the data ranges and the expected results are not verified by model coverage. The model coverage report may be used to verify the validity and completeness of test cases generated by the Simulink® Design Verifier™ product [3]. |
| Table A-7 | Test coverage of high-level requirements is achieved | Section 6.4.4.a | A, B, C, D; AL1, AL2, AL3, AL4, AL5 | Partial [1] – During simulation, model coverage verifies that conditions and decisions in the model have been exercised and provides the data ranges achieved. The test cases executed on the model must be repeated on the object code to complete this objective. |
| Table A-7 | Test coverage of low-level requirements is achieved | Section 6.4.4.b | A, B, C; AL1, AL2, AL3, AL4 | Partial [2] – During simulation, model coverage verifies that conditions and decisions in the model have been exercised and provides the data ranges achieved. The test cases executed on the model must be repeated on the object code to complete this objective. |

Notes:
[1] This credit is taken only if the Simulink and Stateflow models are considered Specification Models for the project.
[2] This credit is taken only if the Simulink and Stateflow models are considered Design Models for the project.
[3] The Simulink Design Verifier product is not a qualified tool. However, executing the Simulink Design Verifier automatically generated tests on the model and assessing the results, while using the qualified model coverage tool, provides credit for demonstrating completeness and validity of those test cases.
5 Tool Development Life Cycle – Tool User
5.1 Planning
The Plan for Software Aspects of Certification (PSAC) or Plan for Software Aspects of
Approval (PSAA) designates that the following capabilities of the Simulink Verification and
Validation product will be qualified as Criteria 3 tools:
DO-178C/DO-331 checks
Model coverage
This document provides the Tool Qualification Plan for these capabilities of the Simulink
Verification and Validation product.
5.2 Requirements
5.2.1 DO-178C/DO-331 Checks
Tool Operational Requirements for the DO-178C/DO-331 checks in the Simulink
Verification and Validation product are in:
To access the tool operational requirements document, on the MATLAB command line,
type qualkitdo to open the Artifacts Explorer. The document is in Simulink
Verification and Validation > r2015a.
Review the Tool Operational Requirements for applicability to the project under
consideration.
Configure the Tool Operational Requirements in a configuration management system.
The Simulink Verification and Validation user information for the DO-178C/DO-331
checks is in the Simulink Verification and Validation DO-178C/DO-331 Checks and Model
Advisor User Information. To access the user information document, on the MATLAB
command line, type qualkitdo to open the Artifacts Explorer. The document is in
Simulink Verification and Validation > r2015a.
Instructions for installing the Simulink
Verification and Validation product are available at the MathWorks Documentation Center,
R2015a:
Installation
5.2.2 Model Coverage
Tool Operational Requirements for the model coverage capability of the Simulink
Verification and Validation product are in:
To access the tool operational requirements document, on the MATLAB command line,
type qualkitdo to open the Artifacts Explorer. The document is in Simulink
Verification and Validation > r2015a.
Review the Tool Operational Requirements for applicability to the project under
consideration.
Configure the Tool Operational Requirements in a configuration management system.
The Simulink Verification and Validation user information for model coverage is in the
Simulink Verification and Validation Model Coverage User Information.
To access the user information document, on the MATLAB command line, type
qualkitdo to open the Artifacts Explorer. The document is in Simulink Verification
and Validation > r2015a.
Instructions for installing the Simulink Verification and Validation product are available at
the MathWorks Documentation Center, R2015a:
Installation
5.3 Verification
5.3.1 DO-178C/DO-331 Checks
Requirements-based test cases and procedures will be developed from
The test cases and procedures will be developed in the form of the Simulink models that
exercise the DO-178C/DO-331 checks under consideration in the Model Advisor.
To access the documents, on the MATLAB command line, type qualkitdo to open the
Artifacts Explorer. The documents are in Simulink Verification and Validation > r2015a.
Review the test cases and procedures for applicability to the project under consideration.
Configure the test cases and procedures in a configuration management system.
Execute the test cases and procedures in the installed environment.
Executing the Simulink Report Generator report listed in the following table generates tool
verification results in the specified test report.
5.3.2 Model Coverage
Requirements-based test cases and procedures will be developed from:
The test cases and procedures will be developed in the form of the Simulink models that
exercise the model coverage capability.
To access the documents, on the MATLAB command line, type qualkitdo to open the
Artifacts Explorer. The document is in Simulink Verification and Validation > r2015a.
Review the test cases and procedures for applicability to the project under consideration.
Configure the test cases and procedures in a configuration management system.
Execute the test cases and procedures in the installed environment.
Executing the Simulink Report Generator reports listed in the following table generates tool
verification results in the specified test reports.
6 Additional Considerations
6.1 Customer Bug Reporting
MathWorks reports known critical bugs brought to its attention on its bug report system at
www.mathworks.com/support/bugreports. The bug reports are an integral part of the
documentation for each release.
The bug report system provides an interface for customers to view and submit bug reports. Users
can track the status of open bugs. Users can choose to receive notifications for new or updated
bug reports. The bug reports on this web site include internally and externally nominated bugs.
If applicable, bug reports include provisions for known workarounds or file replacements.
Customers can use the bug report mechanism to nominate bugs. These nominations are
processed and evaluated by The MathWorks, Inc. development organization.
7 Tool Life Cycle Data
7.1 DO-178C/DO-331 Checks
The following table shows the life cycle data for the DO-178C/DO-331 checks in the Simulink
Verification and Validation product. The table maps the documents and artifacts to DO-330 life
cycle data items.
| Data | Available/Submit | DO-330 Reference | Documents/Artifacts |
|---|---|---|---|
| | | | qualkitdo_slvnv_tcpr1.rpt |
| Test Results | Available* | Section 10.3.4 | DO Qualification Kit: Simulink Verification and Validation Test Cases, Procedures, and Results; qualkitdo_slvnv_qualificationreport1.html |
| Software Accomplishment Summary (SAS) | Submit | Section 10.1.16 | <Insert reference to SAS** here.> |
| Tool Qualification Accomplishment Summary | Submit | Section 10.1.15 | <Insert reference to Tool Qualification Accomplishment Summary** here.> |

Notes:
* Optional for TQL-5 tool qualification
** To be created by applicant
The applicant must deliver data marked “Submit” to the certification authorities. Data marked
“Available” must be available at the applicant’s or tool vendor’s site for inspection by the
certification authorities.
| Data | Available/Submit | DO-330 Reference | Documents/Artifacts |
|---|---|---|---|
| | | | qualkitdo_slvnv_tcpr2.rpt, qualkitdo_slvnv_tcpr3.rpt, qualkitdo_slvnv_tcpr4.rpt, qualkitdo_slvnv_tcpr5.rpt, qualkitdo_slvnv_tcpr6.rpt |
| Test Results | Available* | Section 10.3.4 | DO Qualification Kit: Simulink Verification and Validation Test Cases, Procedures, and Results; qualkitdo_slvnv_qualificationreport2.html, qualkitdo_slvnv_qualificationreport3.html, qualkitdo_slvnv_qualificationreport4.html, qualkitdo_slvnv_qualificationreport5.html, qualkitdo_slvnv_qualificationreport6.html |
| Software Accomplishment Summary (SAS) | Submit | Section 10.1.16 | <Insert reference to SAS** here.> |
| Tool Qualification Accomplishment Summary | Submit | Section 10.1.15 | <Insert reference to Tool Qualification Accomplishment Summary** here.> |

Notes:
* Optional for TQL-5 tool qualification
** To be created by applicant
The applicant must deliver data marked “Submit” to the certification authorities. Data marked
“Available” must be available at the applicant’s or tool vendor’s site for inspection by the
certification authorities.
8 Schedule