R2017a
Phone: 508-647-7000
FEDERAL ACQUISITION: This provision applies to all acquisitions of the Program and Documentation by, for, or through the
federal government of the United States. By accepting delivery of the Program or Documentation, the government hereby agrees
that this software or documentation qualifies as commercial computer software or commercial computer software documentation
as such terms are used or defined in FAR 12.212, DFARS Part 227.72, and DFARS 252.227-7014. Accordingly, the terms and
conditions of this Agreement and only those rights specified in this Agreement, shall pertain to and govern the use, modification,
reproduction, release, performance, display, and disclosure of the Program and Documentation by the federal government (or
other entity acquiring for or through the federal government) and shall supersede any conflicting contractual terms or conditions.
If this License fails to meet the government’s needs or is inconsistent in any respect with federal procurement law, the
government agrees to return the Program and Documentation, unused, to The MathWorks, Inc.
Trademarks
MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See www.mathworks.com/trademarks for a
list of additional trademarks. Other product or brand names may be trademarks or registered trademarks of their respective
holders.
Patents
MathWorks products are protected by one or more U.S. patents. Please see www.mathworks.com/patents for more
information.
September 2015 Revised for DO Qualification Kit Version 3.0 (Applies to Release 2015b)
March 2016 Revised for DO Qualification Kit Version 3.1 (Applies to Release 2016a)
September 2016 Revised for DO Qualification Kit Version 3.2 (Applies to Release 2016b)
March 2017 Revised for DO Qualification Kit Version 3.3 (Applies to Release 2017a)
2 Operational Requirements
3 Installation
4 Operational Environment
This document comprises the Tool Operational Requirements (Reference DO-330 Section
10.3.1) for the following capabilities of the Simulink® Code Inspector™ verification product:
This document is intended for use in the DO-330 tool qualification process for TQL-4 tools.
For more information about the following products, see the MathWorks® Documentation Center,
R2017a:
Key Features
Simulink Code Inspector carries out translation validation. Inputs to the Code Inspector are a
Simulink model and the C source code generated by the Embedded Coder® code generator for
the model. To be compatible with code inspection, the code generated by Embedded Coder must
comply with either the ANSI C89/C90 or ISO/IEC 9899:1990 standard.
The code inspector processes these two inputs into internal representations (IRs), called model
IR and code IR. These IRs are transformed into normalized representations to facilitate further
analysis. In this process, the model IR represents the expected pattern and the code IR
constitutes the actual pattern to be verified. To verify the generated code, the Code Inspector
attempts to match the normalized model IR with the normalized code IR.
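A toy version of the matching step described above, added here as an illustration; it is not MathWorks code and does not reflect how Simulink Code Inspector is implemented. The model dictionary, the helper names and both code samples are constructed, and the generated statements are restricted to `lhs = a op b;` so that Python's `ast` module can parse them. The mismatches it reports mirror the page's own examples: a Gain literal of 4.0 instead of 3.0, `!=` instead of `==`, and a code segment that traces to no block.

```python
import ast

# Constructed model IR: output signal -> (block type, parameter, input signals).
MODEL = {
    "y1": ("Gain", 3.0, ["u1"]),
    "y2": ("Sum", None, ["y1", "u2"]),
    "y3": ("RelationalOperator", "==", ["y2", "u3"]),
}
# Constructed "generated code": the first matches the model, the second does not.
GOOD_CODE = "y1 = u1 * 3.0;\ny2 = u2 + y1;\ny3 = y2 == u3;"
BAD_CODE = "y1 = 4.0 * u1;\ny2 = y1 + u2;\ny3 = y2 != u3;\ntmp = u1 + u1;"

COMMUTATIVE = {"*", "+", "==", "!="}
OPS = {ast.Mult: "*", ast.Add: "+", ast.Sub: "-", ast.Eq: "==", ast.NotEq: "!="}

def normalize(op, args):
    """Canonical form: numbers as floats, commutative operands sorted."""
    args = [a if isinstance(a, str) else repr(float(a)) for a in args]
    return (op, tuple(sorted(args) if op in COMMUTATIVE else args))

def model_ir(model):
    """Expected pattern: one normalized expression per block output."""
    ir = {}
    for out, (kind, param, inputs) in model.items():
        if kind == "Gain":
            ir[out] = normalize("*", [param] + inputs)
        elif kind == "Sum":
            ir[out] = normalize("+", inputs)
        else:  # RelationalOperator: the parameter is the operator itself
            ir[out] = normalize(param, inputs)
    return ir

def code_ir(source):
    """Actual pattern: parse each `lhs = a op b;` statement and normalize it."""
    ir = {}
    for line in source.splitlines():
        stmt = ast.parse(line.strip().rstrip(";")).body[0]
        rhs = stmt.value
        if isinstance(rhs, ast.Compare):
            op, operands = rhs.ops[0], [rhs.left, rhs.comparators[0]]
        else:
            op, operands = rhs.op, [rhs.left, rhs.right]
        atoms = [n.id if isinstance(n, ast.Name) else n.value for n in operands]
        ir[stmt.targets[0].id] = normalize(OPS[type(op)], atoms)
    return ir

def inspect_code(model, source):
    """Match expected against actual; return (signal, finding) pairs."""
    expected, actual = model_ir(model), code_ir(source)
    findings = []
    for out, exp in expected.items():
        if out not in actual:
            findings.append((out, "block has no corresponding code"))
        elif actual[out] != exp:
            findings.append((out, f"expected {exp}, found {actual[out]}"))
    for out in sorted(actual.keys() - expected.keys()):
        findings.append((out, "code does not trace back to a block"))
    return findings
```

Operand order differs between `MODEL` and `GOOD_CODE` on purpose: normalization is what lets the two representations compare equal.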
Note: Not all tool features are covered by the DO Qualification Kit. For the list of qualified
tool features, see Chapter 2, “Operational Requirements”.
Figure 1 shows the architecture of Simulink Code Inspector.
Code generated from models with fatal incompatibilities cannot be verified. The user
is notified with a message and code inspection terminates.
Code generated from models with nonfatal incompatibilities can be partially verified.
Although it might not be possible to fully verify the generated code, code inspection
continues.
The aspects of a Simulink model that are analyzed by code inspection include the following:
The following table lists the Simulink Code Inspector capabilities that are supported by the DO
Qualification Kit. The user is responsible for ensuring that the tool features they rely on to
eliminate, reduce or automate the process are sufficiently covered by Tool Operational
Requirements (reference DO-330 Section 6.2.1.aa).
INVSRCCODE | If the source code cannot be parsed, Simulink Code Inspector shall consider the code invalid and post an error message. | If source code cannot be parsed, code inspection terminates with an error message. | None
MDLFATAL | Simulink Code Inspector shall detect if the model is fatally incompatible with code inspection and terminate the inspection. | Code inspection terminates when the model does not use an ert-based system target file. | None
MDLNONFATAL | Simulink Code Inspector shall detect if the model is nonfatally incompatible with code inspection and, by default, continue the inspection. | Code inspection continues when Sum block input and output ports do not have the same data type. | None
NONFATALCHOICE | Simulink Code Inspector shall allow the user to terminate code inspection for nonfatal incompatibilities. | Code inspection terminates for a nonfatally incompatible model and user has selected the option to terminate inspection for a nonfatally incompatible model. | None
Model Interface
MDLINTFUNCGEN | Simulink Code Inspector shall verify that the model interface functions are implemented in the generated code. | Model step function is missing. | None
MDLINTDATAGEN | Simulink Code Inspector shall verify that the model interface data structures are implemented in the generated code. | Root input data structure for a bus is missing. | Arrays and built-in types are supported for inspection. For structures, the name or tag is verified,
MDLINTFUNCSIG | Simulink Code Inspector shall verify that the model interface functions have the expected signatures | Model step function argument sequence differs from function prototype control specification. | None
MDLINTIOGEN | Simulink Code Inspector shall verify that the expected input and output data structures are implemented in the generated code. | External input for initialization function was not initialized as expected. | Arrays and built-in types are supported for inspection. For structures, the name or tag is verified, but not the structure fields.
Block Behavior
BLKCOMPS | Simulink Code Inspector shall verify that code generated for a block includes all components of functionality. | Code for a Unit Delay block does not include code for updating its state variable. | None for blocks supported for inspection.*
BLKCOMPSEXP | Simulink Code Inspector shall verify that code generated for a block includes only expected instances of component functionality. | Code includes two independent addition operations that trace to the same Sum block. | None for blocks supported for inspection.*
BLKCOMPSTRACE | Simulink Code Inspector shall verify that code segments trace back to block component functionality and that system logic code traces back to system functionality. | A segment of code exists that does not trace back to a block source. | None for blocks supported for inspection.*
BLKCOMPSCONFIG | Simulink Code Inspector shall verify that code for block component functionality represents the current block configuration. | A Relational Operator block is configured for an equal (==) operation, but it traces to code that applies a not equal (!=) operation. | None for blocks supported for inspection.*
BLKCOMPSSYSFUNC | Simulink Code Inspector shall verify that code for block component functionality is in the corresponding system function. | The output code for a Unit Delay block is in the start function of the parent system. | None for blocks supported for inspection.*
BLKCOMPSPROPS | Simulink Code Inspector shall verify | A Gain block with an output data | None for blocks supported
BLKCRL | Simulink Code Inspector shall verify that code generated for a block uses functions and operations supported for code inspection in the Code Replacement Libraries (CRLs). | Code for Sqrt block does not use a function or operation supported for code inspection in the CRL. | For a list of functions and operations supported for code inspection, see “Supported Functions and Operations in Code Replacement Libraries” in the Simulink Code Inspector Tool Requirements, R2017a.
* For a list of blocks supported for code inspection, see “Supported Block Constraints” in the Simulink Code Inspector Tool
Requirements, R2017a.
Stateflow Behavior
SFFLOWGRAPH | Simulink Code Inspector shall verify that the generated code execution order and execution paths represent the execution order and execution paths in the Stateflow Chart. | Stateflow does not generate a control flow with more than 1 default transition. | See “Stateflow Charts” in the Simulink Code Inspector Tool Requirements, R2017a.
SFSTATES | Simulink Code Inspector shall verify that the code generated for a state represents the corresponding state in the model, including entry, during, and exit actions. | Stateflow does not generate a control flow with more than 1 default transition. | See “Stateflow States” in the Simulink Code Inspector Tool Requirements, R2017a.
SFTRANSITION | Simulink Code Inspector shall verify that the code generated for a transition represents the corresponding transition in the model, including conditions and actions. | A condition action uses operator cos and the generated code has operator sin. | See “Stateflow Transitions” in the Simulink Code Inspector Tool Requirements, R2017a.
SFJUNCTION | Simulink Code Inspector shall verify that the code generated for a junction represents the corresponding | An unconditional transition executing last in the chart is executed first in the generated code. | See “Stateflow Junctions” in the Simulink Code Inspector Tool
SFDATA | Simulink Code Inspector shall verify that the Stateflow data in the generated code represents the model data. | Output of Stateflow block with data type uint32_T traces to code that assigns the block output to variable of data type int8_T. | See “Stateflow Data and Events” in the Simulink Code Inspector Tool Requirements, R2017a.
SFEVENT | Simulink Code Inspector shall verify that the code generated for function-call event represents the function-call event in the model. | Output trigger type is Either edge instead of function-call. | See “Stateflow Data and Events” in the Simulink Code Inspector Tool Requirements, R2017a.
SFGRAPHFUNC | Simulink Code Inspector shall verify that the code generated for a graphical function represents the graphical function in the model, including the control flow. | Stateflow graphical function property InlineOption is set to Inline but the generated code has a function. | See “Stateflow Graphical Functions” in the Simulink Code Inspector Tool Requirements, R2017a.
SFSLFUNC | Simulink Code Inspector shall verify that the code generated for a Simulink function represents the Simulink function in the model. | Generated code does not inline the correct Simulink function when Simulink functions exist in both a chart and a state within the chart. | See “Stateflow Simulink Functions” in the Simulink Code Inspector Tool Requirements, R2017a.
SFTRUTHTABLE | Simulink Code Inspector shall verify that the code generated for a truth table represents the truth table in the model. | When Decision 1 is true, Action 1 should execute. However, in the generated code, Action 2 executes. | See “Stateflow Truth Tables” in the Simulink Code Inspector Tool Requirements, R2017a.
MLFUNCOPER | Simulink Code Inspector shall verify that the code generated for MATLAB function block operators represents the current block functionality. | A statement in a MATLAB Function block using a plus (+) operator traces to code that performs a subtraction (-) operation. | See “MATLAB Function Blocks” in the Simulink Code Inspector Tool Requirements, R2017a.
MLFUNUSER | Simulink Code Inspector shall verify that the code generated for user-written functions in MATLAB Function blocks represents the user-written function in the model. | A statement in a user-defined function inside a MATLAB function block uses the second element in an array. However, in the generated code, the third element is used. | See “MATLAB Function Blocks” in the Simulink Code Inspector Tool Requirements, R2017a.
BLKDATADEFUSE | Simulink Code Inspector shall verify that the data definition and use dependencies in the code reflect the dependencies in the model. | A variable buffer is written to by the operation of block A. It is written to again by the operation of block B before a destination block for block A has read the first value. | None
BLKINPUT | Simulink Code Inspector shall verify that the block input sources in the code represent the block input sources in the model. | A Gain block uses input from a muxed signal for input ports 1 and 2 (in that order). The generated multiplication code for the Gain block represents the block input sources in a different order than expected. For example, instead of | None
BLKINDEX | Simulink Code Inspector shall verify that the data selection in the code represents the data selection in the model. | A Gain block is fed by a Bus Selector that selects field f1 from bus foobus. The multiplication operation in the code is on foobus. | None
BLKEXEORDER | Simulink Code Inspector shall verify that the code execution order is consistent with model element execution order. | Gain block A feeds a Unit Delay block B. The update code of Unit Delay block B appears before the output code of Gain block A. | None
BLKMULTIRATE | If a model contains blocks that execute at different sample rates, Simulink Code Inspector shall verify that the code for each block is called at the proper rate and in the proper execution order. | An Abs block is executing at a sample rate of 10 Hz. However, in the generated code, the Abs block executes at 20 Hz. | See the “Solver Pane” and “Diagnostics Pane: Sample Time” constraints in the Simulink Code Inspector Tool Requirements, R2017a.
SIGOBJGLOB | Simulink Code Inspector shall verify that signal objects that do not have an auto storage class in the code represent signal objects that do not have an auto storage class in the model. | Signal sig1 is specified with the ExportedGlobal storage class. In the code, sig1 is represented as a global variable. | Code inspection is supported for Simulink global and other storage classes with Custom Storage Class types set to Unstructured.
PARAMOBJAUTO | Simulink Code Inspector shall verify that parameter objects with storage | Parameter K is specified with the auto storage class. In the code, the | None
PARAMOBJTUNA | Simulink Code Inspector shall verify that parameter objects that do not have an auto storage class in the code represent parameter objects that do not have an auto storage class in the model. (For example, Simulink Code Inspector will verify that tunable parameters in the code represent tunable parameters in the model.) | Parameter K is specified with the ExportedGlobal storage class. In the code, the literal value of the parameter is represented as a global variable. | Code inspection is supported for Simulink global and other storage classes with Custom Storage Class types set to Unstructured.
PARAMINLINE | Simulink Code Inspector shall verify that Inlined parameter values in the code represent Inlined parameter values in the model. | A Gain block has its Gain parameter set to 3.0. The code uses the literal value 4.0 in the multiplication operation. | None
Local Variables
LCLVARUSED | Simulink Code Inspector shall verify that all local variables are used. | Local variable tmp is defined but not used. | None
LCLVARDEF | Simulink Code Inspector shall verify that all local variables are defined before initial use. | Local variable tmp is used, but is not defined. | None
Configuration Parameters
SOLVERPANE | Simulink Code Inspector shall detect configuration parameter settings on the Solver Pane that are not compatible with code inspection. | Model specifies a single sample time, but the generated code has multirate code. | See “Configuration Parameter Constraints” in the Simulink Code Inspector Tool Requirements, R2017a.
DATAPANE | Simulink Code Inspector shall detect configuration parameter settings on | Configuration parameter InitialState is set to ‘’, but the | See “Configuration Parameter Constraints” in
OPTPANE | Simulink Code Inspector shall detect configuration parameter settings on the Optimization Pane that are not compatible with code inspection. | Configuration parameter StateBitSets is set to off, but the generated code behaves as if this parameter is on. | See “Configuration Parameter Constraints” in the Simulink Code Inspector Tool Requirements, R2017a.
DIAGPANE | Simulink Code Inspector shall detect configuration parameter settings on the Diagnostics Pane that are not compatible with code inspection. | Configuration parameter UnderspecifiedInitializationDetection is set to Simplified, but the generated code has code for Classic mode. | See “Configuration Parameter Constraints” in the Simulink Code Inspector Tool Requirements, R2017a.
HWPANE | Simulink Code Inspector shall detect configuration parameter settings on the Hardware Implementation Pane that are not compatible with code inspection. | Configuration parameter ProdBitPerShort is set to 16, but the generated code uses 32. | See “Configuration Parameter Constraints” in the Simulink Code Inspector Tool Requirements, R2017a.
MODREFPANE | Simulink Code Inspector shall detect configuration parameter settings on the Model Referencing Pane that are not compatible with code inspection. | A referenced model has ModelReferenceNumInstancesAllowed set to Multi, but the generated code for it has single-instance code. | None
CODEGENPANE | Simulink Code Inspector shall detect configuration parameter settings on the Code Generation Pane that are not compatible with code inspection. | On Code Generation: Interface > Data pane, configuration parameter Interface is set to None, but the generated code has initialization code for error C-API interface. | See “Configuration Parameter Constraints” in the Simulink Code Inspector Tool Requirements, R2017a.
For a list of blocks supported for code inspection, see “Supported Block Constraints” in the
Simulink Code Inspector Tool Requirements, R2017a.
For information about model configuration, block, Stateflow, and MATLAB function
constraints when using the Simulink Code Inspector to inspect code, see the following sections
in the Simulink Code Inspector Tool Requirements, R2017a:
For traceability between the operational requirements and tool requirements, see
qualkitdo_slci_tor_tr_trace.xlsx
To access these documents, on the MATLAB command line, type qualkitdo to open the
Artifacts Explorer. The documents are in Simulink Code Inspector.
To use the Simulink® Code Inspector™ product, install the following MathWorks® products:
MATLAB®
Simulink®
Simulink Code Inspector
To generate model code for inspection, install the following MathWorks products:
MATLAB® Coder™
Simulink® Coder™
Embedded Coder®
Instructions for installing the products are available at the MathWorks Documentation Center,
R2017a > Installation.
4 Operational Environment
The DO Qualification Kit product supports the following operating environments for the
Simulink® Code Inspector™ product:
Personal computer
One of the following operating systems:
Microsoft® Windows®
Linux®
MATLAB® Software
Simulink® Software