
IEC 61508, IEC 62304, ISO 26262, and EN 50128 Checks

IEC 61508, IEC 62304, ISO 26262, and EN 50128 checks facilitate designing and troubleshooting models, subsystems, and the corresponding generated code for applications to comply with IEC 61508-3, IEC 62304, ISO 26262-6, or EN 50128.

The Model Advisor performs a checkout of the Simulink® Check™ license when you run the IEC 61508, IEC 62304, ISO 26262, or EN 50128 checks.

These checks are certified by the IEC Certification Kit for use in development processes that must comply with IEC 61508, ISO 26262, EN 50128, or derivative standards.

Tips

If your model uses model referencing, run the IEC 61508, IEC 62304, ISO 26262, or EN 50128 checks on all referenced models before running them on the top-level model.
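To follow this tip from a script rather than the Model Advisor window, here is an added example (not part of the MathWorks page and not MathWorks code) that runs the checks documented on this page on each referenced model first and on the top-level model last. It assumes a top-level model named top_ctrl on the MATLAB path; that name, the list of check IDs and the decision to report anything other than a Pass are this example's choices. It relies on find_mdlrefs returning the model reference hierarchy with the top model as the last element, and on ModelAdvisor.run returning one ModelAdvisor.SystemResult per model with numPass, numWarn, numFail and CheckResultObjs properties.

```matlab
% Added example, not MathWorks code. Runs the IEC 61508 checks listed on
% this page on every referenced model first, then on the top-level model.
% 'top_ctrl' is an assumed model name.
topModel = 'top_ctrl';
checkIDs = { ...
    'mathworks.iec61508.MdlMetricsInfo', ...
    'mathworks.iec61508.UnconnectedObjects', ...
    'mathworks.do178.CodeSet', ...
    'mathworks.iec61508.MathOperationsBlocksUsage', ...
    'mathworks.iec61508.LogicBlockUsage', ...
    'mathworks.iec61508.PortsSubsystemsUsage', ...
    'mathworks.iec61508.MdlVersionInfo'};

% find_mdlrefs returns the reference hierarchy with the top model as the
% last element, so a forward loop checks each referenced model before
% the model that references it, as the tip above recommends.
mdls = find_mdlrefs(topModel);

problems = cell(0, 3);   % {model, check ID, status}
for k = 1:numel(mdls)
    load_system(mdls{k});
    results = ModelAdvisor.run(mdls{k}, checkIDs);   % cell of SystemResult
    r = results{1};
    fprintf('%-24s pass=%d warn=%d fail=%d\n', mdls{k}, ...
        r.numPass, r.numWarn, r.numFail);
    cr = r.CheckResultObjs;
    for i = 1:numel(cr)
        c = cr(i);
        if iscell(c), c = c{1}; end
        % Anything that is not a Pass (warning, failure, not run) is
        % reported here, so a warning on a referenced model is not lost
        % once attention moves to the top-level model.
        if ~strcmpi(c.status, 'Pass')
            problems(end+1, :) = {mdls{k}, c.checkID, c.status}; %#ok<AGROW>
        end
    end
end

if isempty(problems)
    disp('All checks passed on every model in the hierarchy.');
else
    for i = 1:size(problems, 1)
        fprintf('%s | %s | %s\n', problems{i, :});
    end
    error('IEC 61508 checks reported %d problem(s).', size(problems, 1));
end
```

Because the script raises an error when any check does not pass, it can be used as a gate in a build or continuous integration job; drop the final error call if you only want the report.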

See Also

  • IEC 61508-3 Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 3: Software requirements

  • IEC 62304 Medical device software - Software life cycle processes

  • ISO 26262-6 Road vehicles - Functional safety - Part 6: Product development: Software level

  • EN 50128 Railway applications - Communications, signalling and processing systems - Software for railway control and protection systems

  • Embedded Coder® documentation:

Display model metrics and complexity report

Check ID: mathworks.iec61508.MdlMetricsInfo

Display number of elements and name, level, and depth of subsystems for the model or subsystem.

Description

The IEC 61508, ISO 26262, and EN 50128 standards recommend the usage of size and complexity metrics to assess the software under development. This check provides metrics information for the model. The provided information can be used to inspect whether the size or complexity of the model or subsystem exceeds given limits. The check displays:

  • A block count for each Simulink block type contained in the given model, including library linked blocks.

  • A count of Stateflow® constructs in the given model (if applicable).

  • Name, level, and depth of the subsystems contained in the given model (if applicable).

  • The maximum subsystem depth of the given model.

Available with Simulink Check.

This check requires a Stateflow license.

Results and Recommended Actions

Condition: N/A

Recommended action: This summary is provided for your information. No action is required.

Capabilities and Limitations

  • Runs on library models.

  • Analyzes content of library linked blocks.

  • Analyzes content in all masked subsystems.

  • Does not allow exclusions of blocks or charts.

See Also

  • IEC 61508-3, Table B.9 (1) - Software module size limit, Table B.9 (2) - Software complexity control

  • IEC 62304, 5.5.3 - Software Unit acceptance criteria

  • ISO 26262-6, Table 1 (1a) - Enforcement of low complexity, Table 3 (a) - Hierarchical structure of software components, Table 3 (b) - Restricted size of software components, and Table 3 (c) - Restricted size of interfaces

  • EN 50128, Table A.12 (8) - Limited size and complexity of Functions, Subroutines and Methods and (9) Limited number of subroutine parameters

  • sldiagnostics in the Simulink documentation

  • Cyclomatic Complexity for Stateflow Charts (Simulink Coverage)

Check for unconnected objects

Check ID: mathworks.iec61508.UnconnectedObjects

Identify unconnected lines, input ports, and output ports in the model.

Description

Unconnected objects are likely to cause problems propagating signal attributes such as data type, sample time, and dimensions.

Ports connected to Ground or Terminator blocks pass this check.

Available with Simulink Check.

Results and Recommended Actions

Condition: There are unconnected lines, input ports, or output ports in the model or subsystem.

Recommended action:

  • Double-click an element in the list of unconnected items to locate the item in the model diagram.

  • Connect the objects identified in the results.

Capabilities and Limitations

  • Runs on library models.

  • Does not analyze content of library linked blocks.

  • Analyzes content in all masked subsystems.

  • Allows exclusions of blocks and charts.

See Also

  • IEC 61508-3, Table A.3 (3) - Language subset

  • IEC 62304, 5.5.3 - Software Unit acceptance criteria

  • ISO 26262-6, Table 1 (1b) - Use of language subsets, Table 1 (1d) - Use of defensive implementation techniques

  • EN 50128, Table A.4 (11) - Language Subset

  • Signal Basics (Simulink)

Check safety-related code generation settings

Check ID: mathworks.do178.CodeSet

Check model configuration for code generation settings that can impact safety.

Description

This check verifies that model configuration parameters for code generation are set optimally for a safety-related application.

Available with Simulink Check.

Results and Recommended Actions

Condition: The option to include comments in the generated code is cleared. Comments provide good traceability between the code and the model.
Recommended action: Select Include comments (Simulink Coder) on the Code Generation > Comments pane in the Configuration Parameters dialog box, or set the parameter GenerateComments to on.

Condition: The option to include comments that describe the code for blocks is cleared. Comments provide good traceability between the code and the model.
Recommended action: Select Simulink block comments (Simulink Coder) on the Code Generation > Comments pane in the Configuration Parameters dialog box, or set the parameter SimulinkBlockComments to on.

Condition: The option to include comments that describe the code for blocks eliminated from a model is cleared. Comments provide good traceability between the code and the model.
Recommended action: Select Show eliminated blocks (Simulink Coder) on the Code Generation > Comments pane in the Configuration Parameters dialog box, or set the parameter ShowEliminatedStatement to on.

Condition: The option to include the names of parameter variables and source blocks as comments in the model parameter structure declaration in model_prm.h is cleared. Comments provide good traceability between the code and the model.
Recommended action: Select Verbose comments for 'Model default' storage class (Simulink Coder) on the Code Generation > Comments pane in the Configuration Parameters dialog box, or set the parameter ForceParamTrailComments to on.

Condition: The option to include requirement descriptions assigned to Simulink blocks as comments is cleared. Comments provide good traceability between the code and the model.
Recommended action: Select Requirements in block comments (Simulink Coder) on the Code Generation > Custom comments pane in the Configuration Parameters dialog box, or set the parameter ReqsInCode to on.

Condition: The option to generate nonfinite data and operations is selected. Support for nonfinite numbers is inappropriate for real-time embedded systems.
Recommended action: Clear Support: non-finite numbers (Simulink Coder) on the Code Generation > Interface pane in the Configuration Parameters dialog box, or set the parameter SupportNonFinite to off.

Condition: The option to generate and maintain integer counters for absolute and elapsed time is selected. Support for absolute time is inappropriate for real-time safety-related systems.
Recommended action: Clear Support: absolute time (Simulink Coder) on the Code Generation > Interface pane in the Configuration Parameters dialog box, or set the parameter SupportAbsoluteTime to off.

Condition: The option to generate code for blocks that use continuous time is selected. Support for continuous time is inappropriate for real-time safety-related systems.
Recommended action: Clear Support: continuous time (Simulink Coder) on the Code Generation > Interface pane in the Configuration Parameters dialog box, or set the parameter SupportContinuousTime to off.

Condition: The option to generate code for noninlined S-functions is selected. This option requires support of nonfinite numbers, which is inappropriate for real-time safety-related systems.
Recommended action: Clear Support: non-inlined S-functions (Simulink Coder) in the Configuration Parameters dialog box, or set the parameter SupportNonInlinedSFcns to off.

Condition: The option to generate model function calls compatible with the main program module of the pre-R2012a GRT target is selected. This option is inappropriate for real-time safety-related systems.
Recommended action: Clear Classic call interface (Simulink Coder) on the Code Generation > Interface pane in the Configuration Parameters dialog box, or set the parameter GRTInterface to off.

Condition: The option to generate the model_update function is cleared. Having a single call to the output and update functions simplifies the interface to the real-time operating system (RTOS) and simplifies verification of the generated code.
Recommended action: Select Single output/update function (Simulink Coder) on the Code Generation > Interface pane in the Configuration Parameters dialog box, or set the parameter CombineOutputUpdateFcns to on.

Condition: The option to generate the model_terminate function is selected. This function deallocates dynamic memory, which is unsuitable for real-time safety-related systems.
Recommended action: Clear Terminate function (Simulink Coder) on the Code Generation pane in the Configuration Parameters dialog box, or set the parameter IncludeMdlTerminateFcn to off.

Condition: The option to remove the error status field from the real-time model data structure is cleared. If you do not select this option, the Simulink Coder™ product generates extra error-status code that might not be reachable for testing.
Recommended action: Select Remove error status field in real-time model data structure (Simulink Coder) on the Code Generation > Interface pane in the Configuration Parameters dialog box, or set the parameter SuppressErrorStatus to on.

Condition: MAT-file logging is selected. This option adds extra code for logging test points to a MAT-file, which is not supported by embedded targets. Use this option only in test harnesses.
Recommended action: Clear MAT-file logging (Simulink Coder) in the Configuration Parameters dialog box, or set the parameter MatFileLogging to off.

Condition: The option that specifies the style for parenthesis usage is set to Minimum (Rely on C/C++ operators precedence) or to Nominal (Optimize for readability). For safety-related applications, explicitly specify precedence with parentheses.
Recommended action: Set the parameter ParenthesesLevel to Maximum (Specify precedence with parentheses).

Condition: The option that specifies whether to preserve operand order is cleared. Selecting this option increases the traceability of the generated code.
Recommended action: Set the parameter PreserveExpressionOrder to on.

Condition: The option that specifies whether to preserve empty primary condition expressions in if statements is cleared. Selecting this option increases the traceability of the generated code.
Recommended action: Set the parameter PreserveIfCondition to on.

Condition: The minimum number of characters specified for generating name mangling strings is less than four. You can use this option to minimize the likelihood that parameter and signal names will change during code generation when the model changes. Use of this option assists with minimizing code differences between file versions, decreasing the effort to perform code reviews.
Recommended action: Set Minimum mangle length (Simulink Coder) on the Code Generation > Symbols pane in the Configuration Parameters dialog box, or the parameter MangleLength, to a value of 4 or greater.

Action Results

Clicking Modify Settings configures model code generation settings that can impact safety.

Subchecks depend on the results of the subchecks noted with D in the results table in the Model Advisor window.
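The same settings can be audited and, if you choose, corrected from a script. The following is an added example (not part of the MathWorks page and not MathWorks code): a function that reads each parameter named in the table above with get_param, reports deviations from the recommended value and, when applyFixes is true, applies the recommendation with set_param, which is the scripted counterpart of the Modify Settings action. The default model name top_ctrl, the function name and the report layout are this example's choices; the parameter names and target values come from the table. Some of the listed parameters exist only for ERT-based system target files, so a get_param failure is reported as "not available" rather than aborting the audit.

```matlab
% Added example, not MathWorks code. Audits the configuration parameters
% that "Check safety-related code generation settings" inspects and,
% when applyFixes is true, applies the recommended values. Save as
% iec61508_codegen_audit.m; 'top_ctrl' below is an assumed model name.
function deviations = iec61508_codegen_audit(mdl, applyFixes)
if nargin < 1, mdl = 'top_ctrl'; end
if nargin < 2, applyFixes = false; end
load_system(mdl);

% Parameters the check wants set to 'on'.
wantOn = {'GenerateComments', 'SimulinkBlockComments', ...
    'ShowEliminatedStatement', 'ForceParamTrailComments', 'ReqsInCode', ...
    'CombineOutputUpdateFcns', 'SuppressErrorStatus', ...
    'PreserveExpressionOrder', 'PreserveIfCondition'};

% Parameters the check wants set to 'off'.
wantOff = {'SupportNonFinite', 'SupportAbsoluteTime', ...
    'SupportContinuousTime', 'SupportNonInlinedSFcns', 'GRTInterface', ...
    'IncludeMdlTerminateFcn', 'MatFileLogging'};

% 2-by-N cell array: row 1 parameter name, row 2 expected value.
expected = [ [wantOn;  repmat({'on'},  1, numel(wantOn))], ...
             [wantOff; repmat({'off'}, 1, numel(wantOff))], ...
             {'ParenthesesLevel'; 'Maximum'} ];

deviations = cell(0, 3);   % {parameter, actual, expected}
for k = 1:size(expected, 2)
    name = expected{1, k};
    want = expected{2, k};
    try
        actual = get_param(mdl, name);
    catch
        % Some of these parameters exist only for ERT-based system
        % target files; report them rather than stopping the audit.
        deviations(end+1, :) = {name, 'not available', want}; %#ok<AGROW>
        continue
    end
    if ~strcmpi(actual, want)
        deviations(end+1, :) = {name, actual, want}; %#ok<AGROW>
        if applyFixes, set_param(mdl, name, want); end
    end
end

% MangleLength is numeric; the check wants a value of 4 or greater.
mangle = get_param(mdl, 'MangleLength');
if ischar(mangle), mangle = str2double(mangle); end
if mangle < 4
    deviations(end+1, :) = {'MangleLength', num2str(mangle), '4 or greater'};
    if applyFixes, set_param(mdl, 'MangleLength', 4); end
end

for k = 1:size(deviations, 1)
    fprintf('%-26s is %-14s expected %s\n', deviations{k, :});
end
end
```

Call iec61508_codegen_audit('top_ctrl') to report only, or iec61508_codegen_audit('top_ctrl', true) to apply the recommended values; save the model afterwards with save_system if you want the corrected configuration to persist.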

Capabilities and Limitations

  • Does not run on library models.

  • Does not allow exclusions of blocks or charts.

See Also

Check usage of Math Operations blocks

Check ID: mathworks.iec61508.MathOperationsBlocksUsage

Identify usage of Math Operation blocks that might impact safety.

Description

This check inspects the usage of the following blocks:

  • Abs

  • Assignment

  • Gain

Available with Simulink Check.

Results and Recommended Actions

Condition: The model or subsystem contains an Absolute Value block that is operating on one of the following:

  • A boolean or an unsigned input data type. This condition results in unreachable simulation pathways through the model and might result in unreachable code.

  • A signed integer value with the Saturate on integer overflow check box not selected. For signed data types, the absolute value of the most negative value is problematic because it is not representable by the data type. This condition results in an overflow in the generated code.

Recommended action: If the identified Absolute Value block is operating on a boolean or unsigned data type, do one of the following:

  • Change the input of the Absolute Value block to a signed input type.

  • Remove the Absolute Value block from the model.

If the identified Absolute Value block is operating on a signed data type, in the Block Parameters > Signal Attributes dialog box, select Saturate on integer overflow.

Condition: The model or subsystem contains Gain blocks with a value of 1 or an identity matrix.
Recommended action: If you are using Gain blocks as buffers, consider replacing them with Signal Conversion blocks.

Condition: The model or subsystem might contain Assignment blocks with incomplete array initialization whose block parameter Action if any output element is not assigned is not set to Error or Warning.
Recommended action: Set the block parameter Action if any output element is not assigned to one of the recommended values:

  • Error, if the Assignment block is not in an Iterator subsystem.

  • Warning, if the Assignment block is in an Iterator subsystem.

Capabilities and Limitations

  • Does not run on library models.

  • Analyzes content of library linked blocks.

  • Analyzes content in all masked subsystems.

  • Allows exclusions of blocks and charts.

See Also

Check usage of Logic and Bit Operations blocks

Check ID: mathworks.iec61508.LogicBlockUsage

Identify usage of Logical Operator and Bit Operations blocks that might impact safety.

Description

This check inspects the usage of:

Available with Simulink Check.

Results and Recommended Actions

Condition: The model or subsystem contains a block computing a relational operator that is operating on different data types. The condition can lead to unpredictable results in the generated code.
Recommended action: For the identified blocks, use common data types as inputs. You can use Data Type Conversion blocks to change input data types.

Condition: The model or subsystem contains a block computing a relational operator that does not have Boolean output. The condition can lead to unpredictable results in the generated code.
Recommended action: For the identified blocks, on the Block Parameters > Signal Attributes pane, set the Output data type to boolean.

Condition: The model or subsystem contains a block computing a relational operator that uses the == or ~= operator to compare floating-point signals. The use of these operators on floating-point signals is unreliable and unpredictable because of floating-point precision issues. These operators can lead to unpredictable results in the generated code.
Recommended action: For the identified block, do one of the following:

  • Change the signal data type.

  • Rework the model to eliminate using == or ~= operators on floating-point signals.

Condition: The model or subsystem contains a Logical Operator block that has inputs or outputs that are not Boolean. The block might result in floating-point equality or inequality comparisons in the generated code.
Recommended action:

  • Modify the Logical Operator block so that all inputs and outputs are Boolean. On the Block Parameters > Signal Attributes pane, consider selecting Require all inputs to have the same data type and setting Output data type to boolean.

  • In the Configuration Parameters dialog box, consider selecting Implement logic signals as Boolean data (vs. double).
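A practitioner auditing a large model often wants to list the offending blocks with their resolved port data types before opening the Model Advisor. The following is an added example (not part of the MathWorks page and not MathWorks code) that compiles a model, finds every Relational Operator block whose Operator is == or ~=, and reports those with a floating-point input, which is the third condition in the table above. The model name top_ctrl, the function name and the report format are this example's choices; it uses find_system with LookUnderMasks and FollowLinks, the compile/term calls that resolve port data types, and the CompiledPortDataTypes block parameter.

```matlab
% Added example, not MathWorks code. Lists Relational Operator blocks
% that compare floating-point signals with == or ~=, the condition this
% check flags. 'top_ctrl' is an assumed model name.
function hits = find_float_equality_compares(mdl)
if nargin < 1, mdl = 'top_ctrl'; end
load_system(mdl);

% Compile the model so that port data types are resolved; the onCleanup
% object terminates the compile even if a later call errors.
feval(mdl, [], [], [], 'compile');
cleanup = onCleanup(@() feval(mdl, [], [], [], 'term')); %#ok<NASGU>

% Look inside masked subsystems and library links, as the check does.
blks = find_system(mdl, 'LookUnderMasks', 'all', 'FollowLinks', 'on', ...
    'BlockType', 'RelationalOperator');

floatTypes = {'double', 'single', 'half'};
hits = cell(0, 1);
for k = 1:numel(blks)
    op = get_param(blks{k}, 'Operator');
    if ~any(strcmp(op, {'==', '~='}))
        continue   % <, <=, >, >= and the is* tests are not the concern here
    end
    dt = get_param(blks{k}, 'CompiledPortDataTypes');
    inTypes = dt.Inport;
    isFloat = cellfun(@(t) any(strcmp(t, floatTypes)), inTypes);
    if any(isFloat)
        hits{end+1, 1} = sprintf('%s: %s on (%s)', ...
            blks{k}, op, strjoin(inTypes, ', ')); %#ok<AGROW>
    end
end

if isempty(hits)
    fprintf('%s: no floating-point == or ~= comparisons found.\n', mdl);
else
    fprintf('%s\n', hits{:});
end
end
```

The compiled port types are what the generated code will use, so a Relational Operator fed by a double signal through a Data Type Conversion to int32 is correctly not reported, while one that receives a single directly is. If a block is listed, apply the recommended actions above: change the signal data type or rework the comparison, for example against a tolerance band rather than exact equality.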

Capabilities and Limitations

  • Does not run on library models.

  • Analyzes content of library linked blocks.

  • Analyzes content in all masked subsystems.

  • Allows exclusions of blocks and charts.

See Also

Check usage of Ports and Subsystems blocks

Check ID: mathworks.iec61508.PortsSubsystemsUsage

Identify usage of Ports and Subsystems blocks that might impact safety.

Description

This check inspects the usage of:

  • For Iterator blocks

  • While Iterator blocks

  • If blocks

  • Switch Case blocks

The check does not flag Switch Case blocks that do not use integer data types or enumeration values for inputs. To comply with hisl_0011: Usage of Switch Case blocks and Action Subsystem blocks (Simulink) – C, use an integer data type or an enumeration value for the inputs to Switch Case blocks.

Available with Simulink Check.

Results and Recommended Actions

Condition: The model or subsystem contains a For Iterator block that has variable iterations. This condition can lead to unpredictable execution times or infinite loops in the generated code.
Recommended action: For the identified For Iterator blocks, do one of the following:

  • Set the Iteration limit source parameter to internal.

  • If the Iteration limit source parameter must be external, use a Constant, Probe, or Width block as the source.

  • Clear the Set next i (iteration variable) externally check box.

  • Consider selecting the Show iteration variable check box and observing the iteration value during simulation.

Condition: The model or subsystem contains a While Iterator block that has unlimited iterations. This condition can lead to infinite loops in the generated code.
Recommended action: For the identified While Iterator blocks:

  • Set the Maximum number of iterations (-1 for unlimited) parameter to a positive integer value.

  • Consider selecting the Show iteration number port check box and observing the iteration value during simulation.

Condition: The model or subsystem contains an If block with an If expression or Elseif expressions that might cause floating-point equality or inequality comparisons in generated code.
Recommended action: Modify the expressions in the If block to avoid floating-point equality or inequality comparisons in generated code.

Condition: The model or subsystem contains an If block using Elseif expressions without an Else condition.
Recommended action: In the If block Block Parameters dialog box, select Show else condition. Connect the resulting Else output port to an If Action Subsystem block.

Condition: The model or subsystem contains an If block with output ports that do not connect to If Action Subsystem blocks.
Recommended action: Verify that output ports of the If block connect to If Action Subsystem blocks.

Condition: The model or subsystem contains a Switch Case block without a default case.
Recommended action: In the Switch Case block Block Parameters dialog box, select Show default case. Connect the resulting default output port to a Switch Case Action Subsystem block.

Condition: The model or subsystem contains a Switch Case block with an output port that does not connect to a Switch Case Action Subsystem block.
Recommended action: Verify that output ports of the Switch Case blocks connect to Switch Case Action Subsystem blocks.

Condition: The model or subsystem contains one of the following time-dependent blocks in a For Iterator or While Iterator subsystem:

  • Discrete Filter

  • Discrete FIR Filter

  • Discrete State-Space

  • Discrete Transfer Fcn

  • Discrete Zero-Pole

  • Transfer Fcn First Order

  • Transfer Fcn Lead or Lag

  • Transfer Fcn Real Zero

  • Discrete Derivative

  • Discrete Transfer Fcn (with initial outputs)

  • Discrete Transfer Fcn (with initial states)

  • Discrete Zero-Pole (with initial outputs)

  • Discrete Zero-Pole (with initial states)

Recommended action: In the model or subsystem, consider removing the time-dependent blocks.

Capabilities and Limitations

  • Does not run on library models.

  • Analyzes content of library linked blocks.

  • Analyzes content in all masked subsystems.

  • Allows exclusions of blocks and charts.

See Also

Display configuration management data

Check ID: mathworks.iec61508.MdlVersionInfo

Display model configuration and checksum information.

Description

This informer check displays the following information for the current model:

  • Model version number

  • Model author

  • Date

  • Model checksum

Available with Simulink Check.

Results and Recommended Actions

Condition: Could not retrieve model version and checksum information.

Recommended action: This summary is provided for your information. No action is required.

Capabilities and Limitations

  • Does not run on library models.

  • Does not allow exclusions of blocks or charts.

See Also