A qualifiable and customizable code generator from Simulink® and Stateflow® models to MISRA C and SPARK

QGen is a qualifiable and tunable code generation and model verification tool for a safe subset of Simulink® and Stateflow® models. It reduces the development and verification costs for safety-critical applications through qualifiable code generation, model verification, and tight integration with AdaCore’s qualifiable target emulation and structural coverage analysis tools.

QGen answers one core question: how can I decrease the verification costs when applying model-based design and automatic code generation with the Simulink® and Stateflow® environments? This is achieved by

  1. Selecting a safe subset of Simulink® blocks
  2. Ensuring high-performance and tunable code generation
  3. Relying on static analysis for upfront detection of potential errors, and
  4. Providing top-class DO-178B/C, EN 50128 and ISO 26262 qualification material for both the code generator and the model verification tools.

QGen also decreases tool integration costs by integrating smoothly with AdaCore’s qualifiable compilation, target emulation and structural coverage analysis products.

Support for Simulink® and Stateflow® models

QGen supports a wide range of features from the Simulink® and Stateflow® environments, including more than 100 blocks, Simulink® Signal and Parameter objects, and several MATLAB operations. The supported feature set has been carefully selected to ensure code generation that is amenable to safety-critical systems: features that would imply unpredictable behavior, or that would lead to the generation of unsafe code, have been excluded. Compliance with the MISRA modelling guidelines for Simulink® and Stateflow® can optionally be checked with QGen. The modeling standard enforced by QGen is therefore suitable for DO-178, EN 50128 and ISO 26262 development out of the box.

Qualification material

Complete qualification material for QGen is scheduled for later availability. This qualification material will comply with the DO-178C standard at Tool Qualification Level 1 (TQL-1, the level corresponding to a Development Tool in DO-178B). This will make QGen the only code generator for Simulink® and Stateflow® models for which a TQL-1 qualification kit is available. The QGen qualification kit complies with DO-330 (the DO-178C supplement on software tool qualification) and includes a Tool Qualification Plan, a Tool Development Plan, a Tool Verification Plan, a Tool Quality Assurance Plan and a Tool Configuration Management Plan; it also includes detailed Tool Operational Requirements, Test Cases and Test Execution Results.

Support for model static analysis

QGen supports static verification of the absence of three kinds of issues: run-time errors, logical errors, and safety violations. Run-time errors, such as division by zero or integer overflow, lead to exceptions or undefined behavior when the generated code executes. Logical errors, for example a Simulink® “If” block whose condition is always true, indicate a defect in the designed model. Safety properties, which can be expressed with Simulink® Model Verification blocks, represent safety requirements embedded in the design model. QGen can statically verify all of these properties and, if configured to do so, also generate run-time checks for them in the produced code.
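The following C is an added illustration of what the run-time checks described above look like in practice; it is hand-written for this page and is not QGen output or AdaCore code. It assumes a hypothetical three-block model (a saturating int32 Sum feeding a Divide, followed by an Assertion block on the output range) and models the two run-time-error cases named above, division by zero and integer overflow, plus a safety property, as explicit guards that a step function reports through status flags instead of trapping.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model: out = (a + b) / c, with the safety property |out| <= 1000.
 * The structures mirror the usual generated-code shape of input/output buses;
 * names and the model itself are assumptions for this example. */
typedef struct {
    int32_t a;
    int32_t b;
    int32_t c;
} model_inputs_t;

typedef struct {
    int32_t out;
    bool    div_by_zero;      /* run-time check on the Divide block fired   */
    bool    assertion_failed; /* Model Verification (Assertion) block fired */
} model_outputs_t;

/* Sum block with "saturate on integer overflow": the intermediate is widened
 * to 64 bits so the addition itself can never overflow (undefined behavior
 * in C), then clamped to the int32 range. */
static int32_t sat_add_i32(int32_t x, int32_t y)
{
    int64_t s = (int64_t)x + (int64_t)y;
    if (s > INT32_MAX) { return INT32_MAX; }
    if (s < INT32_MIN) { return INT32_MIN; }
    return (int32_t)s;
}

/* Divide block with an explicit run-time check. A zero divisor is reported
 * through *flag and a safe default is produced; INT32_MIN / -1, the one
 * other overflowing int32 division, is saturated instead of executed. */
static int32_t checked_div_i32(int32_t num, int32_t den, bool *flag)
{
    if (den == 0) {
        *flag = true;
        return 0;
    }
    if ((num == INT32_MIN) && (den == -1)) { return INT32_MAX; }
    return num / den;
}

/* One execution step of the hypothetical model. */
void model_step(const model_inputs_t *in, model_outputs_t *out)
{
    int32_t sum;
    out->div_by_zero      = false;
    out->assertion_failed = false;

    sum      = sat_add_i32(in->a, in->b);
    out->out = checked_div_i32(sum, in->c, &out->div_by_zero);

    /* Assertion block: the safety requirement |out| <= 1000 is checked at
     * run time and reported rather than aborting the cyclic executive. */
    if ((out->out > 1000) || (out->out < -1000)) {
        out->assertion_failed = true;
    }
}

int main(void)
{
    /* Constructed inputs: nominal, zero divisor, and overflowing sum. */
    const model_inputs_t cases[3] = {
        { 10, 20, 3 }, { 10, 20, 0 }, { INT32_MAX, 1, 1 }
    };
    for (int i = 0; i < 3; i++) {
        model_outputs_t o;
        model_step(&cases[i], &o);
        printf("case %d: out=%d div_by_zero=%d assertion_failed=%d\n",
               i, (int)o.out, (int)o.div_by_zero, (int)o.assertion_failed);
    }
    return 0;
}
```

A static analyser working on the model would aim to prove that `div_by_zero` can never become true for the admissible input ranges; when that proof is not available, keeping the guard in the generated code is the fallback.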

Support for Processor-in-the-Loop testing

QGen can be integrated with AdaCore’s GNATemulator and GNATcoverage tools to support streamlined Processor-in-the-Loop (PIL) testing. The Simulink® simulation of a model can be tested back-to-back against the generated code, which is cross-compiled for the target and executed under GNATemulator on the user workstation. While conducting PIL testing, GNATcoverage can also perform structural coverage analysis up to MC/DC without any code instrumentation. Both GNATcoverage and GNATemulator have already been qualified in an operational context.