QGen is a qualifiable and tunable code generation and model verification tool for a safe subset of Simulink® and Stateflow® models. It reduces the development and verification costs for safety-critical applications through qualifiable code generation, model verification, and tight integration with AdaCore’s qualifiable simulation and structural coverage analysis tools.
QGen answers one core question: how can I decrease the verification costs when applying model-based design and automatic code generation with the Simulink® and Stateflow® environments? This is achieved by
- Selecting a safe subset of Simulink® blocks
- Ensuring high-performance and tunable code generation
- Relying on static analysis for upfront detection of potential errors, and
- Providing top-class DO-178B/C, EN 50128 and ISO 26262 qualification material for both the code generator and the model verification tools.
QGen also decreases tool integration costs by integrating smoothly with AdaCore’s qualifiable compilation, simulation and structural coverage analysis products.
Support for Simulink® and Stateflow® models
QGen supports a wide range of features from the Simulink® and Stateflow® environments, including more than 100 blocks, Simulink® signals and parameters objects and several Matlab operations. The supported feature set from the Simulink® and Stateflow® environments has been carefully selected to ensure code generation that is amenable to safety-critical systems. MISRA Simulink® constraints can be optionally checked with QGen. Features that would imply unpredictable behavior, or that would lead to the generation of unsafe code, have been removed. The modeling standard enforced by QGen is then suitable for DO-178, EN 50128 and ISO 26262 development out-of-the-box.
Complete qualification material for QGen is scheduled for later availability. This qualification material complies with the DO-178C standard at Tool Qualification Level 1 (TQL1, equivalent to a Development Tool in DO-178B). This will make QGen the only code generator for Simulink® and Stateflow® models for which a TQL1 qualification kit is available. The QGen qualification kit complies with DO-330 (the DO-178C technology supplement on Model-Based Development) and includes a Tool Qualification Plan, a Tool Development Plan, a Tool Verification Plan, a Tool Quality Assurance Plan and a Tool Configuration Management Plan; it also includes detailed Tool Operational Requirements, Test Cases and Test Execution Results.
Support for model static analysis
QGen supports the static verification that three kinds of issues are prevented: run-time errors, logical errors, and safety violations. Run-time errors, such as division by zero or integer overflow, may lead to exceptions being raised during system execution. Logical errors, for example a Simulink® “If” block condition that is always true, imply a defect in the designed model. And safety properties, which can be modeled using Simulink® Model Verification blocks, represent safety requirements that are embedded in the design model. QGen is able to statically verify all these properties and generate run-time checks as well if configured to do so.
Support for Processor-in-the-Loop testing
QGen can be integrated with AdaCore’s GNATemulator and GNATcoverage tools to support streamlined Processor-In-the-Loop (PIL) testing. The simulation of Simulink® models can be tested back-to-back against the generated code, which is cross-compiled and deployed on a GNATemulator installation on the user workstation. While conducting PIL testing, GNATcoverage can also perform structural coverage analysis up to MC/DC without any code instrumentation. Both GNATcoverage and GNATemulator have been already qualified in an operational context.