A Code Generator for Critical Software-Intensive Systems Defined through Simulink® and Stateflow® Models
QGen is an automatic code generator that preserves the model semantics in the generated code. A single version of QGen supports multiple versions of the Simulink® / Stateflow® environment, from 2011b onwards to today’s latest versions, for both Windows and Linux platforms. Developers can thus choose among modeling tool versions based on their project's needs, without being forced to migrate to a different code generator.
Direct Access from the Simulink® Environment
QGen can be invoked directly from the Simulink® environment’s user interface, using either the menu bar item or the contextual menu for a specific Simulink® subsystem. This allows selective code generation and verification for a single subsystem, even when it is included in a wider simulation model.
PIL/SIL/S-Function Testing and Debugging
QGen is integrated with a model-level debugger (see below), and can be used with AdaCore’s GNATcoverage and GNATemulator tools for back-to-back Processor-In-The-Loop (PIL), Software-In-The-Loop (SIL), and S-Function testing and debugging. GNATemulator is a qualifiable processor emulator, and GNATCoverage is a qualifiable structural coverage analysis tool supporting analysis up to MC/DC with or without code instrumentation.
A Code Generator to Help Achieve the Highest Levels of Certification
The supported feature set from the Simulink® and Stateflow® environments has been carefully selected to ensure code generation that is appropriate for critical systems, leaving out features that might result in unpredictable behavior or potentially unsafe source code. The qualifiable QGen code generator can generate code in the portable MISRA subset of C. It can also generate code in the SPARK subset of Ada, ensuring the generated code is suitable for formal analysis and for projects following software standards such as DO-178C, ISO 26262, or EN 50128.
A Debugger that Provides a Uniquely Productive Bridge between Control Engineering and Software Engineering
The QGen tool suite goes beyond automatic code generation, to include both static model verification and interactive model-level debugging of the generated code. The QGen model-level debugger provides a side-by-side view of the model and the generated code, allowing the developer to set breakpoints; to view, update and compare signal values; and to step through execution. The QGen debugger can be used for testing the generated code as well as any hand-written code, on the host or the final target. It allows the user to perform back-to-back comparison against expected values for a block or the model as a whole, while delving into the details of a particular subsystem whenever needed. By displaying the model together with the generated source code, the QGen debugger provides a uniquely productive bridge between control engineering and software engineering.
QGen Code Generator Being Qualified at the Highest Level: DO-178C, TQL-1
The QGen automatic code generator is being qualified in compliance with the DO-178C / ED-12C standard at Tool Qualification Level 1 (TQL-1). Some code generators rely on a separate verification tool to check their generated source code, but QGen at TQL-1 allows developers to use the generated code without any extra steps, streamlining the critical-system development and verification process. With QGen, the supported subset of the modeling language is clearly defined together with the expected structure of the generated code, and is coupled with tests that verify the precise match between model simulation results and the run-time semantics of the generated target code.
How to Streamline Your Certification Process using the QGen TQL-1 Qualifiable Auto Code Generator for Simulink®/Stateflow®
This session will introduce the QGen Auto Code Generator for Simulink®/Stateflow® and explain the advantages provided by a TQL-1 Qualification, in terms of reduced time and effort to certify a Simulink-based application. The talk will identify the DO-178C and DO-331 objectives that are covered by the QGen code generator, meaning that your team can avoid many of the most labor-intensive steps involved in achieving certification, even at the highest level of criticality. The talk is aimed at both engineers and managers for such critical systems development activities and will cover the features of the QGen code generator, as well as other tools with which it is integrated, including a model-level debugger and testing tools for Simulink-based applications running in embedded targets.
QGen in Action
Eldorado & Braile Biomédica
How Eldorado and Braile Biomédica Used AdaCore’s QGen Code Generator to Develop New Artificial Lung Equipment in Just Six Months
Eldorado used AdaCore’s QGen code generation and model verification tool suite on a cardiac pacemaker as a pilot project. Once they felt they had a mature understanding of how to use QGen in code generation and verification, they began applying QGen on other projects. One of those projects was Braile's new Solis System. With the partnership of Braile, the Eldorado Institute, and QGen, it was possible to complete a two-year development program in only six months.
ELDORADO Research Institute of Brazil
Critical Medical Applications
ELDORADO Research Institute of Brazil selected the QGen model-based code generation and verification toolsuite to support research and development of safety-critical medical device software. These applications demand high reliability and currently include a cardiac pacemaker as well as perfusion systems for cardiac surgery and chemotherapy.
MHI Aerospace Systems Corporation
Software for Throttle Quadrant Assembly (TQA) system
MHI Aerospace Systems Corporation (MASC), a member of the Mitsubishi Heavy Industries Group, has selected the QGen toolset to develop the software for the Throttle Quadrant Assembly (TQA) system. This avionics research project is being conducted to meet the Level C objectives in the DO-178C safety standard for airborne software and its DO-331 supplement on Model-Based Development and Verification.
Frequently Asked Questions
Which Simulink® blocks are supported by QGen?
QGen supports approximately 120 different Simulink® block types. Please refer to Simulink Block Types and Constraints for the complete list.
Which additional features of the Simulink® environment are supported by QGen?
Model Libraries, Model References, Simulink.Parameter, Simulink.Signal, Storage Classes, Structs
Which MATLAB functions are supported by QGen?
abs, acos, acosh, asin, asinh, atan, atan2, atanh, cos, cosh, exp, log, log10, min, max, mod, rem, round, sign, sin, sinh, sqrt, tan, tanh, transpose.
How does AdaCore select which features of the Simulink® environment to support?
We carefully selected a safe subset that guarantees predictable code generation patterns, that does not require any run-time support, and that allows for tool qualification against a safety standard like DO-178C/DO-331.
Which Stateflow® features are supported?
QGen supports all major features of Stateflow®, with C as the action language. For specific details please see the detailed list of Stateflow modeling rules.
What do you mean by "qualifiable"?
A tool is qualifiable when its developer makes available a documentation “kit” that enables the tool to be qualified for a project’s use with minimal additional effort performed by the project personnel. The QGen Code Generator will be qualifiable for DO-178C/DO-331 at Tool Qualification Level 1, and for ISO 26262 at TCL3 (developed in compliance with a safety standard).
What about back-to-back testing?
QGen can be used in conjunction with GNATemulator and GNATcoverage to support processor-in-the-loop (PIL) and software-in-the-loop (SIL) testing and structural coverage analysis with or without code instrumentation. The QGen Debugger can log results from host or target execution of the generated code, and load the log file into Simulink® to trace the results back to the model. Debugging of S-Functions is supported, written in either C or Ada.
How do you ensure the generated code is consistent with the simulation performed by the Simulink® environment?
As part of qualifying QGen, a detailed, rigorous semantic definition for each supported Simulink block has been produced. QGen is then extensively tested against the simulation of the Simulink® model for each such block. In addition, a tool validation suite was developed, comparing the behavior of the generated code against simulation on a wide range of Simulink® models, and is available to customers on demand.
QGen has been developed following a software safety standard, in particular DO-178C/DO-331. As part of that process, a specification of the generated coding pattern for every supported feature is rigorously defined.