A Code Generator for Critical Software-Intensive Systems Defined through Simulink® and Stateflow® Models
QGen is an automatic code generator that preserves the model semantics in the generated code. A single version of QGen supports multiple versions of the Simulink® / Stateflow® environment, from 2011b onwards to today’s latest versions, for both Windows and Linux platforms. Developers can thus choose among modeling tool versions based on their project's needs, without being forced to migrate to a different code generator.
Direct Access from the Simulink® Environment
QGen can be invoked directly from the Simulink® environment’s user interface, using either the menu bar item or the contextual menu for a specific Simulink® subsystem. This allows selective code generation and verification for a single subsystem, even when it is included in a wider simulation model.
QGen is integrated with AdaCore’s GNATcoverage and GNATemulator tools for seamless back-to-back Processor-In-The-Loop (PIL) testing using a qualifiable processor emulator (GNATemulator) and a qualifiable structural coverage analysis tool (GNATcoverage). GNATcoverage supports structural coverage analysis up to MC/DC without any code instrumentation.
A Code Generator to Help Achieve the Highest Levels of Certification
The supported feature set from the Simulink® and Stateflow® environments has been carefully selected to ensure code generation that is appropriate for critical systems, leaving out features that might result in unpredictable behavior or potentially unsafe source code. The qualifiable QGen code generator can generate code in the portable MISRA subset of C. It can also generate code in the SPARK subset of Ada, ensuring the generated code is suitable for formal analysis and for projects following software standards such as DO-178C, ISO 26262, or EN 50128.
A Debugger that Provides a Uniquely Productive Bridge between Control Engineering and Software Engineering
The QGen tool suite goes beyond automatic code generation, to include both static model verification and interactive model-level debugging of the generated code. The QGen model-level debugger provides a side-by-side view of the model and the generated code, allowing the developer to set breakpoints; to view, update and compare signal values; and to step through execution. The QGen debugger can be used for testing the generated code as well as any hand-written code, on the host or the final target. It allows the user to perform back-to-back comparison against expected values for a block or the model as a whole, while delving into the details of a particular subsystem whenever needed. By displaying the model together with the generated source code, the QGen debugger provides a uniquely productive bridge between control engineering and software engineering.
QGen Code Generator Being Qualified at the Highest Level: DO-178C, TQL-1
The QGen automatic code generator is being qualified in compliance with the DO-178C / ED-12C standard at Tool Qualification Level 1 (TQL-1). Some code generators rely on a separate verification tool to check their generated source code, but QGen at TQL-1 allows developers to use the generated code without any extra steps, streamlining the critical-system development and verification process. With QGen, the supported subset of the modeling language is clearly defined together with the expected structure of the generated code, and is coupled with tests that verify the precise match between model simulation results and the run-time semantics of the generated target code.
MB.A-5: Reviews and Analyses of Source Code
1. Source Code complies with low-level requirements
2. Source Code complies with software architecture
3. Source Code is verifiable
4. Source Code conforms to standards
5. Source Code is traceable to low-level requirements
6. Source Code is accurate and consistent
TQL-1 (plus User Activity)
MB.A-6: Software Testing
3. Executable Object Code complies with low-level requirements
TQL-1 (convert simulation cases for MB.A-6 Obj. 1 into test procedures and run on the executable object code)
4. Executable Object Code is robust with low-level requirements
TQL-1 (convert simulation cases for MB.A-6 Obj. 2 into test procedures and run on the executable object code)
MB.A-7: Test Coverage Analysis
5. Test coverage of software structure (modified condition/decision) is achieved
6. Test coverage of software structure (decision coverage) is achieved
7. Test coverage of software structure (statement coverage) is achieved
Support for Formal Verification
The QGen automatic code generator can generate both MISRA C and the SPARK subset of Ada. SPARK in particular is designed to support formal verification methods, including static proof of both architectural safety/security constraints and run-time properties. The SPARK approach to formal methods avoids the state-space explosion problems that can make other methods impractical in an industrial environment. Incorporating SPARK into the development process can enhance the quality and raise the assurance level of mission-critical systems, while saving effort during verification.
QGen in Action
ELDORADO Research Institute of Brazil
ELDORADO Research Institute of Brazil selected the QGen model-based code generation and verification tool suite to support research and development of safety-critical medical device software. These applications demand high reliability and currently include a cardiac pacemaker as well as perfusion systems for cardiac surgery and chemotherapy.
MHI Aerospace Systems Corporation
MHI Aerospace Systems Corporation (MASC), a member of the Mitsubishi Heavy Industries Group, has selected the QGen toolset to develop the software for the Throttle Quadrant Assembly (TQA) system. This avionics research project is being conducted to meet the Level C objectives in the DO-178C safety standard for airborne software and its DO-331 supplement on Model-Based Development and Verification.