
Report

to the

Certificate
Z10 11 12 67052 013
Software Tools for Safety Related Development

Simulink Verification and Validation


Simulink Design Verifier
Manufacturer
The MathWorks, Inc.
3 Apple Hill Drive
Natick, MA, 01760-2098
USA
Report No. MN83534C
Revision 2.7 dated 2015-05-29
Testing Body
TÜV SÜD Rail GmbH
Embedded Systems
Certification Body
TÜV SÜD Product Service GmbH
Ridlerstraße 65
80339 Munich

Distribution, copying or any other use of information in this report in part is strictly prohibited.

Revision Log

Rev.  Date        Name                       Changes/History
1.0   2011-01-24  F. Rauch                   Initial Report
1.1   2011-01-24  F. Rauch                   Update for Release R2011a
1.2   2011-06-29  S. Waldhausen, L. Brandl   Update for Release R2011b; update w.r.t. ISO/FDIS 26262-8:2011;
                                             consideration of Model Compliance Analysis
2.0   2011-12-16  S. Waldhausen              Update for Release R2012a; update w.r.t. ISO 26262-8:2011;
                                             reworked some chapters
2.1   2012-06-26  S. Waldhausen              Update for Release R2012b; clarifications with respect to EN50128:2011
2.2   2012-12-18  S. Waldhausen, M. Braun    Update for Release R2013a
2.3   2013-06-25  S. Waldhausen, M. Braun    Update for Release R2013b
2.4   2013-12-18  S. Waldhausen, M. Braun    Update for Release R2014a
2.5   2014-06-13  S. Waldhausen, M. Braun    Update for Release R2014b
2.6   2014-11-28  S. Waldhausen, M. Braun    Update for Release R2015a
2.7   2015-05-29  S. Waldhausen, M. Braun    Update for Release R2015b

TÜV SÜD Rail GmbH
Embedded Systems
Barthstr. 16
80339 München
Phone: +49 89 5791-4378; Fax: -2933

Report No.: MN83534C
Revision 2.7
S. Waldhausen
2015-05-29
Page 2 of 18

Content                                                                       Page

1        PURPOSE AND SCOPE                                                       4
2        PRODUCTS OVERVIEW                                                       4
2.1      Simulink Verification and Validation                                    4
2.1.1    General Description                                                     4
2.1.2    Scope                                                                   5
2.2      Simulink Design Verifier                                                6
2.2.1    General Description                                                     6
2.2.2    Scope                                                                   6
3        IDENTIFICATION                                                          7
4        CERTIFICATION                                                           9
4.1      Standards                                                               9
4.2      Basis of certification                                                  9
5        RESULTS                                                                10
5.1      Software development and quality engineering processes                10
5.2      Customer bug reporting processes                                       10
5.3      Requirements on software tools in IEC 61508, ISO 26262, and EN 50128  11
5.3.1    General                                                                11
5.3.2    Simulink Verification and Validation and Simulink Design Verifier      11
5.4      Tool classification and validation according to IEC 61508             12
5.4.1    Simulink Verification and Validation                                   12
5.4.2    Simulink Design Verifier                                               13
5.4.3    Summary                                                                14
5.5      EN 50128                                                               14
5.6      Tool classification and qualification according to ISO 26262          14
5.6.1    Simulink Verification and Validation                                   14
5.6.1.1  Estimation of TD and resulting TCL                                     15
5.6.1.2  Evaluation of the tool development process                             15
5.6.1.3  Validation of the software tool                                        15
5.6.2    Simulink Design Verifier                                               16
5.6.2.1  Evaluation of the tool development process                             16
5.6.2.2  Validation of the software tool                                        16
5.6.3    Summary                                                                17
5.7      IEC 62304                                                              17
6        GENERAL CONDITIONS AND RESTRICTIONS                                    18
7        SUMMARY AND CERTIFICATE NUMBER                                         18


1 Purpose and scope

TÜV SÜD Rail GmbH evaluated the Simulink Verification and Validation and Simulink Design
Verifier products of The MathWorks, Inc. The sections of the MathWorks development organization
responsible for the Simulink Verification and Validation and Simulink Design Verifier products have
been audited to assess their development and quality assurance procedures.
Recurring evaluations focus on the processes used by the Simulink Verification and Validation and
Simulink Design Verifier teams to implement enhancements and modifications, as well as on quality
engineering and customer bug reporting processes.
The aim of the assessment was to determine the suitability of the tools for use in development
processes which need to comply with IEC 61508, ISO 26262 or EN 50128. The assessment also covered
tool classification and tool qualification measures according to ISO 26262.
The basic assessment is documented in the Technical Report MN72051T; recent modifications are
reported in the Modification Reports listed in the table below.

Title                                      Document Name       Date        Revision
Technical Report on Functional Safety      MN72051T-V2.1.pdf   28.06.2012  2.1
Technical Report of Modifications R2013a   MN84722T-V1.0.pdf   18.12.2012  1.0
Technical Report of Modifications R2013b   MN85071T-V1.0.pdf   24.06.2012  1.0
Technical Report of Modifications R2014a   MN85413T-V1.0.pdf   18.12.2013  1.0
Technical Report of Modifications R2014b   MN85861T-V1.0.pdf   13.06.2014  1.0
Technical Report of Modifications R2015a   MN86207T-V1.0.pdf   28.11.2014  1.0
Technical Report of Modifications R2015b   MN86834T-V1.0.pdf   29.05.2015  1.0

2 Products overview

Simulink Verification and Validation and Simulink Design Verifier are verification tools that
support various verification and validation activities for executable graphical models designed using
Simulink, Simulink Fixed Point, and Stateflow (1).

(1) Abbreviated as Simulink models in the remainder of this document.

2.1 Simulink Verification and Validation

2.1.1 General Description

The Simulink Verification and Validation tool provides capabilities to expose design flaws, inadequate
requirements, incomplete tests, and unnecessary design constructs early in the development process.
The tool allows tracing requirement documents to design models, component tests, and generated
code. It also allows the verification of designs and tests through model coverage analysis and static
checking of models for compliance with design and coding standards.


2.1.2 Scope

The assessment covers the following capabilities of the Simulink Verification and Validation tool.

Model coverage analysis

When testing a Simulink model, the model coverage analysis capability determines and reports various
structural coverage metrics at the model level.
Missing coverage indicates untested elements of the model, such as logical conditions, switches,
lookup table interpolation intervals, and subsystems. Model coverage reports allow the user to display
coverage information on the model, to traverse the model for missing coverage and to navigate to the
associated requirements.
Simulink Verification and Validation provides eight model coverage analysis metrics:

- Cyclomatic complexity measures the structural complexity of a model, approximating the McCabe
  complexity measure for code generated from the model.
- Decision coverage examines items that represent decision points in a model, such as Simulink
  Switch blocks and Stateflow states.
- Condition coverage examines blocks that output the logical combination of their inputs, such as
  the Logic block and Stateflow transitions.
- Modified condition/decision coverage (MC/DC) determines whether the logical inputs have
  independently changed the output.
- Lookup table coverage (LUT) records the frequency of usage for each interpolation interval in a
  lookup table.
- Signal range coverage indicates the minimum and maximum values generated during simulation by
  each block output and for all Stateflow data objects.
- Signal size coverage records the minimum, maximum, and allocated size for all variable-size
  signals in a model.
- Simulink Design Verifier coverage records model coverage data for the Simulink Design Verifier
  blocks and functions.

Model compliance checking

The model compliance checking feature allows testing of Simulink models for compliance with design
and coding guidelines.
The Simulink Verification and Validation product provides Model Advisor checks for ISO 26262 and
IEC 61508 which help to define and implement consistent design and coding guidelines. These
guidelines can be applied across projects and development teams. Model Advisor finds unwanted model
properties, such as incorrect or deprecated blocks and block parameters, incorrect fonts, and
misplaced objects.
The purpose of model compliance checking is to statically verify that Simulink models comply with
MathWorks provided and user-defined modeling standards, and to verify that the code generator
settings are set properly to provide traceable code that complies with coding standards.


2.2 Simulink Design Verifier

2.2.1 General Description

Simulink Design Verifier uses formal methods to generate test cases for a Simulink model that
satisfy model coverage and user-defined objectives. The tool also allows detecting design errors,
proving model properties and generating examples of violations.

2.2.2 Scope

The assessment covers the following capability of the Simulink Design Verifier tool.

Test case generation

The test case generation capability provided by Simulink Design Verifier can be used to generate
test cases for a Simulink model. The generated test cases can be used to stimulate this model or
code generated from the model.
The Simulink Design Verifier tool can be used to generate test cases that satisfy the following
model coverage analysis metrics:

- Decision coverage
- Condition coverage
- Modified condition and decision coverage (MC/DC)

Design verification blocks can be used to define custom test objectives directly in the Simulink
model. When using these customization blocks or corresponding functions, Simulink Design Verifier
can be used to generate customized test cases covering the custom test objectives.
The model coverage capability of Simulink Verification and Validation can be leveraged to assess
the completeness and adequacy of test cases generated with Simulink Design Verifier.
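The three coverage metrics named in section 2.1.2 (decision, condition and MC/DC coverage) and the adequacy check just described, in which test cases produced by a generator are replayed and their coverage measured before credit is claimed for them, are illustrated by the following Python program. It is an added example and not code from this report or from MathWorks: the decision (a AND b) OR c, the condition names and the two test sets are constructed for the illustration, and MC/DC is implemented in its unique-cause form, which is an assumption of the example rather than a statement about how Simulink measures it on blocks and transitions.

```python
from itertools import combinations

# Conditions of the decision under test. The decision stands in for a Stateflow
# transition guard or a Logic block computing (a AND b) OR c; constructed example.
CONDITIONS = ("a", "b", "c")


def decision(a, b, c):
    """The Boolean decision whose structure is being covered."""
    return (a and b) or c


def decision_coverage(tests):
    """Fraction of decision outcomes (True/False) observed across the test vectors."""
    outcomes = {decision(**t) for t in tests}
    return len(outcomes) / 2


def condition_coverage(tests):
    """Fraction of conditions that were observed both True and False."""
    covered = sum(1 for c in CONDITIONS if {t[c] for t in tests} == {True, False})
    return covered / len(CONDITIONS)


def mcdc_pairs(tests):
    """Unique-cause MC/DC: for each condition, find a pair of vectors that differ
    only in that condition and flip the decision outcome.
    Returns {condition: (vector1, vector2)} for every condition whose independent
    effect on the decision is demonstrated by the test set."""
    pairs = {}
    for cond in CONDITIONS:
        others = [k for k in CONDITIONS if k != cond]
        for t1, t2 in combinations(tests, 2):
            if (t1[cond] != t2[cond]
                    and all(t1[k] == t2[k] for k in others)
                    and decision(**t1) != decision(**t2)):
                pairs[cond] = (t1, t2)
                break
    return pairs


def mcdc_coverage(tests):
    """Fraction of conditions with a demonstrated independent effect."""
    return len(mcdc_pairs(tests)) / len(CONDITIONS)


def coverage_report(tests):
    """The 'replay the generated test cases and measure coverage' step: run every
    vector through the decision and report which MC/DC objectives are still open."""
    demonstrated = mcdc_pairs(tests)
    return {
        "decision": decision_coverage(tests),
        "condition": condition_coverage(tests),
        "mcdc": mcdc_coverage(tests),
        "missing_mcdc": [c for c in CONDITIONS if c not in demonstrated],
    }


def meets_objective(tests, objective="mcdc"):
    """True when the achieved coverage for the named metric is 100 %."""
    return coverage_report(tests)[objective] == 1.0


# Constructed stand-in for a tool-generated test set: three vectors that reach
# full decision coverage but never exercise c = True, so the independent
# effect of c on the decision is not demonstrated.
GENERATED = [
    {"a": True, "b": True, "c": False},
    {"a": False, "b": True, "c": False},
    {"a": True, "b": False, "c": False},
]

# One additional vector closes the gap: together with the third vector it
# isolates c (a and b held constant, only c changes, decision flips).
COMPLETED = GENERATED + [{"a": True, "b": False, "c": True}]


if __name__ == "__main__":
    for name, tests in (("generated", GENERATED), ("completed", COMPLETED)):
        rep = coverage_report(tests)
        print(f"{name}: decision={rep['decision']:.0%} "
              f"condition={rep['condition']:.0%} MC/DC={rep['mcdc']:.0%} "
              f"missing MC/DC for {rep['missing_mcdc']}")
```

Running the block shows the constructed "generated" set reaching 100 % decision coverage while condition and MC/DC coverage stop at two thirds with `c` listed as the open objective; that list of uncovered conditions is the information a reviewer takes from a coverage report before claiming credit for generated test cases, and it is the point at which additional test vectors would be requested.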


3 Identification

The table lists, for each release, the versions of Simulink Verification and Validation (SLVnV) and
Simulink Design Verifier (SLDV) covered, together with the reference workflow documentation
delivered in the IEC Certification Kit.

Release     Date        SLVnV   SLDV    Reference Workflow Documentation: IEC Certification Kit
R2010b SP1  March 2011  3.0.1   1.7.1   Application-Specific Generation and Verification of Test Cases; V1.3.1
R2011a      April 2011  3.1     2.0     Application-Specific Generation and Verification of Test Cases; V1.4
R2011b      Sept. 2011  3.2     2.1     Simulink Verification and Validation Reference Workflow; V2.0
                                        Application-Specific Generation and Verification of Test Cases; V2.0
R2012a      March 2012  3.3     2.2     SLVnV ISO 26262 Tool Qualification Package, V2.1; SLVnV Reference Workflow, V2.1
                                        SLDV ISO 26262 Tool Qualification Package, V2.1; SLDV Reference Workflow, V2.1
R2012b      Sept. 2012  3.4     2.3     SLVnV ISO 26262 Tool Qualification Package, V3.0; SLVnV Reference Workflow, V3.0
                                        SLDV ISO 26262 Tool Qualification Package, V3.0; SLDV Reference Workflow, V3.0
R2013a      March 2013  3.5     2.4     SLVnV ISO 26262 Tool Qualification Package, V3.1; SLVnV Reference Workflow, V3.1
                                        SLDV ISO 26262 Tool Qualification Package, V3.1; SLDV Reference Workflow, V3.1
R2013b      Sept. 2013  3.6     2.5     SLVnV ISO 26262 Tool Qualification Package, V3.2; SLVnV Reference Workflow, V3.2
                                        SLDV ISO 26262 Tool Qualification Package, V3.2; SLDV Reference Workflow, V3.2
R2014a      March 2014  3.7     2.6     SLVnV ISO 26262 Tool Qualification Package, V3.3; SLVnV Reference Workflow, V3.3
                                        SLDV ISO 26262 Tool Qualification Package, V3.3; SLDV Reference Workflow, V3.3
R2014b      Oct. 2014   3.8     2.7     SLVnV ISO 26262 Tool Qualification Package, V3.4; SLVnV Reference Workflow, V3.4
                                        SLDV ISO 26262 Tool Qualification Package, V3.4; SLDV Reference Workflow, V3.4
R2015a      March 2015  3.9     2.8     SLVnV ISO 26262 Tool Qualification Package, V3.5; SLVnV Reference Workflow, V3.5
                                        SLDV ISO 26262 Tool Qualification Package, V3.5; SLDV Reference Workflow, V3.5
R2015b      Sept. 2015  3.10    3.0     SLVnV ISO 26262 Tool Qualification Package, V3.6; SLVnV Reference Workflow, V3.6
                                        SLDV ISO 26262 Tool Qualification Package, V3.6; SLDV Reference Workflow, V3.6


4 Certification

4.1 Standards

Standard           Description
IEC 61508-1:2010   Functional Safety of electrical/electronic/programmable electronic safety-related
                   systems - Part 3: General requirements
IEC 61508-3:2010   Functional Safety of electrical/electronic/programmable electronic safety-related
                   systems - Part 3: Software requirements
ISO 26262-8:2011   Road vehicles - Functional safety - Part 8: Supporting processes - Confidence in
                   the use of software tools
EN 50128:2011      Railway applications - Communications, signalling and processing systems -
                   Software for railway control and protection systems

4.2 Basis of certification

- Software development, quality engineering, and customer bug reporting processes
- Requirements on software tools in IEC 61508, ISO 26262, or EN 50128
- Tool classification and validation according to IEC 61508
- Tool classification and qualification according to ISO 26262


5 Results

5.1 Software development and quality engineering processes

The software development and quality engineering processes applied for Simulink Verification and
Validation and Simulink Design Verifier have been audited; no objections were found.
To ensure adherence to the software development and quality engineering processes, as well as to
keep track of quality improvements, the processes to implement enhancements and modifications are
audited once a year by TÜV SÜD.
Product versions that are released in between two consecutive audits are subject to a defined
approval procedure by TÜV SÜD. The procedure includes the following elements:

- The MathWorks, Inc. documents new customer visible features for each release in the corresponding
  release notes.
- The MathWorks, Inc. documents enhancements and new features of each Simulink Verification and
  Validation and Simulink Design Verifier version in an internal delta report.
- Test procedures for enhancements and new features are referenced in the delta report to document
  MathWorks internal validation activities for newly developed features.

5.2 Customer bug reporting processes

MathWorks reports known critical bugs brought to its attention on its bug report system at
http://www.mathworks.com/support/bugreports/. The bug reports are an integral part of the
documentation for each release.
The bug report system provides an interface for customers to view and submit bug reports. Customers
can track the status of open bugs and can choose to receive notifications for new or updated bug
reports. The bug reports on this web site include internally as well as externally nominated bugs.
If applicable, bug reports include provisions for known workarounds or file replacements.
Customers can use the bug report mechanism to nominate bugs. These nominations are processed and
evaluated by The MathWorks, Inc. development organization.


5.3 Requirements on software tools in IEC 61508, ISO 26262, and EN 50128

5.3.1 General

ISO 26262, IEC 61508 and EN 50128 in their current versions contain explicit requirements on
software tools.
They strongly recommend the application of development tools and provide provisions for using
model-based design for software development. At the same time, they require an analysis of the
tools used and of how they are embedded in the development process:

- analysis of tool usage (IEC 61508)
- analysis of tool use cases (ISO 26262)
- analysis of the effect of possible malfunctions of the applied tool(s).

Depending on the outcome of the above analysis, the standards referred to above demand
a) fault mitigation measures (process)
b) the qualification or validation, respectively, of tools.
These activities should complement each other, and the combination of both shall reduce the number
of faults impacting the final product to a minimum.

5.3.2 Simulink Verification and Validation and Simulink Design Verifier

The capabilities of Simulink Verification and Validation and Simulink Design Verifier listed in
sections 2.1.2 and 2.2.2 respectively are certified for use in development processes which need to
comply with IEC 61508, ISO 26262 or EN 50128.
The two verification tools allow the automation of core verification and validation activities for
Simulink models and generated code:

- Model compliance checking provided by Model Advisor helps to define and implement consistent
  design and coding guidelines.
- Structural model coverage analysis can be used to assess the completeness and adequacy of a given
  model test suite. As an example, structural model coverage analysis can be used to assess the
  structural coverage of the test cases used for equivalence testing (back-to-back testing) between
  models and generated code.
- Structural model coverage analysis and model vs. code coverage comparison can, for example, be
  used to detect unintended functionality.
- Cyclomatic complexity analysis can, for example, be used to assess the complexity of Simulink
  models and their components in order to obey complexity limits recommended by functional safety
  standards.
- If the structural coverage achieved with a given set of test cases is not sufficient to achieve the
  defined test objectives, test case generation can be used to create additional test vectors.
- The utilization of formal methods by Simulink Design Verifier allows the generation of test cases
  for coverage objectives that are difficult to create manually.


5.4 Tool classification and validation according to IEC 61508

5.4.1 Simulink Verification and Validation

Simulink Verification and Validation is a class T2 off-line support tool.
The following list provides considerations on how tool users are supported with respect to the
requirements of IEC 61508-3 clause 7.4.4:

- Simulink Verification and Validation can be integrated with other Model-Based Design and
  verification tools from The MathWorks, Inc. (cf. IEC 61508-3, 7.4.4.2, Note 3). A representative
  combination of tools is tested at the manufacturer's site (cf. IEC 61508-3, 7.4.4.9, 7.4.4.18 a).
- The tool documentation for Simulink Verification and Validation (cf. IEC 61508-3, 7.4.4.4) is
  provided with the product.
- Each release of the tool is identifiable (cf. IEC 61508-3, 7.4.4.15 a).
- MathWorks reports critical known bugs brought to its attention on its bug report system at
  http://www.mathworks.com/support/bugreports/ (cf. IEC 61508-3, 7.4.4.6, Note 1).
- The Release Notes provide the version history for Simulink Verification and Validation. Tool
  users can assess available bug reports for different tool versions via the bug report system
  (cf. IEC 61508-3, 7.4.4.6, Note 1).
- The MathWorks, Inc., as well as 3rd party vendors, offer training courses for MathWorks tools
  (cf. IEC 61508-3, 7.4.4.2, Note 6).
- The MathWorks, Inc. developed and applied validation suites to validate the model compliance
  checking and model coverage analysis capabilities. The application of these validation suites
  helps to uncover potential bugs in Simulink Verification and Validation.
- Test procedures for enhancements/new features are referenced in the delta report to document
  MathWorks internal validation activities for newly developed features. The MathWorks, Inc.
  validated Simulink Verification and Validation and provided documentation of this validation to
  TÜV SÜD for review and approval (cf. IEC 61508-3, 7.4.4.6, 7.4.4.7).


5.4.2 Simulink Design Verifier

Simulink Design Verifier is a class T2 off-line support tool.
The following list provides considerations on how tool users are supported with respect to the
requirements of IEC 61508-3 clause 7.4.4:

- Simulink Design Verifier can be integrated with other Model-Based Design and verification tools
  from The MathWorks, Inc. (cf. IEC 61508-3, 7.4.4.2, Note 3). A possible integration is outlined
  in the reference workflow documentation. A representative combination of tools is tested at the
  manufacturer's site (cf. IEC 61508-3, 7.4.4.9, 7.4.4.18 a).
- The tool documentation for Simulink Design Verifier (cf. IEC 61508-3, 7.4.4.4) is provided with
  the product.
- Each release of the tool is identifiable (cf. IEC 61508-3, 7.4.4.15 a).
- MathWorks reports critical known bugs brought to its attention on its bug report system at
  http://www.mathworks.com/support/bugreports/ (cf. IEC 61508-3, 7.4.4.6, Note 1).
- The Release Notes provide the version history for Simulink Design Verifier. Tool users can
  assess available bug reports for different tool versions via the bug report system (cf.
  IEC 61508-3, 7.4.4.6, Note 1).
- The MathWorks, Inc., as well as 3rd party providers, offer training courses for MathWorks tools
  (cf. IEC 61508-3, 7.4.4.2, Note 6).
- The reference workflow documentation provides mitigation measures for potential failure
  mechanisms of Simulink Design Verifier (cf. IEC 61508-3, 7.4.4.5, 7.4.4.8). Applying the measures
  in the workflow provides a high degree of confidence that potential bugs in the test case
  generation capability of Simulink Design Verifier can be detected or mitigated.
  The model coverage capability can be used instead of reviewing the Simulink Design Verifier
  report. Completeness and adequacy of the generated test cases can be assessed by running the
  generated test cases against the model, measuring the model coverage, and reviewing the model
  coverage report. This way, the tool user can claim credit for demonstrating completeness and
  adequacy of the test cases generated by Simulink Design Verifier.
- Test procedures for enhancements/new features are referenced in the delta report to document
  MathWorks internal validation activities for newly developed features. The MathWorks, Inc.
  validated Simulink Design Verifier and provided documentation of this validation to TÜV SÜD for
  review and approval (cf. IEC 61508-3, 7.4.4.6, 7.4.4.7).


5.4.3 Summary

All Simulink Verification and Validation and Simulink Design Verifier versions listed in section 3
are certified as T2 off-line support tools and are suitable for safety-related use in application
development up to SIL 3 according to IEC 61508:2010. The tools meet the requirements of IEC 61508-3
7.4.4 to the extent applicable to a tool manufacturer. The certification covers the following
capabilities:

- Simulink Verification and Validation: Model Compliance Checking, Model Coverage Analysis
- Simulink Design Verifier: Test Case Generation

The tool classification and the assessment of the tool validation activities were carried out by
TÜV SÜD.
Tool certification can be claimed by referencing this certification report and the corresponding
certificate.

5.5 EN 50128

EN 50128:2011 is an application standard derived from IEC 61508. The requirements for software
tools are explicitly derived from the requirements on software tools according to IEC 61508-3:2010.
Due to the equivalences between the two standards, no separate testing has been performed with
respect to EN 50128.
Simulink Verification and Validation and Simulink Design Verifier are suitable to be used in the
development of safety-related software according to EN 50128:2011 up to SIL 3/4. Tool certification
for the versions listed in section 3 can be claimed by referencing this certification report and the
corresponding certificate.

5.6 Tool classification and qualification according to ISO 26262

5.6.1 Simulink Verification and Validation

The tool classification according to ISO 26262 depends on the particular use cases applied during
the development of safety-related application software components.
For Simulink Verification and Validation, the following use cases were considered in the tool
classification process:

- [SLVNV_UC1] Static analysis of a model to verify compliance with design and coding guidelines
- [SLVNV_UC2] Automatic fixing of reported issues
- [SLVNV_UC3] Structural coverage analysis of test cases at the model level

Based on these use cases, the tool impact of Simulink Verification and Validation is TI2.

5.6.1.1 Estimation of TD and resulting TCL

Model compliance checking (SLVNV_UC1 and SLVNV_UC2):
Provided that the reference workflow for Simulink Verification and Validation is followed (Simulink
Verification and Validation Reference Workflow), the minimal (worst case) tool error detection for
the model compliance checking capability of Simulink Verification and Validation (use cases
SLVNV_UC1 and SLVNV_UC2) is TD2. The actual TD depends on the selected measures. The resulting tool
confidence level is TCL2.

Model coverage analysis capability (SLVNV_UC3):
Assuming that there are no systematic measures in the development process to verify the coverage
analysis results, the tool error detection for the model coverage analysis capability of Simulink
Verification and Validation is TD3. The resulting tool confidence level is TCL3.

A combination of the following tool qualification methods was carried out for the model compliance
checking and model coverage analysis capabilities of Simulink Verification and Validation:

- Evaluation of the tool development process
- Validation of the software tool

5.6.1.2 Evaluation of the tool development process

- TÜV SÜD conducts yearly surveillance audits of the software development and quality engineering
  processes for Simulink Verification and Validation.
- The MathWorks, Inc. documents new customer visible features for each release in the corresponding
  release notes. The release notes were submitted to TÜV SÜD.
- The MathWorks, Inc. documents enhancements and new features for each release to be qualified in a
  comprehensive delta report. The delta reports were submitted to TÜV SÜD.

5.6.1.3 Validation of the software tool

- The MathWorks, Inc. developed and applied validation suites for the model compliance checking and
  model coverage analysis capabilities that can be used to validate these features. The application
  of these validation suites helps to uncover potential bugs in Simulink Verification and
  Validation. A successful validation is considered as a means of end-to-end validation of the model
  compliance checking and model coverage analysis capabilities in Simulink Verification and
  Validation. The validation reports were submitted to TÜV SÜD.
- Test procedures for enhancements/new features of Simulink Verification and Validation are
  referenced in the delta report to document The MathWorks, Inc. internal validation activities for
  newly developed features.


5.6.2 Simulink Design Verifier™

The tool classification according to ISO 26262 depends on the particular use cases considered during the
development of safety-related application software components.
For Simulink Design Verifier, the following use cases were considered in the tool classification
process:

[SLDV_UC1] Generating test cases to satisfy structural coverage objectives

[SLDV_UC2] Generating customized test cases

[SLDV_UC3] Applying the generated test cases

Based on these use cases, the tool impact of Simulink Design Verifier is TI2.
Applying the error prevention or detection measures listed in the reference workflow provides a high
degree of confidence that a malfunction or an erroneous output of the test vector generation capability in Simulink Design Verifier will be prevented or detected. The resulting tool confidence level is
TCL1.
The tool qualification methods for Simulink Design Verifier are voluntary and provide additional
confidence.

5.6.2.1 Evaluation of the tool development process

TÜV SÜD conducts yearly surveillance audits of the software development and quality engineering processes for Simulink Design Verifier.

The MathWorks, Inc. documents new customer-visible features for each release in the corresponding release notes. The release notes were submitted to TÜV SÜD.

The MathWorks, Inc. documents enhancements and new features for each release to be
qualified in a comprehensive delta report. The delta reports were submitted to TÜV SÜD.

5.6.2.2 Validation of the software tool

Test procedures for enhancements/new features of Simulink Design Verifier are referenced in the delta report to document The MathWorks, Inc. internal validation activities for
newly developed features.


5.6.3 Summary

All Simulink Verification and Validation and Simulink Design Verifier versions listed in section
3 are qualified for all ASILs according to ISO 26262.
The qualification comprises the following capabilities:
Simulink Verification and Validation: Model Compliance Checking, Model Coverage Analysis
Simulink Design Verifier: Test Case Generation
The model compliance checking capability of Simulink Verification and Validation has been classified as TCL2 and qualified accordingly.
The model coverage analysis capability of Simulink Verification and Validation has been classified as TCL3 and qualified accordingly.
Provided that the error prevention or detection measures listed in the reference workflow for
Simulink Design Verifier are carried out, the test vector generation capability of Simulink Design
Verifier has been classified as TCL1. The tool qualification measures have been carried out on a
voluntary basis to provide additional confidence.
The review of the tool classifications and the assessment of the results of the measures applied to
qualify the software tool were carried out by TÜV SÜD.
Tool qualification for Simulink Verification and Validation and Simulink Design Verifier can be
claimed by referencing this certification report and the corresponding certificate.

5.7 IEC 62304

IEC 62304:2006 provides a framework of life cycle processes for the safe design and maintenance
of medical device software.
IEC 62304 does not place specific requirements on software tools or on the qualification of tools,
but it advises that IEC 61508 can be consulted as a source of methods, tools and techniques that can be used to implement the requirements of IEC 62304 (IEC 62304:2006, C.1).


6 General conditions and restrictions

As a prerequisite to claim tool qualification for Simulink Verification and Validation and
Simulink Design Verifier according to ISO 26262, the error prevention or detection
measures listed in the respective reference workflows shall be applied.

7 Summary and certificate number

This report specifies the conditions of use and restrictions required for the application of Simulink
Verification and Validation and Simulink Design Verifier by The MathWorks, Inc. on the certificate:

Z10 11 12 67052 013

The certificate Z10 11 12 67052 013 replaces the certificates Z10 11 01 67052 008 and Z10 11 06
67052 009.

Munich, 2015-05-29

Technical Certifier
Peter Weiß
