Professional Documents
Culture Documents
1
2
Introduction ................................................................................................................. 5
DO-178B Software Lifecycle ..................................................................................... 7
2.1 Table A-1 Planning Process ................................................................................. 8
2.1.1
Software development and integral processes activities are defined ............ 8
2.1.2
Transition criteria, inter-relationships and sequencing among processes are
defined 10
2.1.3
Software life cycle environment is defined ................................................ 10
2.1.4
Additional considerations are addressed ..................................................... 10
2.1.5
Software development standards are defined ............................................. 11
2.1.6
Software plans comply with this document ................................................ 11
2.1.7
Software plans are coordinated ................................................................... 11
2.2 Table A-2 Software Development Process ........................................................ 12
2.2.1
High-level requirements are developed ...................................................... 12
2.2.2
Derived high-level requirements are developed ......................................... 13
2.2.3
Software architecture is developed ............................................................. 13
2.2.4
Low-level requirements are developed ....................................................... 13
2.2.5
Derived low-level requirements are developed .......................................... 13
2.2.6
Source code is developed ............................................................................ 13
2.2.7
Executable Object Code is produced and integrated in the target computer
14
2.3 Table A-3 Verification of Requirements Process .............................................. 15
2.3.1
Software high-level requirements comply with system requirements ........ 16
2.3.2
High-level requirements are accurate and consistent.................................. 16
2.3.3
High-level requirements are compatible with the target computer ............. 16
2.3.4
High-level requirements are verifiable ....................................................... 17
2.3.5
High-level requirements conform to standards ........................................... 17
2.3.6
High-level requirements are traceable to system requirements .................. 17
2.3.7
Algorithms are accurate .............................................................................. 17
2.4 Table A-4 Verification of Design Process ......................................................... 18
2.4.1
Low-level requirements comply with high-level requirements .................. 20
2.4.2
Low-level requirements are accurate and consistent .................................. 20
2.4.3
Low-level requirements are compatible with the target computer ............. 20
2.4.4
Low-level requirements are verifiable ........................................................ 20
2.4.5
Low-level requirements conform to standards ........................................... 21
2.4.6
Low-level requirements are traceable to high-level requirements .............. 21
2.4.7
Algorithms are accurate .............................................................................. 21
2.4.8
Software architecture is compatible with high-level requirements............. 22
2.4.9
Software architecture is consistent.............................................................. 22
2.4.10 Software architecture is compatible with the target computer.................... 22
2.4.11 Software architecture is verifiable .............................................................. 23
2.4.12 Software architecture conforms to standards .............................................. 23
2.4.13 Software partitioning integrity is confirmed ............................................... 23
2.5 Table A-5 Verification of Coding and Integration Process................................ 24
2.5.1
Source code complies with low-level requirements ................................... 24
Page 1
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
2.5.2
Source code complies with software architecture ....................................... 25
2.5.3
Source code is verifiable ............................................................................. 25
2.5.4
Source code conforms to standards............................................................. 25
2.5.5
Source code is traceable to low-level requirements .................................... 25
2.5.6
Source code is accurate and consistent ....................................................... 25
2.5.7
Output of software integration process is complete and correct ................. 25
2.6 Table A-6 Testing of Outputs of Integration Process ........................................ 26
2.6.1
Executable Object Code complies with high-level requirements ............... 27
2.6.2
Executable Object Code is robust with high-level requirements ................ 27
2.6.3
Executable Object Code complies with low-level requirements ................ 27
2.6.4
Executable Object Code is robust with low-level requirements ................. 28
2.6.5
Executable Object Code is compatible with target computer ..................... 28
2.7 Table A-7 Verification of Verification Process Results..................................... 29
2.7.1
Test procedures are correct ......................................................................... 29
2.7.2
Test results are correct and discrepancies explained .................................. 30
2.7.3
Test coverage of high-level requirements is achieved ................................ 30
2.7.4
Test coverage of low-level requirements is achieved ................................. 30
2.7.5
Test coverage of software structure (modified condition/decision) is
achieved .................................................................................................................... 30
2.7.6
Test coverage of software structure (decision coverage) is achieved ......... 30
2.7.7
Test coverage of software structure (statement coverage) is achieved ....... 31
2.7.8
Test coverage of software structure (data coupling and control) is achieved
31
2.8 Table A-8 Software Configuration Management Process.................................. 32
2.8.1
Configuration items are identified .............................................................. 32
2.8.2
Baselines and traceability are established ................................................... 33
2.8.3
Problem reporting, change control, change review, and configuration status
accounting are established ........................................................................................ 33
2.8.4
Archive, retrieval, and release are established ............................................ 33
2.8.5
Software load control is established ........................................................... 33
2.8.6
Software life cycle environment control is established .............................. 33
2.9 Table A-9 Software Quality Assurance Process ................................................ 34
2.9.1
Assurance is obtained that software development and integral processes
comply with approved software plans and standards ............................................... 34
2.9.2
Assurance is obtained that transition criteria for the software life cycle
processes are satisfied ............................................................................................... 34
2.9.3
Software conformity review is completed .................................................. 34
2.10
Table A-10 Certification Liaison Process ...................................................... 35
2.10.1 Communication and understanding between the applicant and the
certification authority is established ......................................................................... 35
2.10.2 The means of compliance is proposed and agreement with the Plan for
Software Aspects of Certification is obtained .......................................................... 35
2.10.3 Compliance substantiation is provided ....................................................... 35
3 Model Architecture Considerations .......................................................................... 36
3.1 Use of Atomic Subsystems ................................................................................ 36
Page 2
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
12.7
Math Function Block .................................................................................... 107
12.8
Merge Block ................................................................................................. 108
12.9
Product Block ............................................................................................... 108
12.10 Relational Operator Blocks .......................................................................... 109
12.11 Triggered Subsystem .................................................................................... 109
12.12 While Iterator Subsystem ............................................................................. 109
13 Stateflow Software Considerations for Safety Critical or Mission Critical Systems
110
13.1
Chart Settings ............................................................................................... 110
13.2
Stateflow Software Debugger Settings ...................................................... 111
13.3
Truth Table Settings ..................................................................................... 112
13.4
Chart Commenting ....................................................................................... 112
13.5
Transition Paths Crossing Parallel State Boundaries ................................... 113
13.6
Transition Paths Looping Out of the Parent of Source/Destination Objects 114
13.7
Transition Paths Passing Through a State .................................................... 114
13.8
Flow-Graph Backup ..................................................................................... 116
13.9
Recursive Graphical Functions ..................................................................... 117
14 Run-Time Library Considerations for Safety Critical or Mission Critical Systems118
14.1
Runtime Libraries ......................................................................................... 118
14.2
MISRA-C Violations .................................................................................... 118
Page 4
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
1 Introduction
The purpose of this document is to provide approaches for applying the MathWorks
Model-Based Design products to safety critical or mission critical systems that must meet
DO-178B1 objectives for certification. Approaches presented in this document are
provided as recommendations, but are not the only methods that could be used in meeting
DO-178B objectives for certification. These guidelines may also be applied to safety
critical or mission critical systems that do not have to meet the objectives of DO-178B,
but this document does assume that the software lifecycle follows that standard.
The motivation of the MAAB Style Guidelines, as described in that document, is:
System integration without problems
Clean interfaces
Uniform appearance of models, code and documentation
Reusable models
1
Software Considerations in Airborne Systems and Equipment Certification, Document No. RTCA/DO178B, December 1, 1992, Prepared by SC-167
Page 5
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Readable models
Hassle-free exchange of models
Avoidance of legacies
A clean process
Professional documentation
Understandable presentations
Fast software changes
Cooperation with subcontractors
Handing over of (research or predevelopment) projects (to product development)
Page 6
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Planning process
Software development process
Verification of requirements process
Verification of design process
Verification of coding and integration process
Testing of outputs of integration process
Verification of verification process results
Software configuration management process
Software quality assurance process
Certification liaison process
There are objectives that must be met for each of the lifecycle stages defined in DO-178B.
These objectives are summarized in Appendix A of DO-178B in the form of tables. The
following sections of this document summarize those tables and provide
recommendations on how the objectives may be met using a Model-Based Design
process. Additionally, the potential usage of available Model-Based Design tools in
achieving the objectives is also included.
Page 7
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Section
4.1c
4.1d
4.1f
4.6
4.1g
4.6
No impact as compared to
traditional development
The following sections describe in more detail the potential impacts as compared to
traditional development, if applicable, for each planning process objective when using
Model-Based Design.
that these components are used in to provide full functionality may be defined as high
level software requirements. Three different scenarios will be described in this section.
Scenario 1 Models developed at the system level are used to generate code
directly
Under this scenario, high level system requirements allocated to system design are
in the form of textual requirements. The models are developed during the system
design process and allocated to software. The models become both the high and
low level software requirements. The models must meet predefined standards and
must be adequately detailed such that code can be generated directly from the
models. As a part of the development process, a predefined set of library blocks
and/or reusable reference models may be designed for use by the systems
engineers. For this case the requirements for the library blocks and reference
models may be considered to be derived software requirements, since they do not
trace to the higher level requirements.
Under this scenario, the verification objectives from tables A-3 and A-4 would be
combined and applied to the single model.
Scenario 2 Models developed at the system level are not used directly to
generate code
Under this scenario, high level system requirements allocated to system design are
in the form of textual requirements. The models are developed during the system
design process and allocated to software. These models become the high level
software requirements but they are not detailed enough to generate code directly.
An example case of this type of model would be a Simulink diagram that used
continuous time blocks which are not appropriate for embedded real-time code.
The software engineering process would take these models and modify them and
add detail as necessary prior to code generation. These modified models would
then become the low level software requirements.
Under this scenario, the verification objectives from table A-3 would be applied
to the high level model and the objectives from table A-4 would be applied to the
low level model.
Scenario 3 System level textual requirements are allocated to software
Under this scenario, the system level requirements and design allocated to
software are in the form of textual high level software requirements. The models
are developed as part of the software engineering process and are detailed enough
to generate code. In this case the models are the low level software requirements.
Page 9
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Under this scenario, the verification objectives from table A-3 would be applied
to the high level textual requirements and the objectives from table A-4 would be
applied to the model.
Change control and configuration management of the models must be addressed in the
planning process.
Page 10
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
verify the executable object code against the higher level requirements; it may only be
used to supplement the higher level requirements based tests.
MISRA-C:2004 Guidelines for the use of the C language in critical systems, The Motor Industry
Software Reliability Association, dated October 2004.
Page 11
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Section
Software
Levels
Available Model-Based
Design Tools
5.1.1a
A, B, C, D Simulink software
Stateflow software
A, B, C, D Simulink software
Stateflow software
Software architecture is
developed.
5.2.1a
A, B, C, D Simulink software
Stateflow software
5.2.1a
A, B, C, D Simulink software
Stateflow software
A, B, C, D Simulink software
Stateflow software
5.3.1a
A, B, C, D Real-Time Workshop
Embedded Coder software
5.3.1a
The following sections describe in more detail the potential impacts as compared to
traditional development, if applicable, for each software development process objective
when using Model-Based Design.
Page 12
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
ARP47543. The models should be developed in accordance with the modeling standards
defined during the planning process.
Certification Considerations for Highly Integrated or Complex Aircraft Systems, Document No. SAE
ARP4754, dated November 1996, developed by SAE International.
Page 13
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
appropriate commenting options described later in this document. The source code can be
generated in accordance with MISRA-C standards, with some exceptions, using
appropriate modeling standards.
Page 14
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Section
Software
Levels
Available Model-Based
Design Tools
Software high-level
requirements comply with
system requirements.
6.3.1a
6.3.1b
6.3.1c
A, B, C, D Simulink Verification
and Validation
Simulink Design Verifier
SystemTest
Report Generator
Model Reviews
A, B, C, D Simulink Verification
and Validation
SystemTest
Model Advisor
Report Generator
Model Reviews
A, B
Model Advisor
Report Generator
Model Reviews
6.3.1d
A, B, C
High-level requirements
conform to standards.
6.3.1e
A, B, C
6.3.1f
A, B, C, D Requirements Management
Interface
Model Advisor
Report Generator
Model Reviews
Simulink Verification
and Validation
Simulink Design Verifier
SystemTest
Model Advisor
Model Coverage
Report Generator
Model Reviews
Model Advisor
Report Generator
Model Reviews
Page 15
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
6.3.1g
A, B, C
Simulink Verification
and Validation
SystemTest
Model Advisor
Report Generator
Model Reviews
The following sections describe in more detail the potential impacts as compared to
traditional development, if applicable, for each of the verification of requirements process
objectives when using Model-Based Design.
Page 16
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Page 17
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Section
Software
Levels
Available Model-Based
Design Tools
Simulink Verification
and Validation
Simulink Design Verifier
SystemTest
Report Generator
Model Reviews
Simulink Verification
and Validation
SystemTest
Report Generator
Model Reviews
Model Advisor
Report Generator
Model Reviews
A, B, C
6.3.2b
A, B, C
6.3.2c
A, B
6.3.2d
A, B
Low-level requirements
conform to standards.
6.3.2e
A, B, C
6.3.2f
A, B, C
Simulink Verification
and Validation
Simulink Design Verifier
SystemTest
Model Advisor
Model Coverage
Report Generator
Model Reviews
Model Advisor
Report Generator
Model Reviews
Requirements Management
Interface
Model Advisor
Report Generator
Model Reviews
Page 18
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Description
Section
Software
Levels
Available Model-Based
Design Tools
6.3.2g
A, B, C
Software architecture is
compatible with high-level
requirements.
6.3.3a
A, B, C
Simulink Verification
and Validation
SystemTest
Model Advisor
Report Generator
Model Reviews
Report Generator
Model Dependency Viewer
Model Reviews
Software architecture is
consistent.
6.3.3b
A, B, C
Model Advisor
Report Generator
Model Dependency Viewer
Model Reviews
10 Software architecture is
compatible with the target
computer.
6.3.3c
A, B
Model Advisor
Report Generator
Model Reviews
11 Software architecture is
verifiable.
6.3.3d
A, B
Model Coverage
Model Advisor
Report Generator
Model Reviews
A, B, C
Model Advisor
Report Generator
Model Reviews
A, B, C, D Not applicable
The following sections describe in more detail the potential impacts as compared to
traditional development, if applicable, for each of the verification of design process
objectives when using Model-Based Design.
Page 19
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Generator may be used to generate a model review packet that includes a trace report to
the higher level requirements. SystemTest and Simulink Verification and Validation may
be used to develop test cases from the high level requirements and execute those test
cases on the model. During execution of these test cases, a Model Coverage Report, a
component of Simulink Verification and Validation, may be generated to assist in
verifying that all requirements are fully verified. The coverage report may assist in
finding conditions and decisions in the model that cannot be reached, thus indicating that
the design may not be fully verifiable. Simulink Design Verifier may be used to identify
untestable or unreachable model conditions and decisions using test case generation, thus
indicating that the low level requirements may not be fully verifiable. The Model
Advisor may be used to assist in verifying the proper usage of certain Simulink blocks
and data types.
If the models are defined as high level software requirements, then code may be
generated directly from the high level requirements and this objective does not apply. See
DO-178B, Section 6.1.b for details.
the higher level requirements. SystemTest and Simulink Verification and Validation may
be used to develop test cases from the high level requirements and execute those test
cases on the model, thus assisting in verifying the accuracy of the algorithms within the
model. The Model Advisor may be used to assist in verifying the proper usage of certain
Simulink blocks and data types.
If the models are defined as high level software requirements, then code may be
generated directly from the high level requirements and this objective does not apply. See
DO-178B, Section 6.1.b for details.
2.4.10
Software architecture is compatible with the target
computer
Target compatibility of the software architecture within the models may be verified via
model reviews. Simulink Report Generator may be used to generate a model review
packet. The Model Advisor, a component of Simulink Verification and Validation, may
be used to verify the hardware interface settings used by Real-Time Workshop Embedded
Coder are appropriate for the target processor.
The higher level software architecture, which includes the RTOS and other code, may be
verified using traditional methods.
Page 22
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
2.4.11
2.4.12
2.4.13
Because partitioning is outside of the scope of Model-Based Design, this may be verified
using traditional methods.
Page 23
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Section
A, B, C
6.3.4b
A, B, C
6.3.4c
A, B
6.3.4d
A, B, C
A, B, C
A, B, C
6.3.4f
A, B, C
The following sections describe in more detail the potential impacts as compared to
traditional development, if applicable, for each of the verification of coding and
integration process objective when using Model-Based Design.
in code reviews by providing traceability from the code to the models, including
hyperlinks to the components in the models.
Page 25
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Section
Software
Levels
Available Model-Based
Design Tools
6.4.2.1
6.4.3
A, B, C, D
6.4.2.2
6.4.3
A, B, C, D
6.4.2.1
6.4.3
A, B, C
6.4.2.2
6.4.3
A, B, C
SystemTest/Simulink
Verification and Validation
test cases reused on
executable object code
Embedded IDE Link CC
Embedded IDE Link
MU
Embedded IDE Link TS
Embedded IDE Link VS
SystemTest/Simulink
Verification and Validation
test cases reused on
executable object code
Embedded IDE Link CC
Embedded IDE Link
MU
Embedded IDE Link TS
Embedded IDE Link VS
Simulink Design Verifier
generated test cases used
on executable object code
Embedded IDE Link CC
Embedded IDE Link
MU
Embedded IDE Link TS
Embedded IDE Link VS
Simulink Design Verifier
generated test cases used
on executable object code
Embedded IDE Link CC
Embedded IDE Link
MU
Embedded IDE Link TS
Embedded IDE Link VS
Page 26
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Description
Section
Software
Levels
Available Model-Based
Design Tools
6.4.3a
A, B, C, D
The following sections describe in more detail the potential impacts as compared to
traditional development, if applicable, for each testing of outputs of integration process
objective when using Model-Based Design.
Page 27
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
The executable object code may be tested on a target processor or DSP using Embedded
IDE Link CC, Embedded IDE Link MU, Embedded IDE Link TS, or Embedded
IDE Link VS.
Alternatively, verification against the low level requirements may be eliminated, if it can
be shown that requirements based coverage and structural coverage are achieved using
the high level requirements based tests (i.e. software integration tests). The following
guidance is provided in section 6.4 of DO-178B:
If a test case and its corresponding test procedure are developed and executed for
hardware/software integration testing or software integration testing and satisfy
the requirements-based coverage and structural coverage, it is not necessary to
duplicate the test for low-level testing. Substituting nominally equivalent lowlevel tests for high-level tests may be less effective due to the reduced amount of
overall functionality tested.
Page 28
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Section
Software
Levels
Available Model-Based
Design Tools
6.3.6b
A, B, C
Review of Simulink
Verification and
Validation test cases
6.3.6c
A, B, C
Not applicable
6.4.4.1
A, B, C, D
6.4.4.1
A, B, C
Simulink Verification
and Validation
Model Coverage
Simulink Verification
and Validation
Model Coverage
Model Coverage and
traditional code
coverage tool
Model Coverage and
traditional code
coverage tool
Model Coverage and
traditional code
coverage tool
Not applicable
A, B
A, B, C
A, B, C
The following sections describe in more detail the potential impacts as compared to
traditional development, if applicable, for each of the verification of verification process
results objective when using Model-Based Design.
Page 29
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
traceability from the test cases to the requirements, including hyperlinks to the
requirements in the higher level requirements document.
Page 30
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Page 31
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Section
Software
Levels
7.2.1
A, B, C, D
7.2.2
A, B, C, D
7.2.3,
A, B, C, D
7.2.4,
7.2.5, 7.2.6
No impact as compared
to traditional
development
Use of Requirements
Management Interface
and traditional baseline
establishment
No impact as compared
to traditional
development
7.2.7
A, B, C, D
7.2.8
A, B, C, D
A, B, C, D
No impact as compared
to traditional
development
No impact as compared
to traditional
development
No impact as compared
to traditional
development
The following sections describe in more detail the potential impacts as compared to
traditional development, if applicable, for each configuration management process
objective when using Model-Based Design.
Page 33
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Section
Software
Levels
A, B, C, D
No impact as compared
to traditional
development
A, B
No impact as compared
to traditional
development
A, B, C, D
No impact as compared
to traditional
development
The following sections describe in more detail the potential impacts as compared to
traditional development, if applicable, for each software quality assurance process
objective when using Model-Based Design.
Page 34
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Section
Software
Levels
Communication and
understanding between the
applicant and the certification
authority is established.
9.0
A, B, C, D
No impact as compared
to traditional
development
A, B, C, D
No impact as compared
to traditional
development
Compliance substantiation is
provided.
A, B, C, D
No impact as compared
to traditional
development
9.2
The following sections describe in more detail the potential impacts as compared to
traditional development, if applicable, for each certification liaison process objective
when using Model-Based Design.
2.10.1
Communication and understanding between the applicant
and the certification authority is established
This is the same as for traditional projects.
2.10.2
The means of compliance is proposed and agreement
with the Plan for Software Aspects of Certification is obtained
This is the same as for traditional projects.
2.10.3
Page 35
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
When Treat as atomic unit is selected, the generated code for the subsystem is grouped
together and typically includes a starting and ending comment in the code file. Having a
block of code map directly to a page on the diagram simplifies the code review process.
If this option is not selected, then the generated code may be interleaved such that lines of
code trace to blocks across multiple pages on the diagram.
Selecting Treat as atomic unit also allows Simulink to check and report (as an error or
warning) if this group of blocks cannot be executed as a unit, e.g. function call across
subsystem boundary, or direct feedback loop, etc.
Page 36
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Each model and its associated code can be verified as a separate component
When a reference model changes, only its code has to be reviewed
When a reference model changes, only its verification testing has to be
performed
Regression analysis is greatly simplified
Structural coverage analysis is simplified when using smaller models and code
Reference model code can be reused
When using Model Reference, especially with large teams, configuration management of
the reference models is very important. There are two best practice scenarios for
configuration management of the reference models that are described here.
Scenario 1 Model developer checks in the simulation target and embedded
target source code with the model into the configuration management system
Under this scenario the model developer creates a simulation target that will be
used by other model developers that call the referenced model. This target is
created in the form of a .mex32 executable file and would be checked into the
software configuration management tool along with the model. The model
developer would also generate the target source code and check this in with the
model. This ensures that all time and date stamps and the model checksums
match those for the generated code and simulation targets.
For this scenario, any user of the reference model would get the latest copy of the
model, source code and simulation target from the configuration management
system before using it. The Rebuild Option would be set to Never for all
reference models.
The advantage of using this scenario is that the model, source code and simulation
target could all be verified and approved in the software configuration
management system and locked down until such time as a change is necessary.
Additionally this would insure that all users of the reference model are working
from exactly the same files from the configuration management system.
Page 37
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Scenario 2 Model developer checks in only the model into the configuration
management system
Under this scenario, the model developer is only responsible for creation and
check-in of the model into the configuration management system. It would be the
responsibility of the user of the reference model to create a simulation target that
will be used by other model developers that call the referenced model. Another
developer would need to generate the target source code and check this in to the
software configuration management system.
For this scenario, any user of the reference model would get the latest copy of the
model target from the configuration management system before using it. The
Rebuild Option would be set to If Any Changes Detected for all reference models.
The advantage of using this scenario is that the model, source code and simulation
target could all be verified and approved in the software configuration
management system at different times in the development cycle and by different
groups. A disadvantage of this scenario is that insuring that all users of the
reference model are working from exactly the same files from the configuration
management system is much more difficult.
For either of the scenarios above, it is necessary to understand the reference model
dependencies and to determine when a change to one model may require a change to
another model or regeneration of the source code and simulation target for another model.
See the Model Reference documentation for a detailed description of this.
The use of model reference is analogous to the use of multiple code modules across a
large system. The Model Referencing Pane of the Configuration Parameters is shown
below:
Page 38
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Recommended model reference settings are outlined in the following table along with
rationale.
Diagnostic
Rebuild options
Recommended
Setting
Never or If
any changes
detected
Rationale
Allowing the code to rebuild may result
in the necessity to repeat the code review
and verification testing on the generated
code. By locking down the
configuration, verification activities are
minimized. It is preferable for a rebuild
to only occur when a model is checked
out of the configuration management
system. (See DO-178B, Section 6.3.1b &
6.3.2b)
An alternative is to perform local rebuilds
when changes have been detected. For
this case it is still necessary to verify that
the latest version of the model is on the
path.
Page 39
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Diagnostic
Never rebuild targets
diagnostics
Model dependencies
Recommended Rationale
Setting
Error if targets This setting will report errors if it detects
require rebuild time stamp inconsistencies between a
model and its associated code or
differences in checksums of global
parameters, etc. indicating that the
simulation target needs to be rebuilt.
Note: this setting only appears if Never is
selected as the Rebuild Option.
One or
If the referenced model is only intended
Multiple
to be used once in a single top level
model, then One should be selected. If
the model is intended to be used as a
reusable function called multiple times
by a top model or by more than one top
model, then Multiple should be selected.
As needed
This setting is used to include any .MAT
or .M files that contain data needed by
the reference model.
Off
In some cases the scalar value inputs to a
reference model can change during a time
step, resulting in unpredictable
operations. (See DO-178B, Section
6.3.3b)
Off
If this option is selected, then the Single
Output/Update function option is not
allowed. See section 10.7 (See DO178B, Section 6.3.3b)
The code generated from the model can be verified as a stand alone module
without the need to stimulate or record hardware (this does not eliminate the need
to perform hardware software integration testing, but it does eliminate the need to
achieve complete structural coverage during that testing).
Page 40
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
The code generated from the model is nearly platform independent, only
Hardware Implementation characteristics in the Configuration Parameters need to
be reconfigured. This enables software reuse across multiple programs.
The hardware device driver code, which is typically generated by hand, can be
verified as a stand alone unit one time. This code is typically very stable and not
subject to change once it has been integrated onto the hardware platform. (The
models are typically subject to several changes during a project, so being able to
perform verification on only those changes reduces the verification costs
significantly)
If device drivers are embedded within models as S-Functions, then the use of test
harnesses and data logging to generate test cases for verification of the executable
object code becomes impossible.
The figure below shows an example of integration with a rate monotonic RTOS, such as
an ARINC 653 compliant operating system, for a simple system with three sample rates.
It is recommended to provide separate models for different sample rates and let the RTOS
take care of function call scheduling and buffering of data between the different sample
rates.
RTOS
Scheduling
Hardware
Input
Device
Drivers
Model A
(rate = x)
Model B
(rate = x/2)
Model C
(rate = x/4)
Hardware
Output
Device
Drivers
Alternatively, if the preference is to generate code for device drivers in a more integrated
fashion, two approaches which can be considered are:
Using the Legacy Code Tool, a function call to a hand written device driver
function can be generated from the model. This function call passes data to/from
the model via function arguments.
Page 41
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Using the Simulink S-function API which provides the ability to generate
efficient and complete device driver code. It can be fully inlined with the
generated algorithmic code of the model.
Input S-function
(rate = x)
Reference Model A
(rate = x)
Rate
Trans
Input S-function
(rate = x/2)
Output S-function
(rate = x)
Rate
Trans
Reference Model B
(rate = x/2)
Output S-function
(rate = x/2)
Changes to the test harness and test procedures will have no affect on the
generated code or the configured model to be tested.
Test independence cannot be easily demonstrated if a single model is used for the
target function and the test.
A separate test harness allows integration of multiple reference models for
performing system level tests and evaluations.
Test cases and procedures must be separately configured and reviewed.
Page 42
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Page 43
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Recommended solver settings are outlined in the following table along with rationale.
Solver Setting
Start time
Recommended
Setting
0.0
Rationale
This setting must be 0.0 to generate
production code. Simulink software
allows non-zero start time for
simulation, but Real-Time Workshop
Embedded Coder target does not allow
non-zero start time.
Page 44
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Solver Setting
Stop time
Recommended
Setting
Any positive
value
Type
Fixed-step
Solver
Discrete (no
continuous
states)
Any positive
value
Specified,
Ensure sample
time
independent or
Unconstrained
[[Period, offset,
priority], .]
Rationale
The time in seconds of this setting must
be shorter than Application lifespan
(days) on Optimization pane. By
default, Application lifespan (days) is
inf. Any positive value is valid and this
setting has no effect on generated code.
Fixed-step solver is required for
embedded code generation.
Discrete is required for production code.
Page 45
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Solver Setting
Tasking mode for periodic
sample times
Recommended
Setting
SingleTasking
or MultiTasking
On or Off
Off
Rationale
If Ensure sample time independent is
selected for a reference model, this
setting will not appear. This should be
set to SingleTasking if the model is
intended to run at a single rate or the
model is intended to run at multiple
rates in one task. Otherwise it should
be set to MultiTasking if the model is
intended to run at multiple rates.
If Ensure sample time independent is
selected for a reference model, this
setting will not appear. This option
determines whether the priority for
Sample time properties uses the lowest
values as highest priority or the highest
values as highest priority.
If Ensure sample time independent is
selected for a reference model, this
setting will not appear. Setting this to
On could result in rate transition code
being inserted without a model
requirement to trace to. This violates
traceability requirements. (See DO178B, Section 6.3.4e)
Page 46
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
All settings for Data Import and Export should be set to Off for production code
generation. These settings may be used during simulation for debugging and evaluating
the performance of the models.
Page 47
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
The following table contains recommendations for some of the optimization settings
when safety critical code is to be generated from a model. The rationale for these settings
is included in the table. While it is understood that highly optimized code is generally
desirable for real-time systems, it must also be recognized that some optimizations can
have undesirable side effects that impact safety.
Page 48
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Optimization
Block reduction
optimization
Parameter Structure
Enable local block outputs
Reuse block outputs
Ignore integer downcasts in
folded expressions
Recommended
Setting
Off
Rationale
Page 49
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Optimization
Eliminate superfluous
temporary variables
Minimize data copies
between local and global
variables
Loop rolling threshold
Recommended
Setting
On or Off
On or Off
2 or greater
On or Off
Off
On or Off
On or Off
2 or greater
Off
On
Rationale
There are no safety implications
regarding the use of this optimization.
There are no safety implications
regarding the use of this optimization.
There are no safety implications
regarding the use of this setting.
There are no safety implications
regarding the use of this optimization.
There are no safety implications
regarding the use of this setting.
For safety critical code all variables
should be explicitly initialized. (See
DO-178B, Section 6.3.3b and MISRAC 2004, Rule 9.1) Note: an alternative
to this setting is to have separate hand
code that explicitly initializes all I/O
variables to zero.
There are no safety implications
regarding the use of this optimization.
For safety critical code all variables
should be explicitly initialized. (See
DO-178B, Section 6.3.3b and MISRAC 2004, Rule 9.1) ) Note: an alternative
to this setting is to have separate hand
code that explicitly initializes all state
variables to zero.
There are no safety implications
regarding the use of this optimization.
Overflows must be avoided for safety
critical code. Prevention of overflows
is discussed in the block setting
considerations section of this document.
(See DO-178B, Section 6.3.1g &
6.3.2g)
Setting this to off will add code that
wraps out of range values for blocks
with Saturate on Overflow set to off.
Un-reachable, and therefore un-testable,
code can result when setting this to off.
(See DO-178B, Section 6.4.4.3c and
MISRA-C 2004, Rule 14.1)
Page 50
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Optimization
Remove code that protects
against division arithmetic
exceptions
Recommended
Setting
Off
Rationale
Division by zero exceptions must be
avoided in safety critical code. (See
DO-178B, Section 6.3.1g & 6.3.2g and
MISRA-C 2004, Rule 21.1)
There are no safety implications
regarding the use of this optimization.
There are no safety implications
regarding the use of this optimization.
There are no safety implications
regarding the use of this optimization.
Page 51
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Recommended solver diagnostic settings are outlined in the following table along with
rationale. Many of the solver settings have no effect on the generated code, therefore
only a few of the settings are of concern for safety critical code generation.
Page 52
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Diagnostic
Recommended Rationale
Setting
Algebraic loop
error
Simulink software will employ an
iterative non-linear equation solver when
it detects an algebraic loop. Since such
iterative algorithms are not suitable for
real time applications, it is preferable to
have the model developer break algebraic
loops by inserting unit delay blocks. (See
DO-178B, Section 6.3.3e)
Minimize algebraic loop
error
Simulink software may attempt to
eliminate certain artificial algebraic
loops caused due to model blocks, atomic
subsystems and enabled subsystems.
This will affect execution order, so it is
preferable to have the model developer
resolve this issue by altering the model so
that execution order is predictable, or to
at least verify that the automatic breaking
of the loop is acceptable. (See DO-178B,
Section 6.3.3e)
Block priority violation
error
When Simulink software detects
conflicting block priorities; it can affect
execution order so the model developer
needs to be notified. (See DO-178B,
Section 6.3.3b)
Min step size violation
warning or
This diagnostic has no effect on the
error
generated code.
Sample time hit adjusting
none, warning This diagnostic has no effect on the
or error
generated code.
Consecutive zero crossings warning or
This diagnostic has no effect on the
violation
error
generated code.
Unspecified inheritability of error
When Simulink detects that an Ssample times
Function has not been specified explicitly
for inherited sample time, the model
developer needs to correct the S-Function
in order to have predictable behavior.
(See DO-178B, Section 6.3.3e)
Solver data inconsistency
none, warning This diagnostic has no effect on the
or error
generated code.
Page 53
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Diagnostic
Automatic solver parameter
selection
Extraneous discrete
derivative signals
State name clash
Recommended Rationale
Setting
error
Simulink software may attempt to
modify the solver, step size or simulation
stop time automatically. This may affect
the operation of the generated code, so it
is preferable to have the model developer
manually correct the settings to the
desired values. (See DO-178B, Section
6.3.3e)
none, warning This diagnostic has no effect on the
or error
generated code.
warning
Simulink ignores this setting during
simulation, but an error will occur during
code generation if a state name clashes
with another Simulink object name. (See
DO-178B, Section 6.3.3b)
Page 54
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Recommended sample time diagnostic settings are outlined in the following table along
with rationale. All of these settings are considered important in the generation of safety
critical code.
Diagnostic
Source block specifies -1
sample time
Recommended Rationale
Setting
error
Source blocks should have a specified
sample time to prevent incorrect
execution sequencing. (See DO-178B,
Section 6.3.3e)
error
This diagnostic will detect if a discrete
block input is a continuous signal, which
should not be used for embedded realtime code. (See DO-178B, Section
6.3.3e)
Page 55
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Diagnostic
Multitask rate transition
Multitask conditionally
executed subsystems
Recommended Rationale
Setting
error
This diagnostic will detect if an invalid
rate transition exists in multitasking
mode, which should not be used for
embedded real-time code. (See DO178B, Section 6.3.3b)
none or error
This diagnostic will detect if a rate
transition exists in single tasking mode
which is okay for single tasking mode. If
the model is intended to convert to
multitasking model, set this diagnostic to
error.
error
This diagnostic will detect if a
conditionally executed multirate
subsystem (enabled subsystem, triggered
subsystem, function call subsystem)
operates in multitasking mode which can
lead to data corruption and unpredictable
behavior in real time environments allow
preemption. (See DO-178B, Section
6.3.3b)
none or error
This diagnostic will detect if two
asynchronous tasks have equal priority. If
real time target does not allow
preemption between tasks that have equal
priority, set this diagnostic to None,
otherwise, set it to Error. (See DO178B, Section 6.3.3b)
error
This diagnostic detects different sample
times specified in source and destination
blocks, thus indicating an over specified
sample time. (See DO-178B, Section
6.3.3e)
Page 56
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Recommended data validity diagnostic settings are outlined in the following table along
with rationale. All of these settings, except for the debugging diagnostics, are considered
important for generation of safety critical code.
Diagnostic
Signals: Signal resolution
Recommended Rationale
Setting
Explicit only
This provides predictable operation by
requiring the user to define each signal
and block setting that must resolve to
Simulink.Signal objects in the
workspace. (See DO-178B, Section
6.3.3b)
Page 57
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Diagnostic
Signals: Division by
singular matrix
Signals: Underspecified
data types
Signals: Signal range
checking
Signals: Detect overflow
Parameters: Detect
downcast
Parameters: Detect
underflow
Parameters: Detect
overflow
Parameters: Detect
precision loss
Recommended Rationale
Setting
error
Division by a singular matrix can result
in numeric exceptions when executing
the generated code. This is not
acceptable in safety critical systems. (See
DO-178B, Section 6.3.1g & 6.3.2g and
MISRA-C 2004, Rule 21.1)
error
The model developer should insure that
all data types are correctly specified. (See
DO-178B, Section 6.3.1e & 6.3.2e)
error
Out of range data can result in incorrect
and unsafe behavior. (See DO-178B,
Section 6.3.1g & 6.3.2g)
error
Numeric overflows can result in incorrect
and unsafe behavior. (See DO-178B,
Section 6.3.1g & 6.3.2g)
error
Numeric exceptions are not acceptable in
safety critical systems. (See DO-178B,
Section 6.3.1g & 6.3.2g and MISRA-C
2004, Rule 21.1)
error
This prevents name clashing with signals
that Real-Time Workshop Embedded
Coder prefixes with rt (See DO-178B,
Section 6.3.1e & 6.3.2e)
error
A downcast to a lower signal range can
result in numeric overflows of
parameters, resulting in incorrect and
unsafe behavior. (See DO-178B, Section
6.3.1g & 6.3.2g)
error
The data type of the parameter does not
have sufficient resolution; therefore the
parameter value will be zero, instead of
the specified value. This could lead to
incorrect operation of the generated code.
(See DO-178B, Section 6.3.1g & 6.3.2g)
error
Numeric overflows can result in incorrect
and unsafe behavior. (See DO-178B,
Section 6.3.1g& 6.3.2g)
error
The data type of the parameter does not
have sufficient resolution; therefore the
parameter value will be different than the
specified value. This could lead to
incorrect operation of the generated code.
(See DO-178B, Section 6.3.1g & 6.3.2g)
Page 58
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Diagnostic
Parameters: Detect loss of
tunability
Model Initialization:
Underspecified
initialization detection
Recommended Rationale
Setting
error
An expression with a tunable parameter
has been reduced to a numerical value;
therefore the parameter value will not be
tunable in the generated code. (See DO178B, Section 6.3.1g & 6.3.2g)
Enable all as
Reading data before it is written can
errors
result in use of un-initialized and stale
data. (See DO-178B, Section 6.3.3b)
Enable all as
Writing data after it is read can result in
errors
use of stale or incorrect data. (See DO178B, Section 6.3.3b)
Enable all as
Writing data twice in one time step can
errors
result in unpredictable data. (See DO178B, Section 6.3.3b)
error
Read or write data in different task in
multitask mode can result in corrupted or
unpredictable data. (See DO-178B,
Section 6.3.3b)
none, warning, This setting controls whether the model
or error
supports the semantic of two unique data
stores having the same Name. Since the
memory for the two instances is unique,
the initial values are distinctly and
uniquely applied in a predictable manner.
error
This setting is only enabled when the
setting for Underspecified Initialization
Detection is set to Classic (when the
latter setting is set to Simplified a
violation always results in an error). If
two or more inputs to a Merge block are
computed in the same time frame, the
output value may be non-deterministic.
(See DO-178B, Section 6.3.3b)
Simplified
An output of a conditionally executed
subsystem could have an un-initialized
output, resulting in non-deterministic
operation. (See DO-178B, Section 6.3.3b
and MISRA-C 2004, Rule 9.1)
Page 59
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Diagnostic
Model Initialization: Check
undefined subsystem initial
output
Recommended Rationale
Setting
Off or on
This setting is only enabled when the
setting for Underspecified Initialization
Detection is set to Classic. This setting is
ignored when using the Simplified setting
for Underspecified Initialization
Detection.
Off or on
This setting is only enabled when the
setting for Underspecified Initialization
Detection is set to Classic. This setting is
ignored when using the Simplified setting
for Underspecified Initialization
Detection.
Off or on
This setting is only enabled when the
setting for Underspecified Initialization
Detection is set to Classic. This setting is
ignored when using the Simplified setting
for Underspecified Initialization
Detection.
none, warning This setting is only used for debugging
or error
custom S-Functions.
Disable All
Assertions should not used in embedded
code, these are intended for use in model
verification. Note: It is appropriate to set
this to Use local settings for simulation
and also in test harness models.
Page 60
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Recommended type conversion diagnostic settings are outlined in the following table
along with rationale. Type conversion diagnostics are all considered to be important for
generation of safety critical code.
Diagnostic
Unnecessary type
conversions
Recommended Rationale
Setting
warning
The unnecessary type conversion block
may be optimized out of the generated
code, resulting in a requirement with no
code. The model developer should
remove these unnecessary type
conversions. (See DO-178B, Section
6.3.1g & 6.3.2g)
Page 61
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Diagnostic
Vector/matrix block input
conversion
Recommended Rationale
Setting
error
When Simulink software performs
automatic conversions between vector
and matrix dimensions, it is possible to
have an unintended operation or
unpredictable behavior occur. (See DO178B, Section 6.3.1g & 6.3.2g)
warning
This conversion can result in a loss of
precision due to truncation of the least
significant bits for large integer values.
(See DO-178B, Section 6.3.1g & 6.3.2g)
Page 62
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Recommended connectivity diagnostic settings are outlined in the following table along
with rationale.
Diagnostic
Signal label mismatch
Recommended Rationale
Setting
error
This message is only for virtual signals
and has no effect on the generated code,
but signal label mismatches could lead to
confusion during model reviews. (See
DO-178B, Section 6.3.1e & 6.3.2e)
error
Code cannot be generated for
unconnected block inputs. (See DO178B, Section 6.3.1e & 6.3.2e)
error
Dead code can result from unconnected
block outputs. (See DO-178B, Section
6.3.1e & 6.3.2e and MISRA-C 2004,
Rule 14.1)
Page 63
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Diagnostic
Unconnected line
Invalid function-call
connection
Context-dependent inputs
Recommended Rationale
Setting
error
Code cannot be generated for
unconnected lines. (See DO-178B,
Section 6.3.1e & 6.3.2e)
error
In order for a bus signal to cross a model
boundary, it must be defined as a Bus
Object to insure compatibility with higher
level models that use this model as a
reference model. (See DO-178B, Section
6.3.3b and MISRA-C 2004, Rule 16.6)
error
This diagnostic is necessary to prevent
the use of incompatible busses into a bus
capable block such that the output names
would be inconsistent. (See DO-178B,
Section 6.3.3b)
error
When Simulink software performs
automatic conversion of a muxed signal
to a bus; it is possible to have an
unintended operation or unpredictable
behavior occur. (See DO-178B, Section
6.3.3b) The user can use the Model
Advisor or the sl_replace_mux utility
function to replace all mux blocks used as
bus creators with a bus creator block.
error
When Simulink software performs
automatic conversion of a bus signal to a
vector; it is possible to have an
unintended operation or unpredictable
behavior occur. (See DO-178B, Section
6.3.3b) The user can use the
Simulink.BlockDiagram.addBusToVector
utility function to insert Bus to Vector
blocks in the appropriate places to
eliminate this problem.
error
An invalid use of a function call
subsystem has been detected and
operation of the generated code may be
incorrect. (See DO-178B, Section 6.3.3b)
Enable All
Unpredictable data coupling has been
detected between a function call
subsystem and its inputs. (See DO-178B,
Section 6.3.3b)
Page 64
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Recommended compatibility diagnostic settings are outlined in the following table along
with rationale. Compatibility diagnostics are considered to be important for generation of
safety critical code if custom S-Functions are being used in the models.
Diagnostic
Recommended Rationale
Setting
S-Function upgrades needed error
An S-Function written for a previous
version may not be compatible with the
current version and could result in
incorrect operation of the generated code.
(See DO-178B, Section 6.3.3b)
Page 65
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Recommended model referencing diagnostic settings are outlined in the following table
along with rationale. Of course these recommendations are only appropriate if model
referencing is being used in the Model-Based Design.
Page 66
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Diagnostic
Model block version
mismatch
Model configuration
mismatch
Recommended Rationale
Setting
none
This diagnostic is used to determine that
the model calling the model reference
block is not using the same version of
model as the referenced model on the
path. The user should be getting the
latest version from the software
configuration management system, rather
than using an older version, which could
lead to incorrect simulation results and
mismatches between simulation and
target code operation. (See DO-178B,
Section 6.3.3b)
error
This diagnostic is used to determine that
the model calling the model reference
block has an incorrect graphical interface
to the version of model code as the
referenced model on the path. This could
lead to unconnected lines and ports and
unexpected simulation results. (See DO178B, Section 6.3.3b and MISRA-C
2004, Rule 16.6)
warning
This diagnostic is used to determine that
the referenced model on the path has an
incompatible configuration for a
referenced model or that it has a different
configuration than the parent model.
Some diagnostics for reference models
are not supported in simulation mode, so
setting this to error can cause simulations
not to run. Some differences in
configurations could lead to incorrect
simulation results and mismatches
between simulation and target code
operation, so warnings should be
generated and reviewed. (See DO-178B,
Section 6.3.3b)
Page 67
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Diagnostic
Invalid root Inport/Outport
block connection
Recommended Rationale
Setting
error
When Simulink detects an illegal
Inport/Outport connection in a referenced
model; it may automatically insert hidden
blocks into the model to correct the
problem. These hidden blocks lead to
code with no traceable requirements,
which violates DO-178B. Setting this
diagnostic to error, forces the model
developer to manually correct the
reference model. (See DO-178B, Section
6.3.3b and MISRA-C 2004, Rule 16.6)
error
This diagnostic applies to To Workspace
or Scope blocks that are logging signals
in a referenced model. Since these
blocks are ignored for embedded code
and only used for debugging, a warning
or error should occur, indicating that an
inappropriate block is in the referenced
model. (See DO-178B, Section 6.3.1d &
6.3.2d)
Page 68
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Recommended saving diagnostic settings are outlined in the following table along with
rationale.
Diagnostic
Block diagram contains
disabled library links
Recommended Rationale
Setting
error
This diagnostic is used to determine if
there are any broken library links at the
time the model is saved. Saving with
disabled library links may result in the
model being inconsistent with the library
the next time it is opened. (See DO178B, Section 6.3.3b)
Page 69
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Diagnostic
Block diagram contains
parameterized library links
Recommended Rationale
Setting
error
This diagnostic is used to determine if
there are any non-mask parameters used
within library links at the time the model
is saved. Saving with parameterized
library links may result in the model
being inconsistent with the library block.
(See DO-178B, Section 6.3.3b)
Page 70
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
The embedded hardware settings must be set to match the operation of the target
compiler and hardware. The emulation hardware must be set to None for target code
generation. This latter setting would only be used for prototyping on hardware that is
different from the actual production target.
Page 71
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Page 72
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Recommended Simulation Target option settings are outlined in the following table along
with rationale.
Option
Enable
debugging/animation
Recommended Rationale
Setting
on
In order to provide diagnostic coverage
specified in sections 13.2 and 13.3 during
simulation, the Enable
debugging/animation setting must be
checked. This will not affect the
embedded code, only the simulation
code.
Off or on
This setting has no effect on safety and is
only used during simulation.
on
This setting should be set so that any
numeric overflows are reported during
simulation. Numeric overflows can
result in incorrect and unsafe behavior.
(See DO-178B, Section 6.4.2.2 & 6.4.3)
Incremental
Method of building of simulation code
build,
has no effect on safety and does not
Rebuild all,
affect the generation of the embedded
Make without code.
generating
code,
Clean all, or
Clean objects
Page 73
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
9.2 Symbols
The Symbols Pane for Simulation Target of the Configuration Parameters is shown
below:
Page 74
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Recommended Symbols option settings are outlined in the following table along with
rationale.
Option
Reserved names
Recommended
Setting
Empty or any
valid reserved
name
expression
that does not
contain a
Real-Time
Workshop
keyword
Rationale
The reserved names correspond to
functions or variables that may be
contained in custom code. Real-Time
Workshop will mangle any names that
may conflict with reserved names in the
generated code.
Page 75
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Page 76
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Recommended Custom Code option settings are outlined in the following table along
with rationale.
Option
Source File
Header File
Initialize Function
Terminate Function
Include directories
Source Files
Libraries
Recommended
Setting
Empty or any
valid custom
code
Empty or any
valid include
directories,
source file
names or
library names
to be included
in the
compiled code
Rationale
Insertion of custom code into the autogenerated code should have no safety
impact. It is up to the modeler to
document the requirements for this code
and to provide verification of this code.
Compilation of custom code along with
the auto-generated code should have no
safety impact. It is up to the modeler to
document the requirements for this code
and to provide verification of this code.
Page 77
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Recommended Real-Time Workshop option settings are outlined in the following table
along with rationale.
Page 78
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Option
System target file
Language
Compiler optimization
level
TLC options
Generate makefile
Make command
Template makefile
Recommended
Setting
ERT based
Rationale
Page 79
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Option
Ignore custom storage
classes
Recommended
Setting
On or Off
On or Off
On or Off
Rationale
If custom storage classes are to be used
in the generated code, this option must be
Off. It may be necessary to set this
option to On for simulation targets, if
they do not support custom storage
classes.
This option is used to determine if test
points in the model are to be inserted as
variables that are accessible in the
generated code. If this option is set to
on, then test pointed signals can be
treated as temporary variables and may
not be accessible in the generated code.
This option is used to determine if only
source code is generated, or if the
executable is also built form the source
code. If this is set to Off, then typically,
Generate makefile must be set to On
and Make command and Template
makefile must have valid values
defined. Alternatively, the
PostCodeGenCommand parameter can
be used in conjunction with the buildInfo
object to dynamically interface to an
IDE-based tool chain for compilation.
See the Real-Time Workshop
documentation for details on using this
approach.
Page 80
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
10.2 Report
The Report Pane of the Configuration Parameters is shown below:
Recommended Report option settings are outlined in the following table along with
rationale.
Page 81
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Option
Create code generation
report
Recommended
Setting
On
Launch report
automatically
On or Off
Code-to-model
On
Model-to-code
On
On
On
On
Traceable Embedded
MATLAB functions
On
Rationale
The code generation report will be used
to perform code reviews and to show
traceability from code to requirements.
(See DO-178B, Section 6.3.4)
This setting determines whether or not
the code generation code report is opened
automatically at code generation time.
The report can also be opened from the
model explorer at any time.
The code to model navigation can assist
in the performance of code reviews and
to show traceability from code to
requirements. (See DO-178B, Section
6.3.4)
The model to code navigation can assist
in the performance of code reviews and
to show traceability from requirements to
code. (See DO-178B, Section 6.3.4)
Showing eliminated and virtual blocks
can assist in the performance of code
reviews and to show traceability from
requirements to code. (See DO-178B,
Section 6.3.4)
Showing traceable Simulink blocks can
assist in the performance of code reviews
and to show traceability from
requirements to code. (See DO-178B,
Section 6.3.4)
Showing traceable Stateflow objects can
assist in the performance of code reviews
and to show traceability from
requirements to code. (See DO-178B,
Section 6.3.4)
Showing traceable Embedded MATLAB
functions can assist in the performance of
code reviews and to show traceability
from requirements to code. (See DO178B, Section 6.3.4)
Page 82
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
10.3 Comments
The Comments Pane of the Configuration Parameters is shown below:
Recommended Rationale
Setting
On
This setting provides good traceability
between the code and the model. (See
DO-178B, Section 6.3.4e)
On
This setting provides good traceability
between the code and the model. (See
DO-178B, Section 6.3.4e)
On
This setting provides good traceability
between the code and the model. (See
DO-178B, Section 6.3.4e)
On
This setting provides good traceability
between the code and the model. (See
DO-178B, Section 6.3.4e)
Page 83
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Option
Simulink block descriptions
Stateflow object
descriptions
Requirements in block
comments
Recommended Rationale
Setting
On or Off
This option will comment the code with
Simulink block descriptions that are
entered in the model. Entry of block
descriptions is optional at the model
level.
On or Off
This option will comment the code with
Stateflow object descriptions that are
entered in the model. Entry of object
descriptions is optional at the model
level.
On or Off
This option will comment the code with
Simulink data object descriptions that
are entered in the model. Entry of data
object descriptions is optional at the
model level.
On
This setting provides good traceability
between the code and the high level
requirements. (See DO-178B, Section
6.3.4e)
On or Off
This option will comment the code with
MPT object descriptions that are entered
in the model. Entry of MPT object
descriptions is optional at the model
level.
Page 84
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
10.4 Symbols
The Symbols Pane of the Configuration Parameters is shown below:
Recommended Rationale
Setting
$R$N$M
This setting can be used to set up naming
styles in the generated code. $M is
required in order to avoid name
collisions. See the Real-Time
Workshop Embedded Coder
documentation for Specifying Identifier
Formats.
Page 85
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Option
Global types
Subsystem methods
Constant macros
Recommended Rationale
Setting
$N$R$M
This setting can be used to set up naming
styles in the generated code. $M is
required in order to avoid name
collisions. See the Real-Time
Workshop Embedded Coder
documentation for Specifying Identifier
Formats.
$N$M
This setting can be used to set up naming
styles in the generated code. $M is
required in order to avoid name
collisions. See the Real-Time
Workshop Embedded Coder
documentation for Specifying Identifier
Formats.
$R$N$M$F
This setting can be used to set up naming
styles in the generated code. $M is
required in order to avoid name
collisions. See the Real-Time
Workshop Embedded Coder
documentation for Specifying Identifier
Formats.
$N$M
This setting can be used to set up naming
styles in the generated code. $M is
required in order to avoid name
collisions. See the Real-Time
Workshop Embedded Coder
documentation for Specifying Identifier
Formats.
rtb_$N$M
This setting can be used to set up naming
styles in the generated code. $M is
required in order to avoid name
collisions. See the Real-Time
Workshop Embedded Coder
documentation for Specifying Identifier
Formats.
$R$N$M
This setting can be used to set up naming
styles in the generated code. $M is
required in order to avoid name
collisions. See the Real-Time
Workshop Embedded Coder
documentation for Specifying Identifier
Formats.
Page 86
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Option
Minimum mangle length
Signal naming
Parameter naming
#define naming
Recommended Rationale
Setting
4
This provides a value that makes it
unlikely that parameter and signal names
will change during code generation when
the model has changed. This will assist
in minimizing code differences between
file versions, thus decreasing the effort to
perform code reviews. (See DO-178B,
Section 6.3.1e & 6.3.2e)
31 or greater
The maximum identifier length should be
set based on the maximum allowed by
the compiler being used (although
MISRA-C 2004, Rule 5.1 recommends a
maximum length of 31 for portability).
The longer this length can be the easier it
will be to trace the identifiers to the
model. (See DO-178B, Section 6.3.1e &
6.3.2e)
Literals or
This option determines whether inlined
Macros
parameters are inserted as Literals (i.e.
numeric value) or as Macros (i.e. variable
name)
None, Force
This setting can be used to set up naming
upper case,
styles in the generated code. See the
Force lower
Module Packing Features document to
case or
determine how to use this setting to
Custom Mcustomize signal naming.
function
None, Force
This setting can be used to set up naming
upper case,
styles in the generated code. See the
Force lower
Module Packing Features document to
case or
determine how to use this setting to
Custom Mcustomize parameter naming.
function
None, Force
This setting can be used to set up naming
upper case,
styles in the generated code. See the
Force lower
Module Packing Features document to
case or
determine how to use this setting to
Custom Mcustomize #define naming.
function
Page 87
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Option
Use the same reserved
names as Simulation Target
Reserved names
Recommended Rationale
Setting
Off or on
When this setting is off the code
generator uses the reserved names
identified on this pane. When this setting
is on the code generator uses the reserved
names on the Simulation Target Symbols
Pane.
Empty or any This setting is only enabled if Use The
valid reserved Same Reserved Names As Simulation
name
Target is set to Off. The reserved names
expression
correspond to functions or variables that
that does not
may be contained in custom code. Realcontain a
Time Workshop will mangle any names
Real-Time
that may conflict with reserved names in
Workshop
the generated code.
keyword
Page 88
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Recommended Real-Time Workshop Custom Code option settings are outlined in the
following table along with rationale.
Option
Use the same custom code
settings as Simulation
Target
Recommended Rationale
Setting
Off or on
When this setting is off the code
generator uses the custom code identified
on this pane. When this setting is on the
code generator uses the custom code on
the Simulation Target Custom Code
Pane.
Page 89
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Option
Source File
Header File
Initialize Function
Terminate Function
Include directories
Source Files
Libraries
Recommended
Setting
Empty or any
valid custom
code
Empty or any
valid include
directories,
source file
names or
library names
to be included
in the
compiled code
Rationale
Insertion of custom code into the autogenerated code should have no safety
impact. It is up to the modeler to
document the requirements for this code
and to provide verification of this code.
Compilation of custom code along with
the auto-generated code should have no
safety impact. It is up to the modeler to
document the requirements for this code
and to provide verification of this code.
Page 90
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
10.6 Debug
The Debug Pane of the Configuration Parameters is shown below:
Debugging will normally be turned off, but may be used when developing custom TLC
files. The Debugging has no direct effect on the safety of the code. If artifacts of the code
generation log are desired, select the Verbose build option and capture the output
generated to the MATLAB command window.
Page 91
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
10.7 Interface
The Interface Pane of the Configuration Parameters is shown below:
Recommended Rationale
Setting
ANSI-C, ISO- This setting is determined by the target
C or GNU
system math libraries. Note: Before
setting this option, verify that your
compiler supports the library you want to
use.
Auto or
See the Real-Time Workshop
Shared
documentation for a description of how
location
to use this setting.
Page 92
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Option
Support floating point
numbers
Recommended Rationale
Setting
On or Off
Normally this will be set to On, unless
the target processor only supports fixed
point, then it should be set to Off to
insure hardware compatibility. (See DO178B Section 6.3.1c, 6.3.2c & 6.3.3c)
Off
Support of non-finite numbers is
inappropriate for real-time safety critical
systems. (See DO-178B Section 6.3.1c &
6.3.2c)
On or Off
Set as appropriate for you application.
Off
Support of absolute time is inappropriate
for real-time safety critical systems. (See
DO-178B Section 6.3.1c & 6.3.2c)
Off
Support of continuous time is
inappropriate for real-time safety critical
systems. (See DO-178B Section 6.3.1c &
6.3.2c)
Off
This option would require supporting
non-finite numbers which is
inappropriate for real-time safety critical
systems. (See DO-178B Section 6.3.1c &
6.3.2c)
Off
This option is not appropriate for realtime embedded systems. (See DO-178B
Section 6.3.1c & 6.3.2c)
On
Having a single call to the output and
update functions simplifies the interface
to the RTOS and simplifies verification
of the auto-generated code. (See DO178B Section 6.3.1c & 6.3.2c)
Off
Terminate function is only used for
dynamic memory de-allocation, which is
not appropriate for real-time safety
critical systems. ((See DO-178B Section
6.3.1c & 6.3.2c and MISRA-C 2004,
Rule 20.4)
On or Off
This option affects the style of the code
interface. If the auto-generated code is
intended to be reused multiple times in
the same executable with different data
sets for each use, then this option must be
set to On. If the code is only to be used
once, then this option may be On or Off.
Page 93
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Option
Suppress error status in
real-time model data
structure
Interface
Recommended Rationale
Setting
On
Not selecting this option will produce
extra code that may be unreachable and
therefore un-testable in the generated
code. (See DO-178B, Section 6. 3.1c &
6.3.2c and MISRA-C 2004, Rule 14.1)
On or Off
This option creates an S-Function
wrapper for the generated code so that it
can be tested during simulation using a
test harness. The generated model code
is unaffected by this option, only an
additional S-function interface file
(<modelname>_sf.c) is created.
Alternatively, model reference can be
used to test the code generated for a
Model block during a simulation,
however the target code for the Model
block will need to be generated
separately from the simulation code.
On or Off
This option allows the generated code to
be compiled for use with the S-Function
wrapper described above in this table,
even if the word size of the host machine
is different from the word size of the
target computer defined in the Hardware
Implementation pane of the
Configuration Parameters.
Off
This option adds extra code to log test
point to a MAT file, which would not be
supported by the embedded target
platform. (See DO-178B Section 6.3.1c
& 6.3.2c) This option should only be
used in test harnesses, not in models used
for embedded target code generation.
None
This option allows extra interface code to
be generated to support signal
observation and parameter tuning on the
target platform. Any of the three options:
C-API, External Mode or ASAP2 may be
used during development, but it is
recommended that this software be
removed for the final production version.
Page 94
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Recommended Real-Time Workshop Code Style option settings are outlined in the
following table along with rationale.
Option
Parentheses level
Recommended
Setting
Maximum
(MISRA C
compliance)
On
Preserve condition
expression in if statement
On
Rationale
This setting forces the use of parentheses
and avoids the reliance on C precedence
rules. (See DO-178B Section 6.3.1c &
6.3.2c and MISRA-C 2004, Rule 12.1)
This setting provides good traceability
between the code and the model. (See
DO-178B, Section 6.3.4e)
This setting provides good traceability
between the code and the model. (See
DO-178B, Section 6.3.4e)
Page 95
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
10.9 Templates
The Templates Pane of the Configuration Parameters is shown below:
Templates are used only to insert program specific header information into the source and
header files. These have no direct effect on the safety of the generated code, but must be
verified to be acceptable by the system developer.
Page 96
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Data placement options affect the style of the generated code. These have no direct effect
on the safety of the generated code, but must be verified to be acceptable by the system
developer.
Page 97
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Data Type Replacement allows developers to replace the standard Real-Time Workshop
data type identifiers with there own custom data type identifiers. For safety, it is
recommended that data type replacement not be used. Currently, replacement names do
not fully participate in RTW name conflicts check. There could be conflicts between
replacement name and other symbols, e.g. function, variable, etc. If that happens, code
wont compile correctly or will be incorrect if compiles. However, all default type names
are reserved words, so this is not an issue if default type names are used.
Page 98
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Memory Sections allows developers to map the generated code to specific memory
sections or memory types in the target. These have no direct effect on the safety of the
generated code, but must be verified to be acceptable by the system developer.
Page 99
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Rationale
Random number generation may be nondeterministic and is difficult to verify.
Random number generation may be nondeterministic and is difficult to verify.
White noise generation may be nondeterministic and is difficult to verify.
Page 100
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Figure 12-1
For fixed point operations the Accumulator Data Type and Output Data Type should
be set using the data type assistant. This will enable the settings for Mode, Sign,
Scaling, Word length, Slope, Bias and Lock Output Scaling Against Changes
by the Autoscaling Tool. It is highly recommended that for fixed point operations that
the output scaling be displayed as a block attribute so that the proper output scaling can
Page 101
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
be verified during model reviews. Figure 12-2 shows the recommended settings for fixed
point.
Figure 12-2
Page 102
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Some blocks have a Parameter Attributes pane. For all operations other than fixed
point arithmetic, it is recommended to set Parameter Data Type is to use Inherit: Same
as input as shown in Figure 12-3. For fixed point operations the Parameter Data Type
should be set to using the data type assistant as shown in Figure 12-4. (See MISRA-C
2004, Rule 10.1, 10.2, 10.3 & 10.4)
Figure 12-3
Figure 12-4
Page 103
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
For all logical and relational operator blocks the Output Data Type should always be
set to Boolean as shown in Figure 12-5. (See MISRA-C 2004, Rule 12.6)
Figure 12-5
Page 104
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
When performing type casts, Saturate on integer overflow selection should be carefully
considered on a case by case basis, but is absolutely required when performing downcasts,
such as from 32 bit to 16 bit. If Inherit via back propagation type casting is used, then
Saturate on integer overflow should also be set on, as shown in Figure 12-6, because
this could result in down casting. (See DO-178B, Section 6.4.2.2 & 6.4.3 and MISRA-C
2004, Rule 10.1, 10.2 10.3 & 10.4)
Figure 12-6
Page 105
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
The use of Data Store blocks can have significant effects on the software verification
effort, especially in the area of data coupling and control. Models and subsystems which
use only inports and outports to pass data result in clean, deterministic and verifiable
interfaces in the generated code. (See DO-178B, Section 6.3.3b)
When using For Iterator subsystems it is recommended that sample time dependent
blocks such as integrators, filters and transfer functions not be used within these
subsystems because they will not function properly with an inherited sample time.
Port dimensions
Sample time
Page 106
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Data type
Signal type
Sampling mode
Figure 12-7
A Model Advisor check exists that can verify these settings. (See DO-178B, Section
6.3.1b & 6.3.2b)
Page 107
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
The math functions log, log10 and rem rely on non-finite number support, which may
result in numeric exceptions in the generated code. It is recommended that these math
functions not be used. (See DO-178B, Section 6.4.2.2 & 6.4.3 and MISRA-C 2004, Rule
21.1) If these functions are necessary in the design then a custom hand coded S-Function
with built-in protection against non-finite numbers may be used in place of these math
functions. For log and log10 functions, if precision is not an issue, then a lookup table
may be used in place of these math functions.
When using the math function reciprocal, it is possible to get a divide by zero, resulting
in inf as an output. When using this function, the divisor input must be protected from
going to zero. (See DO-178B, Section 6.4.2.2 & 6.4.3 and MISRA-C 2004, Rule 21.1)
Page 109
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
State Machine Type allows the user to select between Classic, Mealy or Moore
semantic rules. Here is a brief comparison of the semantics:
Mealy and Moore charts use a subset of Stateflow semantics which can provide state
charts which may be easier to understand and use in safety critical systems. For more
information, see Building Mealy and Moore Charts in Stateflow in the help
documentation for Stateflow.
Use Strong Data Typing with Simulink I/O should be checked because strong data
typing is recommended for safety critical code. (See MISRA-C 2004, Rule 10.1, 10.2,
10.3 & 10.4)
User specified state/transition execution order should be checked. In this mode, the
model developer has complete control of the order in which parallel states are executed
and transitions originating from a source are tested for execution. It is also recommended
that under the Chart View Menu, Show Transition Execution Order always is set to on
so that the transition testing order is always visible. (See DO-178B, Section 6.3.1b &
6.3.2b)
Page 112
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Page 113
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Page 114
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Page 115
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
In contrast, a3 gets executed at most once, in the following diagram which does not
have the backup.
Page 116
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Page 117
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Page 118
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
http://www.mathworks.com/support/solutions/data/1-1IFP0W.html
Page 119
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute
Page 120
MathWorks Confidential subject to Non-Disclosure Agreement
Do not distribute