DO Qualification Kit

Simulink® Design Verifier™


Tool Operational Requirements

R2017a

January 3, 2017 qualkitdo_sldv_tor


How to Contact MathWorks
Latest news: www.mathworks.com
Sales and services: www.mathworks.com/sales_and_services
User community: www.mathworks.com/matlabcentral
Technical support: www.mathworks.com/support/contact_us
Phone: 508-647-7000
The MathWorks, Inc.
3 Apple Hill Drive
Natick, MA 01760-2098
DO Qualification Kit: Simulink® Design Verifier™ Tool Operational Requirements
© COPYRIGHT 2017 by The MathWorks, Inc.
The software described in this document is furnished under a license agreement. The software may be used or copied only under
the terms of the license agreement. No part of this manual may be photocopied or reproduced in any form without prior written
consent from The MathWorks, Inc.
FEDERAL ACQUISITION: This provision applies to all acquisitions of the Program and Documentation by, for, or through the
federal government of the United States. By accepting delivery of the Program or Documentation, the government hereby agrees
that this software or documentation qualifies as commercial computer software or commercial computer software documentation
as such terms are used or defined in FAR 12.212, DFARS Part 227.72, and DFARS 252.227-7014. Accordingly, the terms and
conditions of this Agreement and only those rights specified in this Agreement, shall pertain to and govern the use, modification,
reproduction, release, performance, display, and disclosure of the Program and Documentation by the federal government (or
other entity acquiring for or through the federal government) and shall supersede any conflicting contractual terms or conditions.
If this License fails to meet the government’s needs or is inconsistent in any respect with federal procurement law, the
government agrees to return the Program and Documentation, unused, to The MathWorks, Inc.
Trademarks
MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See www.mathworks.com/trademarks for a
list of additional trademarks. Other product or brand names may be trademarks or registered trademarks of their respective
holders.
Patents
MathWorks products are protected by one or more U.S. patents. Please see www.mathworks.com/patents for more
information.


Revision History
March 2017 New for DO Qualification Kit Version 3.3 (Applies to Release 2017a)

Contents
1 Introduction.......................................................................................................................................1-1
1.1 Simulink Design Verifier Product Description........................................................................1-2
2 Operational Requirements.................................................................................................................2-1
2.1 Design Error Detection.............................................................................................................2-2
2.2 Model Objects Support.............................................................................................................2-4
2.3 Tool Interfaces..........................................................................................................................2-6
2.4 Abnormal Operating Modes.....................................................................................................2-8
2.5 User Information......................................................................................................................2-9
3 Installation.........................................................................................................................................3-1
4 Operational Environment..................................................................................................................4-1

1 Introduction

This document comprises the Tool Operational Requirements (reference DO-330 Section
10.3.1) for the following capabilities of the Simulink® Design Verifier™ (SLDV) product:

• Design Error Detection

The requirements are provided in the Operational Requirement section in a tabular form, tagged
with unique identifiers that you can use to trace to the associated tool test cases, procedures and
results. Text not included in the tables does not represent the requirement and is intended to
provide supporting information.

The document identifies:

• Features of the Simulink Design Verifier product
• The environment in which the Simulink Design Verifier product should be installed (reference DO-330, Sections 10.2.4 and 10.3.2).

This document is intended for use in the DO-330 tool qualification process for TQL-5 tools. The
applicant needs to:

• Review the Tool Operational Requirements for applicability in the project or program under consideration.
• Configure the Tool Operational Requirements in the project or program’s configuration management system.
• Complete the Tool Operational Requirements and make the document available for review.

See documentation for the following products at the MathWorks® Documentation Center,
R2017a:

• DO Qualification Kit (for DO-178)
• Simulink Design Verifier
• Simulink®
• Stateflow®

1.1 Simulink Design Verifier Product Description
Simulink® Design Verifier™ uses formal methods to identify hidden design errors in models
without extensive simulation runs. It detects blocks in the model that result in integer overflow,
dead logic, array access violations, division by zero, and requirement violations. For each error
it produces a simulation test case for debugging.

Simulink Design Verifier generates test inputs for model coverage and custom objectives. It also
lets you augment and extend existing test cases. These test cases drive your model to satisfy
condition, decision, modified condition/decision (MCDC), and custom coverage objectives.

The Model Slicer tool in Simulink Design Verifier isolates problematic behavior in a model
using a combination of dynamic and static analysis. It lets you highlight and trace functional
dependencies of ports, signals, and blocks, and slice a large model into smaller, standalone
models for analysis. You can view blocks affecting a subsystem output and trace a signal path
through multiple switches and logic. The Variant Reducer tool enables you to simplify models
containing multiple variants by creating sliced models based on active variant configurations.

Key Features

• Test case input generation from functional requirements and model coverage objectives, including condition, decision, and MCDC
• Detection of dead logic, integer and fixed-point overflows, array access violations, division by zero, and violations of design requirements
• Verification blocks for modeling functional and safety requirements
• Property proving, with generation of violation examples for analysis and debugging
• Model Slicer for analyzing functional dependencies and problematic behavior in large models
• Variant Reducer for creating sliced models based on active variant configurations
• Polyspace® and Prover formal verification engines for fixed-point and floating-point models

Note: For details regarding API use, see the Simulink Design Verifier Reference document.

2 Operational Requirements

The following subsections provide the operational requirements for the Simulink® Design Verifier™ capabilities that are supported by the DO Qualification Kit. The user is responsible for validating that the tool features they rely on to eliminate, reduce or automate the process are sufficiently covered by the Tool Operational Requirements (reference DO-330 Section 6.2.1.aa).

2.1 Design Error Detection
Simulink Design Verifier can be used to detect design errors in a model by applying formal analysis methods. The following table lists the operational requirements for the Simulink Design Verifier design error detection capabilities supported by the DO Qualification Kit.

SLDV_DBZ: Simulink Design Verifier shall determine if division by zero can occur during model simulation for the supported model objects.

SLDV_OFL: Simulink Design Verifier shall determine if overflow of the integer and fixed-point signals can occur during model simulation for the supported model objects.

SLDV_DR: Simulink Design Verifier shall determine if signal values can go out of the specified range during model simulation for the supported model objects that allow signal range specification.

SLDV_AOB: Simulink Design Verifier shall determine if out-of-bound array access can occur during model simulation for the supported model objects.

SLDV_DL: Simulink Design Verifier shall detect dead logic for the supported model objects that have decision or condition outcomes. Unreachable decision or condition outcomes shall be considered dead logic.

Note: Simulink Design Verifier provides two options for dead logic detection configuration:
- Dead logic detection only: reduced capability, some dead logic may not be detected
- Dead and active logic detection: full capability, also reporting active logic

This requirement applies specifically to the second dead logic detection configuration, “Dead and active logic detection”. For details, see operational requirement SLDV_IF_OPT and the Simulink Design Verifier User’s Guide.

SLDV_SCOPE: Simulink Design Verifier shall detect dead logic and determine if design errors can occur during model simulation for any possible combination of model inputs within specified ranges, at any simulation step, for models with linear algorithms. If model input signal ranges are not explicitly specified, the minimum and maximum values of the signal data type are used for analysis.

Note: Simulink Design Verifier detects errors and dead logic using formal methods that are proven sound for linear algorithms when no approximation is applied (for details, refer to the Simulink Design Verifier Tool Qualification Plan document). Simulink Design Verifier applies approximation methods in the following cases:
- Floating-point numbers approximated with rational numbers
- Linearization of two-dimensional lookup tables for floating-point data types
- Approximation of one- and two-dimensional lookup tables for integer and fixed-point data types
- The number of while loop iterations may be set to 3 if a conservative constant allowing the while loop to exit cannot be detected

For details, refer to “Approximations” in the Simulink Design Verifier User’s Guide.

If more than one design error exists in the model, Simulink Design Verifier may report only the one that precedes the others in sorted execution order.

SLDV_SUBSYS: If a model containing subsystems is analyzed, the analysis shall not consider the signal ranges specified on the input ports of the subsystems.

2.2 Model Objects Support
Simulink Design Verifier supports the following model objects, which may contain the design errors specified in Section 2.1.

Simulink Design Verifier shall determine division by zero (SLDV_DBZ) for the following blocks:
• SLDV_DBZ_DVD: Divide block
• SLDV_DBZ_REC: Math Function for the function reciprocal

SLDV_DBZ_SFC: Simulink Design Verifier shall determine division by zero (SLDV_DBZ) for the Stateflow chart objects with MATLAB and C action language.

Simulink Design Verifier shall determine signal overflow (SLDV_OFL) and signal range overrun (SLDV_VOR) for the following blocks allowing signal range specification:
• SLDV_SR_ABS: Abs
• SLDV_SR_DTC: Data Type Conversion
• SLDV_SR_DIF: Difference
• SLDV_SR_DDER: Discrete Derivative
• SLDV_SR_DTI: Discrete-Time Integrator
• SLDV_SR_GAIN: Gain
• SLDV_SR_IPP: Interpolation Using Prelookup
• SLDV_SR_NDLT: n-D Lookup Table
• SLDV_SR_MAT: Math Function
• SLDV_SR_MMX: MinMax
• SLDV_SR_MSW: Multiport Switch
• SLDV_SR_PRD: Product, Divide, Product of Elements
• SLDV_SR_SATD: Saturation Dynamic
• SLDV_SR_SUM: Sum, Add, Subtract, Sum of Elements
• SLDV_SR_SWT: Switch

Simulink Design Verifier shall determine signal range overrun (SLDV_VOR) for the following blocks allowing signal range specification:
• SLDV_SR_IN: Inport
• SLDV_SR_OUT: Outport
• SLDV_SR_REL: Relay
• SLDV_SR_SAT: Saturation
• SLDV_SR_SSP: Signal Specification

Simulink Design Verifier shall determine out-of-bound array access (SLDV_AOB) for the following blocks:
• SLDV_AOB_SLC: Selector
• SLDV_AOB_IVT: Index Vector
• SLDV_AOB_MLF: MATLAB Function

SLDV_AOB_SFC: Simulink Design Verifier shall determine out-of-bound array access (SLDV_AOB) for the Stateflow chart objects with MATLAB and C action language.

Simulink Design Verifier shall detect dead logic for the following blocks that have decision or condition outcomes (for details, refer to “Model Objects That Receive Dead Logic Detection” in the Simulink Design Verifier User’s Guide):
• SLDV_DL_ABS: Abs
• SLDV_DL_DZ: Dead Zone
• SLDV_DL_DTI: Discrete-Time Integrator
• SLDV_DL_ES: Enabled Subsystem
• SLDV_DL_FOR: For Iterator, For Iterator Subsystem
• SLDV_DL_IF: If, If Action Subsystem
• SLDV_DL_LIB: Library-Linked Objects
• SLDV_DL_LOG: Logical Operator
  Note: Logic expressions are treated as short-circuited.
• SLDV_DL_MLF: MATLAB Function
• SLDV_DL_MMX: MinMax
• SLDV_DL_MDL: Model
• SLDV_DL_MSW: Multiport Switch
• SLDV_DL_RTL: Rate Limiter
• SLDV_DL_REL: Relay
• SLDV_DL_SAT: Saturation
• SLDV_DL_SFC: Stateflow Charts
• SLDV_DL_SWT: Switch
• SLDV_DL_SWC: SwitchCase, SwitchCase Action Subsystem
• SLDV_DL_WHL: While Iterator, While Iterator Subsystem

2.3 Tool Interfaces
Simulink Design Verifier provides user interfaces for configuring and executing the design error detection feature and for generating reports.

SLDV_IF_INP: Simulink Design Verifier shall operate on models stored in the SLX format of the current release.

SLDV_IF_API: The Simulink Design Verifier API function sldvrun shall provide the following capabilities:
• Specify a model or subsystem to analyze
• Specify analysis options to apply using an sldvoptions object
• Invoke analysis and generate a report with the analysis results
• Detect and report incompatibilities of the analyzed model

SLDV_IF_OPT: Simulink Design Verifier shall support the following analysis options specified by an sldvoptions object:
• Enable/disable different analysis modes:
  - Mode
  - DetectDivisionByZero
  - DetectIntegerOverflow
  - DesignMinMaxCheck
  - DetectOutOfBounds
  - DetectDeadLogic
  - DetectActiveLogic
• SaveReport to generate the analysis report

Note: The DetectDeadLogic and DetectActiveLogic options are enabled for the supported configuration “Dead and active logic detection”; see operational requirement SLDV_DL.

Automatic stubbing and block replacement features are not covered by the DO Qualification Kit; therefore, the following options are set to ‘off’ while executing DO Qualification Kit test cases:
- AutomaticStubbing
- BlockReplacement

SLDV_IF_RPT: The report generated by Simulink Design Verifier shall include the following sections:
• Model Information, which includes model file name, version, author and last saved timestamp
• Analysis Options, which includes the options configuration (for details see SLDV_IF_OPT)
• Design Error Detection Objectives Status, which lists:
  - dead and active logic items (in dead logic detection mode) or
  - falsified and proven valid objectives (if any; in all other supported modes)
• Derived Ranges section that identifies derived signal ranges

Note: The report may also include other supplementary information not covered by the DO Qualification Kit, such as Block Replacement Summary.

Note: For details regarding API use, see the Simulink Design Verifier Reference document.
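As an added example (not part of the DO Qualification Kit or its test cases), the following MATLAB functions build an sldvoptions object matching the configuration described in SLDV_IF_OPT and SLDV_DL, verify that the options the kit does not cover are off before the run, and then invoke sldvrun without the UI. The model name passed in, the two function names and the assumption that a status other than 1 from sldvrun means the analysis did not complete normally are assumptions made here.

```matlab
% Added example: build and verify an sldvoptions configuration for the
% DO Qualification Kit design error detection setup, then run sldvrun.
% The function names and the status interpretation are assumptions.

function run_qualified_ded(modelName)
    % Design error detection with every supported check enabled and
    % report generation on (see SLDV_IF_OPT).
    opts = sldvoptions;
    opts.Mode                  = 'DesignErrorDetection';
    opts.DetectDivisionByZero  = 'on';
    opts.DetectIntegerOverflow = 'on';
    opts.DesignMinMaxCheck     = 'on';
    opts.DetectOutOfBounds     = 'on';
    opts.DetectDeadLogic       = 'on';   % "Dead and active logic detection"
    opts.DetectActiveLogic     = 'on';   % is the configuration SLDV_DL covers
    opts.SaveReport            = 'on';
    % Features the kit does not cover must stay off.
    opts.AutomaticStubbing     = 'off';
    opts.BlockReplacement      = 'off';

    % Refuse to analyze if the configuration drifted from the covered one.
    problems = check_qualified_options(opts);
    if ~isempty(problems)
        error('Options not in the qualified configuration:\n%s', ...
              strjoin(problems, newline));
    end

    % Run without the UI. Assumption: status 1 means the analysis
    % completed normally; anything else means no report should be trusted.
    [status, files] = sldvrun(modelName, opts, false);
    if status ~= 1
        error('sldvrun did not complete normally (status = %d)', status);
    end
    disp(files);   % paths of the generated report and data files
end

function problems = check_qualified_options(opts)
    % Compare an sldvoptions object against the settings the kit covers
    % and return a description of every mismatch (empty if none).
    expected = struct('Mode', 'DesignErrorDetection', ...
                      'DetectDeadLogic', 'on', 'DetectActiveLogic', 'on', ...
                      'AutomaticStubbing', 'off', 'BlockReplacement', 'off');
    names = fieldnames(expected);
    problems = {};
    for k = 1:numel(names)
        actual = opts.(names{k});
        if ~strcmp(actual, expected.(names{k}))
            problems{end+1} = sprintf('%s is ''%s'', expected ''%s''', ...
                names{k}, actual, expected.(names{k})); %#ok<AGROW>
        end
    end
end
```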

2.4 Abnormal Operating Modes
Simulink Design Verifier detects abnormal operating modes and generates corresponding error messages.

SDLV_ABN_MDL: Simulink Design Verifier shall check the integrity of the input model file. If model file corruption is detected, Simulink Design Verifier shall generate an error message and interrupt the analysis without generating a report.

SDLV_ABN_API: Simulink Design Verifier shall check the validity of the API input arguments. If there are one or more invalid arguments, Simulink Design Verifier shall generate an error message and interrupt the analysis without generating a report.

SDLV_ABN_CMT: Simulink Design Verifier shall check if the model is compatible with Simulink Design Verifier. If the model has unsupported features, Simulink Design Verifier shall generate an error message and interrupt the analysis without generating a report.

Note: Automatic Stubbing and Block Replacement features are not covered by the DO Qualification Kit; see requirement SLDV_IF_OPT.

2.5 User Information
The Simulink Design Verifier user information is in the Simulink Design Verifier User’s Guide.

To access the user information documents, on the MATLAB® command line, type qualkitdo to open the Artifacts Explorer. The documents are located under Simulink Design Verifier.

3 Installation

To use the Simulink® Design Verifier™ product, install the following MathWorks® products:

• MATLAB®
• Simulink®
• Simulink® Design Verifier™

Instructions for installing the products are available at the MathWorks Documentation Center,
R2017a > Installation.

4 Operational Environment

The DO Qualification Kit product supports the following operating environments for the
Simulink® Design Verifier™ product:

• Personal computer
• One of the following operating systems:
  - Microsoft® Windows®
  - Linux®¹
  - Mac OS X
• MATLAB® Software
• Simulink® Software

¹ Linux® is a registered trademark of Linus Torvalds.