Certkitiec Ug

IEC Certification Kit
User's Guide
R2015a
How to Contact MathWorks

Latest news:
www.mathworks.com
Sales and services:
www.mathworks.com/sales_and_services
User community:
www.mathworks.com/matlabcentral
Technical support:
www.mathworks.com/support/contact_us
Phone:
508-647-7000
The MathWorks, Inc.

3 Apple Hill Drive
Natick, MA 01760-2098
IEC Certification Kit User's Guide
COPYRIGHT 20092015 by The MathWorks, Inc.
The software described in this document is furnished under a license agreement. The software may be used
or copied only under the terms of the license agreement. No part of this manual may be photocopied or
reproduced in any form without prior written consent from The MathWorks, Inc.
FEDERAL ACQUISITION: This provision applies to all acquisitions of the Program and Documentation
by, for, or through the federal government of the United States. By accepting delivery of the Program
or Documentation, the government hereby agrees that this software or documentation qualifies as
commercial computer software or commercial computer software documentation as such terms are used
or defined in FAR 12.212, DFARS Part 227.72, and DFARS 252.227-7014. Accordingly, the terms and
conditions of this Agreement and only those rights specified in this Agreement, shall pertain to and
govern the use, modification, reproduction, release, performance, display, and disclosure of the Program
and Documentation by the federal government (or other entity acquiring for or through the federal
government) and shall supersede any conflicting contractual terms or conditions. If this License fails
to meet the government's needs or is inconsistent in any respect with federal procurement law, the
government agrees to return the Program and Documentation, unused, to The MathWorks, Inc.
Trademarks
MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See
www.mathworks.com/trademarks for a list of additional trademarks. Other product or brand
names may be trademarks or registered trademarks of their respective holders.
Patents
MathWorks products are protected by one or more U.S. patents. Please see
www.mathworks.com/patents for more information.
Revision History
March 2009
Online only
September 2009
Online only
March 2010
Online only
September 2010
Online only
April 2011
Online only
September 2011
Online only
March 2012
Online only
September 2012
Online only
March 2013
Online only
September 2013
Online only
March 2014
Online only
October 2014
Online only
March 2015
Online only
New for Version 1.0 (Applies to Releases 2007a

+, 2008a, 2008b, 2009a)
Revised for Version 1.1 (Applies to Releases
2008a, 2008b, 2009a, 2009a+, 2009b)
Revised for Version 1.2 (Applies to Release
2010a)
2009bSP1, R2010a, 2010b)
2010bSP1, 2011a)
2011b)
2012a)
2010bSP2, 2012b)
2013a)
2013b)
2014a)
2014b)
2015a)
Contents
Getting Started with IEC Certification Kit

IEC Certification Kit Product Description . . . . . . . . . . . . . . .
Key Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1-2
1-2
Required Knowledge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1-3
IEC Certification Kit Component Overview . . . . . . . . . . . . . .
1-4
Tool Artifacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Certificate Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Reference Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Conformance Demonstration Template (CDT) . . . . . . . . . . . .
ISO 26262 Tool Qualification Package (TQP) . . . . . . . . . . . .
Test Procedure and Test Cases . . . . . . . . . . . . . . . . . . . . . .
Exploring the Artifacts . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1-6
1-7
1-7
1-8
1-9
1-9
1-10
1-10
Supporting Artifacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Model-Based Design Information . . . . . . . . . . . . . . . . . . . .
Software Tool Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . .
1-13
1-13
1-13
Products Supported by IEC Certification Kit for Each

MathWorks Release . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1-14
Access Certification Artifacts for Embedded Coder . . . . . .
1-19
Access Certification Artifacts for Simulink PLC Coder . . .
1-21
Access Certification Artifacts for Simulink Design Verifier
1-22
Access Certification Artifacts for Simulink Verification and

Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1-23
Access Certification Artifacts for Polyspace Bug Finder . .
1-24
Access Certification Artifacts for Polyspace Code Prover .
1-25
Access Supporting Artifacts for ISO 26262 . . . . . . . . . . . . . .
1-26
Access Supporting Artifacts for EN 50128 . . . . . . . . . . . . . .
1-27
Access Supporting Artifacts for IEC 61508 . . . . . . . . . . . . . .
1-28
Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1-29
ISO 26262 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
What Is ISO 26262? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ISO 26262 Compliance Considerations . . . . . . . . . . . . . . . .
ISO 26262 Tool Qualification Considerations . . . . . . . . . . .
1-30
1-30
1-30
1-31
IEC 61508 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
What Is IEC 61508? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
IEC 61508 Compliance Considerations . . . . . . . . . . . . . . . .
IEC 61508 Tool Certification Considerations . . . . . . . . . . . .
1-32
1-32
1-32
1-33
EN 50128 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
What Is EN 50128? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
EN 50128 Software Tool Considerations . . . . . . . . . . . . . . .
1-35
1-35
1-35
IEC 61511 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
What Is IEC 61511? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1-36
1-36
Reference Workflows
Embedded Coder Reference Workflow Overview . . . . . . . . .
2-2
Simulink PLC Coder Reference Workflow Overview . . . . . .
2-5
Simulink Design Verifier Reference Workflow Overview . . .
2-8
Simulink Verification and Validation Reference Workflow

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
vi
Contents
2-10
Polyspace Bug Finder Reference Workflow Overview . . . .
2-12
Polyspace Code Prover Reference Workflow Overview . . .
2-13
Certification Process
Define Certification Objectives and Requirements . . . . . . . .
3-2
Certify or Qualify Software Tools . . . . . . . . . . . . . . . . . . . . . .
3-3
Document Evidence of Using Tools Within Referenced

Workflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ISO 26262 Tool Qualification Artifacts . . . . . . . . . . . . . . . . .
IEC 61508 Tool Certification Artifacts . . . . . . . . . . . . . . . . .
EN 50128 Tool Certification Artifacts . . . . . . . . . . . . . . . . . .
3-4
3-4
3-5
3-7
Validate Software Tools

Software Tool Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4-2
Run Test Cases and Procedures for Embedded Coder . . . . .
4-3
Run Test Cases and Procedures for Simulink Verification and

Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4-4
Run Test Cases and Procedures for Polyspace Bug Finder .
4-6
Run Test Cases and Procedures for Polyspace Code Prover
4-7
vii
viii
Contents
Access and Manage Certification Artifacts

Access Artifacts Using the Certification Artifacts Explorer .
Certification Artifacts in the IEC Certification Kit Product . .
What Is a Certification Package? . . . . . . . . . . . . . . . . . . . . .
How To Access Certification Artifacts . . . . . . . . . . . . . . . . . .
5-2
5-2
5-2
5-2
Manage Artifacts Using the Certification Artifacts

Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5-5
Delete Certification Packages from Certification Artifacts

Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5-6
Certification Artifacts Explorer Limitations . . . . . . . . . . . . .
5-7
Certification Artifacts Explorer on Linux and Mac

Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5-8
Support Certification-Related Development

Activities
Generate a Traceability Matrix . . . . . . . . . . . . . . . . . . . . . . . .
About Traceability Matrices . . . . . . . . . . . . . . . . . . . . . . . . .
Prerequisites for Generating a Traceability Matrix . . . . . . . .
How to Generate a Traceability Matrix . . . . . . . . . . . . . . . . .
6-2
6-2
6-3
6-3
Add Comments to a Traceability Matrix . . . . . . . . . . . . . . . .

Requirements for Adding Comments to a Traceability Matrix
How To Retain Comments . . . . . . . . . . . . . . . . . . . . . . . . . .
6-6
6-6
6-7
Traceability Matrix Limitations . . . . . . . . . . . . . . . . . . . . . . .
6-8
Display Bug Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6-9
Functions Alphabetical List
Model Advisor Checks

IEC Certification Kit Checks . . . . . . . . . . . . . . . . . . . . . . . . . .
Display bug reports using IEC Certification Kit checks . . . . .
Display bug reports for Simulink Verification and Validation
Display bug reports for Simulink Design Verifier . . . . . . . . .
Display bug reports for Simulink PLC Coder . . . . . . . . . . . .
Display bug reports for IEC Certification Kit . . . . . . . . . . . .
Display bug reports for Polyspace Bug Finder . . . . . . . . . . . .
Display bug reports for Polyspace Code Prover . . . . . . . . . . .
Display bug reports for Embedded Coder . . . . . . . . . . . . . . .
8-2
8-3
8-4
8-5
8-6
8-7
8-8
8-9
8-9
ix
1
Getting Started with IEC Certification
Kit
IEC Certification Kit Product Description on page 1-2
Required Knowledge on page 1-3
IEC Certification Kit Component Overview on page 1-4
Tool Artifacts on page 1-6
Supporting Artifacts on page 1-13
Products Supported by IEC Certification Kit for Each MathWorks Release on page
1-14
Access Certification Artifacts for Embedded Coder on page 1-19
Access Certification Artifacts for Simulink PLC Coder on page 1-21
Access Certification Artifacts for Simulink Design Verifier on page 1-22
Access Certification Artifacts for Simulink Verification and Validation on page
1-23
Access Certification Artifacts for Polyspace Bug Finder on page 1-24
Access Certification Artifacts for Polyspace Code Prover on page 1-25
Access Supporting Artifacts for ISO 26262 on page 1-26
Access Supporting Artifacts for EN 50128 on page 1-27
Access Supporting Artifacts for IEC 61508 on page 1-28
Limitations on page 1-29
ISO 26262 on page 1-30
IEC 61508 on page 1-32
EN 50128 on page 1-35
IEC 61511 on page 1-36
IEC Certification Kit Product Description

Qualify code generation and verification tools for ISO 26262 and IEC 61508 certification
IEC Certification Kit provides tool qualification artifacts, certificates, and test suites,
and generates traceability matrices. The kit helps you qualify code generation and
verification products and streamline certification of your embedded systems to ISO
26262, IEC 61508, EN 50128, and related functional-safety standards such as IEC
62304. Certificates and assessment reports from the certification authority TV SD are
included in the kit for the supported products and standards.
IEC Certification Kit provides ISO 26262 tool classification and qualification work
products, together with test suites. It includes templates that let you adapt the work
products to meet specific project needs. You can generate project-specific artifacts,
including traceability matrices covering requirements, models, and generated code.
Project- and product-specific artifacts can be combined to produce a complete ISO 26262
tool qualification package for embedded system certification.
Key Features
TV SD certificates and reports for supported Simulink products
TV SD certificates and reports for supported Polyspace products
ISO 26262 tool classification and qualification work products and test suites
Traceability matrix generation covering requirements, models, and generated code
Customizable templates for delivering documentation to certification authorities
Artifacts explorer for navigating and viewing artifacts for each supported product and
standard
Checks for tool-associated bug reports
1-2
Required Knowledge
Required Knowledge
Before using the IEC Certification Kit product, make sure that you have:
Knowledge about developing safety-related software.
Knowledge of the applicable safety standard:
ISO 26262 Road vehicles - Functional safety
IEC 61508 Functional safety of electrical/electronic/programmable electronic
safety-related systems
EN 50128 Railway Applications - Communications, Signalling and Processing
Systems - Software for Railway Control and Protection Systems
IEC 61511 Functional safety - Safety Instrumented Systems for the process industry
sector
Experience with MathWorks products that you use to develop, verify, or validate
software for systems that are required to comply with the applicable standard.
If you have an Embedded Coder license, also review the following information:
ISO 26262 Standard in the Embedded Coder documentation
IEC 61508 Standard in the Embedded Coder documentation
1-3
IEC Certification Kit Component Overview

The table summarizes the certification artifacts and tools provided with the IEC
Certification Kit.
Component
Description
More Information
Certification and
qualification evidence
Certificates and certification Tool Artifacts on page

reports issued by TV SD,
1-6
a German-based certification Certificate on page
authority, as evidence that
1-7
the product is suitable for
use in development processes Certificate Report on
page 1-7
which need to comply with
IEC 61508, EN 50128, or
IEC 61511 or qualified
according to ISO 26262.
Documents and templates
Artifacts and templates that Tool Artifacts on page

you can use to document
1-6
compliance with the
Supporting Artifacts on
standards.
page 1-13
Tools for certificationrelated development

activities
Generate traceability
matrices covering model
requirements, model
objects, and generated
code.
Generate a Traceability
Matrix on page 6-2
Display Bug Reports on
page 6-9
Model Advisor checks

for tool-associated bug
reports.
Tool for managing
certification artifacts
1-4
An Artifacts Explorer
that you can use to
access and manage work
products created during
the development of highintegrity systems, including
certification artifacts.
Artifact Management
IEC Certification Kit Component Overview

Component
Description
More Information
Test cases and test

procedures to support tool
validation
Test procedures that

Tool Validation
you can use to automate
Automation
tool validation tests
for Embedded Coder,
Simulink Verification and
Validation, Polyspace Bug
Finder, and Polyspace
Code Prover
Note: The rights.txt file describes allowed uses of the IEC Certification Kit product.
You can find the file at matlabroot/toolbox/qualkits/iec.
1-5
Tool Artifacts
Tool certification artifacts support you when you use MathWorks products in the
context of the ISO 26262, IEC 61508, EN 50128, or IEC 61511 standards. You can
submit certification artifacts, or derivatives thereof, as evidence of compliance with the
standards. The artifacts in the kit are not accessible from the MathWorks website.
The IEC Certification Kit provides the following types of tool artifacts:
Certificate on page 1-7
Certificate Report on page 1-7
Reference Workflow on page 1-8
Conformance Demonstration Template (CDT) on page 1-9
ISO 26262 Tool Qualification Package (TQP) on page 1-9
Test Procedure and Test Cases on page 1-10
To familiarize yourself with the artifacts, see Exploring the Artifacts on page 1-10.
To access the certification artifacts, open the Artifacts Explorer and navigate to the
product folder.
Tool Artifacts For MathWorks Products
Tool Artifact
Embedded
Coder
Simulink PLC Simulink

Coder
Verification
and
Validation
Simulink
Design
Verifier
Polyspace
Bug Finder
Polyspace
Code Prover
Certificate on
page 1-7
Certificate
Report on page
1-7
Reference
Workflow on page
1-8
Conformance
Demonstration
1-6
Tool Artifacts
Tool Artifact
Embedded
Coder
Template (CDT)
on page 1-9
Simulink PLC Simulink

Coder
Verification
and
Validation
ISO 26262 Tool
Qualification
Package (TQP) on
page 1-9
Test Procedure
and Test Cases on

page 1-10
Simulink
Design
Verifier
Polyspace
Bug Finder
Polyspace
Code Prover
Certificate
A PDF file issued by TV SD as evidence that the product is suitable for use in
development processes which need to comply with IEC 61508, EN 50128, or IEC 61511 or
qualified according to ISO 26262. Each certificate has a certificate number.
Certificate Report
TV SD, a German-based certification authority, issues an audit report evaluating the
product suitability for use in development processes that must comply with IEC 61508,
EN 50128, or IEC 61511 or qualified according to ISO 26262.
The report has the following sections:
Purpose and Scope - Provides the purpose and scope of the TV SD evaluation of
the product. TV SD audits the MathWorks development organization responsible
for the product to assess their development and quality assurance processes.
Product Overview - Provides a general description and overview of how the product is
used with other products in development processes that must comply with standards.
Identification - Identifies product releases that are covered by the audit report.
Certification - Provides descriptions of the standards and the basis of the TV SD
certification.
Results - Provides the audit results, including:
1-7
Software development and quality engineering processes.

Customer bug reporting processes.
Requirements on software tools in IEC 61508, ISO 26262, and EN 50128.
Tool classification and validation according to IEC 61508 and ISO 26262.
General Conditions and Restrictions - Provides conditions and restrictions on the
product suitability for use in development processes that must comply with ISO
26262, IEC 61508, EN 50128, or IEC 61511.
Summary and Certificate Number
Reference Workflow
A PDF file describing a reference workflow in which the product is used in Model-Based
Design development processes that must comply with ISO 26262, IEC 61508, EN 50128,
or IEC 61511.
The IEC Certification Kit product follows an in-context approach to tool certification and
qualification. This approach is based on the reference workflows used when applying the
certified and qualified tools to develop or verify software for ISO 26262, IEC 61508, and
EN 50128 applications. You must establish that the tools are used within the referenced
workflows and constraints specified in the Certificate Reports.
The reference workflow:
Describes activities intended to comply with applicable requirements of the overall
software safety lifecycles defined by IEC 61508-3, ISO 26262, and EN 50128.
Provides tool use cases detailing how the tool is used in Model-Based Design
development processes that must comply with ISO 26262, IEC 61508, EN 50128, or
IEC 61511.
Addresses risk levels:
ASIL A - ASIL D, according to ISO 26262
SIL 1 - SIL 3, according to IEC 61508
SIL 0 - SIL 3/4, according to EN 50128
You can use the conformance demonstration template (CDT) to assess your workflow
conformance to ISO 26262, IEC 61508, or EN 50128.
1-8
Tool Artifacts
Conformance Demonstration Template (CDT)

A PDF and editable .docx template that you can use to demonstrate your workflow
conformance to ISO 26262, IEC 61508, or EN 50128.
The conformance demonstration template provides checklists with measures and
techniques that you can use to assess your workflow conformance to the standards.
The reference workflow describes how the product is used in Model-Based Design
development processes that must comply with the standards.
For each technique or measure in the checklist, you can state the degree to which you
applied the technique or measure for application under consideration:
Used
Used to a limited degree
Not used
Additionally, you can state how you used the technique or measure in the application
under consideration. If the reference workflow includes alternative means for compliance,
you can indicate what variant you used.
ISO 26262 Tool Qualification Package (TQP)

A PDF and editable .docx file that contains templates intended for use in the ISO
26262 tool classification and qualification process for software tools. The TQP contains
templates for these ISO 26226 tool qualification work products (see ISO 26262-8, Clause
11):
Software Tool Criteria Evaluation Report documenting the tool classification. The
report lists the tool environment, configuration, reference workflow, and use cases.
Software Tool Qualification Report documenting the tool qualification, if required.
Confirmation Review of Tool Classification and Qualification.
ISO 26262-8, Clause 11 provides provisions for software tools that are used to tailor
activities or tasks required by ISO 26262. To establish the required confidence in such
tools, the standard outlines a two-step approach:
Tool classification determines the required Tool Confidence Level (TCL) of the
software tool.
1-9
Depending on the result of the tool classification, you might need to carry out a formal
tool qualification.
Test Procedure and Test Cases

Test cases and procedures used to support tool validation. Tool validation is a method
listed in ISO 26262 and IEC 615033 for tool qualification. Based on your adherence
to the reference workflow, desired certification rigor, or project-specific needs, the tool
might require tool qualification.
Exploring the Artifacts

The ISO 26262, IEC 61508, and EN 50128 standards include requirements or
recommendations to use certified or qualified tools. You can use the artifacts provided
with the IEC Certification Kit to document compliance with the requirements or
recommendations. To familiarize yourself with the artifacts available for each
MathWorks product:
1
Open the Artifacts Explorer to access the certification artifacts.
Open the certificate and certificate report for a product. For example, in the Artifacts
Explorer, navigate to Embedded Coder > r2015a and open the product certificate
and certificate report:
certkitiec_ecoder_certificate.pdf
certkitiec_ecoder_certreport.pdf
The certificate certkitiec_ecoder_certificate.pdf has a number, date, TV
certification mark, and the Embedded Coder product name. It indicates that TV
assessed Embedded Coder as suitable for use in development processes that must
comply with ISO 26262, IEC 61508, EN 50128, or IEC 61511.
The certificate report certkitiec_ecoder_certreport.pdf is an audit report
detailing the TV evaluation of Embedded Coder for use in development processes
that must comply with ISO 26262, IEC 61508, EN 50128, or IEC 61511.
To comply with ISO 26262, IEC 61508, EN 50128, or IEC 61511, the certificate
report section General conditions and restrictions recommends use of the
Embedded Coder Reference Workflow for safety-related applications.
1-10
Tool Artifacts
Open the Reference Workflow for a product for a product. For example, in
the Artifacts Explorer, navigate to Embedded Coder > r2015a and open
certkitiec_ecoder_workflow.pdf.
The Embedded Coder Reference Workflow describes a workflow for applicationspecific verification and validation of models and generated C and C++ code
developed using Model-Based Design with product code generation. To comply with
ISO 26262, IEC 61508, EN 50128, or IEC 61511, you should use this reference
workflow in safety-related applications.
The Embedded Coder Reference Workflow addresses these risk levels
ASIL A - ASIL D, according to ISO 26262
SIL 1 - SIL 3, according to IEC 61508
SIL 0 - SIL 3/4, according to EN 50128
Open the Conformance Demonstration Template (CDT) for a product. For example,
in the Artifacts Explorer, navigate to Embedded Coder > r2015a and open
certkitiec_ecoder_cdt.docx.
You can use the Embedded Coder Conformance Demonstration Template to
demonstrate conformance with the parts of ISO 26262-6/8, IEC 61508-3, or EN
50128 covered in the Embedded Coder Reference Workflow.
For example, in the Embedded Coder Conformance Demonstration Template,
checklist 1 lists the Technique / Measure Model Review with a reference to the
Review and Static Analysis at the Model Level in the Embedded Coder Reference
Workflow. In the third column of the checklist, you can state to what degree you
applied the Model Review technique when assessing compliance to the standard.
Open the ISO 26262 Tool Qualification Package for a product. For example,
in the Artifacts Explorer, navigate to Embedded Coder > r2015a and open
certkitiec_ecoder_tqp.docx.
The Embedded Coder Tool Qualification Package has templates for the following ISO
26262 work products:
Software Tool Criteria Evaluation Report
Software Tool Qualification Report
Confirmation Review of Tool Classification and Qualification
1-11
The Software Tool Criteria Evaluation Report provides Embedded Coder use cases
and a tool classification summary. The tool classification summary establishes these
required tool confidence levels:
TCL1 for the code generator if you follow the Embedded Coder Reference
Workflow.
TCL2 for the code generator if you follow a subset of the Embedded Coder
Reference Workflow.
6
If applicable, explore the Test Procedure / Test Cases for a product. For example, in
the Artifacts Explorer, navigate to Embedded Coder > r2015a.
To execute the test cases, see Run Test Cases and Procedures for Embedded Coder
on page 4-3.
1-12
Create a certification package containing the artifacts of interest. See Manage

Artifacts Using the Certification Artifacts Explorer on page 5-5.
Supporting Artifacts
Supporting Artifacts
The following artifacts provide certification support when you use MathWorks products
in the context of the ISO 26262, IEC 61508 or EN 50128 standards. The artifacts in the
kit are not accessible from the MathWorks website.
To access the supporting artifacts, open the Artifacts Explorer.
Supporting Artifact
ISO 26262
EN 50128
IEC 61508
Model-Based Design
Information on page
1-13
Software Tool Inventory

on page 1-13
Model-Based Design Information

A PDF and .docx file that provides suggestions for leveraging MathWorks products to
address the techniques, methods, and measures required by the standards.
The IEC Certification Kit provides the following Model-Based Design Information
artifacts:
Model-Based Design for ISO 26262
Model-Based Design for EN 50128
Model-Based Design for IEC 61508

A PDF and editable .docx template that you can use to list the software tools you used
in your project, along with the corresponding tool classification, qualification, and
certification documentation.
1-13
Products Supported by IEC Certification Kit for Each MathWorks

Release
MathWorks product releases supported by the IEC Certification Kit are listed in the
following table.
Summary of IEC Certification Kit Support for MathWorks Products
Supported Product
Product Releases Supported by IEC Certification Kit
Embedded Coder
R2011a - R2015a
Real-Time Workshop Embedded Coder
R2008a - R2010b, R2009bSP1, R2010bSP1,

R2010bSP2
Simulink PLC Coder
R2010a - R2015a
Simulink Verification and Validation
R2011a - R2015a, R2010bSP1
Simulink Design Verifier
R2011a - R2015a, R2010bSP1
Polyspace Client for C/C++ and Polyspace R2008a - R2008b, R2009b - R2013a, R2009a+
Server for C/C++
Polyspace Bug Finder
R2013b - R2015a
Polyspace Code Prover
R2013b - R2015a
Polyspace Verifier for C
R2007a+
IEC Certification Kit support for products, releases, and standards is shown in the IEC
Certification Kit Support for Standards table. The IEC Certification Kit for a release can
include certification artifacts for products in a previous release. This inclusion occurs, for
example, when the IEC Certification Kit supports a new standard or a new product.
You can use the information in the IEC Certification Kit Support for Standards table to
determine the products and standards that are supported for each release. For example:
Initial support of Embedded Coder for ISO 26262 8:2011 is provided in IEC
Certification Kit R2012a.
IEC Certification Kit R2012a provides ISO 26262 8:2011 certification artifacts for
R2011a through R2012a of Embedded Coder.
Initial support of Simulink PLC Coder for IEC 61511:2003 is provided in IEC
Certification Kit R2010b.
1-14
Products Supported by IEC Certification Kit for Each MathWorks Release
IEC Certification Kit R2010b provides IEC 61511:2003 certification artifacts for
R2010a and R2010b of Simulink PLC Coder .
Initial support of Simulink Verification and Validation for IEC 61508:2010 is provided
by IEC Certification Kit R2011a.
IEC Certification Kit R2011a provides IEC 61508:2010 certification artifacts for
R2010bSP1 and R2011a of Simulink Verification and Validation .
IEC Certification Kit Support for Standards
Supported
Product
Supported
Product
Release
Initial
Support
IEC 615083:
2010
Support
ISO 26262
8:
2011
Support
EN 50128:
2011
Support
IEC 61511:
2003
Support
Embedded
Coder
R2015a
R2015a
R2015a
R2015a
R2015a
R2014b
R2014b
R2014b
R2014b
R2014b
R2014a
R2014a
R2014a
R2014a
R2014a
R2013b
R2013b
R2013b
R2013b
R2013b
R2013a
R2013a
R2013a
R2013a
R2013a
R2012b
R2012b
R2012b
R2012b
R2012b
R2012a
R2012a
R2012a
R2012a
R2012a
R2011b
R2011b
R2011b
R2011a
R2011a
R2011a
R2010bSP2
R2012b
R2012b
R2012b
R2012b
R2010bSP1
R2011a
R2011a
R2012a
R2012a
R2010b
R2010b
R2010a
R2010a
R2009bSP1
R2010b
R2009b
R2009b+
R2009a
R2009a+
Real-Time
Workshop
Embedded
Coder
IEC Certification Kit Release
R2008b
R2008a
1-15
Supported
Product
Supported
Product
Release

Initial
Support
IEC 615083:
2010
Support
ISO 26262
8:
2011
Support
EN 50128:
2011
Support
IEC 61511:
2003
Support
Simulink
PLC Coder
R2015a
R2015a
R2015a
R2015a
R2014b
R2014b
R2014b
R2014b
R2014a
R2014a
R2014a
R2014a
R2013b
R2013b
R2013b
R2013b
R2013a
R2013a
R2013a
R2013a
R2012b
R2012b
R2012b
R2012b
R2012a
R2012a
R2012a
R2012a
R2011b
R2011b
R2011b
R2011b
R2011a
R2011a
R2011a
R2011a
R2010b
R2010b
R2010b
R2010a
Simulink
Verification
and
Validation
R2015a
R2015a
R2015a
R2015a
R2015a
R2014b
R2014b
R2014b
R2014b
R2014b
R2014a
R2014a
R2014a
R2014a
R2014a
R2013b
R2013b
R2013b
R2013b
R2013b
R2013a
R2013a
R2013a
R2013a
R2013a
R2012b
R2012b
R2012b
R2012b
R2012b
R2012a
R2012a
R2012a
R2012a
R2012a
R2011b
R2011b
R2011b
R2011a
R2011a
R2011a
R2015a
R2015a
R2015a
R2015a
R2015a
R2014b
R2014b
R2014b
R2014b
R2014b
R2014a
R2014a
R2014a
R2014a
R2014a
R2013b
R2013b
R2013b
R2013b
R2013b
R2010bSP1
Simulink
Design
Verifier
1-16
Products Supported by IEC Certification Kit for Each MathWorks Release
Supported
Product
Supported
Product
Release

Initial
Support
IEC 615083:
2010
Support
ISO 26262
8:
2011
Support
EN 50128:
2011
Support
R2013a
R2013a
R2013a
R2013a
R2013a
R2012b
R2012b
R2012b
R2012b
R2012b
R2012a
R2012a
R2012a
R2012a
R2012a
R2011b
R2011b
R2011b
R2011a
R2011a
R2011a
R2015a
R2015a
R2015a
R2015a
R2015a
R2014b
R2014b
R2014b
R2014b
R2014b
R2014a
R2014a
R2014a
R2014a
R2014a
R2013b
R2013b
R2013b
R2013b
R2013b
Polyspace
R2015a
Code Prover R2014b
R2015a
R2015a
R2015a
R2015a
R2014b
R2014b
R2014b
R2014b
R2014a
R2014a
R2014a
R2014a
R2014a
R2013b
R2013b
R2013b
R2013b
R2013b
R2013a
R2013a
R2013a
R2013a
R2013a
R2012b
R2012b
R2012b
R2012b
R2012b
R2012a
R2012a
R2012a
R2012a
R2012a
R2011b
R2011b
R2011b
R2011a
R2011a
R2011a
R2010b
R2010b
R2010a
R2010a
R2009b
R2009b+
IEC 61511:
2003
Support
R2010bSP1
Polyspace
Bug Finder
Polyspace
Client for
C/C++ and
Polyspace
Server for C/
C++
R2009a+
R2008b
R2008a
1-17
Supported
Product
Supported
Product
Release
Initial
Support
IEC 615083:
2010
Support
ISO 26262
8:
2011
Support
EN 50128:
2011
Support
IEC 61511:
2003
Support
Polyspace
Verifier for
C
R2007a+
R2009a+
R2011a
R2012a
1-18
Access Certification Artifacts for Embedded Coder
Access Certification Artifacts for Embedded Coder

TV SD has certified specific versions of the Embedded Coder and product for use
in development processes that are required to comply with ISO 26262, IEC 61508, or
EN 50128. These product versions are also prequalified according to ISO 26262-8 for
Automotive Safety Integrity Levels ASIL A through ASIL D.
The IEC Certification Kit product contains certification artifacts for the following
versions of the Embedded Coder product:
Version 6.8 (R2015a)
Previous releases of the Embedded Coder product are certified or prequalified. For
supporting certification artifacts, see previous releases of the IEC Certification Kit
product.
Note: The Embedded Coder product was not developed using an IEC 61508 certified
process.
Open the Artifacts Explorer to access the certification artifacts. Alternatively, on the
MATLAB command line, type certkitiec. The certification artifacts are located in
Embedded Coder > r2015a.
Details on the certification artifacts are in the certificate reports.
Component
File
certkitiec_ecoder_certificate.pdf
certkitiec_ecoder_certreport.pdf
Reference Workflow Embedded Coder

Reference Workflow Overview
certkitiec_ecoder_workflow.pdf

on page 1-9
certkitiec_ecoder_cdt.docx/.pdf

on page 1-9
certkitiec_ecoder_tqp.docx/.pdf
certkitiec_ecoder_tests.m
certkitiec_ecoder_modelList.m
/tests/*
1-19
Component
1-20
File
/outputs/*
/baseline/*
Access Certification Artifacts for Simulink PLC Coder
Access Certification Artifacts for Simulink PLC Coder

TV SD certified specific versions of the Simulink PLC Coder product for use in
development processes that are required to comply with IEC 61508 or IEC 61511.
versions of the Simulink PLC Coder product:
Previous releases of the Simulink PLC Coder product are certified. For supporting
certification artifacts, see previous releases of the IEC Certification Kit product.
Note: The Simulink PLC Coder product was not developed using an IEC 61508 certified
process.
Simulink PLC Coder > r2015a.
Component
File
certkitiec_plccoder_certificate.pdf
certkitiec_plccoder_certreport.pdf
Reference Workflow Simulink PLC Coder

certkitiec_plccoder_workflow.pdf

on page 1-9
certkitiec_plccoder_cdt.docx/.pdf
1-21
Access Certification Artifacts for Simulink Design Verifier

TV SD has certified specific versions of the Simulink Design Verifier product for use
in development processes that are required to comply with ISO 26262, IEC 61508, or
versions of the Simulink Design Verifier product:
Note: The Simulink Design Verifier product was not developed using an IEC 61508
certified process.
Simulink Design Verifier > r2015a.
Component
File
certkitiec_sldv_certificate.pdf
certkitiec_sldv_certreport.pdf
Reference Workflow Simulink Design Verifier certkitiec_sldv_workflow.pdf

on page 1-9
certkitiec_sldv_cdt.docx/.pdf

on page 1-9
certkitiec_sldv_tqp.docx/.pdf
1-22
Access Certification Artifacts for Simulink Verification and Validation
Access Certification Artifacts for Simulink Verification and

Validation
TV SD has certified specific versions of the Simulink Verification and Validation
product for use in development processes that are required to comply with ISO 26262,
IEC 61508, or EN 50128. These product versions are also prequalified according to ISO
26262-8 for Automotive Safety Integrity Levels ASIL A through ASIL D.
versions of the Simulink Verification and Validation product:
Note: The Simulink Verification and Validation product was not developed using an IEC
61508 certified process.
Simulink Verification and Validation > r2015a.
Component
File
certkitiec_slvnv_certificate.pdf
certkitiec_slvnv_certreport.pdf
Reference Workflow Simulink Verification

and Validation Reference Workflow Overview
certkitiec_slvnv_workflow.pdf

on page 1-9
certkitiec_slvnv_cdt.docx/.pdf

on page 1-9
certkitiec_slvnv_tqp.docx/.pdf
certkitiec_slvnv_tests*.rpt/.xls
/tests/*
/outputs/*
1-23
Access Certification Artifacts for Polyspace Bug Finder

TV SD certified specific versions of the Polyspace Bug Finder product for use in
development processes that are required to comply with ISO 26262, IEC 61508, or
versions of the Polyspace Bug Finder product:
Note: The Polyspace Bug Finder product was not developed using an IEC 61508 certified
process.
Polyspace Bug Finder > r2015a.
Component
File
certkitiec_bugfinder_certificate.pdf
certkitiec_bugfinder_certreport.pdf
Reference Workflow Polyspace Bug Finder

certkitiec_bugfinder_workflow.pdf

on page 1-9
certkitiec_bugfinder_cdt.docx/.pdf

on page 1-9
certkitiec_bugfinder_tqp.docx/.pdf
/tests/* (including /tests/

certkitiec_bugfinder_tests.bat/.sh)
/outputs/*
Software Quality Objectives for Source Code
certkitiec_bugfinder_sqo.pdf
1-24
Access Certification Artifacts for Polyspace Code Prover
Access Certification Artifacts for Polyspace Code Prover

TV SD certified specific versions of the Polyspace Code Prover product for use in
development processes that are required to comply with ISO 26262, IEC 61508, or
versions of the Polyspace Code Prover product:
Note: The Polyspace Code Prover product was not developed using an IEC 61508
certified process.
Polyspace Code Prover > r2015a.
Component
File
certkitiec_codeprover_certificate.pdf
certkitiec_codeprover_certreport.pdf
Reference Workflow Polyspace Code Prover

certkitiec_codeprover_workflow.pdf

on page 1-9
certkitiec_codeprover_cdt.docx/.pdf

on page 1-9
certkitiec_codeprover_tqp.docx/.pdf
/tests/* (including /tests/

certkitiec_codeprover_tests.bat/.sh)
/outputs/*
Software Quality Objectives for Source Code
certkitiec_codeprover_sqo.pdf
1-25
Access Supporting Artifacts for ISO 26262

The IEC Certification Kit product contains the following artifacts to support ISO 26262
compliance:
Model-Based Design for ISO 26262 Provides suggestions for leveraging MathWorks
tools and workflows for Model-Based Design when applying the ISO 262626 and ISO
262628 standards.
Software Tool Inventory Provides a template for listing the software tools used
in the project under consideration and their corresponding tool classification/
qualification documentation.
MATLAB command line, type certkitiec. The supporting artifacts are located in
Supporting Artifacts.
Component
File
Model-Based Design for ISO 26262
certkitiec_mbd_iso26262.docx/.pdf
certkitiec_tools.docx/.pdf
1-26
Access Supporting Artifacts for EN 50128
Access Supporting Artifacts for EN 50128

The IEC Certification Kit product contains the following artifact to support EN 50128
compliance:
Model-Based Design for EN 50128 Provides suggestions for leveraging MathWorks
tools and workflows for Model-Based Design when applying the EN 50128 standard.
Component
File
Model-Based Design for EN 50128
certkitiec_mbd_en50128.docx/.pdf
1-27
Access Supporting Artifacts for IEC 61508

The IEC Certification Kit product contains the following artifact to support IEC 61508
compliance:
Model-Based Design for IEC 61508 Provides suggestions for leveraging MathWorks
tools and workflows for Model-Based Design when applying the IEC 61508 standard.
Component
File
Model-Based Design for IEC 61508
certkitiec_mbd_iec61508.docx/.pdf
1-28
Limitations
Limitations
Neither compliance with nor certification to the applicable safety standard ensure the
safety of the software or the system under consideration. However, the applicable safety
standard may be considered a state-of-the-art or generally accepted rules of technology
(GART) for the development of safety-related systems in your industry. A certification
might be used as evidence that state-of-the-art procedures were applied during system
development.
1-29
ISO 26262
In this section...
What Is ISO 26262? on page 1-30
ISO 26262 Compliance Considerations on page 1-30
ISO 26262 Tool Qualification Considerations on page 1-31
What Is ISO 26262?

ISO 26262 is an international functional safety standard titled Road vehicles
Functional safety. ISO 26262 is the adaptation of IEC 61508 to comply with needs
specific to the application sector of E/E systems1 within road vehicles.
ISO published the ISO 26262 standard in 2011. It consists of ten parts, referred to as ISO
26262-1 to ISO 26262-10.
Part 2 (ISO 26262-2) Management of functional safety specifies the requirements
on functional safety management for automotive applications. Part 6 (ISO 26262-6)
Product development: software level pertains to software development, verification,
and validation. It includes guidance for projects using Model-Based Design2 and code
generation. Part 8 (ISO 26262-8) Supporting processes addresses multiple crossfunctional topics, including the classification and qualification of software tools.
The required degree of rigor for software development, verification, and validation varies,
depending on how critical the software is. It is expressed in terms of Automotive Safety
Integrity Levels (ASILs) A to D. For example, a measure or technique listed in ISO 26262
might be recommended for ASIL A and ASIL B, and highly recommended for ASIL C and
ASIL D.
ISO 26262 Compliance Considerations

ISO 26262-2 lays out confirmation measures to be carried out in order to claim
compliance with the standard.
1.
2.
1-30
Systems that consists of electrical and electronic elements, including: programmable electronic elements,
power supplies, input devices, communication paths, and output devices.
Referred to as model-based development.
ISO 26262
ISO 26262 Tool Qualification Considerations

ISO 26262-8 provides a framework for software tool classification and qualification to
provide evidence that a software tool is suitable for use when developing safety-related
software. In this way, confidence can be achieved in the correct execution of the activities
and tasks supported by this tool (see ISO 26262-8, clause 11).
To determine the required level of confidence in a software tool (tool confidence level,
TCL), the applicant shall analyze the use cases for the software tool. The analysis
determines:
If a malfunctioning software tool and the erroneous output of the tool can lead to the
violation of a safety requirement.
The probability of preventing or detecting such errors in the output.
The evaluation considers tool-internal measures (for example, monitoring), as well
as tool-external measures (for example, guidelines, tests, reviews) that the applicant
implements in the development process for the safety-related software.
The required TCL, together with the ASIL of the software developed using the tool,
determines whether the tool must be qualified and allows the selection of relevant
qualification methods.
Regardless of the tool qualification, the tool user is and remains fully responsible for the
safety of the system and its embedded software.
1-31
IEC 61508
In this section...
What Is IEC 61508? on page 1-32
IEC 61508 Compliance Considerations on page 1-32
IEC 61508 Tool Certification Considerations on page 1-33
What Is IEC 61508?

IEC 61508 is an international, industry-independent functional safety standard, titled
Functional safety of electrical/electronic/programmable electronic safety-related systems.
The seven parts of the standard (referred to as IEC 61508-1 to IEC 61508-7) were
published in 2010.
IEC 61508-3 Software Requirements concerns software development, verification, and
validation. By constraining the processes used for software development and quality
assurance, the intention of the IEC 61508-3 standard is to:
Reduce the number of errors introduced during software development.
Increase the number of errors revealed by verification and validation activities.
IEC 61508 is a prescriptive standard, providing detailed lists of techniques and
measures with recommendations. The required degree of rigor for software development,
verification, and validation varies, depending on how critical the software is. The
standard expresses the degree of rigor in terms of Safety Integrity Levels (SILs). For
example, IEC-61508-3 might recommend a measure or technique for SIL 1 and 2, and
highly recommend it for SIL 3 and 4.
To help with the selection of techniques and measures relevant for a required SIL,
annexes A and B of IEC 61508-3 provide software safety integrity tables. The tables
list the techniques and measures recommended for each SIL. The standard organizes
the tables based on the different software lifecycle phases. IEC 61508-7 Overview
of techniques and measures provides detailed descriptions of selected measures and
techniques.
IEC 61508 Compliance Considerations

IEC 61508 certification confirms that a product or system complies with objectives set by
the standard.
1-32
IEC 61508
You can get IEC 61508 compliance certified by an independent, external certification
authority, such as Technischer berwachungsverein (TV) in Germany. Upon granting
certification, the certification authority issues a certificate and, if applicable, a certificate
report. A certificate report is a technical report that accompanies the certificate. The
certificate report documents details of the certification process and constraints for the
certificate.
An applicant might self-certify a system. Self-certification requires the applicant to
demonstrate IEC 61508 compliance to an internal assessor, without requiring external
certification. In this case, aspects of the standard might be relaxed or tightened.
Regardless of how an applicant achieves certification, the applicant shall document
compliance with the relevant set of IEC 61508 requirements. For software, the applicant
typically creates customized instances of software safety integrity tables. The tables
describe how you interpreted and applied each recommended technique and measure for
the software under development. If a highly recommended technique or measure is not
used, the rationale shall be documented and agreed upon with the certification authority
or internal assessor.
The customized software safety integrity tables serve as partial evidence to demonstrate
that the objectives of the standard are met. To facilitate certification, the applicant
should submit an initial version of the tables early in the software development lifecycle
to the certification authority or internal assessor for discussion and approval.
IEC 61508 Tool Certification Considerations

The intention of the IEC 61508 standard is to regulate the development of safety-related
systems, not the development of software tools used to design, verify, and validate these
systems. However, IEC 61508 includes some requirements on the usage of software tools.
In particular, IEC 61508-3, clause 7.4.4 provides requirements for tools used to develop
safety-related software, including a tool classification scheme and requirements for tool
validation.
IEC 61508-3, table A.3 highly recommends certified tools and translators for safety
integrity levels SIL 2 and higher.
Different tool certification approaches have been proposed and pursued in practice. A
recent approach is in-context certification of tools. In-context certification is based on
a specific workflow or set of workflows to be used when applying the tool to develop
or verify software for IEC 61508 compliant or certified applications. For an in-context
certification, the certification package includes a reference workflow document in
1-33
addition to a certificate and certificate report. The applicant shall ensure the tool is
used within the workflows referenced and the constraints specified in their respective
certificates.
Regardless of the tool certification, the tool user is and remains fully responsible for the
safety of the system and its embedded software.
1-34
EN 50128
EN 50128
In this section...
What Is EN 50128? on page 1-35
EN 50128 Software Tool Considerations on page 1-35
What Is EN 50128?
EN 50128 is a European safety standard titled Railway applications - Communications,
signalling and processing systems - Software for railway control and protection systems.
The standard specifies procedures and technical requirements for the development of
programmable electronic systems for use in railway control and protection applications.
EN 50128, developed by the European Committee for Electrotechnical Standardization
(CENELEC), is part of a series of standards that represent the railway applicationspecific interpretation of the IEC 61508 standard series.
EN 50128 Software Tool Considerations

Requirements for support tools are specified in clause 6.7 of the EN 50128 standard.
The objective of this clause is to provide evidence that potential failures of tools do
not adversely affect the integrated toolset output in a safety related manner that
is undetected by technical and/or organizational measures outside the tool. (EN
50128:2011).
1-35
IEC 61511
What Is IEC 61511?
IEC 61511 is an international functional safety standard titled Functional safety - Safety
Instrumented Systems for the process industry sector. IEC 61511 has been developed
as a process sector implementation of IEC 61508. The standard consists of three parts,
referred to as IEC 61511-1 to IEC 61511-3. Part 1 (IEC 61511-1) covers framework,
definitions, and system, hardware, and software requirements.
1-36
2
Reference Workflows
Reference Workflows
Embedded Coder Reference Workflow Overview

The Embedded Coder Reference Workflow describes a workflow for application-specific
verification and validation of models and generated C and C++ code developed using
Model-Based Design with production code generation. Users of the Embedded Coder
software shall carry out this workflow as part of the overall ISO 26262, IEC 61508, or
EN 50128 software safety lifecycle. Model-Based Design enables automatic generation
of production-quality code from executable graphical models that you can deploy onto
embedded systems. Simulink products from MathWorks have become an accepted
standard for Model-Based Design. Simulink, Fixed-Point Designer, and Stateflow
software support graphical modeling with time-based block diagrams and event-based
state machines. Embedded Coder supports code generation for embedded systems.
If generated C or C++ code is being deployed in safety-related applications, modeling
and code generation are to be complemented by measures and techniques to verify
and validate the model and the generated C or C++ code. Applying these measures
and techniques in an application-specific manner serves the purpose of translation
validation.3 A successful translation validation provides a high degree of confidence
that for the design instance under consideration the output of the code generator,
compiler, and linker tool chain exhibits equivalent input-output behavior as the model
used for production code generation.
The workflow presented in the Embedded Coder Reference Workflow describes a
translation validation process intended to comply with applicable requirements of the
overall software safety lifecycle defined by ISO 26262-6, IEC 61508-3, and EN 50128
respectively, as they relate to verification and validation of models and generated code.
The workflow addresses risk levels ASIL A ASIL D according to ISO 26262, SIL 1 SIL
3 according to IEC 61508, and SIL 0 SIL 4 according to EN 50128.
Completing the verification and validation workflow is considered to be equivalent to
the use of a certified code generation tool chain consisting of a code generator, compiler,
and linker to develop the application under consideration (justification specified in IEC
61508-3 clause 7.4.4.3).
To fulfill objectives of ISO 26262-6, IEC 61508-3, or EN 50128 related to software
development processes, verifying and validating the application software under
development (translation validation) is required regardless of the tool chain you use.
The workflow for application-specific verification and validation of models and generated
C and C++ code outlined in the Embedded Coder Reference Workflow divides the
translation validation process into two steps:
3.
2-2
A. Pnueli, M. Siegel, E. Singerman: Translation Validation. Lecture Notes in Computer Science, Vol.
1384, pp. 151-166. Springer, 1998
Embedded Coder Reference Workflow Overview
Design verification: Demonstrate that the model used for production code generation
behaves as specified in its requirements.
Code verification: Demonstrate equivalence between the model and the

corresponding object code.
The first step combines suitable verification and validation techniques at the model level.
The second step mainly relies on behavioral and structural comparison between the
model and the generated code.
This two-step approach allows you to complete verification and validation activities, for
the most part, at the model level. You can take advantage of the fact that you can reuse
model-level tests that are required to verify the generated code.
The following figure shows the suggested translation validation workflow. This workflow
is concerned with verifying and validating the model used for production code generation,
the generated source code, and the executable object code.
4.
Other development artifacts are grayed out.
2-3
Reference Workflows
Module and integration

testing at the model level
Review and static analysis

at the model level
Textual
requirements
Executable
specification
Modeling
...
Equivalence testing
Prevention of
unintended functionality
Model used for

production
code generation
Generated
C/C++ code
Code
generation
Design verification
Object
code
Compilation
and linking
Code verification
Development artifact
Software development activity
Verification and validation activity
Overview of the Workflow for Application-Specific Verification and Validation of Models and Generated C
and C++ Code4
Open the Artifacts Explorer to access the Embedded Coder Reference Workflow.
Alternatively, on the MATLAB command line, type certkitiec. The Embedded Coder
Reference Workflow file certkitiec_ecoder_workflow.pdf is located in Embedded
Coder > r2015a.
2-4
Simulink PLC Coder Reference Workflow Overview

The Simulink PLC Coder Reference Workflow describes a workflow for applicationspecific verification and validation of models and structured text code developed using
Model-Based Design with PLC code generation. Users of the Simulink PLC Coder
software shall carry out this workflow as part of the overall IEC 61508 or IEC 61511
safety lifecycle. Model-Based Design enables automatic generation of IEC 61131-3
structured text code from executable graphical models that can be deployed onto
Programmable Logic Controllers (PLCs). Simulink products from MathWorks have
become an accepted standard for Model-Based Design. Simulink and Stateflow
software support graphical modeling with time-based block diagrams and event-based
state machines. The MATLAB Function block allows including MATLAB algorithms in
Simulink models.Simulink PLC Coder software supports the generation of IEC 61131
compliant Structured Text code based on Simulink models and Stateflow charts.
If generated structured text is being deployed in safety-related applications, modeling
and PLC code generation are to be complemented by measures and techniques to
verify and validate the model and the generated PLC code. Applying these measures
and techniques in an application-specific manner serves the purpose of translation
validation.5 A successful translation validation provides a high degree of confidence that
for the design instance under consideration the output of the code generator and
programmable logic controller integrated development environment (PLC IDE) tool chain
exhibits equivalent input-output behavior as the model used for PLC code generation.
The workflow presented in the Simulink PLC Coder Reference Workflow describes
a translation validation process intended to comply with applicable requirements of
the overall safety lifecycle defined by IEC 61508-3 and IEC 61511, as they relate to
verification and validation of models and generated structured text code. The workflow
addresses risk levels SIL 1 SIL 3 according to IEC 61511.
Completing the verification and validation workflow is considered to be equivalent to
the use of a certified PLC code generation tool chain to develop the application under
consideration (IEC 61508-3, clause 7.4.4.10).
Fulfilling the objectives of IEC 61508-3 and IEC 61511-1 related to software development
processes requires verifying and validating the PLC application software under
development (translation validation).
The workflow for application-specific verification and validation of models and generated
PLC code outlined in the Simulink PLC Coder Reference Workflow divides the translation
validation process into two steps:
5.
A. Pnueli, M. Siegel, E. Singerman: Translation Validation. Lecture Notes in Computer Science, Vol.
1384, pp. 151-166. Springer, 1998
2-5
Reference Workflows
Design verification: Demonstrate that the model used for production code generation
behaves as specified in its requirements.
PLC code verification: Demonstrate equivalence between the model and the
generated PLC code.
The first step combines suitable verification and validation techniques at the model level.
The second step mainly relies on comparing the model and the generated PLC code.
This two-step approach allows you to complete verification and validation activities, for
the most part, at the model level. You can take advantage of the fact that you can reuse
model-level tests that when verifying the generated PLC code.
The following figure shows the suggested translation validation workflow. This workflow
is concerned with verifying and validating the model used for PLC code generation and
the generated PLC code.
2-6
Module and integration

testing at the model level
Equivalence testing
Review and static analysis

at the model level
Textual
requirements
Executable
specification
...
Modeling
Prevention of
unintended functionality
Model used for

PLC
code generation
Generated
PLC code
PLC Code
generation
Design verification
PLC IDE
project with
test bench
Import to
PLC IDE
PLC Code verification
Verification and validation activity
Overview of the Workflow for Application-Specific Verification and Validation of Models and Generated
PLC Code6
Open the Artifacts Explorer to access the Simulink PLC Coder Reference Workflow.
Alternatively, on the MATLAB command line, type certkitiec. The Simulink PLC
Coder Reference Workflow file certkitiec_plccoder_workflow.pdf is located in
Simulink PLC Coder > r2015a.
6.
Other development artifacts are grayed out.
2-7
Reference Workflows
Simulink Design Verifier Reference Workflow Overview

Simulink Design Verifier allows users to generate test cases for Simulink models. The
generated test cases provide simulation inputs that exercise functionality captured in the
model structure and specified by the test objectives. The test cases, together with the test
objectives, are used to verify the model or code running in software-in-the-loop (SIL) or
processor-in-the-loop (PIL) modes.
The Simulink Design Verifier Reference Workflow provides a reference workflow for
Simulink Design Verifier. In particular, it describes how to:
Leverage the test case generation capability of Simulink Design Verifier in a ModelBased Design process.
Facilitate seamless functioning of the test case generation capability of the Simulink
Design Verifier tool.
Assess the completeness and adequacy of the generated test cases.
Users of the Simulink Design Verifier software seeking to leverage the certification or
qualification credit afforded by the IEC Certification Kit shall carry out this workflow as
part of the overall ISO 26262, IEC 61508, or EN 50128 software safety lifecycle.
The Simulink Design Verifier Reference Workflow describes use cases for the test case
generation capability of Simulink Design Verifier as part of a Model-Based Design
process.
During the development of embedded application software, you can use graphical
modeling with Simulink, Fixed-Point Designer, and Stateflow to conceptualize
the functionality to be implemented. Using this modeling paradigm, the application
software to be developed is modeled using time-based block diagrams and event-based
state machines. Such a model of the application software is simulated (executed) within
the Simulink environment. The model serves as the primary representation of the
application software throughout the development process, specifying functionality
and design information, and serving as a source for automated code generation with
Embedded Coder. In practice, this model elaboration is characterized by a step-wise
transformation of the application software model from an early executable specification
into a model suitable for production code generation, and then finally into productionquality C or C++ code. To accomplish the transformation, the model is enhanced by
adding design information and implementation details. The development process
becomes the successive refinement of models, followed by automatic code generation
and compilation and linking, as shown in the following figure. For details about this
development process, see IEC Certification Kit Embedded Coder Reference Workflow.
2-8
Simulink Design Verifier Reference Workflow Overview
Textual
requirements
Executable
specification
Modeling
...
Model used for

production
code generation
Generated
C/C++ code
Code
generation
Object
code
Compilation
and linking
Model-Based Design Process7

You can use the test case generation capability provided by the Simulink Design Verifier
to generate test cases for the executable specification, the model used for production code
generation, or any other interim model created during the modeling phase. You can use
the generated test cases to stimulate the executable specification or another stage of the
model-based design process.
Open the Artifacts Explorer to access the Simulink Design Verifier Reference Workflow.
Alternatively, on the MATLAB command line, type certkitiec. The Simulink Design
Verifier Reference Workflow file certkitiec_sldv_workflow.pdf is located in
Simulink Design Verifier > r2015a.
7.
Solid arrows in the figure indicate the succession of software development activities.
2-9
Reference Workflows
Simulink Verification and Validation Reference Workflow

Overview
Simulink Verification and Validation allows users to:
Check Simulink and Stateflow models for compliance with design and coding
guidelines.
Identify untested portions of models using structural coverage metrics.
The Simulink Verification and Validation Reference Workflow provides a reference
workflow for Simulink Verification and Validation. In particular, it describes how to:
Leverage the model compliance checking and model coverage analysis capabilities of
Simulink Verification and Validation in a Model-Based Design process.
Check these capabilities are functioning as expected.
Users of the Simulink Verification and Validation tool seeking to leverage the
certification or qualification of the tool shall carry out this workflow as part of the overall
ISO 26262, IEC 61508, or EN 50128 software safety lifecycle.
The Simulink Verification and Validation Reference Workflow describes use cases for the
following capabilities of Simulink Verification and Validation as part of a Model-Based
Design process:
Model compliance checking
Model coverage analysis
During the development of embedded application software, you can use graphical
modeling with Simulink, Fixed-Point Designer, and Stateflow to conceptualize
the functionality to be implemented. Using this modeling paradigm, the application
software to be developed is modeled using time-based block diagrams and event-based
state machines. Such a model of the application software is simulated (executed) within
the Simulink environment. The model serves as the primary representation of the
application software throughout the development process, specifying functionality
and design information, and serving as a source for automated code generation with
Embedded Coder. In practice, this model elaboration is characterized by a step-wise
transformation of the application software model from an early executable specification
into a model suitable for production code generation, and then finally into C or C++ code.
To accomplish the transformation, the model is enhanced by adding design information
and implementation details. The development process becomes the successive refinement
2-10
Simulink Verification and Validation Reference Workflow Overview
of models, followed by automatic code generation and compilation and linking, as shown
in the following figure. For details about this development process, see the Embedded
Coder Reference Workflow .
Textual
requirements
Executable
specification
Modeling
...
Model used for

production
code generation
Generated
C/C++ code
Code
generation
Object
code
Compilation
and linking
Model-Based Design Process8

You can use the model compliance checking and model coverage analysis capabilities of
Simulink Verification and Validation to verify or validate the executable specification,
the model used for production code generation, or other interim models created during
the modeling phase.
Open the Artifacts Explorer to access the Simulink Verification and Validation
Reference Workflow. Alternatively, on the MATLAB command line, type
certkitiec. The Simulink Verification and Validation Reference Workflow file
certkitiec_slvnv_workflow.pdf is located in Simulink Verification and
Validation > r2015a.
8.
Solid arrows in the figure indicate the succession of software development activities.
2-11
Reference Workflows
Polyspace Bug Finder Reference Workflow Overview

Polyspace Bug Finder supports the detection of MISRA-C:2004, MISRA-C++: 2008,
MISRA-C:2012, and JSF++ coding standard violations in embedded software written
in the C and C++ programming languages. Polyspace Bug Finder also generates code
size and complexity metrics and produces reports that you can use to monitor and help
improve code reliability and quality.
Polyspace Bug Finder Reference Workflow provides a reference workflow for the
Polyspace Bug Finder. In particular, the document describes how to:
Leverage the coding standard compliance analysis, code size and complexity metrics
determination, and software quality metrics determination capabilities of Polyspace
Bug Finder in the software life cycle.
Check that these capabilities are functioning as expected.
The reference workflow presented in Polyspace Bug Finder Reference Workflow describes
activities intended to comply with applicable requirements of the overall software
safety lifecycles defined by IEC 61508-3, ISOS 26262, and EN 50128 as they relate to
verification and analysis of hand-written, generated, or mixed source code. The workflow
addresses risk levels ASIL A - ASIL D according to ISO 26262, SIL 1 - SIL 3 according to
IEC 61508, and SIL 0 - SIL 4 according to EN 50128
Open the Artifacts Explorer to access the Polyspace Bug Finder Reference Workflow.
Alternatively, on the MATLAB command line, type certkitiec. The Polyspace Bug
Finder Reference Workflow file certkitiec_bugfinder_workflow.pdf is located in
Polyspace Bug Finder > r2015a.
2-12
Polyspace Code Prover Reference Workflow Overview
Polyspace Code Prover Reference Workflow Overview

Polyspace Code Prover detects and proves the absence of overflow, divide-by-zero,
out-of-bounds array access, and certain other run-time errors in embedded software
written in the C and C++ programming languages. Polyspace Code Prover uses formal
methods-based abstract interpretation to formally prove run-time attributes of software.
Additionally, Polyspace Code Prover calculates and provides ranges for variables and
operator parameters at any point of the program, taking into account all possible
configurations (inputs, global variables).
Polyspace Code Prover Reference Workflow provides a reference workflow for the
Polyspace Code Prover. In particular, the document describes how to:
Leverage the code verification, unreachable code analysis, call tree computation,
global variable usage analysis, and quality metrics determination capabilities of
Polyspace Code Prover in the software life cycle
Check that these capabilities are functioning as expected.
The reference workflow presented in Polyspace Code Prover Reference Workflow describes
activities intended to comply with applicable requirements of the overall software
safety lifecycles defined by IEC 61508-3, ISOS 26262, and EN 50128 as they relate to
verification and analysis of hand-written, generated, or mixed source code. The workflow
addresses risk levels ASIL A - ASIL D according to ISO 26262, SIL 1 - SIL 3 according to
IEC 61508, and SIL 0 - SIL 4 according to EN 50128
Open the Artifacts Explorer to access the Polyspace Code Prover Reference Workflow.
Alternatively, on the MATLAB command line, type certkitiec. The Polyspace Code
Prover Reference Workflow file certkitiec_codeprover_workflow.pdf is located in
Polyspace Code Prover > r2015a.
2-13
3
Define Certification Objectives and Requirements on page 3-2
Certify or Qualify Software Tools on page 3-3
Document Evidence of Using Tools Within Referenced Workflows on page 3-4
Define Certification Objectives and Requirements

Before using the IEC Certification Kit product, define your certification objectives and
requirements.
Identify the scope of your certification activities, such as the application to certify.
Decide on the applicable safety standards and the required Safety Integrity Level
(SIL) or Automotive Safety Integrity Level (ASIL).
Determine the software development processes and software tool chain to use.
Define tool certification or qualification requirements, including the tools and versions
to certify or qualify.
3-2
Certify or Qualify Software Tools
Certify or Qualify Software Tools

The ISO 26262, IEC 61508, and EN 50128 standards include requirements or
recommendations to use certified or qualified tools. You can use tool certification or
prequalification evidence from the IEC Certification Kit product to document compliance
with the requirements or recommendations concerning tool certification or qualification.
Note: Using certified or qualified tools does not ensure the safety of the application under
development.
The IEC Certification Kit product provides tool certification and prequalification
evidence for the following MathWorks products:
Embedded Coder
Simulink PLC Coder
The IEC Certification Kit product follows an in-context approach to tool certification and
qualification. This approach is based on specific workflows to be used when applying the
certified and qualified tools to develop or verify software for ISO 26262, IEC 61508, and
EN 50128 applications. The applicant must ensure that the tools are used within the
referenced workflows and constraints specified in the certificates.
3-3
Document Evidence of Using Tools Within Referenced Workflows

Use IEC Certification Kit artifact templates to document evidence of using MathWorks
tools within referenced workflows and with the constraints specified in the corresponding
certificate. The documentation activities for each tool can include the following:
Customize and complete the Conformance Demonstration Template provided for the
tool.
For ISO 26262 tool qualification, review the ISO 26262 Tool Qualification Package
template provided for the tool for applicability to the application under consideration,
and tailor and complete the information.
In this section...
ISO 26262 Tool Qualification Artifacts on page 3-4
IEC 61508 Tool Certification Artifacts on page 3-5
EN 50128 Tool Certification Artifacts on page 3-7
ISO 26262 Tool Qualification Artifacts

The IEC Certification Kit product provides support for creating ISO 26262 tool
qualification artifacts for the following products:
Embedded Coder
For details, see the ISO 26262 Tool Qualification Package documents for these products.
Note: Some safety standards, including IEC 61508, do not have a formal concept of
certification credits. The amount of credit for the use of certified or qualified tools is
dependent on the applicant's development, verification and validation processes, and how
the applicant uses the tools within those processes. The applicant should propose and
discuss an initial version of the compliance package, including tool qualification data,
with the certification authority or internal assessor early in the development lifecycle.
3-4
IEC 61508 Tool Certification Artifacts

The IEC Certification Kit product provides support for creating the following artifacts
related to tool certification according to IEC 61508.
Artifacts and Documents1
Products
Purpose
References
Embedded Coder
Tool certification
evidence for code
generator
IEC 61508-3 Clause Certificate Z10 11

7.4.4
12 67052 014
IEC 61508-3 Table
A-3 (4a) Certified
tools and certified
translators
Certificate report
MN72051C
Documentation of
reference workflow
N/A
Embedded Coder
Reference Workflow
Evidence for using

the code generator
within the referenced
workflows and within
the constraints
specified in its
certificate
N/A
Customized and
completed Conformance
Demonstration
Template
Tool certification
evidence for code
generator

7.4.4
01 67052 007
IEC 61508-3 Table
A-3 (4a) Certified
tools and certified
translators
Certificate report
MN76171C
Documentation of
reference workflow
N/A
Simulink PLC Coder

Reference Workflow
Evidence for using

the code generator
the constraints
specified in its
certificate
N/A
Customized and
Demonstration
Template
Simulink PLC Coder
3-5
Products
Purpose
References
Simulink Design
Verifier
Tool certification
evidence for model
verification tool

7.4.4
12 67052 013
IEC 61508-3 Table
A-3 (4a) Certified
tools and certified
translators
Certificate report
MN83534C
Documentation of
reference workflow
N/A
Simulink Design
Verifier Reference
Workflow
Evidence for using

the verification tool
the constraints
specified in its
certificate
N/A
Customized and
Demonstration
Template
Tool certification
evidence for model
verification tool

7.4.4
12 67052 013
IEC 61508-3 Table
A-3 (4a) Certified
tools and certified
translators
Certificate report
MN83534C
Documentation of
reference workflow
N/A
Simulink Verification
and Validation
Reference Workflow
Evidence for using

the constraints
specified in its
certificate
N/A
Customized and
Demonstration
Template
Simulink Verification
and Validation
3-6
Products
Purpose
References
Polyspace Bug Finder;

Tool certification
evidence for code
verification tool

7.4.4
06 67052 012
IEC 61508-3 Table
A-3 (4a) Certified
tools and certified
translators
Certificate Report
MN74651C
Documentation of
reference workflow
N/A

Reference Workflow
Reference Workflow
Evidence for using

the constraints
specified in its
certificate
N/A
Customized and
Demonstration
Template
For file names and locations, see IEC Certification Kit Component Overview on page 1-4.
EN 50128 Tool Certification Artifacts

The IEC Certification Kit product provides support for creating EN 50128 tool
qualification artifacts for the following products:
Embedded Coder
3-7
4
Software Tool Validation on page 4-2
Run Test Cases and Procedures for Embedded Coder on page 4-3
Run Test Cases and Procedures for Simulink Verification and Validation on page
4-4
Run Test Cases and Procedures for Polyspace Bug Finder on page 4-6
Run Test Cases and Procedures for Polyspace Code Prover on page 4-7
Software Tool Validation

Some safety standards recommend the validation of software tools, using applicationindependent test cases to:
Demonstrate that a software tool complies with its specified requirements.
Examine the reaction of the software tool to anomalous operating conditions.
The IEC Certification Kit product provides exemplary test cases and test procedures that
you can use to automate tool validation tests for the following products:
Embedded Coder
Simulink Verification and Validation (Model Coverage Analysis, Model Compliance
Checking)
The exemplary test cases provided with the IEC Certification Kit product are templates
that you can modify and extend to create test suites that cover the requirements that are
relevant for your application, your specific tool configuration, operating environment, and
so on.
Note: MathWorks acknowledges the Automotive Code Validation Suite (AVS) as the
initial test suite used with Embedded Coder, as described in the following article:
http://www.mathworks.com/company/pressroom/article31185.html
4-2
Run Test Cases and Procedures for Embedded Coder
Run Test Cases and Procedures for Embedded Coder

Based on your adherence to the Embedded Coder Reference workflow, desired
certification rigor or project-specific needs, the tool confidence level may be TCL-2 or
higher and require tool qualification. You can use the test cases and procedures to
support tool validation, a method listed in ISO 26262 for tool qualification. You might
need additional test cases, based on your tool usage, to validate Embedded Coder,
Stateflow and Simulink.
To execute the test cases and procedures for Embedded Coder:
1
Copy the matlabroot/toolbox/qualkits/iec/ecoder/r2015a folder and its

subfolders to a location to which you have write access. Use that location to run the
test cases and procedures.
Note:
To execute the test procedure, you must have an Embedded Coder license.
Some test models require Stateflow and Simulink licenses.
Open the file certkitiec_ecoder_modelList.m in the relocated folder.
Edit the file to specify the test cases (that is, test models and supporting files) that
you want to execute. Check that the models and files that you specify exist in their
specified locations in the /tests subfolder.
Optionally, edit the file to specify baselines corresponding to the tests. Check that
the baselines that you specify exist in the /baselines subfolder.
Save the file.
To run the tests and generate a validation report, execute the file
certkitiec_ecoder_tests.m. You can invoke it from the MATLAB command
line or in the Certification Artifacts Explorer. Test reports are generated in HTML
format and are placed in the outputs subfolder.
Confirm that the test reports are generated without errors or warnings.
Review the generated test reports for expected results.
4-3
Run Test Cases and Procedures for Simulink Verification and

Validation
To execute the test cases and procedures for Simulink Verification and Validation (Model
Coverage Analysis, Model Compliance Checking):
1
Copy the matlabroot/toolbox/qualkits/iec/slvnv/r2015a folder and its

subfolders to a location to which you have write access. Use that location to run the
test cases and procedures.
Note:
To run the tests and generate reports, you must have MATLAB Report
Generator and Simulink Report Generator licenses.
Some model coverage RPT files require Fixed-Point Designer, Stateflow,
and Simulink Design Verifier licenses.
Open the files certkitiec_slvnv_tests*.xls in the relocated folder.
Edit the files to specify the test cases (that is, test models and supporting files) that
you want to execute, the expected results, and additional information. Check that
the models and files that you specify exist in their specified locations in the /tests
subfolder.
Save the files.
To run the tests and generate reports, execute the files

certkitiec_slvnv_tests*.rpt. You can invoke them in the Certification
Artifacts Explorer, from the MATLAB command line, or from the Report Explorer, as
follows:
In the Certification Artifacts Explorer, right-click an RPT file and select Execute
Tests.
At the MATLAB command line, enter the command
report ('rpt_file')
where rpt_file is the name of the test procedure.
4-4
Run Test Cases and Procedures for Simulink Verification and Validation
To open Report Explorer, double-click an RPT file, or in Certification Artifacts

Explorer, right-click an RPT file and select Open File. In Report Explorer, select
File > Report.
Simulink Report Generator creates the test reports and places them in the outputs
subfolder.
Note:
Before you execute model coverage RPT files, set the Java heap size for your
MATLAB session to at least 512 MB. To check the Java heap size, open the
MATLAB Preferences dialog box and select General > Java Heap Memory.
If the Java Heap Size value is less than 512 MB, change it to 512 MB,
click OK, and restart MATLAB. (If the maximum available heap size value
is less than 512 MB, select the maximum value.) This may help you avoid
java.lang.OutOfMemoryError messages.
Before you execute each model coverage RPT file, start a new MATLAB
session.
6
Review the generated test reports for expected results. The tool validation report for
the ISO 26262 Model Advisor checks provides the expected and actual results for the
overall check and subchecks. If one of the subchecks warns, the overall check result
is a warning.
4-5
Run Test Cases and Procedures for Polyspace Bug Finder

To execute test cases and procedures for Polyspace Bug Finder:
1
On the Polyspace server machine, copy the matlabroot/toolbox/qualkits/iec/

bugfinder/r2015a folder and its subfolders to a location to which you have write
access. Use that location to run the test cases and procedures.
From the top level of the relocated folder, cd into the subfolder tests.
To run the tests and generate reports:

On a Windows system, use the command
certkitiec_bugfinder_tests.bat.
On a Linux system, make sure that Perl and Polyspace are in the current PATH
and use the command certkitiec_bugfinder_tests.sh.
As the tests run, reports are generated in the outputs subfolder of the relocated
folder.
For examples of generated reports, see the outputs subfolder of the relocated folder:
certkitiec_bugfinder_qualificationreport_code_metrics.txt
certkitiec_bugfinder_qualificationreport_misrac.txt
certkitiec_bugfinder_qualificationreport_misracpp.txt
certkitiec_bugfinder_qualificationreport_tor.txt
4-6

To execute test cases and procedures for Polyspace Code Prover:
1
On the Polyspace server machine, copy the matlabroot/toolbox/qualkits/iec/

codeprover/r2015a folder and its subfolders to a location to which you have write
access. Use that location to run the test cases and procedures.
From the top level of the relocated folder, cd into the subfolder tests.
To run the tests and generate reports:

On a Windows system, use the command
certkitiec_codeprover_tests.bat.
On a Linux system, make sure that Perl and Polyspace are in the current PATH
and use the command certkitiec_codeprover_tests.sh.
As the tests run, reports are generated in the outputs subfolder of the relocated
folder.
For examples of generated reports, see the outputs subfolder of the relocated folder:
certkitiec_codeprover_qualificationreport_code_metrics.txt
certkitiec_codeprover_qualificationreport_misrac.txt
certkitiec_codeprover_qualificationreport_misracpp.txt
certkitiec_codeprover_qualificationreport_tor.txt
4-7
5
Access and Manage Certification
Artifacts
Access Artifacts Using the Certification Artifacts Explorer on page 5-2
Manage Artifacts Using the Certification Artifacts Explorer on page 5-5
Delete Certification Packages from Certification Artifacts Explorer on page 5-6
Certification Artifacts Explorer Limitations on page 5-7
Certification Artifacts Explorer on Linux and Mac Platforms on page 5-8
Access Artifacts Using the Certification Artifacts Explorer

In this section...
Certification Artifacts in the IEC Certification Kit Product on page 5-2
What Is a Certification Package? on page 5-2
How To Access Certification Artifacts on page 5-2
Certification Artifacts in the IEC Certification Kit Product

The IEC Certification Kit product includes the following certification artifacts:
Certification and qualification evidence
Documents and templates
For more information about the certification artifacts that are part of the IEC
Certification Kit product, see IEC Certification Kit Component Overview on page 1-4.
For more information about certifying or qualifying software tools, see Process for
Standard Compliance or Certification.
What Is a Certification Package?

A certification package is a group of certification artifacts that you use to certify your
project. The Certification Artifacts Explorer displays:
The certification artifacts that are part of the IEC Certification Kit product.
Certification packages that you create.
How To Access Certification Artifacts

You can use the Certification Artifacts Explorer to access certification artifacts. To start
the Certification Artifacts Explorer, use one of the following methods.
5-2
To start the Certification Artifacts

Explorer...
Do this:
From the MATLAB Toolstrip
Install the Compliance Artifacts Explorer app:
Access Artifacts Using the Certification Artifacts Explorer
To start the Certification Artifacts

Explorer...
Do this:
Click the Apps tab and select Install App.
Navigate to matlabroot/toolbox/
qualkits/iec/
and open Compliance Artifacts
Explorer.mlappinstall.
2
From the MATLAB command

line
Click the Apps tab and select Compliance

Artifacts Explorer.
Enter certkitiec.
The Certification Artifacts Explorer window displays the certification artifacts that are
available with the IEC Certification Kit product. If the IEC Certification Kit product
contains artifacts for more than one release, the window lists the artifacts for each
release. As you select folders and files, relevant information about the current selection is
dynamically displayed in the status bar. Additionally,
To display the properties of a certification package, right-click the package name and
select Properties.
To open an artifact, right-click the artifact and select Open File.
Depending on the type or state of an artifact, other right-click actions might
be available, including Copy, Paste, Delete, Open Folder, and Generate
Traceability Matrix.
5-3
5-4
Manage Artifacts Using the Certification Artifacts Explorer
Manage Artifacts Using the Certification Artifacts Explorer

To manage certification artifacts using the Certification Artifacts Explorer:
1
Create a new certification package using one of the following methods:

Select the menu item File > New.
Click the toolbar icon Create new certification package.
Right-click an existing package and select New.
Name the new certification package.
Define the location where the Certification Artifacts Explorer stores the new
certification package (use right-click > Properties).
Save the new certification package. The saved package has a KIT extension.
Copy the certification artifacts for the product of interest and paste them into the
new certification package:
To copy, select the artifacts of interest and use Edit > Copy.
To paste, select the new certification package and use Edit > Paste.
To create top-level folders within the new certification package, use the copy and
paste operations in the Certification Artifacts Explorer.
Delete certification artifacts that are not required for your project.
Optionally, add related files to the certification package top-level folders using a file
browser such as Microsoft Windows Explorer. When you add files, to refresh the file
list, use File > Refresh.
Use the Certification Artifacts Explorer to access certification artifacts. For a list of
artifacts that you might need to access and modify, see Certify or Qualify Software
Tools on page 3-3.
When you create and save new certification packages, the Certification Artifacts Explorer
displays them. The certification packages that are listed remain visible unless you delete
them from the Certification Artifacts Explorer.
5-5
Delete Certification Packages from Certification Artifacts Explorer

The Certification Artifacts Explorer displays certification packages that you create or
open. If you delete a certification package from the Certification Artifacts Explorer, the
files associated with the package are still available on your computer. To delete the files,
use a file browser such as Windows Explorer.
5-6
Certification Artifacts Explorer Limitations
Certification Artifacts Explorer Limitations

The Certification Artifacts Explorer has the following limitation:
For optimal performance, Microsoft Internet Explorer must be available on your
machine. Internet Explorer does not have to be your default web browser.
5-7
Certification Artifacts Explorer on Linux and Mac Platforms

You can use the Certification Artifacts Explorer to access certification artifacts on Linux
and Mac platforms.
Platform
Artifacts of file type
Software that Certification Artifacts

Explorer opens
Linux
PDF
Ghostview
If you are not able to open or view

the PDF, use Document Viewer to
open the file.
Microsoft Word .doc, .docx or
.rtf
OpenOffice
When viewing the artifacts, if you

encounter formatting issues:
1
Save the file as an

OpenDocument Text (.odt)
file, using Microsoft Word on a
Windows platform.
Open the OpenDocument Text

(.odt) version of the artifact,
using OpenOffice on a Linux
platform.
Formatting issues can include

problems with page breaks, tables,
or line breaks.
Mac
Microsoft Excel .xls or .xlsx
OpenOffice
HTML
MATLAB Web browser
PDF
Preview
Files opened with Preview are read
only.
Microsoft Word .doc or .docx
5-8
Microsoft Word for Mac, if it is

installed.
Certification Artifacts Explorer on Linux and Mac Platforms
Platform
Artifacts of file type
Software that Certification Artifacts

Explorer opens
TextEdit, if Microsoft Word for
Mac is not installed.
.rtf
TextEdit
Microsoft Excel .xls or .xlsx
Microsoft Excel for Mac, if it is

installed.
Preview, if Microsoft Excel for
Mac is not installed. Files opened
with Preview are read only.
HTML
MATLAB Web browser
5-9
6
Support Certification-Related
Development Activities
Generate a Traceability Matrix on page 6-2
Add Comments to a Traceability Matrix on page 6-6
Traceability Matrix Limitations on page 6-8
Display Bug Reports on page 6-9
Support Certification-Related Development Activities
Generate a Traceability Matrix

In this section...
About Traceability Matrices on page 6-2
Prerequisites for Generating a Traceability Matrix on page 6-3
How to Generate a Traceability Matrix on page 6-3
About Traceability Matrices

When you use Model-Based Design and production code generation to develop application
software components, you can generate a traceability matrix. The traceability matrix
provides traceability among model objects, generated code, and model requirements. You
can add comments to the generated traceability matrix. If you change the model and
regenerate the traceability matrix, the software retains your comments.
For a given model, the generated traceability matrix can provide information about:
Model objects that are traceable between the model and generated code, such as
Simulink blocks, Stateflow objects, and MATLAB functions.
Model objects that are untraceable between the model and generated code, such as
eliminated and virtual blocks.
Requirements documents that you link to model objects using the Simulink
Verification and Validation Requirements Management Interface (RMI).
Generate the traceability matrix using either the iec.ExportTraceReport function
from the MATLAB Command Window or the Generate Traceability Matrix button in
the generated HTML code generation report for your model. Either method creates an
XLS file that contains the following worksheets:
Model Information Summary of the model configuration and checksum. The
summary includes the model name, version, author, creation date, last saved by,
last updated date, checksum, and the selection of Traceability Report Contents
parameters.
Code Interface Information about the generated code interface, such as function
prototype and timing information for the model initialize and step functions.
Code Files File folders and names of the generated code files.
Report Traceability information for each model object, including model, generated
code, and requirements. Each row in the worksheet pertains to a single occurrence
6-2
of a model object. The information for a model object is in more than one row if the
object:
Appears more than once in the generated code.
Links to more than one requirement.
Prerequisites for Generating a Traceability Matrix

Before generating a traceability matrix for model objects, generated code, and model
requirements, perform the following steps:
1
Optionally, attach requirements documents. For more information, see

Requirements Traceability in the Simulink Verification and Validation
documentation.
In the Configuration Parameters dialog box, on the Code Generation > Report
pane, select:
a
Create code generation report
At least one of the following Traceability Report Contents parameters:

Eliminated / virtual blocks
Traceable Simulink blocks
Traceable Stateflow objects
Traceable MATLAB functions
Tip If you want to generate the traceability matrix directly from the code
generation report, select Open report automatically.
Generate code for the model.

Tip You do not have to build an executable to generate a traceability matrix. To
generate code only, on the Code Generation > General pane, select Generate
code only.
How to Generate a Traceability Matrix

To generate a traceability matrix:
6-3
Open the model if it is not already open.
Check that you have completed the Prerequisites for Generating a Traceability
Matrix on page 6-3.
Generate the traceability matrix using one of the following methods:

In the MATLAB Command Window, enter the following command, where
model_name is the name of the model:
iec.ExportTraceReport('model_name')
The software generates the traceability matrix.

Open the code generation report for the model if it is not already open. Go to the
Traceability Report section and click the Generate Traceability Matrix
button. For example:
When you click the button, the Generate Traceability Matrix dialog box appears.
6-4
You can use this dialog box to browse to an existing matrix file to update or
specify a new matrix file to create. Optionally, you can also use this dialog box to
select and order the columns that appear in the generated matrix. Click OK to
update or create the specified report.
4
Review the traceability matrix and add comments in new columns. For more
information, see Add Comments to a Traceability Matrix on page 6-6.
6-5
Add Comments to a Traceability Matrix

In this section...
Requirements for Adding Comments to a Traceability Matrix on page 6-6
How To Retain Comments on page 6-7
Requirements for Adding Comments to a Traceability Matrix

You can add comments to the traceability matrix that you generated using the
iec.ExportTraceReport function.
To add comments to the traceability matrix, you must:
Create new columns for your comments.
Use unique column headings. Columns that you add must have headings.
Add at least one entry to the column, other than the column heading.
Retain the following columns:
Model Object Name
Model Object Path
Model Object Subsystem
Code File Location
Code File Name
Code Function
Code Line Number
Model Object Unique ID
Model Object Optimized
Code Comment Checksum
Note: Comments must resolve to a text string. For example, a link to an image resolves
to a text string, but a copy of the image does not.
6-6
Add Comments to a Traceability Matrix
How To Retain Comments

To regenerate a traceability matrix and retain your comments:
1
Navigate to the working folder of the model.
Optionally, regenerate code for your model. Regenerating code before generating the
traceability matrix increases the likelihood that you have the latest model-to-code
traceability information.
In the MATLAB Command Window, enter the following command. file_name is

the name of the existing traceability matrix that you are regenerating. If the existing
traceability matrix is in a different folder, include the full path to that folder in
path.
iec.ExportTraceReport('model_name', 'file_name', 'path')
The traceability matrix regenerates.
6-7
Traceability Matrix Limitations

The traceability matrix generation capability has the following limitations:
Works with the Microsoft Windows platform only.
Does not support referenced models. When you generate a traceability matrix for a
model that contains referenced models, the traceability matrix contains information
about the Model block only. The traceability matrix does not contain information
about the contents of the referenced model. If your model contains referenced models,
generate a traceability matrix for the top-level model and each referenced model
separately.
Does not support models that use the model configuration option Classic call
interface (GRTInterface).
In most cases, identifies comments that you add to the traceability matrix, but when
comments cannot be identified, the traceability matrix includes the text:
Row is not unique: comment
If a requirement is linked to an annotation not contained in a DocBlock block, the
traceability matrix does not contain the requirement link. To generate a traceability
report containing a requirement link to an annotation, put the annotation in a
DocBlock block.
6-8
Display Bug Reports
Display Bug Reports

The IEC Certification Kit product provides a set of Model Advisor checks to display bug
reports for supported MathWorks products. Reports generated by these checks may be
used as artifacts in the compliance demonstration process.
See IEC Certification Kit Checks on page 8-2 for details on the available checks.
6-9
7
certkitiec
Open Certification Artifacts Explorer for IEC Certification Kit
Syntax
certkitiec
Description
certkitiec opens the Certification Artifacts Explorer and displays certification
artifacts.
Alternatives
Open the Certification Artifact Explorer from the MATLAB Toolstrip:
1
Install the Compliance Artifacts Explorer app:

Click the Apps tab and select Install App.
Navigate to matlabroot/toolbox/qualkits/iec/
and open Compliance Artifacts Explorer.mlappinstall.
Click the Apps tab and select Compliance Artifacts Explorer.
More About
Tips
For optimal performance, Microsoft Internet Explorer must be available on your
machine. Internet Explorer does not have to be your default web browser.
7-2
iec.ExportTraceReport
Generate XLS file that contains traceability matrix
Syntax
iec.ExportTraceReport('model_name')
iec.ExportTraceReport('model_name', 'file_name')
iec.ExportTraceReport('model_name', 'file_name', 'path')
Description
iec.ExportTraceReport('model_name') generates an XLS file that contains a
Traceability Matrix on page 7-4. model_name is the name of the model.
iec.ExportTraceReport('model_name', 'file_name') generates an XLS file
that contains a Traceability Matrix on page 7-4. file_name is a string that
specifies the name of the file. The first time that you call iec.ExportTraceReport,
file_name is optional. If you do not provide file_name, the function names the file
using the following convention. modelUpdate is the date and time that you last updated
the model:
model_name_Trace_modelUpdate.xls
To regenerate the traceability matrix, you must specify file_name.
iec.ExportTraceReport('model_name', 'file_name', 'path') generates
an XLS file that contains a Traceability Matrix on page 7-4. path is an optional
string that specifies the full path to the location where you want the software to save the
file.
Examples
Generate a traceability matrix with traceability between model objects and generated
code for the rtwdemo_hyperlinks model:
Note: This example requires an Embedded Coder license.
7-3
% Open the model.

open_system('rtwdemo_hyperlinks');
% Generate code only.
set_param('rtwdemo_hyperlinks', 'GenCodeOnly', 'on');
% Initiate the build process.
rtwbuild('rtwdemo_hyperlinks');
% Generate a traceability matrix.
iec.ExportTraceReport('rtwdemo_hyperlinks');
Generate a traceability matrix with traceability among model objects, generated code,
and model requirements for the slvnvdemo_fuelsys_docreq model:
Note: This example requires a Simulink Verification and Validation license.
% Open the model.
open_system('slvnvdemo_fuelsys_docreq');
% Select the code generation report and traceability report parameters.
set_param('slvnvdemo_fuelsys_docreq', 'GenerateReport', 'on');
set_param('slvnvdemo_fuelsys_docreq', 'GenerateTraceReport', 'on');
set_param('slvnvdemo_fuelsys_docreq', 'GenerateTraceReportSl', 'on');
set_param('slvnvdemo_fuelsys_docreq', 'GenerateTraceReportSf', 'on');
set_param('slvnvdemo_fuelsys_docreq', 'GenerateTraceReportEml', 'on');
% Generate code only.
set_param('slvnvdemo_fuelsys_docreq', 'GenCodeOnly', 'on');
% Initiate the build process.
rtwbuild('slvnvdemo_fuelsys_docreq');
% Generate a traceability matrix.
iec.ExportTraceReport('slvnvdemo_fuelsys_docreq');
Alternatives
You can generate a traceability matrix directly from the code generation report for your
model. Go to the Traceability Report section and click the Generate Traceability
Matrix button.
More About
Traceability Matrix
A traceability matrix provides traceability among model objects, generated code, and
model requirements. You can add comments to the generated traceability matrix. If
you change the model and regenerate the traceability matrix, the software retains your
comments.
7-4
Tips
The iec.ExportTraceReport function works on Microsoft Windows platforms only.
To include requirements documentation in the traceability matrix, attach
requirements documents to the model before using iec.ExportTraceReport.
You must generate a code generation traceability report (requires an Embedded Coder
license) for your model before using iec.ExportTraceReport.
The iec.ExportTraceReport function does not support referenced models. When
you generate a traceability matrix for a model that contains referenced models, the
traceability matrix contains information about the Model block only. The traceability
matrix does not contain information about the contents of the referenced model. If
your model contains referenced models, generate a traceability matrix for the toplevel model and each referenced model separately.
The iec.ExportTraceReport function does not support models that use the model
configuration option Classic call interface (GRTInterface).
In most cases, the iec.ExportTraceReport function identifies comments that
you add to the traceability matrix. When the function cannot identify comments, the
traceability matrix includes the text:
Row is not unique: comment
For more information, see Prerequisites for Generating a Traceability Matrix on page
6-3.
Generate a Traceability Matrix on page 6-2
Add Comments to a Traceability Matrix on page 6-6
Code Tracing
Requirements Traceability
7-5
8
IEC Certification Kit Checks

In this section...
Display bug reports using IEC Certification Kit checks on page 8-3
Display bug reports for Simulink Verification and Validation on page 8-4
Display bug reports for Simulink Design Verifier on page 8-5
Display bug reports for Simulink PLC Coder on page 8-6
Display bug reports for IEC Certification Kit on page 8-7
Display bug reports for Polyspace Bug Finder on page 8-8
Display bug reports for Polyspace Code Prover on page 8-9
Display bug reports for Embedded Coder on page 8-9
8-2
Display bug reports using IEC Certification Kit checks

You can use the IEC Certification Kit Model Advisor checks to display bug reports for
supported products.
8-3
Display bug reports for Simulink Verification and Validation

Display bug reports for the Simulink Verification and Validation R2015a product.
Description
Run this check to display the bug reports for Simulink Verification and Validation
R2015a that are available at www.mathworks.com/support/bugreports.
Note: This check does not determine whether your model might be affected by these
bugs.
Available with the IEC Certification Kit.
Input Parameters
To display bug reports modified after a certain date, use the Only show bug reports
modified after date (mm/dd/yyyy) field.
Results and Recommended Actions
Condition
Recommended Action
There are bug reports for the Simulink

Verification and Validation R2015a product.
Review the bug report descriptions and

workarounds provided in the links listed in the
ID column of the Model Advisor window.
See Also
Simulink Verification and Validation documentation
8-4
Display bug reports for Simulink Design Verifier

Display bug reports for the Simulink Design Verifier R2015a product.
Description
Run this check to display the bug reports for Simulink Design Verifier R2015a that are
available at www.mathworks.com/support/bugreports.
bugs.
Input Parameters
Condition
Recommended Action
There are bug reports for the Simulink Design

Verifier R2015a product.

See Also
Simulink Design Verifier documentation
8-5
Display bug reports for Simulink PLC Coder

Display bug reports for the Simulink PLC Coder R2015a product.
Description
Run this check to display the bug reports for Simulink PLC Coder R2015a that are
bugs.
Input Parameters
Condition
Recommended Action
There are bug reports for the Simulink PLC

Coder R2015a product.

See Also
Simulink PLC Coder documentation
8-6
Display bug reports for IEC Certification Kit

Display bug reports for the IEC Certification Kit R2015a product.
Description
Run this check to display the bug reports for IEC Certification Kit R2015a that are
bugs.
Input Parameters
Condition
Recommended Action
There are bug reports for the IEC Certification

Kit R2015a product.

See Also
IEC Certification Kit (for ISO 26262 and IEC 61508) documentation
8-7
Display bug reports for Polyspace Bug Finder

Display bug reports for the Polyspace Bug Finder R2015a products.
Description
Run this check to display the bug reports for Polyspace Bug Finder R2015a that are
bugs.
Input Parameters
Condition
Recommended Action
There are bug reports for the Polyspace Bug

Finder R2015a product.

See Also
8-8
Display bug reports for Polyspace Code Prover

Display bug reports for the Polyspace Code Prover R2015a products.
Description
Run this check to display the bug reports for Polyspace Code Prover R2015a that are
bugs.
Input Parameters
Condition
Recommended Action
There are bug reports for the Polyspace Code

Prover R2015a product.

See Also
Display bug reports for Embedded Coder

Display bug reports for the Embedded Coder R2015a product.
Description
Run this check to display the bug reports for Embedded Coder R2015a that are available
at www.mathworks.com/support/bugreports.
8-9
bugs.
Input Parameters
Condition
Recommended Action
There are bug reports for the Embedded Coder

R2015a product.

See Also
Embedded Coder documentation
8-10

Certkitiec Ug

Uploaded by

Copyright:

Available Formats

Certkitiec Ug

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Certkitiec Ug

Uploaded by

Copyright:

Available Formats

IEC Certification Kit

How to Contact MathWorks

Sales and services:

The MathWorks, Inc.

New for Version 1.0 (Applies to Releases 2007a

Getting Started with IEC Certification Kit

IEC Certification Kit Component Overview . . . . . . . . . . . . . .

Products Supported by IEC Certification Kit for Each

Access Certification Artifacts for Embedded Coder . . . . . .

Access Certification Artifacts for Simulink PLC Coder . . .

Access Certification Artifacts for Simulink Design Verifier

Access Certification Artifacts for Simulink Verification and

Access Certification Artifacts for Polyspace Bug Finder . .

Access Certification Artifacts for Polyspace Code Prover .

Access Supporting Artifacts for ISO 26262 . . . . . . . . . . . . . .

Access Supporting Artifacts for EN 50128 . . . . . . . . . . . . . .

Access Supporting Artifacts for IEC 61508 . . . . . . . . . . . . . .

Simulink PLC Coder Reference Workflow Overview . . . . . .

Simulink Design Verifier Reference Workflow Overview . . .

Simulink Verification and Validation Reference Workflow

Polyspace Bug Finder Reference Workflow Overview . . . .

Polyspace Code Prover Reference Workflow Overview . . .

Certify or Qualify Software Tools . . . . . . . . . . . . . . . . . . . . . .

Document Evidence of Using Tools Within Referenced

Validate Software Tools

Run Test Cases and Procedures for Embedded Coder . . . . .

Run Test Cases and Procedures for Simulink Verification and

Run Test Cases and Procedures for Polyspace Code Prover

Access and Manage Certification Artifacts

Manage Artifacts Using the Certification Artifacts

Delete Certification Packages from Certification Artifacts

Certification Artifacts Explorer Limitations . . . . . . . . . . . . .

Certification Artifacts Explorer on Linux and Mac

Support Certification-Related Development

Add Comments to a Traceability Matrix . . . . . . . . . . . . . . . .

Traceability Matrix Limitations . . . . . . . . . . . . . . . . . . . . . . .

Display Bug Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Functions Alphabetical List

Model Advisor Checks

Getting Started with IEC Certification Kit

IEC Certification Kit Product Description

Getting Started with IEC Certification Kit

IEC Certification Kit Component Overview

Certificates and certification Tool Artifacts on page

Documents and templates

Artifacts and templates that Tool Artifacts on page

Tools for certificationrelated development

Model Advisor checks

IEC Certification Kit Component Overview

IEC Certification Kit

Test cases and test

Test procedures that

Getting Started with IEC Certification Kit

Simulink PLC Simulink

Simulink PLC Simulink

ISO 26262 Tool

and Test Cases on

Getting Started with IEC Certification Kit

Software development and quality engineering processes.

Conformance Demonstration Template (CDT)