DO Qualification Kit

Simulink® Verification and Validation™

Tool Operational Requirements

R2015a, March 2015

How to Contact MathWorks
Latest news: www.mathworks.com
Sales and services: www.mathworks.com/sales_and_services
User community: www.mathworks.com/matlabcentral
Technical support: www.mathworks.com/support/contact_us
Phone: 508-647-7000
The MathWorks, Inc.
3 Apple Hill Drive
Natick, MA 01760-2098
DO Qualification Kit: Simulink® Verification and Validation™ Tool Operational Requirements
© COPYRIGHT 2009–2015 by The MathWorks, Inc.
The software described in this document is furnished under a license agreement. The software may be used or copied only under
the terms of the license agreement. No part of this manual may be photocopied or reproduced in any form without prior written
consent from The MathWorks, Inc.
FEDERAL ACQUISITION: This provision applies to all acquisitions of the Program and Documentation by, for, or through the
federal government of the United States. By accepting delivery of the Program or Documentation, the government hereby agrees
that this software or documentation qualifies as commercial computer software or commercial computer software documentation
as such terms are used or defined in FAR 12.212, DFARS Part 227.72, and DFARS 252.227-7014. Accordingly, the terms and
conditions of this Agreement and only those rights specified in this Agreement, shall pertain to and govern the use, modification,
reproduction, release, performance, display, and disclosure of the Program and Documentation by the federal government (or
other entity acquiring for or through the federal government)and shall supersede any conflicting contractual terms or conditions.
If this License fails to meet the government’s needs or is inconsistent in any respect with federal procurement law, the
government agrees to return the Program and Documentation, unused, to The MathWorks, Inc.
Trademarks
MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See www.mathworks.com/trademarks for a
list of additional trademarks. Other product or brand names may be trademarks or registered trademarks of their respective
holders.
Patents
MathWorks products are protected by one or more U.S. patents. Please see www.mathworks.com/patents for more
information.
Revision History
March 2009 New for Version 1.0 (Applies to Release 2009a)
September 2009 Revised for Version 1.1 (Applies to Release 2009b)
April 2010 Rereleased for Version 1.1.1 (Applies to Release 2009bSP1)
March 2010 Revised for Version 1.2 (Applies to Release 2010a)
September 2010 Revised for Version 1.3 (Applies to Release 2010b)
April 2011 Revised for Version 1.4 (Applies to Release 2011a)
September 2011 Revised for Version 1.5 (Applies to Release 2011b)
March 2012 Revised for Version 1.6 (Applies to Release 2012a)
September 2012 Revised for Version 2.0 (Applies to Release 2012b)
March 2013 Revised for Version 2.1 (Applies to Release 2013a)
September 2013 Revised for Version 2.2 (Applies to Release 2013b)
March 2014 Revised for Version 2.3 (Applies to Release 2014a)
October 2014 Revised for Version 2.4 (Applies to Release 2014b)
March 2015 Revised for Version 2.5 (Applies to Release 2015a)
Contents
1 Introduction ...................................................................................................................................... 1-1
1.1 Simulink Verification and Validation Product Description ..................................................... 1-2
2 Operational Requirements ................................................................................................................ 2-1
2.1 DO-178C/DO-331 Checks Operational Requirements ........................................................... 2-2
2.2 DO-178C/DO-331 Checks and Model Advisor User Information ........................................ 2-18
2.3 Model Coverage Operational Requirements ......................................................................... 2-19
2.4 Model Coverage User Information ........................................................................................ 2-29
3 Installation ........................................................................................................................................ 3-1
4 Operational Environment ................................................................................................................. 4-1

v
vi
1 Introduction

This document comprises the Tool Operational Requirements (reference DO-330 Section
10.3.1) for the following capabilities of the Simulink® Verification and Validation™ verification
product:

 DO-178C/DO-331 checks
 Model coverage

The document identifies:

 Features of the Simulink Verification and Validation product.

 The environment in which the Simulink Verification and Validation product is installed
(reference DO-330, Sections 10.2.4 and 10.3.2).

This document is intended for use in the DO-330 tool qualification process for TQL-5 tools. The
applicant needs to:

 Review the Tool Operational Requirements for applicability in the project or program
under consideration.
 Configure the Tool Operational Requirements in the project or program’s configuration
management system.
 Complete the Tool Operational Requirements and make the document available for review.

See documentation for the following products at the MathWorks® Documentation Center,
R2015a:

 DO Qualification Kit (for DO-178)

 Simulink Verification and Validation
 Simulink®
 Stateflow®
1.1 Simulink Verification and Validation Product
Description
Verify models and generated code
Simulink Verification and Validation automates requirements tracing, modeling standards
compliance checking, and model coverage analysis.

You can create detailed requirements traceability reports, author your own modeling style
checks, and develop check configurations to share with engineering teams. Requirements
documentation can be linked to models, test cases, and generated code. You can generate
harness models for testing model components and code, and use model coverage analysis to
ensure that models have been thoroughly tested.

Simulink Verification and Validation provides modeling standards checks for the DO-178, ISO
26262, IEC 61508 and related industry standards.

Key Features

 Compliance checking for MAAB style guidelines and high-integrity system design
guidelines (DO-178, ISO 26262, IEC-61508, and related industry standards)
 Model Advisor Configuration Editor, including custom check authoring
 Requirements Management Interface for traceability of model objects, code, and tests to
requirements documents
 Automatic test-harness generation for subsystems
 Component testing via simulation, software-in-the-loop (SIL), and processor-in-the-loop
(PIL)
 Programmable scripting interface for automating compliance checking, requirements
traceability analysis, and component testing

1-2
2 Operational Requirements
2.1 DO-178C/DO-331 Checks Operational
Requirements
The Simulink Verification and Validation product includes the Model Advisor
DO-178C/DO-331 modeling standards checks, which help you define and implement consistent
design guidelines. These guidelines can be applied across projects and development teams. The
Model Advisor finds unwanted model properties, such as incorrect or deprecated blocks and
block parameters, incorrect fonts, and misplaced objects.

Types of checks include:

 Block parameter settings

 Model configuration parameter settings
 Code generator settings
 Production hardware parameter settings
 Simulink and Stateflow diagnostic parameter settings
 Model connections
 Compatibility of reference models, libraries and S-functions
 Model style considerations
 Requirement management interface consistency

The purpose of this capability is to verify that Simulink and Stateflow models comply with
modeling standards, and to verify that the code generator settings are set properly to provide
traceable code that complies with standards.

You can find the DO-178C/DO-331 checks in the Model Advisor > By Product > Simulink
Verification and Validation > Modeling Standards > DO-178C/DO-331 Checks subfolder.

2-2
 The following table lists the Simulink Verification and Validation DO-178C/DO-331 checks
that are provided with the DO Qualification Kit, along with the corresponding DO-331 section
to which each check applies. To claim certification credit, the user is responsible for determining
the applicability of the DO-178C/DO-331 checks supported by the DO Qualification Kit to their
project.

Note The DO-178C/DO-331 checks can contain two sections: an analysis section
for reviewing the model and an action section for automatically fixing warnings
and failures. The DO Qualification Kit covers the DO-178C/DO-331 check
analysis, not the check actions.

The DO Qualification Kit does not cover Model Advisor check exclusions.

DO-178C/DO-331 Checks — Operational Requirements Summary

Check Title Requirement Description DO-331 References

Check ID ID
Check safety-related optimization DO178C_01 Simulink Verification and MB.6.3.1.e High-level
settings Validation shall verify that therequirements conform to
model optimization standards
mathworks.do178.OptionSet configuration parameters MB.6.3.2.e Low-level
comply with the Modeling requirements conform to
Guidelines for High-Integrity standards
Systems, R2015a. MB.6.3.1.g Algorithms are
accurate
For details, refer to “Check MB.6.3.2.g Algorithms are
safety-related optimization accurate
settings” in Simulink MB.6.3.3.b Software
Verification and Validation DO- architecture is consistent
178C/DO-331 Checks and
Model Advisor User MB.6.3.4.e Source code is
Information. traceable to low-level
requirements

2-3
Check Title
Check ID
Check safety-related diagnostic
settings for solvers
mathworks.do178.SolverDiagnost
icsSet
Check safety-related diagnostic
settings for sample time
mathworks.do178.SampleTimeDi
agnosticsSet
Requirement Description DO-331 References
ID
DO178C_02 Simulink Verification and MB.6.3.3.b Software
Validation shall verify that the architecture is consistent
model diagnostic configuration MB.6.3.3.e Software
parameters pertaining to solvers architecture conforms to
comply with the Modeling standards
Guidelines for High-Integrity
Systems, R2015a.
For details, refer to “Check
safety-related diagnostic settings
for solvers” in Simulink
Verification and Validation DO-
178C/DO-331 Checks and
Model Advisor User
Information.
DO178C_03 Simulink Verification and MB.6.3.3.b Software
Validation shall verify that the architecture is consistent
model diagnostic configuration MB.6.3.3.e Software
parameters pertaining to sample architecture conforms to
time comply with the Modeling standards
Guidelines for High-Integrity
Systems, R2015a.
For details, see “Check safety-
related diagnostic settings for
sample time” in Simulink
Verification and Validation DO-
178C/DO-331 Checks and
Model Advisor User
Information.
2-4
Check Title
Check ID
Check safety-related diagnostic
settings for signal data
mathworks.do178.DataValiditySi
gnalsDiagnosticsSet
Check safety-related diagnostic
settings for parameters
mathworks.do178.DataValidityPar
amDiagnosticsSet
Requirement Description DO-331 References
ID
DO178C_04 Simulink Verification and MB.6.3.1.e High-level
Validation shall verify that therequirements conform to
model diagnostic configuration standards
parameters pertaining to signal MB.6.3.2.e Low-level
data comply with the Modeling requirements conform to
Guidelines for High-Integrity standards
Systems, R2015a. MB.6.3.1.g Algorithms are
accurate
For details, see “Check safety- MB.6.3.2.g Algorithms are
related diagnostic settings for accurate
signal data” in Simulink MB.6.3.3.b Software
Verification and Validation DO- architecture is consistent
178C/DO-331 Checks and
Model Advisor User
Information.
DO178C_05 Simulink Verification and MB.6.3.1.g Algorithms are
Validation shall verify that the accurate
model diagnostic configuration MB.6.3.2.g Algorithms are
parameters pertaining to accurate
parameters comply with the
Modeling Guidelines for High-
Integrity Systems, R2015a.
For details, see “Check safety-
related diagnostic settings for
parameters” in Simulink
Verification and Validation DO-
178C/DO-331 Checks and
Model Advisor User
Information.
2-5
Check Title
Check ID
Check safety-related diagnostic
settings for data used for
debugging
mathworks.do178.DataValidityD
ebugDiagnosticsSet
Requirement Description
ID
DO178C_06 Simulink Verification and
Validation shall verify that the
model diagnostic configuration
parameters pertaining to
debugging comply with the
Modeling Guidelines for High-
Integrity Systems, R2015a.
DO-331 References
MB.6.3.1.e High-level
requirements conform to
standards
MB.6.3.2.e Low-level
requirements conform to
standards

For details, see “Check safety-

Check safety-related diagnostic
settings for data store memory
mathworks.do178.DataStoreMem
oryDiagnosticsSet
related diagnostic settings for
data used for debugging” in
Simulink Verification and
Validation DO-178C/DO-331
Checks and Model Advisor User
Information.
DO178C_07 Simulink Verification and MB.6.3.3.b Software
Validation shall verify that the architecture is consistent
model diagnostic configuration
parameters pertaining to data
store memory comply with the
Modeling Guidelines for High-
Integrity Systems, R2015a.

For details, see “Check safety-

related diagnostic settings for
data store memory” in Simulink
Verification and Validation DO-
178C/DO-331 Checks and
Model Advisor User
Information.

2-6
Check Title
Check ID
Check safety-related diagnostic
settings for type conversions
mathworks.do178.TypeConversio
nDiagnosticsSet
Check safety-related diagnostic
settings for signal connectivity
mathworks.do178.ConnectivitySi
gnalsDiagnosticsSet
Requirement Description DO-331 References
ID
DO178C_08 Simulink Verification and MB.6.3.1.g Algorithms are
Validation shall verify that the accurate
model diagnostic configuration MB.6.3.2.g Algorithms are
parameters pertaining to type accurate
conversions comply with the
Modeling Guidelines for High-
Integrity Systems, R2015a.
For details, see “Check safety-
related diagnostic settings for
type conversions” in Simulink
Verification and Validation DO-
178C/DO-331 Checks and
Model Advisor User
Information.
DO178C_09 Simulink Verification and MB.6.3.1.e High-level
Validation shall verify that the requirements conform to
model diagnostic configuration standards
parameters pertaining to type MB.6.3.2.e Low-level
conversions comply with the requirements conform to
Modeling Guidelines for High- standards
Integrity Systems, R2015a.
For details, see “Check safety-
related diagnostic settings for
signal connectivity” in Simulink
Verification and Validation DO-
178C/DO-331 Checks and
Model Advisor User
Information.
2-7
Check Title
Check ID
Check safety-related diagnostic
settings for bus connectivity
mathworks.do178.ConnectivityB
ussesDiagnosticsSet
Check safety-related diagnostic DO178C_11
settings that apply to function-call
connectivity
mathworks.do178.FcnCallDiagno
sticsSet
Requirement Description DO-331 References
ID
DO178C_10 Simulink Verification and MB.6.3.3.b Software
Validation shall verify that the architecture is consistent
model diagnostic configuration
parameters pertaining to bus
connectivity comply with the
Modeling Guidelines for High-
Integrity Systems, R2015a.
For details, see “Check safety-
related diagnostic settings for
bus connectivity” in Simulink
Verification and Validation DO-
178C/DO-331 Checks and
Model Advisor User
Information.
Simulink Verification and MB.6.3.3.b Software
Validation shall verify that the architecture is consistent
model diagnostic configuration
parameters pertaining to
function-call connectivity
comply with the Modeling
Guidelines for High-Integrity
Systems, R2015a.
For details, see “Check safety-
related diagnostic settings that
apply to function-call
connectivity” in Simulink
Verification and Validation DO-
178C/DO-331 Checks and
Model Advisor User
Information.
2-8
Check Title
Check ID
Check safety-related diagnostic
settings for compatibility
mathworks.do178.Compatability
DiagnosticsSet
Check safety-related diagnostic
settings for model referencing
mathworks.do178.MdlRefDiagno
sticsSet
Requirement Description DO-331 References
ID
DO178C_12 Simulink Verification and MB.6.3.3.b Software
Validation shall verify that the architecture is consistent
model diagnostic configuration
parameters pertaining to
compatibility comply with the
Modeling Guidelines for High-
Integrity Systems, R2015a.
For details, see “Check safety-
related diagnostic settings for
compatibility” in Simulink
Verification and Validation DO-
178C/DO-331 Checks and
Model Advisor User
Information.
DO178C_13 Simulink Verification and MB.6.3.1.d High-level
Validation shall verify that the requirements are verifiable
model diagnostic configuration MB.6.3.2.d Low-level
parameters pertaining to model requirements are verifiable
referencing comply with the MB.6.3.3.b Software
Modeling Guidelines for High- architecture is consistent
Integrity Systems, R2015a.
For details, see “Check safety-
related diagnostic settings for
model referencing” in Simulink
Verification and Validation DO-
178C/DO-331 Checks and
Model Advisor User
Information.
2-9
Check Title
Check ID
Check safety-related model
referencing settings
mathworks.do178.MdlRefOptSet
Check safety-related code
generation settings
mathworks.do178.CodeSet
Display model version
information
mathworks.do178.MdlChecksum
Requirement Description DO-331 References
ID
DO178C_14 Simulink Verification and MB.6.3.1.b High-level
Validation shall verify that the requirements are accurate and
model configuration parameters consistent
for model referencing are set to MB.6.3.2.b Low-level
generate code for a safety- requirements are accurate and
related application. consistent
MB.6.3.3.b Software
For details, see “Check safety- architecture is consistent
related model referencing
settings” in Simulink
Verification and Validation DO-
178C/DO-331 Checks and
Model Advisor User
Information.
DO178C_15 Simulink Verification and MB.6.3.1.c High-level
Validation shall verify that the requirements are compatible
model configuration parameters with target computer
for code generation comply with MB.6.3.2.c Low-level
the Modeling Guidelines for requirements are compatible
High-Integrity Systems, R2015a. with target computer
MB.6.3.1.e High-level
For details, see “Check safety- requirements conform to
related code generation settings” standards
in Simulink Verification and MB.6.3.2.e Low-level
Validation DO-178C/DO-331 requirements conform to
Checks and Model Advisor User standards
Information. MB.6.3.4.e Source code is
traceable to low-level
requirements
DO178C_16 Simulink Verification and Not Applicable (for
Validation shall verify that the documentation only)
report displays model version
information.
For details, see “Display model
version information” in Simulink
Verification and Validation DO-
178C/DO-331 Checks and
Model Advisor User
Information.
2-10
Check Title
Check ID
Check safety-related diagnostic
settings for saving
mathworks.do178.SavingDiagnos
ticsSet
Check for blocks that do not link DO178C_18
to requirements
mathworks.do178.RequirementIn
fo
Check safety-related diagnostic
settings for model initialization
mathworks.do178.InitDiagnostics
Set
Requirement Description DO-331 References
ID
DO178C_17 Simulink Verification and MB.6.3.3.b Software
Validation shall verify that the architecture is consistent
model configuration parameters
on the Diagnostics > Saving
pane are set for a safety-related
application.
For details, see “Check safety-
related diagnostic settings for
saving” in Simulink Verification
and Validation DO-178C/DO-
331 Checks and Model Advisor
User Information.
Simulink Verification and MB.6.3.1.f High-level
Validation shall verify that the requirements trace to system
model blocks and objects link to requirements
requirements document. MB.6.3.2.f Low-level
requirements trace to high-
For details, see “Check for level requirements
blocks that do not link to
requirements” in Simulink
Verification and Validation DO-
178C/DO-331 Checks and
Model Advisor User
Information.
DO178C_19 Simulink Verification and MB.6.3.3.b Software
Validation shall verify that the architecture is consistent
model diagnostic configuration
parameters pertaining to
initialization are set according to
the Modeling Guidelines for
High-Integrity Systems, R2015a.
For details, see “Check safety-
related diagnostic settings for
model initialization” in Simulink
Verification and Validation DO-
178C/DO-331 Checks and
Model Advisor User
Information.
2-11
Check Title
Check ID
Check state machine type of
Stateflow charts
mathworks.do178.hisf_0001
Check Stateflow charts for
ordering of states and transitions
mathworks.do178.hisf_0002
Requirement Description DO-331 References
ID
DO178C_20 Simulink Verification and MB.6.3.1.b High-level
Validation shall verify that state
requirements are accurate and
machine types comply with the consistent
Modeling Guidelines for High- MB.6.3.1.e High-level
Integrity Systems, R2015a. requirements conform to
standards
For details, see “Check state MB.6.3.2.b Low-level
machine type of Stateflow requirements are accurate and
charts” in Simulink Verification consistent
and Validation DO-178C/DO- MB.6.3.2.e Low-level
331 Checks and Model Advisor requirements conform to
User Information. standards
MB.6.3.3.b Software
architecture is consistent
MB.6.3.3.e Software
architecture conforms to
standards
DO178C_21 Simulink Verification and MB.6.3.3.b Software
Validation shall verify that chart architecture is consistent
state/transition execution order MB.6.3.3.e Software
complies with the Modeling architecture conforms to
Guidelines for High-Integrity standards
Systems, R2015a.
For details, see “Check
Stateflow charts for ordering of
states and transitions” in
Simulink Verification and
Validation DO-178C/DO-331
Checks and Model Advisor User
Information.
2-12
Check Title
Check ID
Check Stateflow debugging
options
mathworks.do178.hisf_0011
Check usage of lookup table
blocks
mathworks.do178.LUTRangeChe
ckCode
Check Stateflow charts for
uniquely defined data objects
mathworks.do178.hisl_0061
Requirement Description DO-331 References
ID
DO178C_22 Simulink Verification and MB.6.3.1.b High-level
Validation shall verify that therequirements are accurate and
Stateflow debugging options consistent
comply with the Modeling MB.6.3.1.e High-level
Guidelines for High-Integrity requirements conform to
Systems, R2015a standards
MB.6.3.2.b Low-level
For details, see “Check requirements are accurate and
Stateflow debugging options” in consistent
Simulink Verification and MB.6.3.2.e Low-level
Validation DO-178C/DO-331 requirements conform to
Checks and Model Advisor User standards
Information.
DO178C_23 Simulink Verification and MB.6.3.1.g Algorithms are
Validation shall verify that accurate
lookup table blocks are MB.6.3.2.g Algorithms are
configured to generate out-of- accurate
range checking code.
For details, see “Check usage of
lookup table blocks” in Simulink
Verification and Validation DO-
178C/DO-331 Checks and
Model Advisor User
Information.
DO178C_24 Simulink Verification and MB.6.3.2.b Accuracy and
Validation shall verify that Consistency of Low-Level
Stateflow charts using data Requirement
objects comply with the
Modeling Guidelines for High-
Integrity Systems, R2015a.
For details, see “Check
Stateflow charts for uniquely
defined data objects” in
Simulink Verification and
Validation DO-178C/DO-331
Checks and Model Advisor User
Information.
2-13
Check Title Requirement Description DO-331 References
Check ID ID
Check usage of Math Operations DO178C_25 Simulink Verification and MB.6.3.1.g Algorithms are
blocks Validation shall verify that math accurate
operations blocks comply with MB.6.3.2.g Algorithms are
mathworks.do178.MathOperation the Modeling Guidelines for accurate
sBlocksUsage High-Integrity Systems, R2015a.

For details, see “Check usage of

Check usage of Signal Routing
blocks
mathworks.do178.SignalRouting
BlockUsage
Math Operations blocks” in
Simulink Verification and
Validation DO-178C/DO-331
Checks and Model Advisor User
Information.
DO178C_26 Simulink Verification and MB.6.3.1.g Algorithms are
Validation shall verify that accurate
Signal Routing blocks comply MB.6.3.2.g Algorithms are
with the Modeling Guidelines accurate
for High-Integrity Systems,
R2015a.

For details, see “Check usage of

Check usage of Logic and Bit
Operations blocks
mathworks.do178.LogicBlockUs
age
Signal Routing blocks” in
Simulink Verification and
Validation DO-178C/DO-331
Checks and Model Advisor User
Information.
DO178C_27 Simulink Verification and MB.6.3.1.g Algorithms are
Validation shall verify that accurate
Logic and Bit Operations blocks MB.6.3.2.g Algorithms are
comply with the Modeling accurate
Guidelines for High-Integrity
Systems, R2015a.

For details, see “Check usage of

Logic and Bit Operations
blocks” in Simulink Verification
and Validation DO-178C/DO-
331 Checks and Model Advisor
User Information.

2-14
Check Title
Check ID
Check usage of Ports and
Subsystems blocks
mathworks.do178.PortsSubsyste
msUsage
Check for inconsistent vector
indexing methods
mathworks.do178.hisl_0021
Check for blocks not
recommended for C/C++
production code deployment
mathworks.do178.PCGSupport
Requirement Description DO-331 References
ID
DO178C_28 Simulink Verification and MB.6.3.1.e High-level
Validation shall verify that Ports requirements conform to
and Subsystems blocks comply standards
with the Modeling Guidelines MB.6.3.2.e Low-level
for High-Integrity Systems, requirements conform to
R2015a. standards
For details, see “Check usage of
Ports and Subsystems blocks” in
Simulink Verification and
Validation DO-178C/DO-331
Checks and Model Advisor User
Information.
DO-178C_29 Simulink Verification and MB.6.3.2.b Accuracy and
Validation shall verify that the Consistency of Low-Level
vector indexing methods comply Requirements
with the Modeling Guidelines
for High-Integrity Systems,
R2015a.
For details, see “Check for
inconsistent vector indexing
methods” in Simulink
Verification and Validation DO-
178C/DO-331 Checks and
Model Advisor User
Information.
DO-178C_30 Simulink Verification and MB.6.3.2.b Accuracy and
Validation shall identify blocks Consistency of Low-Level
not supported by code Requirements
generation or not recommended
for C/C++ production code
deployment.
For details, see “Check for
blocks not recommended for
C/C++ production code
deployment” in Simulink
Verification and Validation DO-
178C/DO-331 Checks and
Model Advisor User
Information.
2-15
Check Title Requirement Description DO-331 References
Check ID ID
Check for MATLAB Function DO-178C_31 Simulink Verification and MB.6.3.2.b Accuracy and
interfaces with inherited Validation shall verify that Consistency of Low-Level
properties MATLAB Functions comply Requirements
with the Modeling Guidelines
mathworks.do178.himl_0002 for High-Integrity Systems,
R2015a.

For details, see “Check for

MATLAB Function interfaces
with inherited properties” in
Simulink Verification and
Validation DO-178C/DO-331
Checks and Model Advisor User
Information.
Check for MATLAB Function DO-178C_32 Simulink Verification and MB.6.3.1.e High-level
metrics Validation shall verify that requirements conform to
complexity and code metrics for standards
mathworks.do178.himl_0003 MATLAB functions comply MB.6.3.2.e Low-level
with the Modeling Guidelines requirements conform to
for High-Integrity Systems, standards
R2015a.

For details, see “Check for

MATLAB Function metrics” in
Simulink Verification and
Validation DO-178C/DO-331
Checks and Model Advisor User
Information.

2-16
Check Title Requirement Description DO-331 References
Check ID ID
Check MATLAB Code Analyzer DO-178C_33 Simulink Verification and MB.6.3.1.g Algorithms are
messages Validation shall verify that accurate
MATLAB Functions for MB.6.3.2.g Algorithms are
mathworks.do178.himl_0004 %#codegen directive, accurate
MATLAB Code Analyzer
messages, and justification
message IDs comply with the
Modeling Guidelines for High-
Integrity Systems, R2015a.

For details, see “Check

Check MATLAB code for global DO-178C_34
variables
mathworks.do178.himl_0005
MATLAB Code Analyzer
messages” in Simulink
Verification and Validation DO-
178C/DO-331 Checks and
Model Advisor User
Information.
Simulink Verification and MB.6.3.3.b Software
Validation shall verify that architecture is consistent
global variables comply with the
Modeling Guidelines for High-
Integrity Systems, R2015a.

For details, see “Check

MATLAB code for global
variables” in Simulink
Verification and Validation DO-
178C/DO-331 Checks and
Model Advisor User
Information.

2-17
2.2 DO-178C/DO-331 Checks and Model Advisor User
Information
The Simulink® Verification and Validation™ user information for the DO-178C/DO-331 checks
is in the Simulink Verification and Validation DO-178C/DO-331 Checks and Model Advisor
User Information.

To access the user information document, on the MATLAB ® command line, type qualkitdo
to open the Artifacts Explorer. The document is in Simulink Verification and Validation >
r2015a.

2-18
2.3 Model Coverage Operational Requirements
The Simulink Verification and Validation product includes model coverage, which helps you
assess the extent to which test cases exercise the pathways through a model. Model coverage
works for Simulink blocks, including the MATLAB Function block, and Stateflow charts.

The following table lists the Simulink Verification and Validation model coverage capabilities
supported by the DO Qualification Kit. Also listed are the corresponding DO-178C or DO-331
(references that include MB prefix) section to which each capability applies. To claim
certification credit, the user is responsible for determing the applicability of the model coverage
capabilities supported by the DO Qualification Kit to their project.

Model Coverage — Operational Requirements Summary

Model Coverage Requirement Description
Capability ID
Cumulative Coverage MC_SL_CUMC Simulink Verification and
Validation shall determine the
accumulated coverage results
of model coverage analysis.
For details, see “Cumulative
Coverage” in Simulink
Verification and Validation
Model Coverage User
Information.
Simulink Cyclomatic MC_SL_CYC Simulink Verification and
Complexity Validation shall determine the
cyclomatic complexity of a
model.
For details, see “Cyclomatic
Complexity” in Simulink
Verification and Validation
Model Coverage User
Information.
DO-178C/DO-331 References
MB.6.3.1.d High-level requirements are
verifiable
MB.6.3.2.d Low-level requirements are
verifiable
MB.6.3.3.d Software architecture is
verifiable
6.4.5 Test cases and procedures are
correct
6.4.4.1 Test coverage of high-level
requirements is achieved
6.4.4.1 Test coverage of low-level
requirements is achieved
MB.6.3.1.d High-level requirements are
verifiable
MB.6.3.1.e High-level requirements
conform to standards
MB.6.3.2.d Low-level requirements are
verifiable
MB.6.3.2.e Low-level requirements
conform to standards
MB.6.3.3.d Software architecture is
verifiable
MB.6.3.3.e Software architecture
conforms to standards

2-19
Model Coverage Requirement Description DO-178C/DO-331 References
Capability ID
Decision Coverage MC_SL_DC Simulink Verification and MB.6.3.1.d High-level requirements are
(DC) Validation shall determine the verifiable
DC of a model.

For details, see “Decision

Coverage (DC)” in Simulink
Verification and Validation
Model Coverage User
Information.

Condition Coverage MC_SL_CC Simulink Verification and

(CC) Validation shall determine the
CC of a model.

For details, see “Condition

Coverage (CC)” in Simulink
Verification and Validation
Model Coverage User
Information.
Modified MC_SL_MCDC Simulink Verification and MB.6.3.2.d Low-level requirements are
Condition/Decision Validation shall determine the verifiable
Coverage (MC/DC) MC/DC of a model. MB.6.3.3.d Software architecture is
verifiable
For details, see “Modified MB.6.3.2.a Low-level requirements
Condition/Decision Coverage comply with high-level requirements
(MCDC)” in Simulink 6.4.5 Test cases and procedures are
Verification and Validation correct
Model Coverage User 6.4.4.1 Test coverage of high-level
Information. requirements is achieved
Saturation on integer MC_SATINT Simulink Verification and 6.4.4.1 Test coverage of low-level
overflow coverage Validation shall provide requirements is achieved
saturation on integer overflow
coverage.

For details, see “Saturation on

integer overflow coverage” in
Simulink Verification and
Validation Model Coverage
User Information.

2-20
Model Coverage Requirement Description DO-178C/DO-331 References
Capability ID
Lookup Table MC_SL_LUT Simulink Verification and 6.4.5 Test cases and procedures are
Coverage (LUT) Validation shall provide LUT correct
coverage. 6.4.4.1 Test coverage of high-level
requirements is achieved
For details, see “Lookup 6.4.4.1 Test coverage of low-level
Table Coverage” in Simulink requirements is achieved
Verification and Validation
Model Coverage User
Information.
Signal Range MC_SL_SR Simulink Verification and
Coverage Validation shall provide
signal range coverage.

For details, see “Signal Range

Coverage” in Simulink
Verification and Validation
Model Coverage User
Information.

Signal Size Coverage MC_SL_SS Simulink Verification and

Validation shall provide
signal size coverage.

For details, see “Signal Size

Coverage” in Simulink
Verification and Validation
Model Coverage User
Information.
Relational Boundary MC_SL_RELB Simulink Verification and MB.6.3.2.d Low-level requirements are
Coverage OUND Validation shall provide verifiable
relational boundary coverage. MB.6.3.3.d Software architecture is
verifiable
For details, see “Relational 6.4.5 Test cases and procedures are
Boundary Coverage” in correct
Simuink Verification and 6.4.4.1 Test coverage of high-level
Validation Model Coverage requirements is achieved
User Information. 6.4.4.1 Test coverage of low-level
requirements is achieved

2-21
Model Coverage Requirement Description DO-178C/DO-331 References
Capability ID
Abs block MC_SL_ABS Simulink Verification and MB.6.3.1.d High-level requirements are
Validation shall provide DC,
verifiable
saturate on integer overflow,
MB.6.3.2.d Low-level requirements are
and relational boundary verifiable
coverage for the Abs block.*
MB.6.3.3.d Software architecture is
verifiable
MB.6.3.2.a Low-level requirements
Combinatorial Logic MC_SL_COMB Simulink Verification and comply with high-level requirements
block LOGIC Validation shall provide DC 6.4.5 Test cases and procedures are
and CC for the Combinatorial correct
Logic block.* 6.4.4.1 Test coverage of high-level
requirements is achieved
Dead Zone block MC_SL_DEAD Simulink Verification and 6.4.4.1 Test coverage of low-level
Validation shall provide DC, requirements is achieved
saturate on integer overflow,
and relational boundary
coverage for the Dead Zone
block.*

Direct Lookup Table MC_SL_DLUT Simulink Verification and 6.4.5 Test cases and procedures are
(n-D) block ND Validation shall provide LUT correct
coverage for the Direct 6.4.4.1 Test coverage of high-level
Lookup Table (n-D) block.* requirements is achieved
6.4.4.1 Test coverage of low-level
requirements is achieved
Discrete-Time MC_SL_DINT Simulink Verification and MB.6.3.1.d High-level requirements are
Integrator block Validation shall provide DC verifiable
and saturate on integer MB.6.3.2.d Low-level requirements are
overflow coverage for the verifiable
Discrete-Time Integrator MB.6.3.3.d Software architecture is
block.* verifiable
MB.6.3.2.a Low-level requirements
Enabled and Triggered MC_SL_ENTR Simulink Verification and comply with high-level requirements
Subsystem block G Validation shall provide DC, 6.4.5 Test cases and procedures are
CC, and MCDC for the correct
Enabled and Triggered 6.4.4.1 Test coverage of high-level
Subsystem block.* requirements is achieved

2-22
Model Coverage Requirement Description DO-178C/DO-331 References
Capability ID
Enabled Subsystem MC_SL_ENAB Simulink Verification and 6.4.4.1 Test coverage of low-level
block Validation shall provide DC, requirements is achieved
CC, and MCDC for the
Enabled Subsystem block.*
Fcn block MC_SL_FCN Simulink Verification and
Validation shall provide CC,
MCDC, and relational
boundary coverage for the
Fcn block.*
For Iterator, For MC_SL_FOR Simulink Verification and
Iterator Validation shall provide DC
Subsystem blocks for the For Iterator, For
Iterator Subsystem blocks.*
If, If Action MC_SL_IF Simulink Verification and
Subsystem blocks Validation shall provide DC,
CC, MCDC, and relational
boundary coverage for the If,
If Action Subsystem blocks.*
Interpolation Using MC_SL_PREL Simulink Verification and 6.4.5 Test cases and procedures are
Prelookup block UT Validation shall provide LUT correct
and saturate on integer 6.4.4.1 Test coverage of high-level
overflow coverage for the requirements is achieved
Interpolation Using Prelookup 6.4.4.1 Test coverage of low-level
blocks.* requirements is achieved
Logical Operator MC_SL_LOGI Simulink Verification and MB.6.3.1.d High-level requirements are
block C Validation shall provide CC verifiable
and MCDC coverage for the MB.6.3.2.d Low-level requirements are
Logical Operator blocks.* verifiable
MB.6.3.3.d Software architecture is
verifiable
MB.6.3.2.a Low-level requirements
comply with high-level requirements
6.4.5 Test cases and procedures are
correct
6.4.4.1 Test coverage of high-level
requirements is achieved
6.4.4.1 Test coverage of low-level
requirements is achieved

2-23
Model Coverage Requirement Description DO-178C/DO-331 References
Capability ID
1-D Lookup Table MC_SL_LUT1 Simulink Verification and 6.4.5 Test cases and procedures are
block D Validation shall provide correct
lookup table and saturate on 6.4.4.1 Test coverage of high-level
integer overflow coverage for requirements is achieved
the 1-D Lookup Table block.* 6.4.4.1 Test coverage of low-level
2-D Lookup Table MC_SL_LUT2 Simulink Verification and requirements is achieved
block D Validation shall provide
lookup table and saturate on
integer overflow coverage for
the 2-D Lookup Table block.*
n-D Lookup Table MC_SL_LUTN Simulink Verification and
block D Validation shall provide
lookup table and saturate on
integer overflow coverage for
the n-D Lookup Table block.*
MATLAB Function MC_SL_EML Simulink Verification andMB.6.3.1.d High-level requirements are
block Validation shall provide DC,
verifiable
CC, MCDC, and relational MB.6.3.2.d Low-level requirements are
boundary coverage for theverifiable
MATLAB Function block.* MB.6.3.3.d Software architecture is
MinMax block MC_SL_MINM Simulink Verification and verifiable
AX Validation shall provide DC MB.6.3.2.a Low-level requirements
and saturate on integer comply with high-level requirements
overflow coverage for the 6.4.5 Test cases and procedures are
MinMax block.*
correct
Model block MC_SL_MDLR Simulink Verification and 6.4.4.1 Test coverage of high-level
EF Validation shall provide DC, requirements is achieved
CC, MCDC, LUT, Simulink 6.4.4.1 Test coverage of low-level
Design Verifier, saturate on requirements is achieved
integer overflow coverage,
and relational boundary
coverage for the Model
block.*
Multiport Switch MC_SL_MPSW Simulink Verification and
block ITCH Validation shall provide DC
and saturate on integer
overflow coverage for the
Multiport Switch block.*
Rate Limiter block MC_SL_RATLI Simulink Verification and
M Validation shall provide DC
relational boundary coverage
for the Rate Limiter block.*

2-24
Model Coverage Requirement Description DO-178C/DO-331 References
Capability ID
Relational Operator MC_SL_RELO Simuink Verification and
block P Validation shall provide
condition and relational
boundary coverage for the
Relational Operator block.*
Relay block MC_SL_RELA Simulink Verification and
Y Validation shall provide DC
and relational boundary
coverage for the Relay
block.*
Saturation block MC_SL_SATU Simulink Verification and
RATE Validation shall provide DC
and relational boundary
coverage for the Saturation
block.*
Sqrt, Signed Sqrt, MC_SL_SQRT Simulink Verification and
Reciprocal Sqrt Validation shall provide
saturate on integer overflow
coverage for the Sqrt, Signed
Sqrt, Reciprocal Sqrt blocks.*
Switch block MC_SL_SWIT Simulink Verification and
CH Validation shall provide DC,
saturate on integer overflow
coverage, and relational
boundary coverage for the
Saturation block.*
Switch Case, Switch MC_SL_CASE Simulink Verification and
Case Action Validation shall provide DC
Subsystem blocks for the Switch Case, Switch
Case Action Subsystem
blocks.*
Triggered Subsystem MC_SL_TRIG Simulink Verification and
block GER Validation shall provide DC,
CC, and MCDC for the
Triggered Subsystem block.*
While Iterator, While MC_SL_WHIL Simulink Verification and
Iterator Subsystem E Validation shall provide DC
blocks for the While Iterator, While
Iterator Subsystem blocks.*

2-25
Model Coverage Requirement Description DO-178C/DO-331 References
Capability ID
Stateflow Cyclomatic MC_SF_CYC Simulink Verification and
Complexity Validation shall determine the
cyclomatic complexity of
Stateflow objects.**
Chart as triggered MC_SF_TRIG Simulink Verification and
Simulink block GER Validation shall provide DC
for Charts used as a triggered
Simulink block.**
Chart with Exclusive MC_SF_CHAR Simulink Verification and
OR Substates TSUB Validation shall provide DC
for Charts containing
exclusive OR substates.**
Superstate with MC_SF_SUPE Simulink Verification and
Exclusive OR RSUB Validation shall provide DC
Substates for Superstates containing
exclusive OR substates.**
State with On MC_SF_ONEV Simulink Verification and
Event_Name Action ENT Validation shall provide DC
Statement for States with ON
Event_Name Action
Statement.**
Conditional transition MC_SF_TRAN Simulink Verification and
decision DEC Validation shall provide DC
for conditional transitions.**
Condition coverage of MC_SF_TRAN Simulink Verification and
transition decision COND Validation shall provide CC
for transition decisions.**
MC/DC coverage of MC_SF_TRAN Simulink Verification and
transition decision MCDC Validation shall provide
MCDC for transition
decisions.**
Relational boundary MC_SF_BOUN Simulink Verification and
coverage for Stateflow DCOV Validation shall provide
boundary coverage for
Stateflow.**

2-26
Model Coverage Requirement Description DO-178C/DO-331 References
Capability ID
Truth Table conditions MC_SF_TTCO Simulink Verification and
ND Validation shall provide CC
for Truth Tables.

For details, see “Model

Coverage for Stateflow Truth
Tables” in Simulink
Verification and Validation
Model Coverage User
Information.
Truth Table decisions MC_SF_TTDE Simulink Verification and
C Validation shall provide DC
for Truth Tables.

For details, see “Model

Coverage for Stateflow Truth
Tables” in Simulink
Verification and Validation
Model Coverage User
Information.
Truth Table MC/DC MC_SF_TTMC Simulink Verification and
DC Validation shall provide
MCDC for Truth Tables.

For details, see “Model

Coverage for Stateflow Truth
Tables” in Simulink
Verification and Validation
Model Coverage User
Information.

2-27
Model Coverage Requirement Description DO-178C/DO-331 References
Capability ID
Simulink Design MC_SLDV_SL Simulink Verification and 6.4.5 Test cases and procedures are
Verifier Coverage DV Validation shall provide correct
Simulink Design Verifier
Coverage.

For details, see “Simulink

Design Verifier Coverage” in
Simulink Verification and
Validation Model Coverage
User Information.
Proof Assumption MC_SLDV_PR Simulink Verification and
block OOFASM Validation shall provide
Simulink Design Verifier
coverage for the Proof
Assumption block.*
Proof Objective block MC_SLDV_PR Simulink Verification and
OOFOBJ Validation shall provide
Simulink Design Verifier
coverage for the Proof
Objective block.*
Test Condition block MC_SLDV_TE Simulink Verification and
STCON Validation shall provide
Simulink Design Verifier
coverage for the Test
Condition block.
Test Objective block MC_SLDV_TE Simulink Verification and
STOBJ Validation shall provide
Simulink Design Verifier
coverage for the Test
Objective block.*
* See “Model Objects That Receive Coverage” in Simulink Verification and Validation Model Coverage User
Information.
** See “Model Coverage for Stateflow Charts” in Simulink Verification and Validation Model Coverage User
Information.

2-28
2.4 Model Coverage User Information
The Simulink® Verification and Validation™ user information for the model coverage is in the
Simulink Verification and Validation Model Coverage User Information.

To access the user information document, on the MATLAB® command line, type qualkitdo
to open the Artifacts Explorer. The document is in Simulink Verification and Validation >
r2015a.

2-29
3 Installation

To use the Simulink® Verification and Validation™ product, install the following MathWorks®
products:

 MATLAB®
 Simulink®
 Simulink Verification and Validation

Instructions for installing the products are available at the MathWorks Documentation Center,
R2015a:

Installation
3-2
4 Operational Environment

The DO Qualification Kit product supports the following operating environments for the
Simulink® Verification and Validation™ product:

 Personal computer
 One of the following operating systems:
- Microsoft® Windows®
- Linux®1
 MATLAB® Software
 Simulink® Software
 Simulink Verification and Validation software

1
Linux® is a registered trademark of Linus Torvalds.