Some time ago I was having a discussion with my colleague Sarah Dagen, from our Consulting Services, and she began explaining Simulink Code Inspector™ to me. I immediately stopped her and said: Wait! Write me a blog post instead!.
Here is the result:
Why Simulink Code Inspector?
You are designing a high-integrity software application using Simulink (good idea!). Once you have an excellent design that has been tested and meets the design requirements, you use Embedded Coder to generate C code that you will then compile, link, and load to your embedded hardware target.
You know your Simulink design does exactly what you want it to do - nothing more, nothing less. But you are not going to be running Simulink on the embedded hardware - you will be running an executable built from the automatically generated C code.
So what about that C code - does it still represent your exact design? How can you tell? You could use Processor-in-the-Loop (PIL) and re-run your requirements-based tests on the target processor to verify that the outputs match your simulation outputs. That's a good start. However, this is not necessarily going to prove the absence of unintended code. So, what can?
So... what is Simulink Code Inspector?
Simulink Code Inspector automatically compares generated code with its source model. It examines the generated code and the model to determine if they are structurally equivalent. After inspection is complete, it produces detailed reports with model-to-code and code-to-model traceability analysis.
Because Simulink Code Inspector has been implemented completely independently of Embedded Coder, it can be used as a means of compliance for DO-178C/DO-331 certification objectives. These structural equivalence and traceability reports can be submit to certification authorities as evidence of code reviews for high-integrity standards such as DO-178C. Simulink Code Inspector is supported by our DO-178C/DO-331 Qualification Kit, allowing you to obtain certification credit when using it for DO-178C/DO-331 applications.
How does it do that?
Ok, magic and abstract syntax trees.
Working with Simulink Code Inspector
To highlight what Code Inspector can do for you, let's take a very simple model to be deployed to an embedded target.
Not all Simulink/Stateflow features are supported by Code Inspector. Before running an inspection, you need to check that your model is compatible with Code Inspector. A set of Model Advisor checks, included with Code Inspector, can be run to verify compatibility.
I run these checks on the model and review the Model Advisor report.
No compatibility issues, so let's go ahead with inspection.
Open the Simulink Code Inspector window from the 'Code' menu...
And get this window:
Once code generation and inspection are complete, a report with the results will open.
Code Inspection Report
Here's the report from the inspection - we passed!
The report is extremely detailed - let's look at some of the information it includes.
Model-to-code traceability - with hyperlinks for navigating to the exact model object for convenience.
Depending on your goal, it might be more convenient to know which block corresponds to a specific line of code. The report also includes a code-to-model traceability section.
I guess it's your turn now...
We've introduced some of the basic features of Simulink Code Inspector. Obviously there's quite a bit more to this tool, but I hope that this overview will inspire you to think about your processes for verifying autogenerated code for high-integrity applications.
Does your organization's development process for high-integrity embedded software include manual code reviews or manual tracing from model to code? Are you interested in seeing more posts about high-integrity software development with Simulink? Let us know what you think by leaving a comment below.