QGen helps decrease software life cycle costs in the Simulink® and Stateflow® environments in several ways:
- A safe subset of Simulink® blocks is enforced
- The code generator is customizable for high-level model transformations
- The code generator produces efficient code in MISRA C and in SPARK (a formally verifiable subset of Ada)
- Static analysis detects and reports potential errors at the model level
- A model-level debugger provides synchronized views across the model, the generated source code, and the final assembly code
- Processor-in-the-Loop (PIL) execution is supported on hardware and emulator
- Consistent code is generated across multiple versions of the Simulink® and Stateflow® environments
- Tool qualification is supported under ISO 26262, DO-178B/C, and EN 50128 for both the code generator and the model verifier
QGen also decreases tool integration costs by integrating smoothly with AdaCore’s qualifiable compilation, target emulation, and structural coverage analysis products.
Support for Simulink® and Stateflow® models
QGen supports a wide range of features from the Simulink® and Stateflow® environments, including more than 100 blocks, Simulink® signals and parameters objects, and several Matlab operations. The supported feature set has been carefully selected to ensure code generation that is amenable to safety-critical systems. MISRA Simulink® constraints can be optionally checked with QGen. Features that would imply unpredictable behavior, or that would lead to the generation of unsafe code, have been removed. The modeling standard enforced by QGen is then suitable out-of-the-box for developing systems that are to be certified under ISO 26262, DO-178B/C, and EN 50128.
Qualification material
Complete qualification material for QGen is scheduled for later availability. This qualification material complies with the DO-178C standard at Tool Qualification Level 1 (TQL-1, equivalent to a Development Tool in DO-178B). This will make QGen the only code generator for Simulink® and Stateflow® models for which a TQL-1 qualification kit is available. TQL-1 qualification for the code generator brings a major benefit: the savings in verification effort. For example, there is no need to review or to create low-level requirements or tests for the generated code.
Support for model static analysis
QGen supports the static verification that three kinds of issues are prevented: run-time errors, logical errors, and safety violations. Run-time errors, such as division by zero or integer overflow, may lead to exceptions being raised during system execution. Logical errors, for example a Simulink® “If” block condition that is always true, imply a defect in the designed model. And safety properties, which can be modeled using Simulink® Model Verification blocks, represent safety requirements that are embedded in the design model. QGen is able to statically verify all these properties and generate run-time checks as well if configured to do so.
Support for Model-Level Debugging
The QGen debugger tool offers a synchronized view across the Simulink® model, the generated MISRA C or SPARK code, and the final assembly code. Users can set model-level breakpoints (for example, stopping on block entry or signal computation), display and update model-level data, and step through model execution (for example performing a single block computation or stepping into and out of a subsystem).
Support for Processor-in-the-Loop testing
QGen can be integrated with AdaCore’s GNATemulator and GNATcoverage tools to support streamlined Processor-In-the-Loop (PIL) testing. The simulation of Simulink® models can be tested back-to-back against the generated code, which is cross-compiled and deployed on a GNATemulator installation on the user workstation. While conducting PIL testing, GNATcoverage can also perform structural coverage analysis up to MC/DC without any code instrumentation. Both GNATcoverage and GNATemulator have been already qualified in an operational context.