DAIMLER/MES (page 19)
can be scaled for many electrified drivetrains. The complete control software is developed with the model-based design method according to the V-cycle. TargetLink, dSPACE's production code generator, is a core component of the development tool chain. TargetLink supports modeling and code generation of an AUTOSAR-compliant software architecture and is certified up to ASIL D for safety-related software. Modeling the function software in Simulink® and TargetLink plays a central role for early requirement validation, because a higher quality of the models used for code generation directly translates into a higher quality of the generated software. Using Simulink/TargetLink for software modeling is an accepted, industry-proven method to generate high-quality software. This is also in line with ISO 26262, which recommends using a semi-formal modeling language such as Simulink. MBRDNA uses a combination of static and analytical validation measures to ensure a high model quality. Independently of the functional customer requirements, MBRDNA defined development methods that ensure an optimal integration of the software into the target environment.
Rules for the Software Design
An important part of this method is the consistent use of modeling and conformity rules for software design. The rules used at MBRDNA are based on Daimler-internal regulations for model development and have been adapted to the development requirements of the e-drive software. The Daimler modeling guidelines are based on modeling standards and tool-specific guidelines such as MAAB, MISRA Simulink/Stateflow, MES Functional Safety Guidelines, MISRA TargetLink, and the dSPACE TargetLink Modeling Guidelines (figure 1). Because all of these guidelines have a different focus, a smart combination of them is needed to cover all aspects required for modeling safety-related software according to ISO 26262.

The rules of the MAAB (MathWorks Automotive Advisory Board) focus on design aspects of simulation and controller models with an emphasis on readability, serviceability, and best practices. The MAAB rules do not accentuate production code generation. The MISRA Simulink/Stateflow and MISRA TargetLink guidelines, however, focus on safety aspects of the models and the code generated from them. They define a safe language range for Simulink and Stateflow, modeling patterns for safe code patterns, and an appropriate configuration of the simulation environment. Tool-specific guidelines such as the MISRA TargetLink and dSPACE TargetLink Modeling Guidelines predominantly refer to code generation with TargetLink. Compliance with these guidelines means that there must not be any modeling patterns or configurations of the model or code generator that can negatively affect the properties of the generated code. The MES Functional Safety Guidelines largely refer to safety considerations of the model and the generated code. These guidelines were derived from the requirements of ISO 26262 and other safety standards, and complement the existing guidelines for the design of safety-related software. Key elements of the analyses are checks for data flow and control flow.
Automated Testing for TargetLink Models
With its goal of making it easier to use the modeling guidelines, MBRDNA tailored the Daimler modeling guide-
"The increasing complexity of software systems pushes traditional testing to its limits. Automated analyses of the created models and the translated software are an integral part of our software quality assurance."
Alexander Dolpp, Mercedes-Benz Research & Development North America, Inc.
dSPACE Magazine 1/2016 · © dSPACE GmbH, Paderborn, Germany · info@dspace.com · www.dspace.com