Signal Routing

hisl_0013: Usage of data store blocks

ID: Title

hisl_0013: Usage of data store blocks

Description

To support deterministic behavior across different sample times or models when using data store blocks, including Data Store Memory, Data Store Read, and Data Store Write:

A

In the Configuration Parameters dialog box, on the Diagnostics > Data Validity pane, under Data Store Memory block, set the following parameters to error:

  • Detect read before write

  • Detect write after read

  • Detect write after write

  • Multitask data store

  • Duplicate data store names

B

Avoid data store reads and writes that occur across model and atomic subsystem boundaries.

C

Avoid using data stores to write and read data at different rates, because different rates can result in inconsistent exchanges of data. To provide deterministic data coupling in multirate systems, use Rate Transition blocks before Data Store Write blocks, or after Data Store Read blocks.
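The three access-order diagnostics in item A can be pictured with a small C model of one data store that tracks accesses within a time step. This is an added illustration, not MathWorks code and not how Simulink implements the diagnostics; `data_store_t` and the `ds_*` functions are hypothetical names, and the model reports one finding per access.

```c
#include <stdbool.h>
#include <stdio.h>

/* Findings named after the three access-order diagnostics in item A. */
typedef enum { DS_OK, DS_READ_BEFORE_WRITE, DS_WRITE_AFTER_READ,
               DS_WRITE_AFTER_WRITE } ds_diag_t;
typedef enum { ACC_NONE, ACC_READ, ACC_WRITE } ds_access_t;

/* Hypothetical stand-in for one Data Store Memory block. */
typedef struct {
    double      value;
    bool        written; /* written at least once in the current time step */
    ds_access_t last;    /* most recent access in the current time step */
} data_store_t;

/* Call once at the start of every time step. */
void ds_begin_step(data_store_t *ds) { ds->written = false; ds->last = ACC_NONE; }

/* Read: flagged when nothing has written the store yet in this step,
 * because the value returned then comes from an earlier step. */
ds_diag_t ds_read(data_store_t *ds, double *out)
{
    *out = ds->value;
    ds->last = ACC_READ;
    return ds->written ? DS_OK : DS_READ_BEFORE_WRITE;
}

/* Write: flagged when it directly follows a write, or follows a read. */
ds_diag_t ds_write(data_store_t *ds, double v)
{
    ds_diag_t d = DS_OK;
    if (ds->last == ACC_WRITE)     d = DS_WRITE_AFTER_WRITE;
    else if (ds->last == ACC_READ) d = DS_WRITE_AFTER_READ;
    ds->value = v;
    ds->written = true;
    ds->last = ACC_WRITE;
    return d;
}

int main(void)
{
    data_store_t ds = { 0.0, false, ACC_NONE };
    double v;
    ds_begin_step(&ds);
    printf("read first: %d\n", ds_read(&ds, &v));   /* read before write */
    printf("then write: %d\n", ds_write(&ds, 1.0)); /* write after read */
    return 0;
}
```
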

Notes

The sorting algorithm in Simulink® does not take into account data coupling between models and atomic subsystems.

Using data store memory blocks can have significant impact on your software verification effort. Models and subsystems that use only inports and outports to pass data provide a directly traceable interface, simplifying the verification process.

Rationale

A, B, C

Support consistent data values across different sample times or models.

Model Advisor Checks
  • By Task > Modeling Standards for DO-178C/DO-331 > High-Integrity Systems > Configuration > Check safety-related diagnostic settings for data store memory

  • By Task > Modeling Standards for IEC 61508 > High-Integrity Systems > Configuration > Check safety-related diagnostic settings for data store memory

  • By Task > Modeling Standards for IEC 62304 > High-Integrity Systems > Configuration > Configuration > Check safety-related diagnostic settings for data store memory

  • By Task > Modeling Standards for ISO 26262 > High-Integrity Systems > Configuration > Configuration > Check safety-related diagnostic settings for data store memory

  • By Task > Modeling Standards for EN 50128 > High-Integrity Systems > Configuration > Configuration > Check safety-related diagnostic settings for data store memory

For more details, see Check safety-related diagnostic settings for data store memory.

References
  • IEC 61508-3, Table A.3 (3) 'Language subset'
    IEC 61508-3, Table A.4 (3) 'Defensive programming'

  • IEC 62304, 5.5.3 - Software Unit acceptance criteria

  • ISO 26262-6, Table 1 (1b) 'Use of language subsets'
    ISO 26262-6, Table 1 (1d) 'Use of defensive implementation techniques'

  • EN 50128, Table A.4 (11) 'Language Subset'
    EN 50128, Table A.3 (1) 'Defensive Programming'

  • DO-331, Section MB.6.3.3.b 'Software architecture is consistent'

Last Changed

R2017b

Examples

The following examples use Rate Transition blocks to provide deterministic data coupling in multirate systems:

  • For fast-to-slow transitions:

    Set the rate of the slow sample time on either the Rate Transition block or the Data Store Write block.

    Do not place the Rate Transition block after the Data Store Read block.

  • For slow-to-fast transitions:

    If the Rate Transition block is after the Data Store Read block, specify the slow rate on the Data Store Read block.

    If the Rate Transition block is before the Data Store Write block, use the inherited sample time for the blocks.

hisl_0015: Usage of Merge blocks

ID: Title

hisl_0015: Usage of Merge blocks

Description

To support unambiguous behavior from Merge blocks:

A

Use Merge blocks only with conditionally executed subsystems.

B

Specify execution of the conditionally executed subsystems such that only one subsystem executes during a time step.

C

Clear the Merge block parameter Allow unequal port widths.

D

Set the Outport block parameter Output when disabled to held for each conditionally executed subsystem being merged.

Notes

Simulink combines the inputs of the Merge block into a single output. The output value at any time is equal to the most recently computed output of the blocks that drive the Merge block. Therefore, the Merge block output is dependent upon the execution order of the input computations.

To provide predictable behavior of the Merge block output, you must have mutual exclusion between the conditionally executed subsystems feeding a Merge block.

Merge block parameter Allow unequal port widths is only available when configuration parameter Underspecified initialization detection is set to Classic.
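The order dependence described in these notes can be reproduced with a small C model of two enabled subsystems driving one merged signal. This is an added illustration, not MathWorks code; `subsys_t`, `merge_step`, and `mutually_exclusive` are hypothetical names, and each subsystem is reduced to a gain.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical enabled subsystem: computes gain * u only when enabled. */
typedef struct { bool enabled; double gain; } subsys_t;

/* The merged signal takes the most recently computed input, so every
 * subsystem that executes overwrites it. */
static void run_subsys(const subsys_t *s, double u, double *merge)
{
    if (s->enabled) *merge = s->gain * u;
}

/* One time step with the two subsystems executed in the given order.
 * `prev` is the previous merged value, kept when nothing executes
 * (Output when disabled = held, item D). */
double merge_step(const subsys_t *first, const subsys_t *second,
                  double u, double prev)
{
    double merge = prev;
    run_subsys(first, u, &merge);
    run_subsys(second, u, &merge);
    return merge;
}

/* Item B as a check: at most one driver executes in a time step. */
bool mutually_exclusive(const subsys_t *a, const subsys_t *b)
{
    return !(a->enabled && b->enabled);
}

int main(void)
{
    subsys_t a = { true, 2.0 }, b = { true, -1.0 };   /* constructed values */
    printf("exclusive: %d\n", mutually_exclusive(&a, &b));
    printf("order a,b: %g\n", merge_step(&a, &b, 3.0, 0.0));
    printf("order b,a: %g\n", merge_step(&b, &a, 3.0, 0.0));
    b.enabled = false;                                /* now item B holds */
    printf("order a,b: %g\n", merge_step(&a, &b, 3.0, 0.0));
    printf("order b,a: %g\n", merge_step(&b, &a, 3.0, 0.0));
    return 0;
}
```
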

Prerequisites

hisl_0303: Configuration Parameters > Diagnostics > Merge block

hisl_0304: Configuration Parameters > Diagnostics > Model initialization

Rationale

A, B, C, D

Avoid ambiguous behavior.

Model Advisor Checks
  • By Task > Modeling Standards for DO-178C/DO-331 > High-Integrity Systems > Simulink > Check usage of Merge blocks

  • By Task > Modeling Standards for IEC 61508 > High-Integrity Systems > Simulink > Check usage of Merge blocks

  • By Task > Modeling Standards for IEC 62304 > High-Integrity Systems > Simulink > Check usage of Merge blocks

  • By Task > Modeling Standards for EN 50128 > High-Integrity Systems > Simulink > Check usage of Merge blocks

  • By Task > Modeling Standards for ISO 26262 > High-Integrity Systems > Simulink > Check usage of Merge blocks

For check details, see Check usage of Merge blocks.

References
  • IEC 61508-3, Table A.3 (3) 'Language subset'
    IEC 61508-3, Table A.4 (3) 'Defensive programming'

  • IEC 62304, 5.5.3 - Software Unit acceptance criteria

  • ISO 26262-6, Table 1(b) 'Use of language subsets'
    ISO 26262-6, Table 1(d) 'Use of defensive implementation techniques'

  • EN 50128, Table A.4 (11) 'Language Subset'
    EN 50128, Table A.3 (1) 'Defensive Programming'

  • DO-331, Section MB.6.3.3.b 'Software architecture is consistent'

See Also

Merge block in the Simulink documentation

Last Changed

R2018b

Examples

Recommended

Not Recommended

hisl_0021: Consistent vector indexing method

ID: Title

hisl_0021: Consistent vector indexing method

Description

Within a model, use:

A

Consistent vector indexing method.

Supports configurable indexing:

Supports only one-based indexing:

Supports only zero-based indexing:

  • Stateflow chart with C action language

  • Truth Table function with C action language

Rationale

A

Reduce the risk of introducing errors due to inconsistent indexing.

Model Advisor Checks
  • By Task > Modeling Standards for DO-178C/DO-331 > High-Integrity Systems > Simulink > Check for inconsistent vector indexing methods

  • By Task > Modeling Standards for IEC 61508 > High-Integrity Systems > Simulink > Check for inconsistent vector indexing methods

  • By Task > Modeling Standards for IEC 62304 > High-Integrity Systems > Simulink > Check for inconsistent vector indexing methods

  • By Task > Modeling Standards for ISO 26262 > High-Integrity Systems > Simulink > Check for inconsistent vector indexing methods

  • By Task > Modeling Standards for EN 50128 > High-Integrity Systems > Simulink > Check for inconsistent vector indexing methods

For check details, see Check for inconsistent vector indexing methods.

References
  • IEC 61508-3, Table A.3 (3) 'Language subset'
    IEC 61508-3, Table A.4 (5) 'Design and coding standards'

  • IEC 62304, 5.5.3 - Software Unit acceptance criteria

  • ISO 26262-6, Table 1 (1b) 'Use of language subsets'
    ISO 26262-6, Table 1 (1e) 'Use of well-trusted design principles'
    ISO 26262-6, Table 1 (1f) 'Use of unambiguous graphical representation'
    ISO 26262-6, Table 1 (1g) 'Use of style guide'
    ISO 26262-6, Table 1 (1h) 'Use of naming conventions'

  • EN 50128, Table A.4 (11) 'Language Subset'
    EN 50128, Table A.12 (1) 'Coding Standard'

  • DO-331, Section MB.6.3.2.b 'Low-level requirements are accurate and consistent'

See Also

cgsl_0101: Zero-based indexing

Last Changed

R2019a

hisl_0022: Data type selection for index signals

ID: Title

hisl_0022: Data type selection for index signals

Description

For index signals, use:

A

An integer or enumerated data type.

B

A data type that covers the range of indexed values.

Blocks that use a signal index include:

  • Assignment

  • Direct Lookup Table (n-D)

  • Index Vector

  • Interpolation Using Prelookup

  • MATLAB® Function

  • Multiport Switch

  • Selector

  • Stateflow® Chart

Rationale

A

Prevent unexpected results that can occur with rounding operations for floating-point data types.

B

Enable access to data in a vector.

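Both rationales can be seen in a few lines of C, shown here as an added illustration that is not MathWorks code. The function names, the 300-element table length, and the sample values are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define TABLE_LEN 300u   /* constructed table size: valid indices 0..299 */

/* Rationale A: an index derived from a double depends on the rounding
 * operation. A C cast truncates toward zero. */
int32_t index_trunc(double fraction, double scale)
{
    return (int32_t)(fraction * scale);
}

/* The same signal converted with round-half-up (non-negative input only). */
int32_t index_round(double fraction, double scale)
{
    return (int32_t)(fraction * scale + 0.5);
}

/* Rationale B violated: uint8 cannot represent 256..299, so the index
 * wraps modulo 256 and silently selects a different element. */
uint8_t index_as_u8(uint32_t wanted)
{
    return (uint8_t)wanted;
}

/* Rationale B satisfied: uint16 covers 0..TABLE_LEN-1. Values beyond the
 * table are clamped to the last element as a defensive measure. */
uint16_t index_as_u16(uint32_t wanted)
{
    return (uint16_t)(wanted < TABLE_LEN ? wanted : TABLE_LEN - 1u);
}

int main(void)
{
    /* 0.29 * 100 is stored as 28.999999999999996, not 29. */
    printf("0.29 * 100 = %.17g\n", 0.29 * 100.0);
    printf("truncated  : %d\n", (int)index_trunc(0.29, 100.0));
    printf("rounded    : %d\n", (int)index_round(0.29, 100.0));
    printf("260 as u8  : %u\n", (unsigned)index_as_u8(260u));
    printf("260 as u16 : %u\n", (unsigned)index_as_u16(260u));
    return 0;
}
```
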
Model Advisor Checks
  • By Task > Modeling Standards for DO-178C/DO-331 > High-Integrity Systems > Simulink > Check data types for blocks with index signals

  • By Task > Modeling Standards for IEC 61508 > High-Integrity Systems > Simulink > Check data types for blocks with index signals

  • By Task > Modeling Standards for IEC 62304 > High-Integrity Systems > Simulink > Check data types for blocks with index signals

  • By Task > Modeling Standards for EN 50128 > High-Integrity Systems > Simulink > Check data types for blocks with index signals

  • By Task > Modeling Standards for ISO 26262 > High-Integrity Systems > Simulink > Check data types for blocks with index signals

For check details, see Check data types for blocks with index signals.

References
  • IEC 61508-3, Table A.3 (2) 'Strongly typed programming language'
    IEC 61508-3, Table A.4 (3) 'Defensive programming'

  • IEC 62304, 5.5.3 - Software Unit acceptance criteria

  • ISO 26262-6, Table 1 (1b) 'Use of language subsets'
    ISO 26262-6, Table 1 (1c) 'Enforcement of strong typing'
    ISO 26262-6, Table 1 (1d) 'Use of defensive implementation techniques'

  • EN 50128, Table A.4 (8) 'Strongly Typed Programming Language'
    EN 50128, Table A.3 (1) 'Defensive Programming'

  • DO-331, Section MB.6.3.4.f 'Accuracy and Consistency of Source Code'

Last Changed

R2018b

hisl_0023: Verification of model and subsystem variants

ID: Title

hisl_0023: Verification of model and subsystem variants

Description

When verifying that a model is consistent with generated code, do the following:

A

For each Model Variant block, verify that block parameter Generate preprocessor conditionals is cleared.

B

For each Variant Subsystem block, verify that block parameter Analyze all choices during update diagram and generate preprocessor conditionals is cleared.

C

Verify all combinations of model variants that might be active in the generated code.

Rationale

A, B

Simplify consistency testing between the model and generated code by restricting the code base to a single variant.

C

Make sure that consistency testing between the model and generated code is complete for all variants.

Model Advisor Checks
  • By Task > Modeling Standards for DO-178C/DO-331 > High-Integrity Systems > Simulink > Check for variant blocks with 'Generate preprocessor conditionals' active

  • By Task > Modeling Standards for IEC 61508 > High-Integrity Systems > Simulink > Check for variant blocks with 'Generate preprocessor conditionals' active

  • By Task > Modeling Standards for IEC 62304 > High-Integrity Systems > Simulink > Check for variant blocks with 'Generate preprocessor conditionals' active

  • By Task > Modeling Standards for EN 50128 > High-Integrity Systems > Simulink > Check for variant blocks with 'Generate preprocessor conditionals' active

  • By Task > Modeling Standards for ISO 26262 > High-Integrity Systems > Simulink > Check for variant blocks with 'Generate preprocessor conditionals' active

For check details, see Check for variant blocks with 'Generate preprocessor conditionals' active.

References
  • DO-331, Section MB.6.3.2.b 'Low-level requirements are accurate and consistent'

  • IEC 61508-3, Table A.4 (7) 'Use of trusted / verified software modules and components'

Last Changed

R2017b

hisl_0034: Usage of Signal Routing blocks

ID: Title

hisl_0034: Usage of Signal Routing blocks

Description

To support the robustness of the operations when using Switch blocks:

A

Avoid comparisons using the ~= operator on floating-point data types.

Note

Due to floating-point precision issues, do not test floating-point expressions for inequality (~=).

When the model contains a Switch block computing a relational operator with the ~= operator, the inputs to the block must not be single, double, or any custom storage class that is a floating-point type. Change the data type of the input signals, or rework the model to eliminate using the ~= operator within Switch blocks.
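The following C sketch, an added illustration that is not MathWorks code or generated code, shows a Switch with the `u2 ~= 0` criterion taking the wrong branch on a double control signal, next to the two reworks the note names: an integer control input and a threshold criterion. All function names, the accumulated test signal, and the 1e-9 threshold are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Switch block, criterion "u2 ~= 0": pass u1 when true, otherwise u3. */
double switch_ne_zero_f64(double u1, double u2, double u3)
{
    return (u2 != 0.0) ? u1 : u3;
}

/* Same criterion with an integer control input (data type changed). */
double switch_ne_zero_i32(double u1, int32_t u2, double u3)
{
    return (u2 != 0) ? u1 : u3;
}

/* Rework without ~=: criterion "u2 > Threshold" on the magnitude of u2. */
double switch_gt_threshold(double u1, double u2, double threshold, double u3)
{
    double mag = (u2 < 0.0) ? -u2 : u2;
    return (mag > threshold) ? u1 : u3;
}

/* Constructed control signal: setpoint minus n accumulated steps. */
double residual_f64(double setpoint, double step, int n)
{
    double acc = 0.0;
    for (int i = 0; i < n; ++i) acc += step;
    return setpoint - acc;
}

/* Same signal in integer tenths: 0.1 becomes 1 and 1.0 becomes 10. */
int32_t residual_i32(int32_t setpoint, int32_t step, int n)
{
    int32_t acc = 0;
    for (int i = 0; i < n; ++i) acc += step;
    return setpoint - acc;
}

int main(void)
{
    double r = residual_f64(1.0, 0.1, 10);   /* mathematically zero */
    printf("residual     = %.17g\n", r);
    printf("~= on double : %g\n", switch_ne_zero_f64(1.0, r, 0.0));
    printf("~= on int32  : %g\n",
           switch_ne_zero_i32(1.0, residual_i32(10, 1, 10), 0.0));
    printf("> threshold  : %g\n", switch_gt_threshold(1.0, r, 1e-9, 0.0));
    return 0;
}
```
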

Rationale

A

Improve model robustness.

Model Advisor Checks
  • By Task > Modeling Standards for DO-178C/DO-331 > High-Integrity Systems > Simulink > Check usage of Signal Routing blocks

  • By Task > Modeling Standards for IEC 61508 > High-Integrity Systems > Simulink > Check usage of Signal Routing blocks

  • By Task > Modeling Standards for IEC 62304 > High-Integrity Systems > Simulink > Check usage of Signal Routing blocks

  • By Task > Modeling Standards for EN 50128 > High-Integrity Systems > Simulink > Check usage of Signal Routing blocks

  • By Task > Modeling Standards for ISO 26262 > High-Integrity Systems > Simulink > Check usage of Signal Routing blocks

For check details, see Check usage of Signal Routing blocks.

References
  • DO-331, Sections MB.6.3.1.g and MB.6.3.2.g 'Algorithms are accurate'

  • IEC 61508-3, Table A.3 (3) – 'Language subset'
    Table A.4 (3) – 'Defensive programming'

  • IEC 62304, 5.5.3 - 'Software Unit acceptance criteria'

  • ISO 26262-6, Table 1 (1b) - 'Use of language subsets'
    Table 1 (1d) - 'Use of defensive implementation techniques'

  • EN 50128, Table A.4 (11) - 'Language Subset'
    Table A.3 (1) - 'Defensive Programming'

  • MISRA C:2012, Dir 1.1

Last Changed

R2017b