Code Generation for Safety-Critical Systems – Open Questions and Possible Solutions 2008-01-0385

The approach taken in developing embedded software in the automotive field has shifted towards the paradigm of using executable graphical models at all stages of development: from the initial design phase through to implementation (model-based development). Models are designed with common graphical modeling languages, such as Simulink / Stateflow from The MathWorks. New approaches allow for the automatic generation of efficient controller code from the Simulink and Stateflow models directly via code generators, such as TargetLink by dSPACE or the Real-Time Workshop/Embedded Coder by The MathWorks. The usage of a code generator can lead to significant improvements in productivity in the software implementation phase. Furthermore, the level of quality gained by early quality assurance at the model level can also lead to higher quality code. Automotive software is often deployed in safety-critical systems and therefore cannot contain errors. In this context, it is crucial that the use of a code generator and its tool chain (editor, compiler, linker, loader, etc.) does not incorporate errors in the target system and leave them undetected. In general, even when using a code generator that is proven to be ‘correct-by-construction’, it is impossible to avoid generating erroneous code in every given case. Inappropriate modeling or faulty configuration of the code generator, for example, can lead to erroneous generated code.

This paper discusses experiences gained by the authors from previous projects with DaimlerChrysler and automotive supplier how code generators and the code they generate can be safeguarded through tool certification with regard to the safety standards that are relevant to the automotive industry. Specific, tool-related problems will be discussed and illustrated with practice-relevant examples.