Skip to main content
SAIF Autonomy to use RVS to verify their groundbreaking AI platform
RVS 3.22 Launched
Hybrid electric pioneers, Ascendance, join Rapita Systems Trailblazer Partnership Program
Magline joins Rapita Trailblazer Partnership Program to support DO-178 Certification
How emulation can reduce avionics verification costs: Sim68020
Multicore timing analysis: to instrument or not to instrument
How to certify multicore processors - what is everyone asking?
Data Coupling Basics in DO-178C
DO-278A Guidance: Introduction to RTCA DO-278 approval
ISO 26262
Data Coupling & Control Coupling
Verifying additional code for DO-178C
DASC 2025
DO-178C Multicore In-person Training (Fort Worth, TX)
DO-178C Multicore In-person Training (Toulouse)
HISC 2025
Model-based software testing
Timing and code coverage metrics are widely used for assessing the quality of safety-critical software. Guidance for aerospace (DO-178C) and automotive (ISO 26262) software development both recommend or mandate the use of these metrics.
MATLAB® Simulink® is a popular model-based development tool. When used in the safety-critical arena, code generated by model-based development technologies like Simulink still needs to be tested to the same level as hand-written code. There are different ways to perform code coverage and timing analysis on model-generated code, including using native tools created by MathWorks® and third-party solutions.
Back-to-back testing through MIL, SIL, PIL & HIL
'Back-to-back' model-based testing is the optimal testing method for projects using model-based development. Using this method, it is only necessary to write your tests once, and then the same tests can be used all the way from initial model-based analysis to the final target hardware environment.
Back-to-back testing massively improves efficiency and ensures that requirements are traced in the same way through the entire software development lifecycle. There are four widely recognized phases of model-based testing: MIL, SIL, PIL and HIL.
Testing phase | Explanation |
|---|---|
Model In the Loop (MIL) | MIL testing is done on-host within Simulink and applies tests at the model level. No code has been generated at this point, let alone compiled. It's a simulation. |
Software In the Loop (SIL) | SIL testing is again performed on-host, but this time it is the compiled software that was generated from the model that is tested. This is often performed in some kind of emulated environment. |
Processor In the Loop (PIL) | This is the first phase of on-target testing, i.e. not running on the development machine alongside Simulink. It is common for this testing to be performed on a development board. |
Hardware In the Loop (HIL) | HIL testing uses the final target hardware that the software is designed to be run on. This is often a more complex test rig and is designed to exactly mirror the real environment. |
On-target testing using Rapita Verification Suite (RVS)
RVS can be used for back-to-back testing of your Simulink project through the software development lifecycle.
Timing analysis, including WCET
RapiTime, the timing analysis component of the RVS toolsuite can be used to find the worst-case-execution-time (WCET) of code generated by Simulink Embedded Coder. This lets you generate reports on WCET at the source level, which can then be manually related back to the Simulink model.
RapiTime reports data including:
- Worst-case execution time, which can also be shown as a path through the code
- Execution Time Profiles that show the distribution of execution times for functions and their children
- High water mark execution time, which shows the path of the longest observed execution time
- Contribution reports, which show what percentage of the worst-case or high water mark path a specific piece of code is responsible for
- Which code has been tested and which hasn't
Code coverage, including MC/DC
For coverage analysis, RapiCover can be used to automate the collection of code coverage metrics on Simulink-generated code up to and including MCDC. Flexible integration strategies ensure efficient verification, regardless of the target hardware.
RapiCover is an advanced code coverage tool designed for on-host and target analysis. DO-178C guidance places significant value on achieving coverage via system tests, which in the case of model-based development can be defined at the model level. RapiCover supports performing this type of system level testing both at early stages all the way through to the hardware-in-the-loop phase of testing.
RapiCover also measures code that other tools don’t, such as treating Boolean and bitwise operators as decisions, and supports testing decisions with up to 1,000 conditions.
What do Mathworks offer for testing?
Mathworks have addressed the need for coverage analysis (including MC/DC) in their toolchain with Simulink Coverage™. This supports code and model coverage analysis by and producing interactive reports that show how much of your model, C/C++ S-functions, MATLAB functions, and code generated by Embedded Coder® have been exercised during testing.
Mathworks offer timing analysis features through their embedded code generation products. These features include the ability to analyze model execution performance and produce task-level performance and block-level timing information. They do not, however, support the determination of software worst-case execution time (WCET), which is needed for DO-178C and ISO 26262 certification. This is supported by RapiTime.
MathWorks®, MATLAB® and Simulink® are registered trademarks of The MathWorks, Inc. See mathworks.com/trademarks for a list of additional trademarks.
