The demand for qualified code is rising. It is already a requirement for applications such as avionics where the process is rigorous. A completely different process is needed for automotive and medical applications, but the need for using the proper process and tools is there, as well.
Many applications can be defined using model-based development tools like the Mathworks Simulink and Stateflow tools. There are other graphically oriented model-based tools like National Instruments' LabView. There is also the Object Management Group's (OMG) Unified Modeling Language (UML). UML is available from a number of vendors, and the open-source Eclipse project supports UML with its Model Development Tools (MDT).
Most of these model-based tools can be used to generate code using languages like C, C++, and Java. For example, The Eclipse UML to Java Generator uses the Acceleo code generator to transform UML code to Java code. This allows for the creation of applications directly from models without requiring manual translation. The challenge for developers requiring qualified code is that the process starts with the generated code. This can be challenging if changes need to be on the generated code side.
Adacore’s QGen generates qualifiable and tuneable MISRA C or SPARK, a subset of Ada 2012, code based on Mathworks Simulink and Stateflow models (Fig. 1). The keyword is qualifiable.
Adacore provides DO-178B/C, EN 50128 and ISO 26262 qualification material for both the code generator and the model verification tools that are part of QGen. The QGen code generator also has a TQL1 qualification kit.
In addition, QGen uses static analysis to detect errors. This addresses safety and logic errors, and run time checking can be included, as well. Functional and safety properties are modeled using the Assertion block.
There are some restrictions, though, because QGen works on a safe subset of more than 120 Simulink block types. This allows the models to be provable, and is also why MISRA C and SPARK are the targets. Both are subsets of their respective languages, C and Ada, that target qualifiable applications. Part of the idea is to remove error prone code before it can be included in an application. QGen is integrated with Simulink to allow compatibility checking of models (Fig. 2).
QGen is integrated with AdaCore’s GNATemulator and GNATcoverage tools. This allows streamlined Processor-In-the-Loop (PIL) testing. GNATcoverage structural coverage analysis is provided up to MC/DC without any code instrumentation during PIL testing.
Not all applications will require the level of qualification that QGen can deliver, but that does not mean it should not be considered for applications where qualification is not a requirement. One of the reasons for qualifying an application is to greatly reduce the number of or eliminate all errors. This is usually a goal for most applications, although attaining that level can be costly. Using a code generator like QGen can move towards that goal while reducing programming and debugging costs.
