
IEC Certification Kit

Model-Based Design for ISO 25119:2018

R2020b

July 23, 2020 certkitiec_mbd_iso25119


How to Contact MathWorks
Latest news: www.mathworks.com
Sales and services: www.mathworks.com/sales_and_services
User community: www.mathworks.com/matlabcentral
Technical support: www.mathworks.com/support/contact_us
Phone: 508-647-7000

The MathWorks, Inc.


1 Apple Hill Drive
Natick, MA 01760-2098
IEC Certification Kit Model-Based Design for ISO 25119:2018
© COPYRIGHT 2020 by The MathWorks, Inc.
The software described in this document is furnished under a license agreement. The software may be used or
copied only under the terms of the license agreement. No part of this manual may be photocopied or reproduced
in any form without prior written consent from The MathWorks, Inc.
FEDERAL ACQUISITION: This provision applies to all acquisitions of the Program and Documentation by, for, or
through the federal government of the United States. By accepting delivery of the Program or Documentation, the
government hereby agrees that this software or documentation qualifies as commercial computer software or
commercial computer software documentation as such terms are used or defined in FAR 12.212, DFARS Part
227.72, and DFARS 252.227-7014. Accordingly, the terms and conditions of this Agreement and only those rights
specified in this Agreement, shall pertain to and govern the use, modification, reproduction, release, performance,
display, and disclosure of the Program and Documentation by the federal government (or other entity acquiring for
or through the federal government) and shall supersede any conflicting contractual terms or conditions. If this
License fails to meet the government’s needs or is inconsistent in any respect with federal procurement law, the
government agrees to return the Program and Documentation, unused, to The MathWorks, Inc.
Trademarks
MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See
www.mathworks.com/trademarks for a list of additional trademarks. Other product or brand names may be
trademarks or registered trademarks of their respective holders.
Patents
MathWorks products are protected by one or more U.S. patents. Please see www.mathworks.com/patents
for more information.



Revision History
March 2020 New for IEC Certification Kit Version 3.15 (Applies to Release 2020a)
September 2020 Revised for IEC Certification Kit Version 3.16 (Applies to Release 2020b)



Contents
1 Model-Based Design for ISO 25119:2018  1-1
  1.1 Software Requirement Level (SRL) in ISO 25119  1-1
2 ISO 25119-3: Series development, hardware and software  2-1
  2.1 Software  2-1
    Table 1 — Software safety requirements specification  2-1
    Table 2 — Software architecture design  2-2
    Table 3 — Software design and development - Support tools and programming language  2-3
    Table 4 — Software component testing  2-9
    Table 5 — Software Integration testing (component)  2-12
    Table 6 — Software safety testing  2-13



1 Model-Based Design for ISO 25119:2018

This documentation provides annotated versions of method tables that appear in the ISO 25119-3:2018
standard.

The annotated tables provide suggestions on how to use Model-Based Design products from MathWorks®
to apply the methods listed in the standard for different Software Requirement Levels (SRLs).

The IEC Certification Kit provides additional support when using Model-Based Design for ISO 25119
applications, including reference workflows for verifying and validating models and generated code.

1.1 Software Requirement Level (SRL) in ISO 25119


As defined in ISO 25119-1:2018, Software Requirement Level (SRL) represents the ability of safety-related
parts to perform a software safety-related function under foreseeable conditions. There are four SRLs: B, 1,
2, and 3.

The tables in this document use these ratings to specify whether a technique or measure is recommended for a given SRL (in the tables the ratings are printed as +, O, and X):

• “+” ― The technique or measure shall be used for this SRL, unless there is a reason not to, in which case that reason shall be documented during the planning phase.
• “o” ― There is no recommendation for or against the use of the technique or measure for this SRL.
• “x” ― The technique or measure is not suitable for meeting this SRL.



2 ISO 25119-3: Series development, hardware and software

2.1 Software
Table 1 — Software safety requirements specification

Columns: Technique/Measure a) | SRL rating (B / 1 / 2 / 3) | Applicable Model-Based Design Tools and Processes | Comments

1   Requirements specification in natural language
    SRL: + + + +
    Tools: Simulink® Requirements™
    Comments: Simulink Requirements can be used to author textual software safety requirements using natural language.

2a  Informal methods a), b)
    SRL: + + X X
    Tools: Simulink Requirements
    Comments: Simulink Requirements can be used to author textual software safety requirements in informal notation.

2b  Semi-formal methods b)
    SRL: + + + +
    Tools: Simulink®; Stateflow®; System Composer™
    Comments: Simulink, Stateflow, and System Composer can be used to represent software safety requirements (e.g. performance or interfaces) using semiformal notations.

2c  Formal methods b)
    SRL: + + + +
    Tools: Simulink – Model Verification block library; Simulink® Design Verifier™
    Comments: Model Verification blocks can be used to formalize software safety requirements, which can then be formally proven with Simulink Design Verifier.

3   Computer-aided specification tools
    SRL: O O + +
    Tools: Simulink Requirements; Simulink; Stateflow; System Composer
    Comments: See above.

4a  Inspection of software safety requirements a)
    SRL: + + + +
    Tools: Simulink Requirements; Simulink; Stateflow; System Composer; Simulink® Report Generator™ – Web View, System Design Description (SDD) report
    Comments: Inspection of requirements authored with Simulink Requirements can be supported by the traceability, implementation status, and report generation features of the tool. Inspection of requirements authored with Simulink, Stateflow, and System Composer can be facilitated using a System Composer spotlight view, a generated Web View, or an SDD report.

4b  Walk-through of software safety requirements
    SRL: + + X X
    Tools: Simulink Requirements; Simulink; Stateflow; System Composer; Simulink Report Generator – Web View, System Design Description (SDD) report
    Comments: Walk-through of requirements authored with Simulink Requirements can be supported by the traceability, implementation status, and report generation features of the tool. Walk-through of requirements authored with Simulink, Stateflow, and System Composer can be facilitated using a System Composer spotlight view, a generated Web View, or an SDD report.

a) Appropriate techniques/measures shall be selected according to the SRL. Alternative or equivalent techniques/measures are indicated by a letter following the number. Only one of the techniques/measures needs to be satisfied.
b) In case of model-based development with code generation, the methods and measures for software architectural design have to be applied to the functional model, which will serve as the basis for code generation (7.2.4.1.1).

Table 2 — Software architecture design

Columns: Technique/Measure a) | SRL rating (B / 1 / 2 / 3) | Applicable Model-Based Design Tools and Processes | Comments

1a  Informal methods a)
    SRL: + + X X
    Tools: Simulink – Model Info and DocBlock blocks; Simulink® Requirements™ – System Requirements block
    Comments: Referenced blocks can be used to integrate informal textual descriptions into an architecture model.
    Tools: Simulink Requirements
    Comments: Simulink Requirements can be used to create a textual description of the software architecture. Architecture models created with System Composer or Simulink can be linked to informal descriptions in Microsoft® Word, Microsoft® Excel®, ASCII text, and PDF files.

1b  Semi-formal methods
    SRL: + + + +
    Tools: System Composer; Simulink; Stateflow
    Comments: System Composer, Simulink, and Stateflow provide semiformal notation for development of the software architecture.

1c  Formal methods
    SRL: + + + +
    Tools: Simulink – Model Verification block library; Simulink Design Verifier
    Comments: Model Verification blocks can be used to formalize properties in Simulink architecture models, which can then be formally proven with Simulink Design Verifier.

2   Computer-aided specification tools
    SRL: O O + +
    Tools: Simulink Requirements; Simulink; Stateflow; System Composer
    Comments: See above.

3a  Inspection of software architecture a)
    SRL: + + + +
    Tools: System Composer; Simulink; Stateflow; Simulink® Report Generator™ – Web View, System Design Description (SDD) report
    Comments: Inspection of software architecture designed with Simulink, Stateflow, and System Composer can be facilitated using a System Composer spotlight view, a generated Web View, or an SDD report.
    Tools: Simulink Requirements
    Comments: Inspection of software architecture created with Simulink Requirements can be supported by the traceability, implementation status, and report generation features of the tool.

3b  Walk-through of software architecture
    SRL: + + X X
    Tools: System Composer; Simulink; Stateflow; Simulink Report Generator – Web View, System Design Description (SDD) report
    Comments: Walk-through of software architecture designed with Simulink, Stateflow, and System Composer can be facilitated using a System Composer spotlight view, a generated Web View, or an SDD report.
    Tools: Simulink Requirements
    Comments: Walk-through of software architecture created with Simulink Requirements can be supported by the traceability, implementation status, and report generation features of the tool.

a) Appropriate techniques/measures shall be selected according to the SRL. Alternative or equivalent techniques/measures are indicated by a letter following the number. Only one of the techniques/measures needs to be satisfied.

Table 3 — Software design and development - Support tools and programming language

Columns: Technique/Measure a) | SRL rating (B / 1 / 2 / 3) | Applicable Model-Based Design Tools and Processes | Comments

1   Tools and programming language

1.1 Suitable programming language
    SRL: + + + +
    Tools: Embedded Coder®; Simulink® Coder™; MATLAB® Coder™
    Comments: C or C++ with a language subset and a coding standard is common industry practice for embedded systems development. MATLAB Coder, Simulink Coder, and Embedded Coder can generate C or C++ code. Language subsets, coding standards, and static analysis tools are discussed elsewhere in this document.

1.2 Strongly typed programming language
    SRL: O + + +
    Tools: Simulink, Simulink – Configuration; Stateflow
    Comments: Simulink and Stateflow can be configured to facilitate strong typing at the model level. Type compatibility constraints can be embedded in the math operator or logical blocks at the model level.
    Tools: Simulink® Check™ – IEC 61508 Model Advisor checks
    Comments: IEC 61508 and custom checks in Model Advisor can be used to check typing considerations within the model.
    Tools: Polyspace® Code Prover™ and Polyspace® Code Prover Server™ – Code verification; Polyspace® Bug Finder™ and Polyspace® Bug Finder Server™ – MISRA C checker
    Comments: Polyspace Code Prover, Polyspace Code Prover Server, Polyspace Bug Finder, and Polyspace Bug Finder Server can be used to restrict data values to a subrange of the underlying data type. Attempts to violate the defined subranges are flagged.

1.3 Language subset
    SRL: O + + +
    Tools: Simulink – Modeling Guidelines for High-Integrity Systems
    Comments: The Modeling Guidelines for High-Integrity Systems and custom guidelines can support the definition of analysable programs at the model level.
    Tools: Simulink Check – IEC 61508 Model Advisor checks
    Comments: Language subset considerations at the model level can be supported by IEC 61508 and custom checks in Model Advisor.
    Tools: Polyspace Bug Finder and Polyspace Bug Finder Server; Polyspace Code Prover and Polyspace Code Prover Server – MISRA-C checker
    Comments: Polyspace Bug Finder, Polyspace Bug Finder Server, Polyspace Code Prover, and Polyspace Code Prover Server can be used to check compliance with MISRA C®:2004, MISRA C:2012, MISRA® C++, or JSF®++ coding rules.

1.4 Tools and translators: increased confidence from use
    SRL: O + + +
    Tools: MATLAB® and Simulink product family
    Comments: The MATLAB and Simulink product family has a broad user base. The products are subjected to extensive in-house testing. Bug reports can be accessed on the MathWorks website.

1.5 Use of trusted/verified software components (if available)
    SRL: O O + +
    Tools: Simulink – Block library, Model block; System Composer
    Comments: Model blocks (model referencing) facilitate the creation and re-use of trusted/verified software elements by the user. Blocks from the standard library can be preconfigured, verified, and grouped into custom libraries to facilitate creation and re-use of trusted/verified software elements by the user. System Composer enables decomposition and reuse of components within the same model, as well as across architecture models.

2   Design methods

2.1a Informal methods a)
    SRL: + + X X
    Tools: Simulink – Model Info and DocBlock blocks; Simulink® Requirements™ – System Requirements block
    Comments: Referenced blocks can be used to integrate informal textual descriptions into a design model.
    Tools: Simulink Requirements
    Comments: Simulink Requirements can be used to create a textual description of the software design. Design models created with Simulink can be linked to informal descriptions in Microsoft® Word, Microsoft® Excel®, ASCII text, and PDF files.

2.1b Semi-formal methods
    SRL: + + + +
    Tools: System Composer; Simulink; Stateflow
    Comments: System Composer, Simulink, and Stateflow provide semiformal notation for software design.

2.1c Formal methods
    SRL: + + + +
    Tools: Simulink – Model Verification block library; Simulink Design Verifier
    Comments: Model Verification blocks can be used to formalize properties of Simulink design models, which can then be formally proven with Simulink Design Verifier.

2.2 Defensive programming
    SRL: O O O +
    Tools: Simulink; Stateflow
    Comments: Defensive programming can be implemented in Simulink and Stateflow.
    Tools: Simulink – Modeling Guidelines for High-Integrity Systems
    Comments: The Modeling Guidelines for High-Integrity Systems facilitate defensive programming at the model level.

2.3 Structured programming
    SRL: O + + +
    Tools: System Composer
    Comments: System Composer enables definition of the software architecture through hierarchical decomposition of components and definition of control and data flow.
    Tools: Simulink – Model block, Ports & Subsystems block library; Stateflow
    Comments: Model blocks (model referencing), subsystems, libraries, and Stateflow charts support hierarchical decomposition of models and definition of control and data flow.

2.4 Modular approach

2.4.1 Software component size limit
    SRL: O + + +
    Tools: System Composer; Simulink; Embedded Coder
    Comments: Software components can be structured hierarchically to limit component size.
    Tools: Simulink Check – Cyclomatic Complexity Metric, IEC 61508 checks
    Comments: Simulink Check provides the ability to measure model size. The IEC 61508 Model Advisor check “Display model metrics and complexity report” provides information on the size of models and subsystems.
    Tools: Embedded Coder – Code metrics report
    Comments: The code metrics report provides the amount of memory used by the generated code.
    Tools: Polyspace Bug Finder and Polyspace Bug Finder Server – Code metrics
    Comments: Polyspace Bug Finder and Polyspace Bug Finder Server support the generation of size metrics for source code.

2.4.2 Software complexity control
    SRL: O O O +
    Tools: Simulink Check – Cyclomatic Complexity Metric, IEC 61508 checks
    Comments: Simulink Check provides the ability to measure the cyclomatic complexity of a model. The IEC 61508 Model Advisor check “Display model metrics and complexity report” provides information on the complexity of models and subsystems.
    Tools: Polyspace Bug Finder and Polyspace Bug Finder Server – Code metrics
    Comments: Polyspace Bug Finder and Polyspace Bug Finder Server support the generation of size and complexity metrics for source code.

2.4.3 Information hiding/encapsulation
    SRL: O O + +
    Tools: Simulink – Model block, Ports & Subsystems block library; Stateflow; System Composer
    Comments: Model blocks (model referencing), subsystems, libraries, and Stateflow charts can support information encapsulation and hiding. System Composer enables definition of the architecture through hierarchical decomposition of components, supporting encapsulation and hiding.
    Tools: Simulink – Model Dependency Viewer
    Comments: When using Model blocks or libraries to structure a model, the Model Dependency Viewer can display a graph of the models and libraries referenced by the top model.


2.4.4 One entry/one exit point in subroutines and functions
    SRL: O + + +
    Tools: Simulink – Modeling Guidelines
    Comments: Adherence can be facilitated by applying modeling guidelines in combination with analysing the generated code. MAB guideline jc_0511 provides corresponding modeling recommendations.
    Tools: Polyspace Bug Finder and Polyspace Bug Finder Server – MISRA C checker
    Comments: Polyspace Bug Finder and Polyspace Bug Finder Server can assess compliance with the MISRA C rules for subroutines and functions.
    Tools: Polyspace Bug Finder and Polyspace Bug Finder Server – Code metrics
    Comments: Polyspace Bug Finder and Polyspace Bug Finder Server support the generation of return-point metrics for source code.

2.4.5 Fully defined interface
    SRL: O + + +
    Tools: System Composer; Simulink – Model blocks
    Comments: System Composer can be used to define interfaces for architecture models and to produce interface control documents for architecture models. The use of Model blocks facilitates fully defined interface specifications at Model block boundaries.
    Tools: Simulink Check – IEC 61508 checks
    Comments: The IEC 61508 Model Advisor check “Check for fully defined interface” identifies root model Inport blocks that do not have fully defined attributes.

2.5 Library of trusted/verified software components
    SRL: + + + +
    Tools: Simulink – Block library, Model block; System Composer
    Comments: Model blocks (model referencing) facilitate the creation and re-use of trusted/verified software elements by the user. Blocks from the standard library can be preconfigured, verified, and grouped into custom libraries to facilitate creation and re-use of trusted/verified software elements by the user. System Composer enables decomposition and reuse of components within the same model as well as across architecture models.

2.6 Computer-aided design tools
    SRL: O O O +
    Tools: Simulink; Stateflow; System Composer; Simulink Check; Polyspace Bug Finder and Polyspace Bug Finder Server
    Comments: See above.

3   Design and coding standard

3.1 Use of coding standard
    SRL: O + + +
    Tools: Simulink – Modeling Guidelines
    Comments: The Modeling Guidelines for High-Integrity Systems and MAB provide guidelines at the model level.
    Tools: Simulink Check – IEC 61508 Model Advisor checks, MAAB Model Advisor checks, MISRA checks, secure coding checks, and custom checks; Embedded Coder – MISRA C:2012 Model Advisor checks
    Comments: The MISRA AC AGC guidelines provide guidelines at the code level. Model Advisor checks can be used to check modeling or coding standard considerations at the model level.
    Tools: Polyspace Bug Finder and Polyspace Bug Finder Server – MISRA C checker
    Comments: The Polyspace Bug Finder and Polyspace Bug Finder Server MISRA C checker can be used to check MISRA AC AGC compliance considerations at the source code level.

3.2a No dynamic variables or objects
    SRL: O O O +
    Tools: Embedded Coder – Configuration
    Comments: Embedded Coder can be configured to generate C code that does not include dynamic objects or variables.
    Tools: Polyspace Bug Finder and Polyspace Bug Finder Server – MISRA C checker
    Comments: Polyspace Bug Finder and Polyspace Bug Finder Server can assess compliance with the MISRA C rules for dynamic objects.

3.2b Online checking of the creation of dynamic variables
    SRL: O O O +
    Tools: (none listed)
    Comments: (none)

3.3 Limited use of interrupts
    SRL: O O O +
    Tools: Embedded Coder – Configuration
    Comments: Embedded Coder can be configured not to insert interrupts into the step function code.

3.4 Defined use of pointers
    SRL: O O O +
    Tools: Embedded Coder – Configuration
    Comments: Embedded Coder may generate pointer arithmetic for certain language features, for example lookup tables or matrix multiplication. Embedded Coder checks the data type and range of values to avoid corruption of address spaces.
    Tools: Polyspace Bug Finder and Polyspace Bug Finder Server – MISRA C checker
    Comments: Polyspace Bug Finder and Polyspace Bug Finder Server can assess compliance with MISRA C:2004 rules 11.1 to 11.5 and 17.3 to 17.5 and MISRA C:2012 rules 11.1 to 11.8 and 18.3 to 18.5, which restrict the use of pointers. Polyspace Bug Finder and Polyspace Bug Finder Server can check whether pointers refer to valid objects. Violations are reported as IDP checks.
    Tools: Polyspace Code Prover and Polyspace Code Prover Server – Code verification
    Comments: Polyspace Code Prover and Polyspace Code Prover Server can check whether pointers refer to valid objects. Violations are reported as IDP checks.

3.5 Limited use of recursion
    SRL: O O O +
    Tools: Simulink – Modeling Guidelines
    Comments: Adherence can be facilitated by applying modeling guidelines. High-integrity guideline hisf_0004 provides corresponding modeling recommendations. Avoid using n-D Lookup Table, Interpolation, and Prelookup blocks with dimensions greater than 5.
    Tools: Polyspace Code Prover and Polyspace Code Prover Server – Call tree computation
    Comments: Generated call graphs can be reviewed to identify recursive function calls.
    Tools: Polyspace Code Prover and Polyspace Code Prover Server; Polyspace Bug Finder and Polyspace Bug Finder Server – MISRA C checker
    Comments: Polyspace Code Prover, Polyspace Code Prover Server, Polyspace Bug Finder, and Polyspace Bug Finder Server can assess compliance with the MISRA C rules for recursion.
    Tools: Polyspace Bug Finder and Polyspace Bug Finder Server – Code metrics
    Comments: Polyspace Bug Finder and Polyspace Bug Finder Server support the generation of recursion and direct-recursion metrics for source code.
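Rows 2.4.4 (one entry/one exit), 3.2a (no dynamic objects), 3.4 (defined use of pointers) and 3.5 (limited recursion) above name code-level properties that a MISRA C checker or Polyspace verifies in generated C. The C fragment below is an added example written for this page; it is not MathWorks generated code and not part of the original document. It implements the construct that row 3.4 singles out as a source of pointer arithmetic, a 1-D lookup table with linear interpolation, in a form where all four properties hold: static storage only, array access through an index that is clamped before use, an iterative interval search, and a single return per function. The breakpoint and table values and the names lut_find_index and lut_eval are the example's own assumptions.

```c
/* Added example, not MathWorks generated code: a 1-D lookup table with
 * linear interpolation written so that the properties in Table 3 rows
 * 2.4.4, 3.2a, 3.4 and 3.5 hold. Breakpoint/table values are constructed. */
#include <stdint.h>

#define LUT_LEN 5U

/* 3.2a: all storage is static and sized at compile time; no malloc. */
static const int16_t lut_bp[LUT_LEN]  = { -100, -50, 0, 50, 100 }; /* strictly increasing */
static const int16_t lut_val[LUT_LEN] = { -400, -200, 0, 300, 900 };

/* Locate the interval index i such that lut_bp[i] <= u < lut_bp[i+1],
 * saturating at the top so that i and i+1 are always valid indices.
 * 3.4: arrays are accessed only through a bounded index, no pointer
 * arithmetic.  3.5: iterative search, no recursion.  2.4.4: one return. */
static uint32_t lut_find_index(int16_t u)
{
    uint32_t i = 0U;
    if (u >= lut_bp[LUT_LEN - 1U]) {
        i = LUT_LEN - 2U;                       /* at or above the last breakpoint */
    } else {
        while ((i < (LUT_LEN - 2U)) && (u >= lut_bp[i + 1U])) {
            i++;
        }
    }
    return i;
}

/* Evaluate the table at u; inputs outside the breakpoint range are clamped
 * to the end values, as a saturating lookup block would do. */
int16_t lut_eval(int16_t u)
{
    int16_t  y;
    uint32_t i  = lut_find_index(u);
    int32_t  x0 = lut_bp[i];
    int32_t  x1 = lut_bp[i + 1U];
    int32_t  y0 = lut_val[i];
    int32_t  y1 = lut_val[i + 1U];
    int32_t  x  = u;

    if (x <= x0) {
        y = (int16_t)y0;                        /* clamp low / exact hit on bp[i] */
    } else if (x >= x1) {
        y = (int16_t)y1;                        /* clamp high */
    } else {
        /* 32-bit intermediates keep the product in range for int16 tables;
         * the divisor is non-zero because breakpoints are strictly increasing. */
        y = (int16_t)(y0 + (((y1 - y0) * (x - x0)) / (x1 - x0)));
    }
    return y;                                   /* 2.4.4: single exit point */
}
```

A call such as lut_eval(25) walks the breakpoints iteratively to the interval [0, 50] and interpolates to 150, while lut_eval(-200) and lut_eval(200) return the end values -400 and 900 without ever indexing outside the two arrays. The point for review is that every property the MISRA checker would look for is visible locally in the function: no malloc, no pointer increments, no self-call, and one return.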

4   Design and coding verification

4a  Inspection of software design and/or source code a)
    SRL: + + + +
    Tools: Simulink; Simulink Report Generator – Web View, System Design Description (SDD) report
    Comments: Software design inspections can be based on a model, a generated Web View, or an SDD report.
    Tools: Simulink Check – Model Advisor checks
    Comments: Software design inspections can be supported by ISO 26262, MAB guideline, requirements consistency, and custom checks in the Model Advisor. A Model Advisor check configuration can define a set of checks that must pass as a prerequisite for entering model inspection.
    Tools: Embedded Coder – Code generation report
    Comments: Code inspection can be based on HTML code generation reports.
    Tools: IEC Certification Kit – Traceability matrix
    Comments: Code inspection can be supported with model-to-code and code-to-model traceability matrices.

4b  Walk-through of software design and/or source code
    SRL: + + X X
    Tools: Simulink; Simulink Report Generator – Web View, System Design Description (SDD) report
    Comments: Software design walk-throughs can be based on a model, a generated Web View, or an SDD report.
    Tools: Simulink Check – Model Advisor checks
    Comments: Software design walk-throughs can be supported by ISO 26262, MAB guideline, requirements consistency, and custom checks in the Model Advisor. A Model Advisor check configuration can define a set of checks that must pass as a prerequisite for entering model walk-through.
    Tools: Embedded Coder – Code generation report
    Comments: Code walk-throughs can be based on HTML code generation reports.
    Tools: IEC Certification Kit – Traceability matrix
    Comments: Code walk-throughs can be supported with model-to-code and code-to-model traceability matrices.

a) Appropriate techniques/measures shall be selected according to the SRL. Alternative or equivalent techniques/measures are indicated by a letter following the number. Only one of the techniques/measures needs to be satisfied.



Table 4 — Software component testing

Columns: Technique/Measure a) | SRL rating (B / 1 / 2 / 3) | Applicable Model-Based Design Tools and Processes | Comments

1   Static analysis

1.1 Boundary value analysis
    SRL: + + + +
    Tools: Simulink Design Verifier – Test case generation
    Comments: The Simulink Design Verifier automatic test case generation feature, in combination with Test Objective blocks, can be used to generate test cases and test sequences for given boundary values.

1.2 Checklists
    SRL: O O O O
    Tools: Simulink – Modeling Guidelines for High-Integrity Systems
    Comments: The Modeling Guidelines for High-Integrity Systems can be used to create a checklist for models.

1.3 Control flow analysis
    SRL: O O + +
    Tools: Simulink Coverage – Model coverage analysis
    Comments: Model coverage analysis can help to identify unreachable portions of a model.
    Tools: Simulink Coverage – Code coverage analysis
    Comments: During SIL and PIL execution, Simulink Coverage can identify unreachable parts of the generated code.
    Tools: System Composer
    Comments: The System Composer spotlight view can be used to analyze the upstream and downstream dependencies of an architecture component.
    Tools: Simulink Design Verifier – Test case generation
    Comments: Automatic test case generation can be used to detect unreachable model constructs that could result in unreachable code.
    Tools: Polyspace Code Prover and Polyspace Code Prover Server – Call tree computation, unreachable code analysis
    Comments: Polyspace Code Prover and Polyspace Code Prover Server can partially extract control flow information from C code and can create the application call tree. Gray checks detect unreachable code.

1.4 Data flow analysis
    SRL: O O + +
    Tools: Simulink – Diagnostics; Stateflow – Diagnostics
    Comments: Data Store Memory block diagnostics and Stateflow diagnostics can be configured to identify data flow issues.
    Tools: Polyspace Code Prover and Polyspace Code Prover Server – Code verification
    Comments: Polyspace Code Prover and Polyspace Code Prover Server support static verification of dynamic properties of the generated code. This verification technique is based on data flow analysis.
    Tools: System Composer
    Comments: System Composer produces interface control documents that can be used for data flow analysis.

2   Dynamic analysis and testing

2.1 Test case execution from boundary value analysis
    SRL: O O O +
    Tools: Simulink Design Verifier – Test case generation; Simulink Test; Simulink; Stateflow
    Comments: The Simulink Design Verifier automatic test case generation feature, in combination with Test Objective blocks, can be used to generate test cases and test sequences for given boundary values. Simulink Test can be used to execute the generated tests using Simulink and Stateflow as the modeling platform.

2.2a Structure test coverage (entry points)
    SRL: O O + X
    Tools: Simulink Coverage – Model coverage analysis
    Comments: During model testing, Simulink Coverage can collect execution coverage at the model level, which addresses the entry-point coverage metric.
    Tools: Simulink Coverage – Code coverage analysis
    Comments: During SIL and PIL execution, Simulink Coverage can measure function and function-call coverage of the generated code, which addresses entry-point coverage.

2.2b Structure test coverage (statements)
    SRL: O O + +
    Tools: Simulink Coverage – Model coverage analysis
    Comments: During model testing, Simulink Coverage can collect execution coverage at the model level, which addresses the statement coverage metric.
    Tools: Simulink Coverage – Code coverage analysis
    Comments: During SIL and PIL execution, Simulink Coverage can measure statement coverage of the generated code.

2.2c Structural test coverage (branches)
    SRL: O O + +
    Tools: Simulink Coverage – Model coverage analysis
    Comments: During model testing, Simulink Coverage can collect decision coverage (also known as branch coverage) at the model level.
    Tools: Simulink Coverage – Code coverage analysis
    Comments: During SIL and PIL execution, Simulink Coverage can measure decision coverage of the generated code.
    Tools: Simulink Design Verifier – Test case generation
    Comments: Simulink Design Verifier can generate test cases that satisfy decision coverage at the model level.

3   Unit testing

3.1 Equivalence classes and input partition testing
    SRL: O O + +
    Tools: Simulink Design Verifier – Test case generation; Simulink Test; Simulink; Stateflow
    Comments: The Simulink Design Verifier automatic test case generation feature, in combination with Test Objective blocks, can be used to generate test cases and test sequences for given equivalence classes and input partitions. The analysis of equivalence classes can be based on the interfaces of the model. Simulink Test can be used to execute the generated tests for equivalence classes and input partitioning using Simulink and Stateflow as the modeling platform.

3.2 Boundary value analysis
    SRL: O O + +
    Tools: Simulink Design Verifier – Test case generation; Simulink Test; Simulink; Stateflow
    Comments: The Simulink Design Verifier automatic test case generation feature, in combination with Test Objective blocks, can be used to generate test cases and test sequences for given boundary values. Simulink Test can be used to execute the generated tests using Simulink and Stateflow as the modeling platform.

3.3 Test case execution from model-based test case generation
    SRL: O O O +
    Tools: Simulink Design Verifier – Test case generation; Simulink Test; Simulink; Stateflow
    Comments: Simulink Design Verifier can be used to auto-generate tests for models to satisfy coverage and test objective criteria. Simulink Test can be used for authoring tests and for execution of manually created and auto-generated tests using Simulink and Stateflow as the modeling platform.
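Rows 1.1, 2.1, 3.1 and 3.2 above rely on Simulink Design Verifier to derive boundary-value and equivalence-class test vectors and on Simulink Test to execute them. The C harness below is an added example written for this page, not part of the original document and not MathWorks tooling; it does the same job by hand for one component so the mechanics are visible. The int16 input of a constructed step function cut_step is partitioned into three equivalence classes (low saturation, linear, high saturation); every class edge and its immediate neighbours become a test vector; each vector is checked against an oracle derived from the requirement and against an output-range invariant. A deliberately defective variant cut_step_offbyone, whose upper saturation limit is one too high, shows that the boundary vectors catch a defect that a mid-class value would not. All names, ranges and values are the example's own assumptions.

```c
/* Added example, not MathWorks code: boundary-value and equivalence-class
 * test vectors for a saturating component. All values are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

#define OUT_MIN (-1000)
#define OUT_MAX ( 1000)

/* Component under test (CUT): stands in for a generated step function that
 * scales a sensor reading by 3 and saturates the result to [OUT_MIN, OUT_MAX]. */
int16_t cut_step(int16_t u)
{
    int32_t y = (int32_t)u * 3;
    if (y < OUT_MIN) { y = OUT_MIN; }
    if (y > OUT_MAX) { y = OUT_MAX; }
    return (int16_t)y;
}

/* Defective variant: upper saturation limit off by one. */
int16_t cut_step_offbyone(int16_t u)
{
    int32_t y = (int32_t)u * 3;
    if (y < OUT_MIN)     { y = OUT_MIN; }
    if (y > OUT_MAX + 1) { y = OUT_MAX + 1; }
    return (int16_t)y;
}

/* Equivalence classes of the int16 input, written as their edges:
 *   [INT16_MIN, -334] saturates low, [-333, 333] linear, [334, INT16_MAX] saturates high.
 * Each edge and its neighbours (edge-1, edge, edge+1) becomes a boundary vector. */
static const int32_t class_edges[] = { INT16_MIN, -334, -333, 333, 334, INT16_MAX };
#define N_EDGES (sizeof class_edges / sizeof class_edges[0])

/* Fill out[] with unique boundary vectors that lie inside the type range.
 * Returns the number of vectors produced. */
size_t gen_boundary_vectors(int16_t *out, size_t cap)
{
    size_t n = 0U;
    for (size_t k = 0U; k < N_EDGES; k++) {
        for (int32_t d = -1; d <= 1; d++) {
            int32_t v = class_edges[k] + d;
            if ((v < INT16_MIN) || (v > INT16_MAX)) { continue; } /* not representable */
            bool seen = false;
            for (size_t j = 0U; j < n; j++) {
                if (out[j] == (int16_t)v) { seen = true; break; }
            }
            if (!seen && (n < cap)) { out[n++] = (int16_t)v; }
        }
    }
    return n;
}

/* Convenience for callers that only want the vector count (12 for these classes). */
size_t count_boundary_vectors(void)
{
    int16_t vec[64];
    return gen_boundary_vectors(vec, sizeof vec / sizeof vec[0]);
}

/* Test oracle written from the requirement, independent of the CUT. */
static int16_t expected(int16_t u)
{
    int16_t y;
    if (u <= -334)     { y = OUT_MIN; }
    else if (u >= 334) { y = OUT_MAX; }
    else               { y = (int16_t)(u * 3); }
    return y;
}

/* Run every boundary vector through cut; count oracle mismatches and
 * violations of the output-range invariant. Zero means all vectors passed. */
int run_boundary_tests(int16_t (*cut)(int16_t))
{
    int16_t vec[64];
    size_t n = gen_boundary_vectors(vec, sizeof vec / sizeof vec[0]);
    int failures = 0;
    for (size_t i = 0U; i < n; i++) {
        int16_t got = cut(vec[i]);
        if (got != expected(vec[i]))              { failures++; }
        if ((got < OUT_MIN) || (got > OUT_MAX))   { failures++; }
    }
    return failures;
}
```

run_boundary_tests(cut_step) returns 0, while run_boundary_tests(cut_step_offbyone) is non-zero because the vectors 334 and 335 sit exactly where the defective limit differs from the requirement; a single nominal input such as 100 passes both variants. The class edges are the only input the harness needs, which is the same information a Test Objective block or an input-partition specification carries at the model level.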

4   Performance testing

4.1 Response timings and memory constraints
    SRL: O + + +
    Tools: Embedded Coder – execution profiling and code metrics report
    Comments: The execution profiling feature of Embedded Coder can be used to analyze the execution timing of code components. The code metrics report provides the amount of memory used by the generated code.

4.2 Performance requirements testing
    SRL: O + + +
    Tools: Simulink Test; Simulink; Stateflow
    Comments: Simulink Test can be used to develop and execute performance tests for components using Simulink and Stateflow as the modeling platform.

4.3 Avalanche/stress testing
    SRL: O O O +
    Tools: Simulink Test; Simulink; Stateflow
    Comments: Simulink Test can be used to develop and execute avalanche and stress tests for components using Simulink and Stateflow as the modeling platform.

5   Interface testing
    SRL: O O O +
    Tools: Simulink Design Verifier – Test case generation; Simulink Test; Simulink; Stateflow
    Comments: The Simulink Design Verifier automatic test case generation feature, in combination with Test Objective blocks, can be used to generate interface tests. Simulink Test can be used to execute the generated interface tests using Simulink and Stateflow as the modeling platform.

a) Appropriate techniques/measures shall be selected according to the SRL. Alternative or equivalent techniques/measures are indicated by a letter following the number. Only one of the techniques/measures needs to be satisfied.



Table 5 — Software Integration testing (component)

Columns: Technique/Measure a) | SRL rating (B / 1 / 2 / 3) | Applicable Model-Based Design Tools and Processes | Comments

1   Functional or black-box testing
    SRL: + + + +
    Tools: Simulink Test; Simulink; Stateflow
    Comments: Simulink Test can be used to develop and execute functional and black-box tests using Simulink and Stateflow as the modeling platform.

2   Equivalence classes and input partition testing
    SRL: O O + +
    Tools: Simulink Design Verifier – Test case generation; Simulink Test; Simulink; Stateflow
    Comments: The Simulink Design Verifier automatic test case generation feature, in combination with Test Objective blocks, can be used to generate test cases and test sequences for given equivalence classes, boundary values, and input partitions. The analysis of equivalence classes can be based on the interfaces of the model. Simulink Test can be used to execute the generated tests for equivalence classes and input partitioning using Simulink and Stateflow as the modeling platform.

3   Performance testing

3.1a Resource budget analysis
    SRL: O + X X
    Tools: (none listed)
    Comments: (none)

3.1b Response timings and memory constraints
    SRL: O + + +
    Tools: Embedded Coder – execution profiling and code metrics report
    Comments: The execution profiling feature of Embedded Coder can be used to analyze the execution timing of code sections. The code metrics report provides the amount of memory used by the generated code.

3.2 Performance requirements testing
    SRL: O O + +
    Tools: Simulink Test; Simulink; Stateflow
    Comments: Simulink Test can be used to develop and execute performance integration tests using Simulink and Stateflow as the modeling platform.

3.3 Avalanche/stress testing
    SRL: O O O +
    Tools: Simulink Test; Simulink; Stateflow
    Comments: Simulink Test can be used to develop and execute avalanche and stress integration tests using Simulink and Stateflow as the modeling platform.

a) Appropriate techniques/measures shall be selected according to the SRL. Alternative or equivalent techniques/measures are indicated by a letter following the number. Only one of the techniques/measures needs to be satisfied.



Table 6 — Software safety testing

Columns: Technique/Measure a) | SRL rating (B / 1 / 2 / 3) | Applicable Model-Based Design Tools and Processes | Comments

1   Tests of software safety requirements

1.1a Tests within the ECU network a)
    SRL: O + + X
    Tools: (none listed)
    Comments: (none)

1.1b Hardware-in-the-loop tests
    SRL: O + + +
    Tools: Simulink Real-Time; Simulink Desktop Real-Time
    Comments: Simulink Real-Time or Simulink Desktop Real-Time can be used to create real-time applications from Simulink models and run them on dedicated target hardware connected to your physical system for hardware-in-the-loop (HIL) testing.

1.1c Tests in the test machine
    SRL: O + + +
    Tools: (none listed)
    Comments: (none)

a) Appropriate techniques/measures shall be selected according to the SRL. Alternative or equivalent techniques/measures are indicated by a letter following the number. Only one of the techniques/measures needs to be satisfied.

