IEC Certification Kit

Polyspace Code ProverTM

Reference Workflow
R2015b

How to Contact MathWorks

Latest news:

www.mathworks.com

Sales and services:

www.mathworks.com/sales_and_services

User community:

www.mathworks.com/matlabcentral

Technical support:

www.mathworks.com/support/contact_us

Phone:

508-647-7000

The MathWorks, Inc.

3 Apple Hill Drive
Natick, MA 01760-2098
IEC Certification Kit: Polyspace Code ProverTM Reference Workflow

COPYRIGHT 20132015 by The MathWorks, Inc.

The software described in this document is furnished under a license agreement. The software may be used or copied only under
the terms of the license agreement. No part of this manual may be photocopied or reproduced in any form without prior written
consent from The MathWorks, Inc.
FEDERAL ACQUISITION: This provision applies to all acquisitions of the Program and Documentation by, for, or through the
federal government of the United States. By accepting delivery of the Program or Documentation, the government hereby agrees
that this software or documentation qualifies as commercial computer software or commercial computer software documentation
as such terms are used or defined in FAR 12.212, DFARS Part 227.72, and DFARS 252.227-7014. Accordingly, the terms and
conditions of this Agreement and only those rights specified in this Agreement, shall pertain to and govern the use, modification,
reproduction, release, performance, display, and disclosure of the Program and Documentation by the federal government (or
other entity acquiring for or through the federal government)and shall supersede any conflicting contractual terms or conditions.
If this License fails to meet the governments needs or is inconsistent in any respect with federal procurement law, the
government agrees to return the Program and Documentation, unused, to The MathWorks, Inc.
Trademarks
MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See www.mathworks.com/trademarks for a
list of additional trademarks. Other product or brand names may be trademarks or registered trademarks of their respective
holders.
Patents
MathWorks products are protected by one or more U.S. patents. Please see www.mathworks.com/patents for more
information.

Revision History
September 2013
March 2014
October 2014
March 2015
September 2015

New for Version 3.2 (Applies to Release 2013b)

Revised for Version 3.3 (Applies to Release 2014a)
Revised for Version 3.4 (Applies to Release 2014b)
Revised for Version 3.5 (Applies to Release 2015a)
Revised for IEC Certification Kit Version 3.6 (Applies to Release 2015b)

Contents
1 Introduction ...................................................................................................................................... 1-1
1.1 Overview ................................................................................................................................. 1-2
2 Integration of Polyspace Code Prover into the Software Life Cycle ................................................ 2-1
2.1 Workflow Overview ................................................................................................................ 2-2
2.2 Tool Use Cases ........................................................................................................................ 2-5
[PCP_UC1] Semantic code analysis with abstract interpretation of C/C++ code to detect
systematic and potential run-time errors ...................................................................................... 2-5
[PCP_UC2] Semantic code analysis with abstract interpretation of C/C++ code to detect
unreachable code .......................................................................................................................... 2-5
[PCP_UC3] Semantic analysis of the calling relationships in the C/C++ code ........................... 2-5
[PCP_UC4] Semantic analysis of global variable usage in the C/C++ code ............................... 2-6
[PCP_UC5] Reporting of software quality metrics ...................................................................... 2-6
[PCP_UC6] Semantic analysis of C/C++ code to assess interface between components ............ 2-6
Applicable ISO 26262, IEC 61508, and EN 50128 Requirements............................................... 2-7
Error Prevention and Detection Measures.................................................................................... 2-8
[M1] Preceding or Subsequent Dynamic Verification (Testing) of the Software ........................ 2-8
[M1_lim] Limited Preceding or Subsequent Dynamic Verification (Testing) of the Software ... 2-8
[M2] Specified Procedure for Corrective Action on Failure of Source Code Verification or
Analysis........................................................................................................................................ 2-8
[M3] Selective Review and Analysis of Source Code Portions not Reached by Testing ............. 2-9
[M4] Check of the underlying verification and analysis results for critical issues....................... 2-9
[M_MISC1] Revision Control and Configuration Management to Identify the Artifacts to be
Verified; Use of Checksums ........................................................................................................ 2-9
[M_MISC2] Competency of the Project Team ............................................................................ 2-9
[M_MISC3] Adherence to Installation Instructions; Integrity of Tool Installation ..................... 2-9
[M_MISC4] Analysis of Available Bug Report Information ....................................................... 2-9
3 Additional Considerations ................................................................................................................ 3-1
3.1 Options Impacting Analysis or Verification ............................................................................ 3-2
3.2 Configuration Management and Revision Control .................................................................. 3-3
3.3 Competency of the Project Team ............................................................................................ 3-4
3.4 Installation Integrity and Release Compatibility ..................................................................... 3-5
3.5 Bug Reporting ......................................................................................................................... 3-6
3.6 Deviation from the Reference Workflow ................................................................................ 3-7
3.7 Integration with the Software Safety Life Cycle ..................................................................... 3-8
4 Workflow Overview......................................................................................................................... 4-1
5 Conformance Demonstration Template ........................................................................................... 5-1
6 References ........................................................................................................................................ 6-1

vi

1 Introduction

1.1 Overview
Polyspace Code Prover detects and proves the absence of overflow, divide-by-zero, out-ofbounds array access, and certain other run-time errors in embedded software written in the C and
C++ programming languages.
Polyspace Code Prover uses formal methods-based abstract interpretation to formally prove runtime attributes of software. Polyspace Code Prover uses color-coding to indicate run-time status
of each line of code. Additionally, Polyspace Code Prover calculates and provides ranges for
variables and operator parameters at any point of the program, taking into account every
possible configuration (inputs, global variables).
Polyspace Code Prover provides additional capabilities to analyze C and C++ source code as
well as to define, determine, and report software quality metrics.
This document provides a reference workflow for Polyspace Code Prover. In particular, it
describes how to:

Leverage the code verification, unreachable code analysis, call tree computation, global
variable usage analysis, and quality metrics reporting capabilities of Polyspace Code
Prover in the software life cycle

Check that these capabilities are functioning as expected

This workflow addresses handwritten, automatically generated, and mixed code. It is applicable
for developing code as well as for auditing code received from others.
Note If you are verifying only generated C or C++ code, see the Embedded Coder reference
workflow provided in IEC Certification Kit: Embedded Coder Reference Workflow before using
this document. Polyspace Code Prover products provide added assurance to the reference
workflow for models and generated code.
The reference workflow presented in this document describes activities intended to comply with
applicable requirements of the overall software safety lifecycles defined by IEC 61508-3[1], ISO
26262[2], and EN 50128[3] respectively, as they relate to verification and analysis of
handwritten, generated, or mixed source code. The workflow addresses risk levels ASIL A ASIL D according to ISO 26262, SIL 1 - SIL 3 according to IEC 61508, and SIL 0 - SIL 4
according to EN 50128.

1-2

The document is organized as follows:

Chapter 2, Integration of Polyspace Code Prover into the Software Life Cycle
provides a reference workflow for the Polyspace Code Prover tool. It describes
reference use cases and measures to prevent or detect potential tool errors.

Chapter 3, Additional Considerations describes tool options that impact verification

results, and other considerations such as tailoring and bug reporting.

Chapter 4, Workflow Overview summarizes the workflow in a tabular way.

Chapter 5, Conformance Demonstration Template references a template that can be

used to demonstrate conformance with this reference workflow.

Chapter 6, References lists the standards and guidelines referenced in this document

Disclaimer
While adhering to the recommendations in this document will reduce the risk
that an error is introduced in development and not be detected, it is not a guarantee that the
system being developed will be safe. Conversely, if some of the recommendations in this
document are not followed, it does not mean that the system being developed will be unsafe.

1-3

1-4

2 Integration of Polyspace Code

Prover into the Software Life
Cycle

2.1 Workflow Overview

This section describes use cases for the following capabilities of Polyspace Code Prover as part
of the software life cycle:

Code verification
Unreachable code analysis
Call tree computation
Global variable usage analysis
Software quality metrics reporting

During the development of embedded application software, C or C++ code can be used to
implement the required functionality. The source code can be the result of manual
implementation (see upper part of Figure 1) or automatic code generation (see lower part of
Figure 1) or a combination of both. Handwritten source code and source code created using code
generation can be combined to create the application software for an embedded system.

2-2

Figure 1: Software life cycle (development activities and artifacts)1,2

You can use the code verification, unreachable code analysis, call tree computation, global
variable usage analysis, and software quality metrics reporting capabilities of Polyspace Code
Prover to verify or analyze C or C++ source code regardless of its origin. Figure 2 identifies the
development artifacts that can be verified or analyzed by Polyspace Code.

Solid arrows in the figure indicate the succession of software development activities.

The model uses for production code generation can contain handwritten source code. For example: C code contained in user Sfunctions. This mixed-code use case is indicated by the dashed arrow in the figure.

2-3

Figure 2: Integration of source code analysis and verification into the software
life cycle
Note For generated code, this workflow can also be used to provide added assurance to the
one described in
IEC Certification Kit: Embedded Coder Reference Workflow

2-4

2.2 Tool Use Cases

The Polyspace Bug Finder tool use cases, described in the Polyspace Bug Finder Reference
Workflow, R2015b, are applicable Polyspace Code Prover use cases.
Additionally, it is assumed that the Polyspace Code Prover tool is used as described by one or
more of the following use cases:

[PCP_UC1] Semantic code analysis with abstract

interpretation of C/C++ code to detect systematic and
potential run-time errors
The Polyspace Code Prover tool is used to identify systematic and potential run-time errors in C
or C++ source code.
Code verification provided by Polyspace Code Prover proves the absence of overflow, divideby-zero, out-of-bounds array access, and certain other run-time errors in the source code, as
described in the Polyspace Code Prover Users Guide, R2015b.
This verification uses formal-methods based on abstract interpretation techniques. It can be
applied to handwritten as well as generated source code.

[PCP_UC2] Semantic code analysis with abstract

interpretation of C/C++ code to detect unreachable code
Gray checks provided by the Polyspace Code Prover tool are used to identify unreachable code
branches in C or C++ source code. This verification uses formal-methods based on abstract
interpretation of the source code.
This analysis can be applied to handwritten as well as generated source code.

[PCP_UC3] Semantic analysis of the calling relationships

in the C/C++ code
The Polyspace Code Prover tool is used to extract control flow information from C or C++
source code. The extracted information is used by Polyspace Code Prover to generate an
application call tree.
Generated call graphs can e.g. be reviewed to analyze the control flow or to identify recursive
function calls.

2-5

This analysis can be applied to handwritten as well as generated source code.

[PCP_UC4] Semantic analysis of global variable usage in

the C/C++ code
The Polyspace Code Prover tool is used to extract data flow information from C or C++ source
code with regards to the usage of global variables. For each global variable in the source code,
Polyspace Code Prover provides the following information:

Number and location(s) of read and write access(es) to global variables, directly or
through pointer access
Type value ranges for individual access operations
Shared variables and associated concurrent access protection

The variable access information can e.g. be reviewed to analyze the data flow.
This analysis can be applied to handwritten as well as generated source code.

[PCP_UC5] Reporting of software quality metrics

The Polyspace Code Prover tool is used to define, determine, and report quality metrics for C or
C++ source code. The reports are based on analysis and verification results provided by
Polyspace Code Prover and Polyspace Bug Finder.
Software quality metrics can be applied to handwritten as well as generated source code.
Note The analysis and verification results provided by Polyspace Code Prover can be used to
assess the quality of the C or C++ source code with respect to defined software quality goals, for
example Software Quality Objectives SQO-2 to SQO-6 according to [4].

[PCP_UC6] Semantic analysis of C/C++ code to assess

interface between components
The Polyspace Code Prover tool is used to detect interface error between components.
Polyspace Code Prover provides the following information:

Function-call with an incorrect number of arguments.

Function-call with an incorrect type of arguments.

This analysis can be applied to handwritten and generated source code.

2-6

Applicable ISO 26262, IEC 61508, and EN 50128

Requirements
Using Polyspace Code Prover to perform the verification and analysis activities described in the
above use cases supports a variety of objectives and measures listed in functional safety
standards.
ISO 26262, IEC 61508, and EN 50128 techniques and measures that can be supported by using
Polyspace Code Prover are described in:
IEC Certification Kit: Model-Based Design for ISO 26262
IEC Certification Kit: Model-Based Design for IEC 61508
IEC Certification Kit: Model-Based Design for EN 50128
In these documents, for information on use cases, refer to items labeled with:

Polyspace Code Prover Code verification for use case [PCP_UC1], [PCP_UC6]
Polyspace Code Prover Unreachable code analysis for use case [PCP_UC2] ,
[PCP_UC6]
Polyspace Code Prover Call tree computation for use case [PCP_UC3]
Polyspace Code Prover Global variable usage analysis for use case [PCP_UC4]
Polyspace Code Prover Code metrics and Polyspace Bug Finder Code metrics
for use case [PCP_UC5]

2-7

Error Prevention and Detection Measures

It is assumed that the user carries out the following measures to check the seamless functioning
of the verification and analysis capabilities provided by Polyspace Code Prover and to verify
their results.

[M1] Preceding or Subsequent Dynamic Verification

(Testing) of the Software
Before or after verifying or analyzing the source code with Polyspace Code Prover:

Dynamically verify (test) the executable code corresponding to the C or C++ source
code.

[M1_lim] Limited Preceding or Subsequent Dynamic

Verification (Testing) of the Software
Before or after verifying or analyzing the source code with Polyspace Code Prover:

Dynamically verify (test) the executable code corresponding to the C or C++ source
code without specifically aiming at detecting run-time errors.

Note [M1_lim] is a variation of [M1] where the test process is not be optimized to detect runtime errors. For example, you can specifically detect run-time errors by injecting random
samples of software inputs that stress the software, without checking the functional results. The
likelihood of detecting systematic or potential run-time errors by testing might be low when
using [M1_lim]. For details see section Tool Classification Summary in IEC Certification Kit:
Polyspace Code Prover ISO 26262 Tool Qualification Package.

[M2] Specified Procedure for Corrective Action on Failure

of Source Code Verification or Analysis
After verifying or analyzing the source code with Polyspace Code Prover:

Analyze the identified issues using a defined procedure for corrective action.

The procedure for corrective action includes manual analysis and review of the issues
uncovered.

2-8

[M3] Selective Review and Analysis of Source Code

Portions not Reached by Testing
After dynamically verifying (testing) the source code:

Review and analyze the portions of the C or C++ source code that were not reached by
testing.

Note [M3] is intended to be used in conjunction with [M1] or [M1_lim] respectively. For
details, see section Tool Classification Summary in IEC Certification Kit: Polyspace Code
Prover ISO 26262 Tool Qualification Package.

[M4] Check of the underlying verification and analysis

results for critical issues
Check the individual verification and analysis results that are the basis for the quality metrics
reported by Polyspace Code Prover for critical issues that require further attention.

[M_MISC1] Revision Control and Configuration

Management to Identify the Artifacts to be Verified; Use of
Checksums
Apply configuration management to the artifacts to be verified or analyzed using Polyspace
Code Prover.

[M_MISC2] Competency of the Project Team

Those carrying out verification or analysis activities using Polyspace Code Prover shall be
competent for the activities undertaken.

[M_MISC3] Adherence to Installation Instructions;

Integrity of Tool Installation
Adhere to the installation instructions for Polyspace Code Prover (including dependent tools)
and verify the version and integrity of the tool.
Validate modifications or additions made to the shipping product(s), if applicable.

[M_MISC4] Analysis of Available Bug Report Information

Assess and analyze bug report information for Polyspace Code Prover provided by MathWorks
and comply with the recommendations and workarounds, if applicable.

2-9

2-10

3 Additional Considerations
When implementing this reference workflow, consider the following topics:

3.1 Options Impacting Analysis or Verification

The options you select in your Polyspace project impact your analysis or verification results.
The options should be justified and selected to fit the needs of the project.
For more information on Polyspace options, see the Polyspace Code Prover Reference.

3-2

3.2 Configuration Management and Revision Control

Configuration management shall be applied to the artifacts to be verified or validated, as well as
to other work products specified in the respective standard or in this document.

3-3

3.3 Competency of the Project Team

As described in Software Quality Objectives for Source Code [4], Section 3.2.2:

Those carrying out coding and verification activities shall be competent for the
activities undertaken.
Coding and verification activities should be conducted by independent roles.

The applicable safety standard may provide additional guidance on the required degree of
independence.

3-4

3.4 Installation Integrity and Release Compatibility

The tool user shall adhere to the installation instructions for Polyspace Code Prover (including
dependent tools).
The tool user shall verify the version of Polyspace Code Prover and the integrity of the tools
installation (including dependent tools).
Note You can use the ver command in MATLAB to display the current versions of
MATLAB, Polyspace Bug Finder, Polyspace Code Prover, and other MathWorks products.
The tool user shall validate modifications or additions to shipping product(s), if applicable.

3-5

3.5 Bug Reporting

The tool user shall assess bug report information provided by the tool vendors and comply with
the recommendations and workarounds, if applicable.
After deployment of the application under development, bug report information shall also be
assessed by the tool user on a regular basis.
The tool user shall carry out corrective actions if deployed applications are affected by bugs in
the tools identified after deployment.
Issues with Polyspace Code Prover shall be reported.
Note

You can use the bug reports section of the MathWorks web site

www.mathworks.com/support/bugreports to view and report bugs related to Polyspace

Code Prover.

Note You can use the IEC Certification Kit Model Advisor check Display bug reports for
Polyspace Code Prover to display bug report information for this product.

3-6

3.6 Deviation from the Reference Workflow

In some instances, deviation from the reference workflow explained in this document might
occur. In these cases, a defined deviation procedure shall be used to document and justify
deviations from the workflow.

3-7

3.7 Integration with the Software Safety Life Cycle

The application-specific verification and validation activities shall be integrated with the overall
software safety life cycle for the application under consideration.
The applicable safety standard provides additional guidance on additional objectives and
requirements for the overall software safety life cycle.

3-8

4 Workflow Overview

Table A. 1 Objectives, Prerequisites, and Work Products

Activity

Objective

Prerequisites

Code verification Prove the absence C source code (e.g. .c and

of certain classes
.h files) or C++ source
of run-time errors
(e.g. .cpp and .hpp files)
in C or C++ source code to be verified
code
Data range specification
Polyspace configuration
and project information
(.psprj and .ppm files)
Procedures for corrective
action
Unreachable code Identify
analysis
unreachable code
branches in C or
C++ source code

Call tree
computation

Analyze the calling

relationships in C
or C++ source code

Global variable
usage analysis

Analyze the usage

of global variables
in C or C++ source
code

C source code (e.g. .c and

.h files) or C++ source
(e.g. .cpp and .hpp files)
code to be analyzed
Data range specification
Polyspace configuration
and project information
(.psprj and .ppm files)
Procedures for corrective
action
C source code (e.g. .c and
.h files) or C++ source
(e.g. .cpp and .hpp files)
code to be analyzed
Polyspace configuration
and project information
(.psprj and .ppm files)
Procedures for corrective
action
C source code (e.g. .c and
.h files) or C++ source
(e.g. .cpp and .hpp files)
code to be analyzed
Polyspace configuration
and project information
(.psprj and .ppm files)
Procedures for corrective
action

Work Products
Raw code verification results with
potential and systematic run-time errors
(.pscp files and dependent files)
Reviewed and commented code
verification results (.pscp files and
dependent files)
Verified C or C++ source code

Raw code analysis results with

unreachable code branches (.pscp files
and dependent files)
Reviewed and commented code
analysis results (.pscp files and
dependent files)
Analyzed C or C++ source code

Call tree
<projectname>_Call_Tree file
(.html, .pdf, .rtf, .docx, or .xml)
Reviewed call tree
<projectname>_Call_Tree file
(.html, .pdf, .rtf, .docx, or .xml)
Analyzed C or C++ source code
Dictionary containing information about
global variables
<projectname>_Variable_View
file (.html, .pdf, .rtf, .docx, or .xml)
Reviewed dictionary
<projectname>_Variable_View
file (.html, .pdf, .rtf, .docx, or .xml)
Analyzed C or C++ source code

4-2

Activity

Objective

Prerequisites

Software quality Define, determine, C source code (e.g. .c and

metrics reporting and report quality
.h files) or C++ source
metrics for C or
(e.g. .cpp and .hpp files)
C++ source code
code to be analyzed
based on analysis / Analysis / verification
verification results
results provided by
provided by
Polyspace Bug Finder
Polyspace Bug
and / or Polyspace Code
Finder and/or
Prover
Polyspace Code
Prover

Work Products
Software quality level for the
application
Software quality objectives for each
module
Software quality metrics results
displayed in Web Dashboard or
exported via Polyspace GUI (.html,
.pdf, .rtf, .docx, or .xml file)

4-3

4-4

5 Conformance Demonstration
Template
To justify that the requirements outlined in this document have been satisfied you must provide
evidence for the activities that have been carried out.
The IEC Certification Kit product provides an editable Conformance Demonstration Template that can
be used to demonstrate conformance with the parts of ISO 26262-6, IEC 61508-3, or EN 50128
covered in this document.
To access the conformance demonstration template, on the MATLAB command line, type
certkitiec to open the Artifacts Explorer. The template is in Polyspace Code Prover.
For each technique or measure:

In the third column, state to what degree you applied the technique or measure for the
application under consideration by using one of the phrases Used, Used to a limited degree,
or Not used.
In the fourth column, state how you used the technique or measure in the application under
consideration. If the reference workflow includes alternative means for compliance, indicate
what variant you used. In addition, enter a reference to the document (for example, test
report or review documentation) that satisfies the requirement.

5-2

6 References
[1] IEC 61508-3:2010. International Standard IEC 61508 Functional safety of electrical / electronic /
programmable electronic safety-related systems Part 3: Software requirements. Second edition,
2010.
[2] ISO 26262-6:2011. Road vehicles Functional safety Part 6: Product development: software
level. International Standard, 2011.
[3] EN 50128:2011. Railway applications - Communication, signalling and processing systems Software for railway control and protection systems. International Standard 2011.
[4] The MathWorks. Software Quality Objectives for Source Code. Version 3.0, 2012.