Pi Technology and the Ford Motor Company are using MATLAB Simulink/Stateflow model based design and automatic code generation in C, for the main software development for three electronic control units targeted at the Ford Focus fuel cell vehicle.
The automatic generation of code for embedded automotive applications offers a number of potential advantages over traditional methods. These include faster development, the avoidance of coding errors and avoiding inconsistencies with the design specification. However, the use of automatically generated code in production-intent safety-related systems requires at least the same standard of validation and verification. If code generation were perfect, one could validate only the design. However, it is impractical to require that the code generator must be validated for all possible input designs. Furthermore it must be assumed that the compiler and the hardware can also introduce faults. Therefore we adopt the approach of testing output code for the particular designs we wish to implement, in the same manner as we would test hand-written code for production systems [1]. This retains the additional benefits of exposing the design to further detailed scrutiny in test preparation, and encouraging designs that are straightforward to test.
This paper discusses the development lifecycle employed on this project, highlighting the particular benefits, issues, and challenges surrounding the use of automatically generated code for these production-quality safety-related automotive controllers.