Chart Architecture

hisf_0003: Usage of bitwise operations

ID: Title

hisf_0003: Usage of bitwise operations
Description

When using bitwise operations in Stateflow® blocks,

A. Avoid signed integer data types as operands to the bitwise operations.

Notes

Normally, bitwise operations are not meaningful on signed integers. Undesired behavior can occur. For example, a shift operation might move the sign bit into the number, or a numeric bit into the sign bit.
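
The two failure modes named above, shown in C (the language Stateflow generates) as an added example that is not MathWorks code: the operand values and helper names are constructed, and the guard function at the end is one check a practitioner can place before a shift when unsigned operands cannot be avoided.

```c
#include <stdint.h>
#include <stdbool.h>

/* Added example, not MathWorks code: operand values and helper names are
 * constructed to show why the guideline prefers unsigned operands. */

/* Left shift on a signed 16-bit operand. C promotes x to int, shifts, and
 * the cast back to int16_t is implementation-defined when the result no
 * longer fits: on two's-complement targets bit 14 lands in the sign bit,
 * so 0x4000 (16384) silently becomes -32768. */
int16_t shl_signed16(int16_t x, unsigned n)
{
    return (int16_t)(x << n);
}

/* Right shift on a negative signed operand is implementation-defined; most
 * compilers copy the sign bit downwards (arithmetic shift), so the sign bit
 * is moved "into the number": -16 (0xFFF0) becomes -8 (0xFFF8). */
int16_t shr_signed16(int16_t x, unsigned n)
{
    return (int16_t)(x >> n);
}

/* The same shifts on unsigned operands: every bit is a value bit, the
 * result is fully defined, and 0xFFF0 >> 1 is simply 0x7FF8. */
uint16_t shl_unsigned16(uint16_t x, unsigned n)
{
    return (uint16_t)((unsigned)x << n);
}

uint16_t shr_unsigned16(uint16_t x, unsigned n)
{
    return (uint16_t)((unsigned)x >> n);
}

/* Guard before a left shift: the shift count must be below the operand
 * width and no set bit may be shifted out, so the shift stays a pure
 * multiply by 2^n with no truncation. */
bool shl_is_lossless_u16(uint16_t x, unsigned n)
{
    if (n >= 16u) return false;
    return n == 0u || ((unsigned)x >> (16u - n)) == 0u;
}
```

The signed results are what gcc and clang produce on two's-complement targets; the unsigned results are the same on every conforming compiler.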

Rationale

A. Promote unambiguous modeling style.

Model Advisor Checks

Check usage of bitwise operations in Stateflow charts (Simulink Check)

References
  • IEC 61508-3, Table A.3 (3) 'Language subset'
    IEC 61508-3, Table A.3 (2) 'Strongly typed programming language'

  • IEC 62304, 5.5.3 - Software Unit acceptance criteria

  • ISO 26262-6, Table 1 (1b) 'Use of language subsets'
    ISO 26262-6, Table 1 (1c) 'Enforcement of strong typing'

  • EN 50128, Table A.4 (11) 'Language Subset'
    EN 50128, Table A.3 (1) 'Defensive Programming'

  • DO-331, Section MB.6.3.1.b 'High-level requirements are accurate and consistent'
    DO-331, Section MB.6.3.1.e 'High-level requirements conform to standards'
    DO-331, Section 6.3.1.g 'Algorithms are accurate'
    DO-331, Section MB.6.3.2.b 'Low-level requirements are accurate and consistent'
    DO-331, Section MB.6.3.2.e 'Low-level requirements conform to standards'
    DO-331, Section MB.6.3.2.g 'Algorithms are accurate'

  • MISRA C:2012, Rule 10.1

See Also

hisl_0019: Usage of bitwise operations

Last Changed

R2016a

hisf_0004: Usage of recursive behavior

ID: Title

hisf_0004: Usage of recursive behavior
Description

To support bounded function call behavior, avoid using design patterns that include unbounded recursive behavior. Recursive behavior is bounded if you do the following:

A. Use an explicit termination condition that is local to the recursive call.

B. Make sure the termination condition is reached.

Notes

This rule only applies if a chart is a classic Stateflow chart. If Mealy and Moore semantics are followed, recursive behavior is prevented due to restrictions in the chart semantics. To detect the error during chart simulation, open your Stateflow chart and, in the Debug tab, select Diagnostics > Detect Cyclical Behavior.

Rationale

A, B. Promote bounded function call behavior.

Model Advisor Checks

Adherence to this modeling guideline cannot be verified by using a Model Advisor check.

References
  • IEC 61508-3, Table B.1 (6) 'Limited use of recursion'

  • IEC 62304, 5.5.3 - Software Unit acceptance criteria

  • ISO 26262-6, Table 6 (1j) 'No recursions'

  • EN 50128, Table A.12 (6) 'Limited Use of Recursion'

  • DO-331, Section MB.6.3.1.b 'High-level requirements are accurate and consistent'
    DO-331, Section MB.6.3.1.e 'High-level requirements conform to standards'
    DO-331, Section MB.6.3.1.g 'Algorithms are accurate'
    DO-331, Section MB.6.3.2.b 'Low-level requirements are accurate and consistent'
    DO-331, Section MB.6.3.2.e 'Low-level requirements conform to standards'
    DO-331, Section MB.6.3.2.g 'Algorithms are accurate'

  • MISRA C:2012, Rule 17.2

Last Changed

R2016a

Examples

There are multiple patterns in Stateflow that can result in unbounded recursion.

Recursive Function Calls

When the default state A is entered, event Evn is broadcast in the entry action of A. Evn results in a recursive call of the interpretation algorithm. Since A is active, the outgoing transition of A is tested. Since the current event Evn matches the transition event (and because of the absence of condition) the condition action is executed, broadcasting Evn again. This results in a new call of the interpretation algorithm which repeats the same sequence of steps until stack overflow.

[Figure: Recursive Function Calls]
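
The pattern described above, checked statically by an added C routine that is not a MathWorks tool: it models a chart as a list of transitions (source state, trigger event, event broadcast by the condition action) and reports when a broadcast re-triggers an event that is still being processed while the state is active, which is exactly the A / Evn loop. The chart encoding, the MAX_* limits and all function names are this example's own assumptions; guards and other action kinds are ignored.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of the page's example: state A (index 0) broadcasts
 * Evn (index 0) in its entry action, and A's outgoing transition on Evn
 * has a condition action that broadcasts Evn again. Not MathWorks code. */

#define MAX_EVENTS 8
#define MAX_TRANSITIONS 8

typedef struct {
    int from_state;      /* state the transition leaves */
    int trigger_event;   /* event the transition is tested on */
    int broadcast_event; /* event broadcast by its condition action, or -1 */
} transition_t;

typedef struct {
    int n_transitions;
    transition_t t[MAX_TRANSITIONS];
} chart_t;

/* Depth-first walk of the interpretation algorithm: while 'state' is still
 * active, a broadcast of 'event' tests the state's outgoing transitions on
 * that event, and each condition action may broadcast again. Returns true
 * when a broadcast reaches an event that is still being processed higher
 * in the same call chain, i.e. the recursion has no local termination. */
static bool broadcast_recurses(const chart_t *c, int state, int event,
                               bool *in_progress)
{
    if (event < 0 || event >= MAX_EVENTS) return false;
    if (in_progress[event]) return true;   /* re-broadcast of itself */
    in_progress[event] = true;
    for (int i = 0; i < c->n_transitions; i++) {
        const transition_t *tr = &c->t[i];
        if (tr->from_state != state || tr->trigger_event != event) continue;
        if (broadcast_recurses(c, state, tr->broadcast_event, in_progress))
            return true;
    }
    in_progress[event] = false;
    return false;
}

/* 'entry_event' is the event broadcast by the entry action of 'state'
 * (the page's Evn in the entry action of A). */
bool chart_has_unbounded_broadcast(const chart_t *c, int state, int entry_event)
{
    bool in_progress[MAX_EVENTS];
    memset(in_progress, 0, sizeof in_progress);
    return broadcast_recurses(c, state, entry_event, in_progress);
}
```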

hisf_0007: Usage of junction conditions (maintaining mutual exclusion)

ID: Title

hisf_0007: Usage of junction conditions (maintaining mutual exclusion)

Description

To enhance clarity and prevent the generation of unreachable code:

A. Make junction conditions mutually exclusive.

Notes

You can use this guideline to maintain a modeling language subset in high-integrity projects.

Rationale

A. Enhance clarity and prevent generation of unreachable code.

References
  • DO-331, Section MB.6.3.1.b 'High-level requirements are accurate and consistent'
    DO-331, Section MB.6.3.1.d 'High-level requirements are verifiable'
    DO-331, Section MB.6.3.1.e 'High-level requirements conform to standards'
    DO-331, Section MB.6.3.2.b 'Low-level requirements are accurate and consistent'
    DO-331, Section MB.6.3.2.d 'Low-level requirements are verifiable'
    DO-331, Section MB.6.3.2.e 'Low-level requirements conform to standards'

Model Advisor Checks

Adherence to this modeling guideline cannot be verified by using a Model Advisor check.

Last Changed

R2012b

Example

hisf_0013: Usage of transition paths (crossing parallel state boundaries)

ID: Title

hisf_0013: Usage of transition paths (crossing parallel state boundaries)

Description

To avoid creating diagrams that are hard to understand,

A. Avoid creating transitions that cross from one parallel state to another.

Notes

You can use this guideline to maintain a modeling language subset in high-integrity projects.

Rationale

A. Enhance model readability.

Model Advisor Checks

Check Stateflow charts for transition paths that cross parallel state boundaries (Simulink Check)

References
  • IEC 61508-3, Table A.3 (3) 'Language subset'

  • IEC 62304, 5.5.3 - Software Unit acceptance criteria

  • ISO 26262-6, Table 1 (1b) 'Use of language subsets'

  • EN 50128, Table A.4 (11) 'Language Subset'

  • DO-331, Section MB.6.3.1.b 'High-level requirements are accurate and consistent'
    DO-331, Section MB.6.3.1.e 'High-level requirements conform to standards'
    DO-331, Section MB.6.3.2.b 'Low-level requirements are accurate and consistent'
    DO-331, Section MB.6.3.2.e 'Low-level requirements conform to standards'

Last Changed

R2017b

Example

In the following example, when Out_A is 4, both parent states (A_Parent and B_Parent) are reentered. Reentering the parent states resets the values of Out_A and Out_B to zero.

hisf_0014: Usage of transition paths (passing through states)

ID: Title

hisf_0014: Usage of transition paths (passing through states)

Description

To avoid creating diagrams that are confusing and include transition paths without benefit,

A. Avoid transition paths that go into and out of a state without ending on a substate.

Notes

You can use this guideline to maintain a modeling language subset in high-integrity projects.

Rationale

A. Enhance model readability.

Model Advisor Checks

Check for inappropriate use of transition paths (Simulink Check)

References
  • IEC 61508-3, Table A.3 (3) 'Language subset'

  • IEC 62304, 5.5.3 - Software Unit acceptance criteria

  • ISO 26262-6, Table 1 (1b) 'Use of language subsets'

  • EN 50128, Table A.4 (11) 'Language Subset'

  • DO-331, Section MB.6.3.1.b 'High-level requirements are accurate and consistent'
    DO-331, Section MB.6.3.1.e 'High-level requirements conform to standards'
    DO-331, Section MB.6.3.2.b 'Low-level requirements are accurate and consistent'
    DO-331, Section MB.6.3.2.e 'Low-level requirements conform to standards'

Last Changed

R2018b

Examples

hisf_0015: Strong data typing (casting variables and parameters in expressions)

ID: Title

hisf_0015: Strong data typing (casting variables and parameters in expressions)

Description

To facilitate strong data typing,

A. Explicitly type cast variables and parameters of different data types in:

  • Transition evaluations

  • Transition assignments

  • Assignments in states

Notes

The Stateflow software automatically casts variables of different type into the same data type. This guideline helps clarify data types of the intermediate variables.

Rationale

A. Apply strong data typing.

Model Advisor Checks

Check Stateflow charts for strong data typing (Simulink Check)

References
  • IEC 61508-3, Table A.3 (2) 'Strongly typed programming language'

  • IEC 62304, 5.5.3 - Software Unit acceptance criteria

  • ISO 26262-6, Table 1 (1c) 'Enforcement of strong typing'

  • EN 50128, Table A.4 (8) 'Strongly Typed Programming Language'

  • DO-331, Section MB.6.3.1.b 'High-level requirements are accurate and consistent'
    DO-331, Section MB.6.3.1.e 'High-level requirements conform to standards'
    DO-331, Section MB.6.3.1.g 'Algorithms are accurate'
    DO-331, Section MB.6.3.2.b 'Low-level requirements are accurate and consistent'
    DO-331, Section MB.6.3.2.e 'Low-level requirements conform to standards'
    DO-331, Section MB.6.3.2.g 'Algorithms are accurate'

Last Changed

R2017b

Examples

Recommended

Not Recommended

hisf_0016: Stateflow port names

ID: Title

hisf_0016: Stateflow port names

Description

The name of a Stateflow input or output must be the same as the corresponding signal. An exception to the guideline is that reusable Stateflow blocks can have different port names.

Rationale

Support generation of traceable code.

Model Advisor Checks

Check naming of ports in Stateflow charts (Simulink Check)

References
  • DO-331, Section MB.6.3.2.b 'Low-level requirements are accurate and consistent'

  • IEC 61508-3, Table A.3 (3) 'Language subset'

  • IEC 62304, 5.5.3 - Software Unit acceptance criteria

  • ISO 26262-6, Table 1 (1b) 'Use of language subsets'

  • EN 50128, Table A.4 (11) 'Language Subset'

Last Changed

2018a

hisf_0017: Stateflow data object scoping

ID: Title

hisf_0017: Stateflow data object scoping

Description

Stateflow data objects with local scope must be defined at the chart level or below.

Rationale

Support generation of traceable code.

Model Advisor Checks

Check scoping of Stateflow data objects (Simulink Check)

References
  • DO-331, Section MB.6.3.2.b 'Low-level requirements are accurate and consistent'

  • IEC 61508-3, Table A.3 (3) 'Language subset'

  • IEC 62304, 5.5.3 - Software Unit acceptance criteria

  • ISO 26262-6, Table 1 (1b) 'Use of language subsets'

  • EN 50128, Table A.4 (11) 'Language Subset'

Last Changed

2018a

Examples

Recommended

Not Recommended