Electronic engine control is an important component of all Cummins engines. However, developing reliable engine controllers that work without failure under a variety of conditions can be challenging.
Traditional software development and verification techniques at Cummins were based on manual interaction, including code review and white-box code testing followed by component and integration tests. While most errors eventually manifested themselves in system-level testing, software complexity compounded the effort of isolating them, which made debugging cumbersome.
To address this complexity, Cummins created a product-line approach to increase software reuse. Its developers used MathWorks’ Simulink and Stateflow software for engine control design. The automatic code generation reduces development cycle time and costs. For software verification, Cummins engineers agreed that relying on testing at the component or system level was not sufficient; they were not completely confident in the data. They needed a way to augment unit testing and improve the overall software testing process.
Automatic code generation can eliminate syntactic and sub-function coding errors. However, errors continued to appear at Cummins. For example, when inputs that have dynamic ranges are combined, overflows may occur. Run-time errors such as divide-by-zero and out-of-bound array access may also surface in hand-written and automatically generated code when the two are combined into the full system.
Traditional unit testing called for creating labor-intensive test cases to simulate failure modes. To remedy this situation, the company added MathWorks’ PolySpace code verification software to its existing software tool set. Cummins’ goal was to detect and prove the absence of certain types of run-time errors. Operating directly on C or C++ source code, PolySpace uses a mathematical proof-based technique known as abstract interpretation. The verified source code is linked back to the Simulink model and is annotated in four colors.
PolySpace products determine potential run-time error violations automatically. As a result, there is no need to develop test cases for run-time error conditions. This approach improved the unit test process. Developers now spend time analyzing test results, not creating unit test cases.
Cummins has experienced successes using the new tool set. For instance, an OEM experienced intermittent engine shutdowns. Prior to using the software products, Cummins and the OEM spent three weeks trying to isolate the problem. Using PolySpace, they discovered that the root cause was an index that could be decremented past zero, resulting in a reset. After the code was corrected, the OEM never experienced the issue again. In other cases, problems were resolved earlier in the development process.
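The three run-time error classes named above (overflow when wide-range inputs are combined, divide-by-zero, and out-of-bound array access) and the decremented-index root cause of the OEM shutdowns can all be shown in a few lines of C. The following is an added example, not Cummins code and not PolySpace output; the calibration table, the `stage` counter and every value in it are constructed for illustration. Each unchecked pattern is the kind of statement an abstract-interpretation tool flags, and each checked version sits beside it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed calibration table indexed by a "stage" counter that the
 * controller decrements on each step (hypothetical; not from the page). */
#define TABLE_LEN 8u
static const int32_t calib_table[TABLE_LEN] = {100, 90, 80, 70, 60, 50, 40, 30};

typedef struct {
    bool     ok;     /* false when the operation was refused */
    int32_t  value;  /* table entry when ok */
    uint32_t stage;  /* stage counter after the step */
} step_t;

/* Unchecked decrement-then-index. With stage == 0 the unsigned decrement
 * wraps to UINT32_MAX and the table read is out of bounds: undefined
 * behaviour, which on a controller without memory protection can surface
 * as the kind of unexplained reset the page describes. */
step_t step_unchecked(uint32_t stage)
{
    step_t r;
    stage--;                          /* may wrap past zero */
    r.ok = true;
    r.value = calib_table[stage];     /* out-of-bound read when it does */
    r.stage = stage;
    return r;
}

/* Checked version: hold at the lowest stage instead of wrapping, and bound
 * the index before it is used, since stage may come from another module. */
step_t step_checked(uint32_t stage)
{
    step_t r = { false, 0, stage };
    if (stage == 0) {
        r.value = calib_table[0];     /* report the hold, refuse to wrap */
        return r;
    }
    stage--;
    if (stage >= TABLE_LEN)           /* defensive bound check */
        return r;
    r.ok = true;
    r.value = calib_table[stage];
    r.stage = stage;
    return r;
}

typedef struct { bool ok; int32_t value; } result_t;

/* Combining two inputs with wide dynamic ranges can overflow int32_t.
 * Compute in 64 bits and only commit a sum that fits. */
result_t add_i32_checked(int32_t a, int32_t b)
{
    int64_t s = (int64_t)a + (int64_t)b;
    result_t r = { s >= INT32_MIN && s <= INT32_MAX, 0 };
    if (r.ok) r.value = (int32_t)s;
    return r;
}

/* Division refuses a zero divisor and the one signed case that overflows. */
result_t div_i32_checked(int32_t num, int32_t den)
{
    result_t r = { false, 0 };
    if (den == 0) return r;
    if (num == INT32_MIN && den == -1) return r;
    r.ok = true;
    r.value = num / den;
    return r;
}

int main(void)
{
    step_t s = step_checked(1);
    printf("stage 1 -> value %d, stage %u, ok %d\n", s.value, s.stage, s.ok);
    s = step_checked(s.stage);        /* second step would wrap unchecked */
    printf("stage 0 -> value %d, stage %u, ok %d\n", s.value, s.stage, s.ok);
    printf("INT32_MAX + 1 ok=%d\n", add_i32_checked(INT32_MAX, 1).ok);
    printf("10 / 0 ok=%d\n", div_i32_checked(10, 0).ok);
    return 0;
}
```

The unchecked function is left in so the contrast is visible; it is only ever called here with a stage that cannot wrap. The checked functions return a status alongside the value rather than a sentinel, which is what lets a caller, or a unit test, distinguish "held at the lowest stage" from a genuine result without any test case having to drive the counter below zero.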
Cummins also developed a Simulink style guide with best practices for the product-line architecture implementation. Defects found in unit tests are corrected and applied across the product line. Cummins estimated that this workflow saved them $250,000.
Cummins Engines, Inc.