Main Content

Math Operations

hisl_0001: Usage of Abs block

ID: Titlehisl_0001: Usage of Abs block
DescriptionTo support robustness of generated code, when using the Abs block,
AAvoid Boolean and unsigned data types as inputs to the Abs block.
BSelect block parameter Saturate on integer overflow.
Notes

The Abs block does not support Boolean data types. Specifying an unsigned input data type, might optimize the Abs block out of the generated code, resulting in a block you cannot trace to the generated code.

For signed data types, Simulink® does not represent the absolute value of the most negative value. When you select Saturate on integer overflow, the absolute value of the data type saturates to the most positive representable value. When you clear Saturate on integer overflow, absolute value calculations in the simulation and generated code might not be consistent or expected.

RationaleASupport generation of traceable code.
BAchieve consistent and expected behavior of model simulation and generated code.
Model Advisor Checks Check usage of Abs blocks (Simulink Check)
References

  • IEC 61508-3, Table A.3 (3) 'Language subset'
    IEC 61508-3, Table A.4 (3) 'Defensive programming'
    IEC 61508-3, Table A.3 (2) 'Strongly typed programming language’
    IEC 61508-3, Table B.8 (3) 'Control Flow Analysis'

  • IEC 62304, 5.5.3 - Software Unit acceptance criteria

  • ISO 26262-6, Table 1 (1b) 'Use of language subsets'
    ISO 26262-6, Table 1 (1d) 'Use of defensive implementation techniques'
    ISO 26262-6, Table 7 (1f) 'Control flow analysis'

  • EN 50128, Table A.4 (11) 'Language Subset'
    EN 50128, Table A.3 (1) 'Defensive Programming'
    EN 50128, Table A.4 (8) 'Strongly Typed Programming Language'
    EN 50128, Table A.19 (3) 'Control Flow Analysis'

  • DO-331, Section MB.6.3.2.d 'Low-level requirements are verifiable'
    DO-331, Section MB.6.3.2.g – 'Algorithms are accurate'

  • MISRA C:2012, Dir 4.1

  • INT32-C. Ensure that operations on signed integers do not result in overflow

Last ChangedR2021b
Examples

Recommended

Not Recommended

hisl_0002: Usage of remainder and reciprocal operations

ID: Titlehisl_0002: Usage of remainder and reciprocal operations
Description

To support robustness of generated code, when using the Math Function block with remainder-after-division (rem) or reciprocal (reciprocal) operations:

A

Protect the input of the reciprocal function from going to zero.

B

Protect the second input of the rem function from going to zero.

Note

You can get a divide-by-zero operation, resulting in an infinite (Inf) output value for the reciprocal function, or a Not-a-Number (NaN) output value for the rem function. To avoid overflows or undefined values, protect the corresponding input from going to zero.

RationaleProtect against overflows and undefined numerical results.
Model Advisor ChecksCheck usage of remainder and reciprocal operations (Simulink Check)
References

  • IEC 61508-3, Table A.3 (3) 'Language subset’
    IEC 61508-3, Table A.4 (3) 'Defensive programming’

  • IEC 62304, 5.5.3 - Software Unit acceptance criteria

  • ISO 26262-6, Table 1(b) 'Use of language subsets'
    ISO 26262-6, Table 1(d) 'Use of defensive implementation techniques'

  • EN 50128, Table A.4 (11) 'Language Subset'
    EN 50128, Table A.3 (1) 'Defensive Programming'

  • DO-331, Section MB.6.3.2.g 'Algorithms are accurate'

  • MISRA C:2012, Dir 4.1

  • INT33-C. Ensure that division and remainder operations do not result in divide-by-zero errors

Last ChangedR2021b
Examples

In the following example, when the input signal oscillates around zero, the output exhibits a large change in value. You need further protection against the large change in value.

hisl_0003: Usage of square root operations

ID: Titlehisl_0003: Usage of square root operations
Description

To support robustness of generated code, when using the Square Root operations, do one of the following:

A

Account for complex numbers as the output.

B

Protect the input from going negative.

RationaleAvoid undesirable results in generated code.
Model Advisor ChecksCheck usage of square root operations (Simulink Check)
References

  • IEC 61508-3, Table A.3 (3) 'Language subset’
    IEC 61508-3, Table A.4 (3) 'Defensive programming’

  • IEC 62304, 5.5.3 - Software Unit acceptance criteria

  • ISO 26262-6, Table 1(b) 'Use of language subsets'
    ISO 26262-6, Table 1(d) 'Use of defensive implementation techniques'

  • EN 50128, Table A.4 (11) 'Language Subset'
    EN 50128, Table A.3 (1) 'Defensive Programming'

  • DO-331, Section MB.6.3.2.g 'Algorithms are accurate'

  • MISRA C:2012, Dir 4.1

Last ChangedR2021b
Examples

hisl_0028: Usage of Reciprocal Square Root blocks

ID: Titlehisl_0028: Usage of Reciprocal Square Root blocks
Description

To support robustness of generated code, when using the Reciprocal Square Root block, do one of the following:

A

Protect the input from going negative.

B

Protect the input from going to zero.

Note

You can get a divide-by-zero operation, resulting in an (Inf) output value for the reciprocal function. To avoid overflows or undefined values, protect the corresponding input from going to zero.

RationaleA, BAvoid undesirable results in generated code.
Model Advisor ChecksCheck usage of Reciprocal Sqrt blocks (Simulink Check)
References

  • IEC 61508-3, Table A.3 (3) 'Language subset’
    IEC 61508-3, Table A.4 (3) 'Defensive programming’

  • IEC 62304, 5.5.3 - Software Unit acceptance criteria

  • ISO 26262-6, Table 1(b) 'Use of language subsets'
    ISO 26262-6, Table 1(d) 'Use of defensive implementation techniques'

  • EN 50128, Table A.4 (11) 'Language Subset'
    EN 50128, Table A.3 (1) 'Defensive Programming'

  • DO-331, Section MB.6.3.2.g 'Algorithms are accurate'

  • MISRA C:2012, Dir 4.1

  • INT33-C. Ensure that division and remainder operations do not result in divide-by-zero errors

Last ChangedR2021b
Examples

hisl_0004: Usage of natural logarithm and base 10 logarithm operations

ID: Titlehisl_0004: Usage of natural logarithm and base 10 logarithm operations
Description

To support robustness of generated code, when using the math operations like natural logarithm (log) or base 10 logarithm (log10) :

A

Protect the input from going negative.

B

Protect the input from equaling zero.

C

Account for complex numbers as the output value.

Notes

If you set the output data type to complex, the natural logarithm and base 10 logarithm functions output complex values for negative input values. If you set the output data type to real, the functions output NAN for negative numbers, and minus infinity (-inf) for zero values.

RationaleA, B, CSupport generation of robust code.
Model Advisor ChecksCheck usage of log and log10 operations (Simulink Check)
References

  • IEC 61508-3, Table A.3 (3) 'Language subset’
    IEC 61508-3, Table A.4 (3) 'Defensive programming’

  • IEC 62304, 5.5.3 - Software Unit acceptance criteria

  • ISO 26262-6, Table 1(1b) 'Use of language subsets'
    ISO 26262-6, Table 1(1d) 'Use of defensive implementation techniques'

  • EN 50128, Table A.4 (11) 'Language Subset'
    EN 50128, Table A.3 (1) 'Defensive Programming'

  • DO-331, Section MB.6.3.2.g 'Algorithms are accurate'

  • MISRA C:2012, Dir 4.1

  • INT33-C. Ensure that division and remainder operations do not result in divide-by-zero errors

Last ChangedR2024a
Examples

You can protect against:

  • Negative numbers using an Abs block.

  • Zero values using a combination of the MinMax block and a Constant block, with Constant value set to eps (epsilon).

The following example displays the resulting output for input values ranging from -100 to 100.

hisl_0005: Usage of Product blocks

ID: Titlehisl_0005: Usage of Product blocks
Description

When the Product block parameter Multiplication is set to Matrix(*), protect divisor inputs from becoming singular input matrices.

Notes

When using Product blocks to compute the inverse of a matrix, or a matrix division, you might get a divide by a singular matrix. This division results in a NaN output. To avoid overflows, protect divisor inputs from becoming singular input matrices.

RationaleProtect against overflows and support robustness of generated code.
Model Advisor ChecksAdherence to this modeling guideline cannot be verified by using a Model Advisor check.
References

  • IEC 61508-3, Table A.3 (3) 'Language subset’
    IEC 61508-3, Table A.4 (3) 'Defensive programming’

  • IEC 62304, 5.5.3 - Software Unit acceptance criteria

  • ISO 26262-6, Table 1 (1b) 'Use of language subsets'
    ISO 26262-6, Table 1 (1d) 'Use of defensive implementation techniques'

  • EN 50128, Table A.4 (11) 'Language Subset'
    EN 50128, Table A.3 (1) 'Defensive Programming'

  • DO-331, Section MB.6.3.2.g 'Algorithms are accurate

  • MISRA C:2012, Dir 4.1

Prerequisiteshisl_0314: Configuration Parameters > Diagnostics > Data Validity > Signals
Last ChangedR2021a

hisl_0029: Usage of Assignment blocks

ID: Titlehisl_0029: Usage of Assignment blocks
Description

To support robustness of generated code, when using the Assignment block, initialize array fields before their first use.

Notes

If the output vector of the Assignment block is not initialized with an input to the block, elements of the vector might not be initialized in the generated code.

When the Assignment block is used iteratively and array fields are assigned during one simulation time step, you do not need initialization input to the block.

Accessing uninitialized elements of block output can result in unexpected behavior.

For a partial write operations, maintain a persistent output buffer (for example, see cgsl_0408: Partial data send for component deployment).

RationaleAvoid undesirable results in generated code.
Model Advisor ChecksCheck usage of Assignment blocks (Simulink Check)
References

  • IEC 61508-3, Table A.3 (3) 'Language subset’
    IEC 61508-3, Table A.4 (3) 'Defensive programming’
    IEC 61508-3, Table A.3 (2) ‘Strongly typed programming language’

  • IEC 62304, 5.5.3 - Software Unit acceptance criteria

  • ISO 26262–6, Table 1(b) 'Use of language subsets'
    ISO 26262–6, Table 1(d) 'Use of defensive implementation techniques'

  • EN 50128, Table A.4 (11) 'Language Subset'
    EN 50128, Table A.3 (1) 'Defensive Programming'
    EN 50128, Table A.4 (8) 'Strongly Typed Programming Language'

  • DO-331, Section MB.6.3.2.g – 'Algorithms are accurate'

  • MISRA C:2012, Rule 9.1

  • EXP33-C. Do not read uninitialized memory

Last ChangedR2023a
Examples

Not Recommended: No initialization input Y0 when block is not used iteratively


Recommended: Initialization input Y0 when block is not used iteratively


Recommended: Initialize array fields when block is used iteratively

hisl_0066: Usage of Gain blocks

ID: Titlehisl_0066: Usage of Gain blocks
DescriptionTo support traceability of generated code, the value of the Gain block must not resolve to 1.
Notes

The code generation process can remove Gain values equal to 1 during optimization, resulting in model elements with no traceable code.

An exception to this rule is setting the Gain value to a named parameter data object with a non-auto storage class.

RationaleSupport the generation of traceable code.
Model Advisor ChecksCheck usage of Gain blocks (Simulink Check)
References

  • DO-331, Section MB 6.3.2.b 'Low-level requirements are accurate and consistent'

  • IEC 61508-3, Table A.3 (3) 'Language subset'
    IEC 61508-3, Table A.4 (3) 'Defensive programming'
    IEC 61508-3, Table B.8 (3) 'Control Flow Analysis'

  • IEC 62304, 5.5.3 - Software Unit acceptance criteria

  • ISO 26262-6, Table 1 (1b) 'Use of language subsets'
    ISO 26262-6, Table 1 (1d) 'Use of defensive implementation techniques'
    ISO 26262-6, Table 7 (1f) 'Control flow analysis'

  • EN 50128, Table A.4 (11) 'Language Subset'
    EN 50128, Table A.3 (1) 'Defensive Programming'
    EN 50128, Table A.19 (3) 'Control Flow Analysis'

Last ChangedR2018a

hisl_0067: Protect against divide-by-zero calculations

ID: Titlehisl_0067: Protect against divide-by-zero calculations
DescriptionTo support robustness of generated code, when performing divide operations, protect the divisor from going to zero.
Note

To prove that division-by-zero is not possible, perform a static analysis of the model.

If division-by-zero is possible, implement one of the following. Using more than one option can result in redundant protection operations:

Using CRLs or clearing configuration parameter Remove code that protects against division arithmetic exceptions (Embedded Coder) protects division operations against divide-by-zero operations. However, this action does introduce additional computational and memory overhead, as well as the potential to introduce unreachable code.

RationaleImprove code compliance of generated code
Model Advisor ChecksCheck for divide-by-zero calculations (Simulink Check)
References

  • IEC 61508-3, Table A.3 (3) 'Language subset’

    IEC 61508-3, Table A.4 (3) 'Defensive programming’

  • IEC 62304, 5.5.3 - Software Unit acceptance criteria

  • ISO 26262-6, Table 1(b) 'Use of language subsets'

    ISO 26262-6, Table 1(d) 'Use of defensive implementation techniques'

  • EN 50128, Table A.4 (11) 'Language Subset'

    EN 50128, Table A.3 (1) 'Defensive Programming'

  • DO-331, Section MB.6.3.2.g 'Algorithms are accurate'

  • MISRA C:2012, Dir 4.1

See Also
Last ChangedR2021a
Example

Incorrect

Division operation can result in a divide-by-zero scenario.

Divide-by-zero exists in model example.

Correct

Graphical function to model divide-by-zero check.

Correct example of modeling to prevent divide-by-zero.