Miele Proves Absence of Run-Time Errors in Control Software Across Its Entire Product Line

“We have embedded static code analysis with Polyspace products deeply into our quality assurance processes. It is much better to find run-time errors as development begins than to find them at the end of development—or worse, after the product is delivered.”

Challenge

Maintain a reputation for producing quality appliances and other products by minimizing defects in the control software

Solution

Integrate Polyspace Code Prover and Polyspace Bug Finder into the development process to prove the absence of run-time errors in the software and enforce standard coding rules 

Results

  • Hundreds of source files analyzed daily
  • Developer focus on core functionality enabled
  • Reusable, trusted components proven free of run-time errors 

The Miele Center Gütersloh in Germany.

Miele manufactures premium domestic appliances as well as machines used in commercial operations and medical facilities. The embedded software components in Miele products undergo rigorous verification and testing to ensure that they meet functional safety standards and the company’s own stringent quality requirements.

As part of the verification and testing process, Miele engineers use Polyspace® static code analysis products to prove the absence of critical run-time errors and check the source code for compliance with coding rules.

“Miele customers expect high-quality products—and that includes mechanical components and software,” says Stefan Trampe, software quality engineer at Miele. “Polyspace Code Prover and Polyspace Bug Finder are essential to our commitment to doing everything we can to ensure that the hundreds of thousands of lines of code that run on each of our machines are free of run-time errors.”

Challenge

Miele considers it unacceptable for software defects to be discovered by the customer after a machine is produced and delivered. Not only do such errors damage Miele’s reputation, they also require expensive field operations to resolve. (An added complexity is that without a network connection, there is no way to update software automatically.) In the past, Miele relied on a combination of system tests and manual code reviews to uncover run-time errors, but the engineering team recognized that this approach was neither as efficient nor as thorough as they needed.

Their objectives in employing static analysis were twofold: to prove the absence of critical run-time errors in their source code, and to meet the requirements of IEC 60335 and other functional safety standards governing household and similar electrical appliances.

Miele wanted static analysis tools that could be fully integrated into their software development life cycle. The tools needed to support on-demand analysis and tests initiated by developers from within their integrated development environment (IDE) as well as automated nightly verification initiated by the team’s continuous integration server.

Solution

Miele engineers used Polyspace Code Prover™ and Polyspace Bug Finder™ to prove the absence of run-time errors in software across all Miele products.

Miele establishes clear software quality objectives (SQOs) for each release. Miele engineers use Polyspace Bug Finder to help achieve these objectives by ensuring that their code complies with MISRA C® and custom rules.

They then set up Polyspace Code Prover to check for divide-by-zero errors, buffer overflows, uninitialized variables, and other run-time errors, both on demand and as part of their automated build process.

To make it easier for developers to initiate on-demand static code analysis, the team has integrated Polyspace products with their Microsoft® Visual Studio® IDE. From within the IDE, developers can select source code files to analyze and then initiate static analysis at the click of a button.

The team also integrates Polyspace into jobs run by their Jenkins continuous integration server. During nightly builds, Jenkins checks the version control system for source files that have been modified, and automatically invokes Polyspace Bug Finder checks on those files. During weekly builds, Jenkins invokes Polyspace Code Prover on all source code files that were modified during that week. Miele reduces the time needed to complete the nightly and weekly Polyspace analyses by executing them on a computing cluster using MATLAB Parallel Server™.

The results of these analyses are published to a web-based dashboard that the team uses to track quality metrics and progress against software quality objectives.

Miele has established guidelines for dealing with issues based on the color-coded status that Polyspace Code Prover assigns to each C operation: green for code proven free of run-time errors, red for code known to be faulty every time the operation is executed, gray for unreachable code, and orange for operations that might be faulty under certain conditions.

After resolving red operations, developers address orange operations, whenever possible making the changes needed to turn them green (proven free of errors). This effort helps save time on future projects: many software components are reused across as many as 100 different projects, and green code in these components requires no further manual review.
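The run-time error classes named above (divide-by-zero, buffer overflows, uninitialized variables) and the green/red/gray/orange verdicts can be seen on concrete C code. The following is an added illustration, not code from Miele, MathWorks or the Polyspace products: each hypothetical function is written twice, once in the form a sound analyzer would have to leave orange (faulty on some paths, safe on others) and once hardened so that the same operation can be proven green, plus one always-faulty (red) and one unreachable (gray) operation. The colour named in each comment is the verdict one would expect from an analyzer of this kind, stated as an assumption rather than recorded tool output; the sensor table and function names are constructed for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration (not Miele's or MathWorks' code). The colour in each
 * comment is the verdict a sound static analyzer such as Polyspace Code Prover
 * would be expected to give; these are the author's assumptions, not tool
 * output. The sensor table and all function names are hypothetical. */

#define SENSOR_COUNT 8
static int16_t sensor_table[SENSOR_COUNT];

/* ORANGE: the divisor comes from the caller, so divide-by-zero is possible on
 * some paths but not all. The analyzer can prove neither safety nor a certain
 * fault, hence a conditional (orange) verdict. */
int32_t rpm_from_period_orange(int32_t ticks_per_min, int32_t period)
{
    return ticks_per_min / period;      /* orange: possible divide-by-zero */
}

/* GREEN: every path into the division now excludes period == 0 and the
 * INT32_MIN / -1 overflow case, so the operation is proven error-free. */
int32_t rpm_from_period_green(int32_t ticks_per_min, int32_t period)
{
    if (period == 0 || (ticks_per_min == INT32_MIN && period == -1)) {
        return 0;                       /* defined result for invalid input */
    }
    return ticks_per_min / period;      /* green: proven free of run-time errors */
}

/* ORANGE: idx is unconstrained, so the write may run past the array. */
void store_sensor_orange(size_t idx, int16_t value)
{
    sensor_table[idx] = value;          /* orange: possible out-of-bounds write */
}

/* GREEN: the bounds check makes the write provably in range. A dead branch
 * is left in deliberately to show the GRAY verdict for unreachable code. */
bool store_sensor_green(size_t idx, int16_t value)
{
    if (idx >= SENSOR_COUNT) {
        return false;                   /* reject instead of corrupting memory */
    }
    if (idx > SENSOR_COUNT) {
        return false;                   /* gray: unreachable after the check above */
    }
    sensor_table[idx] = value;          /* green: index proven < SENSOR_COUNT */
    return true;
}

/* RED: the off-by-one loop bound writes sensor_table[SENSOR_COUNT] on every
 * execution, so the fault is certain rather than conditional. Not called. */
void clear_sensors_red(void)
{
    for (size_t i = 0; i <= SENSOR_COUNT; i++) {
        sensor_table[i] = 0;            /* red: out-of-bounds on the last iteration */
    }
}

/* ORANGE: result is assigned only when some entry is positive, so the return
 * may read an uninitialized variable. */
int16_t last_positive_orange(void)
{
    int16_t result;
    for (size_t i = 0; i < SENSOR_COUNT; i++) {
        if (sensor_table[i] > 0) {
            result = sensor_table[i];
        }
    }
    return result;                      /* orange: possibly uninitialized read */
}

/* GREEN: initializing result removes the only path to the faulty read. */
int16_t last_positive_green(void)
{
    int16_t result = 0;
    for (size_t i = 0; i < SENSOR_COUNT; i++) {
        if (sensor_table[i] > 0) {
            result = sensor_table[i];
        }
    }
    return result;                      /* green: always initialized */
}

int main(void)
{
    printf("rpm(60000, 20) = %d\n", rpm_from_period_green(60000, 20));
    printf("rpm(60000, 0)  = %d\n", rpm_from_period_green(60000, 0));
    printf("store idx 8 accepted: %d\n", store_sensor_green(8, 1));
    store_sensor_green(3, 42);
    printf("last positive = %d\n", last_positive_green());
    return 0;
}
```

The orange-to-green changes are exactly the kind of edits the text describes developers making: each adds a guard or an initialization that closes every path to the fault, so the analyzer can prove the operation safe and the component needs no further manual review when it is reused. The red function is kept only to show what an always-faulty operation looks like; it is never executed.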

As Miele adds support for network connectivity to more of its products, the software team plans to expand its use of Polyspace by incorporating additional security checks to strengthen cyber security. 

Results

  • Hundreds of source files analyzed daily. “Every night we analyze the source code of 250 to 300 projects with Polyspace Bug Finder, and each weekend we check about 300 projects for run-time errors using Polyspace Code Prover,” says Trampe.
  • Developer focus on core functionality enabled. “With Polyspace Code Prover, our developers no longer need to design tests to find run-time errors, so they have more time to focus on core functionality,” says Trampe. “Similarly, they use Polyspace Bug Finder to enforce MISRA compliance, so code reviews can concentrate on functionality rather than on rules violations.”
  • Reusable, trusted components proven free of run-time errors. “Our goal is to reuse as much software as possible across our products,” says Trampe. “Using Polyspace Code Prover we have confidence that the code in our reusable components is robust. For most projects we have proven that 100% of the code is free from the run-time errors defined in our SQOs.”