BTC TestStack

Back-to-Back Test

Back-to-Back Testing closes the gap between model behavior and production code behavior.

The problem

Testing the model proves nothing about the code generated from it.

In model-based development, the production code is generated from the model. A discrepancy between model behavior and code behavior means the code cannot be trusted, regardless of how well the model itself has been tested. Back-to-Back Testing closes this gap systematically.

Definition

What Back-to-Back Testing verifies.

Back-to-Back Testing verifies that two different implementations of the same function — for example, a Simulink model and its generated production code — produce structurally identical behavior across all inputs.

01

Generate stimuli vectors

Stimuli vectors are generated automatically to achieve all desired structural coverage goals.

02

Run on the reference

The vectors are simulated against the reference implementation — for example, the model at MIL level.

03

Run on the comparison

The same vectors are then applied to the comparison implementation — for example, production code at SIL level.

04

Compare and flag deviations

Outputs are compared step by step; any deviation is flagged, with automated tools to localize the root cause.

Where it applies

One mechanism, five use cases.

The primary use case is MIL vs. SIL, but Back-to-Back Testing applies wherever two implementations must be proven equivalent.

Use caseReferenceComparison
Standard MBDSimulink / TargetLink model (MIL)Generated production code (SIL)
Cross-model checkSimulink modelTargetLink model
Handwritten vs. modelModelHandwritten C/C++ implementation
Software regressionPrevious model / code versionCurrent version
Tool qualificationPrevious MATLAB / TargetLink versionCurrent version

Why this matters for tool qualification: when teams upgrade their code-generation toolchain, B2B testing provides formal evidence that the generated code has not changed behavior — replacing manual re-review with automated, traceable comparison.

Structural Test Generation

Stimuli vectors — not test cases.

Stimuli vectors are automatically generated test inputs designed exclusively to achieve structural coverage — not to represent functional or requirements-based scenarios. They contain only input and calibration values and carry no expected output behavior. Their purpose is to exercise every reachable structural element of the model or code.

Because they target structure rather than function, stimuli vectors are complementary to requirements-based test cases — not a replacement. Both types are maintained in the same BTC TestStack profile and contribute to the overall coverage picture. Requirements-based test cases already in the profile count as stimuli vectors, too: any structural coverage they achieve is subtracted from the remaining workload, so requirements-based testing and Back-to-Back Testing reinforce each other rather than running as parallel tracks.

Two engines, one workflow

ATG for speed. CV for proof.

BTC TestStack provides two independent engines for stimuli vector generation. Using both in sequence is the recommended practice: run ATG first to reach high initial coverage rapidly, then run CV on the remaining uncovered goals.

ATG engine

Approach
Heuristic code analysis and randomization.
Strengths
Very fast, scales to large subsystems, covers many goals quickly.
Trade-offs
May not reach every goal; cannot prove unreachability.

CV engine

Approach
Complete formal, model-checking analysis.
Strengths
Exhaustive — covers all remaining goals, mathematically proves unreachability, and produces the minimum, shortest possible set of vectors.
Trade-offs
Slower than ATG due to full mathematical analysis.

CV delivers unreachable proofs for goals that truly cannot be exercised — no vector is created for these, because no trace to them exists. For complex subsystems, child scopes can be analyzed independently, keeping generation tractable as complexity grows.

Coverage goals

Every structural and robustness goal, in one pass.

Coverage goals don't have to be tested all at once — they can be selected per run based on project needs.

Structural coverage goals
Statement Coverage
Every executable statement.
Decision / Branch Coverage
Every branch of every decision.
Condition Coverage
Every boolean sub-condition.
Condition/Decision Coverage (C/DC)
Conditions and decisions together.
MC/DC
Independent influence of each condition — required for DO-178C DAL A/B and ISO 26262 ASIL C/D.
Switch-Case Coverage
Every case of every switch statement.
Function Coverage
Every function is called.
Function-Call Coverage
Every call site of every function.
Relational Operators
Both outcomes — true and false — of every relational expression.
Domain Checks
Equivalence classes and boundary value analysis on signal ranges.
Robustness coverage goals
Division-by-Zero
Inputs that produce a division by zero.
Down-Casting
Values that overflow when narrowing data types.
Boundary Value Analysis
Behavior at signal range boundaries.
Array Out-of-Bounds
Index values that exceed array dimensions.
Unreachable Proof
Mathematically proves a goal cannot be reached — no vector needed.
Domain Checks, in detail

Domain Checks are defined per input signal and specify valid ranges — the expected operating range test generation must cover — and invalid ranges, values the signal should never take. The CV engine can prove invalid ranges unreachable if the implementation enforces the constraint. Range notation: [ / ] inclusive, ( / ) exclusive — for example [0.0, 0.45] for a full valid range, or !(0.45, 65.535] for a range violation that should be unreachable.

The workflow

From stimuli vectors to a clean report.

01

Generate stimuli vectors

Select the structural and robustness coverage goals you need — including valid and invalid ranges — configure engine settings such as timeouts and parallel CV execution, and run generation. A healthy result shows every goal "Handled": covered by a vector, or proven unreachable. Both are complete outcomes.

02

Create and execute the test

Select stimuli vectors by folder or scope, set your reference (e.g. the model at MIL) and comparison (e.g. production code at SIL), and optionally configure tolerances. BTC TestStack simulates the vectors against the reference, replays them on the comparison, and compares outputs step by step.

03

Review the report

The Back-to-Back Test Report gives pass/fail counts and overall coverage at a glance, a per-vector comparison table for every signal and timestep, and — for any failure — Deviation Analysis that pinpoints exactly where reference and comparison first diverge.

04

Debug failures

Debug environment export generates a standalone model containing just the failed vector and the affected subsystem, reproducing the failure in an isolated context. Fix the root cause, refresh the profile, and re-run: a clean report confirms it. Note: a profile update invalidates existing unreachable proofs, since the analyzed code has changed — re-running the CV engine re-establishes them.

Reporting

Evidence for every level.

All three reports are accessible from the Profile Navigator and can be exported for tool qualification packages or customer documentation.

Back-to-Back Test Report

Pass/fail per vector, deviation details, tolerance settings, and a comparison overview per scope — the primary evidence document for a B2B test run.

Code Analysis Report

Code coverage per subsystem for all structural and robustness goals, with a detailed goal-level breakdown.

Model Coverage Report

Coverage at model level per subsystem — model-level evidence, requiring a Simulink Verification and Validation toolbox license.

Built for ISO 26262

Proof that counts as evidence.

MC/DC coverage, required at ASIL C/D, is a first-class goal in stimuli vector generation.
Unreachable proofs produced by the CV engine are formal evidence, not estimates — they count toward coverage objectives under ISO 26262.
Reports are part of the test documentation package, alongside the TÜV Süd ISO 26262 certificate provided free of charge.
Results link back to scopes, stimuli vectors, and requirements — visible inside connected ALM/PLM systems like IBM DOORS, Siemens Polarion or codeBeamer.
Certified

BTC TestStack

is ISO 26262 certified

The certificate addresses functional-safety standards across multiple industries:

ISO 26262
Automotive
IEC 61508-3:2010
Industrial / cross-industry functional safety
ISO 25119
Agricultural & forestry machinery
IEC 62304
Medical device software
EN 50716
Railway / rail applications

For ISO 26262, BTC TestStack is certified with the highest Tool Confidence Level (TCL), valid for all ASIL levels including ASIL D. We provide the certificate and report to customers free of charge on request — removing most tool-qualification effort on the customer side.

Get started

Talk to our engineering team.

Tell us where your engineering problem actually is. We'll tell you whether an evaluation license, a workshop, or a conversation is the right next step.