WHITEPAPER Guide To ISO 26262 Software Compliance - Parasoft


WHITEPAPER
Guide to ISO 26262 Software Compliance
Achieving Functional Safety in the Automotive Industry

Technical Whitepaper: Guide to ISO 26262 Software Compliance

INTRODUCTION

Some modern automobiles have more lines of code than a jet fighter. Even moderately sophisticated cars ship with larger and more complex codebases than the same model line did just a few years ago. The inclusion of multi-featured infotainment systems, driver-assist technologies, and electronically controlled safety features as standard components, even in economy models, has fueled the growth of software in the automotive industry. Additionally, the emergence of driverless technology and "connected" cars that function as IoT systems on wheels will mean even larger and more complex codebases.

All of the innovation taking place in the automotive industry, though, raises concerns over the safety, security, and reliability of automotive electronic systems. The concerns are appropriate given that the automotive software supply chain is a long, convoluted system of third-party providers spanning several tiers. Consider, for example, that software developed for a specific microcontroller unit (MCU) may be integrated by a third-tier provider into a component they ship to a second-tier provider, and so on, until a composite component is delivered for final integration by the automaker.

While not all automotive software is critical to the safe operation of the vehicle, code that carries out functional safety operations must be safe, secure, and reliable. Organizations must implement strong software quality process controls around the development of safety-critical software in accordance with ISO 26262, the functional safety standard for automotive software. ISO 26262 provides guidance on processes associated with software development for electrical and/or electronic (E/E) systems in automobiles. The standard is aimed at reducing the risks associated with software for safety functions to a tolerable level by providing feasible requirements and processes.

In this paper, we provide background information on ISO 26262 and its goals. We also discuss some of the policy-related issues associated with developing embedded software that complies with ISO 26262. Finally, we describe how Parasoft can help automotive software development organizations achieve compliance with ISO 26262.

WHAT ISO 26262 COVERS

ISO 26262 is a functional safety standard that covers the entire automotive product development process (including such activities as requirements specification, design, implementation, integration, verification, validation, and configuration). The standard provides guidance on automotive safety lifecycle activities by specifying the following requirements:
» Functional safety management for automotive applications
» The concept phase for automotive applications
» Product development at the system level for automotive applications
» Product development at the hardware level for automotive applications
» Product development at the software level for automotive applications
» Production, operation, service and decommissioning
» Supporting processes: interfaces within distributed developments, safety management requirements, change and configuration management, verification, documentation, use of software tools, qualification of software components, qualification of hardware components, and proven-in-use argument
» Automotive Safety Integrity Level (ASIL)-oriented and safety-oriented analyses

WHAT ISO 26262 DOES NOT COVER
» Unique E/E systems in special purpose vehicles such as vehicles designed for drivers with disabilities
» Safety standards for large vehicles, such as those over 3500 kg (7700 pounds) gross weight
» Hazards related to electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy and similar hazards, unless directly caused by malfunctioning behavior of E/E safety-related systems
» Nominal performance of E/E systems

SOFTWARE-SPECIFIC SECTIONS OF ISO 26262

Part 6 of the standard specifically addresses product development at the software level. Requirements for the following development activities are specified:
» Initiation of product development at the software level
» Specification of software safety requirements
» Software architectural design
» Software unit design and implementation
» Software unit testing
» Software integration and testing
» Verification of software safety requirements

Methods defined by the ISO 26262 standard should be selected depending on the ASIL (automotive safety integrity level). The higher the ASIL, the more rigorous the methods.

Part 8, section 11, describes the software tool qualification process. Tools that automate software development activities and tasks can significantly help organizations meet ISO 26262 requirements. Software tool qualification is intended to provide evidence that tools are suitable for developing a safety-related item or element. One of the qualification methods defined in ISO 26262 relies on running the development tool on a control codebase and confirming that its output is consistent and accurate.

Qualifying Parasoft defect prevention tools and technologies involves running static analysis, flow analysis, unit tests, and any other testing practice used in your development process on a set of control code. The tool must consistently, accurately, and objectively report the known errors in that code, which demonstrates that it functions properly.

ISO 26262 COMPLIANCE AND POLICY-DRIVEN DEVELOPMENT

A particular feature that makes developing compliant embedded software so challenging is the gap between software development and business expectations. Software engineers make business-critical decisions every day in the form of their coding practices, quality activities, and engineering processes. As software permeates critical functions associated with functional safety, these engineering decisions can lead to significant business risks. E/E systems in automobiles that must conform to ISO 26262 are particularly exposed to such risks because the standard specifies very detailed lifecycle processes throughout its approximately 400 pages, all intended to answer a simple, yet ambiguous, question: Is this safe?

Figure 1: Software development lifecycle defined by ISO 26262 requirements
» Item definition: item definitions that include assumptions, dependencies, and a preliminary architecture are written.
» Hazard analysis: item definitions are the basis of hazard analyses, which result in a list of hazardous events.
» Safety goals assigned to each event: each event is given an ASIL (automotive safety integrity level) and assigned a safety goal. Safety goals inherit the ASILs of their events.
» Functional safety requirements (FSRs) are converted to technical safety requirements (TSRs).
» Each TSR is implemented by a software safety requirement.
» All steps output work products. Work products comprise a safety case. Additional arguments accompany the safety case to answer the question of safety.

The purpose of ISO 26262 is to outline the policy surrounding the processes in Figure 1, but policies specific to the organization can be integrated at any step.

The key to reining in these risks is to align software development activities with your organization's business goals. This can be achieved through policy-driven development, which ensures that engineers deliver software according to your expectations. Policy-driven development involves:
» Clearly defining expectations and documenting them in understandable policies.
» Training the engineers on the business objectives driving those policies.
» Enforcing the policies in an automated, unobtrusive way.

By adopting a policy-driven strategy, businesses are able to accurately and objectively measure productivity and application quality, which lowers development costs and reduces risk. With public safety, potential litigation, market position and other consequences on the line, it behooves software development teams and people in traditional business management positions to come together on policy and implement the strategy in their software development lifecycle.

PARASOFT SUPPORT FOR ISO 26262

Parasoft DTP facilitates the software quality tasks specified in ISO 26262, including static analysis, data flow static analysis, metrics analysis, peer code review, unit testing, and runtime error detection. This provides teams a practical way to prevent, expose, and correct errors in automotive functional safety systems. DTP collects data generated by software engineering processes, such as static code analysis violations, test results, code metrics, coverage analysis, source control check-ins, defect tracking systems, etc., and generates meaningful views of the correlated and prioritized data.

The real power of DTP is the Parasoft Process Intelligence Engine (PIE), which performs an additional post-analysis on the collected development artifacts in order to pinpoint risk in the code while highlighting opportunities for improving your development processes. DTP reports the problematic code and a description of how to fix it to the engineer's IDE, based on the organization's programming policy.

The specific sections of ISO 26262 Part 6, Product development at the software level, that can be addressed or partially addressed with Parasoft are described below. The information presented here is intended to serve as an introduction to ISO 26262 software verification and validation processes with Parasoft. Please refer to the standard and consult functional safety experts for clarification of any requirements defined by the ISO 26262 standard.

INITIATION OF PRODUCT DEVELOPMENT AT THE SOFTWARE LEVEL

This section of ISO 26262 Part 6 defines general information about the process of software development and validation.

5.4.6 Requirements for achieving correctness of software design and implementation. Methods described here apply to both modeling and programming languages.

REQUIREMENT / PARASOFT CAPABILITY
Enforcement of low complexity
  » Reports cyclomatic complexity, essential complexity, Halstead complexity, and other code metrics
Use of language subsets
  » Coding standards enforcement, e.g., detection of unsafe language constructs
Enforcement of strong typing
  » Implicit conversion detection
Use of defensive implementation techniques
  » Enforces defensive programming through appropriate coding standards rules, e.g., checking the return value of malloc, checking the error code value returned by called functions, etc.
Use of established design principles
  » Enforcement of industry coding standards rule sets, e.g., MISRA C/C++, JSF, HIS source code metrics, etc.
Use of unambiguous graphical representation
  » Enforcement of specific formatting conventions
Use of style guides
  » Enforcement of specific coding conventions
Use of naming conventions
  » Enforcement of specific naming conventions
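Two of the rows above, enforcement of strong typing and use of defensive implementation techniques, are easiest to understand on a concrete defect. The following C example is added here; it is not code from the whitepaper or from Parasoft, and the frame size, status enum, function names and sample frame are constructed for illustration. The first pair of functions shows the classic weak-typing bug that an implicit-conversion check is meant to catch: a length is range-checked as a signed value and then handed to memcpy, whose size parameter is unsigned. The second pair shows the hardened form, which validates the full range before an explicit conversion and reserves the return value for a status code that the caller checks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_MAX 64u   /* largest frame the receive buffer can hold (constructed value) */

/* Status codes returned by every function that can fail (constructed for this example). */
typedef enum {
    STATUS_OK = 0,
    STATUS_NULL_ARG,
    STATUS_OUT_OF_RANGE
} status_t;

/* DEFECT: the length is range-checked in the signed domain, so a negative value
 * passes ("-1 is not greater than 64"). The check is kept in its own predicate so
 * the wrong decision can be observed without executing the copy. */
bool frame_length_accepted_unsafe(int32_t len)
{
    return !(len > (int32_t)FRAME_MAX);
}

/* At the memcpy call the int32_t is implicitly converted to size_t, so -1 becomes
 * SIZE_MAX and the copy runs off the end of both buffers. An essential-type rule
 * such as MISRA C:2012 Rule 10.3 flags this implicit signed-to-unsigned conversion. */
int copy_frame_unsafe(uint8_t *dst, const uint8_t *src, int32_t len)
{
    if (!frame_length_accepted_unsafe(len)) {
        return -1;
    }
    memcpy(dst, src, len);   /* implicit int32_t -> size_t conversion */
    return 0;
}

/* HARDENED: validate the whole range first, convert explicitly, and hand the
 * checked value back in the unsigned type the consumer actually needs. */
status_t frame_length_checked(int32_t len, size_t *out)
{
    if (out == NULL) {
        return STATUS_NULL_ARG;
    }
    if (len < 0 || (uint32_t)len > FRAME_MAX) {
        return STATUS_OUT_OF_RANGE;
    }
    *out = (size_t)len;
    return STATUS_OK;
}

/* Caller that applies the "check the error code of every called function" rule:
 * any status other than STATUS_OK is propagated and nothing is copied. */
status_t copy_frame_checked(uint8_t *dst, const uint8_t *src, int32_t len)
{
    size_t n = 0;
    status_t st;
    if (dst == NULL || src == NULL) {
        return STATUS_NULL_ARG;
    }
    st = frame_length_checked(len, &n);
    if (st != STATUS_OK) {
        return st;
    }
    memcpy(dst, src, n);
    return STATUS_OK;
}

int main(void)
{
    uint8_t src[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };   /* constructed sample frame */
    uint8_t dst[FRAME_MAX] = { 0 };
    const int32_t lengths[] = { 8, 65, -1 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        size_t n = 0;
        printf("len %3d: unsafe check %s, checked status %d\n", (int)lengths[i],
               frame_length_accepted_unsafe(lengths[i]) ? "accepts" : "rejects",
               (int)frame_length_checked(lengths[i], &n));
    }
    /* Only the hardened copy is ever invoked with the negative length:
     * copy_frame_unsafe(dst, src, -1) would call memcpy with SIZE_MAX bytes. */
    return (copy_frame_checked(dst, src, 8) == STATUS_OK) ? 0 : 1;
}
```

The signed check followed by an unsigned use is exactly the pattern a strong-typing rule set exists to make visible: the comparison compiles cleanly, and the conversion happens silently at the call site. The hardened version also illustrates why the table lists return-code checking as a defensive technique: once a function reports failure through its return value, the discipline only works if every caller tests that value, which is what a coding standard rule can enforce mechanically.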

SOFTWARE UNIT DESIGN AND IMPLEMENTATION

This section defines the process of specifying and implementing software units, as well as the verification of the design and implementation.

8.4.4 Specifies the design principles for software unit design and implementation.

REQUIREMENT / PARASOFT CAPABILITY
Design principles for software unit implementation, e.g., initialization of variables, no implicit type conversions, etc.
  » Static analysis: MISRA C rules, MISRA C++ rules, MISRA C:2012, MISRA C:2004, and additional standards

Please refer to the Satisfying ASIL Requirements with Parasoft C/C++test paper for additional information about C/C++test support for specific software unit implementation design principles.

8.4.5 Specifies the verification methods for checking software unit design and implementation.

REQUIREMENT / PARASOFT CAPABILITY
Control flow analysis
  » Control Flow Analysis
Data flow analysis
  » Data Flow Analysis
Static code analysis
  » Coding standards enforcement
Inspection of the source code
  » DTP Change Explorer
Walkthrough of the source code
  » DTP Change Explorer

SOFTWARE UNIT TESTING

This section defines the process of planning, defining, and executing software unit testing.

9.4.1 Describes general information about unit test execution.

REQUIREMENT / PARASOFT CAPABILITY
Unit test execution
  » Unit test execution module
  » Reports module for presenting results
Unit test specification
  » Configurable unit test generation module creates tests according to the defined specification
  » Test Case Explorer module presents a list of all defined test cases with pass/fail status

9.4.2 Describes methods used to specify and execute unit tests.

REQUIREMENT / PARASOFT CAPABILITY
Requirement-based tests
  » Bidirectional traceability of tests and requirements
  » Requirements testing coverage reports
  » Maps test cases to requirements and/or defects in conjunction with DTP
Unit test specification
  » Supports user-defined test cases created manually and tests created with the Test Case Editor
Interface tests
  » Uses function stubs and data sources to emulate the behavior of external components for automatic unit test execution
Fault injection tests
  » Enforces fault conditions using function stubs
  » Automatic unit test generation using different sets of preconditions (min, max, heuristic values)

Please note that Parasoft allows test cases to be packaged into groups for easier management of the tests (such as executing the tests from a single group only).
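The interface-test and fault-injection rows above both depend on the same mechanism: the unit under test reaches its external dependency through a seam that a stub can occupy. The C example below is added here and is not Parasoft's stub framework or code from the whitepaper; the ADC driver interface, the pedal scaling and the stub are constructed for illustration. The unit under test reads through a function pointer, the stub can be told to succeed for a given number of calls and then fail, and the two test cases exercise the nominal path and the injected-fault path that a real peripheral would rarely take on the bench.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical ADC driver seam (constructed for this example). The real driver
 * and the stub below share this signature, so the unit under test can be bound
 * to either one. Returns 0 on success, non-zero on a hardware fault. */
typedef int (*adc_read_fn)(uint16_t *raw_out);

#define PEDAL_MAX_RAW       4095u   /* 12-bit ADC full scale */
#define PEDAL_FAULT_PERCENT    0u   /* fail-safe output: no throttle demand */

/* Unit under test: converts a raw pedal reading to a throttle demand in percent.
 * Every failure path (no driver, driver error, implausible raw value) degrades
 * to the fail-safe value instead of propagating garbage downstream. */
uint8_t throttle_percent(adc_read_fn read)
{
    uint16_t raw = 0u;
    if (read == NULL || read(&raw) != 0) {
        return PEDAL_FAULT_PERCENT;      /* driver fault */
    }
    if (raw > PEDAL_MAX_RAW) {
        return PEDAL_FAULT_PERCENT;      /* implausible reading */
    }
    return (uint8_t)((raw * 100u) / PEDAL_MAX_RAW);
}

/* ---- Function stub standing in for the driver during unit testing ---- */
static uint16_t stub_raw_value;
static unsigned stub_calls_before_fault;   /* fault injection: fail from this call onward */
static unsigned stub_call_count;

/* Configure the stub: the value to return and how many calls succeed before a
 * fault is injected (0 means the very first call fails). */
void adc_stub_configure(uint16_t raw_value, unsigned calls_before_fault)
{
    stub_raw_value = raw_value;
    stub_calls_before_fault = calls_before_fault;
    stub_call_count = 0u;
}

int adc_stub_read(uint16_t *raw_out)
{
    stub_call_count++;
    if (stub_call_count > stub_calls_before_fault) {
        return -1;                       /* injected hardware fault */
    }
    *raw_out = stub_raw_value;
    return 0;
}

/* Two of the test cases a unit test suite for throttle_percent would contain. */
uint8_t test_nominal_reading(void)
{
    adc_stub_configure(2047u, 100u);           /* mid-scale, no fault */
    return throttle_percent(adc_stub_read);    /* 2047 * 100 / 4095 = 49 */
}

uint8_t test_injected_fault_on_second_call(void)
{
    adc_stub_configure(2047u, 1u);             /* first read succeeds, second faults */
    (void)throttle_percent(adc_stub_read);     /* nominal: 49 */
    return throttle_percent(adc_stub_read);    /* fault path: PEDAL_FAULT_PERCENT */
}

int main(void)
{
    printf("nominal mid-scale reading      -> %u %%\n", (unsigned)test_nominal_reading());
    printf("fault injected on second read  -> %u %%\n",
           (unsigned)test_injected_fault_on_second_call());
    return 0;
}
```

The call counter is what turns a plain stub into a fault-injection stub: it lets one test drive the unit through a good read and then a failing one, which is the sequence a transient bus fault produces in the field. On a target build the same seam would be occupied by the real driver (or, in a tool-generated harness, by a stub the tool substitutes at link time), so the production source of throttle_percent is unchanged between the two environments.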

9.4.3 Defines methods that should be used to create test cases.

REQUIREMENT / PARASOFT CAPABILITY
Analysis of requirements
  » Parasoft DTP provides requirements-to-code and requirements-to-test traceability
Generation and analysis of equivalence classes
  » Uses factory functions to prepare sets of input parameter values for automated unit test generation
  » Uses data sources to efficiently exercise a wide range of input values in tests
Analysis of boundary values
  » Automatically generates test cases (such as heuristic values and boundary values)
  » Employs data sources to use a wide range of input values in tests
Error guessing
  » Uses the function stub mechanism to inject fault conditions into tested code
  » Flow Analysis results can be used to write additional tests

9.4.4 Defines the methods for demonstrating the completeness of the test cases.

REQUIREMENT / PARASOFT CAPABILITY
Statement coverage
  » Code Coverage module
Branch coverage
  » Code Coverage module
MC/DC (modified condition/decision coverage)
  » Code Coverage module

Note that ISO 26262 Part 6, 9.4.4 states that if instrumented code is used to determine the degree of coverage, it may be necessary to show that the instrumentation has no effect on the test results. One way to show this is to run the same tests on non-instrumented code and confirm that the results are identical.
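The difference between branch coverage and MC/DC in the table above is easy to state but clearer on a concrete decision. The C example below is added here; it is not code from the whitepaper or from Parasoft's Code Coverage module, and the decision (a && b) || c together with the two test sets are constructed for illustration. It checks a test set for unique-cause MC/DC: for every condition there must be a pair of test vectors that differ only in that condition and produce different decision outcomes. Two vectors are enough for branch coverage of this decision, but four are needed before each of the three conditions is shown to independently affect the result.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NCOND 3   /* number of conditions in the decision under test */

/* One test vector: an assignment of the three conditions a, b, c. */
typedef struct { bool cond[NCOND]; } test_vector;

/* Decision under test (constructed example): (a && b) || c. */
bool decision(const test_vector *v)
{
    return (v->cond[0] && v->cond[1]) || v->cond[2];
}

/* True if x and y differ in condition k and in no other condition. */
static bool differ_only_in(const test_vector *x, const test_vector *y, size_t k)
{
    for (size_t i = 0; i < NCOND; i++) {
        bool differs = (x->cond[i] != y->cond[i]);
        if (differs != (i == k)) {
            return false;
        }
    }
    return true;
}

/* Branch (decision) coverage: has the decision been observed both true and false? */
bool branch_covered(const test_vector *tests, size_t n)
{
    bool seen_true = false, seen_false = false;
    for (size_t i = 0; i < n; i++) {
        if (decision(&tests[i])) { seen_true = true; } else { seen_false = true; }
    }
    return seen_true && seen_false;
}

/* Unique-cause MC/DC: counts the conditions for which the test set contains an
 * independence pair (two vectors differing only in that condition, with
 * different decision outcomes). Returns NCOND exactly when MC/DC is achieved. */
size_t mcdc_conditions_covered(const test_vector *tests, size_t n)
{
    size_t covered = 0;
    for (size_t k = 0; k < NCOND; k++) {
        bool found = false;
        for (size_t i = 0; i < n && !found; i++) {
            for (size_t j = i + 1; j < n && !found; j++) {
                if (differ_only_in(&tests[i], &tests[j], k) &&
                    decision(&tests[i]) != decision(&tests[j])) {
                    found = true;
                }
            }
        }
        if (found) {
            covered++;
        }
    }
    return covered;
}

/* Constructed test sets. Vectors are listed as {a, b, c}. */
const test_vector branch_only_set[] = {
    {{ true,  true,  false }},   /* decision true  */
    {{ false, false, false }},   /* decision false */
};
const size_t branch_only_len = sizeof branch_only_set / sizeof branch_only_set[0];

const test_vector mcdc_set[] = {
    {{ true,  true,  false }},   /* true  : pairs with vectors 2 and 3             */
    {{ false, true,  false }},   /* false : only a differs from vector 1 -> shows a */
    {{ true,  false, false }},   /* false : only b differs from vector 1 -> shows b */
    {{ true,  false, true  }},   /* true  : only c differs from vector 3 -> shows c */
};
const size_t mcdc_len = sizeof mcdc_set / sizeof mcdc_set[0];

int main(void)
{
    printf("branch-only set: branch %s, MC/DC conditions %zu/%d\n",
           branch_covered(branch_only_set, branch_only_len) ? "yes" : "no",
           mcdc_conditions_covered(branch_only_set, branch_only_len), NCOND);
    printf("MC/DC set:       branch %s, MC/DC conditions %zu/%d\n",
           branch_covered(mcdc_set, mcdc_len) ? "yes" : "no",
           mcdc_conditions_covered(mcdc_set, mcdc_len), NCOND);
    return 0;
}
```

The branch-only set reaches both outcomes of the decision, yet its two vectors differ in two conditions at once, so it demonstrates nothing about any single condition. Dropping the last vector from the MC/DC set leaves a and b demonstrated but not c, which is the kind of gap a coverage tool reports when it shows MC/DC below 100% for a decision whose branch coverage is already complete. For n conditions, n + 1 vectors are the minimum for unique-cause MC/DC, which is why the metric scales with the number of conditions rather than exploding combinatorially.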

9.4.5 Defines the requirements for the test environment.

REQUIREMENT / PARASOFT CAPABILITY
The test environment for unit testing shall correspond as far as possible to the target environment.
  » Unit test execution on both the target device and a simulator to perform tests in different environments (such as software in the loop, processor in the loop, and hardware in the loop)

SOFTWARE INTEGRATION AND TESTING

10.4.2 Describes general information about executing software integration tests.

REQUIREMENT / PARASOFT CAPABILITY
Integration tests
  » Flexible configuration of the tested software scope (from a single function to the entire application)
  » Multi-metric test coverage analysis

10.4.5 Defines methods for demonstrating the completeness of integration testing.

REQUIREMENT / PARASOFT CAPABILITY
Function coverage
  » Code Coverage module

10.4.7 Defines requirements for the integration test environment.

REQUIREMENT / PARASOFT CAPABILITY
The test environment for software integration testing shall correspond as far as possible to the target environment.
  » Flexible stub framework
  » Service virtualization module is available to thoroughly mimic the complete system
  » Coverage analysis execution on both the target device and a simulator to perform tests in different environments (such as software in the loop, processor in the loop, and hardware in the loop)

SUMMARY

Developing ISO 26262 compliant software for E/E systems in automobiles is no easy feat. But Parasoft eases the burden by offering a broad range of analysis tools and, more importantly, enabling you to automatically monitor compliance with your development policy, bridging the gap between development activities and business processes. Development teams can also generate configurable test reports that contain a high level of detail, which helps facilitate the work required for the software verification process.

TAKE THE NEXT STEP

Talk to an expert about accelerating the delivery of high-quality and compliant software with our ISO 26262 compliance tools.

ABOUT PARASOFT

Parasoft helps organizations continuously deliver quality software with its market-proven, integrated suite of automated software testing tools. Supporting the embedded, enterprise, and IoT markets, Parasoft's technologies reduce the time, effort, and cost of delivering secure, reliable, and compliant software by integrating everything from deep code analysis and unit testing to web UI and API testing, plus service virtualization and complete code coverage, into the delivery pipeline. Bringing all this together, Parasoft's award-winning reporting and analytics dashboard delivers a centralized view of quality, enabling organizations to deliver with confidence and succeed in today's most strategic ecosystems and development initiatives: security, safety-critical, Agile, DevOps, and continuous testing.
