Software Unit Verification in IEC 62304 - MedConf · 2018. 11. 29. · Software Unit Verification in IEC 62304 Founded 1976 in Karlsruhe, Germany Approx. 50 employees Subsidiary in

Building a safe and secure embedded world

Frank Büchner, Hitex GmbH, Karlsruhe

Software Unit Verificationin IEC 62304

Founded 1976 in Karlsruhe, Germany

Approx. 50 employees

Subsidiary in UK (20 employees)

Part of the Infineon Group since 2003

Tools for safety & security

Test services

Engineering, production, consulting

AURIX preferred design house (PDH)

Software Unit Verification, Frank Büchner, Nov. 2018 Copyright © Hitex GmbH 2018. All rights reserved. 2

Hitex GmbH

Inspiration by a look in non-medical standards

IEC 61508

ISO 26262

DIN EN 50128

ISO 14971

ISO 13485

IEC 60601-1

IEC 61010-1

ISO/IEC 12207


Motivation

1. A Look in 62304

2. A Look in Other Standards

2.1 26262 and Code Coverage

2.2 50128 and Independent Testing

2.3 61508 and Software Complexity Control

2.4 26262 and Test Case Specification

2.5 26262 and Tool Qualification


Contents

Software Unit Verification


A Look in 62304

IEC 62304:2006+AMD1:2015, p. 24(Copyright der VDE VERLAG GmbH)

DIN EN 62304:2018-06, p. 28(Copyright der VDE VERLAG GmbH)

What is an unit?

Three criteria

1. Not subdivided / not further decomposed

2. Separately testable

3. Defined by manufacturer

Software item


A Look in 62304


A Look in 62304

Software Unit

U

U

U U

U

U U

Software System

Software Item

Software Items:

What is an unit?

What is an unit?


Conclusion

Programming language Unit

C Function

C++, Java, C#, … Method

Ada Procedure / Function

…

Second term: verification

Verification


A Look in 62304

IEC 62304:2006+AMD1:2015, p. 14

Verification

Where do the requirements come from?

Includes

• Requirements Decomposition + Risk Analysis


A Look in 62304

IEC 62304:2006+AMD1:2015, p. 23

Verification

Strategies, methods, and procedures


A Look in 62304

IEC 62304:2006+AMD1:2015, p. 24


Excursus

Test

dynamicstatic

manual (by human)

automated (by tool)

automated (by tool)

Verification Acceptance Criteria

Software Unit Acceptance Criteria


A Look in 62304

IEC 62304:2006+AMD1:2015, p. 19

IEC 62304:2006+AMD1:2015, 5.5.3, p. 24

Requirements

Link Matrix


Discussion Acceptance Criteria

Interface

Structure



Coding standards (1/2)



IEC 62304:2006+AMD1:2015, p. 49

Coding standards (2/2)

Proprietary coding rules

Ready-made, e.g. MISRA, CERT-C

Checked by static analysis

Preferrably checked by tool



Additional acceptance criteria


A Look in 62304

IEC 62304:2006+AMD1:2015, p. 24

Proper Event Sequence

E.g. by checking the „Call Trace“


Discussion Additional Acceptance Criteria

Data flow

A variable can have 3 states:

1. d: defined (= value assigned)

2. r: referenced (= value used)

3. u: undefined (= not initialized)

Three data flow anomalies:

1. ur

2. du

3. dd

A data flow anomaly does not need to result in a failure



Control flow

Example: Unreachable code



Fault handling

Needs requirement

Initialization of variables

This is a data flow anomaly

Self-diagnostic

Needs requirement

Boundary conditions

Relates to test case specification



[ [

1. A Look in 62304








Contents

62304 mentions

Coverage of requirements

But not code coverage for unit verification

Code coverage in ISO 26262:2011 for Unit Testing


26262 and Code Coverage

Part 6, Table 12

Recommendation


26262 and Code Coverage

Safety Class 62304 Coverage Measure

A Statement Coverage

B Branch Coverage

C Modified Condition / Decision Coverage (MC/DC)

1. A Look in 62304








Inhalt

62304


50128 and Independent Testing

IEC 62304:2006+AMD1:2015, p. 8

IEC 62304:2006+AMD1:2015, p. 64

50128 – Bahnanwendungen / Railway

At SIL 0: A person, who is … implementer of a software component must not be tester … of the same software component.


50128 and Independent Testing

DIN EN 50128:2012-03(Copyright der VDE VERLAG GmbH)

(translation by the author)

Why is independent testing important? (1/3)

Example of a specification

A start value and a length define a range of values. Determine if a given value is within the defined range or not. The end of the range shall not be inside the range. Only integer numbers are to be considered.


Independent Testing

value

startlength

[ [

outside outsideinside


This case is simple


Independent Testing

Value = 6 inside!

Start = 5Length= 2

[ [5 6 7


But this case?


Independent Testing

Value = -6 ???

Start = -5

] ]-7 -6 -5

Length= -2

1. A Look in 62304








Contents

IEC 61508


61508 and Software Complexity Control

IEC 61508-3:2010, Table B.9

Metrics for software complexity control

Examples

• Cyclomatic complexity according to McCABE

• Volume according to Halstaed

Tool support necessary!



Software module size limit

61508-7, section C.2.9: „typically 2 to 4 screen sizes“

Metric Lines-of-code (LOC)



Parameter number limit



One entry / one exit

Rule 15.5 from MISRA-C:2012

• Only one return statement at the end



1. A Look in 62304








Contents

How to find test cases for black-box unit tests?


26262 and Test Case Specification

ISO 26262:2011, part 6, table 11

Methods from ISO 26262 for deriving test cases

Equivalence classes



Test case specification using the Classification Tree Method


Excursus



Methods from ISO 26262 for deriving test cases

Error guessing

aka “intuitive testing”

aka “experienced-based testing”

1. A Look in 62304








Contents

Methods for tool qualification


26262 and Tool Qualification

ISO 26262:2011, part 8, table 4

Any questions?

Unit test tool TESSY by Razorcat

www.hitex.de/tessy

Static analysis tool KLOCWORK by Roguewave

www.hitex.de/klocwork


Thank you for listening!

Frank BüchnerDipl.-Inform.Principal Engineer Software Quality

Hitex GmbHGreschbachstr. 12KarlsruheGermany

Tel.: +49 / 721 / 9628 – 125frank.buechner(at)hitex.de


Contact & Additional Information

Documents

Software Unit Verification in IEC 62304 - MedConf · 2018. 11. 29. · Software Unit Verification in IEC 62304 Founded 1976 in Karlsruhe, Germany Approx. 50 employees Subsidiary in