
Page 1: Achieve iso 26262 certification

© Programming Research

www.programmingresearch.com

Achieving ISO 26262 Compliance

with QA·C & QA·C++

Adrian Hunt

Pre-Sales Consultant

Page 2

Agenda

• Overview

• Automotive Safety Integrity Levels

• ISO 26262 Qualifications

• Classification of Tools

• ISO 26262 Compliance with PRQA Tools

• ISO 26262 Compliance Tables

• Coding Standards

• Certification Report

Page 3

Overview

• ISO 26262 is an adaptation of the IEC 61508 functional safety standard for electronic / electrical / programmable electronic safety-related systems.

• ISO 26262 focuses on the specific needs of electrical and/or electronic systems installed in series-production passenger cars, and applies to all activities within the safety lifecycle of these safety-related systems.

• As the complexity of a system increases, the risk of systematic failures and random hardware failures increases.

Page 4

Overview

• Examples of systems for which the standard was developed include:

  – Driver assistance

  – Propulsion and vehicle dynamics control

  – Active and passive safety systems

• The standard includes guidance that helps developers mitigate these risks through the provision of appropriate requirements and processes.

Page 5

Automotive Safety Integrity Levels

• ISO 26262 introduces four Automotive Safety Integrity Levels (ASIL A – D), where ASIL D represents the most stringent level.

• This allows different methods to be applied depending upon the ASIL of the system at a functional level.

IEC 61508 SIL level   ISO 26262 ASIL level   Consequences of a failure
1                     A                      Potential for minor injuries                (less critical)
2                     B                      Possible major injuries or one fatality
3                     C                      Possible fatalities
4                     D                      Possible fatalities in the community        (more critical)

Note: The letter levels follow the opposite pattern when compared to DO-178B

Page 6

ISO 26262 Qualification

• The method used to verify these requirements must be qualified

• Why?

  – Evidence that the methods used are suitable for use in a safety-critical project

  – Confidence that the method proceeds correctly and doesn’t introduce bugs

• Software automation is the only effective option

Page 7

ISO 26262 Qualification - Methods

• Allowed qualification methods

  – Confidence from use

  – Evaluation of the development process

  – Validation of the software tool

  – Development in compliance with a safety standard

• Choose an uncertified tool and certify it yourself? Time and money!

• Choose a professional tool from a respected company

• Choose a tool certified by a specialist certification company

Page 8

Classification of Tools

Class T1 tools: cannot introduce defects into the code, even if they malfunction; there is no requirement to formally justify them.

Class T2 tools: tools which test or verify code; they cannot themselves introduce a fault into the code, however, they can fail to detect existing faults.

Class T3 tools: can / will introduce defects directly into the compiled code.

Page 9

Classification of Tools

Class T2 and T3 tools must be justified – there must be evidence that the tools can meet the requirements demanded of them.

Additionally, tools in class T2 and T3 must be deployed in accordance with a ‘Safety Manual’ which ensures that the tool is installed, configured and operated correctly.

Page 10

ISO 26262 Compliance with PRQA Tools

• QA·C 8.1.2 with MISRA-C and QA·C++ 3.1 with an extended MISRA C++ have been certified by SGS TÜV-SAAR as fit for purpose to develop safety related software up to ASIL D according to ISO 26262.

• QA·C with MISRA C

  – Safety Manual

  – ISO 26262 Certificate

  – Report to the Certificate

• QA·C++ with MISRA C++ Extended

  – Safety Manual

  – ISO 26262 Certificate

  – Report to the Certificate

Page 11

ISO 26262 Compliance with PRQA Tools

Page 12

ISO 26262 Compliance Tables

• Part 6 of ISO 26262 addresses product development at the software level, including several tables that define the methods that must be considered in order to achieve compliance with the standard.

• The following tables identify where QA·C with MISRA C (referred to as “QA·C”) and QA·C++ with MISRA C++ Extended (referred to as “QA·C++”) can be used to ensure and demonstrate compliance.

• For each method, the degree of recommendation to use the corresponding method depends on the ASIL and is categorized as follows:

  – “++” indicates that the method is highly recommended for the identified ASIL;

  – “+” indicates that the method is recommended for the identified ASIL;

  – “o” indicates that the method has no recommendation for or against its usage for the identified ASIL.

Page 13

Table 1 – Topics to be covered by modelling and coding guidelines

Page 14

Table 3 – Principles of software architectural design


Page 15

Table 8 – Design principles for software design and implementation

Page 16

Table 9 – Methods for the verification of software unit design and implementation

Page 17

Coding Standards

• Prevent the use of undefined or unspecified behavior

• Prevent the programmer making common mistakes

• Limit the use of certain constructs

• Remove potential ambiguity

• Restrict library usage

[Figure: coding standard logos shown on the slide – JSF++, MISRA C++, HIC++]
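To make the five bullet points concrete, the following C program is an added example written for this page; it is not code from PRQA or from the slides, and the function names and sample values are its own. Each function shows, in its comment, a construct that a MISRA-style coding standard restricts (an undefined signed overflow, an implicit narrowing conversion, an unspecified evaluation order, a mixed-signedness comparison) beside a rewrite whose behaviour is defined and bounded, which is the kind of code a checker such as QA·C is there to enforce.

```c
/*
 * Added example, not from the PRQA slides: constructs that a MISRA-style
 * coding standard restricts, each with a compliant rewrite. Function names
 * and sample values are this example's own.
 */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 1. Undefined behaviour: signed overflow. `*out = a + b;` on int32_t has
 *    no defined result when the sum does not fit. Check the operands before
 *    forming the sum and report failure instead of overflowing. */
bool checked_add_i32(int32_t a, int32_t b, int32_t *out)
{
    if ((b > 0) && (a > (INT32_MAX - b))) {
        return false;   /* would overflow upward */
    }
    if ((b < 0) && (a < (INT32_MIN - b))) {
        return false;   /* would overflow downward */
    }
    *out = a + b;
    return true;
}

/* 2. Implicit narrowing: `uint8_t duty = (uint8_t)value;` silently drops
 *    the high bits (1000 becomes 232). An explicit saturating conversion
 *    makes the intended range visible and bounded. */
uint8_t saturate_to_u8(int32_t v)
{
    if (v < 0) {
        return 0U;
    }
    if (v > (int32_t)UINT8_MAX) {
        return UINT8_MAX;
    }
    return (uint8_t)v;
}

/* 3. Unspecified evaluation order: `buf[i] = next_value(&i);` reads i on
 *    the left and modifies it inside the call on the right, so which element
 *    is written depends on the compiler. Fix the index before the call. */
static uint32_t next_value(uint32_t *counter)
{
    *counter += 1U;
    return (*counter) * 10U;
}

/* Fills buf[0..len-1] with 10, 20, 30, ... and returns the sum written. */
uint32_t fill_sequenced(uint32_t *buf, uint32_t len)
{
    uint32_t i = 0U;
    uint32_t total = 0U;
    while (i < len) {
        uint32_t slot = i;              /* index captured before the call */
        buf[slot] = next_value(&i);     /* i is advanced inside the call  */
        total += buf[slot];
    }
    return total;
}

/* 4. Mixed signedness: `if (offset < len)` with int32_t offset and uint32_t
 *    len converts -1 to 4294967295, so a negative index passes the bounds
 *    check. Reject negatives explicitly, then compare like with like. */
bool index_in_range(int32_t offset, uint32_t len)
{
    if (offset < 0) {
        return false;
    }
    return ((uint32_t)offset < len);
}

int main(void)
{
    int32_t sum = 0;
    uint32_t buf[4] = {0U, 0U, 0U, 0U};

    printf("INT32_MAX + 1 accepted: %d\n", (int)checked_add_i32(INT32_MAX, 1, &sum));
    printf("saturate_to_u8(1000) = %u\n", (unsigned)saturate_to_u8(1000));
    printf("fill_sequenced sum = %u\n", (unsigned)fill_sequenced(buf, 4U));
    printf("index_in_range(-1, 10) = %d\n", (int)index_in_range(-1, 10U));
    return 0;
}
```

Each compliant function returns a value a test can check, which is also the point of the coding standard: the behaviour is decided in the source, not left to the compiler or the target.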

Page 18

Coding Standards

Page 19

Certification Report

The analysis results are fully certified along with our report generation.

Page 20

Certification Report – Example 1

Page 21

Certification Report – Example 2

Page 22

Summary

• QA·C with the MISRA C Compliance Module and QA·C++ with the MISRA C++ Extended Compliance Module have been certified as “fit for purpose” for achieving compliance with ISO 26262.

• The time and cost of meeting many of the standard’s requirements associated with development at the software level can be reduced by using these tools.

• The long history of widespread use of QA·C and QA·C++ in automotive development demonstrates their suitability for use within this industry.

• QA·C and QA·C++ with MISRA are highly effective tools for any company that needs to achieve ISO 26262 compliance for its products.

Page 23

Thank you

Additional resources

Whitepapers: http://www.programmingresearch.com/resources/, incl:

  – Achieving ISO 26262 Compliance with QA·C and QA·C++

  – Independent Research on MISRA C Compliance Tools

  – MISRA: An Overview

  – MISRA C:2012

  – The Best Coding Standards Eliminate Bugs

Webinars: http://www.programmingresearch.com/resources/, incl:

  – An introduction to MISRA C:2012

  – Software Development For Safety-Critical Environments, How Safe Are You?

  – An Overview of Coding Standards

Videos: http://www.programmingresearch.com/resources/, incl:

  – Principles of Functional Safety with ISO 26262

  – Coding Standard Compliance – Some Facts and Some Fallacies

Training: http://www.programmingresearch.com/services/training/, incl:

  – The MISRA C:2012 (2-day public and onsite)