© Programming Research
www.programmingresearch.com
Achieving ISO 26262 Compliance
with QA·C & QA·C++
Adrian Hunt
Pre-Sales Consultant
Agenda
• Overview
• Automotive Safety Integrity Levels
• ISO 26262 Qualifications
• Classification of Tools
• ISO 26262 Compliance with PRQA Tools
• ISO 26262 Compliance Tables
• Coding Standards
• Certification Report
Overview
• ISO 26262 is an adaptation of the IEC 61508 functional safety standard for electronic / electrical / programmable electronic safety-related systems.
• ISO 26262 focuses on the specific needs of electrical and/or electronic systems installed in series-production passenger cars, and applies to all activities within the safety lifecycle of these safety-related systems.
• As the complexity of a system increases, the risk of systematic failures and random hardware failures increases.
Overview
• Examples of systems for which the standard was developed include:
  – Driver assistance
  – Propulsion and vehicle dynamics control
  – Active and passive safety systems
• The standard includes guidance that helps developers mitigate these risks through the provision of appropriate requirements and processes.
Automotive Safety Integrity Levels
• ISO 26262 introduces four Automotive Safety Integrity Levels (ASIL A – D), where ASIL D represents the most stringent level.
• This allows different methods to be applied depending upon the ASIL of the system at a functional level.
  IEC 61508 SIL level | ISO 26262 ASIL level | Consequences of a failure
  --------------------+----------------------+------------------------------------------
  1                   | A                    | Potential for minor injuries
  2                   | B                    | Possible major injuries or one fatality
  3                   | C                    | Possible fatalities
  4                   | D                    | Possible fatalities in the community

(Rows run from less critical at the top to more critical at the bottom.)
Note: The letter levels follow the opposite pattern when compared to DO-178B.
ISO 26262 Qualification
• The method used to verify these requirements must be qualified
• Why?
  – Evidence that the methods used are suitable for use in a safety-critical project
  – Confidence that the method proceeds correctly and doesn't introduce bugs
• Software automation is the only effective option
ISO 26262 Qualification - Methods
• Allowed qualification methods
  – Confidence from use
  – Evaluation of the development process
  – Validation of the software tool
  – Development in compliance with a safety standard
• Choose an uncertified tool and certify it yourself? Time and money!
• Choose a professional tool from a respected company
• Choose a tool certified by a specialist certification company
Classification of Tools
• Class T1 tools: cannot introduce defects into the code, even if they malfunction; there is no requirement to formally justify them.
• Class T2 tools: tools which test or verify code; they cannot themselves introduce a fault into the code, but they can fail to detect existing faults.
• Class T3 tools: can or will introduce defects directly into the compiled code.
Classification of Tools
• Class T2 and T3 tools must be justified – there must be evidence that the tools can meet the requirements demanded of them.
• Additionally, tools in class T2 and T3 must be deployed in accordance with a ‘Safety Manual’ which ensures that the tool is installed, configured and operated correctly.
ISO 26262 Compliance with PRQA Tools
• QA·C 8.1.2 with MISRA-C and QA·C++ 3.1 with an extended MISRA C++ have been certified by SGS TÜV-SAAR as fit for purpose to develop safety-related software up to ASIL D according to ISO 26262.
• QA·C with MISRA C
  – Safety Manual
  – ISO 26262 Certificate
  – Report to the Certificate
• QA·C++ with MISRA C++ Extended
  – Safety Manual
  – ISO 26262 Certificate
  – Report to the Certificate
ISO 26262 Compliance with PRQA Tools
ISO 26262 Compliance Tables
• Part 6 of ISO 26262 addresses product development at the software level, including several tables that define the methods that must be considered in order to achieve compliance with the standard.
• The following tables identify where QA·C with MISRA C (referred to as “QA·C”) and QA·C++ with MISRA C++ Extended (referred to as “QA·C++”) can be used to ensure and demonstrate compliance.
• For each method, the degree of recommendation to use the corresponding method depends on the ASIL and is categorized as follows:
  – “++” indicates that the method is highly recommended for the identified ASIL;
  – “+” indicates that the method is recommended for the identified ASIL;
  – “o” indicates that the method has no recommendation for or against its usage for the identified ASIL.
Table 1 – Topics to be covered by modelling and coding guidelines
(Table reproduced as an image in the original slides; not included in this extract. Recommendations use the “++” / “+” / “o” legend above.)
Table 3 – Principles of software architectural design
(Table reproduced as an image in the original slides; not included in this extract.)
Table 8 – Design principles for software design and implementation
(Table reproduced as an image in the original slides; not included in this extract.)
Table 9 – Methods for the verification of software unit design and implementation
(Table reproduced as an image in the original slides; not included in this extract.)
Coding Standards
• Prevent the use of undefined or unspecified behavior
• Prevent the programmer making common mistakes
• Limit the use of certain constructs
• Remove potential ambiguity
• Restrict library usage
(Figure: C++ coding standards – JSF++, MISRA C++, HIC++.)
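An added example, not from the PRQA slides, of two of the defect classes the bullets above describe (an ambiguous expression and a common implicit-conversion mistake), each beside the form a MISRA C style check would steer the programmer towards. The function names and the FLAG_READY value are constructed for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed example: constructs a coding-standard checker reports, beside a
 * conformant rewrite. Every function here is well-defined C and compiles
 * without error; only the rewrites do what the programmer meant. */

#define FLAG_READY 0x04u   /* constructed bit-flag value */

/* Ambiguity: '==' binds tighter than '&', so this evaluates
 * flags & (FLAG_READY == FLAG_READY), i.e. flags & 1u, not the flag test. */
bool ready_ambiguous(uint32_t flags)
{
    return flags & FLAG_READY == FLAG_READY;
}

/* Conformant: the intended grouping is written out explicitly. */
bool ready_explicit(uint32_t flags)
{
    return (flags & FLAG_READY) == FLAG_READY;
}

/* Common mistake: a + b is promoted to int, then silently narrowed back to
 * uint8_t on assignment, so 200 + 100 becomes 44 with no diagnostic. */
uint8_t add_u8_narrowing(uint8_t a, uint8_t b)
{
    uint8_t sum = a + b;
    return sum;
}

/* Conformant: the wider intermediate type is explicit and the out-of-range
 * case is handled (saturation) instead of being left to implicit conversion. */
uint8_t add_u8_saturating(uint8_t a, uint8_t b)
{
    uint32_t wide = (uint32_t)a + (uint32_t)b;
    return (wide > UINT8_MAX) ? (uint8_t)UINT8_MAX : (uint8_t)wide;
}
```

Both "before" forms compile cleanly under default compiler settings, which is exactly why a standard enforced by a static checker, rather than compiler warnings alone, is relied on for this class of defect.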
Coding Standards
Certification Report
The analysis results are fully certified along with our report generation.
Certification Report – Example 1
Certification Report – Example 2
Summary
• QA·C with the MISRA C Compliance Module and QA·C++ with the MISRA C++ Extended Compliance Module have been certified as “fit for purpose” for achieving compliance with ISO 26262.
• The time and cost of meeting many of the standard’s requirements associated with development at the software level can be reduced by using these tools.
• The long history of widespread use of QA·C and QA·C++ in automotive development demonstrates their suitability for use within this industry.
• QA·C and QA·C++ with MISRA are highly effective tools for any company that needs to achieve ISO 26262 compliance for its products.
Thank you
Additional resources
• Whitepapers: http://www.programmingresearch.com/resources/, incl:
  – Achieving ISO 26262 Compliance with QA·C and QA·C++
  – Independent Research on MISRA C Compliance Tools
  – MISRA: An Overview
  – MISRA C:2012
  – The Best Coding Standards Eliminate Bugs
• Webinars: http://www.programmingresearch.com/resources/, incl:
  – An introduction to MISRA C:2012
  – Software Development For Safety-Critical Environments, How Safe Are You?
  – An Overview of Coding Standards
• Videos: http://www.programmingresearch.com/resources/, incl:
  – Principles of Functional Safety with ISO 26262
  – Coding Standard Compliance – Some Facts and Some Fallacies
• Training: http://www.programmingresearch.com/services/training/, incl:
  – The MISRA C:2012 (2-day public and onsite)