Software Testing Tools for ISO 26262

Achieve compliance with certified dynamic and static testing

ISO 26262

ISO 26262, Road vehicles - Functional safety, is a risk-based safety standard that defines functional safety for automotive electrical and electronic (E/E) safety-related systems. It is an adaptation of the general functional safety standard IEC 61508 and applies throughout the lifecycle of safety-related systems that include electrical and/or electronic components.

The full version of ISO 26262:2011 was published in late 2011 and supersedes the earlier DIS (2009) and FDIS (2011) drafts. Although it is an international standard for road vehicles, ISO 26262:2011 applies only to series-production passenger cars with a maximum gross vehicle mass of up to 3500 kg, not to buses or trucks. The standard defines four Automotive Safety Integrity Levels, ASIL A to ASIL D, with ASIL D the most demanding. An ASIL is assigned to each hazardous event from three factors: the severity of the potential harm, the probability of exposure to the driving situation in which it can occur, and how controllable the event is by the driver or other persons involved. The ASIL then determines which of the methods listed in the standard's tables are recommended (+) or highly recommended (++) for each development activity.

Fitness-for-purpose litigation against companies and individuals is an increasing risk. ISO 26262:2011 is a technical standard that lawyers use to interpret the law. In Europe the relevant law is the General Product Safety Directive 2001/95/EC (GPSD), which places on the product's creator the responsibility to develop a safety-critical product in line with 'state-of-the-art' development principles. 'State of the art' here means commonly accepted best practice, which for passenger road vehicles is now embodied in ISO 26262:2011. A company that fails to employ accepted industry practice cannot use the 'state-of-the-art' defence against such litigation.

[Image: ISO 26262 - functional safety for automotive electrical and electronic safety-related systems]

Testing tools for compliance with ISO 26262 recommendations

QA Systems enables organisations to accelerate ISO 26262 compliance with automated static and dynamic testing tools:

Tool Certification

ISO 26262-8:2011, Clause 11 (Confidence in the use of software tools) requires that every software tool used in the development of safety-related software is classified into a Tool Confidence Level (TCL), by evaluating the tool's possible impact on the safety-related item and the likelihood of preventing or detecting a tool malfunction, and that tools at TCL2 or TCL3 are qualified by one of the methods the standard lists. In line with this, QA Systems' tools have been classified and certified by SGS-TÜV GmbH, an independent third-party certification body for functional safety accredited by the Deutsche Akkreditierungsstelle GmbH (DAkkS). Each tool has been classified as a TCL1 tool and is usable in the development of safety-related software according to ISO 26262:2011 up to Automotive Safety Integrity Level (ASIL) D. Note that a TCL is derived for a stated use case: the certificate holds for the usage assumptions it records, so a project should confirm that its own process matches them (for example, how the tool's results are reviewed) before relying on the certificate in its safety case.

Tool certification kits for ISO 26262 are available to ease our customers' path to certification. Each kit contains everything needed to show that our tools fulfil the ISO 26262 recommendations, together with guidance on achieving compliance.

 

Please contact us for more information about tool certification kits.

Certificates (SGS-TÜV Saar, 'Functional Safety approved'):

  • Cantata Certificate: unit testing tool for C and C++, certified for ISO 26262, IEC 61508, IEC 62304, IEC 60880 and EN 50128
  • QA-C / QA-C++ Certificate: QA-C with MISRA and QA-C++ with MISRA C++ (Programming Research Ltd.)

Dynamic testing for ISO 26262 compliance

Part 6 of ISO 26262 (Product development at the software level) requires software unit testing (Clause 9) and software integration and testing (Clause 10). The Cantata testing tool enables developers to automate their unit and integration testing and to verify ISO 26262-compliant code on host-native and embedded target platforms.

Cantata helps accelerate compliance with the standard's dynamic testing requirements by automating:

  • Test framework generation
  • Test case generation
  • Test execution
  • Results diagnostics and report generation

Our ISO 26262 Standard Briefing traces the requirements of ISO 26262, identifies which of them fall within Cantata's scope, and explains how Cantata supports each of them.

Please contact us for more information on Cantata for ISO 26262.

[Figure: the Cantata testing model, a V-model pairing each test level with the design artefact it verifies: acceptance test with system requirements, system test with architectural design, integration test with detailed design, and unit test with unit design and code]

The ISO 26262 dynamic testing recommendations by ASIL and where these are supported by Cantata are summarised in the tables below:

ISO 26262 Table 10 – Methods for software unit testing

Methods                                                    ASIL A  ASIL B  ASIL C  ASIL D  Cantata
1a. Requirement-based test                                   ++      ++      ++      ++    Yes
1b. Interface test                                           ++      ++      ++      ++    Yes
1c. Fault injection test                                     +       +       +       ++    Yes
1d. Resource usage test                                      +       +       +       ++    Yes
1e. Back-to-back comparison test between model and code      +       +       ++      ++    Yes
    (if applicable)

ISO 26262 Table 11 – Methods for deriving test cases for software unit testing

Methods                                                    ASIL A  ASIL B  ASIL C  ASIL D  Cantata
1a. Analysis of requirements                                 ++      ++      ++      ++    Yes
1b. Generation and analysis of equivalence classes           +       ++      ++      ++    Yes
1c. Analysis of boundary values                              +       ++      ++      ++    Yes
1d. Error guessing                                           +       +       +       +     Yes

ISO 26262 Table 12 – Structural coverage metrics at the software unit level

Methods                                                    ASIL A  ASIL B  ASIL C  ASIL D  Cantata
1a. Statement coverage                                       ++      ++      +       +     Yes
1b. Branch coverage                                          +       ++      ++      ++    Yes
1c. MC/DC (Modified Condition/Decision Coverage)             +       +       +       ++    Yes
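The difference between branch coverage (Table 12, 1b) and MC/DC (1c) is easiest to see on a concrete decision. The following C program is an added example, not Cantata code and not part of the original page: it takes the decision (a && b) || c, checks a set of constructed test vectors for branch coverage and for unique-cause MC/DC, and shows that a two-vector set which already achieves branch coverage fails MC/DC, while a four-vector set (n + 1 vectors for n conditions) passes. The function names, the decision and the test sets are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NUM_CONDITIONS 3U

/* One assignment of truth values to the three conditions a, b, c. */
typedef struct {
    bool cond[NUM_CONDITIONS];
} TestVector;

/* The decision under test (assumed for this example): (a && b) || c. */
static bool decision(const bool cond[NUM_CONDITIONS])
{
    return (cond[0] && cond[1]) || cond[2];
}

/* Branch (decision) coverage: the decision has evaluated to both true and false. */
static bool branch_covered(const TestVector *tv, size_t n)
{
    bool seen_true = false;
    bool seen_false = false;
    for (size_t i = 0U; i < n; i++) {
        if (decision(tv[i].cond)) {
            seen_true = true;
        } else {
            seen_false = true;
        }
    }
    return seen_true && seen_false;
}

/* Unique-cause independence pair for condition k: the two vectors differ only
   in condition k, and that single change flips the decision outcome. */
static bool independence_pair(const TestVector *x, const TestVector *y, size_t k)
{
    bool only_k_differs = true;
    for (size_t j = 0U; j < NUM_CONDITIONS; j++) {
        if ((j != k) && (x->cond[j] != y->cond[j])) {
            only_k_differs = false;
        }
    }
    return only_k_differs
        && (x->cond[k] != y->cond[k])
        && (decision(x->cond) != decision(y->cond));
}

/* MC/DC: every condition has at least one independence pair in the test set. */
static bool mcdc_covered(const TestVector *tv, size_t n)
{
    bool all_conditions_shown = true;
    for (size_t k = 0U; k < NUM_CONDITIONS; k++) {
        bool found = false;
        for (size_t i = 0U; i < n; i++) {
            for (size_t j = i + 1U; j < n; j++) {
                if (independence_pair(&tv[i], &tv[j], k)) {
                    found = true;
                }
            }
        }
        if (!found) {
            all_conditions_shown = false;
        }
    }
    return all_conditions_shown;
}

/* Constructed test sets (not from the page). */
static const TestVector branch_only_set[] = {
    {{false, false, false}},   /* (a && b) || c -> false */
    {{true,  true,  false}},   /* -> true: both outcomes seen, branch coverage met */
};
static const TestVector mcdc_set[] = {
    {{true,  true,  false}},   /* true */
    {{false, true,  false}},   /* false; differs from row 1 only in a -> pair for a */
    {{true,  false, false}},   /* false; differs from row 1 only in b -> pair for b */
    {{false, true,  true }},   /* true;  differs from row 2 only in c -> pair for c */
};

#define COUNT(arr) (sizeof(arr) / sizeof((arr)[0]))

int main(void)
{
    printf("branch-only set: branch=%d mcdc=%d\n",
           branch_covered(branch_only_set, COUNT(branch_only_set)),
           mcdc_covered(branch_only_set, COUNT(branch_only_set)));
    printf("MC/DC set:       branch=%d mcdc=%d\n",
           branch_covered(mcdc_set, COUNT(mcdc_set)),
           mcdc_covered(mcdc_set, COUNT(mcdc_set)));
    return 0;
}
```

The check implements unique-cause MC/DC, where each pair of vectors differs in exactly one condition; the masking form of MC/DC relaxes that pairing rule and is not covered by this example. Neither set exercises statement or branch coverage of anything beyond the decision itself, which is why the tables list the three metrics separately.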

ISO 26262 Table 13 – Methods for software integration testing

Methods                                                    ASIL A  ASIL B  ASIL C  ASIL D  Cantata
1a. Requirement-based test                                   ++      ++      ++      ++    Yes
1b. Interface test                                           ++      ++      ++      ++    Yes
1c. Fault injection test                                     +       +       ++      ++    Yes
1d. Resource usage test                                      +       +       +       ++    Yes
1e. Back-to-back comparison test between model and code      +       +       ++      ++    Yes
    (if applicable)

ISO 26262 Table 14 – Methods for deriving test cases for software integration testing

Methods                                                    ASIL A  ASIL B  ASIL C  ASIL D  Cantata
1a. Analysis of requirements                                 ++      ++      ++      ++    Yes
1b. Generation and analysis of equivalence classes           +       ++      ++      ++    Yes
1c. Analysis of boundary values                              +       ++      ++      ++    Yes
1d. Error guessing                                           +       +       +       +     Yes

ISO 26262 Table 15 – Structural coverage metrics at the architecture level

Methods                                                    ASIL A  ASIL B  ASIL C  ASIL D  Cantata
1a. Function coverage                                        +       +       ++      ++    Yes
1b. Call coverage                                            +       +       ++      ++    Yes

Start a free trial to evaluate Cantata using your code.

Key: ++ = the method is highly recommended for that ASIL; + = recommended; 0 = no recommendation for or against its use. Yes = supported by Cantata.

Static testing for ISO 26262 compliance

Part 6 of ISO 26262 addresses product development at the software level and includes several tables that list the methods to be considered, by ASIL, in order to achieve compliance with the standard.

Static analysis is most useful for meeting Clause 8, Software unit design and implementation, of Part 6. QA-C and QA-C++ can be used to make sure that the software conforms to the coding standards specified under 5.4.7 and whose enforcement is required by 8.4.3 d). QA-MISRA provides a configuration of QA-C or QA-C++ specifically for checking compliance with the MISRA guidelines.

 

Please contact us for more information on QA-C, QA-C++ and QA-MISRA for ISO 26262.

The ISO 26262 static testing recommendations by ASIL, and where these are supported by QA-C and QA-C++, are summarised in the tables below.

ISO 26262 Table 1 – Topics to be covered by modelling and coding guidelines

Methods                                                        ASIL A  ASIL B  ASIL C  ASIL D  QA-C  QA-C++
1a. Enforcement of low complexity                                ++      ++      ++      ++    Yes   Yes
1b. Use of language subsets                                      ++      ++      ++      ++    Yes   Yes
1c. Enforcement of strong typing                                 ++      ++      ++      ++    Yes   Yes
1d. Use of defensive implementation techniques                   0       +       ++      ++    Yes   Yes
1e. Use of established design principles                         +       +       +       ++    Yes   Yes
1f. Use of unambiguous graphical representation                  +       ++      ++      ++    Yes   Yes
1g. Use of style guides                                          +       ++      ++      ++    -     -
1h. Use of naming conventions                                    ++      ++      ++      ++    Yes   Yes

ISO 26262 Table 3 – Principles for software architectural design

Methods                                                        ASIL A  ASIL B  ASIL C  ASIL D  QA-C  QA-C++
1a. Hierarchical structure of software components                ++      ++      ++      ++    -     -
1b. Restricted size of software components                       ++      ++      ++      ++    Yes   Yes
1c. Restricted size of interfaces                                +       +       +       +     Yes   Yes
1d. High cohesion within each software component                 +       ++      ++      ++    Yes   Yes
1e. Restricted coupling between software components              +       ++      ++      ++    -     Yes
1f. Appropriate scheduling properties                            ++      ++      ++      ++    -     -
1g. Restricted use of interrupts                                 +       +       +       ++    -     -

ISO 26262 Table 8 – Design principles for software unit design and implementation

Methods                                                        ASIL A  ASIL B  ASIL C  ASIL D  QA-C  QA-C++
1a. One entry and one exit point in subprograms and functions    ++      ++      ++      ++    Yes   Yes
1b. No dynamic objects or variables, or else online test         +       ++      ++      ++    Yes   Yes
    during their creation
1c. Initialization of variables                                  ++      ++      ++      ++    Yes   Yes
1d. No multiple use of variable names                            +       ++      ++      ++    Yes   Yes
1e. Avoid global variables or else justify their usage           +       +       ++      ++    Yes   Yes
1f. Limited use of pointers                                      0       +       +       ++    Yes   Yes
1g. No implicit type conversions                                 +       ++      ++      ++    Yes   Yes
1h. No hidden data flow or control flow                          +       ++      ++      ++    Yes   Yes
1i. No unconditional jumps                                       ++      ++      ++      ++    Yes   Yes
1j. No recursions                                                +       +       ++      ++    Yes   Yes
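The Table 8 principles are easiest to relate to real code when a non-compliant function sits beside a compliant one with the same behaviour. The following C program is an added example, not QA-C output and not code from the original page: checked_sum_bad computes a bounded running sum in a style that violates several Table 8 principles (multiple exit points, a goto, recursion, pointer arithmetic, a variable declared without an initialiser and an implicit widening conversion), and checked_sum_good is a behaviourally identical rewrite that satisfies them. The function names, the contract and the sample inputs are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Contract (assumed for this example): return the sum of buf[0..len) provided
   no running total exceeds limit; return -1 if buf is NULL or the limit is hit.
   Non-compliant form: early returns (1a), goto (1i), recursion (1j), pointer
   arithmetic (1f), a variable declared without an initialiser (1c) and an
   implicit uint16_t -> int32_t widening (1g). */
static int32_t checked_sum_bad(const uint16_t *buf, size_t len, int32_t limit)
{
    int32_t first;                          /* 1c: no initialiser at declaration */
    if (buf == NULL) return -1;             /* 1a: exit point 1 */
    if (len == 0U) return 0;                /* 1a: exit point 2 */
    first = *buf;                           /* 1g: implicit widening conversion */
    if (first > limit) goto overflow;       /* 1i: unconditional jump */
    {
        /* 1j: recursion; 1f: pointer arithmetic on the input buffer */
        int32_t rest = checked_sum_bad(buf + 1, len - 1U, limit - first);
        if (rest < 0) return -1;            /* 1a: exit point 3 */
        return first + rest;                /* 1a: exit point 4 */
    }
overflow:
    return -1;                              /* 1a: exit point 5 */
}

/* Same contract, written to the Table 8 principles: every variable initialised
   at its declaration (1c), one bounded loop instead of recursion (1j), array
   indexing instead of pointer arithmetic (1f), an explicit cast (1g), an error
   flag instead of early returns or goto (1a, 1i), and a single exit point (1a). */
static int32_t checked_sum_good(const uint16_t *buf, size_t len, int32_t limit)
{
    int32_t acc = 0;
    int32_t result = -1;
    bool ok = (buf != NULL);
    size_t i = 0U;

    for (i = 0U; (i < len) && ok; i++) {
        acc += (int32_t)buf[i];
        if (acc > limit) {
            ok = false;                     /* loop condition ends the loop */
        }
    }
    if (ok) {
        result = acc;
    }
    return result;
}

/* Both forms must agree on every input for the rewrite to be a pure style change. */
static bool implementations_agree(const uint16_t *buf, size_t len, int32_t limit)
{
    return checked_sum_bad(buf, len, limit) == checked_sum_good(buf, len, limit);
}

int main(void)
{
    /* Constructed sample input (not from the page). */
    static const uint16_t sample[] = {100U, 200U, 50U, 400U};
    const size_t n = sizeof(sample) / sizeof(sample[0]);

    printf("limit 800: bad=%ld good=%ld agree=%d\n",
           (long)checked_sum_bad(sample, n, 800), (long)checked_sum_good(sample, n, 800),
           implementations_agree(sample, n, 800));
    printf("limit 700: bad=%ld good=%ld agree=%d\n",
           (long)checked_sum_bad(sample, n, 700), (long)checked_sum_good(sample, n, 700),
           implementations_agree(sample, n, 700));
    return 0;
}
```

The compliant version is not only easier for a static analyser to check; the single exit and the error flag make every path to the return value visible, which is what the control-flow and data-flow analyses of Table 9 (1e, 1f) rely on. The -1 sentinel works here only because the inputs are unsigned; with signed data a negative legitimate sum would be indistinguishable from the error, which a requirement-based test (Table 10, 1a) on boundary values should catch.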

ISO 26262 Table 9 – Methods for the verification of software unit design and implementation

Methods                                                        ASIL A  ASIL B  ASIL C  ASIL D  QA-C  QA-C++
1a. Walk-through                                                 ++      +       0       0     -     -
1b. Inspection                                                   +       ++      ++      ++    -     -
1c. Semi-formal verification                                     +       +       ++      ++    -     -
1d. Formal verification                                          0       0       +       +     -     -
1e. Control flow analysis                                        +       +       ++      ++    Yes   Yes
1f. Data flow analysis                                           +       +       ++      ++    Yes   Yes
1g. Static code analysis                                         +       ++      ++      ++    Yes   Yes
1h. Semantic code analysis                                       +       +       +       +     Yes   Yes

Key: ++ = the method is highly recommended for that ASIL; + = recommended; 0 = no recommendation for or against its use. Yes = supported by QA-C / QA-C++; - = not addressed by the tool.

Start a free trial to evaluate QA-C or QA-C++ using your code.
