Software Testing Tools for ISO 26262


Achieve compliance with certified dynamic and static testing

ISO 26262


ISO 26262, Road vehicles - Functional Safety, is a risk-based safety standard that defines functional safety for all automotive electronic and electrical (E/E) safety-related systems. It is an adaptation of the functional safety standard IEC 61508 and applies throughout the life-cycle of all safety-related systems that include electronic and/or electrical systems.


The latest version of the standard, ISO 26262:2018, was published in late 2018 and supersedes the earlier ISO 26262:2011 as well as the previous drafts (DIS and FDIS) for all systems commencing development after the 2018 publication date. ISO 26262:2018 is an international standard for road vehicles. It applies not only to series-production passenger cars but also provides guidance on developing E/E systems for use in trucks, buses, trailers and semi-trailers. Motorcycles (but not mopeds) are also covered by the 2018 version of the standard. ISO 26262 specifies four Automotive Safety Integrity Levels (ASIL A to D), with ASIL D as the highest safety level. This enables hazards to be classified based on a combination of the likelihood of the event occurring and the probable severity of the event should it occur.


Fitness-for-purpose litigation against companies and individuals is now an increasing risk. ISO 26262:2018 is a technical standard used by lawyers to interpret laws. The relevant law in question for Europe is the General Product Safety Directive 2001/95/EC (GPSD). This states that the product creator has the responsibility to develop a safety-critical product in a way which is compliant with ‘State-of-the-Art’ development principles. ‘State-of-the-Art’ simply refers to commonly accepted best practices, which in the case of passenger road vehicles are now embodied in ISO 26262:2018. Where companies fail to employ accepted industry practices, they cannot use the ‘State-of-the-Art’ legal defence against such litigation.


Testing tools for compliance with ISO 26262 recommendations


QA Systems enables organisations to accelerate ISO 26262 compliance with automated static analysis and software testing tools:

Tool Certification

ISO 26262, Part 8 section 11 recommends that software tools are independently qualified. Accordingly, our Cantata testing tool has been classified and certified by SGS-TÜV GmbH, an independent third-party certification body for functional safety, accredited by Deutsche Akkreditierungsstelle GmbH (DAkkS). Cantata has been classified as a Tool Confidence Level (TCL) 1 tool and is usable in the development of safety-related software according to ISO 26262:2018 up to Automotive Safety Integrity Level (ASIL) D.


The tool certification kit for ISO 26262 is available to ease our customers’ path to certification. This contains everything needed to prove that Cantata fulfills ISO 26262 recommendations as well as guidance to help you to achieve compliance.


Please contact us for more information about the tool certification kit. 


Dynamic testing for ISO 26262 compliance


Section 6 of ISO 26262 recommends unit and integration testing. The Cantata testing tool enables developers to automate their unit and integration testing and to verify ISO 26262 compliant code on host-native and embedded target platforms.


Cantata helps accelerate compliance with the standard’s dynamic testing requirements by automating:

  • Test framework generation
  • Test case generation
  • Test execution
  • Results diagnostics and report generation


Our ISO 26262 Standard Briefing traces the requirements of ISO 26262, identifying which of them fall within the scope of Cantata and how Cantata supports each of those requirements.


Please contact us for more information on Cantata for ISO 26262. 


The ISO 26262 dynamic testing recommendations by ASIL and where these are supported by Cantata are summarised in the tables below:

ISO 26262 Table 10 – Methods for software unit verification

| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Cantata |
|---|---|---|---|---|---|
| 1a. Walk-through | ++ | + | 0 | 0 | - |
| 1b. Pair-programming | + | + | + | + | - |
| 1c. Inspection | + | ++ | ++ | ++ | - |
| 1d. Semi-formal verification | + | + | ++ | ++ | - |
| 1e. Formal verification | 0 | 0 | + | + | - |
| 1f. Control flow analysis | + | + | ++ | ++ | ? |
| 1g. Data flow analysis | + | + | ++ | ++ | ? |
| 1h. Static code analysis | ++ | ++ | ++ | ++ | ? |
| 1i. Static analysis based on abstract interpretation | + | + | + | + | - |
| 1a. Requirement-based test | ++ | ++ | ++ | ++ | Yes |
| 1b. Interface test | ++ | ++ | ++ | ++ | Yes |
| 1c. Fault injection test | + | + | + | ++ | Yes |
| 1d. Resource usage evaluation | + | + | + | ++ | Yes |
| 1e. Back-to-back comparison test between model and code (if applicable) | + | + | ++ | ++ | Yes |

ISO 26262 Table 11 – Methods for deriving test cases for software unit testing

| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Cantata |
|---|---|---|---|---|---|
| 1a. Analysis of requirements | ++ | ++ | ++ | ++ | Yes |
| 1b. Generation and analysis of equivalence classes | + | ++ | ++ | ++ | Yes |
| 1c. Analysis of boundary values | + | ++ | ++ | ++ | Yes |
| 1d. Error guessing | + | + | + | + | Yes |

ISO 26262 Table 12 – Structural coverage metrics at the software unit level

| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Cantata |
|---|---|---|---|---|---|
| 1a. Statement coverage | ++ | ++ | + | + | Yes |
| 1b. Branch coverage | + | ++ | ++ | ++ | Yes |
| 1c. MC/DC (Modified Condition/Decision Coverage) | + | + | + | ++ | Yes |
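Table 12 lists statement, branch and MC/DC coverage without showing how the three criteria differ in practice. The C program below is an added example, not Cantata code or anything from the page: it uses a hypothetical three-condition brake-assist decision and two small checkers that decide whether a given test set reaches branch coverage and unique-cause MC/DC, so a two-case set that reaches full statement and branch coverage can be compared with the four-case set MC/DC needs here.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed example (not Cantata code): a hypothetical three-condition
   brake-assist decision, plus checkers for two of the Table 12 metrics. */
enum { PEDAL, SPEED_OK, ABS_FAULT, NCOND };

/* Unit under test: assist only when pedal pressed, speed in range, no ABS fault. */
bool assist_allowed(const bool c[NCOND]) {
    return c[PEDAL] && c[SPEED_OK] && !c[ABS_FAULT];
}

/* Branch coverage: the decision has evaluated to both true and false. */
bool branch_covered(const bool tests[][NCOND], int n) {
    bool seen_true = false, seen_false = false;
    for (int i = 0; i < n; i++) {
        if (assist_allowed(tests[i])) seen_true = true; else seen_false = true;
    }
    return seen_true && seen_false;
}
/* Unique-cause MC/DC: every condition has a pair of test cases that hold the
   other conditions fixed, toggle only that condition, and flip the outcome. */
bool mcdc_covered(const bool tests[][NCOND], int n) {
    for (int k = 0; k < NCOND; k++) {
        bool found = false;
        for (int i = 0; i < n && !found; i++) {
            for (int j = i + 1; j < n && !found; j++) {
                if (tests[i][k] == tests[j][k]) continue;   /* condition k must toggle */
                bool others_same = true;
                for (int m = 0; m < NCOND; m++)
                    if (m != k && tests[i][m] != tests[j][m]) others_same = false;
                if (others_same && assist_allowed(tests[i]) != assist_allowed(tests[j]))
                    found = true;                            /* independent effect shown */
            }
        }
        if (!found) return false;   /* no pair isolates condition k */
    }
    return true;
}
/* Constructed test sets: branch_set reaches full statement and branch coverage
   with two cases but isolates no condition; mcdc_set is a minimal N+1 = 4 set. */
const bool branch_set[2][NCOND] = { {true, true, false}, {false, false, true} };
const bool mcdc_set[4][NCOND]   = { {true, true, false}, {false, true, false},
                                    {true, false, false}, {true, true, true} };

int main(void) {
    printf("branch_set: branch=%d mcdc=%d\n", branch_covered(branch_set, 2), mcdc_covered(branch_set, 2));
    printf("mcdc_set:   branch=%d mcdc=%d\n", branch_covered(mcdc_set, 4), mcdc_covered(mcdc_set, 4));
    return 0;
}
```

A single test case (the first row alone) already executes the function's only statement, which is why statement coverage is the weakest of the three metrics and why higher ASILs push towards branch coverage and MC/DC.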

ISO 26262 Table 13 – Methods for software integration testing

| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Cantata |
|---|---|---|---|---|---|
| 1a. Requirement-based test | ++ | ++ | ++ | ++ | Yes |
| 1b. Interface test | ++ | ++ | ++ | ++ | Yes |
| 1c. Fault injection test | + | + | ++ | ++ | Yes |
| 1d. Resource usage test | + | + | + | ++ | Yes |
| 1e. Back-to-back comparison test between model and code (if applicable) | + | + | ++ | ++ | Yes |

ISO 26262 Table 14 – Methods for deriving test cases for software integration testing

| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Cantata |
|---|---|---|---|---|---|
| 1a. Analysis of requirements | ++ | ++ | ++ | ++ | Yes |
| 1b. Generation and analysis of equivalence classes | + | ++ | ++ | ++ | Yes |
| 1c. Analysis of boundary values | + | ++ | ++ | ++ | Yes |
| 1d. Error guessing | + | + | + | + | Yes |

ISO 26262 Table 15 – Structural coverage metrics at the architecture level

| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Cantata |
|---|---|---|---|---|---|
| 1a. Function coverage | + | + | ++ | ++ | Yes |
| 1b. Call coverage | + | + | ++ | ++ | Yes |

Start a free trial to evaluate Cantata using your code.

Key: ++ = highly recommended for the ASIL, + = recommended, 0 = no recommendation for or against the method at that ASIL.

Static Analysis for ISO 26262 compliance


Part 6 of ISO 26262 addresses product development at the software level including several tables that define the methods that must be considered in order to achieve compliance with the standard.


Static analysis is most useful for meeting clause 8, “Unit design and implementation”, within Part 6 of the standard. Cantata is integrated with leading static analysis tools that can be used to make sure the software conforms to coding standards such as the MISRA guidelines, as specified by section 5.4.7 and required by section 8.4.3.d.


Please contact us for more information on Static Analysis. 


The ISO 26262 static analysis recommendations by ASIL are summarised in the tables below.

ISO 26262 Table 1 – Topics to be covered by modelling and coding guidelines

| Methods | ASIL A | ASIL B | ASIL C | ASIL D |
|---|---|---|---|---|
| 1a. Enforcement of low complexity | ++ | ++ | ++ | ++ |
| 1b. Use of language subsets | ++ | ++ | ++ | ++ |
| 1c. Enforcement of strong typing | ++ | ++ | ++ | ++ |
| 1d. Use of defensive implementation techniques | + | + | ++ | ++ |
| 1e. Use of well-trusted design principles | + | + | ++ | ++ |
| 1f. Use of unambiguous graphical representation | + | ++ | ++ | ++ |
| 1g. Use of style guides | + | ++ | ++ | ++ |
| 1h. Use of naming conventions | ++ | ++ | ++ | ++ |
| 1i. Concurrency aspects | + | + | + | + |

ISO 26262 Table 3 – Principles for software architectural design

| Methods | ASIL A | ASIL B | ASIL C | ASIL D |
|---|---|---|---|---|
| 1a. Appropriate hierarchical structure of software components | ++ | ++ | ++ | ++ |
| 1b. Restricted size and complexity of software components | ++ | ++ | ++ | ++ |
| 1c. Restricted size of interfaces | + | + | + | ++ |
| 1d. Strong cohesion within each software component | + | ++ | ++ | ++ |
| 1e. Loose coupling between software components | + | ++ | ++ | ++ |
| 1f. Appropriate scheduling properties | ++ | ++ | ++ | ++ |
| 1g. Restricted use of interrupts | + | + | + | ++ |
| 1h. Appropriate spatial isolation of the software components | + | + | + | ++ |
| 1i. Appropriate management of shared resources | ++ | ++ | ++ | ++ |

ISO 26262 Table 6 – Design principles for software unit design and implementation

| Methods | ASIL A | ASIL B | ASIL C | ASIL D |
|---|---|---|---|---|
| 1a. One entry and one exit point in subprograms and functions | ++ | ++ | ++ | ++ |
| 1b. No dynamic objects or variables, or else online test during their creation | + | ++ | ++ | ++ |
| 1c. Initialization of variables | ++ | ++ | ++ | ++ |
| 1d. No multiple use of variable names | ++ | ++ | ++ | ++ |
| 1e. Avoid global variables or else justify their usage | + | + | ++ | ++ |
| 1f. Restricted use of pointers | + | ++ | ++ | ++ |
| 1g. No implicit type conversions | + | ++ | ++ | ++ |
| 1h. No hidden data flow or control flow | + | ++ | ++ | ++ |
| 1i. No unconditional jumps | ++ | ++ | ++ | ++ |
| 1j. No recursions | + | + | ++ | ++ |

ISO 26262 Table 9 – Methods for the verification of software unit design and implementation

| Methods | ASIL A | ASIL B | ASIL C | ASIL D |
|---|---|---|---|---|
| 1a. Walk-through | ++ | + | 0 | 0 |
| 1b. Inspection | + | ++ | ++ | ++ |
| 1c. Semi-formal verification | + | + | ++ | ++ |
| 1d. Formal verification | 0 | 0 | + | + |
| 1e. Control flow analysis | + | + | ++ | ++ |
| 1f. Data flow analysis | + | + | ++ | ++ |
| 1g. Static code analysis | + | ++ | ++ | ++ |
| 1h. Semantic code analysis | + | + | + | + |