Functional Safety – ISO 26262

ETAS Tools and Services support Functional Safety of Electronic Systems

Interview with Dr. Nigel Tracey on the VIP Stage of WEKA Fachmedien about “safety & security in focus” (embedded world 2020).

To be allowed to participate in road traffic, road vehicles must conform to the state of the art in terms of scientific and technological maturity. The prevention of product liability claims requires, at minimum, adherence to applicable industrial standards. All products being introduced to the market should have been developed in accordance with such standards.

Achieving safety depends on:

  • Appropriate system design: Diagnostics, redundancy etc.
  • Hardware reliability: Analysis of failure modes and failure rates
  • Software: State-of-the-art approach to software development
  • Disciplined approach to quality management: Analysis, test, and review
  • Ability to demonstrate that all safety goals have been met: Through product and process measures as well as documentation

In order to accomplish this, we offer a broad portfolio supporting functional safety in software development that includes qualified tools, engineering services, training, and expert consultancy.

The challenge:
ISO 26262, like other domain-specific standards such as ISO 25119 and EN ISO 13849, is derived from the generic standard IEC 61508 for the functional safety of electronic systems; for road vehicles it is the binding standard. All new E/E systems need to conform to the applicable safety standard. Development processes, methods and tool chains all play a significant role in achieving conformance, so development tools for future E/E systems also need to be fit for use under ISO 26262.

The solution:
Our portfolio combines a high level of competence in methods, processes and tools, embedded software, and practical experience in the development of safety-critical systems to support our customers in all aspects of functional safety up to ASIL D. It includes:

  • Development Tools
    ETAS software development tool solutions, including the ASCET, EHOOKS, INCA, INTECRIO, ISOLAR-EVE, RTA, and SCODE product families, support the development and test of safety-critical automotive systems according to standards such as ISO 26262. Our tools support full and flexible implementation of AUTOSAR 4.x safety concepts at the operating system and basic software level. Our certified code generators ensure the integrity of generated software.
    Our function and software development tools are successfully deployed in engine management, ABS, and ESP projects.
  • Engineering Services
    Our Engineering Services are available to assist with all your development needs. The open architecture, modular design, and support of industrial and automotive standards common to all ETAS products allow for flexible adaptation to different development requirements and existing infrastructures.
  • RTA Consulting Services
    With our RTA Consulting Services we support our customers in deploying functional safety in their series development and processes. In addition, we can make our customers’ tool chains qualifiable according to ISO 26262 by applying the ETAS Safety Manuals.

Our consulting team consists of a global network of consultants with many years’ experience of series development and research projects in the area of functional safety.

What is IEC 61508?
IEC 61508 is an international standard relating to the functional safety of electrical/electronic/programmable electronic safety-related systems. In this context, a system is defined to include sensors and other input devices, the programmable electronics itself and all actuators and other output devices.

What is ISO 26262?
ISO 26262 is the sector-specific adaptation of IEC 61508 that applies to electrical/electronic safety-related systems, comprising both software and hardware, installed in passenger cars, trucks, buses and motorcycles, not including eBikes, mopeds and special vehicles such as electric wheelchairs.

The standard consists of 10 parts, covering the full lifecycle of E/E/PE safety-related systems from functional safety management through concept, design and development to production and operation. ISO 26262 is therefore state of the art with regard to product liability.

The implementation of ISO 26262 has an impact across the software development process. Some of the most important areas that need to be considered can be summarized as follows:

  • Architectural design:
    • Low coupling, high cohesion
    • Expressed semi-formally
  • Design and implementation:
    • Guidelines like MISRA-C:2004
    • Freedom from memory/timing interference
  • Software testing:
    • Systematic approach to testing
    • High level of coverage
  • System testing:
    • Fault injection/robustness tests
    • Software testing in target environment

Do IEC 61508 and ISO 26262 require the use of certified tools?
IEC 61508 and ISO 26262 do not require that development tools are certified against the safety standards. However, both standards require that the system developer can establish that all tools used during development do not violate any system safety requirements to the extent required to support the claimed system safety integrity level (SIL or ASIL as appropriate).

In terms of safety engineering, the system developer needs to provide a valid safety argument for the tool chain, supported by appropriate evidence. A good tool chain safety argument should successfully argue that no single failure in any tool can leave an undetected critical flaw in the system.

Development tools for safety critical applications

ASCET: Simulation, rapid prototyping and target execution
The following standard features of ASCET make it a good choice for engineering safety-related software, as they actively support the software development according to ISO 26262:

  • Support for modularity, abstraction and encapsulation: ASCET has an object-based programming model and generated code has an identical modular structure. Models are uniquely partitioned into two clear layers of abstraction, encapsulating the design of the high-level system and isolating it from changes resulting from low-level design considerations.
  • Unambiguous definition: Implicit assumptions about data and control flow that typically occur in graphical modelling techniques are removed by explicitly formalizing ordering in the design through sequence numbering. ASCET graphical models have the same behavior, regardless of how they are drawn.
  • Support for real-time: Simple integration with real-time operating systems like RTA-OSEK with thread-safe communication using ASCET’s state-based message communication scheme.
  • Prevention of runtime errors: ASCET automatically adds defensive programming checks to prevent common numerical errors like division by zero, underflow, overflow etc.
  • Satisfaction of software implementation requirements: generation of up to 100 % MISRA-C:2004 compliant source code, no uncontrolled data or control flow, no dynamic data structures, no data use before initialization.

IEC 61508 and ISO 26262 certification for ASCET

ASCET-MD V6.1 and ASCET-SE V6.1 have been certified by TÜV-SÜD as “fit for purpose” for use in the development of safety related systems according to IEC 61508:2010 and ISO/DIS 26262:2009. The certification covers code generation for all currently supported microcontroller targets for systems with a safety integrity level up to and including SIL 3 for IEC 61508 and ASIL D for ISO/DIS 26262.

EHOOKS: Performing safety-critical ECU tests
Verifying ECU software according to ISO 26262 requires testing in a target environment whilst ensuring a high level of controllability and observability in the software. ETAS offers a tool called EHOOKS which provides a sophisticated configuration, build and patching mechanism.

The features of testing safety-critical ECU software with EHOOKS:

  • Testing is performed on the target ECU hardware using production software; access to the ECU is provided by an ETAS ETK interface
  • Data variables and functions can be directly manipulated allowing the targeted testing of critical functionality
  • Fault injection can be efficiently performed by either manipulating variables, bypassing functions with incorrect implementations or simulating incorrect sensor data
  • Seamless integration into the INCA environment to allow for efficient control and observation as well as low learning curve for experienced measurement and test engineers

The prototype created with EHOOKS is extremely close to the final ECU and is therefore very useful for the validation and verification activities that ISO 26262 requires.
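The fault injection and robustness tests listed under system testing above, and the variable-manipulation and function-bypass mechanisms described for EHOOKS, follow one pattern: a hook point in the production read path lets the tester substitute a value or an entire implementation, and the safety reaction is then observed. The following is an added example constructed for this page to show that pattern in plain C; it is not EHOOKS or ETAS code, and the module (a coolant-temperature read with a plausibility monitor and a torque limiter), the ADC stand-in value, the thresholds and all names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example of variable-override and function-bypass fault
 * injection. Not EHOOKS or ETAS code; module, names and values are assumed. */

/* --- production-style code under test -------------------------------- */

static int16_t raw_adc_value = 512;   /* stand-in for the ADC register (constructed) */

/* Converts the ADC sample to tenths of a degree Celsius. */
int16_t coolant_temp_read(void)
{
    return (int16_t)(raw_adc_value - 400);   /* 512 -> 11.2 C */
}

/* Plausibility monitor: values outside the physical range mean a broken
 * sensor or wiring, not a real temperature. */
bool coolant_temp_plausible(int16_t temp_d)
{
    return temp_d >= -400 && temp_d <= 1500;
}

/* --- hook points of the kind a patching tool inserts ------------------- */

/* Variable override: when enabled, the hooked read returns the injected
 * value instead of the production value. */
static bool    hook_temp_enabled = false;
static int16_t hook_temp_value   = 0;

/* Function bypass: when set, this replacement runs instead of the
 * production read function. */
static int16_t (*bypass_temp_read)(void) = 0;

int16_t coolant_temp_read_hooked(void)
{
    if (bypass_temp_read)   return bypass_temp_read();
    if (hook_temp_enabled)  return hook_temp_value;
    return coolant_temp_read();
}

void inject_temp_value(int16_t v)                 { hook_temp_enabled = true; hook_temp_value = v; }
void bypass_temp_read_with(int16_t (*fn)(void))   { bypass_temp_read = fn; }
void clear_temp_injection(void)                   { hook_temp_enabled = false; bypass_temp_read = 0; }

/* --- safety reaction under test and its observability ------------------ */

static uint32_t implausible_events = 0;
uint32_t implausible_event_count(void) { return implausible_events; }

/* Torque limit drops to a limp-home value when the reading is implausible
 * and is derated when the engine is hot. */
int16_t torque_limit_nm(void)
{
    int16_t t = coolant_temp_read_hooked();
    if (!coolant_temp_plausible(t)) { implausible_events++; return 50; }   /* limp home */
    if (t > 1100) return 150;                                               /* derate */
    return 300;
}

/* Replacement implementation modelling a sensor line shorted to ground. */
static int16_t stuck_low_sensor(void) { return -4000; }

/* Test scenarios: each injects, runs one control step, and cleans up so
 * later scenarios start from production behaviour. */
int16_t torque_limit_with_injected_temp(int16_t v)
{
    inject_temp_value(v);
    int16_t r = torque_limit_nm();
    clear_temp_injection();
    return r;
}

int16_t torque_limit_with_stuck_sensor(void)
{
    bypass_temp_read_with(stuck_low_sensor);
    int16_t r = torque_limit_nm();
    clear_temp_injection();
    return r;
}

int main(void)
{
    printf("nominal           : %d Nm\n", torque_limit_nm());
    printf("injected 120.0 C  : %d Nm\n", torque_limit_with_injected_temp(1200));
    printf("injected 200.0 C  : %d Nm\n", torque_limit_with_injected_temp(2000));
    printf("sensor stuck low  : %d Nm\n", torque_limit_with_stuck_sensor());
    printf("implausible events: %u\n", (unsigned)implausible_event_count());
    return 0;
}
```

Two points carry over to real ECU testing: the override must be reverted after each scenario, otherwise a later test observes the previous injection rather than production behaviour, and the reaction should be checked both through its output (the torque limit) and through the diagnostic the monitor records, since a reaction that fires without a recorded event is not observable from the outside.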

INTECRIO: Integration and build tool for virtual prototyping
As INTECRIO integrates at the C-code level, our customers can use C-code debuggers and development environments to trace the code and to measure metrics like code or decision coverage easily. This helps to determine whether the conversion of the function model to C code requires additional test cases. INTECRIO can therefore be used to fulfill the software development and test methods proposed by ISO 26262.

ISOLAR-EVE: Shorter feedback loops with critical errors found earlier
The ISO 26262 standard requires software integration testing in a realistic target environment. Virtualizing ECU hardware allows for a software integration test at an early stage using target ECU basic software. The identical source code of an ECU can be executed with ISOLAR-EVE in a virtual environment for early validation.

RTA-OS, RTA-RTE, RTA-BSW: AUTOSAR compliant implementation of safety concepts
AUTOSAR specifies a number of concepts at the operating system level for ensuring functional safety of ECU software. We deliver AUTOSAR-conformant implementations of the OS, RTE and BSW.

The three tools:

  • Generate MISRA compliant source code
  • Support multi-core concepts and OS applications that support partitioning of safety-critical and non-safety-critical software
  • Support the AUTOSAR approaches to timing and memory partitioning
  • Are certified according to ISO 26262 by TÜV Süd

SCODE Workbench: Modeling, analyzing, verifying, and implementing control systems

Using the software tools of SCODE Workbench (System CO-DEsign), engineers, control systems technicians, and software developers, among others, can create model-based, structured, and easily understood solutions for ECU software that are then automatically verified.

Area of application:

  • Description and simultaneous automatic verification of functional relationships
  • Automatic testing

Characteristics:

  • 100 % coverage of the functional logic
  • Evidence of functional correspondence between model and executable on the ECU

SCODE-ANALYZER provides the control flow analysis method required for safety analysis, which is necessary to verify the software architecture and software unit design. The tool supports fulfilling the relevant ISO 26262 requirements by means of semi-formal notation, semi-formal verification, simplicity at system level and restricted size of (software) complexity.

SCODE-CONGRA provides the data flow analysis method required for safety analysis, which is necessary to verify the software architecture and software unit design.