Functional Safety – ISO 26262

ETAS Tools and Services support Functional Safety of Electronic Systems

Interview with Dr. Nigel Tracey on the VIP Stage of WEKA Fachmedien about “safety & security in focus” (embedded world 2020).

To be allowed to participate in road traffic, road vehicles must conform to the state of the art in terms of scientific and technological maturity. The prevention of product liability claims requires, at minimum, adherence to applicable industrial standards. All products being introduced to the market should have been developed in accordance with such standards.

Achieving safety depends on:

  • Appropriate system design: Diagnostics, redundancy etc.
  • Hardware reliability: Analysis of failure modes and failure rates
  • Software: State-of-the-art approach to software development
  • Disciplined approach to quality management: Analysis, test, and review
  • Ability to demonstrate that all safety goals have been met: Through product and process measures as well as documentation

In order to accomplish this, we offer a broad portfolio supporting functional safety in software development that includes qualified tools, engineering services, trainings as well as expert consultancy.

The challenge:
ISO 26262 as well as other related domain specifications such as ISO 25119 and EN ISO 13849 has been derived from the generic standard IEC 61508 for the functional safety of electronic systems as the binding standard for road vehicles. All new E/E systems need to be in conformance with the appropriate safety standard. The development processes, methods and tool chains all play a significant role in achieving the standard. Therefore development tools for future E/E systems also need to be ISO 26262 compliant.

The solution:
Our portfolio combine a high level of competence in methods, process and tools, embedded software and practical experience in the development safety-critical systems to support our customers in all aspects of functional safety up to ASIL D. It includes:

  • Development Tools
    ETAS software development tools solutions including ASCET, EHOOKS, INCA, INTECRIO, ISOLAR-EVE, RTA, and SCODE product families for the development and test of safety-critical automotive systems according standards like ISO 26262. Our tools support full and flexible implementation of AUTOSAR 4.x safety concepts at the operating systems and basic software level. Our certified code generators ensure integrity of generated software.
    Our function and software development tools are successfully deployed in engine management, ABS, and ESP projects.
  • Engineering Services
    Our Engineering Services are available to assist with all your development needs. The open architecture, modular design, and support of industrial and automotive standards common to all ETAS products allow for flexible adaptation to different development requirements and existing infrastructures.
  • RTA Consulting Services
    With our RTA Consulting Services we support our customers deploying functional safety in their series development, and processes. In addition, we can make our customers’ tool-chain qualifiable according to ISO 26262, by applying the ETAS Safety Manuals.

Our consulting team consists of a global network of consultants with many years’ experience of series development and research projects in the area of functional safety.

What is IEC 61508?
IEC 61508 is an international standard relating to the functional safety of electrical/electronic/programmable electronic safety-related systems. In this context, a system is defined to include sensors and other input devices, the programmable electronics itself and all actuators and other output devices.

What is ISO 26262?
ISO 26262 is the sector-specific adaptation of IEC 61508 that applies to electronic/electrical safety related systems, comprising both software and hardware, installed in passenger cars, trucks, busses and motorcycles, not including eBikes, mopeds and special vehicles such as electric wheelchairs.

The standard consists of 10 parts, covering the full lifecycle of E/E/PE safety related systems from functional safety management over concept, design and development to production and operation. ISO 26262 is therefore state of the art with regard to product liability.

The implementation of ISO 26262 has an impact across the software development process. Some of the most important Areas that need to be considered can be summarized as follows:

  • Architectural design:
    • Low coupling, high cohesion
    • Expressed semi-formally
  • Design and implementation:
    • Guidelines like MISRA-C:2004
    • Freedom from memory/timing interference
  • Software testing:
    • Systematic approach to testing
    • High level of coverage
  • System testing:
    • Fault injection/robustness tests
    • Software testing in target environment

Do IEC 61508 and ISO 26262 require the use of certified tools?
IEC 61508 and ISO 26262 do not require that development tools are certified against the safety standards. However, both standards require that the system developer can establish that all tools used during development do not violate any system safety requirements to the extent required to support the claimed system safety integrity level (SIL or ASIL as appropriate).

In terms of safety engineering, the system developer needs to provide a valid safety argument for the tool chain, supported by appropriate evidence. A good tool chain safety argument should successfully argue that no single failure in any tool can leave an undetected critical flaw in the system.

Development tools for safety critical applications

ASCET: Simulation, rapid prototyping and target execution
The following standard features of ASCET make it a good choice for engineering safety-related software, as they actively support the software development according to ISO 26262:

  • Support for modularity, abstraction and encapsulation: ASCET has an object-based programming model and generated code has an identical modular structure. Models are uniquely partitioned into clear two layers of abstraction, encapsulating the design of the high-level system and isolating it from changes resulting from low level design considerations.
  • Unambiguous definition: Implicit assumptions about data and control flow that typically occur in graphical modelling techniques are removed by explicitly formalizing ordering in the design through sequence numbering. ASCET graphical models have the same behavior, regardless of how they are drawn.
  • Support for real-time: Simple integration with real-time operating systems like RTA-OSEK with thread-safe communication using ASCET’s state-based message communication scheme.
  • Prevention of runtime errors: ASCET automatically adds defensive programing checks to prevent common numerical errors like division by zero, underflow, overflow etc.
  • Satisfaction of software implementation requirements: generation of up to 100 % MISRA-C:2004 compliant source code, no uncontrolled data or control flow, no dynamic data structures, no data use before initialization.

IEC 61508 and ISO 26262 certification for ASCET

ASCET-MD V6.1 and ASCET-SE V6.1 have been certified by TÜV-SÜD as “fit for purpose” for use in the development of safety related systems according to IEC 61508:2010 and ISO/DIS 26262:2009. The certification covers code generation for all currently supported microcontroller targets for systems with a safety integrity level up to and including SIL 3 for IEC 61508 and ASIL D for ISO/DIS 26262.

EHOOKS: Performing safety-critical ECU tests
Verifying ECU software according to ISO 26262 requires testing in a target environment whilst ensuring a high level of controllability and observability in the software. ETAS offers a tool called EHOOKS which provides a sophisticated configuration, build and patching mechanism.

The features of testing safety-critical ECU software with EHOOKS:

  • Testing is performed on the target ECU hardware using production software, access to the ECU is achieved using an ETAS ETK interface
  • Data variables and functions can be directly manipulated allowing the targeted testing of critical functionality
  • Fault injection can be efficiently performed by either manipulating variables, bypassing functions with incorrect implementations or simulating incorrect sensor data
  • Seamless integration into the INCA environment to allow for efficient control and observation as well as low learning curve for experienced measurement and test engineers

The prototype create with EHOOKS is extremely close to the final ECU and therefore very useful for validation and verification purpose as requested by ISO 26262.

INTECRIO: Integration and build tool for virtual prototyping
As INTECRIO integrates on C-code level, our customers are able to use C-code debuggers and development environments to trace the code etc. in order to measure metrics like code or decision coverage easily. This helps to understand if the conversion of function model to C-code requires additional test cases or not. Therefore INTECRIO can be used to fulfill the software development and test methods proposed by ISO 26262.

ISOLAR-EVE: Shorter feedback loops with critical errors found earlier
The ISO 26262 standard requires software integration testing in a realistic target environment. Virtualizing ECU hardware allows for a software integration test at an early stage using target ECU basic software. The identical source code of an ECU can be executed with ISOLAR-EVE in a virtual environment for early validation.

RTA-OS, RTA-RTE, RTA-BSW: AUTOSAR compliant implementation of safety concepts
AUTOSAR specifies a number of concepts at the operating system level for ensuring functional safety of ECU software. We deliver AUTOSAR conformant implementation of OS, RTE and BSW.

The three tools:

  • Generate MISRA compliant source code
  • Support multi-core concepts and OS applications that support partitioning of safety-critical and non-safety-critical software
  • Support the AUTOSAR approaches to timing and memory partitioning
  • Are certified according to ISO 26262 by TÜV Süd

SCODE Workbench: Modeling, analyzing, verifying, and implementing control systems

Using the software tools of SCODE Workbench (System CO-DEsign), engineers, control systems technicians, and software developers, among others, can create model-based, structured, and easily understood solutions for ECU software that are then automatically verified.

Area of application:

  • Description and simultaneously automatic verification of functional relationships
  • Automatic testing


  • 100 % coverage of the functional logic
  • Evidence of functional correspondence between model and executable on the ECU

SCODE-ANALYZER provides the control flow analysis method required for safety analysis, which is necessary to verify the software architecture and software unit design. The tool supports to fulfill relevant ISO 26262 requirements by means of semi-formal notation, semi-formal verification, simplicity at system level and restricted size of (software) complexity.

SCODE-CONGRA provides the data flow analysis method required for safety analysis, which is necessary to verify the software architecture and software unit design.