ISO 26262
ISO 26262, Road vehicles – Functional Safety, is a risk-based safety standard that defines functional safety for all automotive electronic and electrical (E/E) safety-related systems. The standard is an adaptation of the Functional Safety standard, IEC 61508, and is applicable throughout the life-cycle of all safety-related systems that include electronic and/or electrical systems.
The latest version of the standard, ISO 26262:2018, was published in late 2018 and supersedes the earlier ISO 26262:2011 as well as previous drafts (DIS & FDIS) for all systems commencing development after the 2018 publication date. ISO 26262:2018 is an international standard for road vehicles. It applies not only to series production passenger cars but also provides guidance on developing E/E systems for use in trucks, buses, trailers and semi-trailers. Motorcycles (but not mopeds) are also covered by the 2018 version of the standard. ISO 26262 specifies four Automotive Safety Integrity Levels (ASIL A to D) with ASIL D as the highest safety level. This enables hazards to be classified based on a combination of the likelihood of the event occurring and the probable severity of the event should it occur.
Fitness for purpose litigation against companies and individuals is now an increasing risk. ISO 26262:2018 is a technical standard used by lawyers to interpret laws. The relevant law in question for Europe is the General Product Safety Directive 2001/95/EC (GPSD). This states that the product creator has the responsibility to develop a safety critical product in a way which is compliant with ‘State-of-the-Art’ development principles. ‘State-of-the-Art’ simply refers to commonly accepted best practices, which in the case of passenger road vehicles are now embodied in ISO 26262:2018. Where companies fail to employ accepted industry practices, they cannot use the “State-of-the-Art” legal defence against such litigation.
Recommended tools for compliance with ISO 26262
QA Systems enables organisations to accelerate ISO 26262 compliance with automated static analysis and software testing tools:
STATIC ANALYSIS
INTEGRATED STATIC ANALYSIS
Automated analysis synchronised with Cantata
CANTATA TEST ARCHITECT
Understand, define and control software architecture
SOURCE CODE METRICS
Automated source code metrics for C/C++
SOFTWARE TESTING
CANTATA
Automated unit and integration testing for C/C++ code
CANTATA TEAM REPORTING
Test status management dashboard add-on
ADATEST 95
Automated unit and integration testing for Ada code
Tool Certification
ISO 26262, Part 8 section 11 recommends that software tools are independently qualified. In accordance with this our Cantata testing tool has been classified and certified by SGS-TÜV GmbH, an independent third party certification body for functional safety, accredited by Deutsche Akkreditierungsstelle GmbH (DAkkS). Cantata has been classified as a Tool Confidence Level (TCL) 1 tool, and is usable in development of safety related software according to ISO 26262:2018 up to the Automotive Safety Integrity Level (ASIL) D.
The tool certification kit for ISO 26262 is available to ease our customers’ path to certification. This contains everything needed to prove that Cantata fulfills ISO 26262 recommendations as well as guidance to help you to achieve compliance.
Please contact us for more information about the tool certification kit.
Cantata Certificate
Dynamic testing for ISO 26262 compliance
Section 6 of ISO 26262 recommends unit and integration testing. The Cantata testing tool enables developers to automate their unit and integration testing and to verify ISO 26262 compliant code on host native and embedded target platforms.
Cantata helps accelerate compliance with the standard’s dynamic testing requirements by automating:
Our ISO 26262 Standard Briefing traces the requirements of ISO 26262, identifying the scope of those which are supported by Cantata and identifies how the requirements are supported by Cantata.
Please contact us for more information on Cantata for ISO 26262.
The ISO 26262 dynamic testing recommendations by ASIL and where these are supported by Cantata are summarised in the tables below:
ISO 26262 Table 10 – Methods for software unit verification
| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Cantata |
|---|---|---|---|---|---|
| 1a. Walk-through | ++ | + | 0 | 0 | – |
| 1b. Pair-programming | + | + | + | + | – |
| 1c. Inspection | + | ++ | ++ | ++ | – |
| 1d. Semi-formal verification | + | + | ++ | ++ | – |
| 1e. Formal verification | 0 | 0 | + | + | – |
| 1f. Control flow analysis | + | + | ++ | ++ | ? |
| 1g. Data flow analysis | + | + | ++ | ++ | ? |
| 1h. Static code analysis | ++ | ++ | ++ | ++ | ? |
| 1i. Static analysis based on abstract interpretation | + | + | + | + | – |
| 1a. Requirement-based test | ++ | ++ | ++ | ++ | Yes |
| 1b. Interface test | ++ | ++ | ++ | ++ | Yes |
| 1c. Fault injection test | + | + | + | ++ | Yes |
| 1d. Resource usage evaluation | + | + | + | ++ | Yes |
| 1e. Back-to-back comparison test between model and code (if applicable) | + | + | ++ | ++ | Yes |
ISO 26262 Table 11– Methods for deriving test cases for software unit testing
| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Cantata |
|---|---|---|---|---|---|
| 1a. Analysis of requirements | ++ | ++ | ++ | ++ | Yes |
| 1b. Generation and analysis of equivalence classes | + | ++ | ++ | ++ | Yes |
| 1c. Analysis of boundary values | + | ++ | ++ | ++ | Yes |
| 1d. Error guessing | + | + | + | + | Yes |
ISO 26262 Table 12 – Structural coverage metrics at the software unit level
| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Cantata |
|---|---|---|---|---|---|
| 1a. Walk-through | ++ | + | 0 | 0 | – |
| 1b. Pair-programming | + | + | + | + | – |
| 1c. Inspection | + | ++ | ++ | ++ | – |
| 1d. Semi-formal verification | + | + | ++ | ++ | – |
| 1e. Formal verification | 0 | 0 | + | + | – |
| 1f. Control flow analysis | + | + | ++ | ++ | ? |
| 1g. Data flow analysis | + | + | ++ | ++ | ? |
| 1h. Static code analysis | ++ | ++ | ++ | ++ | ? |
| 1i. Static analysis based on abstract interpretation | + | + | + | + | – |
| 1a. Requirement-based test | ++ | ++ | ++ | ++ | Yes |
| 1b. Interface test | ++ | ++ | ++ | ++ | Yes |
| 1c. Fault injection test | + | + | + | ++ | Yes |
| 1d. Resource usage evaluation | + | + | + | ++ | Yes |
| 1e. Back-to-back comparison test between model and code (if applicable) | + | + | ++ | ++ | Yes |
ISO 26262 Table 13 – Methods for software integration testing
| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Cantata |
|---|---|---|---|---|---|
| 1a. Requirement-based test | ++ | ++ | ++ | ++ | Yes |
| 1b. Interface test | ++ | ++ | ++ | ++ | Yes |
| 1c. Fault injection test | + | + | ++ | ++ | Yes |
| 1d. Resource usage test | + | + | + | ++ | Yes |
| 1e. Back-to-back comparison test between model and code (if applicable) | + | + | ++ | ++ | Yes |
ISO 26262 Table 14 – Methods for deriving test cases for software integration testing
| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Cantata |
|---|---|---|---|---|---|
| 1a. Analysis of requirements | ++ | ++ | ++ | ++ | Yes |
| 1b. Generation and analysis of equivalence classes | + | ++ | ++ | ++ | Yes |
| 1c. Analysis of boundary values | + | ++ | ++ | ++ | Yes |
| 1d. Error guessing | + | + | + | + | Yes |
ISO 26262 Table 15 – Structural coverage metrics at the architecture level
| Methods | ASIL A | ASIL B | ASIL C | ASIL D | Cantata |
|---|---|---|---|---|---|
| 1a. Function coverage | + | + | ++ | ++ | Yes |
| 1b. Call coverage | + | + | ++ | ++ | Yes |
Start a free trial & get a complete copy of Cantata to evaluate using your code.
Static Analysis for ISO 26262 compliance
Part 6 of ISO 26262 addresses product development at the software level including several tables that define the methods that must be considered in order to achieve compliance with the standard.
Static Analysis is most useful for meeting clause 8 “Unit design and implementation”, within part 6 of the standard. Cantata is integrated with leading static analysis tools which can be used to make sure that the software conforms to coding standards such as MISRA guidelines as specified by section 5.4.7 and required by section 8.4.3.d.
Please contact us for more information on Static Analysis.
The ISO 26262 static analysis recommendations by ASIL are summarised in the tables below.
ISO 26262 Table 1 – Topics to be covered by modelling and coding guidelines
| Methods | ASIL A | ASIL B | ASIL C | ASIL D |
|---|---|---|---|---|
| 1a. Enforcement of low complexity | ++ | ++ | ++ | ++ |
| 1b. Use of language subsets | ++ | ++ | ++ | ++ |
| 1c. Enforcement of strong typing | ++ | ++ | ++ | ++ |
| 1d. Use of defensive implementation techniques | + | + | ++ | ++ |
| 1e. Use of well-trusted design principles | + | + | ++ | ++ |
| 1f. Use of unambiguous graphical representation | + | ++ | ++ | ++ |
| 1g. Use of style guides | + | ++ | ++ | ++ |
| 1h. Use of naming conventions | ++ | ++ | ++ | ++ |
| 1i. Concurrency aspects | + | + | + | + |
ISO 26262 Table 3 – Principles for software architectural design
| Methods | ASIL A | ASIL B | ASIL C | ASIL D |
|---|---|---|---|---|
| 1a. Appropriate hierarchical structure of software components | ++ | ++ | ++ | ++ |
| 1b. Restricted size and complexity of software components | ++ | ++ | ++ | ++ |
| 1c. Restricted size of interfaces | + | + | + | ++ |
| 1d. Strong cohesion within each software component | + | ++ | ++ | ++ |
| 1e. Loose coupling between software components | + | ++ | ++ | ++ |
| 1f. Appropriate scheduling properties | ++ | ++ | ++ | ++ |
| 1g. Restricted use of interrupts | + | + | + | ++ |
| 1h. Appropriate spatial isolation of the software components | + | + | + | ++ |
| 1i. Appropriate management of shared resources | ++ | ++ | ++ | ++ |
ISO 26262 Table 6 – Design principles for software unit design and implementation
| Methods | ASIL A | ASIL B | ASIL C | ASIL D |
|---|---|---|---|---|
| 1a. One entry and one exit point in subprograms and functions | ++ | ++ | ++ | ++ |
| 1b. No dynamic objects or variables, or else online test during their creation | + | ++ | ++ | ++ |
| 1c. Initialization of variables | ++ | ++ | ++ | ++ |
| 1d. No multiple use of variable names | ++ | ++ | ++ | ++ |
| 1e. Avoid global variables or else justify their usage | + | + | ++ | ++ |
| 1f. Restricted use of pointers | + | ++ | ++ | ++ |
| 1g. No implicit type conversions | + | ++ | ++ | ++ |
| 1h. No hidden data flow or control flow | + | ++ | ++ | ++ |
| 1i. No unconditional jumps | ++ | ++ | ++ | ++ |
| 1j. No recursions | + | + | ++ | ++ |
ISO 26262 Table 9 – Methods for the verification of software unit design and implementation
| Methods | ASIL A | ASIL B | ASIL C | ASIL D |
|---|---|---|---|---|
| 1a. Walk-through | ++ | + | 0 | 0 |
| 1b. Inspection | + | ++ | ++ | ++ |
| 1c. Semi-formal verification | + | + | ++ | ++ |
| 1d. Formal verification | 0 | 0 | + | + |
| 1e. Control flow analysis | + | + | ++ | ++ |
| 1f. Data flow analysis | + | + | ++ | ++ |
| 1g. Static code analysis | + | ++ | ++ | ++ |
| 1h. Semantic code analysis | + | + | + | + |