SOFTWARE TESTING TOOLS FOR ISO 26262

Achieve compliance with certified
Software Testing & Static Analysis

ISO 26262

ISO 26262, Road vehicles – Functional Safety, is a risk-based safety standard that defines functional safety for all automotive electronic and electrical (E/E) safety-related systems. The standard is an adaptation of the Functional Safety standard, IEC 61508, and is applicable throughout the life-cycle of all safety-related systems that include electronic and/or electrical systems.

The latest version of the standard, ISO 26262:2018, was published in late 2018 and supersedes the earlier ISO 26262:2011 as well as previous drafts (DIS & FDIS) for all systems commencing development after the 2018 publication date. ISO 26262:2018 is an international standard for road vehicles. It applies not only to series production passenger cars but also provides guidance on developing E/E systems for use in trucks, buses, trailers and semi-trailers. Motorcycles (but not mopeds) are also covered by the 2018 version of the standard. ISO 26262 specifies four Automotive Safety Integrity Levels (ASIL A to D) with ASIL D as the highest safety level. This enables hazards to be classified based on a combination of the likelihood of the event occurring and the probable severity of the event should it occur.

Fitness-for-purpose litigation against companies and individuals is an increasing risk. ISO 26262:2018 is a technical standard used by lawyers to interpret laws. The relevant law in question for Europe is the General Product Safety Directive 2001/95/EC (GPSD). This states that the product creator has the responsibility to develop a safety-critical product in a way that is compliant with “State-of-the-Art” development principles. “State-of-the-Art” simply refers to commonly accepted best practices, which in the case of passenger road vehicles are now embodied in ISO 26262:2018. Where companies fail to employ accepted industry practices, they cannot use the “State-of-the-Art” legal defence against such litigation.

Testing tools for ISO 26262 recommendations

QA Systems enables organisations to accelerate ISO 26262 compliance with automated static analysis and software testing tools:

STATIC ANALYSIS

INTEGRATED STATIC ANALYSIS

Automated analysis synchronised with Cantata

CANTATA TEST ARCHITECT

Understand, define and control software architecture

SOURCE CODE METRICS

Automated source code metrics for C/C++

SOFTWARE TESTING

CANTATA

Automated unit and integration testing for C/C++ code

CANTATA TEAM REPORTING

Test status management dashboard add-on

ADATEST 95

Automated unit and integration testing for Ada code

Tool Certification

ISO 26262, Part 8 section 11 recommends that software tools are independently qualified. In accordance with this, our Cantata testing tool has been classified and certified by SGS-TÜV GmbH, an independent third-party certification body for functional safety, accredited by Deutsche Akkreditierungsstelle GmbH (DAkkS). Cantata has been classified as a Tool Confidence Level (TCL) 1 tool and is usable in the development of safety-related software according to ISO 26262:2018 up to Automotive Safety Integrity Level (ASIL) D.

The tool certification kit for ISO 26262 is available to ease our customers’ path to certification. This contains everything needed to prove that Cantata fulfills ISO 26262 recommendations as well as guidance to help you to achieve compliance.

Please contact us for more information about the tool certification kit.

Dynamic testing for ISO 26262 compliance

Section 6 of ISO 26262 recommends unit and integration testing. The Cantata testing tool enables developers to automate their unit and integration testing and to verify ISO 26262 compliant code on host native and embedded target platforms.

Cantata helps accelerate compliance with the standard’s dynamic testing requirements by automating:

  • Test framework generation
  • Test case generation
  • Test execution
  • Results diagnostics and report generation

Our ISO 26262 Standard Briefing traces the requirements of ISO 26262, identifying which of them fall within the scope of Cantata and how Cantata supports each one.

Please contact us for more information on Cantata for ISO 26262. 

The ISO 26262 dynamic testing recommendations by ASIL and where these are supported by Cantata are summarised in the tables below:

ISO 26262 Table 10 – Methods for software unit verification

Methods ASIL A ASIL B ASIL C ASIL D Cantata
1a. Walk-through ++ + 0 0
1b. Pair-programming + + + +
1c. Inspection + ++ ++ ++
1d. Semi-formal verification + + ++ ++
1e. Formal verification 0 0 + +
1f. Control flow analysis + + ++ ++ ?
1g. Data flow analysis + + ++ ++ ?
1h. Static code analysis ++ ++ ++ ++ ?
1i. Static analysis based on abstract interpretation + + + +
1a. Requirement-based test ++ ++ ++ ++ Yes
1b. Interface test ++ ++ ++ ++ Yes
1c. Fault injection test + + + ++ Yes
1d. Resource usage evaluation + + + ++ Yes
1e. Back-to-back comparison test between model and code (if applicable) + + ++ ++ Yes

ISO 26262 Table 11 – Methods for deriving test cases for software unit testing

Methods ASIL A ASIL B ASIL C ASIL D Cantata
1a. Analysis of requirements ++ ++ ++ ++ Yes
1b. Generation and analysis of equivalence classes + ++ ++ ++ Yes
1c. Analysis of boundary values + ++ ++ ++ Yes
1d. Error guessing + + + + Yes

ISO 26262 Table 12 – Structural coverage metrics at the software unit level


ISO 26262 Table 13 – Methods for software integration testing

Methods ASIL A ASIL B ASIL C ASIL D Cantata
1a. Requirement-based test ++ ++ ++ ++ Yes
1b. Interface test ++ ++ ++ ++ Yes
1c. Fault injection test + + ++ ++ Yes
1d. Resource usage test + + + ++ Yes
1e. Back-to-back comparison test between model and code (if applicable) + + ++ ++ Yes

ISO 26262 Table 14 – Methods for deriving test cases for software integration testing

Methods ASIL A ASIL B ASIL C ASIL D Cantata
1a. Analysis of requirements ++ ++ ++ ++ Yes
1b. Generation and analysis of equivalence classes + ++ ++ ++ Yes
1c. Analysis of boundary values + ++ ++ ++ Yes
1d. Error guessing + + + + Yes

ISO 26262 Table 15 – Structural coverage metrics at the architecture level

Methods ASIL A ASIL B ASIL C ASIL D Cantata
1a. Function coverage + + ++ ++ Yes
1b. Call coverage + + ++ ++ Yes

Start a free trial & get a complete copy of Cantata to evaluate using your code.

Static Analysis for ISO 26262 compliance

Part 6 of ISO 26262 addresses product development at the software level including several tables that define the methods that must be considered in order to achieve compliance with the standard.

Static Analysis is most useful for meeting clause 8 “Unit design and implementation” within Part 6 of the standard. Cantata is integrated with leading static analysis tools, which can be used to make sure that the software conforms to coding standards such as the MISRA guidelines, as specified by section 5.4.7 and required by section 8.4.3.d.

Please contact us for more information on Static Analysis. 

The ISO 26262 static analysis recommendations by ASIL are summarised in the tables below.

ISO 26262 Table 1 – Topics to be covered by modelling and coding guidelines

Methods ASIL A ASIL B ASIL C ASIL D
1a. Enforcement of low complexity ++ ++ ++ ++
1b. Use of language subsets ++ ++ ++ ++
1c. Enforcement of strong typing ++ ++ ++ ++
1d. Use of defensive implementation techniques + + ++ ++
1e. Use of well-trusted design principles + + ++ ++
1f. Use of unambiguous graphical representation + ++ ++ ++
1g. Use of style guides + ++ ++ ++
1h. Use of naming conventions ++ ++ ++ ++
1i. Concurrency aspects + + + +

ISO 26262 Table 3 – Principles for software architectural design

Methods ASIL A ASIL B ASIL C ASIL D
1a. Appropriate hierarchical structure of software components ++ ++ ++ ++
1b. Restricted size and complexity of software components ++ ++ ++ ++
1c. Restricted size of interfaces + + + ++
1d. Strong cohesion within each software component + ++ ++ ++
1e. Loose coupling between software components + ++ ++ ++
1f. Appropriate scheduling properties ++ ++ ++ ++
1g. Restricted use of interrupts + + + ++
1h. Appropriate spatial isolation of the software components + + + ++
1i. Appropriate management of shared resources ++ ++ ++ ++

ISO 26262 Table 6 – Design principles for software unit design and implementation

Methods ASIL A ASIL B ASIL C ASIL D
1a. One entry and one exit point in subprograms and functions ++ ++ ++ ++
1b. No dynamic objects or variables, or else online test during their creation + ++ ++ ++
1c. Initialization of variables ++ ++ ++ ++
1d. No multiple use of variable names ++ ++ ++ ++
1e. Avoid global variables or else justify their usage + + ++ ++
1f. Restricted use of pointers + ++ ++ ++
1g. No implicit type conversions + ++ ++ ++
1h. No hidden data flow or control flow + ++ ++ ++
1i. No unconditional jumps ++ ++ ++ ++
1j. No recursions + + ++ ++
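As an added illustration (example code, not from this page and not Cantata's own generated test script) of how the Table 11 test-derivation methods and the Table 6 design principles combine in a C unit test: the hypothetical limit_torque unit below is written to the Table 6 rules, and its vectors are constructed by equivalence class, boundary value and error guessing. TORQUE_MAX_NM, the status enum and all vector values are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
/* Hypothetical unit under test (example code, not Cantata's): clamp a
 * requested torque to [0, TORQUE_MAX_NM]. Written to Table 6: one exit
 * point (1a), no dynamic objects (1b), initialised variables (1c), no
 * globals (1e), checked pointer use (1f), explicit casts (1g), no recursion (1j). */
#define TORQUE_MAX_NM ((int32_t)300)
typedef enum { LIMIT_OK = 0, LIMIT_CLAMPED = 1, LIMIT_REJECTED = 2 } limit_status_t;

limit_status_t limit_torque(int32_t requested_nm, int32_t *out_nm)
{
    limit_status_t status = LIMIT_REJECTED; /* NULL output pointer: reject */
    int32_t result = requested_nm;
    if (out_nm != NULL) {
        status = LIMIT_OK;
        if (requested_nm < (int32_t)0) {
            result = (int32_t)0;
            status = LIMIT_CLAMPED;
        } else if (requested_nm > TORQUE_MAX_NM) {
            result = TORQUE_MAX_NM;
            status = LIMIT_CLAMPED;
        }
        *out_nm = result;
    }
    return status; /* single exit point (Table 6, 1a) */
}

/* Constructed vectors derived per Table 11: 1b equivalence classes (negative,
 * in range, above max), 1c boundary values (-1, 0, 1, 299, 300, 301) and
 * 1d error guessing (int32 extremes here, NULL output pointer below). */
typedef struct { int32_t in; int32_t want; limit_status_t want_status; } vector_t;
static const vector_t vectors[] = {
    { -1, 0, LIMIT_CLAMPED },   { 0, 0, LIMIT_OK },       /* lower boundary  */
    { 1, 1, LIMIT_OK },         { 150, 150, LIMIT_OK },   /* in-range class  */
    { 299, 299, LIMIT_OK },     { 300, 300, LIMIT_OK },   /* upper boundary  */
    { 301, 300, LIMIT_CLAMPED },                          /* above-max class */
    { INT32_MIN, 0, LIMIT_CLAMPED }, { INT32_MAX, 300, LIMIT_CLAMPED }, /* guessed */
};
/* Runs every vector plus the NULL-pointer case; returns the failure count. */
size_t run_limit_torque_tests(void)
{
    size_t failures = 0u;
    for (size_t i = 0u; i < (sizeof(vectors) / sizeof(vectors[0])); i++) {
        int32_t got = (int32_t)-1;
        limit_status_t st = limit_torque(vectors[i].in, &got);
        if ((st != vectors[i].want_status) || (got != vectors[i].want)) { failures++; }
    }
    if (limit_torque((int32_t)10, NULL) != LIMIT_REJECTED) { failures++; }
    return failures;
}
```

Each vector is a separate requirement-traceable case; a unit test tool would report the per-vector pass/fail and the resulting statement and branch coverage, which for this set reaches every branch of limit_torque.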

ISO 26262 Table 9 – Methods for the verification of software unit design and implementation

Methods ASIL A ASIL B ASIL C ASIL D
1a. Walk-through ++ + 0 0
1b. Inspection + ++ ++ ++
1c. Semi-formal verification + + ++ ++
1d. Formal verification 0 0 + +
1e. Control flow analysis + + ++ ++
1f. Data flow analysis + + ++ ++
1g. Static code analysis + ++ ++ ++
1h. Semantic code analysis + + + +