Professional Documents
Culture Documents
Day3 English 2017
Day3 English 2017
1. Hardware Development
a. Overview
b. Hardware Safety Requirements
c. Hardware Design
d. Evaluation of Hardware Metrics
e. Hardware Tests
2. Software Development
a. Overview
b. Software Safety Requirements
c. Software Architecture and Design
d. Software Integration and Tests
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 2
CONTENTS
1. Hardware Development
a. Overview
b. Hardware Safety Requirements
c. Hardware Design
d. Evaluation of Hardware Metrics
e. Hardware Tests
2. Software Development
a. Overview
b. Software Safety Requirements
c. Software Architecture and Design
d. Software Integration and Tests
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 3
CONSIDERED PARTS
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 4
RESPONSIBILITIES AND TARGETS
Responsibilities
The hardware development phase typically is in the responsibility of the
hardware suppliers ( also Chip supplier, IP supplier), who have the
knowledge for the implementation of safety mechanisms at hardware level
Chip and IPs can be either developed as so called Safety Element out of
Context (SEooC) or in line with given customer requirements as Safety
Element in Context (SEiC)
Targets
In the hardware development phase an electronic circuit is designed in
accordance with the required safety integrity of safety requirements derived
from the system development phase. The evaluation of the achieved safety
integrity is done by calculation of probabilistic hardware metrics.
Input
Initiation of the
Input
Hardware Development
Hardware Safety
Requirements
Specification
Hardware Design
Design Verification
Hardware Tests
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED
INITIATION OF HW-DEVELOPMENT
1. Hardware Development
a. Overview
b. Hardware Safety Requirements
c. Hardware Design
d. Evaluation of Hardware Metrics
e. Hardware Tests
2. Software Development
a. Overview
b. Software Safety Requirements
c. Software Architecture and Design
d. Software Integration and Tests
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 8
ALLOCATION OF HW REQUIREMENTS
Allocation to Allocation to
Hardware Software
Recon-
cilement
of
Refinement of HSI Refinement of
requirement requirement
HW specification SW specification
The interface between hardware and software has to be clarified
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 9
DERIVATION OF
HW-SAFETY REQUIREMENTS
Refinement
VBAT
Hardware Development
HW-Safety Supply HS
Driver
Out1
GND
Diagnostics
IC
LS
Driver Out2
Design
Refinement
HW-Safety 1
1
2
2
3
3
4 5 6
Requirements 4
1
5
2
6
3
Block design
7 8 9
(e.g. IC / IP)
Part 7 8 9
Part
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 10
HARDWARE SAFETY REQUIREMENTS
EXAMPLE INTRODUCTION
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 11
CONTENTS
1. Hardware Development
a. Overview
b. Hardware Safety Requirements
c. Hardware Design
d. Evaluation of Hardware Metrics
e. Hardware Tests
2. Software Development
a. Overview
b. Software Safety Requirements
c. Software Architecture and Design
d. Software Integration and Tests
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 12
HARDWARE DESIGN
ASIL
Properties
A B C D
1 Hierarchical design + + + +
Precisely defined interfaces of safety-related hardware
2 ++ ++ ++ ++
components
Introduction of possible
hardware design for the
example component
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 15
CONTENTS
1. Hardware Development
a. Overview
b. Hardware Safety Requirements
c. Hardware Design
d. Evaluation of Hardware Metrics
e. Hardware Tests
2. Software Development
a. Overview
b. Software Safety Requirements
c. Software Architecture and Design
d. Software Integration and Tests
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 16
DEFINITIONS
Fault
abnormal condition that can cause an element or an item to fail
Error
discrepancy between a computed, observed or measured
value or condition and the true, specified, or theoretically
correct value or condition
Failure
termination of the ability of an element or an item to perform a
function as required
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 17
DIFFERENCE:
FAULT – ERROR - FAILURE
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 18
MORE DEFINITIONS
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 19
RANDOM HARDWARE FAULT CATEGORIES
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 21
SINGLE POINT FAULT
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 22
EXAMPLE „SINGLE POINT FAULT“
Failure mode
Input 1
IN_1 “stuck-at high” at A3 is a
“single point fault”
Input 2
IN_2 Microcontroller
Input 3
IN_3
A1
A3 Output
SPI &
A2
External ok
Window
Safety related Watchdog Failure mode
HW elements “short-circuit” at Output
driver is a “single point
Non-safety related fault”
HW elements
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 23
RESIDUAL FAULT
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 24
EXAMPLE „RESIDUAL FAULT“
Input 3
IN_3
A1
A3 Output
SPI &
A2
External ok
Window
Safety related Watchdog
HW elements
Non-safety related
HW elements
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 25
DUAL POINT FAULT
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 26
EXAMPLE „DUAL POINT FAULT“
Example: Microcontroller with external Watchdog
The microcontroller shall activate the Output, if Input 1 has the state low and Input 2 the state high.
Stuck-at low:
dual point fault
Input 1 A fault of a diagnosis mechanism (Safety
IN_1 Mechanism) of µC leads in association with
Input 2 an otherwise diagnosed fault in the µC to a
AND IN_2 Microcontroller safety goal violation. It is a “dual point fault”.
Input 3
IN_3
A1
Stuck-at high: A3 Output
SPI &
dual point fault A2
External ok
Window
Safety related Watchdog
HW elements
Non-safety related
HW elements
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 27
MULTIPLE POINT FAULT
Input 1
IN_1
Input 2
IN_2 Microcontroller
Input 3
IN_3
A1
A3 Output
SPI &
A2
External ok
Window
Safety related nok
Watchdog L1 A fault of the scheduling of the
HW elements µC is detected by the
watchdog and the driver is in
Non-safety related formed by L1 detected
multiple point fault
HW elements
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 29
LATENT FAULT
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 30
SUMMARY OF
HW FAULT CATEGORIES
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 31
QUANTITATIVE DESIGN VERIFICATION IN
PRACTICE
B recommended recommended
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 33
STEP 1
VERIFICATION OF HARDWARE
ARCHITECTURE METRICS
Calculation of
Single Point Fault Metric (SPFM)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 34
STEP 1
VERIFICATION OF HARDWARE
ARCHITECTURE METRICS
Calculation of
Latent Fault Metric (LFM)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 35
STEP 1
VERIFICATION OF HARDWARE
ARCHITECTURE METRICS
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 36
DAY 2
EXERCISE 1
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 37
STEP 1
VERIFICATION OF HARDWARE
ARCHITECTURE METRICS
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 38
STEP 1.1
DETERMINE THE ARCHITECTURE METRIC
1.2
manufacturers’ information:
– IEC 62380, SN29500 , MIL HDBK 217 F notice 2, RAC HDBK 217 Plus,
1.3
NPRD95, EN50129 Annex C, EN 62061 Annex D, RAC FMD97 und MIL
HDBK 338.
1.4
Procedure:
1.5
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 39
DAY 2
EXERCISE 2
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 40
STEP 1.2
DETERMINE THE ARCHITECTURE METRIC
1.4
1.5
1.6
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 41
DAY 3
EXERCISE 3
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 42
STEP 1.3
DETERMINE THE ARCHITECTURE METRIC
1.6
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 44
STEP 1.4
DETERMINE THE ARCHITECTURE METRIC
1.2 sequence:
– Direct safety goal violation as single point failure?
1.3 – Is there a possibility of failure detection and control by safety
mechanism?
– Safety goal violation in combination with a failure, which slips
1.4
through the safety mechanism?
– Is there a possibility to detect or identity the slipping „multiple point
1.5 fault” and to control it?
1.6
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 45
DAY 3
EXERCISE 5
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 46
STEP 1.5
DETERMINE THE ARCHITECTURE METRIC
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 48
STEP 1.6
DETERMINE THE ARCHITECTURE METRIC
1.2
Fill in the sums in the formulas for SPFM and LFM.
Comparison with the required target values
1.3
If necessary, optimize the HW architecture
1.4
1.5
1.6
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 49
DAY 3
EXERCISE 7
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 50
STEP 2A
VERIFICATION OF SAFETY GOAL VIOLATING
FAILURE RATE
B verification recommended
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 51
STEP 2A
VERIFICATION OF SAFETY GOAL VIOLATING
FAILURE RATE
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 53
DAY 3
EXERCISE 8
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 54
STEP 2A
VERIFICATION OF SAFETY GOAL VIOLATING
FAILURE RATE
Note: This formula will be deleted in Edition 2 and substituted by more detailled considerations
Calculation of PMHF acc. to ISO 26262-10
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 55
STEP 2A
VERIFICATION OF SAFETY GOAL VIOLATING
FAILURE RATE
Attention: Above formula represents a rough and usually conservative estimation, which is
not shown in ISO 26262.
We recommend to use instead mathematical models (e.g. quantitative FTA).
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 56
STEP 2B
VERIFICATION OF FAILURE CLASSES PER
HARDWARE COMPONENT
B verification recommended
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 57
STEP 2B
VERIFICATION OF FAILURE CLASSES PER
HARDWARE COMPONENT
Process for single point faults (SPF and RF)
Begin
Single-point fault?
No
Yes
Residual fault? Evaluation procedure
No for dual-point failures
Yes
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 58
STEP 2B
VERIFICATION OF FAILURE CLASSES PER
HARDWARE COMPONENT
Begin
No
Plausible dual-
point failure?
No
Yes
Yes
ISO 26262-5, Figure 4
End
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 59
STEP 2B
VERIFICATION OF FAILURE RATE CLASSES
PER HARDWARE PART
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 60
STEP 2B
VERIFICATION OF FAILURE CLASSES PER
HARDWARE COMPONENT
ASIL of the
Safety Goal Failure rate Failure rate Failure rate Failure rate class 2 +
C
class 5 class 4 class 3 dedicated measures
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 62
STEP 2B
VERIFICATION OF FAILURE CLASSES PER
HARDWARE COMPONENT
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 63
DAY 2
EXERCISE 9
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 64
CONTENTS
1. Hardware Development
a. Overview
b. Hardware Safety Requirements
c. Hardware Design
d. Evaluation of Hardware Metrics
e. Hardware Tests
2. Software Development
a. Overview
b. Software Safety Requirements
c. Software Architecture and Design
d. Software Integration and Tests
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 65
DERIVING TEST CASES (1)
ASIL
Methods
A B C D
1a Analysis of requirements ++ ++ ++ ++
1b Analysis of internal and external interfaces + ++ ++ ++
1c Generation and analysis of equivalence classesa + + ++ ++
1d Analysis of boundary valuesb + + ++ ++
1e Knowledge or experience based error guessingc ++ ++ ++ ++
1f Analysis of functional dependencies + + ++ ++
1g Analysis of common limit conditions, sequences and sources of common
cause failures
+ + ++ ++
1h Analysis of environmental conditions and operational use cases + ++ ++ ++
1i Standards if existingd + + + +
1j Analysis of significant variantse ++ ++ ++ ++
a In order to derive the necessary test cases efficiently, analysis of similarities can be conducted.
b EXAMPLE values approaching and crossing the boundaries between specified values, and out of range values
c “Error guessing tests” can be based on data collected through a lessons learned process, or expert judgment, or both. It can be supported by
FMEA.
d Existing standards include ISO 16750 and ISO 11452.
e The analysis of significant variants includes worst case analysis.
ISO 26262, Table 10 — Methods for deriving test cases for hardware integration testing
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 66
DERIVING TEST CASES (1)
ASIL
Methods
A B C D
1a Analysis of requirements ++ ++ ++ ++
1b Analysis of internal and external interfaces + ++ ++ ++
1c Generation and analysis of equivalence classesa + + ++ ++
1d Analysis of boundary valuesb + + ++ ++
1e Knowledge or experience based error guessingc ++ ++ ++ ++
1f Analysis of functional dependencies + + ++ ++
1g Analysis of common limit conditions, sequences and sources of common
cause failures
+ + ++ ++
1h Analysis of environmental conditions and operational use cases + ++ ++ ++
1i Standards if existingd + + + +
1j Analysis of significant variantse ++ ++ ++ ++
a In order to derive the necessary test cases efficiently, analysis of similarities can be conducted.
b EXAMPLE values approaching and crossing the boundaries between specified values, and out of range values
c “Error guessing tests” can be based on data collected through a lessons learned process, or expert judgment, or both. It can be supported by
FMEA.
d Existing standards include ISO 16750 and ISO 11452.
e The analysis of significant variants includes worst case analysis.
ISO 26262, Table 10 — Methods for deriving test cases for hardware integration testing
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 67
CHOICE OF TEST METHODS (1)
ASIL
Methods
A B C D
1 Functional testinga ++ ++ ++ ++
2 Fault injection testing + + ++ ++
3 Electrical testing ++ ++ ++ ++
ISO 26262-5, Table 11 — Hardware integration tests to verify the completeness and correctness of the safety
mechanisms implementation with respect to the hardware safety requirements
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 68
CHOICE OF TEST METHODS (2)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 69
CHOICE OF TEST METHODS (3)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 70
MORE HW INTEGRATION TESTS
ISO 26262-5, Table 12 — Hardware integration tests to verify robustness and operation under external stresses
ASIL
Methods
A B C D
1a Environmental testing with basic functional verification a ++ ++ ++ ++
1b Expanded functional testingb o + + ++
1c Statistical testingc o o + ++
1d Worst case testingd o o o +
1e Over limit testing e + + + +
1f Mechanical testing ++ ++ ++ ++
1g Accelerated life testf + + ++ ++
1h Mechanical Endurance testg ++ ++ ++ ++
1i EMC and ESD testh ++ ++ ++ ++
1j Chemical testingi ++ ++ ++ ++
a During environmental testing with basic functional verification the hardware is put under various environmental conditions during which the hardware requirements are
assessed. ISO 16750-4 (Road vehicles -- Environmental conditions and testing for electrical and electronic equipment -- Part 4: Climatic loads) can be applied.
b Expanded functional testing checks the functional behaviour of the item in response to input conditions that are expected to occur only rarely (for instance extreme mission
profile values), or that are outside the specification of the hardware (for instance an incorrect command). In these situations, the observed behaviour of the hardware element is
compared with the specified requirements.
c Statistical tests aim at testing the hardware element with input data selected in accordance with the expected statistical distribution of the real mission profile. The
acceptance criteria are defined so that the statistical distribution of the results confirms the required failure rate.
d Worst case testing aims at testing cases found during worst case analysis. In such a test, environmental conditions are changed to their highest permissible marginal values
defined by the specification. The related responses of the hardware are inspected and compared with the specified requirements.
e In over limit testing, the hardware elements are submitted to environmental or functional constraints increasing progressively to values more severe than specified until they
stop working or they are destroyed. The purpose of this test is to determine the margin of robustness of the elements under test with respect to the required performance.
f Accelerated life test aims at predicting the behaviour evolution of a product in its normal operational conditions by submitting it to stresses higher than those expected during
its operational lifetime. Accelerated testing is based on an analytical model of failure mode acceleration.
g The aim of these tests is to study the mean time to failure or the maximum number of cycles that the element can withstand. Test can be performed up to failure or by damage
evaluation.
h ISO 11452-2; ISO 11452-4; ISO 7637-2; ISO 10605 and ISO 7637- 3 can be applied for EMC tests and ISO 16750-2 can be applied for ESD tests.
I For chemical test, ISO 16750–5 can be applied.
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 71
HARDWARE TESTS SUMMARY
Test methods are the same for safety relevant and non-
safety relevant requirements
Reference to other well-known industry standards
An analysis of the existing test strategies is required,
whether they are sufficient
ISO 26262 Training - Day 2 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 73
CONTENTS
1. Hardware Development
a. Overview
b. Hardware Safety Requirements
c. Hardware Design
d. Evaluation of Hardware Metrics
e. Hardware Tests
2. Software Development
a. Overview
b. Software Safety Requirements
c. Software Architecture and Design
d. Software Integration and Tests
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 74
CONSIDERED PARTS
OF THE SOFTWARE DEVELOPMENT
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 75
RESPONSIBILITIES AND TARGETS
Responsibilities
The software development phase typically is in the responsibility of the
software suppliers, who have the knowledge for the implementation of
software safety mechanisms at component level
Targets
In the software development phase a software is designed in
accordance with the required safety integrity of safety requirements
derived from the system development phase (TSC)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 77
INITIATION OF PRODUCT DEVELOPMENT AT
SOFTWARE LEVEL - ACTIVITIES
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 79
CONTENTS
1. Hardware Development
a. Overview
b. Hardware Safety Requirements
c. Hardware Design
d. Evaluation of Hardware Metrics
e. Hardware Tests
2. Software Development
a. Overview
b. Software Safety Requirements
c. Software Architecture and Design
d. Software Integration and Tests
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 80
SPECIFICATION OF SOFTWARE SAFETY
REQUIREMENTS
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 81
SPECIFICATION OF SOFTWARE SAFETY
REQUIREMENTS - ACTIVITIES
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 85
CONTENTS
1. Hardware Development
a. Overview
b. Hardware Safety Requirements
c. Hardware Design
d. Evaluation of Hardware Metrics
e. Hardware Tests
2. Software Development
a. Overview
b. Software Safety Requirements
c. Software Architecture and Design
d. Software Integration and Tests
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 86
SOFTWARE ARCHITECTURAL DESIGN
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 87
WHAT IS A SOFTWARE ARCHITECTURE?
Component
2
Dispatcher
Interface 2-3
Component
Handler 1 Handler 2 ... Handler 3 3
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 88
SOFTWARE ARCHITECTURE DESIGN
ACTIVITIES
ASIL
Methods
A B C D
1a Informal notations ++ ++ + +
1b Semi-formal notations + ++ ++ ++
1c Formal notations + + + +
Table 2 — Notations for software architectural design from ISO 26262-6
Informal Notation
Drawings and diagrams with no fixed syntax and semantic
Example:
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 91
EXAMPLES
SEMI-FORMAL NOTATION
Semi-formal Notation
The syntax is defined, the sematic is not completely fixed
Examples:
logic/function block diagrams: described in IEC 61131-3
sequence diagrams: described in IEC 61131-3
data flow diagrams: see IEC 61508-3, ref. C.2.2
finite state machines/state transition diagrams: see IEC 61508-3, ref. B.2.3.2
time Petri nets: see IEC 61508-3, ref. B.2.3.3
entity-relationship-attribute Data models: see IEC 61508-3, ref. B.2.4.4
message sequence charts: see IEC 61508-3, ref. C.2.14
decision/truth tables: see IEC 61508-3, ref. C.6.1
UML: see IEC 61508-3, ref. C.3.12
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 92
EXAMPLE:
SEMI-FORMAL NOTATION
DATA FLOW DIAGRAM
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 93
FORMAL NOTATION
Formal Notation
Syntax and semantic is defined
Based on mathematics
Very rare use, because difficult to implement
Examples:
CCS, CSP, HOL, LOTOS, OBJ, temporal logic, VDM
and Z ( methods not described in detail)
Other techniques like “finite state machines” and “Petri
nets”, are often seen as formal methods, depending on
their mathematical basics
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 94
SOFTWARE ARCHITECTURE
with
Modular structure
Encapsulation principle
Low complexity
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 95
BASIC PRINCIPLES OF SW ARCHITECTURE
ASIL Examples
Methods
A B C D Tool / Metric Interpretation
a McCabe,
1b Restricted size of software components ++ ++ ++ ++ SW modularisation, use of HIS metric
LOC metric
a
1c Restricted size of interfaces + + + + DoxyGen Is it understandable?
measure of tightness of the connections
High cohesion within each software LCOM4,
1d + ++ ++ ++ between data and subprograms within one
component b Cohesion metric
module
Restricted coupling between software measure for the tightness of connections
1e + ++ ++ ++ RFC metric
components a, b, c between modules
Operating Ckeck of the maximum task run time,
1f Appropriate scheduling properties ++ ++ ++ ++
System (OS) TTA Architektur feasible?
Only 1 timer, 1 teceive and 1 transmission-
interrupt is allowed
a, d Otherwise: Interrupts to be prioritized
1g Restricted use of interrupts + + + ++
correctly, Interrupts closed only for a short
time for critical SW areas, Interrupts to be
documented in details
a In methods 1b, 1c, 1e and 1g "restricted" means to minimize in balance with other design considerations.
b Methods 1d and 1e can, for example, be achieved by separation of concerns which refers to the ability to identify, encapsulate, and
manipulate those parts of software that are relevant to a particular concept, goal, task, or purpose.
c Method 1e addresses the limitation of the external coupling of software components.
d Any interrupts used have to be priority-based.
ISO26262-6, Table 3 — Principles for software architectural design (with add ons from SGS TÜV Saar)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 96
ERROR DETECTION (ARCHITECTURE)
ASIL
Methods Comments
A B C D
Online check of valid input and
1a Range checks of input and output data ++ ++ ++ ++
output data range
ISO26262-6, Table 4 — Mechanisms for error detection at the software architectural level (with add ons from SGS TÜV Saar)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 97
ERROR CONTROL (ARCHITECTURE)
ASIL
Methods Comments
A B C D
If a fault is detected the system will be reset to
a
1a Static recovery mechanism + + + + an earlier internal operating condition, which
correctness is known or recovery by repeating
a Static recovery mechanisms can include the use of recovery blocks, backward recovery, forward recovery and recovery through
repetition.
b Graceful degradation at the software level refers to prioritizing functions to minimize the adverse effects of potential failures on
functional safety.
c Independent parallel redundancy can be realized as dissimilar software in each parallel path.
ISO 26262-6, Table 5 — Mechanisms for error handling at the software architectural level (with add ons from SGS TÜV Saar)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 98
VERIFICATION OF SW ARCHITECTURE:
METHODS
Objectives :
Compliance with SW SRS
Compatibility with the target hardware
Demonstration of guidelines
ASIL
Methods Comments
A B C D
a
1a Walk-through of the design ++ + o o Discussion with reviewer
a
1b Inspection of the design + ++ ++ ++ Review acc. a defined process (e.g. use of check lists)
Simulation of dynamic parts of
1c b + + + ++ Model based development
the design
1d Prototype generation o o + ++ Model based development
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 101
SOFTWARE UNIT DESIGN AND
IMPLEMENTATION
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 102
SOFTWARE UNIT DESIGN AND
IMPLEMENTATION - ACTIVITIES
ASIL
Methods Comments
A B C D
ISO 26262-6, Table 7 — Notations for software unit design (add ons by SGS TÜV Saar)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 103
SOFTWARE UNIT
AND EMBEDDED SOFTWARE
A software unit is
An atomic level software component of the software architecture that
can be subjected to stand-alone testing.
An embedded software is
A fully-integrated software to be executed on a processing element
(e.g. Microcontroller, Field Programmable Gate Array (FPGA) or an
Application Specific Integrated Circuit (ASIC))
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 104
ISO 26262-6, Table 8 — Design principles for software unit design and implementation (ergänzt durch SGS TÜV Saar)
SOFTWARE UNIT DESIGN AND
IMPLEMENTATION - METHODS
ASIL Umsetzung (Beispiele)
Methods
A B C D Tool Interpretation
One entry and one exit point in
1a ++ ++ ++ ++ MISRA-Rules
subprograms and functions a
No dynamic objects or variables, or else
1b + ++ ++ ++ MISRA-Rules
online test during their creation a,b
1c Initialization of variables ++ ++ ++ ++ MISRA-Rules
a
1d No multiple use of variable names + ++ ++ ++ MISRA-Rules
Avoid global variables or else justify their
1e + + ++ ++ MISRA-Rules
usage a
No pointer arithmetic, no pointres at fucntcions,
no pointer at.
1f Limited use of pointers a o + + ++ MISRA-Rules
Arrayindexing with pointers is allowed, HW access
with pointers is allowed
a,b
1g No implicit type conversions + ++ ++ ++ MISRA-Rules
c No: continue statements, backwards gotos,
1h No hidden data flow or control flow + ++ ++ ++ MISRA-Rules
unreachable code, dead code (e.g. A=A;)
1i No unconditional jumps a,b,c ++ ++ ++ ++ MISRA-Rules No: continue statements, backwards gotos
1j No recursions + + ++ ++ MISRA-Rules
a Methods 1a, 1b, 1d, 1e, 1f, 1g and 1i may not be applicable for graphical modelling notations used in model-based development.
b Methods 1g and 1i are not applicable in assembler programming.
c Methods 1h and 1i reduce the potential for modelling data flow and control flow through jumps or global variables.
ISO 26262-6, Table 8 — Design principles for software unit design and implementation (add ons by SGS TÜV Saar)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 105
SOFTWARE UNIT DESIGN AND
IMPLEMENTATION - VERIFICATION
ASIL
Methods Comments
A B C D
a
1a Walk-through ++ + o o
a
1b Inspection + ++ ++ ++
1c Semi-formal verification + + ++ ++
1d Formal verification o o + +
b,c See next slides
1e Control flow analysis + + ++ ++
b,c
1f Data flow analysis + + ++ ++
1g Static code analysis + ++ ++ ++
d
1h Semantic code analysis + + + +
a In the case of model-based software development the software unit specification design and implementation can be verified at
the model level.
b Methods 1e and 1f can be applied at the source code level. These methods are applicable both to manual code development
and to model-based development.
c Methods 1e and 1f can be part of methods 1d, 1g or 1h.
d Method 1h is used for mathematical analysis of source code by use of an abstract representation of possible values for the
variables. For this it is not necessary to translate and execute the source code.
ISO 26262-6, Table 9 — Methods for the verification of software unit design and implementation (add ons by SGS TÜV Saar)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 106
SW UNIT DESIGN
VERIFICATION BY INSPECTION
Example: Checklist
Checklist for Code Reviews, (list is not complete)
1. Has the design properly been translated into code? (The results of the procedural design should be
available during this review.)
2. Is the document header complete:
a) the title, referring to the scope of the content,
b) the author and approver,
c) unique identification of each different revision (version) of a document,
d) the change history,
e) the status. E.g.: “draft", "released".
3. Are there misspellings and typos?
4. Is there compliance with coding standards for language style, comments, module prologue?
5. Are there incorrect or ambiguous comments?
6. Are comments useful or are they simply alibis for poor coding?
7. Are data types and data declarations proper?
8. Are physical constants correct?
9. Has maintainability been considered?
and so on ….
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 107
SW UNIT DESIGN
VERIFICATION BY THE USE OF CONTROL
FLOW ANALYSIS
Objective
Detection of bad or incorrect program structures
Description
The control flow analysis is a static analysis method. The
program is analysed to get a flow graph, which can be
analysed for:
• Unreachable code, as a result of unconditional jumps
• Knoted code bad structured code (see example next page)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 108
SW UNIT DESIGN
VERIFICATION BY THE USE OF CONTROL
FLOW ANALYSIS - EXAMPLE
Legend
= Knot = Instruction
= Path = Control Flow
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 109
SW UNIT DESIGN
VERIFICATION BY THE USE OF
DATA FLOW ANALYSIS
Objective
Identification of bad or incorrect program structures
Description
The data flow analysis is a static method, which is typically combined
with the information from the control flow analysis. The analysis checks
the following:
• Variables which can be read without initialization
• Variables which can be written several times, without reading. This could be
an indication for a skipped code
• Variables which are written but never read. This could be an indication for a
redundant code
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 110
SW UNIT DESIGN
VERIFICATION BY THE USE OF
STATIC ANALYSIS
Static code analysis can be seen as “state of the art” at software unit level
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 111
SW UNIT DESIGN
VERIFICATION BY THE USE OF
DATA FLOW ANALYSIS - EXAMPLE
1. Hardware Development
a. Overview
b. Hardware Safety Requirements
c. Hardware Design
d. Evaluation of Hardware Metrics
e. Hardware Tests
2. Software Development
a. Overview
b. Software Safety Requirements
c. Software Architecture and Design
d. Software Integration and Tests
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 114
SOFTWARE-INTEGRATION AND TEST
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 115
PLANNED INTEGRATION
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 117
SOFTWARE UNIT TESTING
ACTIVITIES AND AIMS
Objectives:
Compliance with SW unit design specification
Compliance with HW/SW interface specification
Demonstration of correct implementation of the functionality
Demonstration that no unintended functionality has been
implemented
Robustness
Demonstration that sufficient resources for functionality are available
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 120
SW UNIT TESTING
METHODS
ASIL
Methods Comments
A B C D
a
1a Requirements-based test ++ ++ ++ ++
1b Interface test ++ ++ ++ ++
b
1c Fault injection test + + + ++ See next slides
c
1d Resource usage test + + + ++
Back-to-back comparison test between model and
1e d + + ++ ++
code, if applicable
a The software requirements at the unit level are the basis for this requirements-based test.
b This includes injection of arbitrary faults (e.g. by corrupting values of variables, by introducing code mutations, or by corrupting
values of CPU registers).
c Some aspects of the resource usage test can only be evaluated properly when the software unit tests are executed on the
target hardware or if the emulator for the target processor supports resource usage tests.
d This method requires a model that can simulate the functionality of the software units. Here, the model and code are stimulated
in the same way and results compared with each other.
ISO 26262-6, Table 10 — Methods for deriving test cases for software unit testing (add ons by SGS TÜV Saar)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 121
SW UNIT TESTING
REQUIREMENTS BASED TEST
EXAMPLE
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 123
SW UNIT TESTING
FAULT INJECTION TEST
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 124
RESOURCE USAGE TESTING
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 125
SW UNIT TESTING
RESSOURCE USAGE TEST
EXAMPLE
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 126
BACK-TO-BACK TESTING
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 127
SW UNIT TESTING
TEST COVERAGE
ASIL
Methods Comments
A B C D
1a Statement coverage ++ ++ + +
ISO 26262-6, Table 12 — Structural coverage metrics at the software unit level (add ons by SGS TÜV Saar)
There are no target values given for the structural test coverage.
This means 100% is the target
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 129
MC/DC (MODIFIED CONDITION/DECISION
COVERAGE)
MC/DC:
Every point of entry and exit in the program has been invoked at least once,
every condition in a decision in the program has taken on all possible outcomes at
least once,
and each condition has been shown to affect that decision outcome independently.
A condition is shown to affect a decision’s outcome independently by varying
just that condition while holding fixed all other possible conditions. The
condition/decision criterion does not guarantee the coverage of all conditions in
a module because in many test cases, some conditions of a decision are
masked by the other conditions.
Using the modified condition/decision criterion, each condition must be shown to
be able to act on the decision outcome by itself, everything else being held
fixed. The MC/DC criterion is thus much stronger than the condition/decision
coverage.
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 130
SIMPLE C++ EXAMPLE
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 132
SOFTWARE INTEGRATION AND TEST
METHODS
ASIL
Methods Comments
A B C D
a
1a Requirements-based test ++ ++ ++ ++
1b Interface test ++ ++ ++ ++
b
1c Fault injection test + + ++ ++
cd see SW-Unit Testing
1d Resource usage test + + + ++
Back-to-back comparison test between model and
1e e + + ++ ++
code, if applicable
a
The software requirements at the architectural level are the basis for this requirements-based test.
b
This includes injection of arbitrary faults in order to test safety mechanisms (e.g. by corrupting software or hardware
components).
c
To ensure the fulfilment of requirements influenced by the hardware architectural design with sufficient tolerance, properties such
as average and maximum processor performance, minimum or maximum execution times, storage usage (e.g. RAM for stack and
heap, ROM for program and data) and the bandwidth of communication links (e.g. data buses) have to be determined.
d
Some aspects of the resource usage test can only be evaluated properly when the software integration tests are executed on
the target hardware or if the emulator for the target processor supports resource usage tests.
e
This method requires a model that can simulate the functionality of the software components. Here, the model and code are
stimulated in the same way and results compared with each other.
ISO 26262-6, Table 13 — Methods for software integration testing (add ons by SGS TÜV Saar)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 133
SOFTWARE INTEGRATION UND TEST
DERIVATION OF TEST CASES
ASIL
Methods Comments
A B C D
1a Analysis of requirements ++ ++ ++ ++
a
1b Generation and analysis of equivalence classes + ++ ++ ++
See SW-Unit Testing
b
1c Analysis of boundary values + ++ ++ ++
c
1d Error guessing + + + +
a Equivalence classes can be identified based on the division of inputs and outputs, such that a representative test value can be
selected for each class.
b This method applies to interfaces, values approaching and crossing the boundaries and out of range values.
c Error guessing tests can be based on data collected through a “lessons learned” process and expert judgment.
ISO 26262-6, Table 14 — Methods for deriving test cases for software integration testing (add ons by SGS TÜV Saar)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 134
SOFTWARE INTEGRATION AND TEST
TEST COVERAGE
ASIL
Methods Comments
A B C D
a
1a Function coverage + + ++ ++
See next slides
b
1b Call coverage + + ++ ++
a Method 1a refers to the percentage of executed software functions. This evidence can be achieved by an appropriate
software integration strategy.
b Method 1b refers to the percentage of executed software function calls.
ISO 26262-6, Table 15 — Structural coverage metrics at the software architectural level (add ons by SGS TÜV Saar)
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 135
STRUCTURAL COVERAGE
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 136
SIMPLE C++ EXAMPLE
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 138
VERIFICATION OF SOFTWARE SAFETY
REQUIREMENTS – ACTIVITIES AND AIMS
ASIL
Methods Comments
A B C D
1a Hardware-in-the-loop + + ++ ++ HIL-Test
a
1b Electronic control unit network environments ++ ++ ++ ++ Simulation
1c Vehicles ++ ++ ++ ++ Tests in the vehicle
a Examples include test benches partially or fully integrating the electrical systems of a vehicle, “lab-cars” or “mule” vehicles,
and “rest of the bus” simulations.
ISO 26262-6, Table 16 — Test environments for conducting the software safety requirements verification (add ons by SGS TÜV Saar)
Verification tests are typically done together with software integration tests
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 139
SUMMARY OF DAY 3
SOFTWARE DEVELOPMENT (1)
ISO 26262 Training - Day 2 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 140
SUMMARY OF DAY 3
SOFTWARE DEVELOPMENT (2)
ISO 26262 Training - Day 2 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 141
PLENUM: OPEN DISCUSSION
ISO 26262 Training - Day 2 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 142
Thank you for your attention!
ISO 26262 Training - Day 2 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 143
CONTACT GCC FS
Japan
SGS Japan Inc.
2-2-1, Minatomirai, Nishi-ku
The Landmark Tower Yokohama 38F Phone +81 45 330 5040
220-8138 Yokohama jp.fs@sgs.com
ISO 26262 Training - Day 2 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 144
Thank you for your attention !
ISO 26262 Training - Day 3 © SGS-TÜV Saar GmbH 2017 ALL RIGHTS RESERVED 145