Professional Documents
Culture Documents
17 06929 K5 EPS SW Development Rules and SW Safety Management
17 06929 K5 EPS SW Development Rules and SW Safety Management
Modifications
on for the K5 EPS project bid
Software development rules and software safety managem
This document is applied to all embedded software developed for PSA. The supplier must apply each requirement. Howeve
an alternative solution or explain the reason why it cannot fulfill the requirement. The aim is not to get all requirements appli
of applied requirements, especially in term of software safety.
These requirements are not exhaustive and it is up to the supplier to apply other requirements, for example based on its les
ensure the robustness of its product.
Even if PSA answer is "OK", the supplier stays responsible of its technical choices, implementation and tests.
- In column C, the supplier indicates the expected level of conformity. if it is "FC : Fully Compliant" - "LC : Largely Compliant
- "NC: No Compliant" or if the requirement is "NA: Not Applicable".
- In column D, the supplier indicates the current implementation status.
- In column E, the supplier indicates the software version for which the implementation of the requirement is planned.
- In column F, the supplier indicates in which software version the requirement is really implemented.
- In column G, the supplier indicates the current validation status.
- In column H, the supplier indicates the software version for which the validation of the requirement is planned.
- In column I, the supplier indicates in which software version the requirement is really validated.
- In column J, the supplier adds a comment to explain its choices, and all necessary informations on implementation and va
n and tests.
irement is planned.
ed.
nt is planned.
Supplier answer
Generic rules
REGLESSW-ST-5-003(1) The reason for the last reset must be memorized and accessible to the supplier.
A mechanism must be developed to detect microcontroller continuously resetting
(succession of wake up / reset).
Once detected, the associated behaviour should:
REGLESSW-ST-5-002(2)
• First assure security,
• Then protect the rest of the car against battery failure,
• Last avoid system failure
For any usage of CRC mechanism, the choice of the polynomial (size and degree) should be
REGLESSW-ST-5-001(1)
justified.
Memory management
Tests during initialisation
After wake up, RAM must be tested.
This test could consist in writing then reading a pattern (0x55AA classically), in every RAM
REGLESSW-ST-61-001(2) address. In case of error, a reset must be forced.
If the complete test is not compatible with the init timing required for the component, test can
be reduced to critical variables.
After wake up, flash must be tested.
This test could consist in reading flash and calculate a CRC, which CRC must be equal to a
REGLESSW-ST-61-002(2) CRC already written in flash.
If the complete test is not compatible with the init timing required for the component, test can
be reduced to critical code areas.
RAM must be initialized at each wake up with a justified value.
If this is not possible (RAM_NO_INIT mechanism for example), supplier must justify its
REGLESSW-ST-62-001(2)
choice.
Supplier must provide to PSA the list of data stored in the non initialized memory.
If microcontroller contains some non used FLASH or ROM, this one must be initialized with
REGLESSW-ST-62-003(2)
the code of an instruction forcing a reset.
Executable code loading from FLASH, EEPROM or ROM to RAM must be justified and
REGLESSW-ST-63-001(1)
protected (specific CRC for example).
EEPROM data blocks must be protected with CRC. This CRC must be calculated at each
writing and checked at each reading. Every non protected area must be justified.
Supplier must manage two constraints :
- Ageing EEPROM memory cells after many writings (number of writings depends upon the
EEPROM used).
REGLESSW-ST-63-002(3)
- Power off during writing in EEPROM
Supplier will provide to PSA mechanisms used to manage these two cases.
Copying an EEPROM block into RAM memory, in order to increase response time at runtime
or to reduce EEPROM access is possible.
Supplier will provide to PSA mechanism used to guarantee a safe behavior at the init time
REGLESSW-ST-63-003(3)
after the reset.
file:///conversion/tmp/activity_task_scratch/753102565.xlsx 05/10/2024
COMPLIANCE MATRIX Page 6 to 55
Answer to PSA SW dev. rules
Supplier answer
An interrupt function must be associated with every interrupt vectors. If an interrupt is not
REGLESSW-ST-7-001(1)
used, it is associated with a function forcing a reset and keeping a trace of the reset
REGLESSW-ST-7-002(0)
Requirement A non used interrupt must be masked Description
A protection mechanism must be developed against inopportune interrupts (more than x
execution of the interrupt in less than y ms) to protect the execution of the rest of the
program.
This mechanism is mandatory when the interrupt is due to an external event (edge on an
REGLESSW-ST-7-003(3) input, network message, …)
This mechanism must not be developed for critical input (i.e. input directly linked with a
feared event).
In case of error detection, the supplier must provide a safe behavior of microcontroller (reset,
IT inhibition, …)
Non maskable interrupt usage (except for the watchdog) must be justified. Especially, every
REGLESSW-ST-7-004(0) parts of code developed to normally run with masked interrupts must be designed to be
interruptible by these non maskable interrupts.
REGLESSW-ST-7-005(1) Changing interrupt priority at runtime is forbidden.
Executing parts of code with interrupts masked or partially masked must be justified and be
REGLESSW-ST-7-006(1) as short as possible (typically 50µs). Supplier must calculate all critical sections in its code
and must guarantee that every real time requirements are fulfilled.
Possibility to enable disable interrupt « by cascading » must not be used:
Definition of CPU modes (Sleep, run, standby, ...) and transition (IT mask, Watchdog, ...)
REGLESSW-ST-8-003(3) must be provided. In particular, supplier must justify the link between theses modes and
supply/life phase requirements from PSA.
REGLESSW-ST-8-004(0) Outputs must be refreshed periodically with a justification of the periodicity.
REGLESSW-ST-8-005(0) Inputs must be read periodically with a justification of the periodicity.
All communications between microcontroller and external components like ASIC or another
REGLESSW-ST-8-006(0) microcontroller must be described. In particular, a specific behavior must be described in
case of loss of communication.
Low level software depending on microcontroller must be reviewed and approved by
REGLESSW-ST-8-007(0)
microcontroller maker.
Stack management
Static computation of maximum usage of the stack must be performed and results must be
REGLESSW-ST-9-001(2)
provided to PSA. Supplier must also provide computation method to PSA.
Checking on real case of stack usage is required (simulation with representative network
load and interrupt usage).
REGLESSW-ST-9-002(1)
During the development, PSA must be able to access to the maximum usage of the stack via
diagnostic.
REGLESSW-ST-9-003(0) Stack overflow detection mechanism is required, with a forced reset in case of detection.
Watchdog management
REGLESSW-ST-10-001(0) A Watchdog mechanism (hardware and/or software) is required.
Watchdog mechanism must be described to PSA (simple, windowed. Period and localization
REGLESSW-ST-10-002(0)
into the code of the WD counter update).
file:///conversion/tmp/activity_task_scratch/753102565.xlsx 05/10/2024
COMPLIANCE MATRIX Page 7 to 55
Answer to PSA SW dev. rules
Supplier answer
REGLESSW-ST-10-003(0) Supplier must never refresh watchdog in a loop without using a time-out.
Operating system
Requirement Function re-entry (calling the same function from two different tasks or from a task and an
Description
REGLESSW-ST-11-001(1)
interrupt at the same time) should not be used. If used, this must be justified.
Supplier must describe software behavior in case of high CPU load, whereas watchdog is
REGLESSW-ST-11-002(2) still refreshed (multiplication by two of CAN received frames frequency or/and limp home
mode application for examples).
REGLESSW-ST-11-003(1) Conception must assure that no deadlock will occur.
Deadlock detection mechanism is required. In case of dead lock detection, the system must
REGLESSW-ST-11-004(2)
stay in a safe state. A reset can be a solution.
The system should not dynamically allocate operating system elements: tasks, events,
REGLESSW-ST-11-005(1)
queues,...
All shared variables (between pre-emptive tasks, between tasks and interrupts or between
REGLESSW-ST-11-006(0)
interrupts in case of nesting of interrupts) must be listed and secured if necessary.
In case of use of pre-emptive operating system, a mechanism must be put in place to avoid
REGLESSW-ST-11-007(0)
priority inversion like Priority Inheritance Protocol (PIP) or Priority Ceiling Protocol (PCP).
Software safety
REGLESSW-ST-15-000(0) In case of ASIL A or more, sheet "ISO 26262 Checklist" must also be filled by the supplier.
Coding rules
REGLESSW-ST-12-003(1) Pointer use is forbidden in functional layer and must be justified for the remaining software.
REGLESSW-ST-12-004(0) Address computation on pointers must be justified.
REGLESSW-ST-12-005(0) Casting of pointer must be justified.
REGLESSW-ST-12-006(0) Use of function pointer must be justified.
REGLESSW-ST-12-007(0) Before any array access, the addressing range must be checked.
REGLESSW-ST-12-008(0) Before any division, the denominator must be tested different from zero.
REGLESSW-ST-12-009(2) Before any pointer access, the pointer value must be tested different from NULL.
Arithmetic computation should not use implicit cast, in order to avoid, among other problem,
REGLESSW-ST-12-010(0)
data overflow.
Variable type used in the software must be explicitly defined (not relying on the
REGLESSW-ST-13-001(1)
microcontroller architecture).
Software should be compiled with every warning activated. The remaining warning should be
REGLESSW-ST-13-002(1)
justified.
REGLESSW-ST-13-003(1) For every function that returns an error code, the returned value must be tested.
REGLESSW-ST-13-004(0) Every loop on an external condition should be protected with a timeout.
Software metrics must be calculated (examples: number of lines of code vs number of lines
of comments, cyclomatic complexity, Myer’s interval, nesting of conditions, number of logical
REGLESSW-ST-13-005(0)
operator, number of lines of code …). For each metric, thresholds must be defined. Each
result beyond thresholds must be justified.
REGLESSW-ST-14-001(1) Used programming rules must be described and validated by PSA.
A mechanism must be developed to assume respect of the programming rules:
REGLESSW-ST-14-002(1) • using Tools (compiler option or QAC tool for example) for automatic verification
• by code review for the others (comments or naming rules for example)
The supplier must prove that lessons learned from PSA projects or other car makers are
taken into account. In particular, no major defect encountered in PSA projects, must be
REGLESSW-ST-14-003(2)
present in a new project for PSA.
This proof can be a code review, new tests, conception rules...
file:///conversion/tmp/activity_task_scratch/753102565.xlsx 05/10/2024
Number ISO 26262 reference
ISO26262-6.5_20 5.4.4
ISO26262-6.5_30 5.4.6
ISO26262-6.5_40 5.4.7
ISO26262-6.5_50 5.4.7
ISO26262-6.5_60 5.4.7
Specification of SW safety requirements
ISO26262-6.6_10 6.4.1
ISO26262-6.6_20 6.4.2
ISO26262-6.6_30 6.4.3
ISO26262-6.6_40 6.4.4
ISO26262-6.6_50 6.4.8
SW architectural design
ISO26262-6.7_10 7.4.1
ISO26262-6.7_20 7.4.2
7.4.3 Table 3
ISO26262-6.7_30 7.4.4
7.4.5
7.4.3
ISO26262-6.7_40
Table 3
ISO26262-6.7_50 7.4.3 Table 3
ISO26262-6.7_60 7.4.3 Table 3
ISO26262-6.7_70 7.4.3 Table 3
ISO26262-6.7_80 7.4.5
ISO26262-6.7_90 7.4.6
ISO26262-6.7_100 7.4.6
7.4.12
ISO26262-6.7_110
7.4.13
ISO26262-6.7_120 7.4.11
ISO26262-6.7_130 7.4.14
ISO26262-6.7_140 7.4.15
ISO26262-6.7_200 7.4.17
Software unit design and implementation
ISO26262-6.8_10 8.4.2 Table 7
ISO26262-6.8_20 8.4.3
ISO26262-6.8_30 8.4.4 Table 8
ISO26262-6.9_10 9.4.3
ISO26262-6.10_20 10.4.3
ISO26262-6.10_60 10.4.8
ISO26262-6.10_70
Verification of SW requirements
ISO26262-6.11_10 11.4.2 & 10.4.3
ISO26262-6.11_20 11.4.4
Annex - C
ISO26262-6.C_10 Annex - C
ISO26262-6.C_20 Annex - C
Question
What are the safety analyses applied at the architectural level? Describe the
methodologies and the link with the architecture justification and safety mechanisms.
How freedom from interference or sufficient independence between software
components is managed to analyse the dependent failures?
Which failures do you consider and what are the related safety mechanisms?
What are the mechanisms implemented for error detections at software architecture
level?
What are the safety mechanisms for handling error at software architecture level?
Are there sw components or functions safety related left without any technical safety
measures?
Is a prototype generated?
What is the strategy for software unit design review (walkthrough or inspection)?
What is the strategy for code review (walkthrough or inspection)?
Is semi-formal verification performed?
Is control flow analysis performed? If yes, how is it performed?
Is data flow analysis performed? If yes, how is it performed?
Is static code analysis performed? If yes, how is it performed?
Is semantic code analysis performed? If yes, how is it performed?
SW unit testing
Do unit testing methods demonstrate that the software units achieve:
- Compliance with the software unit design and hardware-software interface
specifications
- Confidence in the absence of unintended functionality
- Robustness?
What are the methods for software unit testing (see ISO 26262-Part 6 - Table 10)?
What are the methods for deriving test cases for software unit testing (see ISO
26262-Part 6 - Table 11)?
What is the structural coverage target?
What is the test environment for software unit testing?
Are resources consumptions measured and which ones?
Software integration and testing
What is the strategy applied for software integration?
lier answer
Conformity
Answer
Level
PSA answer
Verification &
Implementation
Validation
Level
Level
PSA answer
Comments
Workproducts or meeting minutes
associated
NA Not Applicable 0
NC Non Compliant 0
PC Partly compliant 0
LC Largely compliant 0
FC Fully compliant 0
OK OK 0
NOK NOK 0
NA 0
Not Applicable
OK OK 0
NOK NOK 0
TBA To Be Assessed 0
NA Not Applicable 0
DIA
OK
Conclusion
Level Current Global Evaluation
to be filled by PSA (mandatory)
(O)
(R)
nov.-13 juin-14 déc.-14 juil.-15 janv.-16 août-16 mars-17 sept.-17
140%
JAI / JINV JEOS Jnum2 JHLa JEL AMC
120%
Vf-2 Vf-1 Vf Vc1 Vc2 Vc3
100%
80%
Target Conf
60%
20%
Target V&V
0%
Theoritical Forecasted Safety (pre-)Assessment Dates at JST, JRO and JML
SUPPLIER ANSWER
Conformity Implementation
NA 0 #DIV/0! OK 0 #DIV/0!
NC 0 #DIV/0! NOK 0 #DIV/0!
PC 0 #DIV/0! NA 0 #DIV/0!
LC 0 #DIV/0!
FC 0 #DIV/0!
Total 0 0
Conformity Impl
NA
NC
PC
LC
FC
PSA DECISION
Conformity Implementation
OK 0 #DIV/0! OK 0 #DIV/0!
NOK 0 #DIV/0! NOK 0 #DIV/0!
TBA 0 #DIV/0! TBA 0 #DIV/0!
NA 0 #DIV/0! NA 0 #DIV/0!
Total 0 0
Conformity Imple
OK
NOK
TBA
OK
NOK
TBA
OS
Watchdog NA
NOK
Stack TBA
uC OK
Vides
Interrupts
Memories
GenRules
SUPPLIER ANSWER
Conformity Implementation
NA 0 #DIV/0! OK 0 #DIV/0!
NC 0 #DIV/0! NOK 0 #DIV/0!
PC 0 #DIV/0! NA 0 #DIV/0!
LC 0 #DIV/0!
FC 0 #DIV/0!
Total 0 0
Conformity Impl
NA
NC
PC
LC
FC
PSA DECISION
Conformity Implementation
OK 0 #DIV/0! OK 0 #DIV/0!
NOK 0 #DIV/0! NOK 0 #DIV/0!
TBA 0 #DIV/0! TBA 0 #DIV/0!
NA 0 #DIV/0! NA 0 #DIV/0!
Total 0 0
Conformity Imple
OK
NOK
TBA
OK
NOK
TBA
§11
§10 TBA
NA
§9 OK
NOK
§8 Vides
§7
§6
§5
Implementation Validation
OK
NOK
NA
Validation
OK 0 #DIV/0!
NOK 0 #DIV/0!
TBA 0 #DIV/0!
NA 0 #DIV/0!
Implementation Validation
OK
NOK
TBA
OK
NOK
TBA
OS OS
Watchdog NA Watchdog NA
NOK NOK
Stack TBA Stack TBA
OK uC OK
uC
Vides Vides
Interrupts Interrupts
Memories Memories
GenRules GenRules
Implementation Validation
OK
NOK
NA
Validation
OK 0 #DIV/0!
NOK 0 #DIV/0!
TBA 0 #DIV/0!
NA 0 #DIV/0!
Implementation Validation
OK
NOK
TBA
OK
NOK
TBA
SUPPLIER ANSWER
PPLIER Conformity Moyenne
§9 §10 §11 §C
#DIV/0! #DIV/0! #DIV/0! #DIV/0! #DIV/0!
LIER Implementation
§9 §10 §11 §C
0.0% 0.0% 0.0% 0.0% 0.0%
SUPPLIER V&V
§9 §10 §11 §C
0.0% 0.0% 0.0% 0.0% 0.0%
§11
§10 TBA
NA
§9 OK
NOK
§8 Vides
§7
§6
§5
-120% -100% -80% -60% -40% -20% 0% -120% -100% -80% -60
Validation
OK
NOK
NA
Validation
OK
NOK
TBA
OK
NOK
TBA
OS OS
dog NA Watchdog NA
NOK NOK
ack TBA Stack TBA
OK uC OK
uC
Vides Vides
pts Interrupts
ies Memories
les GenRules
Validation
OK
NOK
TBA
OK
NOK
TBA
§11
§10 TBA
NA
§9 OK
NOK
§8 Vides
§7
§6
§5
OS
og NA
NOK
ck TBA
C OK
Vides
ts
es
es
0%