Transcription of ISO 26262 Conform Model Based Development and …
ISO 26262 Conform Model Based Development and Verification Process
dSPACE User Conference India 2010
Adrian Valea, BTC Embedded Systems AG
BTC Embedded Systems AG proprietary. All rights reserved.

Agenda
- Introduction
- Theoretical aspects of the ISO 26262 standard, its terminology, methodology and mapping
- ISO 26262: New Functional Safety Standard
- Enhanced Model-Based Development and Testing
- Model-Based Reference Workflow
- Modeling and Coding Guidelines
- Formal Specifications and Formal Verification
- Automatic Test Generation and Execution
- Requirements-Based Testing and Traceability
- Qualification of software tools in the context of ISO 26262
- Conclusions

BTC Embedded Systems AG
- OSC GmbH: company established in 1999
- OSC Embedded Systems AG founded in 2002
- Beginning 2009 OSC became BTC-ES, part of BTC AG Corporation with 1400 employees
- BTC-ES headquarters in Oldenburg (D)
- Subsidiary in Munich (D)
- BTC Japan Co., Ltd.
- Expert in automatic test and validation technologies
- dSPACE Strategic Partner: provider of automatic test and verification products for TargetLink
- Common activities, especially together with dSPACE GER/JP/FR (Oldenburg, Munich, Tokyo)

ISO 26262: New Functional Safety Standard
- New automotive standard addressing functional safety
- Derived from IEC 61508
- Draft International Standard (DIS) published in July 2009
- Official release planned for 2011
- But already used by OEMs and suppliers

ISO 26262 Automotive Safety Integrity Levels
- ISO 26262 defines four Automotive Safety Integrity Levels (ASIL)
- Definition of ASIL: one class to specify the necessary safety requirements items for achieving an acceptable residual risk, with D representing the highest and A the lowest
- Level scale as shown on the slide:
  IEC 61508: -, SIL 1, SIL 2, SIL 3, SIL 4
  ISO 26262: QM (normal), ASIL A, ASIL B, ASIL C, ASIL D, -

ISO 26262 Model-Based Development
- ISO 26262 specifically addresses Model-Based Development and testing
One characteristic of the Model-Based Development paradigm is the fact that the functional model not only specifies the desired function but also provides design information and finally even serves as the basis of the implementation by means of code generation. In contrast to code-based software development with a clear separation of phases, in Model-Based Development a stronger coalescence of the phases Software Safety Requirements, Software Architectural Design, and Software Unit Design and Implementation can be noted. Moreover, one and the same graphical modeling notation is used during the consecutive development stages. Testing activities are also treated differently, since models can be used as a useful source of information for the testing process (Model-Based testing). The seamless utilization of models facilitates a highly consistent and efficient ...

Enhanced Model-Based Development and Testing Process
(Diagram. Artifacts: textual requirements, specification model (MIL), design model (MIL), source code (SIL), object code (PIL), component integration (PIL/HIL), system integration (HIL). Activities: modeling, formal specification, formal verification (FV), code generation, build, software integration, system integration, functional tests, structural tests, code verification, coverage reports, requirements test specification, automatic test generation (ATG), automatic test execution (ATE), test management.)

Model-Based Reference Workflow
- Well suited to develop safety-related software according to ISO 26262 and IEC 61508
- Many of the proposed methods are directly recommended by ISO 26262 and IEC 61508
- TÜV certification: the workflow has been approved by TÜV. TargetLink and EmbeddedTester are fit for purpose to develop safety-related software according to ISO DIS 26262, IEC 61508 and derivative standards such as EN 50128 (1)
(1) EN 50128, the standard for software for railway control and protection systems, is considered a sector-specific standard derived from IEC 61508.

Model-Based Reference Workflow
(Diagram. Textual requirements (high-level requirements) -> modeling -> model (low-level requirements) -> code generation -> code -> compile/link -> object code. Model verification: MIL simulation, formal verification, model review. Back-to-back testing: MIL vs. PIL simulation. Software design standard: modeling guidelines and guideline checking. Software coding standard: coding guidelines and guideline checking. Testing methods: requirements-based testing, structural testing for coverage analysis, performance testing.)

Modeling and Coding Guidelines
(Diagram. Requirements -> controller model (control design) -> implementation model (implementation) -> source code -> object code; steps: modeling, modeling, code generation, compile/link.)

Requirements Traceability
- Requirements in DOORS, Excel, Word, etc. can be linked to the model
- Links between model and code
- Bi-directional traceability between requirements and test cases
(Diagram: the same chain from requirements to object code, supported by TargetLink RMI, Simulink V&V and EmbeddedTester.)

Formal Specifications and Formal Verification
Formal Specifications and Formal Verification in the context of ISO 26262

Formal Specification and Formal Verification Workflow
(Diagram. Textual requirements -> formal specification -> formal requirement; modeling -> TargetLink model; EmbeddedValidator performs formal verification by model checking.)

ISO 26262 Notation Recommendations
- Formal notations are recommended for all design levels starting with ASIL A

ISO 26262 Formal Verification Recommendations
- Semi-formal verification (simulation) of requirements is even highly recommended for levels greater than ASIL B
- Formal verification recommended from ASIL B
- In line with Model-Based Development
- An executable specification/model allows semi-formal verification
- Formal verification becomes applicable in early development stages

Automatic Test Generation and Execution
Automatic Test Generation and Execution in the context of ISO 26262

Automatic Test Generation and Execution Workflow
(Diagram. TargetLink model -> compiler -> source code -> object code; test vectors. EmbeddedTester: automatic hierarchical back-to-back testing (MIL vs. PIL), automatic hierarchical test vector generation, code coverage measurement, model coverage measurement.)

ISO 26262 Back-to-Back Testing
- For testing of SW units, back-to-back tests are highly recommended from ASIL C
- Model-based and code testing in MIL, SIL and PIL

ISO 26262 Coverage Metrics (SW Unit)
- Quality of test cases measured by coverage of requirements (just informally)
- Quality of test cases measured by structural coverage metrics: the higher the ASIL level, the stronger the metrics
- Structural coverage metrics highly recommended for all ASIL levels

ISO 26262 Target Testing
- Perfect match for Model-Based Development
- PIL tests are appropriate

Requirements-Based Testing
Requirements-Based Testing and Traceability in the context of ISO 26262

Requirements-Based Testing Workflow
(Diagram. Textual requirements -> requirement-based test vector creation (manual or tool-based) -> test vectors. TargetLink model -> compiler -> source code -> object code. EmbeddedTester: automatic hierarchical requirement-based testing; test execution platform MiL/SiL/PiL.)

ISO 26262 Requirements-Based Test
- Requirements-based test is highly recommended for all ASIL levels (also integration testing)
- Metrics for the quality of tests are just intuitively defined

Tools coverage of ISO 26262 standard methods
TargetLink and EmbeddedTester features mapping on ISO 26262

Tools mapping to the workflow
Which portion of that workflow is covered by a tool?
- dSPACE TargetLink
- BTC EmbeddedTester

TargetLink coverage of ISO 26262 standard (three slides; content not transcribed)

EmbeddedValidator/EmbeddedTester coverage of ISO 26262 standard
(Table. Columns: ISO 26262 reference and method | ASIL A | ASIL B | ASIL C | ASIL D | EmbeddedValidator / EmbeddedTester coverage. Ratings: ++ highly recommended, + recommended, o no recommendation.)
Table 8 Notations for software unit design, 1d Formal notations for requirements specification | + | + | + | + | Formal specification of functional and safety requirements based on patterns
Table 3 Notations for software architectural design, 1c Formal notations for requirements specification | + | + | + | + | Formal specification of functional and safety requirements based on patterns
1c Semi-formal verification | + | + | ++ | ++ | Self-monitoring validity of the C-Observers from patterns under MIL/SIL/PIL
Formal verification | o | + | + | + | Formal verification based on model checking
1d Semi-formal verification by simulating dynamic parts of the design | + | + | + | + | Self-monitoring validity of the C-Observers from patterns under MIL/SIL/PIL
Formal verification | o | o | + | + | Formal verification based on model checking
1b Semi-formal verification | + | + | ++ | ++ | Self-monitoring validity of the C-Observers from patterns under MIL/SIL/PIL
Formal verification | o | o | + | + | Formal verification based on model checking
1a Requirements-based test | ++ | ++ | ++ | ++ | Requirements-based test generation based on pattern mutation; import and execution of functional tests from different formats (CTE, Excel, signal-based); test generation based on C-Observers pattern coverage
1e Back-to-back test between model and code | + | + | ++ | ++ | Automatic MIL/SIL/PIL regression test execution and results comparison
1a Statement coverage | ++ | ++ | + | + | Part of the code coverage report
1b Branch coverage | + | ++ | ++ | ++ | Part of the code coverage report
1c MC/DC (Modified Condition/Decision Coverage) | + | + | + | ++ | Part of the code coverage report
1a ...
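As an added illustration of the structural coverage metrics the slides rank by ASIL (branch coverage versus the stronger MC/DC), and not code from the presentation or from BTC's tools: a small Python check that decides whether a set of test vectors achieves decision (branch) coverage and unique-cause MC/DC for a Boolean decision. The decision, the test vectors and all names are constructed for this example.

```python
from itertools import combinations

# Constructed example decision with three conditions a, b, c
# (hypothetical brake-request logic, not taken from the slides).
def decision(a, b, c):
    return a and (b or c)

def decision_coverage(dec, vectors):
    """Branch/decision coverage: the decision took both outcomes."""
    return {bool(dec(*v)) for v in vectors} == {True, False}

def mcdc_pairs(dec, vectors):
    """Unique-cause MC/DC: for every condition, find two vectors that
    differ only in that condition and flip the decision outcome.
    Returns {condition_index: (vector1, vector2)} for every condition
    shown to independently affect the outcome."""
    n = len(vectors[0])
    pairs = {}
    for i in range(n):
        for v1, v2 in combinations(vectors, 2):
            changed = [k for k in range(n) if v1[k] != v2[k]]
            if changed == [i] and bool(dec(*v1)) != bool(dec(*v2)):
                pairs[i] = (v1, v2)
                break
    return pairs

def mcdc_achieved(dec, vectors):
    """MC/DC is achieved when every condition has an independence pair."""
    return len(mcdc_pairs(dec, vectors)) == len(vectors[0])

# Constructed test sets. The first exercises both branches, which is
# enough for the weaker metric but leaves no condition independently shown.
BRANCH_ONLY = [(True, True, True), (False, False, False)]
# n + 1 = 4 vectors suffice for unique-cause MC/DC of a 3-condition decision.
MCDC_SET = [(True, True, False), (False, True, False),
            (True, False, False), (True, False, True)]

if __name__ == "__main__":
    for name, vecs in (("branch-only", BRANCH_ONLY), ("MC/DC", MCDC_SET)):
        print(name, "decision coverage:", decision_coverage(decision, vecs),
              "MC/DC:", mcdc_achieved(decision, vecs),
              "independence pairs:", mcdc_pairs(decision, vecs))
```

The branch-only set satisfies decision coverage yet yields no independence pair at all, which is why ISO 26262 asks for MC/DC rather than branch coverage at the highest ASIL.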