Functional Safety – ISO 26262

ETAS Tools and Services support Functional Safety of Electronic Systems

To be allowed to participate in road traffic, road vehicles must conform to the state of the art in terms of scientific and technological maturity. The prevention of product liability claims requires, at minimum, adherence to applicable industrial standards. All products being introduced to the market should have been developed in accordance with such standards.

Achieving safety depends on:

  • Appropriate system design: Diagnostics, redundancy etc.
  • Hardware reliability: Analysis of failure modes and failure rates
  • Software that is free from critical errors: State-of-the-art approach to software development
  • Disciplined approach to quality management: Analysis, test, and review
  • Ability to demonstrate that all safety goals have been met: Through product and process measures

In order to accomplish this, we offer a broad portfolio supporting functional safety in software development that includes qualified tools, engineering services as well as expert consultancy.

The challenge:
ISO 26262, like other domain-specific standards such as ISO 25119 and EN ISO 13849, has been derived from the generic standard IEC 61508 for the functional safety of electronic systems; for road vehicles it is the binding standard. All new E/E systems need to conform to the appropriate safety standard. Development processes, methods and tool chains all play a significant role in achieving conformance. Therefore development tools for future E/E systems also need to be ISO 26262 compliant.

The solution:
Our portfolio combines a high level of competence in methods, processes and tools, embedded software and practical experience in the development of safety-critical systems to support our customers in all aspects of functional safety. It includes:

  • Development Tools
    ETAS software development tool solutions, including the ASCET, RTA, INTECRIO, EHOOKS, LABCAR and INCA product families, support the development and test of safety-critical automotive systems according to standards like ISO 26262. Our tools support full and flexible implementation of AUTOSAR 4.x safety concepts at the operating system and basic software level. Our certified code generators ensure the integrity of generated software.
    Our function and software development tools are successfully deployed in engine management, ABS, and ESP projects.
  • Engineering Services
    Our Engineering Services are available to assist with all your development needs. The open architecture, modular design, and support of industrial and automotive standards common to all ETAS products allow for flexible adaptation to different development requirements and existing infrastructures.
  • RTA Consulting Services
    With our RTA Consulting Services we support our customers in deploying functional safety in their series development and processes. In addition, we can make our customers’ tool chain qualifiable according to ISO 26262 by applying the ETAS Safety Manuals.

Our consulting team consists of a global network of consultants with many years’ experience of series development and research projects in the area of functional safety.

What is IEC 61508?
IEC 61508 is an international standard relating to the functional safety of electrical/electronic/programmable electronic safety-related systems. In this context, a system is defined to include sensors and other input devices, the programmable electronics itself and all actuators and other output devices.

What is ISO 26262?
ISO 26262 is the sector-specific adaptation of IEC 61508 that applies to electronic/electrical safety related systems, comprising both software and hardware, installed in passenger cars up to 3.5 tons in gross weight.

The standard consists of 10 parts, covering the full lifecycle of E/E/PE safety-related systems from functional safety management through concept, design and development to production and operation. ISO 26262 is therefore state of the art with regard to product liability.

The implementation of ISO 26262 has an impact across the software development process. Some of the most important areas that need to be considered can be summarized as follows:

  • Architectural design:
    • Low coupling, high cohesion
    • Expressed semi-formally
  • Design and implementation:
    • Guidelines like MISRA-C:2004
    • Freedom from memory/timing interference
  • Software testing:
    • Systematic approach to testing
    • High level of coverage
  • System testing:
    • Fault injection/robustness tests
    • Software testing in target environment

Do IEC 61508 and ISO 26262 require the use of certified tools?
IEC 61508 and ISO 26262 do not require that development tools are certified against the safety standards. However, both standards require that the system developer can establish that all tools used during development do not violate any system safety requirements to the extent required to support the claimed system safety integrity level (SIL or ASIL as appropriate).

In terms of safety engineering, the system developer needs to provide a valid safety argument for the tool chain, supported by appropriate evidence. A good tool chain safety argument should successfully argue that no single failure in any tool can leave an undetected critical flaw in the system.

Development tools for safety critical applications

INTECRIO: Integration and build tool for virtual prototyping
As INTECRIO integrates at the C-code level, our customers are able to use C-code debuggers and development environments to trace the code and thereby measure metrics like statement or decision coverage easily. This helps to determine whether the conversion of the function model to C-code requires additional test cases. INTECRIO can therefore be used to fulfill the software development and test methods proposed by ISO 26262.

ASCET: Simulation, rapid prototyping and target execution
The following standard features of ASCET make it a good choice for engineering safety-related software, as they actively support the software development according to ISO 26262:

  • Support for modularity, abstraction and encapsulation: ASCET has an object-based programming model, and the generated code has an identical modular structure. Models are uniquely partitioned into two clear layers of abstraction, encapsulating the design of the high-level system and isolating it from changes resulting from low-level design considerations.
  • Unambiguous definition: Implicit assumptions about data and control flow that typically occur in graphical modelling techniques are removed by explicitly formalizing ordering in the design through sequence numbering. ASCET graphical models have the same behavior, regardless of how they are drawn.
  • Support for real-time: Simple integration with real-time operating systems like RTA-OSEK with thread-safe communication using ASCET’s state-based message communication scheme.
  • Prevention of runtime errors: ASCET automatically adds defensive programming checks to prevent common numerical errors like division by zero, underflow, overflow etc.
  • Satisfaction of software implementation requirements: generation of up to 100 % MISRA-C:2004 compliant source code, no uncontrolled data or control flow, no dynamic data structures, no data use before initialization.
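The "prevention of runtime errors" bullet above describes checks that a safety-oriented code generator inserts around arithmetic. The following is an added illustration of what such checks look like in MISRA-style C; it is not ASCET-generated code, and the 16-bit fixed-point representation, function names and the substitute-value convention for division by zero are assumptions chosen for the example.

```c
/* Added illustration (not ASCET output): defensive arithmetic helpers that
 * make overflow, underflow and division by zero impossible at run time.
 * All quantities are 16-bit signed fixed-point values, a common ECU choice
 * (assumption for this example). No dynamic memory, no uncontrolled flow. */
#include <stdint.h>
#include <stdio.h>

/* Saturate a 32-bit intermediate into the int16 range instead of wrapping. */
static int16_t sat16(int32_t v)
{
    if (v > INT16_MAX) { return INT16_MAX; }
    if (v < INT16_MIN) { return INT16_MIN; }
    return (int16_t)v;
}

/* Addition with saturation: 30000 + 10000 yields 32767, not a wrapped negative. */
int16_t add_sat16(int16_t a, int16_t b)
{
    return sat16((int32_t)a + (int32_t)b);
}

/* Subtraction with saturation: -30000 - 10000 yields -32768 (underflow clamped). */
int16_t sub_sat16(int16_t a, int16_t b)
{
    return sat16((int32_t)a - (int32_t)b);
}

/* Multiplication with saturation; the int32 product of two int16 values
 * cannot itself overflow, so only the final narrowing needs clamping. */
int16_t mul_sat16(int16_t a, int16_t b)
{
    return sat16((int32_t)a * (int32_t)b);
}

/* Division guarded against a zero divisor and against INT16_MIN / -1, the one
 * int16 quotient that overflows. On a zero divisor the caller-supplied
 * substitute value (defined in the model) is returned instead of trapping. */
int16_t div_guarded16(int16_t num, int16_t den, int16_t substitute_on_zero)
{
    if (den == 0) {
        return substitute_on_zero;
    }
    return sat16((int32_t)num / (int32_t)den);
}

int main(void)
{
    /* Constructed inputs that would misbehave with plain C arithmetic. */
    printf("add  30000 + 10000      -> %d\n", add_sat16(30000, 10000));
    printf("sub -30000 - 10000      -> %d\n", sub_sat16(-30000, 10000));
    printf("mul    300 * 300        -> %d\n", mul_sat16(300, 300));
    printf("div    100 / 0 (sub 0)  -> %d\n", div_guarded16(100, 0, 0));
    printf("div -32768 / -1         -> %d\n", div_guarded16(INT16_MIN, -1, 0));
    return 0;
}
```

The point of the saturating form is that a numerically wrong but bounded result is observable and can be caught by a downstream plausibility check, whereas a wrapped or trapped result is exactly the kind of undetected flaw the tool-chain safety argument has to rule out.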

IEC 61508 and ISO 26262 certification for ASCET

ASCET-MD V6.1 and ASCET-SE V6.1 have been certified by TÜV-SÜD as “fit for purpose” for use in the development of safety related systems according to IEC 61508:2010 and ISO/DIS 26262:2009. The certification covers code generation for all currently supported microcontroller targets for systems with a safety integrity level up to and including SIL 3 for IEC 61508 and ASIL D for ISO/DIS 26262.

RTA-OS and RTA-RTE: AUTOSAR compliant implementation of safety concepts
AUTOSAR specifies a number of concepts at the operating system level for ensuring the functional safety of ECU software. We deliver AUTOSAR 4.0 conformant implementations of the OS and the RTE.

Both tools:

  • Generate MISRA compliant source code
  • Support multi-core concepts and OS applications that support partitioning of safety-critical and non-safety-critical software
  • Support the AUTOSAR 4.0 approaches to timing and memory partitioning
  • Are certified according to ISO 26262 by TÜV Süd

ISOLAR-EVE: Shorter feedback loops with critical errors found earlier
The ISO 26262 standard requires software integration testing in a realistic target environment. Virtualizing ECU hardware allows for a software integration test at an early stage using target ECU basic software. The identical source code of an ECU can be executed with ISOLAR-EVE in a virtual environment for early validation.

EHOOKS: Performing safety-critical ECU tests
Verifying ECU software according to ISO 26262 requires testing in a target environment whilst ensuring a high level of controllability and observability in the software. ETAS offers a tool called EHOOKS which provides a sophisticated configuration, build and patching mechanism.

The features of testing safety-critical ECU software with EHOOKS:

  • Testing is performed on the target ECU hardware using production software, access to the ECU is achieved using an ETAS ETK interface
  • Data variables and functions can be directly manipulated allowing the targeted testing of critical functionality
  • Fault injection can be efficiently performed by either manipulating variables, bypassing functions with incorrect implementations or simulating incorrect sensor data
  • Seamless integration into the INCA environment to allow for efficient control and observation as well as low learning curve for experienced measurement and test engineers

The prototype created with EHOOKS is extremely close to the final ECU and is therefore very useful for the validation and verification purposes requested by ISO 26262.
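The bullet list above names two fault-injection techniques: bypassing a function with an incorrect implementation and simulating incorrect sensor data. The following added example (not EHOOKS code; the hook mechanism, the pedal-sensor monitor, the raw-value limits and the debounce count are all constructed for illustration) shows how such a bypass hook lets a test drive a sensor plausibility monitor with out-of-range data and check that its diagnostic latches exactly when the safety requirement says it should.

```c
/* Added illustration (not EHOOKS code): a bypass hook for fault injection on a
 * sensor plausibility monitor. The monitor reaches the sensor through a
 * function pointer; production code points it at the real reader, a test
 * repoints it at an implementation that returns faulty values. Limits and
 * debounce count are constructed for the example. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Plausible pedal position range in raw ADC counts (constructed values). */
#define PEDAL_RAW_MIN     200u
#define PEDAL_RAW_MAX    3800u
/* Consecutive implausible samples before the fault is latched (constructed). */
#define DEBOUNCE_SAMPLES    3u

typedef uint16_t (*pedal_read_fn)(void);

/* Production read path: a real ECU would sample the ADC here. It returns a
 * fixed mid-range value so the example runs on a host. */
static uint16_t pedal_read_production(void) { return 2000u; }

/* The hook: production binding by default, repointed by a test for injection. */
static pedal_read_fn pedal_read_hook = pedal_read_production;

static uint8_t implausible_count  = 0u;
static bool    pedal_fault_latched = false;

/* Reset monitor state and restore the production binding between scenarios. */
void pedal_monitor_reset(void)
{
    pedal_read_hook     = pedal_read_production;
    implausible_count   = 0u;
    pedal_fault_latched = false;
}

/* Install an alternative read implementation (the fault-injection bypass). */
void pedal_monitor_set_hook(pedal_read_fn fn)
{
    pedal_read_hook = fn;
}

/* One monitor cycle: read, debounce implausible values, latch the fault.
 * Returns true while the fault is latched. A latched fault is not cleared by
 * a later good sample; that is the behaviour the tests check. */
bool pedal_monitor_step(void)
{
    uint16_t raw = pedal_read_hook();
    if (raw < PEDAL_RAW_MIN || raw > PEDAL_RAW_MAX) {
        if (implausible_count < DEBOUNCE_SAMPLES) {
            implausible_count++;
        }
        if (implausible_count >= DEBOUNCE_SAMPLES) {
            pedal_fault_latched = true;
        }
    } else {
        implausible_count = 0u;   /* a transient glitch does not accumulate */
    }
    return pedal_fault_latched;
}

/* Injected faults used by the scenarios (constructed): the electrical faults
 * a HiL rig would otherwise have to produce at the connector. */
static uint16_t inject_short_to_ground(void) { return 0u; }     /* below range */
static uint16_t inject_short_to_supply(void) { return 4095u; }  /* above range */

/* Scenario runner: fresh monitor, given hook, N cycles; returns latch state. */
bool run_scenario(pedal_read_fn fn, unsigned cycles)
{
    bool latched = false;
    pedal_monitor_reset();
    pedal_monitor_set_hook(fn);
    for (unsigned i = 0u; i < cycles; i++) {
        latched = pedal_monitor_step();
    }
    return latched;
}

int main(void)
{
    printf("production, 10 cycles      -> latched=%d\n", run_scenario(pedal_read_production, 10u));
    printf("short to ground, 2 cycles  -> latched=%d\n", run_scenario(inject_short_to_ground, 2u));
    printf("short to ground, 3 cycles  -> latched=%d\n", run_scenario(inject_short_to_ground, 3u));
    printf("short to supply, 5 cycles  -> latched=%d\n", run_scenario(inject_short_to_supply, 5u));
    return 0;
}
```

Because the hook sits inside the unit under test, the scenarios exercise the production monitor code unchanged; the only thing the test substitutes is the data source, which is what makes the result representative of the target while remaining repeatable.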

LABCAR: Performing HiL system integration tests
ISO 26262 requires representative fault injection and regression testing to be performed at the system level. This requires a high level of accuracy in the simulation of the system environment.

LABCAR provides a scalable Hardware-in-the-Loop test environment with high precision and signal quality. Features include:

  • Test of the real ECU in a lab with a simulated environment (100 % reproducible)
  • Integration of high-fidelity plant models
  • Accurate simulation of faults at the interfaces to the ECU
  • Fully automatic regression testing and variant-based release testing of ECUs
  • Effective reuse of proven tests across vehicle projects