05.03.2024

ISO 26262 Requirements for Guaranteed Automotive Safety & Security

How to ensure safety and security of automotive vehicles with qualified ISO 26262 tools.

ISO 26262 Safety & Security Preview

  • How to prepare for a safe and secure future for automotive and autonomous vehicles?
  • Complying with coding and modeling guidelines specified by the ISO 26262 standard.
  • A car in autonomous driving mode may randomly turn left or right on its own because of an undefined behavior.

Automotive complexity and compliance demands grow steadily

New advancements in technology, standards and regulations are driving increased challenges for automotive functional safety and cybersecurity requirements. Reaching these standards can be a daunting task, and even then, how do you know when you have tested enough?

Automotive systems are more complex than they have ever been (Figure 1), a necessity driven by the demand for innovations like Advanced Driver Assistance Systems (ADAS), autonomous driving (AD) modes, and new electric vehicles (EVs). At the same time, organizations face a challenging landscape of tools and technologies, and both regulatory and compliance pressure to ensure not only that the software is reliable, but also that it performs as intended and is free from safety vulnerabilities.

Figure 1: Complexity and productivity graph for automotive software under ISO 26262

To account for this, providers need to efficiently comply with increasingly stringent standards to meet functional safety certifications starting at the source code of the application.

TrustInSoft Analyzer provides a solution that simplifies the ISO 26262 certification process with its independent qualification from TÜV SÜD.

A simplified path to certification awaits you with time-saving features such as exhaustive static analysis, fuzzing, and advanced memory mapping.

What does ISO 26262 Address?

The international standard ISO 26262 is crucial in defining safe and secure development practices for automotive systems. It guides developers and testers in integrating safety throughout the software development cycle, using best testing practices and documentation to identify and mitigate potential threats and hazards caused by software.

In part six, the standard addresses the software development process focusing on verification and validation methods. It additionally outlines recommendations such as the following:

  • Designing and implementing software for fault tolerance and minimizing the risk of hazards
  • Developing software according to a documented process that is compliant with ISO 26262
  • Complying with coding and modeling guidelines specified by the ISO 26262 standard
  • Using static code analysis, control flow analysis, data flow analysis, and structural code coverage as essential tools for verifying software
  • Creating a comprehensive report detailing the integration of software with hardware, based on testing to validate software behavior on target hardware environments.

This post is Part 1 of a 2-part series derived from TrustInSoft’s new white paper, “SIMPLIFYING ISO 26262 CERTIFICATION WITH TRUSTINSOFT ANALYZER- How automotive software teams reduce compliance challenges by eliminating 100% of undefined behaviors” 

To get your FREE copy, CLICK HERE.

The Need for ISO 26262 Certification:

Ultimately, the independent authority must conclude that the development process and outputs were planned and implemented in a manner that ensures all functional safety goals were met. This is exceedingly challenging given the complexity and scale of automotive software, leading many teams to turn to qualified development tools like TrustInSoft Analyzer to support ISO 26262 compliance.

The Impact of Undefined Behaviors:

Undefined behaviors (UBs) occur when the considered C language standard imposes no requirement on the behavior of a given program construct. This means that anything can happen: the program may fail to compile, execute incorrectly at runtime, crash, or output incorrect results. UBs are typically associated with illegal operations that lead to crashes, such as divisions by zero.

ISO 26262 recognizes the influence of such UBs by defining software “robustness” as the prevention of “implausible values, execution errors, division by zero, and errors in data flow and control flow” (ISO 26262-6:8.4.4).

The simplified code sample below illustrates the potential safety impact of UBs (the include and the two prototypes are added so the fragment compiles; the defect itself is left as the post shows it):

    #include <stdbool.h>

    void turnSteeringWheelLeft(void);
    void turnSteeringWheelRight(void);

    void changeCarDirection(void) {
        bool bDirection;            /* never initialized: reading it is undefined behavior */
        if (bDirection) {
            turnSteeringWheelLeft();
        }
        else {
            turnSteeringWheelRight();
        }
    }

The uninitialized bDirection variable causes an undefined behavior, where the car may turn randomly left or right, or go straight. Worse, anything could happen, such as the calling of another function that may lead to arbitrary code execution.
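As an added example (not code from the post or from TrustInSoft), here is a hardened form of the same decision that also applies the ISO 26262-6:8.4.4 robustness checks quoted above: every local is initialized, the sensor input is range-checked, and the divisor is tested before use. The direction and status types, the lateral-error input, the gain divisor and the range limits are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed direction and status types (constructed for this example). */
typedef enum { DIR_STRAIGHT = 0, DIR_LEFT, DIR_RIGHT } direction_t;
typedef enum { STATUS_OK = 0, STATUS_IMPLAUSIBLE, STATUS_DIV_ZERO } status_t;

#define LATERAL_ERR_MAX_CM 500  /* assumed plausible range of the lateral error, in cm */
#define DEADBAND_CM         10  /* commands below this magnitude keep the wheel straight */

/* Hardened decision: every local is initialized before use, the sensor input is
 * range-checked ("implausible values"), the divisor is tested before the division
 * ("division by zero"), and *out always holds a defined value when we return. */
status_t changeCarDirectionSafe(int32_t lateral_err_cm, int32_t gain_divisor,
                                direction_t *out) {
    direction_t decision = DIR_STRAIGHT;    /* safe default, unlike the uninitialized bDirection */
    *out = decision;
    if (lateral_err_cm < -LATERAL_ERR_MAX_CM || lateral_err_cm > LATERAL_ERR_MAX_CM)
        return STATUS_IMPLAUSIBLE;          /* reject out-of-range sensor data */
    if (gain_divisor == 0)
        return STATUS_DIV_ZERO;             /* dividing here would be undefined behavior */
    /* The range check above also rules out INT32_MIN / -1, the other UB of signed division. */
    int32_t cmd = lateral_err_cm / gain_divisor;
    if (cmd > DEADBAND_CM)        decision = DIR_LEFT;   /* vehicle right of center: steer left */
    else if (cmd < -DEADBAND_CM)  decision = DIR_RIGHT;  /* vehicle left of center: steer right */
    *out = decision;
    return STATUS_OK;
}

/* Convenience wrapper that returns only the decided direction (safe default on error). */
direction_t safeDirectionOnly(int32_t lateral_err_cm, int32_t gain_divisor) {
    direction_t d = DIR_STRAIGHT;
    (void)changeCarDirectionSafe(lateral_err_cm, gain_divisor, &d);
    return d;
}

int main(void) {
    direction_t d = DIR_STRAIGHT;
    status_t s = changeCarDirectionSafe(100, 2, &d);   /* cmd = 50 -> steer left */
    printf("status=%d direction=%d\n", s, d);
    s = changeCarDirectionSafe(100, 0, &d);            /* guarded: no division performed */
    printf("status=%d direction=%d\n", s, d);
    return 0;
}
```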

As an ISO 26262 qualified tool, TrustInSoft Analyzer can mathematically guarantee the absence of undefined behaviors using formal verification.

How TrustInSoft Analyzer Proves the Absence of Undefined Behaviors:

Exhaustive static analysis:

Rather than implementing sets of pre-established rules like most static analysis tools, TrustInSoft Analyzer uses mathematical formal methods to prove unequivocally that code is free from coding errors and UBs that can lead to issues. Known as “exhaustive static analysis,” these methods were initially developed over two decades ago for the formal verification of safety-critical systems and have since been refined and optimized for today’s automotive software applications.

Note that the ISO 26262 standard refers to methods operating on code as “semi-formal methods” and classifies “formal methods” as acting on description techniques that have both syntax and semantics completely defined, such as UML and similar model-based frameworks.

TrustInSoft Analyzer uses a set of exhaustive static analysis methods based on “abstract interpretation.” These methods simulate a whole set of a given program’s executions simultaneously, as opposed to traditional tests that can only individually simulate a given execution. This approach enables developers to go beyond traditional testing methods that may miss UBs for an individual test value and guarantees that testing results are valid for any compiler, any chosen set of compiler options, and any memory layout.

Additionally, this approach can be applied to analyze wide ranges of input values at the same time – eliminating the need to run tests using the sequential and iterative application of different sets of input values and significantly reducing verification time.

For flexibility in choosing the appropriate analysis scope, TrustInSoft Analyzer provides two levels of analysis:

  1. Interpreter mode is the easiest and fastest to use and reuses existing test drivers when available. This mode identifies all UBs met when running the existing tests, without false positives, and generates code coverage reports.
  2. Analyzer mode performs full exhaustive static analysis, without false negatives, accelerating the achievement of ISO 26262 objectives (e.g. boundary testing, robustness testing) and generates code coverage reports.

Conclusion:

TrustInSoft Analyzer reduces the effort and man-hours needed to comply with ISO 26262 while delivering robust, guaranteed results. With benefits such as hardware awareness, memory mapping, and powerful formal-methods analysis, developers can have peace of mind that they have obtained proof of the absence of all undefined behaviors.

Learn more about the technology and methodology behind simplifying the ISO 26262 certification process by downloading the full free white paper here.

In the next post:

In Part 2 of this series, we will explore how an exhaustive static analysis tool brings unique results and features to the ISO 26262 process, giving developers the tools they need to improve the depth and speed of their verification work on the way to certification.

For additional information see our white paper

If you find this post useful, our new white paper, Simplifying ISO 26262 Certification With TrustInSoft Analyzer, contains a more detailed discussion of all the topics covered in this blog series, as well as several examples and case studies.

To download your FREE copy, CLICK HERE.
