ISO 26262

ISO 26262 is the functional safety standard for electrical and electronic systems in series production passenger cars. It requires qualification of all (electrical and electronic) components with respect to safety. The qualification process is described in the standard.

Qualification for safety differs from quality assurance because only the safety hazards that result from a failure have to be taken into account. While a broken door lock may be a serious quality issue, it is unlikely to pose an immediate safety threat. A second difference is that safety qualification always has to consider the specific use case of the component: the same light bulb poses a different safety threat when it is used for the indicator light than when it is used for the passenger interior light.

Usually, the compiler is not part of the on-board electronic systems. The compiler is used by the component developer, and it is the compiler-generated code that goes into the car. Clearly, if the compiler generates incorrect code and the component that contains that code is part of the control system of the car, this can have serious consequences. For that reason, ISO 26262 part 8 section 11 defines that the tools used to create components are also subject to qualification. The compiler is one such tool – its correctness can have serious impact on the safety of the car.

Compiler qualification, for example by testing against the compiler specification using the SuperTest test and validation suite for C and C++ compilers, is the process described by the ISO 26262 standard for gaining sufficient confidence in the correctness of the compiler. It is independent of the application being developed, but it depends on the use case of the compiler, that is, how the compiler is used to compile the application: for example, the specific option settings and the optimization level. SuperTest can easily be configured for any specific use case.

With a qualified compiler, the application developer can trust that malfunctions of the compiler are detected in the qualification process. This means that a compiler does not have to be free of defects (few compilers are), but that its defects are known to the application developer so they can be avoided. In this way the compiler can be trusted and does not have to be in the loop of the coverage testing process: coverage testing can proceed at source code level instead of at the level of the compiler-generated code.
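To make the qualification idea concrete, here is a small self-checking conformance test in the style such a suite uses; it is an added example written for this page, not code from SuperTest or from ISO 26262, and the function and test numbering are hypothetical. Each check encodes a behaviour the C standard mandates, so a failure points at the compiler rather than at the application, and it is meant to be built with exactly the option settings and optimization level of the project's use case.

```c
/* SuperTest-style self-checking conformance test (added example, hypothetical).
 * Inputs go through volatile objects so the optimizer cannot fold the checks
 * away: the test then exercises code generation under the use case's options. */
#include <limits.h>

static int calls;                     /* counts calls to side_effect() */
static int side_effect(void) { calls++; return 1; }

/* Returns the number of failed checks (0 = compiler passed); if fail_mask is
 * non-NULL it receives one bit per failed check, for the qualification report. */
int run_conformance_tests(unsigned *fail_mask)
{
    volatile int minus_one = -1, seven = 7, two = 2;
    volatile unsigned one_u = 1u, umax = UINT_MAX;
    volatile unsigned char byte = 0xFF;
    unsigned failed = 0;
    int n;

    /* 1. Usual arithmetic conversions (C11 6.3.1.8): -1 becomes UINT_MAX
     *    when compared with an unsigned int, so -1 < 1U must be false. */
    if (minus_one < one_u) failed |= 1u << 0;
    /* 2. Unsigned arithmetic wraps modulo 2^N (C11 6.2.5p9). */
    if (umax + one_u != 0u) failed |= 1u << 1;
    /* 3. Integer promotion (C11 6.3.1.1): the unsigned char operand of << is
     *    promoted to int first, so 0xFF << 1 is 510, not 254. */
    if ((byte << 1) != 510) failed |= 1u << 2;
    /* 4. Division truncates toward zero (C11 6.5.5p6): -7/2 == -3, -7%2 == -1. */
    if ((-seven) / two != -3 || (-seven) % two != -1) failed |= 1u << 3;
    /* 5. && short-circuits (C11 6.5.13p4): the right operand must not run. */
    calls = 0;
    if ((seven == 0 && side_effect()) || calls != 0) failed |= 1u << 4;
    /* 6. sizeof does not evaluate a non-VLA operand (C11 6.5.3.4p2). */
    n = 0;
    (void)sizeof(n++);
    if (n != 0) failed |= 1u << 5;

    if (fail_mask) *fail_mask = failed;
    for (n = 0; failed; failed &= failed - 1) n++;   /* popcount of failures */
    return n;
}
```

Running the same test once per option set in the use case matrix (for instance -O0 and -O2) is what turns a passing result into evidence for that specific use case rather than for the compiler in general.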

A benefit of a trusted compiler is that it significantly simplifies the test procedures for the application and makes them more efficient. Compiler qualification itself is not trivial, but it is a process that can be managed in-house without much overhead, and it can be done in parallel with application development. Its results can also be shared between multiple projects that use the same compiler. SuperTest is the best tool available to provide tool validation for C and C++ compilers that are used for safety-critical automotive systems.