ISO 26262

ISO 26262

ISO 26262 is the functional safety standard for electrical and electronic systems in series production passenger cars. It requires qualification of all (electrical and electronic) components with respect to safety. The qualification process is described in the standard.

Qualification for safety is different from quality assurance because one has to take into account the safety hazards that result from failure. While a broken door lock may be a serious quality issue, it is not likely to pose an immediate safety threat. A second difference is that in safety qualification one always has to take into account the specific use case of the component: the same light bulb used for either the indicator light, or the passenger interior light poses a different safety threat for those two use cases.

Compiler Qualification

Usually, the compiler is not part of the on-board electronic systems. The compiler is used by the component developer, and it is the compiler-generated code that goes into the car. There can be serious consequences if the compiler generates incorrect code and the component that contains that code is part of the control system of the car. For that reason, ISO 26262 part 8 section 11 defines that the tools used to create components are also subject to qualification. The compiler is one such tool.

Compiler qualification, for example by testing against the compiler specification using the SuperTest test and validation suite for C and C++ compilers, is the process that is described by the ISO 26262 standard to gain sufficient confidence in the correctness of the compiler. It is independent of the application that is being developed, but depends on the use case of the compiler: how the compiler is used to compile the application. For example, this includes the specific option settings and optimization level of the compiler. SuperTest can be easily configured for any specific use case.

With a qualified compiler, the application developer can trust that malfunctions of the compiler are detected in the qualification process. This means that a compiler does not have to be free of defects (few compilers are), but that the defects are known to the application developer so they can be avoided.

A benefit of a trusted compiler is that it significantly simplifies the test procedures for the application and makes them more efficient. It is true that compiler qualification itself is not trivial, but it is a process that can be managed in-house without much overhead and it can be done in parallel with application development. Its results can also be shared between multiple projects that use the same compiler. SuperTest is the best tool available to provide tool validation for C and C++ compilers that are used for safety-critical automotive systems.

Standard Library Qualification

A Software Development Kit (SDK) typically includes both the compiler and the standard library. The standard library is the collection of headers and library functions that are defined by the C and C++ language definitions. Library qualification is different from compiler qualification because the library code becomes part of the application code that runs on the safety critical component.

ISO 26262 offers two routes for library qualification: one for the re-use of a pre-existing library, and one for any other library development. The difference is that a pre-existing library does not have to be developed according to the guidelines of ISO 26262. This means that qualification is possible for the standard library that comes with the SDK, and even for an open-source library.

The qualification process is described in ISO 26262 Part 8, Clause 12. They key component to go through this process is a requirement-based test suite. Solid Sands’ SuperGuard C Library Safety Qualification Suite is such a test suite. It is the only test suite that provides detailed traceability between the requirements that are derived from the language specification and the tests for the complete standard C library.

The pre-existing route can even be applied if you only have the binaries of the library for qualification up to ASIL C. For ASIL D, ISO 26262 requires structural code coverage analysis, for which source code is needed. SuperGuard is tuned for this task as well, providing high structural and MC/DC coverage.

The second library qualification route is more elaborate because it requires that the development of the standard library complies to ISO 26262 Part 6. Also for this route, SuperGuard is extremely useful to adhere to the requirements of Software unit verification. This clause too is based on a requirements-based test suite.

Even if the standard library that you use is delivered as a binary archive, your use case (that includes the compiler configuration and compilation options) is important. This is because the standard library also consists of header files that are processed as source code. For efficiency, many functions in the standard library are implemented as macros and are compiled with your current use case. You must make sure that this use case matches the one that is used for qualification.