New advanced functionalities that are being added to modern cars, such as automated driving or advanced safety systems, have forced a paradigm shift in automotive software development environments.
The C language, which dominated the automotive space for years, is no longer sufficient to address the growing complexity of automotive software architectures. With the requirement of object-oriented design, C++ is now a natural choice for many automotive teams.
But C++ is complicated and requires a lot of effort to assure predictability, safety, and security. The automotive functional safety standard, ISO 26262, provides some guidance on the software development and verification and validation (V&V) processes, but it does not go in depth at the level of language constructs. To get such guidance, organizations turn to coding standards like MISRA C/C++ or AUTOSAR C++.
Here we explain how to do just that – complying with ISO 26262 by using a static analysis tool that’s configured with AUTOSAR C++ 14 compliance checkers.
A word about the standards
ISO 26262 Road vehicles – Functional safety
ISO 26262 is a functional safety standard for road vehicles. The standard focuses on electrical and/or electronic systems in production cars. ISO 26262 addresses the functional-safety related aspects of development activities and work products, defining functional-safety as “the absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical or electronic systems.”
ISO 26262 consists of ten parts that address different aspects of the product development process, including requirements specification, design, implementation, integration, verification, validation, and configuration. Part 6 of the standard focuses on product development at the software level, including methods and requirements needed for the software development and testing processes that must be followed to achieve compliance.
AUTOSAR C++ 14 Coding Guidelines
The AUTOSAR C++ 14 coding standard is a part of Adaptive AUTOSAR, which is a platform for developing automotive control units. The platform is developed by a consortium of automotive companies (including all main players) and provides the specification of interfaces for services and APIs. There are commercial implementations of the AUTOSAR platform provided by a few different vendors that can be used for developing automotive systems.
The Adaptive AUTOSAR specification was designed with the C++ 14 language, and includes a coding standard that restricts the usage of C++ 14 to the constructs that are predictable and that don’t lead to unnecessary risk. The coding standard contains more than 300 coding guidelines grouped into different categories. Static analysis tools can help to enforce compliance with the coding guidelines.
AUTOSAR C++14 was created as an update to the MISRA C++ 2008 coding standard, which was outdated. In January 2019, the MISRA and AUTOSAR consortiums announced a merger of their two most popular coding standards for safety critical C++ and declared development and maintenance of the standard.
How to achieve compliance with ISO 26262?
Compliance with a functional safety standard like ISO 26262 requires significant effort and needs to be an integrated part of the project from the very beginning. Even in the case of the software components, compliance requires specific activities during requirements gathering, planning, and implementation and it is definitely not something that can be added later.
ISO 26262 specifies a collection of methods that are required to achieve compliance with the standard. To claim compliance, users must provide evidence that all applicable requirements and methods have been implemented. For example, in Part 6, you can find recommended methods that refer to the software development process. The methods are grouped in the table below:
Not all methods apply to everyone. Applicability of the method depends on the Automotive Safety Integrity Level (ASIL), which is a risk classification defined in the standard (ASIL A represents the lowest degree and ASIL D represents the highest degree of automotive hazard). The method can be highly recommended (++), recommended (+), or neutral (o).
The challenge that teams typically face when trying to comply with the standard is how to implement the methods that are recommended for their processes. The decision on how to comply with a specific method or requirement is frequently based on the team's experience. In some simple situations, manual procedures and reviews can be an answer, but in most cases, teams try to find tools that can automate the required methods.
A tool that is used to comply with ISO 26262 has to be approved for the intended use through the formal process called tool qualification. The objective of the qualification of software tools is to provide evidence of software tool suitability for use when developing a safety-related item or element. This can be a time- and resource-consuming task. To streamline qualification, it is best to use a tool that comes with an automated qualification kit and a TÜV SÜD certification, which is often sufficient for tool qualification.
How does the AUTOSAR C++ coding standard streamline compliance with ISO 26262?
Following a coding standard like AUTOSAR C++ is a widely accepted method for satisfying some of the requirements stemming from ISO 26262. AUTOSAR C++ 14 provides the traceability tables that map ISO 26262 principles and recommendations to the appropriate coding guidelines.
The mapping mainly covers section 8 of Part 6 of ISO 26262, and greatly simplifies the process of achieving compliance with the corresponding methods and requirements from the standard. See below for an example of the table from the AUTOSAR C++ 14 standard:
Table B.6: The criteria that shall be considered when selecting a suitable modeling or programming language.
The table above is just one example of the traceability to ISO 26262, touching the specific table from paragraph 5.4.6 (there are similar mappings for other paragraphs). ISO 26262 traceability tables can be found in the B.6 references section of the AUTOSAR C++ 14 standard, which is freely available.
The AUTOSAR C++ 14 coding guidelines alone are not sufficient to achieve compliance with ISO 26262 for the software component. Some methods in the standard can’t be covered with the application of AUTOSAR guidelines, such as methods 1g and 1h from the table above.
Method 1g recommends “Use of style guides” and method 1h recommends “Use of naming conventions.” AUTOSAR C++ 14 does not include any style guides or naming conventions. Both methods, however, can be easily implemented with a commercial tool with modules for creating custom static analysis rules.
Methods in the standard that can’t be implemented with static analysis in general require other testing techniques.
Finding the right tool for AUTOSAR C++ 14 compliance
Introducing the coding standard compliance process into the team development workflow is not an easy task. As such, it is very important to select a tool that will help in achieving compliance without imposing too much overhead and without the requirement for additional manual procedures. The following points are considered to be important decision-making factors when selecting the solution for static analysis.
1. Coverage of the coding guidelines from the standard
AUTOSAR C++ 14 defines a substantial number of guidelines. The most up-to-date version of the AUTOSAR coding standard currently contains approximately 400 guidelines, of which 350 can be enforced with static analysis. Supporting this number of guidelines is a challenge for static analysis tool vendors, and not all static analysis tools available on the market cover the standard sufficiently for compliance.
2. Support for data and control flow technology
Guidelines defined in the AUTOSAR C++ coding standard have different levels of complexity. Some are simple guidelines that can be enforced with relatively simple static analysis technology, like:
But there are also guidelines that require sophisticated data and control flow analysis to simulate the paths in the analyzed source code and decide if a given guideline is violated or not. For example, the following guideline:
Violations of this guideline cannot be reliably detected without data and control flow analysis. The static analysis tool you choose has to evaluate the paths in the code to correctly determine whether the index that is used for accessing the data in the container is within the correct range. Many commercial tools and most open-source tools on the market apply very rudimentary flow analysis to this class of problems, and in effect they either miss an issue in the code or report an enormous number of false positives, which consume a huge amount of time to review and kill productivity.
When benchmarking a static analysis tool, it is recommended to pay special attention to comparing results for the more complex guidelines, which require flow analysis technology.
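A constructed illustration of the container-index problem described above, added here as an example and not taken from the AUTOSAR standard or from any tool's documentation. The names `SelectIndex`, `GainUnchecked`, `GainChecked` and `kGainTable` are hypothetical; the point is that the access expression looks the same on every path, and only following the paths shows which one leaves the valid range.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <iostream>

// Constructed sample data: a 4-entry table, valid indices 0..3.
constexpr std::size_t kTableSize = 4U;
const std::array<std::int32_t, kTableSize> kGainTable{{10, 20, 40, 80}};

// The returned index depends on which branches are taken, so its range
// is only known per path, not from the shape of any single statement.
std::size_t SelectIndex(std::int32_t level, bool boost) {
    std::size_t idx = 0U;
    if (level > 100) {
        idx = 3U;
    } else if (level > 50) {
        idx = 2U;
    }
    if (boost) {
        idx += 1U;  // path (level > 100 && boost) yields 4: one past the end
    }
    return idx;
}

// Non-compliant form: a syntactic check sees an ordinary subscript.
// Only path analysis finds that idx can equal kTableSize.
// Calling it with (level > 100, boost == true) is undefined behaviour.
std::int32_t GainUnchecked(std::int32_t level, bool boost) {
    return kGainTable[SelectIndex(level, boost)];
}

// Compliant form: the index is bounded on every path before the access,
// so a flow analyzer can prove idx < kTableSize and stay silent.
std::int32_t GainChecked(std::int32_t level, bool boost) {
    std::size_t idx = SelectIndex(level, boost);
    if (idx >= kTableSize) {
        idx = kTableSize - 1U;  // clamp to the last valid entry
    }
    return kGainTable[idx];
}

int main() {
    std::cout << "index on worst path: " << SelectIndex(150, true) << '\n';
    std::cout << "checked gain: " << GainChecked(150, true) << '\n';
    return 0;
}
```

A pair like this is a useful benchmark case when comparing tools: a tool with precise flow analysis should report `GainUnchecked` and not `GainChecked`.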
3. Support for tool qualification
Although AUTOSAR C++ does not explicitly require tool qualification to approve the static analysis solution for use, ISO 26262 does. So when planning to use AUTOSAR C++ for streamlining the compliance with ISO 26262, it is recommended to pick a static analysis solution that supports end-users with appropriate certificates and a qualification kit.
Summary
Following a coding standard like AUTOSAR C++ 14 can help organizations achieve compliance with ISO 26262, as there are multiple methods and requirements defined in the ISO 26262 standard that can be satisfied by conforming to the AUTOSAR coding guidelines.
AUTOSAR C++ 14 provides dedicated traceability tables that demonstrate the mapping between ISO 26262 requirements and the coding guidelines, and teams wishing to streamline their ISO 26262 compliance efforts by applying AUTOSAR C++ coding guidelines need to be well informed when they select the static analysis tools for use. Of utmost importance to the success of compliance, the static analysis tool should provide: high coverage of the guidelines in the static analysis checkers, advanced flow analysis technology, and support for the end-user in the tool qualification process.