automatisiertensoftwaretests

Similar documents
By V-cubed Solutions, Inc. Page1. All rights reserved by V-cubed Solutions, Inc.

CERTIFIED. Faster & Cheaper Testing. Develop standards compliant C & C++ faster and cheaper, with Cantata automated unit & integration testing.

Formal Verification and Automatic Testing for Model-based Development in compliance with ISO 26262

Using Model-Based Design in conformance with safety standards

Simulink 모델과 C/C++ 코드에대한매스웍스의정형검증툴소개 The MathWorks, Inc. 1

Entwicklung zuverlässiger Software-Systeme, Stuttgart 30.Juni 2011

Standardkonforme Absicherung mit Model-Based Design

IBM Rational Rhapsody

A Model-Based Reference Workflow for the Development of Safety-Related Software

Vector Software. Using VectorCAST to Satisfy Software Verification and Validation for ISO W H I T E P A P E R

Verification and Test with Model-Based Design

Tools and Methods for Validation and Verification as requested by ISO26262

SOFTWARE QUALITY ASSURANCE TOOLS & TECHNOLOGY PROFESSIONAL SERVICES ACADEMY. Feature Brief. Wrapping

Compiler in sicherheitsrelevanten Projekten Was bedeutet das für die Testumgebung?

Automating Best Practices to Improve Design Quality

Leveraging Formal Methods Based Software Verification to Prove Code Quality & Achieve MISRA compliance

Certified Automotive Software Tester Sample Exam Paper Syllabus Version 2.0

Fault-Injection testing and code coverage measurement using Virtual Prototypes on the context of the ISO standard

Deriving safety requirements according to ISO for complex systems: How to avoid getting lost?

Leveraging Formal Methods for Verifying Models and Embedded Code Prashant Mathapati Application Engineering Group

Best Practices Process & Technology. Sachin Dhiman, Senior Technical Consultant, LDRA

Functional Safety beyond ISO26262 for Neural Networks in Highly Automated Driving

Automating Best Practices to Improve Design Quality

Verification and Validation of Models for Embedded Software Development Prashant Hegde MathWorks India Pvt. Ltd.

Verification and Validation of High-Integrity Systems

Jay Abraham 1 MathWorks, Natick, MA, 01760

ISO Compliant Automatic Requirements-Based Testing for TargetLink

Software architecture in ASPICE and Even-André Karlsson

From Design to Production

Production Code Generation and Verification for Industry Standards Sang-Ho Yoon Senior Application Engineer

Automatización de Métodos y Procesos para Mejorar la Calidad del Diseño

GNAT Pro Innovations for High-Integrity Development

What s New with the MATLAB and Simulink Product Families. Marta Wilczkowiak & Coorous Mohtadi Application Engineering Group

ISO compliant verification of functional requirements in the model-based software development process

Intro to Proving Absence of Errors in C/C++ Code

Report. Certificate Z

Considerations in automotive embedded development Global Automotive Director Kiyo Uemura

Guidelines for deployment of MathWorks R2010a toolset within a DO-178B-compliant process

Don t Be the Developer Whose Rocket Crashes on Lift off LDRA Ltd

Formal Verification for safety critical requirements From Unit-Test to HIL

Verification, Validation, and Test with Model-Based Design

Increasing Design Confidence Model and Code Verification

Simulation-based Test Management and Automation Sang-Ho Yoon Senior Application Engineer

IBM Rational Rhapsody

IBM Rational Rhapsody. IBM Rational Rhapsody Kit for ISO 26262, IEC 61508, IEC and EN Overview. Version 1.9

GAIO. Solution. Corporate Profile / Product Catalog. Contact Information

Objectives. Chapter 19. Verification vs. validation. Topics covered. Static and dynamic verification. The V&V process

Implementation and Verification Daniel MARTINS Application Engineer MathWorks

Model-Based Design for High Integrity Software Development Mike Anthony Senior Application Engineer The MathWorks, Inc.

DO-178C / ED-12C Model Based Supplement. Pierre Lionne, SC-205 / WG-71 SG-4 Co-Chairman 1 Nov. 2011

Darshan Institute of Engineering & Technology for Diploma Studies

TESSY and ISO TESSY White Paper Author: Frank Büchner. How TESSY helps to achieve ISO compliance

Increasing Embedded Software Confidence Model and Code Verification. Daniel Martins Application Engineer MathWorks

Verification and Validation

StackAnalyzer Proving the Absence of Stack Overflows

WHITE PAPER. 10 Reasons to Use Static Analysis for Embedded Software Development

SOFTWARE QUALITY. MADE IN GERMANY.

Guidelines for Writing C Code

Seven Roadblocks to 100% Structural Coverage (and how to avoid them)

Proposal of a software coding analysis tool using symbolic execution for a railway system

Frequently Asked Questions. AUTOSAR C++14 Coding Guidelines

Architecture-driven development of Climate Control Software LMS Imagine.Lab Embedded Software Designer Siemens DF PL

CTFL -Automotive Software Tester Sample Exam Paper Syllabus Version 2.0

SCADE. SCADE Suite Tailored for Critical Applications EMBEDDED SOFTWARE

Static Analysis in C/C++ code with Polyspace

Ian Sommerville 2006 Software Engineering, 8th edition. Chapter 22 Slide 1

Developing AUTOSAR Compliant Embedded Software Senior Application Engineer Sang-Ho Yoon

Tool Safety Manual for Testwell CTC++

Alexandre Esper, Geoffrey Nelissen, Vincent Nélis, Eduardo Tovar

Simulink 를이용한 효율적인레거시코드 검증방안

Using Code Coverage to Improve the Reliability of Embedded Software. Whitepaper V

Don t Judge Software by Its (Code) Coverage

Automatic Qualification of Abstract Interpretation-based Static Analysis Tools. Christian Ferdinand, Daniel Kästner AbsInt GmbH 2013

Safety Argument based on GSN for Automotive Control Systems. Yutaka Matsubara Nagoya University

Part I: Preliminaries 24

Structural Coverage Analysis for Safety-Critical Code - Who Cares? 2015 LDRA Ltd 1

Functional Safety Design Packages for STM32 & STM8 MCUs

CERTIFICATION ISSUES IN AUTOMOTIVE SOFTWARE

MISRA C:2012 WHITE PAPER

By Matthew Noonan, Project Manager, Resource Group s Embedded Systems & Solutions

Atollic TrueINSPECTOR. Improve software quality with static source code inspection!

Testing: Test design and testing process

SPECIFIC PROVISIONS FOR THE ACCREDITATION OF CERTIFICATION BODIES IN THE FIELD OF FOOD SAFETY MANAGEMENT SYSTEMS

How to get to 100% code coverage

Understanding SW Test Libraries (STL) for safetyrelated integrated circuits and the value of white-box SIL2(3) ASILB(D) YOGITECH faultrobust STL

1 Visible deviation from the specification or expected behavior for end-user is called: a) an error b) a fault c) a failure d) a defect e) a mistake

Testing: (A Little) Logic Coverage

LATEST ISO UPDATE Focusing on Concurrency. Heiko Doerr MGI Group, 06. December 2016

Enabling Safe, Secure, Smarter Cars from Silicon to Software. Jeff Hutton Synopsys Automotive Business Development

MISRA-C Compliance Matrix _ Using PC Lint

SOFTWARE QUALITY OBJECTIVES FOR SOURCE CODE

Final Presentation AUTOCOGEQ GMV, 2017 Property of GMV All rights reserved UNCLASSIFIED INFORMATION

VDE Testing and Certification Institute

O B J E C T L E V E L T E S T I N G

Inhalt. Description of Certification Procedure ISO 22000, HACCP and DIN 15593

Safety and Reliability of Software-Controlled Systems Part 14: Fault mitigation

Written exam TDDD04 Software Testing

MONIKA HEINER.

Formal Methods and their role in Software and System Development. Riccardo Sisto, Politecnico di Torino

Report. Certificate M6A SIMATIC S7 Distributed Safety

Transcription:

FunktionaleSicherheitmit automatisiertensoftwaretests SOFTWARE CONSIDERATIONS IN AIRBORNE SYSTEMS AND EQUIPMENT CERTIFICAION RTCA DO-178B RTCA Dynamisch& Statisch 0

Agenda Übersicht über Sicherheitsstandards und deren Inhalte Referenz zum V-Modell ISO 26262 Dynamische Tests Methoden Dynamische Analyse Testfallerstellung ISO 26262 Statische Analyse Implementierungsvorgaben Verifizierungsmethoden MISRA 1

Software Development Lifecycle System Requirements Architectural Design Detailed Design Unit Design Code Unit Test Static Analysis Integration Test System Test Acceptance Test Verification Order 1 Does code meet the quality standard? Static Analysis 2 Does code do what it should? Functional Requirements Testing Non-functional Requirements Testing 3 Does code not do what it should not? Robustness Testing 4 Is code tested enough? Structural Coverage Testing 2

Testing Methods by Safety Standard Sector Testing Methods ISO 26262 DO-178B/C IEC 62304 IEC 61508 EN 50128 IEC 60880 Static Analysis Requirements based tests Data / Control Flow interfaces State Transition Resource Usage test Timing tests Equivalence Partitioning Boundary Value Analysis Error Guessing Error Seeding / Fault Injection Structural Coverage testing 3

ISO 26262 6 Software Safety Requirements 11 Verification of Software Safety Requirements To verify embedded software fulfils the software safety requirements 7 Software Architectural Design 10 SW Integration Tests To verify software architectural design is correctly realised by the embedded software 8 9 Software Unit Design SW Unit Tests Verify units fulfil the software unit specifications and do not contain undesired functionality. 8 Code Implementation Part 6: Product Development at the software level Tables 10-15 4

Dynamic Testing 5

ISO 26262 Dynamic Testing - Methods ISO 26262 Tables 10 & 13 Methods for software unit & integration testing Methods ASIL A ASIL B ASIL C ASIL D 1a. Requirement-based test ++ ++ ++ ++ 1b. Interface test ++ ++ ++ ++ 1c. Fault injection test * + + + ++ 1d. Resource usage test + + + ++ 1e. Back-to-back comparison test between model and code (if applicable) + + ++ ++ * This includes injection of arbitrary faults (e.g. by corrupting values of variables, by introducing code mutations, or by corrupting values of CPU registers). 9.4.3 / 10.4.3 The software unit / integration test methods listed in Table 10/13 shall be applied to demonstrate that both the software components and the embedded software achieve: d) robustness; EXAMPLE Absence of inaccessible software; effective error detection and handling. 6

Interface Simulation Fault Injection - Simulation A function/method inside test script with programmable instances Stub, (mock, fake, etc) replaces called object interface at link time with dummy code Check Parameters Check Call Order Source Code Choose Return Parameter value(s) Raise Exceptions Stub Called Object 7

Interface Interception Fault Injection - Interception A function/method inside test script with programmable instances Wrapper intercepts specific calls to and uses real called objects at run time Wrapper Check Out Parameters Check Call order BEFORE Modify Out Parameters Set other pre-conditions Source Code Called Object Modify In Parameters and Return AFTER Check In Parameters and Return Set / check other post-conditions 8

Where to control Fault Injection - Integration Test Options Integration Test Entry-point Where to start driving from the test? Test Script Simulation Stubs for calls to items not integrated Interception Unit B Unit A Unit C Unit D Global Data Wrappers for specific calls to integrated items Unit E Unit F Unit G Unit H Unit I Unit J 9

Fault Injection - Integration Testing Order Top-Down / Bottom-Up / As-One What order can they be tested in? What dependencies does that test bring? Top-Down Parents tested first & sub-units simulated then used to call sub-units Unit A Global Data Bottom-Up As-One Test script drives child-units then tested sub-units used in higher tests Unit B Unit C Unit E Unit D Unit F Unit G Wrapping Interceptions can check all interactions in any order Unit H Unit I Unit J 10

ISO 26262 Dynamic Analysis ISO 26262 Tables 12 & 15 Structural Coverage Metrics at the software unit & architecture levels Methods ASIL A ASIL B ASIL C ASIL D 1a. Statement coverage ++ ++ + + 1b. Branch coverage + ++ ++ ++ 1c. MC/DC Modified Condition/Decision Coverage) + + + ++ 1a. Function coverage + + ++ ++ 1b. Call Coverage + + ++ ++ 9.4.5 To evaluate the completeness of test cases and to demonstrate that there is no unintended functionality, the coverage of requirements at the software unit level shall be determined and the structural coverage shall be measured in accordance with the metrics listed in Table 12. If the achieved structural coverage is considered insufficient, either additional test cases shall be specified or a rationale shall be provided. 10.4.5 To evaluate the completeness of tests and to obtain confidence that there is no unintended functionality, the coverage of requirements at the software architectural level by test cases shall be determined. If necessary, additional test cases shall be specified or a rationale shall be provided. 10.4.6 To evaluate the completeness of test cases and to obtain confidence that there is no unintended functionality, the structural coverage shall be measured in accordance with the metrics listed in Table 15. If the achieved structural coverage is considered insufficient, either additional test cases shall be specified or a rationale shall be provided. 11

Pin-point Analysis Simple Standards Compliance Rule-Sets for safety standards and SILs Metrics: Standalone or integrated with test suite Powerful drill-down views, filters and reports Automatic test case coverage optimization Structural Code Coverage Entry-Points Statements Decisions Call Returns Relational Operators Loops Conditions (inc.masking + unique cause MC/DC) 12

Unit Test HiL Example Approach for HiL Testing Example controlling colours of an LED Low-level calls to read / write operations on the LED port Automatically interceptingreturn from LED to modify the call behavior at run time (HiL) Injects faulty error conditions back to controlling function to achieve desire code coverage Use of Fault Injection to achieve Code Coverage Wrapping interception to inject fault Code coverage of HW errors becomes achievable with HiL 13

ISO 26262 Dynamic Testing Deriving Test Cases ISO 26262 Tables 11 & 14 Methods for deriving test cases for software unit & integration testing Methods ASIL A ASIL B ASIL C ASIL D 1a. Analysis of requirements ++ ++ ++ ++ 1b. Generation and analysis of equivalence classes + ++ ++ ++ 1c. Analysis of boundary values + ++ ++ ++ 1d. Error guessing + + + + 9.4.3 / 10.4.3 The software unit / integration test methods listed in Table 10/13 shall be applied to demonstrate that both the software components and the embedded software achieve: a) compliance with the software unit / architectural design specification b) compliance with the specification of the hardware-software interface c) the specified functionality ISO 26262 Tables 12 & 15 Structural Coverage Metrics at the software unit & architecture levels Methods ASIL A ASIL B ASIL C ASIL D 1a. Statement coverage ++ ++ + + 1b. Branch coverage + ++ ++ ++ 1c. MC/DC Modified Condition/Decision Coverage) + + + ++ 14

Automating Requirements Testing Example Requirements Specification Req Description LLRq_01 system_valid() shall be called to determine if input parameters are currently valid to use in calculations LLRq_02 when system_valid() returns OK [0] checked_status [GD int] shall be set to OK [0] LLRq_03 when system_valid() returns ERROR [3], checked_status [GD int] shall be set to ERROR [3] LLRq_04 when result of paramse/(c+d) = zero, share [GD double] shall be set to ERROR [3] LLRq_05 when result of paramse/(c+d) zero, share [GD double] shall be set to result value LLRq_06 warning level ERROR [3] shall be returned when check_status[gd int] is set to ERROR [3] LLRq_07 warning level ERROR [3] shall be returned when share [GD double] is set to ERROR [3] LLRq_08 warning level OK [0] shall be returned unless either check_status[gd int] or share [GD double] are set to ERROR [3] LLRq_09 warning level TOO_LOW [1] shall be returned when average of paramsfirst_a& second_a <11.25 LLRq_10 warning level TOO_LOW [1] shall be returned when average of paramsfirst_b& second_b <13.25 LLRq_11 warning level TOO_HIGH [2] shall be returned when average of paramsfirst_a& second_a >15.25 LLRq_12 warning level TOO_HIGH [2] shall be returned when average of paramsfirst_b& second_b >18.25 Unit Design Code Unit Test Implementation values_check.c int values_check() low_value_check() high_value_check() average_a average_b values_check.h int checked_status double share Testing Objectives Test cases which verify requirements Test cases which are traced to requirements (requirements coverage) Test cases which exercise all the software (code coverage) 15

Code Implementation Input parameters: first _a second _a first_b second_b c d e Return int high (1) not (0) Return -int OK (0) ERROR (3) External Function system_ valid () values_ check() checked Global data -int status = ERROR (3) or = OK (0) share Return int low (1) not (0) Global data - double = value of e/(c+d) or = ERROR (3) Return int OK (0) TOO_LOW (1) TOO_HIGH (2) ERROR (3) average_a high_value _check() average_b low_value _check() 16

Automatic Test Generation Generate Tests from Code Compile source with Cantata enabled Select Source Files(s) to Test Cantata Makefiles Source Files PARSE.csi Test Scripts AutoTest Algorithm AutoTest Generation Report 17

Map Tests to Requirements Requirements Tracing Bi-Directional Requirements Traceability Imports requirements data to Cantata server Text, images & hyperlinks Drag & drop assignment Controlled export with results status and coverage Requirements Management Tools Integrated with Requirements Tools All Copyright and Trademarks of their respective owners are acknowledged 18

Static Analysis 19

ISO 26262 Implementation Principles ISO 26262 Table 8 Design principles for software unit design and implementation Methods ASIL A ASIL B ASIL C ASIL D 1a. One entry and one exit point in subprograms and functions ++ ++ ++ ++ 1b. No dynamic objects or variables, or else online test during their creation + ++ ++ ++ 1c. Initialization of variables ++ ++ ++ ++ 1d. No multiple use of variable names + ++ ++ ++ 1e. Avoid global variables or else justify their usage + + ++ ++ 1f. Limited use of pointers 0 + + ++ 1g. No implicit type conversions + ++ ++ ++ 1h. No hidden data flow or control flow + ++ ++ ++ 1i. No unconditional jumps ++ ++ ++ ++ 1j. No recursions + + ++ ++ 8.4.4 The software unit design and implementation at the source code level as listed in Table 8 shall be applied to achieve the following properties: c) correctness of data flow and control flow between and within the software units; NOTE For the C language, MISRA C covers many of the methods listed in Table 8. 20

ISO 26262 Static Analysis Verification Methods ISO 26262 Table 9 Methods for the verification of software unit design and implementation Methods ASIL A ASIL B ASIL C ASIL D 1a. Walk-through ++ + 0 0 1b. Inspection + ++ ++ ++ 1c. Semi-formal verification + + ++ ++ 1d. Formal verification 0 0 + + 1e. Control flow analysis + + ++ ++ 1f. Data flow analysis + + ++ ++ 1g. Static code analysis + ++ ++ ++ 1h. Semantic code analysis + + + + 8.4.5 The software unit design and implementation shall be verified in accordance with Clause 9, and by applying the verification methods listed in Table 9 to demonstrate: d) the compliance of the source code with the coding guidelines (see 5.5.3); and e) the compatibility of the software unit implementations with the target hardware 21

Example Approach for Initialization of Variables Static Analysis of C Code Select rule configuration Select level of data flow analysis Synchronize project to import source files Select and analyze source file(s) Review results Uninitialized variables and others Use of Static Analysis to detect uninitialized variable Identify root cause of violation MISRA compliance rules and learning 22

MISRA Standards MISRA Motor Industry Software Reliability Association MISRA C MISRA C++ 1998 -Guidelines for the use of the C language in vehicle based software MISRA C:1998 (MISRA C1) 2004 -MISRA C:2004 Guidelines for the use of the C language in critical systems MISRA C:2004 (MISRA C2) 2013 -MISRA C:2012 Guidelines for the use of the C language in critical systems MISRA C:2012 (MISRA C3) 159 rules of which 138 are statically enforceable 2008 -Guidelines for the use of the C++ language in critical systems 228 rules of which 219 are statically enforceable 23

MISRA C MISRA C Contents Environment and character sets Comments and Naming Types and Constants Declarations and definitions Initialization and Operators Conversions and expressions Control flow and functions Preprocessor Pointers and arrays Structures and unions Standard libraries MISRA C Divisions Directives Rules MISRA C Classification Mandatory Required Advisory 24

Integrated & Synchronized Dynamic & Static Synchronize Static Analysis & Dynamic testing Cantata and QA Framework installed in same Eclipse IDE. Automatic make file trigger of QA-C or QA-C++ analysis during dynamic testing. As code changes both types of verification are automatically triggered 25

Bosch Case Study Static Analysis Combination of Code review Compiler QA-C Verification of Functional requirements Coding guidelines Lexical correctness Syntax Semantics Complexity Dynamic Testing Combination of Functional test tool Cantata Verification of Functional Requirements Interfaces Code Coverage AutoTest generated test cases Verification of low level requirements Reduced effort for functional tests Continuous Integration & Testing Static Analysis & Dynamic Testing Continuous Testing Process Achievement of sustained quality improvement 26

Easing your Path to Certification ISO 26262 Tool Certification Kits Cantata and QA-C/C++ have been certified by SGS-TÜV SAAR GmbH, an independent third party certification body for functional safety, accredited by Deutsche Akkreditierungsstelle GmbH (DAkkS) For all the main software safety standards 27

Questions? Thank you Wolfram Kusterer Sales Manager wolfram.kusterer@qa-systems.de 28

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback