How to comply with ISO26262 efficiently By Steve Barriault –

Transcription

How to comply with ISO26262 efficiently
– the case for highly automated testing
By Steve Barriault
Technical Sales & Marketing Manager – Asia
© Vector Software Inc, all rights reserved.
Company introduction
• Founded in 1990 in Rhode Island by embedded engineers
• First release of VectorCAST in 1994
• VectorCAST provides unit and integration testing, as well as system test
coverage tools that are uniquely automated
• These tools can be run on a host, a simulator or directly on a target
• Have worldwide offices and representation
Netherlands
Sweden
Rhode Island
Japan
Georgia
Korea
Arizona
China
London
France
Italy
India
Israel
Software testing under ISO 26262
• ISO 26262 is IEC 61508 adapted to the needs of
the Automotive Industry
• Adopts a similar approach to software testing and
code coverage requirements to other, longer-lived
standards (such as DO-178B)
• The challenge: meet its requirements in an
industry where deadlines are coming up much
faster than in Aerospace
– In order to achieve success, efficiency will be key!
Our experience with standards
• Our roots are in the Aerospace industry, where our
15+ years of experience have enabled us to work with all
the leading organizations
• Our Automotive business is expanding quickly, with
a growing list of companies using VectorCAST
Tests in ISO 26262
Activities, by Goal:
• Requirements-based testing
• Interface testing
• Fault injection test
• Resource usage test (*)
Activities, by Scope:
• Unit test
• Integration test
• System test
Metrics:
• Structural code coverage
• Test-requirement association
(*) Source: Tables 12 and 15: Methods for software unit/integration testing
Requirements-based testing
• Ensures that the software fulfills its mission
– Sometimes called functional test
• Strongly recommended for all levels of ASIL, for both unit
and integration testing
• Stubbing can be performed to enhance your ability to test
low-level requirements in isolation
– They “replace” your existing code so you can better control your
inputs and outputs in the code
– But stubs can take a long time to be generated with scripting-based
tools
– With VectorCAST, the stubs are automatically generated in seconds,
with no user input whatsoever
Requirements-based testing
• The link between the requirement and the test case should
ideally be documented
– In VectorCAST, it can be. Our unit and integration tests can be linked
to specific requirements.
– The test case data (PASS|FAIL) that demonstrate requirements can
be uploaded to a requirement management system such as DOORS
(Figure: DOORS® requirements Req. 1, Req. 2 and Req. 3 are linked to VectorCAST test cases Test 1, Test 2 and Test 3; execution on host, simulator or target returns a PASS/FAIL result for each requirement)
External interface test
• External Interface Testing is a subset of functional testing.
• Highly recommended for all ASIL levels, both unit and
integration
• It verifies that:
– Functions send data out in the appropriate format and delivery
mechanism
– Functions that receive data in the appropriate format perform
correctly
– The behavior when receiving data that is not formatted correctly is
known
• Can also be tested by VectorCAST
Other types of test
• Fault injection test:
– Deliberately inject arbitrary faults to test safety mechanisms
(ex: by corrupting values of variables)
– Recommended for unit/integration testing,
strongly recommended for ASIL D (and C in integration)
– In VectorCAST, you can provide test cases that have faulty values and
verify that the defensive code gets invoked
• Resource usage test:
– Often only doable on target, or at least on a simulator
– Recommended for unit/integration testing
– Strongly recommended for ASIL D
– Our superior degree of target integration can also help you do some
of this, but perhaps not all
Generating test case values
• Based on requirements
– Strongly recommended for all ASIL, unit/integration test
• Equivalence classes:
– This method may be used to partition possible input values of
external interfaces
– Strongly recommended ASIL B, C and D
– VectorCAST has a facility to generate automatically such partitioned
test cases
• Error guessing:
– Here, the tester targets the parts of the code that are suspected to be
error-prone
– Only “recommended” (not “strongly recommended”) for all ASIL levels
– Also easily possible in VectorCAST
Generating test case values
• Analysis of boundary values
– Try values approaching, at, or crossing the boundaries, including
out-of-range values
– Can mean the type range or the functional range
– Strongly recommended for ASIL B, C and D
• VectorCAST has extensive tools to do this
– Auto-generation of MIN-MID-MAX test cases for all the extreme
variable type values
– Import from CSV functional range values – and execution of these in
test cases
Code coverage
• Lets you know when you have been “testing enough”
• Different criteria that require more or fewer test cases to
achieve
• VectorCAST supports all three criteria recommended by
ISO 26262 (and the “other criteria” – function/call coverage)
– Statement: one test case minimum to execute one line of code
– Branch: at a decision point, both TRUE and FALSE to be executed
– MC/DC: all operands must independently affect the outcome of the
condition
How coverage criteria stack up
Decision under test: if((a || b) && c)
• Statement
– Line of code executed at least once
– 1 test case required
• Branch
– Both the TRUE and FALSE branches are executed
– 2 test cases required
• MC/DC
– All operands can independently affect the outcome
– At least n+1 test cases required (n = number of operands)
Test cases shown on the slide (a, b, c, RESULT):
a | b | c | RESULT
F | F | T | F
T | F | T | T
F | T | T | T
F | T | F | F
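As an added example (not the slide's or VectorCAST's code), the C program below checks constructed test sets for the decision if((a || b) && c) against branch coverage and unique-cause MC/DC: two cases are enough for branch coverage, while the four cases of the slide's table (n+1 for n = 3 operands) are needed before every operand is shown to independently affect the outcome.

```c
#include <stdbool.h>
#include <stdio.h>

/* The decision from the slide, as a plain C function (constructed example). */
bool decision(bool a, bool b, bool c) { return (a || b) && c; }

typedef struct { bool a, b, c; } Vec;   /* one test case: operand values */
static bool operand(const Vec *v, int i) { return i == 0 ? v->a : (i == 1 ? v->b : v->c); }
static bool outcome(const Vec *v) { return decision(v->a, v->b, v->c); }

/* Branch coverage: the decision must be observed both TRUE and FALSE. */
bool branch_covered(const Vec *t, int n) {
    bool seen_true = false, seen_false = false;
    for (int i = 0; i < n; i++) {
        if (outcome(&t[i])) seen_true = true; else seen_false = true;
    }
    return seen_true && seen_false;
}

/* Unique-cause MC/DC: for every operand there must be a pair of test cases that
   differ in that operand only and whose outcomes differ (independent effect). */
bool mcdc_covered(const Vec *t, int n) {
    for (int op = 0; op < 3; op++) {
        bool shown = false;
        for (int i = 0; i < n && !shown; i++) {
            for (int j = 0; j < n && !shown; j++) {
                bool others_equal = true;
                for (int k = 0; k < 3; k++)
                    if (k != op && operand(&t[i], k) != operand(&t[j], k)) others_equal = false;
                if (others_equal && operand(&t[i], op) != operand(&t[j], op) &&
                    outcome(&t[i]) != outcome(&t[j]))
                    shown = true;
            }
        }
        if (!shown) return false;   /* this operand's independent effect was never demonstrated */
    }
    return true;
}

/* Constructed test sets: the two-case set reaches branch coverage only; the
   four-case set is the slide's table and also reaches MC/DC. */
const Vec branch_set[2] = { {true, true, true}, {false, false, false} };
const Vec mcdc_set[4]   = { {false, false, true}, {true, false, true},
                            {false, true, true}, {false, true, false} };

int main(void) {
    printf("2 cases: branch=%d mcdc=%d\n", branch_covered(branch_set, 2), mcdc_covered(branch_set, 2));
    printf("4 cases: branch=%d mcdc=%d\n", branch_covered(mcdc_set, 4), mcdc_covered(mcdc_set, 4));
    return 0;
}
```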
Knowing what needs to be done!
• Green: Fully covered (good)
• Red: Not covered (bad)
• Orange: Partially covered (?)
Coverage criteria build on each other as software criticality increases:
Statement (+/- critical software), plus Branch, plus MCDC (very critical software)
What you get - Automaticity
• Unit test environments are generated automatically:
– All drivers and stubs generated with NO user input
• Constructing a test case is done through point and click OR CSV
– NO scripting of ANY kind
• Both Black Box and White Box are allowed
• Execution on target is done 100% automatically
– You click a button, and the rest is done for you
• Execution reports are generated 100% automatically
• Both GUI and command line are available
• Re-running any test environment in regression mode is automatic, even
if the test cases are modified, or if the underlying code is modified
– Regression testing is completely automated
What you get - Flexibility
• Full, guaranteed support for C/C++ of ANY complexity
• Users can control the value of ALL parameters, return values, global
data and data coming from stubs – even for pointers, exceptions, etc.
• Can test individual values, special values (NAN, positive infinity, etc.),
ranges of values, lists of values, or even call code to generate Monte Carlo-style test cases
• Can create complex test cases that set state machines and test their
transition from one state to another (compound test cases)
• Creation of test cases from CSV
• Automatic test case generation based on basis path analysis, MIN-MID-MAX, and more, to give you a leg up on structural coverage
• Code coverage is displayed in an easy-to-understand way
Other capabilities you get…
• The ability to test libraries – even if you don’t have access to the code!
• The capability to test as you develop (agile development), or even to first
write test cases before writing code (test-driven development)
• The debugger can be used to control test case execution (so the tool
becomes a test vector generator for debugging too)
• The ability to perform timing calculations, in some conditions can also
be done while other processes from the OS are executing
• The ability to stub library functions, if desired…
• … and much more
Quite simply, you are getting a complete test bench that
enables you to comply with ISO 26262 efficiently, so you
can still meet demanding deadlines!
What about tool qualification?
• ISO 26262 Part 8, Section 11 mentions tool qualification
– The objective of the qualification of software tools is to provide evidence of
software tool suitability for use when developing a safety-related item or
element, such that confidence can be achieved in the correct execution of
activities and tasks required by ISO 26262
• Depends on how critical the tool’s reliability is to the quality
of the code
• Process more flexible than DO-178B, but if you need tool
qualification, Vector Software has a long experience of
providing this service
– We can provide you documents demonstrating the tool performance
as adequate in your environment: same compiler version, board,
debugger, and tool version
Conclusion
• ISO 26262 contains a number of recommendations that
have been proven effective in other industries
– It does not reinvent the wheel but builds on a rich heritage to customize a
unique standard to the needs of the Automotive industry
• Unit/integration testing and code coverage can be very time-intensive, which no one in this industry can afford!
• The only way to meet ISO 26262, increase code quality and
still meet your deadlines is to invest in test automation
– Fortunately, VectorCAST tools have both the automation and
flexibility required for you to achieve ISO 26262 compliance in a
timely manner
Questions?