Abstract
Automotive manufacturers and their suppliers increasingly need to
follow the objectives of ISO 26262, as it is now state of the art and as
an ever-increasing number of active and passive
safety systems are developed within cars. This has increased the need
to define a safe system development process. This paper proposes a
model-based approach including automatic and certified code
generation to efficiently implement the embedded software that
controls these systems while meeting the needed safety requirements
and obeying the rules of ISO 26262.
Introduction
This paper presents an approach for the development of ISO 26262
[1] compliant software applications based on Model-Based Design
(MBD) and certified Automatic Code Generation (ACG). When using
such a method, strong benefits can be achieved in reducing software
verification costs while meeting the objectives of ISO 26262 at the
highest ASIL levels.
After a brief summary of the ISO 26262 standard, the paper presents
a detailed analysis of what is really expected by the standard for tool
qualification, with strong emphasis on having a Safety Case that takes
into account the various stakeholders, i.e. the tool developer, the tool
installer and the tool user, considering all possible failure conditions
and mitigation actions by performing hazard analysis and risk
assessment using a method such as HAZOP [3].
According to the standard, a Safety Case has been built for the
qualification of the Automatic Code Generator (ACG) and it has
shown the various mitigation actions that should be taken. It is clearly
demonstrated that if we want the tool users not to perform low level
verification activities such as application software code reviews and
code level testing, a number of precise actions have to be taken by the
tool developer in order to provide the required tool confidence level.
This typically includes tool code reviews and tool structural code
coverage. Therefore, any tool qualification method that would only
rely on “validation of the software tool” cannot meet these objectives
for the tool user. The methods that consist of performing “tool
development in accordance with a safety standard” such as ISO
26262 or DO-178C [2] will allow us to meet the objectives that we
have described above. However, ISO 26262 allows for an appropriate
combination of methods to achieve this.
In a final section of the paper we present a complete SCADE MBD
flow relying on the existence of the certified ACG and a few typical
industrial use cases of safety-related applications such as advanced
driver assistance systems (ADAS).
The Purpose, Organization and Requirements of ISO 26262
In a context where safety is one of the key issues in automobile
development, the ISO 26262 standard provides the following for the
development of safety-related systems:
• the definition of an automotive safety lifecycle
• a risk-based approach based on Automotive Safety Integrity
Levels (ASIL) from D representing the highest level to A the
lowest level
• and the use of ASILs for specifying the applicable requirements
of ISO 26262 to be met while developing the system so as to
avoid unreasonable residual risks.
Let us now briefly describe the following three topics in the standard:
• the ISO 26262 concept phase
• the ISO 26262 requirements for product development
• and the ISO 26262 tool qualification process.
The ISO 26262 Concept Phase
Part 3 of ISO 26262 describes the requirements of the concept
phase. Assuming an item has been identified, safety analyses
are carried out on the basis of the item definition and the safety
concept is derived from it.

The objective of the “Hazard analysis and risk assessment phase” is
to identify and categorize the potential hazards of the item and
formulate safety goals to prevent or mitigate hazards in order to
achieve acceptable risk.

CITATION: Dion, B., “A Cost-Effective Model-Based Approach for Developing ISO 26262 Compliant Automotive Safety Related
Applications,” SAE Technical Paper 2016-01-0138, 2016, doi:10.4271/2016-01-0138.