How Safe does my Code Need to be? Shawn A. Prestridge, Senior Field Applications Engineer

Transcription

1 How Safe does my Code Need to be? Shawn A. Prestridge, Senior Field Applications Engineer

2 Agendum What the benefits of Functional Safety are What the most popular safety certifications are Why you should care if your development tools are FS-certified How development tools are FS-certified How FS-certified tools will speed your path to your own certification What you get with EWARM-FS How do I certify my own application? Coding standards with MISRA C Avoiding dark corners of C Summary

3 What the benefits of Functional Safety are

4 Why should I seek a certification? Reduce liability risks associated with your application Reduce odds of product recall Reduce number of firmware updates Ensure compliance with international standards and requirements Protects your company s reputation Also protects your company s bottom line

5 Certifications make you consider your design carefully Some certifications define failure modes and how to recover from them Others make you ponder ways in which your software could fail and how best to recover You must carefully outline these modes for review by a certification-granting entity to show you understand the risks

6 Types of Safety Certifications

7 What types of safety certifications are there? The short answer is that there are many: Each one caters to a specific industry or product category You have to find which one is right for your product The two most broad-reaching certifications are ISO and IEC They cover road vehicles & electronic safety-related systems respectively Most functional safety development tools aim for these two certifications because they cover almost all other certifications and industries

8 What do these safety standards do? These standards provide: Processes to assess risk for safety critical systems and assign safety goals Best practice development process requirements in order to reduce systematic failures Frameworks for quantitative analysis of random failure rates and effectiveness of diagnostic measures to detect random failure Ongoing procedures to ensure functional safety after product deployment In short, they outline how to identify and deal with risks and they require FS-certified tools

9 Functional Safety certifications for development tools

10 What does it mean if my tool is FS-certified? It means that your development tool has gone through a rigorous qualification process to ensure that it produces reliable and repeatable results when compiling your code. Additionally, it means: Development processes are in place to manage how the tool works with specific requirements put forth by different functional safety standards There are test and quality measures of the tool show validation of compliance with different language standards

11 What does it mean if my tool is FS-certified? It also means: There are specific processes and metrics in place to handle issues reported from the field and how users are updated about known issues A safety manual is provided to show proof-of-compliance with standards and how to operate the development tool to comply with FS standards Assessment takes into consideration how many developers are using the toolchain to ensure it has a broad user-base

12 How do I certify my current toolchain? The certification process is rather rigorous. The IEC standard details how support tools should be qualified in Section 7.4.4, but it is rather ambiguous on how a compiler should be qualified. Consider clause : The selected programming language shall have a translator which has been assessed for fitness for purpose including, where appropriate, assessment against the international or national standards. These and other stipulations make it difficult to certify a tool on your own and can result in significant work on your part to prove fitness and even more work to document why you think you have proven fitness! This only gets worse as you try to achieve higher and higher SIL safety levels.

13 How does using an FS-certified tool speed my certification?

14 How does the tool speed my certification? The simple answer is that it removes the requirement that you have to prove your toolchain complies with the safety standard. It also means that your test-and-fix phase of the Software Development Lifecycle (SDLC) can focus on finding bugs in your source code instead of wondering if a compiler issue is causing your problems Certified service packs mean that you don t have to recertify the tool to get added functionality to your toolchain

15 How much time and money can it save me? Quite a bit! As we ve seen previously, some of the requirements for tool certification can be a bit nebulous, so you avoid the backand-forth with your certifying entity. Tool certifications can take up to 6-12 months of calendar time and occupy several employees, nominally 2-5: Also places extra testing requirements on each project using the tool The actual numbers will depend on which SIL your project requires By using a tool that is FS-certified, you only need to certify your application which frees people from also needing to prove the development tools, which can save you upwards of $100k US.

16 What you get with EWARM-FS

17 What do I get with EWARM-FS? The benefits of using the functional safety version are: A complete build chain that is certified by TŰV SŰD to comply with the requirements for tools selection in IEC and ISO A report that accompanies the certificate that states under what circumstances the certificate is valid A test report that shows how the tool was tested to demonstrate compliance

18 What do I get with EWARM-FS? You also get: A compiler that supports C89, C99, and C++ languages (Note that the safety standards do not recommend using exceptions and RTTI in C++) Prequalified service packs for your FS tool to maintain certification and support for the life of the FS version (as long as there are paying customers under support contract for that version) Regular updates on known issues

19 How do I certify my application?

20 General outlines of FS requirements for applications Identify what the safety functions are Identify risk reduction methods for the safety functions Verify safety function performs the way it s supposed to Verify that system meets standards by rigorous testing Conduct Function Safety audits to assess testing evidence

21 Speeding the path to certifications Certifications are easier to achieve when you can prove that your code conforms to a coding standard (such as MISRA) Testing reports show that the overall number of defects in the software is low, despite many hours of testing and proves maturity of your development organization Code analysis also shows that your results are repeatable because you have a process in place to find and fix defects.

22 Coding standards with MISRA C

23 What is MISRA C? MISRA C is a software development standard for the C programming language developed by the Motor Industry Software Reliability Association. Its aims are to facilitate code safety, portability and reliability in the context of embedded systems, specifically those systems programmed in ISO C. MISRA C 1998: 127 rules MISRA C 2004: 141 rules MISRA C 2012: 157 rules MISRA C : 161 rules

24 Benefits of using MISRA Improved safety and reliability of code: Memory may not be dynamically allocated which effectively eliminates possibility of running out of memory during run-time Definitions are strictly typed so that signed/unsigned mismatches are not possible Many other common-sense rules that we developers sometimes forget while coding! Many not-so-obvious rules that help us help other developers Helps you find potential bugs before you begin the testing phase: Identifies many potential pitfalls in your code Looks for inconsistencies between your code and other developers code

25 How MISRA protects you (Rule 13) Rule 13 (advisory) - this rule states that an application should not directly use basic types such as char, int, float etc. Instead specific-length equivalents should be typedefed for the specific compiler, and these type names should be used in the code. The reason is that different compilers could use different underlying representation for the basic types. The most common case is the type int that could be seen as 16 bit wide by one compiler and 32 bit wide by another.

26 How MISRA protects you (Rule 13, continued) Developers take greater care when selecting the appropriate size and signedness: Instead of just picking an int, developers will use, say, uint16_t whenever I need to represent a 16-bit entity that never will be negative. This makes the code easier to read and understand as the reader doesn't have to consider a situation where expressions could be negative when adding code

27 How MISRA protects you (Rule 23) Rule 23 (advisory): All declarations at file scope should be static where possible. Declaring a variable or a function static means it cannot be seen or used directly by other modules in the application. This rule: Prevents you from unintentionally exposing internal help functions and file-local variables Forces you to really design the interface of new modules Makes the interface clearer, something very important as applications become legacy and the person who wrote the code may not be available to interpret it

28 How MISRA protects you (Rule 33) Rule 33 (required): The right hand side of a "&&" or " " operator shall not contain side effects. There is nothing in the C language that prevents you from writing code that looks like the following: if ((x == y) (*p++ == z)) { /* do something */ } In this example: The right hand side of the operator is only evaluated (and its sideeffects executed) if the expression on the left-hand side is false that is, if x and y are not equal In this example, the side-effect is to post-increment the pointer p.

29 How MISRA protects you (Rule 33, continued) However: Even if this behavior is specified by the standard, it is still easy to get it wrong when writing the code. Even if you manage to get it right, everyone that will ever read or maintain the code must also understand the rules and your intentions. Bad example Good example if ((x == y) (*p++ == z)) { /* do something */ } int dosomething = 0; if (x == y) { dosomething = 1; } else if (*p++ == z) { dosomething = 1; } if (dosomething) { /* do something */ }

30 How MISRA protects you (Rule 59) Rule 59 (required): The statement forming the body of an "if", "else if", "else", "while", "do... while", or "for" statement shall always be enclosed in braces. Consider following example: if (x == 0) { y = 10; z = 0; } else y = 20;

31 How MISRA protects you (Rule 59, continued) The idea of this rule is to avoid a classical mistake. In the example below, the line z = 1; was added. if (x == 0) { y = 10; z = 0; } else y = 20; z = 1; It looks as though it's part of the else clause but it isn t! In fact, it is placed after the if statement altogether, which means that the assignment will always take place. Surrounding braces ensure that your scope is always clear.

32 Avoiding dark corners of C

33 Avoiding dark corners of C Some developers believe that making fewer source lines of C or using clever C constructions makes tighter code wrong! Code becomes difficult to read, understand or maintain Writing code in a clear, logical manner helps the compiler make more informed choices on how to optimize your code Clever solution unsigned long int a; unsigned char b; Better solution unsigned long int a; unsigned char b; /* Move bits 0-20 to 11-31, if non-0, first! gives 0 */ b =!!(a << 11); //Straightforward if if (a & 0x1FFFFFFF)!= 0) { b = 0x01; } The clever solution produces more code because it invokes two! operations in C In short, write one statement at a time and avoid compound statements as much as possible

34 Avoiding dark corners of C In this example, the clever code produces more code because it invokes the need for a temporary variable in order to hold the 1 or 0 added to the variable str Clever solution int bar(char *str) { //Calculating with result of //comparison, not clear return foo(str+(*str== + )); } Better solution int bar(char *str) { if (*str == + ) { str++; } return foo(str); }

35 Summary

36 Summary Functional safety is becoming more desirable, even when it isn t required FS-certified tools prove that they have been through rigorous testing FS-certified tools are necessary to get your own certification MISRA C is an extremely popular coding standard Coding standards such as MISRA C help you find bugs before they get in the field Using FS-certified tools and coding standards help you develop high-quality applications very quickly

37 THANK YOU FOR YOUR ATTENTION!