How Safe does my Code Need to be? Shawn A. Prestridge, Senior Field Applications Engineer

Similar documents
Module 10. Coding and Testing. Version 2 CSE IIT, Kharagpur

Informatica e Sistemi in Tempo Reale

Top 10 Bug-Killing Coding Standard Rules

The Role of Automation Systems in Management of Change

Software in safety critical systems

Coverity White Paper. Effective Management of Static Analysis Vulnerabilities and Defects

Software Application Control and SDLC

SIS Functional Design 15 minutes

Is your current safety system compliant to today's safety standard?

When COTS is not SOUP Commercial Off-the-Shelf Software in Medical Systems. Chris Hobbs, Senior Developer, Safe Systems

Verification and Validation of Software Components and Component Based Software Systems

TÜ V Rheinland Industrie Service

Die wichtigsten Use Cases für MISRA, HIS, SQO, IEC, ISO und Co. - Warum Polyspace DIE Embedded Code-Verifikationslösung ist.

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE, AND AGING

Vetting Smart Instruments for the Nuclear Industry

TESSY Automated dynamic module/unit and. CTE Classification Tree Editor. integration testing of embedded applications. for test case specifications

Introduction of ISO/DIS (ISO 26262) Parts of ISO ASIL Levels Part 6 : Product Development Software Level

Best Practices for Verification, Validation, and Test in Model- Based Design

Agile Development for Application Security Managers

Advanced Encryption Standard (AES) User's Guide

Object Oriented Software Design

Software Testing & Analysis (F22ST3): Static Analysis Techniques 2. Andrew Ireland

White Paper. Java versus Ruby Frameworks in Practice STATE OF THE ART SOFTWARE DEVELOPMENT 1

Chap 1. Software Quality Management

ASSESSMENT OF THE ISO STANDARD, ROAD VEHICLES FUNCTIONAL SAFETY

Scoping (Readings 7.1,7.4,7.6) Parameter passing methods (7.5) Building symbol tables (7.6)

University of Hull Department of Computer Science. Wrestling with Python Week 01 Playing with Python

Software Engineering Techniques

International Software Test Institute

Functional Safety Management: As Easy As (SIL) 1, 2, 3

How To Improve Software Quality

(Refer Slide Time: 01:52)

Introduction to Automated Testing

Safer food supply chains why assessments are great news for your business

Frequently Asked Questions

Embedded Systems. Review of ANSI C Topics. A Review of ANSI C and Considerations for Embedded C Programming. Basic features of C

Design of automatic testing tool for railway signalling systems software safety assessment

THE ALARM SYSTEM FROM THE OPERATOR`S PERSPECTIVE. C T Mattiasson. Scanraff AB, Sweden. Introduction

Satisfying ASIL Requirements with Parasoft C++test Achieving Functional Safety in the Automotive Industry

Quality Management Systems. Compliance Driven or Quality Driven?

The programming language C. sws1 1

Brocade Fabric OS DATA CENTER. Target Path Selection Guide January 4, 2016

ITIL A guide to service asset and configuration management

QUALITY ASSURANCE IN EXTREME PROGRAMMING Plamen Balkanski

CONTINUOUS INTEGRATION

MPLAB TM C30 Managed PSV Pointers. Beta support included with MPLAB C30 V3.00

Realizing business flexibility through integrated SOA policy management.

Sources: On the Web: Slides will be available on:

Phys4051: C Lecture 2 & 3. Comment Statements. C Data Types. Functions (Review) Comment Statements Variables & Operators Branching Instructions

Reduce Medical Device Compliance Costs with Best Practices.

Object Oriented Software Design

SIL in de praktijk (Functional Safety) Antwerpen Compliance of Actuators and Life Cycle Considerations. SAMSON AG Dr.

Controlling Risks Safety Lifecycle

Software Production. Industrialized integration and validation of TargetLink models for series production

Software Development for Medical Devices

Coverity White Paper. Reduce Your Costs: Eliminate Critical Security Vulnerabilities with Development Testing

BETTER YOUR CREDIT PROFILE

13 Classes & Objects with Constructors/Destructors

Module 10 - Managing Training

Effective Software Verification for Medical Devices

Common Beginner C++ Programming Mistakes

SQF Program Vocabulary

State of Medical Device Development State of Medical Device Development seapine.com 1

Chapter 3: Data Mining Driven Learning Apprentice System for Medical Billing Compliance

The first program: Little Crab

Object Oriented Software Design II

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Testing, Debugging, and Verification

Selecting Sensors for Safety Instrumented Systems per IEC (ISA )

Learning outcomes. Systems Engineering. Software Quality Management. Product reflects Process. Lecture 5. Introduction to Software Quality Management

KITES TECHNOLOGY COURSE MODULE (C, C++, DS)

Automation can dramatically increase product quality, leading to lower field service, product support and

Open-source Versus Commercial Software: A Quantitative Comparison

Qualifying Software Tools According to ISO 26262

2 The first program: Little Crab

DELL. Unified Server Configurator Security Overview. A Dell Technical White Paper. By Raja Tamilarasan, Wayne Liles, Marshal Savage and Weijia Zhang

Coding Rules. Encoding the type of a function into the name (so-called Hungarian notation) is forbidden - it only confuses the programmer.

Modernized and Maintainable Code. Frank Weil, Ph.D. UniqueSoft, LLC

Pitfalls in Embedded Software

How To Improve Your Software

The Dirty Little Secret of Software Pricing

Parrot in a Nutshell. Dan Sugalski dan@sidhe.org. Parrot in a nutshell 1

Testing, What is it Good For? Absolutely Everything!

Process Ownership and Service Ownership

What is Functional Safety Management?

Demystifying the European Machinery Directive and SEMI Requirements for the Industrial Automation and Semiconductor Markets

Optimize Application Performance and Enhance the Customer Experience

Eurusdd s TZ/RZ Clues & Lessons

Transcription:

How Safe does my Code Need to be? Shawn A. Prestridge, Senior Field Applications Engineer

Agendum What the benefits of Functional Safety are What the most popular safety certifications are Why you should care if your development tools are FS-certified How development tools are FS-certified How FS-certified tools will speed your path to your own certification What you get with EWARM-FS How do I certify my own application? Coding standards with MISRA C Avoiding dark corners of C Summary

What the benefits of Functional Safety are

Why should I seek a certification? Reduce liability risks associated with your application Reduce odds of product recall Reduce number of firmware updates Ensure compliance with international standards and requirements Protects your company s reputation Also protects your company s bottom line

Certifications make you consider your design carefully Some certifications define failure modes and how to recover from them Others make you ponder ways in which your software could fail and how best to recover You must carefully outline these modes for review by a certification-granting entity to show you understand the risks

Types of Safety Certifications

What types of safety certifications are there? The short answer is that there are many: Each one caters to a specific industry or product category You have to find which one is right for your product The two most broad-reaching certifications are ISO 26262 and IEC 61508 They cover road vehicles & electronic safety-related systems respectively Most functional safety development tools aim for these two certifications because they cover almost all other certifications and industries

What do these safety standards do? These standards provide: Processes to assess risk for safety critical systems and assign safety goals Best practice development process requirements in order to reduce systematic failures Frameworks for quantitative analysis of random failure rates and effectiveness of diagnostic measures to detect random failure Ongoing procedures to ensure functional safety after product deployment In short, they outline how to identify and deal with risks and they require FS-certified tools

Functional Safety certifications for development tools

What does it mean if my tool is FS-certified? It means that your development tool has gone through a rigorous qualification process to ensure that it produces reliable and repeatable results when compiling your code. Additionally, it means: Development processes are in place to manage how the tool works with specific requirements put forth by different functional safety standards There are test and quality measures of the tool show validation of compliance with different language standards

What does it mean if my tool is FS-certified? It also means: There are specific processes and metrics in place to handle issues reported from the field and how users are updated about known issues A safety manual is provided to show proof-of-compliance with standards and how to operate the development tool to comply with FS standards Assessment takes into consideration how many developers are using the toolchain to ensure it has a broad user-base

How do I certify my current toolchain? The certification process is rather rigorous. The IEC 61508 standard details how support tools should be qualified in Section 7.4.4, but it is rather ambiguous on how a compiler should be qualified. Consider clause 7.4.4.10: The selected programming language shall have a translator which has been assessed for fitness for purpose including, where appropriate, assessment against the international or national standards. These and other stipulations make it difficult to certify a tool on your own and can result in significant work on your part to prove fitness and even more work to document why you think you have proven fitness! This only gets worse as you try to achieve higher and higher SIL safety levels.

How does using an FS-certified tool speed my certification?

How does the tool speed my certification? The simple answer is that it removes the requirement that you have to prove your toolchain complies with the safety standard. It also means that your test-and-fix phase of the Software Development Lifecycle (SDLC) can focus on finding bugs in your source code instead of wondering if a compiler issue is causing your problems Certified service packs mean that you don t have to recertify the tool to get added functionality to your toolchain

How much time and money can it save me? Quite a bit! As we ve seen previously, some of the requirements for tool certification can be a bit nebulous, so you avoid the backand-forth with your certifying entity. Tool certifications can take up to 6-12 months of calendar time and occupy several employees, nominally 2-5: Also places extra testing requirements on each project using the tool The actual numbers will depend on which SIL your project requires By using a tool that is FS-certified, you only need to certify your application which frees people from also needing to prove the development tools, which can save you upwards of $100k US.

What you get with EWARM-FS

What do I get with EWARM-FS? The benefits of using the functional safety version are: A complete build chain that is certified by TŰV SŰD to comply with the requirements for tools selection in IEC 61508 and ISO 26262 A report that accompanies the certificate that states under what circumstances the certificate is valid A test report that shows how the tool was tested to demonstrate compliance

What do I get with EWARM-FS? You also get: A compiler that supports C89, C99, and C++ languages (Note that the safety standards do not recommend using exceptions and RTTI in C++) Prequalified service packs for your FS tool to maintain certification and support for the life of the FS version (as long as there are paying customers under support contract for that version) Regular updates on known issues

How do I certify my application?

General outlines of FS requirements for applications Identify what the safety functions are Identify risk reduction methods for the safety functions Verify safety function performs the way it s supposed to Verify that system meets standards by rigorous testing Conduct Function Safety audits to assess testing evidence

Speeding the path to certifications Certifications are easier to achieve when you can prove that your code conforms to a coding standard (such as MISRA) Testing reports show that the overall number of defects in the software is low, despite many hours of testing and proves maturity of your development organization Code analysis also shows that your results are repeatable because you have a process in place to find and fix defects.

Coding standards with MISRA C

What is MISRA C? MISRA C is a software development standard for the C programming language developed by the Motor Industry Software Reliability Association. Its aims are to facilitate code safety, portability and reliability in the context of embedded systems, specifically those systems programmed in ISO C. MISRA C 1998: 127 rules MISRA C 2004: 141 rules MISRA C 2012: 157 rules MISRA C++ 2008: 161 rules

Benefits of using MISRA Improved safety and reliability of code: Memory may not be dynamically allocated which effectively eliminates possibility of running out of memory during run-time Definitions are strictly typed so that signed/unsigned mismatches are not possible Many other common-sense rules that we developers sometimes forget while coding! Many not-so-obvious rules that help us help other developers Helps you find potential bugs before you begin the testing phase: Identifies many potential pitfalls in your code Looks for inconsistencies between your code and other developers code

How MISRA protects you (Rule 13) Rule 13 (advisory) - this rule states that an application should not directly use basic types such as char, int, float etc. Instead specific-length equivalents should be typedefed for the specific compiler, and these type names should be used in the code. The reason is that different compilers could use different underlying representation for the basic types. The most common case is the type int that could be seen as 16 bit wide by one compiler and 32 bit wide by another.

How MISRA protects you (Rule 13, continued) Developers take greater care when selecting the appropriate size and signedness: Instead of just picking an int, developers will use, say, uint16_t whenever I need to represent a 16-bit entity that never will be negative. This makes the code easier to read and understand as the reader doesn't have to consider a situation where expressions could be negative when adding code

How MISRA protects you (Rule 23) Rule 23 (advisory): All declarations at file scope should be static where possible. Declaring a variable or a function static means it cannot be seen or used directly by other modules in the application. This rule: Prevents you from unintentionally exposing internal help functions and file-local variables Forces you to really design the interface of new modules Makes the interface clearer, something very important as applications become legacy and the person who wrote the code may not be available to interpret it

How MISRA protects you (Rule 33) Rule 33 (required): The right hand side of a "&&" or " " operator shall not contain side effects. There is nothing in the C language that prevents you from writing code that looks like the following: if ((x == y) (*p++ == z)) { /* do something */ } In this example: The right hand side of the operator is only evaluated (and its sideeffects executed) if the expression on the left-hand side is false that is, if x and y are not equal In this example, the side-effect is to post-increment the pointer p.

How MISRA protects you (Rule 33, continued) However: Even if this behavior is specified by the standard, it is still easy to get it wrong when writing the code. Even if you manage to get it right, everyone that will ever read or maintain the code must also understand the rules and your intentions. Bad example Good example if ((x == y) (*p++ == z)) { /* do something */ } int dosomething = 0; if (x == y) { dosomething = 1; } else if (*p++ == z) { dosomething = 1; } if (dosomething) { /* do something */ }

How MISRA protects you (Rule 59) Rule 59 (required): The statement forming the body of an "if", "else if", "else", "while", "do... while", or "for" statement shall always be enclosed in braces. Consider following example: if (x == 0) { y = 10; z = 0; } else y = 20;

How MISRA protects you (Rule 59, continued) The idea of this rule is to avoid a classical mistake. In the example below, the line z = 1; was added. if (x == 0) { y = 10; z = 0; } else y = 20; z = 1; It looks as though it's part of the else clause but it isn t! In fact, it is placed after the if statement altogether, which means that the assignment will always take place. Surrounding braces ensure that your scope is always clear.

Avoiding dark corners of C

Avoiding dark corners of C Some developers believe that making fewer source lines of C or using clever C constructions makes tighter code wrong! Code becomes difficult to read, understand or maintain Writing code in a clear, logical manner helps the compiler make more informed choices on how to optimize your code Clever solution unsigned long int a; unsigned char b; Better solution unsigned long int a; unsigned char b; /* Move bits 0-20 to 11-31, if non-0, first! gives 0 */ b =!!(a << 11); //Straightforward if if (a & 0x1FFFFFFF)!= 0) { b = 0x01; } The clever solution produces more code because it invokes two! operations in C In short, write one statement at a time and avoid compound statements as much as possible

Avoiding dark corners of C In this example, the clever code produces more code because it invokes the need for a temporary variable in order to hold the 1 or 0 added to the variable str Clever solution int bar(char *str) { //Calculating with result of //comparison, not clear return foo(str+(*str== + )); } Better solution int bar(char *str) { if (*str == + ) { str++; } return foo(str); }

Summary

Summary Functional safety is becoming more desirable, even when it isn t required FS-certified tools prove that they have been through rigorous testing FS-certified tools are necessary to get your own certification MISRA C is an extremely popular coding standard Coding standards such as MISRA C help you find bugs before they get in the field Using FS-certified tools and coding standards help you develop high-quality applications very quickly

THANK YOU FOR YOUR ATTENTION!

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information