Software safety certification is both an old and new reality in the embedded systems world. Developers of devices such as avionics systems have been using strict DO-178A/B/C standards for years. However, automotive software standards, such as ISO 26262 (2011), are more recent. As software becomes integral to the functionality of safety-critical systems, standards continue to emerge to help characterize best practices and codify the expectations of the software.
Achieving certification and developing software to meet safety standards is expensive and time-consuming -- and for good reason. The level of rigor required for developing such software means lots of verification and validation throughout the development process. Fortunately, standards bodies and the standards themselves recognize the roles of tools – and static analysis in particular. GrammaTech CodeSonar has been independently certified for use in development of software at the highest safety-integrity levels for ISO 26262, IEC 61508, and EN 50128. Leveraging tools to cut the development and testing burden means the difference between on-budget and on-schedule for certified (and non-certified) software.
- A short history of the cost per defect metric
- Therac 25 Incident
- The ROI of Static Analysis in Safety-Critical Software Development
Functional Safety Standards
Functional safety is end-to-end in scope, meaning that safety of a component or subsystem is evaluated in terms of an entire system, including all software and hardware. This is an important concept to understand, since software was once considered independent or insignificant in a system. (The famous Therac-25 incident proved that false in a tragic way.)
Aerospace led the way with standards like DO-178, due to both the complexity of the software and the criticality of the systems being developed. Industrial, transportation, rail, and automotive followed over the years, usually as derived standards from EN/ISO 16508.
Another result of the focus on functional safety is better understanding of the impact of software control on an entire system and the risk analysis and management that is used at the system level. The focus on repeatable, documented processes and rigorous testing helped software safety to improve immensely. The Toyota unintended acceleration problem (2009) indicates that improvements are still needed.
Certification and Static Analysis Tools
Functional safety standards don’t specifically require automated tools, but to efficiently meet certification requirements, tools offer an excellent return on investment. For example, ISO 26262 (Road Vehicles – Functional Safety) specifies software unit design and implementation principles and coding guidelines. Static analysis tools are particularly useful in enforcing coding standards such as MISRA C.
Help with coding standards is useful but it's just a small fraction of the capabilities of a product such as GrammaTech CodeSonar. Certification standards need robustness, correctness, and consistency, which require design, coding, and testing rigor beyond the coding standards. Static analysis tools can find defects in the source code before and after it’s part of the project. The tools can also detect bugs that are hard to find in testing and are expensive to debug and fix. In addition, avoiding complexity and increasing maintainability is difficult to manage manually, and tools such as GrammaTech's CodeSurfer help immensely in management the structure of the code.
Software certifications require proof of implementation to the standard, which is often manually generated, but automation reduces the workload. Confidence is required in an automated tools’ results in order for them to be acceptable certification evidence. To address this, tools vendors can seek certifications for the products they sell as well. Recognizing this need, GrammaTech CodeSonar is independently certified for ISO 26262, IEC 61508, and EN 50128. This means that developers can use the tools with confidence that the results produced are acceptable to approval bodies during certification. It’s just too risky to use unqualified tools, which will only result in further testing, documentation, and certification costs.
Static analysis tools provide tangible productivity improvements to software teams seeking stringent software safety certification. Using a qualified tool as part of the software development process from early stages of development can have significant benefits:
- Enforce coding standards for safety, security and style. Automating code analysis during code development ensures quality in the development stream every day.
- Reducing manual effort in proving software robustness and behavior. Static analysis tools augment software testing by providing more assurance of software quality.
- Reducing number of defects throughout development – by preventing bugs in the first place. Code that works the first time is much cheaper to test and integrate than buggy code. Bugs removed from the code before testing (or even source configuration management) reduces costs and risk.
- Finding serious defects that elude testing. Software testing in safety-critical systems is exhaustive and, depending on the level of concern, require complete statement and or decision coverage. Despite this testing rigor, static analysis tools have found defects that were missed. These are the most worrisome types of defects – is it really worth the risk of letting these bugs go into a shipping product?
Cost and Risk Reduction
Static analysis tools give risk and cost reduction throughout a product’s lifecycle including after it ships, into market introduction, maintenance, and legacy. How? As Capers Jones ( “A short history of the cost per defect metric”, 2009) demonstrates, defects cost a lot of money because there are so many of them (cost per defect might be the same over time but the volume of defects is not). Using tools to cut the sheer volume of defects reduces costs and downstream risks, as illustrated in Figure 1 below. Reducing the volume of defects early in the lifecycle provides significant cost reduction. In addition, static analysis tools provide extra quality and security assurance that conventional testing may miss, often reducing defects and security vulnerabilities being shipped to customers.
Figure 1: Total cost of defects versus volume of defects and possible costs savings from reducing this volume. Costs per defect are based on Capers Jones (2009). Note the highest costs are earlier in the lifecycle (implementation). Note that significant cost increases start after product release and are not covered here.
More detail on return on investment for static analysis is provided in a previous post.
Safety critical software certification is a growing in range and scope in embedded systems. Software is taking over in terms of costs and overall safety in systems, and standards are adapting to new markets as need arises. Development of safety-critical software is risky and expensive, and growing complexity and connectivity means that manufactures have to look for ways to improve. Static analysis tools boost the quality assurance, robustness, and correctness that safety standards require. Early adoption and use is key to reaping the most rewards.