WHITE PAPER
Guide to Automotive Software Compliance: Autonomous, Semi-Autonomous, and Traditional Vehicles
Perforce Software, Inc. All trademarks and registered trademarks are the property of their respective owners. (0620RB22)

Introduction
An essential part of the automotive software development process is ensuring that it is compliant with key industry coding standards and guidelines. However, that process can be complex and time-consuming without the right software development tools and best practices. Here, we provide an overview of the key automotive software standards and the best practices for compliance.

Contents
Automotive Software
Key Automotive Coding Guidelines
Coding Guideline Best Practices for Software Safety and Security
Automotive Software Functional Safety: General
ISO 26262: Automotive Functional Safety
ASIL Overview
Automotive Software Functional Safety: Autonomous Vehicles
SOTIF (ISO/PAS 21448) Overview
How SOTIF (ISO/PAS 21448) Relates to ISO 26262
UL 4600 Overview
Automotive Software Functional Security
How Perforce Static Analysis Tools Help Ensure Secure, Reliable, and Standards-Compliant Automotive Software

Automotive Software
All vehicle components, regardless of whether they are for autonomous, semi-autonomous, or traditional vehicles, have safety and security requirements, but the level of coverage varies depending on the functionality of the component. It is obvious that a braking system has major safety requirements, and an In-Vehicle Infotainment (IVI) system that has external communication will have to consider cybersecurity.

Going forward, there will be an increase in domain and area controllers within the vehicle, where many separate, distinct components are consolidated into a single, distributed platform for the entire vehicle. This leads to safety, scheduling, and security concerns. Many of these concerns can be addressed by enforcing functional safety and security standards. All components are required to meet ISO 26262, and in the future there will be a mandatory requirement to cover ISO/SAE 21434 for automotive cybersecurity. Both standards recommend the use of coding guidelines to detect undefined and critical unspecified behavior in programming languages.

Key Automotive Coding Guidelines

MISRA
MISRA, originally developed for the automotive industry, provides coding standards for developing safety-critical systems and has been extended to cover security. It is now used in all industries where there are critical systems. MISRA C was originally published in 1998, and the latest version, MISRA C:2012 third edition first revision with subsequent amendments, covers C90, C99, and C11. It is now the most widely used set of coding guidelines for C around the world. In 2008, MISRA C++ was published and is now used extensively by safety-critical developers. An update is forthcoming within the next year to cover the later versions of C++. All MISRA guidelines are assigned a category to determine which are of the highest risk.

AUTOSAR C++14
The AUTOSAR coding guidelines are for the use of the C++14 language in critical and safety-related systems. They were developed for use in the AUTOSAR Adaptive Platform but are applicable to any safety-critical application written in C++. AUTOSAR C++14 is based on the MISRA C++:2008 coding guidelines, with the addition of the best features of other C++ coding standards such as JSF and CERT C++. It allows the use of some features that are not permitted by other C++ coding standards, including:
- Dynamic memory
- Exceptions
- Templates
- Inheritance
- Virtual functions
The AUTOSAR guidelines are classified according to an obligation level, which indicates the risk of failing to resolve violations.

CERT
CERT is a secure coding standard that supports commonly used programming languages such as C, C++, and Java. It is composed of rules and recommendations that target insecure coding practices and undefined behaviors that lead to security risks. The rules provide requirements for the code, while the recommendations provide guidance that, when followed, should improve the safety, reliability, and security of software systems. Each guideline in the CERT Coding Standards contains a risk assessment section that attempts to give software developers an indication of the potential consequences of not addressing a particular rule or recommendation.

Coding Guideline Best Practices for Software Safety and Security
When selecting and implementing coding guidelines, the application needs to be considered. Obviously, the programming language is the first step, but often that is already determined by the project. This then determines the available coding guidelines. Next comes the scope of the application: are there safety-critical or cybersecurity concerns, or both?

All defensive implementation techniques should start with the use of recognized coding guidelines. MISRA C:2012 Revision 1 and CERT C (and by extension MISRA C++ and AUTOSAR C++14) identify critical and unspecified language behavior by implementing a language subset. This makes the resulting code more reliable, less prone to errors, and easier to maintain.

The level of coverage required may vary depending on the functionality of the component. It may be sufficient to apply only the rules that detect high-risk violations. CERT defines the severity of each rule, and MISRA C applies a category. This allows a subset of rules to be enforced.
However, any decision to disable rules from any coding guideline must be considered carefully, as a justification will often be necessary.

Automotive Software Functional Safety: General
An essential part of the automotive software development process is verifying that the software is compliant with key industry standards and guidelines to ensure safety and security.

ISO 26262: Automotive Functional Safety
ISO 26262, "Road vehicles - Functional safety", is the major functional safety standard used in the automotive industry. It is a risk-based safety standard and applies to electric and/or electronic systems in production vehicles. This includes driver assistance, propulsion, and vehicle dynamics control systems. ISO 26262 covers the functional safety aspects of the entire development process, from requirements specification through design and implementation to verification and validation.

WHY ISO 26262 IS IMPORTANT FOR AUTOMOTIVE SOFTWARE
ISO 26262 is important for automotive software because all road vehicles are required to comply with it to ensure safety throughout the lifecycle of the automotive equipment and systems. Specific steps are required in each phase to ensure safety from the earliest concept to the point when the vehicle is decommissioned. Compliance helps developers avoid or control systematic failures and mitigate the effects of failure.

ASIL Overview
Automotive Safety Integrity Levels (ASILs) are a key element of ISO 26262 and are used to measure the risk of a specific system component. The more complex the system, the greater the risk of systematic failures and random hardware failures. There are four ASIL values, A to D. ASIL A is the minimum level of risk and ASIL D is the maximum. Compliance requirements become stricter going from A to D. QM (quality management) is an additional option that is used to note that there is no safety requirement for a particular component. For more information on how to determine Automotive Safety Integrity Levels, download our white paper, How to Comply with the ISO 26262 Standard.

ISO 26262 FUNCTIONAL SAFETY FOR SOFTWARE DEVELOPERS
ISO 26262 is comprised of 11 parts, of which Part 6: Product Development at the Software Level and Part 8: Supporting Processes are particularly applicable to electric vehicle software development. Part 6 contains a series of tables that include methods to define software processes. (The full list of the tables supported by static analysis can be found in our white paper, How to Comply with the ISO 26262 Standard.) For each method, the degree of recommendation depends on the ASIL and is categorized as follows:
- "++" indicates that the method is highly recommended for the identified ASIL.
- "+" indicates that the method is recommended for the identified ASIL.
- "o" indicates that the method has no recommendation for or against its usage for the identified ASIL.
For example, in Table 6 below, method a (one entry and one exit point in subprograms and functions) is highly recommended for all ASILs, whereas method j (no recursions) is only recommended for the lower levels.

Table 6: Design Principles for Software Unit Design and Implementation (methods, each rated for ASIL A, B, C, and D)
a. One entry and one exit point in subprograms and functions
b. No dynamic objects or variables, or else online test during their creation
c. Initialization of variables
d. No multiple use of variable names
e. Avoid global variables or else justify their usage
f. Restricted use of pointers
g. No implicit type conversions
h. No hidden data flow or control flow
i. No unconditional jumps
j. No recursions

HOW TO MEET ISO 26262 COMPLIANCE REQUIREMENTS
ISO 26262 recommends that a coding standard is applied to cover many of the coding principles listed in the tables in Part 6. Applying a coding guideline such as MISRA or AUTOSAR C++14 can be made easier by using a static analysis tool. Any tool which is relied upon to show compliance with ISO 26262 must be qualified to ensure that it is suitable for use in a safety-related environment. Therefore, it is easier to use a tool that has already been certified, such as the Perforce static analysis tools Helix QAC and Klocwork, which have been certified by TÜV SÜD for use in safety-related development.
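As an added illustration (not code from this white paper or from Perforce), here is a small C unit in two forms. The "before" version compiles and works, but breaks several of the Table 6 design principles above and the corresponding MISRA C rules (for example MISRA C:2012 Rule 15.5 on a single point of exit and Rule 17.2 on recursion): multiple exit points, unjustified global state, a variable not initialized at declaration, implicit type conversion, pointer arithmetic, and recursion. The "after" version follows the principles, and a final function sweeps both over the same inputs to confirm that the rewrite preserved behaviour, which is the kind of evidence a static analysis tool and a unit test together provide. The torque scaling constants, the ADC range, and the sample data are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ---- "Before": compiles and works, but breaks several Table 6 principles ---- */

static int32_t g_last_torque = 0;                 /* e: unjustified global state */

int32_t scale_before(uint16_t raw)
{
    int32_t result;                               /* c: not initialized at declaration */
    if (raw > 4095) {                             /* a: early return is a second exit point */
        return -1;
    }
    result = raw * 25 / 4;                        /* g: implicit uint16_t -> int promotion, magic numbers */
    g_last_torque = result;
    return result;
}

int32_t sum_before(const int32_t *v, size_t n)
{
    if (n == 0) {
        return 0;                                 /* a: multiple exits again */
    }
    return *v + sum_before(v + 1, n - 1);         /* j: recursion; f: pointer arithmetic */
}

/* ---- "After": the same behaviour, written to the principles ---- */

#define ADC_MAX     4095U                         /* constructed 12-bit ADC range */
#define TORQUE_NUM  25                            /* constructed scaling ratio 25/4 */
#define TORQUE_DEN  4
#define SCALE_ERROR (-1)

typedef struct {
    int32_t last_torque;                          /* e: state is passed in explicitly */
} torque_state_t;

int32_t scale_after(torque_state_t *st, uint16_t raw)
{
    int32_t result = SCALE_ERROR;                 /* c: initialized at declaration */
    if (raw <= ADC_MAX) {
        result = ((int32_t)raw * TORQUE_NUM) / TORQUE_DEN;   /* g: explicit conversion */
        st->last_torque = result;
    }
    return result;                                /* a: one exit point */
}

int32_t sum_after(const int32_t v[], size_t n)
{
    int32_t total = 0;
    size_t i = 0U;
    for (i = 0U; i < n; i++) {                    /* j: iteration; f: indexing, no pointer arithmetic */
        total += v[i];
    }
    return total;
}

/* Constructed sample input and wrappers so both versions can be compared. */
static const int32_t k_samples[] = { 3, -5, 10, 7 };
#define K_SAMPLES_LEN (sizeof(k_samples) / sizeof(k_samples[0]))

int32_t sample_sum_before(void) { return sum_before(k_samples, K_SAMPLES_LEN); }
int32_t sample_sum_after(void)  { return sum_after(k_samples, K_SAMPLES_LEN); }

int32_t scale_after_fresh(uint16_t raw)
{
    torque_state_t st = { 0 };
    return scale_after(&st, raw);
}

/* Regression check: sweep every raw value up to 5000 (inside and outside the ADC
   range) and confirm the rewrite changed nothing observable. Returns 1 on success. */
int principles_preserve_behaviour(void)
{
    int ok = 1;
    torque_state_t st = { 0 };
    uint32_t raw = 0U;
    for (raw = 0U; (raw <= 5000U) && ok; raw++) {
        int32_t before = scale_before((uint16_t)raw);
        int32_t after  = scale_after(&st, (uint16_t)raw);
        ok = (before == after) && (g_last_torque == st.last_torque);
    }
    return ok && (sample_sum_before() == sample_sum_after());
}

int main(void)
{
    printf("scale(4095): before=%d after=%d\n",
           (int)scale_before(4095U), (int)scale_after_fresh(4095U));
    printf("behaviour preserved: %s\n", principles_preserve_behaviour() ? "yes" : "no");
    return principles_preserve_behaviour() ? 0 : 1;
}
```

The point of the sweep is that applying a coding guideline is a refactoring with safety consequences: the "after" form is what a checker accepts, and the comparison is what shows the refactoring did not silently change results or the recorded state.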
Automotive Software Functional Safety: Autonomous Vehicles
While the same functional safety and security standards that are essential for traditionally powered vehicles are also relevant for autonomous vehicles, there are additional standards that should be followed.

SOTIF (ISO/PAS 21448) Overview
SOTIF, which stands for Safety of the Intended Functionality, is the absence of unreasonable risk due to hazards resulting from functional insufficiencies of the intended functionality or from reasonably foreseeable misuse. ISO/PAS 21448 (SOTIF) was developed to address the new safety challenges for autonomous and semi-autonomous vehicle software, which relies on artificial intelligence (AI) and machine learning (ML). The aim is the same as for ISO 26262, the protection of humans from harm and injury, but while the objective of ISO 26262 is to avoid unreasonable risks derived from hazards caused by a malfunctioning system, the objective of ISO/PAS 21448 (SOTIF) is to avoid unreasonable risks due to potentially hazardous behaviors related to functional insufficiencies or deficiencies.

The need to cover this specific aspect of safety arose in the automotive field in relation to the development of self-driving cars. But, considering that self-driving cars, which will soon be able to drive without any human involvement, are a product located at the intersection of the automotive and robotics areas, it may be expected that SOTIF will apply, maybe with some adjustments, to robotics as well.

ISO 21448 provides guidance on design measures and on verification and validation measures. By applying these measures, automotive software developers can achieve safety in situations without failure and thus achieve SOTIF. It is applied to intended functionality where proper situational awareness is critical to safety, and where that situational awareness is derived from complex sensors and processing algorithms as used by AI and ML.

WHY SOTIF (ISO/PAS 21448) IS IMPORTANT
SOTIF is important because verifying automated systems is difficult. In general, automated systems have huge volumes of data, which is fed to complex algorithms. Artificial intelligence and machine learning (AI/ML) are critical for developing these systems. To avoid potential safety hazards, the AI will need to make decisions in a variety of scenarios, including those that require situational awareness. SOTIF is key to ensuring that the AI can make the best decision for a given scenario to avoid safety hazards.
WHERE SOTIF (ISO/PAS 21448) APPLIES
SOTIF applies to safety violations that occur without the failure of a system. To better illustrate what this means, here is an example of situational awareness. It has been snowing and the road has become icy. The AI-based system installed in your self-driving car is unable to comprehend the situation and respond properly, impacting its ability to operate safely. Without being able to sense the icy road conditions, your self-driving car instead decides to drive faster than would be safe, putting your life, as well as those of the people in your car and on the road, at risk.

However, let's instead imagine that your self-driving car's software has fulfilled the SOTIF requirements. By doing so, it is able to take the road conditions into account and make a decision based on the probability of what could happen. This means that instead of speeding up, your car makes the decision to slow down.
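To make the icy-road scenario concrete, the following C code is an added example, not from this white paper, and a deliberately simplified model with constructed constants (a dry-road friction of 0.7, a worst-case icy friction of 0.1, a 0.5 s reaction time, an 80% confidence threshold, 60 m of visibility and a 25 m/s requested speed). Both speed controllers are free of failures in the ISO 26262 sense: nothing crashes, no value is corrupted. The naive one is unsafe on ice only because its intended function never considered a low-friction surface, which is the functional insufficiency SOTIF addresses. The SOTIF-aware controller uses the road-condition estimate and, when the confidence in that estimate is low, assumes the worst reasonably foreseeable surface, so it slows down instead of speeding up. The stopping-distance formula is the standard reaction-distance plus braking-distance model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model constants (assumptions for this example, not values from any standard). */
#define GRAVITY_MPS2    9.81
#define MU_DRY          0.7    /* friction the naive controller always assumes */
#define MU_WORST_CASE   0.1    /* icy surface assumed when the estimate cannot be trusted */
#define REACTION_TIME_S 0.5
#define CONF_THRESHOLD  0.8    /* below this, the road-condition estimate is not relied on */

typedef struct {
    double set_speed_mps;      /* speed requested by the driver or route planner */
    double sight_distance_m;   /* how far ahead the perception stack can currently see */
    double mu_estimate;        /* road friction estimated by the road-condition classifier */
    double mu_confidence;      /* 0..1 confidence reported with that estimate */
} driving_situation_t;

/* Distance needed to come to a stop from speed v on a surface with friction mu:
   reaction distance plus braking distance v^2 / (2 mu g). */
double stopping_distance_m(double v, double mu)
{
    return v * REACTION_TIME_S + (v * v) / (2.0 * mu * GRAVITY_MPS2);
}

/* Highest speed, not above set_speed, whose stopping distance fits within sight_m.
   Stopping distance grows monotonically with speed, so a bisection suffices (no libm). */
double max_safe_speed_mps(double set_speed, double sight_m, double mu)
{
    double lo = 0.0;
    double hi = set_speed;
    if (stopping_distance_m(hi, mu) > sight_m) {
        int i;
        for (i = 0; i < 60; i++) {
            double mid = 0.5 * (lo + hi);
            if (stopping_distance_m(mid, mu) <= sight_m) {
                lo = mid;
            } else {
                hi = mid;
            }
        }
        hi = lo;                /* lo always satisfies the sight-distance constraint */
    }
    return hi;
}

/* Naive controller: nothing in it fails, but its intended function only ever
   considered dry asphalt, so on ice it keeps the requested speed. */
double target_speed_naive(const driving_situation_t *s)
{
    return max_safe_speed_mps(s->set_speed_mps, s->sight_distance_m, MU_DRY);
}

/* SOTIF-aware controller: uses the friction estimate and, when the estimate's
   confidence is low, assumes the worst reasonably foreseeable surface. */
double target_speed_sotif(const driving_situation_t *s)
{
    double mu = (s->mu_confidence >= CONF_THRESHOLD) ? s->mu_estimate : MU_WORST_CASE;
    if (!(mu > 0.0)) {
        mu = MU_WORST_CASE;     /* a zero, negative or NaN estimate is treated as untrusted */
    }
    if (mu > MU_DRY) {
        mu = MU_DRY;            /* never allow a claim of better-than-dry grip */
    }
    return max_safe_speed_mps(s->set_speed_mps, s->sight_distance_m, mu);
}

/* Would a vehicle travelling at target_mps stop within sight on the surface that is
   really there (true_mu)? This is the check the controller itself cannot make. */
bool decision_is_safe(const driving_situation_t *s, double target_mps, double true_mu)
{
    return stopping_distance_m(target_mps, true_mu) <= s->sight_distance_m;
}

/* Constructed scenarios: snow, icy road (true friction 0.15), 60 m visibility, 25 m/s requested.
   In the second one the classifier wrongly reports dry asphalt, but with low confidence. */
static const driving_situation_t k_icy_road            = { 25.0, 60.0, 0.15, 0.9 };
static const driving_situation_t k_icy_road_misjudged  = { 25.0, 60.0, 0.7,  0.3 };

int main(void)
{
    double naive = target_speed_naive(&k_icy_road);
    double sotif = target_speed_sotif(&k_icy_road);
    double guarded = target_speed_sotif(&k_icy_road_misjudged);
    printf("naive : %.1f m/s, safe on ice: %s\n", naive, decision_is_safe(&k_icy_road, naive, 0.15) ? "yes" : "no");
    printf("sotif : %.1f m/s, safe on ice: %s\n", sotif, decision_is_safe(&k_icy_road, sotif, 0.15) ? "yes" : "no");
    printf("sotif, low-confidence estimate: %.1f m/s\n", guarded);
    return 0;
}
```

The two measures that separate the controllers, using the sensor estimate and falling back to a conservative assumption when its confidence is low, are design measures of the kind ISO 21448 asks for; the validation side is exercising scenarios like these two, including the one where the classifier is confidently wrong, and checking the resulting behaviour against what is really on the road.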
How SOTIF (ISO/PAS 21448) Relates to ISO 26262
ISO/PAS 21448 (SOTIF) applies to systems that can have safety hazards without a system failure. Examples of these types of systems include emergency intervention systems and advanced driver assistance systems (ADAS). It does not apply to cases covered by ISO 26262 or to hazards directly caused by the system technology. ISO 26262 covers functional safety in the event of system failures and applies to existing, established systems such as dynamic stability control (DSC) systems or airbags. For these systems, safety is ensured by mitigating the risk of system failure. Simply put, SOTIF complements ISO 26262 to ensure that autonomous and semi-autonomous vehicles are as safe as possible.

UL 4600 Overview
UL 4600, Standard for Safety for the Evaluation of Autonomous Products, addresses the safety principles and processes for evaluating fully autonomous systems that operate with no human intervention. It is intended to address the changes required from traditional safety practices to take autonomy into account, such as the lack of a human operator to take fault mitigation actions. It includes safety case construction, risk analysis, safety-relevant aspects of the design process, testing, tool qualification, autonomy validation, data integrity, human-machine interaction (for non-drivers), life cycle concerns, metrics, and conformance assessment. The approach is claim-based, prescribing topics that must be addressed in creating a safety case. It does not define pass/fail criteria for safety or set acceptable risk levels.

UL 4600 FUNCTIONAL SAFETY FOR AUTONOMOUS VEHICLE DEVELOPERS
UL 4600 is explicitly designed to help developers and manufacturers of automated products like self-driving cars to build a safety case for their product. It sets out a methodology by which the developer or manufacturer can explain why an autonomous vehicle is acceptably safe through a comprehensive and structured set of claims or goals. These claims or goals must then be supported by arguments and evidence. In addition, UL 4600 sets out a structure for the safety case, dividing claims into areas such as "risk assessment", "interacting with non-driver humans", and "verification, validation, and testing". Throughout the standard are extensive lists to "prompt" users to consider things which the standard defines as "mandatory", "required", "highly recommended", and "recommended". It also specifies how conformity with these prompts will be achieved and potential "pitfalls".

UL 4600 requires developers to consider the use of the vehicle throughout its operational life. This approach also requires that the supply chain for the maintenance of the vehicle has been considered. They must also have processes for managing any uncertainties, assumptions, and potential gaps in the safety case on an ongoing basis. It is mandatory that there is a structured software development process and that evidence is provided to show that it is followed at all levels, from unit through to system. This can be difficult for some levels of autonomy, for example machine learning, but the steps in development must be defined. Therefore, it is highly recommended that processes from traditional safety standards like ISO 26262 are adopted. In addition, it is also highly recommended that evidence of compliance with safety and security coding guidelines like MISRA is provided.

Automotive Software Functional Security
The frequency of cyberattacks on vehicles increased 225% from 2018 to 2021, according to Upstream's 2022 Global Automotive Cybersecurity Report. This staggering increase highlights how automotive software security is no longer optional but absolutely necessary.

ISO/SAE 21434: AUTOMOTIVE SOFTWARE SECURITY
ISO/SAE 21434, "Road vehicles - Cybersecurity engineering", is an automotive standard that focuses on the cybersecurity risk in road vehicle electronic systems. The standard covers all stages of a vehicle's lifecycle, from the initial design to end-of-life decommissioning, by the application of cybersecurity engineering. This applies to all electronic systems, components, and software in the vehicle, plus any external connectivity. In addition, ISO/SAE 21434 provides a comprehensive approach to implementing security safeguards that span the entire supply chain.

WHY ISO/SAE 21434 IS IMPORTANT FOR AUTOMOTIVE SOFTWARE
ISO/SAE 21434 is important for automotive software because current safety-critical standards are not sufficient to cover cybersecurity risks. The standard provides a structured process to ensure that cybersecurity considerations are incorporated into automotive products throughout their lifetime. The standard requires automotive manufacturers and suppliers to demonstrate due diligence in the implementation of cybersecurity engineering, and that cybersecurity management is applied throughout the supply chain to support it.

HOW TO MEET ISO/SAE 21434 REQUIREMENTS
ISO/SAE 21434 requires that cybersecurity is at the forefront of all design decisions, including the selection of the programming language to be used for software development. There are several criteria to be considered when selecting a programming language, which include:
- Secure design and coding techniques.
- Unambiguous syntax and semantic definitions.
However, some of these criteria may not be sufficiently addressed in the selected language. Therefore, it is recommended that coding guidelines such as MISRA and CERT are used to address the deficiencies of the chosen language. There is an additional requirement to verify compliance with the selected coding guidelines, with the recommendation to use static analysis tools. Static analysis tools can both verify compliance with the coding guidelines and provide evidence of that compliance. This will provide overall consistency, correctness, and completeness with respect to cybersecurity requirements. In addition, a static analysis tool will make compliance simpler and help meet development guidelines to produce safe, secure, and reliable software.

How Perforce Static Analysis Tools Help Ensure Secure, Reliable, and Standards-Compliant Automotive Software
To effectively identify software security vulnerabilities and weaknesses, as well as to enforce recommended coding standards and guidelines, an industry-standardized tool should be used, specifically a static analysis tool. Static analysis tools such as Helix QAC and Klocwork can both verify compliance with coding standards and guidelines and provide evidence of that compliance. This will provide overall consistency, correctness, and completeness with respect to functional safety and cybersecurity requirements. By using a static analysis tool, you can accelerate compliance by:
- Enforcing coding standards and detecting rule violations.
- Detecting compliance issues earlier in development.
- Accelerating code reviews and manual testing efforts.
- Reporting on compliance over time and across product versions.
Perforce static analysis tools provide full compliance with both the MISRA and CERT guidelines. They are also certified for use in safety-critical systems by TÜV SÜD, including ISO 26262 up to ASIL level D. See for yourself how Perforce static analysis tools can help ensure the functional safety and security of your automotive software. Request your free trial today.

About Perforce
Perforce powers innovation at unrivaled scale. Perforce solutions future-proof competitive advantage by driving quality, security, compliance, collaboration, and speed across the technology lifecycle. We bring deep domain and vertical expertise to every customer, so nothing stands in the way of success. Our global footprint spans more than 80 countries and includes over 75% of the Fortune 100. Perforce is trusted by the world's leading brands to deliver solutions to even the toughest challenges. Accelerate technology delivery, with no shortcuts. Get the Power of Perforce.
74、ent.Accelerating code reviews and manual testing efforts.Reporting on compliance over time and across product versions.Perforce static analysis tools provide full compliance to both MISRA and CERT guidelines.They are also certified for use for safety-critical systems by TV-SD,including ISO 26262 up to ASIL level D.See for yourself how Perforce static analysis tools can help ensure the functional safety and security of your automotive software.Request your free trial today.STATIC ANALYSIS FREE TRIAL