In this article I look at the different integrity levels for the DO-178C "Software Considerations in Airborne Systems and Equipment Certification" development guidance and ISO26262 "Road vehicles – Functional safety" standard, what they mean for code coverage and why they are not equivalent.
How do I find my Integrity Level?
Most safety standards use the concept of an integrity level, which is assigned to a system or a function. This level will be based on an initial analysis of the consequences of your software going wrong. Both standards have clear guidance on how to identify your integrity level. For example, DO-178C has Software Levels, which are assigned based on the outcome of "anomalous behaviour" of a software component – Level A for "Catastrophic Outcome", Level E for "No Safety Effect". ISO26262 has ASIL (Automotive Safety Integrity Level), based on the exposure to issues affecting the controllability of the vehicle. ASILs range from D for the highest severity/most probable exposure, and A as the least. So the underlying concept is similar – find out how severe the effect and how likely it is your software can go wrong. The difference is in the scales and criteria used.
What does my integrity level mean?
The allocated integrity level is linked to a set of processes to follow when developing your system – the higher the level then the more rigorous and stringent these processes are. Let’s take code coverage requirements as an example. The purpose of code coverage testing is to determine how much of your code has been exercised by your requirements based test cases. It can be a powerful tool in locating any code that doesn’t trace to a requirement, or limitations in your testing. The more severe the consequences of your code going wrong, then the more evidence we need that the test cases can find potential problems in the code.
Table 1 shows the code coverage requirements for DO178C from Annex A, Table A-7 of the standard. At Level C you only need to demonstrate that your tests cover all the statements in your software. However, at Level A you need three types of code coverage, including the most stringent, Multiple Condition/Decision Coverage for which every possible condition must be shown to independently affect the decision/software’s outcome. Further, you need to run these tests and demonstrate that the testing process has been performed by someone not directly involved with the development process.
|MC/DC||Decision Coverage||Statement Coverage|
|Level A||With Independence||With Independence||With Independence|
|Level B||-||With Independence||With Independence|
Compare this with the code coverage requirements in ISO26262. Table 2 shows the requirements from Tables 12 and 15 of Part 6 of ISO26262. There are two different sets, one at the unit level and one at the architectural level. Techniques are highly recommended (++) or recommended (+). No requirement for independence is there. So whilst at the highest ASIL we still require MC/DC, the requirement for how that’s achieved is different. Also code coverage must be applied at multiple abstraction levels.
|MC/DC (Unit Level)||Branch Coverage (Unit Level)||Statement Coverage (Unit Level)||Function Coverage (Architectural Level)||Call Coverage (Architectural Level)|
What’s the conclusion?
The integrity level concept is in almost all safety standards in one form or another. You will need to identify your integrity level in order to understand how to satisfy the standards development requirements, and, ultimately, the body approving whether your software is acceptably safe. However, the details mean that we can’t directly compare integrity levels between standards, and the requirements may be subtly different.