- Example of Safety Standards
When your firmware needs to comply with a safety standard, this cannot be achieved without unit testing. There are many safety compliance standards, for example IEC 62304 for medical devices and ISO 26262 for automotive. Both standards describe software unit implementation and verification: IEC 62304 in 5.5.1 to 5.5.4, and ISO 26262-6 in 8.1 to 8.5 for implementation and 9.1 to 9.5 for verification.
- Concept of Safety Level
Writing unit tests that verify basic functionality is the bare minimum required to comply with either safety standard, and classic TDD achieves at least this part. However, it is not sufficient to comply with those standards if the module is required to meet a higher safety level. ISO 26262 uses ASIL (Automotive Safety Integrity Level). There are four levels of hazard, ASIL A, B, C and D, ordered from low risk to high risk. IEC 62304 uses classes. There are three software safety classifications, as follows:
Class A: No injury or damage to health is possible.
Class B: Nonserious injury is possible.
Class C: Death or serious injury is possible.
(medicaldesignbriefs.com/component/content/a..)
ISO 26262-6 describes unit test methods in table 10, unit test case derivation in table 11, and unit test coverage (embitel.com/blog/embedded-blog/how-iso-2626..).
From table 10, regardless of ASIL level, two methods are strongly recommended: requirements-based test and interface test. Requirements-based test is the result of TDD as mentioned above. Interface test verifies the function against its use cases, for example by injecting different types of signals into the function. The different types of signals can be defined by equivalence classes; this technique is found in table 11.
The higher the ASIL level to be achieved, the more unit test cases are required. IEC 62304 is similar: Class B and Class C share common test cases, but Class C requires more, while unit verification is not required for Class A at all. For Class B and C, IEC 62304 requires the unit verification process to be documented. Acceptance criteria are required for Class C. Examples of acceptance criteria are a) proper event sequence; b) data and control flow; c) planned resource allocation; d) fault handling (error definition, isolation, and recovery); e) initialization of variables; f) self-diagnostics; g) memory management and memory overflows; and h) boundary conditions.
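The following is an added example, not code from the original post, showing what an interface test derived from equivalence classes (table 11) looks like in practice, and how it also exercises several of the acceptance criteria listed above: fault handling via an explicit error code, initialization of the output variable on every path, and boundary conditions on each side of the valid range. The unit under test, adc_to_temp, is a hypothetical firmware function that maps a raw 12-bit ADC sample to a temperature; its range limits and scaling are constructed for illustration only.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical unit under test (constructed for this example):
 * convert a raw 12-bit ADC sample into tenths of a degree Celsius.
 * Samples below ADC_MIN_VALID are treated as a disconnected sensor and
 * samples above ADC_MAX_VALID as a shorted sensor; both are reported as
 * a range fault instead of being silently converted (fault handling). */
typedef enum { TEMP_OK = 0, TEMP_ERR_RANGE = 1, TEMP_ERR_NULL = 2 } temp_status_t;

#define ADC_FULL_SCALE 4095u
#define ADC_MIN_VALID   100u   /* maps to -40.0 C */
#define ADC_MAX_VALID  4000u   /* maps to 125.0 C */

temp_status_t adc_to_temp(uint16_t raw, int16_t *out_tenths)
{
    if (out_tenths == NULL)
        return TEMP_ERR_NULL;
    *out_tenths = 0; /* initialise the output on every path, including faults */
    if (raw < ADC_MIN_VALID || raw > ADC_MAX_VALID)
        return TEMP_ERR_RANGE;
    /* linear map of [100, 4000] onto [-400, 1250] tenths of a degree */
    int32_t span = (int32_t)(ADC_MAX_VALID - ADC_MIN_VALID);
    int32_t scaled = ((int32_t)(raw - ADC_MIN_VALID) * 1650) / span;
    *out_tenths = (int16_t)(-400 + scaled);
    return TEMP_OK;
}

/* One interface test case: the equivalence class the input represents,
 * the injected signal, and the expected result. */
typedef struct {
    const char   *eq_class;
    uint16_t      raw;
    temp_status_t expect_status;
    int16_t       expect_tenths;
} interface_case_t;

/* Test vectors derived by equivalence partitioning plus boundary values:
 * one representative per class, and the values on each side of a boundary. */
static const interface_case_t cases[] = {
    { "disconnected sensor (below range)",  0,                 TEMP_ERR_RANGE, 0    },
    { "boundary: just below valid",         ADC_MIN_VALID - 1, TEMP_ERR_RANGE, 0    },
    { "boundary: lowest valid",             ADC_MIN_VALID,     TEMP_OK,        -400 },
    { "nominal mid-range",                  2050,              TEMP_OK,        425  },
    { "boundary: highest valid",            ADC_MAX_VALID,     TEMP_OK,        1250 },
    { "boundary: just above valid",         ADC_MAX_VALID + 1, TEMP_ERR_RANGE, 0    },
    { "shorted sensor (ADC full scale)",    ADC_FULL_SCALE,    TEMP_ERR_RANGE, 0    },
    { "signal wider than 12 bits",          0xFFFF,            TEMP_ERR_RANGE, 0    },
};

size_t interface_case_count(void)
{
    return sizeof(cases) / sizeof(cases[0]);
}

/* Runs every vector and returns the number of failing cases (0 = pass).
 * Each case checks the status code and that the output was written,
 * so an uninitialised output on the fault path is caught as well. */
int run_interface_tests(void)
{
    int failures = 0;
    for (size_t i = 0; i < interface_case_count(); i++) {
        int16_t tenths = 0x7FFF; /* sentinel: detects an unwritten output */
        temp_status_t st = adc_to_temp(cases[i].raw, &tenths);
        if (st != cases[i].expect_status || tenths != cases[i].expect_tenths) {
            printf("FAIL [%s] raw=%u status=%d tenths=%d\n",
                   cases[i].eq_class, cases[i].raw, (int)st, (int)tenths);
            failures++;
        }
    }
    /* invalid interface use: null output pointer must be rejected, not dereferenced */
    if (adc_to_temp(ADC_MIN_VALID, NULL) != TEMP_ERR_NULL)
        failures++;
    return failures;
}

int main(void)
{
    int failures = run_interface_tests();
    printf("%zu interface cases, %d failures\n", interface_case_count(), failures);
    return failures == 0 ? 0 : 1;
}
```

The table of cases is the documented artefact that IEC 62304 asks for in Class B and C: each row names the equivalence class it covers, so a reviewer can see which boundary or fault path a case exists for, and adding a row is how the set grows when a higher ASIL or class demands more cases.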
- Conclusion
One product cannot be both a medical device and an automotive component, but unit testing is referenced in both safety standards. That shows writing unit tests is good practice whether or not a project has to comply with a safety standard. In general, TDD alone is not enough to comply with safety standards, but it is still part of the process of complying with them!