100% Coverage for Safety-Critical Software - Efficient Testing by Static Analysis

Safety-critical embedded software is used more and more pervasively in the automotive, avionics and healthcare industries. Failures of such safety-critical embedded systems may cause high costs or even endanger human beings. Also for non-safety-critical applications, a software failure may necessitate expensive updates. Making sure that an application is working properly means addressing many different aspects. Development standards like DO-178B, IEC 61508 and the new revisions DO-178C, or ISO 26262 require to identify potential functional and non-functional hazards and to demonstrate that the software does not violate the relevant safety goals. For ensuring functional program properties automatic or model-based testing, and formal techniques like model checking become more and more widely used. For non-functional properties identifying a safe end-of-test criterion is a hard problem since failures usually occur in corner cases and full test coverage cannot be achieved. For some non-functional program properties this problem is solved by abstract interpretation-based static analysis techniques which provide full coverage and yield provably correct results. In this article we focus on static analyses of worst-case execution time, stack consumption, and runtime errors, which are increasingly adopted by industry in the validation and certification process for safety-critical software. We explain the underlying methodology and identify criteria for their successful application. The integration of static analyzers in the development process requires interfaces to other development tools, like code generators or scheduling tools. Using them for certification requires an appropriate tool qualification. We will address each of these topics and report on industrial experience.