
IEC Certification Kit

Embedded Coder®
ISO 26262 Tool Qualification Package

R2020b

July 22, 2020 certkitiec_ecoder_tqp


How to Contact MathWorks
Latest news: www.mathworks.com
Sales and services: www.mathworks.com/sales_and_services
User community: www.mathworks.com/matlabcentral
Technical support: www.mathworks.com/support/contact_us
Phone: 508-647-7000

The MathWorks, Inc.


1 Apple Hill Drive
Natick, MA 01760-2098
IEC Certification Kit Embedded Coder® ISO 26262 Tool Qualification Package
© COPYRIGHT 2009-2020 by The MathWorks, Inc.
The software described in this document is furnished under a license agreement. The software may be used or
copied only under the terms of the license agreement. No part of this manual may be photocopied or reproduced
in any form without prior written consent from The MathWorks, Inc.
FEDERAL ACQUISITION: This provision applies to all acquisitions of the Program and Documentation by, for, or
through the federal government of the United States. By accepting delivery of the Program or Documentation, the
government hereby agrees that this software or documentation qualifies as commercial computer software or
commercial computer software documentation as such terms are used or defined in FAR 12.212, DFARS Part
227.72, and DFARS 252.227-7014. Accordingly, the terms and conditions of this Agreement and only those rights
specified in this Agreement, shall pertain to and govern the use, modification, reproduction, release, performance,
display, and disclosure of the Program and Documentation by the federal government (or other entity acquiring for
or through the federal government) and shall supersede any conflicting contractual terms or conditions. If this
License fails to meet the government’s needs or is inconsistent in any respect with federal procurement law, the
government agrees to return the Program and Documentation, unused, to The MathWorks, Inc.
Trademarks
MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See
www.mathworks.com/trademarks for a list of additional trademarks. Other product or brand names may be
trademarks or registered trademarks of their respective holders.
Patents
MathWorks products are protected by one or more U.S. patents. Please see www.mathworks.com/patents
for more information.



Revision History
September 2009 New for Version 1.1 (Applies to Release 2009b)
March 2010 Revised for Version 1.2 (Applies to Release 2010a)
April 2010 Revised for Version 1.3 (Applies to Release 2009bSP1)
September 2010 Revised for Version 1.3 (Applies to Release 2010b)
March 2011 Revised for Version 1.4 (Applies to Release 2010bSP1)
April 2011 Revised for Version 1.4 (Applies to Release 2011a); renamed to Embedded Coder® ISO 26262 Tool Qualification Package
September 2011 Revised for Version 2.0 (Applies to Release 2011b)
March 2012 Revised for Version 2.1 (Applies to Release 2012a)
September 2012 Revised for Version 3.0 (Applies to Release 2012b)
March 2013 Revised for Version 3.1 (Applies to Release 2013a)
September 2013 Revised for Version 3.2 (Applies to Release 2013b)
March 2014 Revised for Version 3.3 (Applies to Release 2014a)
October 2014 Revised for Version 3.4 (Applies to Release 2014b)
March 2015 Revised for Version 3.5 (Applies to Release 2015a)
September 2015 Revised for IEC Certification Kit Version 3.6 (Applies to Release 2015b)
March 2016 Revised for IEC Certification Kit Version 3.7 (Applies to Release 2016a)
September 2016 Revised for IEC Certification Kit Version 3.8 (Applies to Release 2016b)
March 2017 Revised for IEC Certification Kit Version 3.9 (Applies to Release 2017a)
September 2017 Revised for IEC Certification Kit Version 3.10 (Applies to Release 2017b)
March 2018 Revised for IEC Certification Kit Version 3.11 (Applies to Release 2018a)
September 2018 Revised for IEC Certification Kit Version 3.12 (Applies to Release 2018b)
March 2019 Revised for IEC Certification Kit Version 3.13 (Applies to Release 2019a)
September 2019 Revised for IEC Certification Kit Version 3.14 (Applies to Release 2019b)
March 2020 Revised for IEC Certification Kit Version 3.15 (Applies to Release 2020a)
September 2020 Revised for IEC Certification Kit Version 3.16 (Applies to Release 2020b)



Contents
1 Introduction ................................................................................................................................................ 1-1
2 Application Identification ........................................................................................................................... 2-1
3 Tool Identification and Qualification Artifacts Summary ........................................................................... 3-1
3.1 Tool Identification............................................................................................................................... 3-1
3.2 Tool Qualification Artifacts Summary ................................................................................................. 3-1
4 Software Tool Criteria Evaluation Report ................................................................................................... 4-1
4.1 Tool Environment ............................................................................................................................... 4-1
4.2 Tool Configuration .............................................................................................................................. 4-1
4.3 Reference Workflow ........................................................................................................................... 4-1
4.4 Tool Use Cases .................................................................................................................................... 4-2
4.5 Generic Tool Classification.................................................................................................................. 4-2
4.5.1 Potential Malfunctions or Erroneous Output .......................................................................... 4-2
4.5.2 Error Prevention and Detection Measures .............................................................................. 4-3
4.5.3 Tool Classification Summary .................................................................................................... 4-5
5 Software Tool Qualification Report ............................................................................................................ 5-1
5.1 Requirement for Tool Qualification .................................................................................................... 5-1
5.2 Tool Qualification Documentation ..................................................................................................... 5-1
6 Confirmation Review of Tool Classification and Qualification .................................................................... 6-1
6.1 Requirement for Confirmation Review............................................................................................... 6-1
6.2 Validity of Generic Tool Classification ................................................................................................ 6-1
6.2.1 Validity of Tool Use Cases ........................................................................................................ 6-1
6.2.2 Validity of Error Prevention and Detection Measures ............................................................. 6-4
6.2.3 Validity of Tool Classification Summary ................................................................................... 6-6
6.3 Validity of Generic Tool Qualification ................................................................................................. 6-7
6.4 Conformance with Reference Workflow ............................................................................................ 6-7



1 Introduction

This document constitutes the ISO 26262 Tool Qualification Package for the Embedded Coder® product. This
document is intended for use in the ISO 26262 tool classification and qualification process for software
tools. It contains templates for the ISO 26262 tool qualification work products (see ISO 26262-8:2018,
Section 11).

The applicant shall review this template for applicability to the application under consideration, and then
tailor and complete the information.

See also:

• IEC Certification Kit: User’s Guide, R2019b
• ISO 26262-8:2018, Section 11

ISO 26262-8:2018, Clause 11 sets out the provisions for software tools that are used to tailor activities or tasks
required by ISO 26262. The standard outlines a two-step approach to establish the required confidence in
the tools:

• Tool classification determines the required level of confidence in the software tool.
• Depending on the result of the tool classification, you might need to carry out a formal tool qualification.

This document includes the following work products that need to be created when applying this approach
to a software tool (see ISO 26262-8:2018, 11.5):

• Software Tool Criteria Evaluation report, which provides the tool classification.
• Software Tool Qualification report, which provides the tool qualification information (if required).

Note ISO 26262-8:2018 is used as a basis for tool classification and qualification. This approach is
considered suitable for the other standards supported by the IEC Certification Kit for
Embedded Coder: IEC 61508, IEC 62304, EN 50128, EN 50657, or ISO 25119.

The applicant needs to review this template for applicability to the project under consideration and insert
missing information.

This document is intended for use with:

• Embedded Coder Reference Workflow (certkitiec_ecoder_workflow)1
• Embedded Coder Conformance Demonstration Template (certkitiec_ecoder_cdt)1

As you review this document, notice the use of <Insert Information>. This tag indicates where you should
customize the document for the project under consideration.

The following figures provide information to help understand how the IEC Certification Kit documentation
correlates to the user’s development workflow, tool classification, and tool qualification.

1 This document is available in the IEC Certification Kit Artifacts Explorer, the Embedded Coder folder.



Figure 1 demonstrates the process of integrating the Embedded Coder reference workflow with your
project’s development workflow. It identifies workflow components and documentation that may be
affected by the consolidation.

Figure 1 Consolidation of the Embedded Coder Reference Workflow and Project Workflow
Figure 2 illustrates the correlation between the tool use cases, tool classification, and tool qualification.

Figure 2 Tool Classification and Tool Qualification Approach



2 Application Identification

Applicant: <Insert Information>

Application under consideration: <Insert Information>



3 Tool Identification and Qualification
Artifacts Summary

3.1 Tool Identification


Embedded Coder® is a code generator that transforms executable models into C or C++ code. The input
languages comprise Simulink®, Fixed-Point Designer™, and Stateflow®. Embedded Coder is an extension of
Simulink Coder™ that generates C or C++ code for embedded, discrete-time systems.1

Embedded Coder with AUTOSAR Blockset supports the generation of production code and files for
AUTOSAR application software components as follows:

• For AUTOSAR Classic software, generation of C code
• For AUTOSAR Adaptive software, generation of C++ code

AUTOSAR Blockset also allows you to develop Classic and Adaptive AUTOSAR software using
Simulink® models.

Table 1 Tool Identification

Software Tool | Version (Release) | Tool Vendor
Embedded Coder® | Version 7.5 (R2020b) | The MathWorks, Inc., 1 Apple Hill Drive, Natick, MA, 01760-2098 USA
AUTOSAR Blockset | Version 2.3 (R2020b) | The MathWorks, Inc., 1 Apple Hill Drive, Natick, MA, 01760-2098 USA
IEC Certification Kit | Version 3.16 (R2020b) | The MathWorks, Inc., 1 Apple Hill Drive, Natick, MA, 01760-2098 USA

3.2 Tool Qualification Artifacts Summary


For the Embedded Coder product, Table 2 lists:

• Prerequisites
• Supporting information
• Tool qualification work products

The tool qualification artifacts listed in the table are mapped to sections in this document and artifacts
found elsewhere.

1 All products require MATLAB® as the underlying base software. Simulink® Coder™ requires MATLAB® Coder™.



Table 2 Tool Qualification Artifacts

ISO 26262-8:2018, section | Tool Certification Artifact | Corresponding Documents/Artifacts

11.3.1 | Safety plan | <Insert Information. Include document title, version, filename, and link>

11.3.1 | Organization-specific rules and processes for functional safety | <Insert Information. Include document title, version, filename, and link>

11.3.1 | Applicable prerequisites of the lifecycle phases where software tool is used | <Insert software lifecycle phase(s) and prerequisite(s)>

11.3.2 | Predetermined maximum ASIL | <Insert ASIL>

11.3.2 | Software tool documentation | Embedded Coder:
    Embedded Coder Getting Started Guide, R2020b (ecoder_newgs.pdf)
    Embedded Coder User’s Guide, R2020b (ecoder_ug.pdf)
    Embedded Coder Reference, R2020b (ecoder_ref.pdf)
    Embedded Coder Release Notes, R2020b (rn.pdf)
  AUTOSAR Blockset:
    AUTOSAR Blockset User’s Guide, R2020b (autosar_ug.pdf)
    AUTOSAR Blockset Reference, R2020b (autosar_ref.pdf)
    AUTOSAR Blockset Release Notes, R2020b (rn.pdf)

11.3.2 | Environment and constraints of the software tool | MathWorks® bug report system at www.mathworks.com/support/bugreports/
    <Insert a list of the applicable bug reports. Include reference to the bug reports analysis and, if applicable, patches installation reports>

11.5.1 | Software tool criteria evaluation report | Customized and completed Chapter 4: Software Tool Criteria Evaluation Report of Embedded Coder ISO 26262 Tool Qualification Package (this document) (certkitiec_ecoder_tqp.docx)
    Embedded Coder Reference Workflow, R2020b (certkitiec_ecoder_workflow.pdf)
    Certificate (certkitiec_ecoder_certificate.pdf)
    Report to the Certificate (certkitiec_ecoder_certreport.pdf)
    <If applicable, insert additional documentation. Include document title, version, filename, and link>

11.5.2 | Software tool qualification report | Customized and completed Chapter 5: Software Tool Qualification Report in the Embedded Coder ISO 26262 Tool Qualification Package (this document) (certkitiec_ecoder_tqp.docx)
    Customized and completed Embedded Coder Conformance Demonstration Template (certkitiec_ecoder_cdt.docx)
    Certificate (certkitiec_ecoder_certificate.pdf)
    Report to the Certificate (certkitiec_ecoder_certreport.pdf)
    <If applicable, insert additional documentation. Include document title, version, filename, and link>



4 Software Tool Criteria Evaluation
Report

4.1 Tool Environment


It is assumed that Embedded Coder® will be used in the following environment (see ISO 26262-8:2018,
11.4.4.1d):

<Insert Information, such as operating system or pertinent environment information>

4.2 Tool Configuration


It is assumed that Embedded Coder will be used in the following tool configuration provided in Table 3
when generating code (see ISO 26262-8:2018, 11.4.4.1b):

Table 3 Tool Configuration

Configuration Parameter | Setting

Code Generation Pane
System target file | <Insert .tlc file name of the ERT-based or AUTOSAR system target file>
Language | <Insert project-specific setting>
<Insert configuration parameter> | <Insert project-specific setting>

Optimization Pane
<Insert configuration parameter> | <Insert project-specific setting>

Hardware Implementation Pane
<Insert configuration parameter> | <Insert project-specific setting>

4.3 Reference Workflow


It is assumed that Embedded Coder will be used as described in the reference workflow documented in
Embedded Coder Reference Workflow.1

1 This document is available in the IEC Certification Kit Artifacts Explorer, the Embedded Coder folder.



4.4 Tool Use Cases
It is assumed that Embedded Coder will be used as described by one or more of the following use cases (see
ISO 26262-8:2018, 11.4.4.1c). Additional information about the assumed usage of Embedded Coder can be
found in the following documents:

• Embedded Coder Reference Workflow
• Embedded Coder User’s Guide1
• (if using AUTOSAR Blockset) AUTOSAR Blockset User’s Guide2

[ECoder_UC1] Generating C Code from the Model Used for Production Code Generation
Embedded Coder code generator will be used to transform an executable model (model used for
production code generation) into production C code for application software components.

The input languages to the code generator comprise Simulink®, Fixed-Point Designer™, Stateflow®, and
MATLAB® code. The C source code generated by the code generator is transformed by the compiler/linker
tool chain into executable object code.

[ECoder_UC2] Generating C++ Code from the Model Used for Production Code Generation
Embedded Coder code generator will be used to transform an executable model (model used for
production code generation) into production C++ code for application software components.

The input languages to the code generator comprise Simulink, Fixed-Point Designer, Stateflow, and MATLAB
code. The C++ source code generated by the code generator is transformed by the compiler/linker tool
chain into executable object code.

[ECoder_UC3] Generating C/C++ Code and Files for AUTOSAR Application Software
Components from the Model Used for Production Code Generation
Embedded Coder code generator with AUTOSAR Blockset will be used to:

• Transform an executable model (model used for production code generation) into production C/C++
code and files for AUTOSAR application software components.
• Create an AUTOSAR configuration for a model, model AUTOSAR elements, and generate AUTOSAR XML
and AUTOSAR-compatible C/C++ code from a model.

4.5 Generic Tool Classification


The tool classification for Embedded Coder was performed in a generic manner, independently from the
development of a specific safety-related item or element.

For the generic tool classification, the use cases listed in Tool Use Cases above have been considered. The
tool classification is based on the potential malfunctions or erroneous outputs and error prevention and
detection measures listed in the following, corresponding sections.

4.5.1 Potential Malfunctions or Erroneous Output


The following potential malfunctions or erroneous outputs were considered as part of the tool classification
process:

2 This document is available in the IEC Certification Kit Artifacts Explorer, the Embedded Coder/doc/autosar folder.



[ECoder_E1] Embedded Coder produces incorrect or incomplete C or C++ code
Embedded Coder produces C/C++ code that is incorrect or does not have the same functionality as the
source model, for example:

• An element of the model is not translated to the code, so the corresponding functionality is
missing in the code.
• An element of the model is translated with an error, so the corresponding code functionality does not
match the model (for example, a gain value of 5 in the model is translated to a gain value of 3 in the code).

[ECoder_E2] Embedded Coder produces C or C++ code with unintended functionality


Embedded Coder produces C/C++ code that is not related to the content of the source model. For example,
Embedded Coder generates code with functionality that does not exist in the original model.

[ECoder_E3] Embedded Coder produces files for AUTOSAR application software components with incorrect content

Embedded Coder produces files for AUTOSAR application software components with content that does not
correspond to the content of the source model.

[MISC_E1] Usage of incorrect input data


Incorrect input data is used, resulting in tool malfunction and erroneous output.

[MISC_E2] Misinterpretation of tool results


User interprets tool results incorrectly.

[MISC_E3] Incorrect tool usage


User does not follow established procedures when using the tool, or the tool has not been used in the
intended operational environment, resulting in tool malfunction and erroneous output.

[MISC_E4] Incorrect, modified, or environment-incompatible tool installation


User does not follow established procedures when installing the tool, installs the tool in an incorrect
operational environment, modifies a valid installation, or available bug reports for the tool have not been
analyzed and available patches have not been installed. This might result in tool malfunction and erroneous
output.

4.5.2 Error Prevention and Detection Measures


The following measures, which mitigate potential malfunctions and corresponding erroneous outputs of
Embedded Coder, are referenced in the tool classification process. Additional considerations are described
in Embedded Coder Reference Workflow.

[ECoder_M1] Back-to-back testing


Software-in-the-loop (SIL) and processor-in-the-loop (PIL) back-to-back testing of generated C/C++ code
versus source model can be used to verify the functional equivalence between the source model and
generated code. See “Back-To-Back Simulation” in the Embedded Coder™ Reference Workflow.

[ECoder_M2] Static code analysis


Static code analysis can be used to assess compliance with coding standards, determine code size and
complexity, and quality metrics. See “Static Code Analysis” in the Embedded Coder™ Reference Workflow.



[ECoder_M3] Prevention of unintended functionality
Code coverage analysis can be used to find code that is not related to the subsystem elements, i.e.
unintended functionality. See the “Code Coverage Comparison” section of “Prevention of Unintended
Functionality” in the Embedded Coder™ Reference Workflow.

Static code analysis can be used to assess compliance with coding standards, determine code size and
complexity and quality metrics. See “Static code analysis” in the Embedded Coder™ Reference Workflow.

Manual review of the Traceability Report for the generated C/C++ code can be used to find code that is not
related to the subsystem elements, i.e. unintended functionality. See “Traceability in the Code Generation
Report” in the Embedded Coder™ Reference Workflow.

[ECoder_M4] Review of the files for AUTOSAR application software components

Manual review of the generated files for AUTOSAR application software components can be used to detect
content that does not correspond to the source model.

[ECoder_M5] Validation of files for AUTOSAR application software components in the AUTOSAR development environment

The AUTOSAR development environment can be used to validate the schema of the files for AUTOSAR
application software components.

[MISC_M1] Configuration management and revision control


Configuration management, including revision control, shall be applied in accordance with Clause 7 of ISO
26262-8:2018 to the tool’s inputs and outputs, as well as to other applicable work products specified in the
respective safety standard.

For additional information, see “Configuration Management and Revision Control” in the tool-specific
reference workflow artifact.

[MISC_M2] Competency of the project team


Those carrying out activities using the tools shall be competent for the activities undertaken. For additional
information, see “Competency of the Project Team” in the tool-specific reference workflow artifact.

[MISC_M3] Adherence to installation instructions and validation of tool installation integrity


Adhere to the installation instructions for the tool (including dependent tools) and verify the version and
integrity of the tool. Validate modifications or additions made to the shipping product(s), if applicable, by
re-running the validation test suite provided in the IEC Certification Kit.

For additional information, see “Installation Integrity and Release Compatibility” in the tool-specific
reference workflow artifact.
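The integrity argument behind [MISC_M1] and [MISC_M3] rests on two things: the tool inputs and outputs can be uniquely identified (checksums under revision control) and the installed tool version is recorded and verified. The following Python script is an added example, not part of the IEC Certification Kit or of Embedded Coder: it builds a SHA-256 manifest over a constructed set of model and generated files, binds it to the Table 1 tool identification, and on re-verification reports files that were modified, went missing, or appeared without being recorded. File names and contents are constructed placeholders.

```python
"""Integrity manifest for code-generator inputs and outputs (added example).

Records SHA-256 checksums of the files that go into and come out of a code
generation run, together with the tool identification, so that a later
verification can show that the inputs that were reviewed are the inputs that
were compiled and that nothing changed in between.
"""
import hashlib
import json
import os
import tempfile

# Tool identification as stated in Table 1 of the qualification package.
TOOL_ID = {
    "Embedded Coder": "Version 7.5 (R2020b)",
    "AUTOSAR Blockset": "Version 2.3 (R2020b)",
    "IEC Certification Kit": "Version 3.16 (R2020b)",
}


def sha256_of_file(path, chunk_size=1 << 16):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, rel_paths, tool_id=TOOL_ID):
    """Checksum every listed file (relative to root) and bind the tool identification."""
    files = {rel: sha256_of_file(os.path.join(root, rel)) for rel in sorted(rel_paths)}
    return {"tool_identification": dict(tool_id), "files": files}


def verify_manifest(root, manifest, present_rel_paths):
    """Compare the files now present under root against the manifest.

    Returns a dict with three sorted lists: 'modified' (digest differs),
    'missing' (in manifest but not on disk) and 'unexpected' (on disk but
    not in manifest). All three empty means the recorded file set is intact.
    """
    expected = manifest["files"]
    present = set(present_rel_paths)
    modified = [
        rel for rel in expected
        if rel in present and sha256_of_file(os.path.join(root, rel)) != expected[rel]
    ]
    missing = [rel for rel in expected if rel not in present]
    unexpected = sorted(present - set(expected))
    return {"modified": sorted(modified), "missing": sorted(missing), "unexpected": unexpected}


def manifest_to_json(manifest):
    """Serialise the manifest deterministically so it can be placed under revision control."""
    return json.dumps(manifest, indent=2, sort_keys=True)


def demo():
    """Constructed scenario: a model input is edited after the manifest was taken."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed placeholder files standing in for a Simulink model, its
        # configuration set and one generated source file; contents are made up.
        sample = {
            "model/ctrl.slx": b"<constructed model contents>",
            "model/ctrl_config.m": b"% constructed configuration set\n",
            "generated/ctrl.c": b"/* constructed generated code */\n",
        }
        for rel, data in sample.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        manifest = build_manifest(root, sample.keys())
        clean = verify_manifest(root, manifest, sample.keys())
        # Simulate an unrecorded edit of the model input (the [MISC_E1] case).
        with open(os.path.join(root, "model/ctrl.slx"), "ab") as f:
            f.write(b"<undocumented change>")
        # Simulate a stray file appearing in the generated-code folder.
        with open(os.path.join(root, "generated/extra.c"), "wb") as f:
            f.write(b"/* not produced by the recorded run */")
        present = list(sample.keys()) + ["generated/extra.c"]
        tampered = verify_manifest(root, manifest, present)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean run:", before)
    print("after edit:", after)
```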

[MISC_M4] Analysis of available bug report information


Assess and analyze the tool’s bug report information that is provided by MathWorks® and comply with the
recommendations and workarounds, if applicable.

For additional information, see “Bug Reporting” in the tool-specific reference workflow artifact.

[MISC_M5] Addressing tool errors and warnings


The tool reports abnormal operating modes, such as invalid tool inputs or incompatible settings that result
from incorrect tool usage, by issuing errors and warnings. All errors and warnings should be reviewed, and
appropriate action shall be taken.



4.5.3 Tool Classification Summary

Table 4 Tool Classification Summary

Columns: Potential Malfunction or Erroneous Output | Use Cases | TI | Justification for TI | Prevention / Detection Measures | TD | Justification for TD | TCL

[ECoder_E1] Embedded Coder produces incorrect or incomplete C or C++ code
  Use cases: [ECoder_UC1], [ECoder_UC2], [ECoder_UC3]
  TI: TI2. Justification: Incorrect code could introduce incorrect behavior of the target application component.
  Prevention / detection measures: [ECoder_M1] Back-to-back testing; [ECoder_M2] Static code analysis
  TD: TD1. Justification: Back-to-back testing between generated code and model ensures the numerical equivalence of the source model and generated code. This measure addresses the applicable verification methods recommended by ISO 26262-8 and 26262-11 and therefore provides a high degree of confidence that code generation errors will be detected.
  TCL: TCL1

[ECoder_E2] Embedded Coder produces C or C++ code with unintended functionality
  Use cases: [ECoder_UC1], [ECoder_UC2], [ECoder_UC3]
  TI: TI2. Justification: C/C++ code with unintended functionality could introduce unintended behavior of the target application component.
  Prevention / detection measures: [ECoder_M3] Prevention of unintended functionality; [ECoder_M2] Static code analysis
  TD: TD1. Justification: Review of a traceability report for the generated code and code coverage analysis can be used to detect code that is not related to the model elements, i.e. unintended functionality. This measure addresses the applicable verification methods recommended by ISO 26262-8 and 26262-11 and therefore provides a high degree of confidence that code with unintended functionality will be detected.
  TCL: TCL1

[ECoder_E3] Embedded Coder produces files for AUTOSAR application software components with incorrect content
  Use cases: [ECoder_UC3]
  TI: TI2. Justification: AUTOSAR application software components with incorrect content could result in an incorrect component implementation.
  Prevention / detection measures: [ECoder_M4] Review of the files for AUTOSAR application software components; [ECoder_M5] Validation of files for AUTOSAR application software components in the AUTOSAR development environment
  TD: TD1. Justification: Review of the generated AUTOSAR files provides a high degree of confidence that incorrect content will be detected. The AUTOSAR development environment can also be used to validate the schema of the files for AUTOSAR application software components and to support the review.
  TCL: TCL1

[MISC_E1] Usage of incorrect input data
  Use cases: All
  TI: TI2. Justification: Incorrect input data could result in incorrect or incomplete analysis results. It could introduce or fail to detect an error in a safety-related item or element being developed.
  Prevention / detection measures: [MISC_M1] Configuration management and revision control; [MISC_M5] Addressing tool errors and warnings
  TD: TD1. Justification: Revision control and configuration management provide integrity of the input data. Using checksums allows the unique identification of the input data. Invalid or corrupted input data will be reported by the tool and addressed by the user.
  TCL: TCL1

[MISC_E2] Misinterpretation of tool results
  Use cases: All
  TI: TI2. Justification: Misinterpretation of analysis results could prevent errors from being detected.
  Prevention / detection measures: [MISC_M2] Competency of the project team
  TD: TD1. Justification: Training of users can prevent these issues.
  TCL: TCL1

[MISC_E3] Incorrect tool usage
  Use cases: All
  TI: TI2. Justification: Incorrect tool usage could result in incorrect or incomplete analysis results. It could introduce or fail to detect an error in a safety-related item or element being developed.
  Prevention / detection measures: [MISC_M2] Competency of the project team; [MISC_M5] Addressing tool errors and warnings
  TD: TD1. Justification: Training of users can ensure correct usage of the tool. Invalid tool inputs or incompatible settings that are caused by incorrect tool usage will be reported by the tool and addressed by the user.
  TCL: TCL1

[MISC_E4] Incorrect, modified, or environment-incompatible tool installation
  Use cases: All
  TI: TI2. Justification: Incorrect or modified installation could result in incorrect or incomplete analysis results. It could introduce or fail to detect an error in a safety-related item or element being developed.
  Prevention / detection measures: [MISC_M3] Adherence to installation instructions and validation of tool installation integrity
  TD: TD1. Justification: Adherence to installation guide instructions provides a seamless installation. Validation of the installed tool provides integrity of the tool installation. This could include re-running the validation tests shipping with the IEC Certification Kit before using the tool.
  TCL: TCL1
  Prevention / detection measures: [MISC_M4] Analysis of available bug report information
  TD: TD1. Justification: Analysis of the bug report information and use of recommendations and workarounds minimizes the impact of tool bugs.
  TCL: TCL1

Based on the preceding analysis of the potential malfunctions or erroneous output for the tool use cases
[ECoder_UC1], [ECoder_UC2] and [ECoder_UC3], the maximum tool impact of Embedded Coder is TI2.

Use of the error detection measures [ECoder_M1] to [MISC_M5] provides a high degree of confidence (TD1)
that tool malfunctions will be detected. Therefore, the tool confidence level for the capabilities
implementing the tool use cases [ECoder_UC1], [ECoder_UC2] and [ECoder_UC3] is TCL1.

A suitable subset of the reference workflow and error detection measures can be selected to achieve a
medium degree of confidence (TD2) that tool malfunctions will be detected. In this case, the resulting tool
confidence level is TCL2.

TÜV SÜD reviewed the generic tool classification and confirmed the results in the Report to the Certificate.



5 Software Tool Qualification Report

5.1 Requirement for Tool Qualification


If TCL1 is claimed for the Embedded Coder® product, additional tool qualification methods are not
necessary per ISO 26262-8:2018, clause 11.4.6.1. The applied tool qualification methods described below
are voluntary and provide additional confidence.

If TCL2 is claimed for the Embedded Coder product, additional tool qualification methods appropriate for
the predetermined maximum ASIL for the application under consideration are necessary per ISO 26262-
8:2018, clause 11.4.6.1. Permissible tool qualification methods for TCL2 are listed in ISO 26262-8:2018 table
5.

5.2 Tool Qualification Documentation


MathWorks® carried out an application-independent prequalification of the Embedded Coder product on a
voluntary basis to provide additional confidence using the following method:

• Evaluation of the tool development process (ISO 26262-8:2018, Table 5, method 1b).

TÜV SÜD reviewed the generic tool qualification artifacts for Embedded Coder and confirmed the results in
the Report to the Certificate.

Note The TÜV SÜD qualification assessment for the method “Validation of the software tool” is carried
out for the tool use scope specified in Chapter 4 of this document. Modified tool use cases or
error prevention and detection measures are not covered by the TÜV SÜD qualification
assessment.



6 Confirmation Review of Tool
Classification and Qualification

6.1 Requirement for Confirmation Review


The tool classification (see Chapter 4) was carried out independently from the development of the
application under consideration. Therefore, the resulting, predetermined tool confidence level shall be
confirmed by the applicant prior to Embedded Coder® being used for the development of a particular
safety-related item or element for the application under consideration (see ISO 26262-8:2018, 11.4.2).

If TCL2 is confirmed, the prequalification shall be confirmed prior to Embedded Coder being used for the
development of a particular safety-related item or element for the application under consideration. The
confirmation is required, because the prequalification was carried out independently from the development
of the application under consideration.

If TCL1 is confirmed, tool qualification and hence confirmation of the tool qualification are not required.

The generic tool classification assumes that Embedded Coder is being used as described in the reference
workflow documented in Embedded Coder Reference Workflow. Therefore, conformance with the entire
reference workflow (for TCL1) or the suitable subset (for TCL2) in the application under consideration shall
be confirmed by the applicant.

Note: The applicant needs to document the applicable Tool Confidence Level (TCL1 or TCL2) claimed for the application under consideration and the translation validation workflow followed. The selected TCL influences the required rigor of the translation validation process. Therefore, the applicant needs to document the actual translation validation workflow used for the application under consideration.

6.2 Validity of Generic Tool Classification


Applicable Tool Confidence Level: <Insert TCL1 or TCL2>

<Insert results of the confirmation review and reference the confirmation review documentation>

6.2.1 Validity of Tool Use Cases


Table 5 identifies the Embedded Coder use cases that were considered as part of the tool classification
process and identifies whether the use cases were modified, added, or deleted for the project under
consideration.

The table is structured as follows:

• The first column identifies whether the use case was modified:
o No change — Use case did not change.
o Update — Use case was updated.
o Delete — Use case was not needed; therefore, it was removed.
o New — New use case was required.
• The second column provides the use case as described in section Tool Use Cases on page 4-2 with the following exceptions:
o If the Change Status is “Update”, this column provides the modified use case.
o If the Change Status is “New”, this column provides the new use case.
• The third column states the use case as a checklist question, which is to be asked with regard to your project. The following applies:
o If the Change Status is “Update” and a use case was updated, this column provides the modified checklist question.
o If the Change Status is “New”, this column provides the checklist questions as appropriate for the new use case.
• The fourth column defines whether the use case was applicable for the project. This column can provide additional information or clarification with regard to how the use case was applied in the project. The following applies:
o If the Change Status is “Delete”, provide an explanation as to why this use case was not applicable to the project.

Table 5 Validity of Tool Use Cases

Change Status: <Insert Information>
Use Case: [ECoder_UC1] Generating C code from the model used for production code generation. Embedded Coder code generator will be used to transform an executable model (model used for production code generation) into production C code for application software components.
Checklist: Is Embedded Coder being used to generate C code for the model used for production code generation?
Applicable to Project?: <Insert Yes or No and provide additional details if needed>

Change Status: <Insert Information>
Use Case: [ECoder_UC2] Generating C++ code from the model used for production code generation. Embedded Coder code generator will be used to transform an executable model (model used for production code generation) into production C++ code for application software components.
Checklist: Is Embedded Coder being used to generate C++ code for the model used for production code generation?
Applicable to Project?: <Insert Yes or No and provide additional details if needed>

Change Status: <Insert Information>
Use Case: [ECoder_UC3] Generating C/C++ Code and Files from AUTOSAR Application Software Components for the Model Used for Production Code Generation. Embedded Coder code generator with AUTOSAR Blockset will be used to:
• Transform an executable model (model used for production code generation) into production C/C++ code and files for AUTOSAR application software components.
• Create an AUTOSAR configuration for a model, model AUTOSAR elements, and generate AUTOSAR XML and AUTOSAR-compatible C/C++ code from a model.
Checklist:
• Is Embedded Coder code generator with AUTOSAR Blockset being used to transform an executable graphical model into production C code and files for AUTOSAR Classic software components? Applicable to Project?: <Insert Yes or No and provide additional details if needed>
• Is Embedded Coder code generator with AUTOSAR Blockset being used to create an AUTOSAR configuration for a model, model AUTOSAR elements, and generate AUTOSAR XML and AUTOSAR Classic platform-compatible C code from a model? Applicable to Project?: <Insert Yes or No and provide additional details if needed>
• Is Embedded Coder code generator with AUTOSAR Blockset being used to transform an executable graphical model into production C++ code and files for AUTOSAR Adaptive software components? Applicable to Project?: <Insert Yes or No and provide additional details if needed>
• Is Embedded Coder code generator with AUTOSAR Blockset being used to create an AUTOSAR configuration for a model, model AUTOSAR elements, and generate AUTOSAR XML and AUTOSAR Adaptive platform-compatible C++ code from a model? Applicable to Project?: <Insert Yes or No and provide additional details if needed>

Are there any tool use cases not considered? <Insert Yes or No. If yes, identify tool use case(s) and provide rationale.>



6.2.2 Validity of Error Prevention and Detection Measures

Table 6 identifies Embedded Coder error prevention and detection measures that were considered as part of the tool classification process and whether they were modified, added, or deleted for the project under consideration.

Table 6 Validity of Error Prevention and Detection Measures

Change Status: <Insert Information>
Error Prevention and Detection Measure: [ECoder_M1] Back-to-back testing. Software-in-the-loop (SIL) and processor-in-the-loop (PIL) back-to-back testing of generated C/C++ code versus source model can be used to verify the functional equivalence between the source model and generated code.
Checklist: Is the back-to-back testing of generated C/C++ code versus source model being used to verify the numerical equivalence between the source model and generated code?
Applicable to Project?: <Insert Yes or No and provide additional details if needed>

Change Status: <Insert Information>
Error Prevention and Detection Measure: [ECoder_M2] Static code analysis. Static code analysis can be used to assess compliance with coding standards, determine code size and complexity, and quality metrics.
Checklist: Is static code analysis being used to assess compliance with coding standards, determine code size and complexity, and quality metrics?
Applicable to Project?: <Insert Yes or No and provide additional details if needed>

Change Status: <Insert Information>
Error Prevention and Detection Measure: [ECoder_M3] Prevention of unintended functionality. Code coverage analysis can be used to find code that is not related to the subsystem elements, i.e. unintended functionality. Manual review of the Traceability Report for the generated C/C++ code can be used to find code that is not related to the subsystem elements, i.e. unintended functionality.
Checklist:
• Is an analysis of the code coverage being used to find code that is not related to the subsystem elements? Applicable to Project?: <Insert Yes or No and provide additional details if needed>
• Do you conduct a manual review of a traceability report for the generated code to ensure there is no code that is not related to the subsystem elements? Applicable to Project?: <Insert Yes or No and provide additional details if needed>

Change Status: <Insert Information>
Error Prevention and Detection Measure: [ECoder_M3] Model and code coverage analysis. Model and code coverage analysis can be used to find code that is not related to the subsystem elements, i.e. unintended functionality.
Checklist: Do you conduct a review of model and code coverage reports to ensure there is no code that is not related to the subsystem elements?
Applicable to Project?: <Insert Yes or No and provide additional details if needed>

Change Status: <Insert Information>
Error Prevention and Detection Measure: [MISC_M1] Configuration management and revision control. Configuration management, including revision control, shall be applied in accordance with Clause 7 of ISO 26262-8:2018 to the tool input and outputs, as well as for other applicable work products specified in the respective safety standard.
Checklist: Is configuration of the tool’s input and output data managed in accordance with Clause 7 of ISO 26262-8:2018?
Applicable to Project?: <Insert Yes or No and provide additional details if needed>

Change Status: <Insert Information>
Error Prevention and Detection Measure: [MISC_M2] Competency of the project team. Those carrying out activities using the tool shall be competent for the activities undertaken. Training of users can be performed to ensure correct usage of the tool.
Checklist:
• Are users who carry out activities using the tool competent for the activities undertaken? Applicable to Project?: <Insert Yes or No and provide additional details if needed>
• Are users trained to ensure correct usage of the tool? Applicable to Project?: <Insert Yes or No and provide additional details if needed>

Change Status: <Insert Information>
Error Prevention and Detection Measure: [MISC_M3] Adherence to installation instructions and validation of tool installation integrity. Adhere to the installation instructions for the tool (including dependent tools) and verify the version and integrity of the tool. Validate modifications or additions made to the shipping product(s), if applicable, by re-running the validation test suite provided in the IEC Certification Kit.
Checklist:
• Did users adhere to the installation instructions for the tool (including dependent tools)? Applicable to Project?: <Insert Yes or No and provide additional details if needed>
• Did users verify the version and integrity of the tool? Applicable to Project?: <Insert Yes or No and provide additional details if needed>
• Did users validate modifications or additions made to the shipping product(s), if applicable, by re-running the validation test suite provided in the IEC Certification Kit? Applicable to Project?: <Insert Yes or No and provide additional details if needed>

Change Status: <Insert Information>
Error Prevention and Detection Measure: [MISC_M4] Analysis of available bug report information. Assess and analyze the tool’s bug report information that is provided by MathWorks® and comply with the recommendations and workarounds, if applicable.
Checklist:
• Did users assess and analyze bug report information for the tool? Applicable to Project?: <Insert Yes or No and provide additional details if needed>
• Did users comply with the recommendations and workarounds, if applicable? Applicable to Project?: <Insert Yes or No and provide additional details if needed>

Change Status: <Insert Information>
Error Prevention and Detection Measure: [MISC_M5] Addressing tool errors and warnings. The tool reports abnormal operating modes, such as invalid tool inputs or incompatible settings that result from incorrect tool usage, by issuing errors and warnings. All errors and warnings should be reviewed, and appropriate action shall be taken.
Checklist:
• Did the user review all errors and warnings? Applicable to Project?: <Insert Yes or No and provide additional details if needed>
• Was appropriate action taken in response to the errors and warnings? Applicable to Project?: <Insert Yes or No and provide additional details if needed>

Are there any error prevention and detection measures not considered? <Insert Yes or No. If yes, identify the measure(s) and provide rationale.>



6.2.3 Validity of Tool Classification Summary

Table 6 provides a tool classification summary for the project under consideration and should be updated to include any modifications that are identified in these sections (if any):

• Validity of Tool Use Cases on page 6-1
• Validity of Error Prevention and Detection Measures on page 6-4

Table 6 Validity of Tool Classification Summary

Potential Malfunction or Erroneous Output: [ECoder_E1] Embedded Coder produces incorrect or incomplete C or C++ code
Use Cases: [ECoder_UC1], [ECoder_UC2], [ECoder_UC3]
TI: TI2
Justification for TI: Incorrect code could introduce incorrect behavior of the target application component.
Prevention / Detection Measures: [ECoder_M1] Back-to-back testing
TD: TD1
Justification for TD: Back-to-back testing between generated code and model ensures the numerical equivalence of the source model and generated code. This measure addresses the applicable verification methods recommended by ISO 26262-8 and 26262-11 and therefore provides a high degree of confidence that code generation errors will be detected.
TCL: TCL1

Potential Malfunction or Erroneous Output: [ECoder_E2] Embedded Coder produces C or C++ code with unintended functionality
Use Cases: [ECoder_UC1], [ECoder_UC2], [ECoder_UC3]
TI: TI2
Justification for TI: C/C++ code with unintended functionality could introduce unintended behavior of the target application component.
Prevention / Detection Measures: [ECoder_M3] Prevention of unintended functionality; [ECoder_M2] Static code analysis
TD: TD1
Justification for TD: Review of a traceability report for the generated code and code coverage analysis can be used to detect code that is not related to the model elements, i.e. unintended functionality. This measure addresses the applicable verification methods recommended by ISO 26262-8 and 26262-11 and therefore provides a high degree of confidence that code with unintended functionality will be detected.
TCL: TCL1

Potential Malfunction or Erroneous Output: [MISC_E1] Usage of incorrect input data
Use Cases: All
TI: TI2
Justification for TI: Incorrect input data could result in incorrect or incomplete analysis results. It could introduce or fail to detect an error in safety-related items or elements being developed.
Prevention / Detection Measures: [MISC_M1] Configuration management and revision control; [MISC_M5] Addressing tool errors and warnings
TD: TD1
Justification for TD: Revision control and configuration management provide integrity of the input data. Using checksums allows the unique identification of the input data. Invalid or corrupted input data will be reported by the tool and addressed by the user.
TCL: TCL1

Potential Malfunction or Erroneous Output: [MISC_E2] Misinterpretation of tool results
Use Cases: All
TI: TI2
Justification for TI: Misinterpretation of analysis results could prevent errors from being detected.
Prevention / Detection Measures: [MISC_M2] Competency of the project team
TD: TD1
Justification for TD: Training of users can prevent these issues.
TCL: TCL1

Potential Malfunction or Erroneous Output: [MISC_E3] Incorrect tool usage
Use Cases: All
TI: TI2
Justification for TI: Incorrect tool usage could result in incorrect or incomplete analysis results. It could introduce or fail to detect an error in safety-related items or elements being developed.
Prevention / Detection Measures: [MISC_M2] Competency of the project team; [MISC_M5] Addressing tool errors and warnings
TD: TD1
Justification for TD: Training of users can ensure correct usage of the tool. Invalid tool inputs or incompatible settings that are caused by incorrect tool usage will be reported by the tool and addressed by the user.
TCL: TCL1

Potential Malfunction or Erroneous Output: [MISC_E4] Incorrect, modified, or incompatible with environment tool installation
Use Cases: All
TI: TI2
Justification for TI: Incorrect or modified installation could result in incorrect or incomplete analysis results. It could introduce or fail to detect an error in safety-related items or elements being developed.
Prevention / Detection Measures: [MISC_M3] Adherence to installation instructions and validation of tool installation integrity
TD: TD1
Justification for TD: Adherence to installation guide instructions provides a seamless installation. Validation of the installed tool provides integrity of the tool installation. This could include re-running the validation tests shipping with the IEC Certification Kit before using the tool.
TCL: TCL1
Prevention / Detection Measures: [MISC_M4] Analysis of available bug report information
TD: TD1
Justification for TD: Analysis of the bug report information and use of recommendations and workarounds minimizes the impact of tool bugs.
TCL: TCL1

6.3 Validity of Generic Tool Qualification


Applicable Tool Confidence Level: <Insert TCL1 or TCL2>

<Insert results of the confirmation review or reference the confirmation review documentation.>

6.4 Conformance with Reference Workflow


Applicable Tool Confidence Level: <Insert TCL1 or TCL2>

<Insert reference to customized and completed Conformance Demonstration Template for the project.>
