IEC Certification Kit: Embedded Coder ISO 26262 Tool Qualification Package
Embedded Coder®
ISO 26262 Tool Qualification Package
R2020b
This document constitutes the ISO 26262 Tool Qualification Package for the Embedded Coder® product. This
document is intended for use in the ISO 26262 tool classification and qualification process for software
tools. It contains templates for the ISO 26262 tool qualification work products (see ISO 26262-8:2018,
Section 11).
The applicant shall review this template for applicability to the application under consideration, and then
tailor and complete the information.
ISO 26262-8:2018, Clause 11 sets out the requirements for software tools that are used to tailor activities
or tasks required by ISO 26262. The standard outlines a two-step approach to establish the required
confidence in the tools:
• Tool classification determines the required level of confidence in the software tool.
• Depending on the result of the tool classification, you might need to carry out a formal tool qualification.
This document includes the following work products that need to be created when applying this approach
to a software tool (see ISO 26262-8:2018, 11.5):
• Software Tool Criteria Evaluation report, which provides the tool classification.
• Software Tool Qualification report, which provides the tool qualification information (if required).
Note ISO 26262-8:2018 is used as a basis for tool classification and qualification. This approach is
considered suitable for the other standards supported by the IEC Certification Kit for
Embedded Coder: IEC 61508, IEC 62304, EN 50128, EN 50657, or ISO 25119.
The applicant needs to review this template for applicability to the project under consideration and insert
missing information.
As you review this document, notice the use of <Insert Information>. This tag indicates where you should
customize the document for the project under consideration.
The following figures provide information to help understand how the IEC Certification Kit documentation
correlates to the user’s development workflow, tool classification, and tool qualification.
1 This document is available in the IEC Certification Kit Artifacts Explorer, the Embedded Coder folder.
Figure 1 Consolidation of the Embedded Coder Reference Workflow and Project Workflow
Figure 2 illustrates the correlation between the tool use cases, tool classification, and tool qualification.
Embedded Coder with AUTOSAR Blockset supports the generation of production code and files for
AUTOSAR application software components as follows:
AUTOSAR Blockset also allows you to develop Classic and Adaptive AUTOSAR software using
Simulink® models.
• Prerequisites
• Supporting information
• Tool qualification work products
The tool qualification artifacts listed in the table are mapped to sections in this document and artifacts
found elsewhere.
1 All products require MATLAB® as the underlying base software. Simulink® Coder™ requires MATLAB® Coder™.
Each entry gives the ISO 26262-8:2018 reference, the work product, and the location of the artifact.

11.3.1  Organization-specific rules and processes for functional safety
        <Insert Information. Include document title, version, filename, and link>

11.3.1  Applicable prerequisites of the lifecycle phases where the software tool is used
        <Insert software lifecycle phase(s) and prerequisite(s)>

11.5.2  Software tool qualification report
        Customized and completed Chapter 5: Software Tool Qualification Report in the Embedded Coder
        ISO 26262 Tool Qualification Package (this document), certkitiec_ecoder_tqp.docx
        Customized and completed Embedded Coder Conformance Demonstration Template,
        certkitiec_ecoder_cdt.docx
        Certificate, certkitiec_ecoder_certificate.pdf
        Report to the Certificate, certkitiec_ecoder_certreport.pdf
        <If applicable, insert additional documentation. Include document title, version, filename, and link>
[ECoder_UC1] Generating C Code from the Model Used for Production Code Generation
Embedded Coder code generator will be used to transform an executable model (model used for
production code generation) into production C code for application software components.
The input languages to the code generator comprise Simulink®, Fixed-Point Designer™, Stateflow®, and
MATLAB® code. The C source code generated by the code generator is transformed by the compiler/linker
tool chain into executable object code.
[ECoder_UC2] Generating C++ Code from the Model Used for Production Code Generation
Embedded Coder code generator will be used to transform an executable model (model used for
production code generation) into production C++ code for application software components.
The input languages to the code generator comprise Simulink, Fixed-Point Designer, Stateflow, and MATLAB
code. The C++ source code generated by the code generator is transformed by the compiler/linker tool
chain into executable object code.
[ECoder_UC3] Generating C/C++ Code and Files for AUTOSAR Application Software
Components from the Model Used for Production Code Generation
Embedded Coder code generator with AUTOSAR Blockset will be used to:
• Transform an executable model (model used for production code generation) into production C/C++
code and files for AUTOSAR application software components.
• Create an AUTOSAR configuration for a model, model AUTOSAR elements, and generate AUTOSAR XML
and AUTOSAR-compatible C/C++ code from a model.
For the generic tool classification, the use cases listed in Tool Use Cases above have been considered. The
tool classification is based on the potential malfunctions or erroneous outputs and the error prevention and
detection measures listed in the corresponding sections that follow.
2 This document is available in the IEC Certification Kit Artifacts Explorer, the Embedded Coder/doc/autosar folder.
• An element of the model is not translated to the code; therefore the corresponding functionality is
missing in the code.
• An element of the model is translated with an error, so the corresponding code functionality does not
match the model (for example, a gain of 5 in the model is translated to a gain of 3 in the code).
Static code analysis can be used to assess compliance with coding standards and to determine code size,
complexity, and quality metrics. See “Static code analysis” in the Embedded Coder™ Reference Workflow.
Manual review of the Traceability Report for the generated C/C++ code can be used to find code that is not
related to the subsystem elements, i.e. unintended functionality. See “Traceability in the Code Generation
Report” in the Embedded Coder™ Reference Workflow.
For additional information, see “Configuration Management and Revision Control” in the tool-specific
reference workflow artifact.
For additional information, see “Installation Integrity and Release Compatibility” in the tool-specific
reference workflow artifact.
For additional information, see “Bug Reporting” in the tool-specific reference workflow artifact.
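The input-integrity and installation-integrity measures referenced above ([MISC_M1] configuration
management with checksums over the tool inputs, and [MISC_M3] verification of the version and integrity of
the installed tool) are stated as process requirements. The following Python script is an added example of
how such a check can be automated in a build pipeline before a code generation run; it is not part of the
IEC Certification Kit or of Embedded Coder. The file types treated as tool inputs, the manifest format, the
release strings, and the placeholder files it writes into a temporary directory are assumptions constructed
for the example.

```python
"""Baseline and verify a SHA-256 manifest of code generation inputs (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path

# File types assumed to make up the input set of a production code generation run.
# Assumption for this example; adjust to the project's actual inputs.
INPUT_SUFFIXES = {".slx", ".mdl", ".sldd", ".m", ".mat", ".arxml"}


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path, tool_version: str) -> dict:
    """Hash every tool input file under root and record the tool release.

    Recording the release alongside the input digests lets a later run detect both
    changed inputs ([MISC_M1]) and a changed tool installation ([MISC_M3]).
    """
    files = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in INPUT_SUFFIXES:
            files[path.relative_to(root).as_posix()] = sha256_file(path)
    return {"tool_version": tool_version, "files": files}


def verify_manifest(root: Path, baseline: dict, tool_version: str) -> dict:
    """Compare the current input set against a baseline manifest.

    Differences are returned explicitly so the review record can name exactly
    which inputs changed, rather than only reporting pass or fail.
    """
    current = build_manifest(root, tool_version)["files"]
    base = baseline["files"]
    result = {
        "tool_version_ok": baseline["tool_version"] == tool_version,
        "added": sorted(set(current) - set(base)),
        "removed": sorted(set(base) - set(current)),
        "modified": sorted(p for p in set(base) & set(current) if base[p] != current[p]),
    }
    result["ok"] = result["tool_version_ok"] and not (
        result["added"] or result["removed"] or result["modified"]
    )
    return result


def demo() -> dict:
    """Constructed scenario: record a baseline, then silently edit one input."""
    with tempfile.TemporaryDirectory() as tmp:
        model_dir = Path(tmp) / "model"
        model_dir.mkdir()
        # Constructed placeholder files; real inputs would be the Simulink model,
        # data dictionary and configuration used for production code generation.
        (model_dir / "controller.slx").write_bytes(b"constructed model bytes v1")
        (model_dir / "params.sldd").write_bytes(b"constructed data dictionary")
        (model_dir / "notes.txt").write_text("not a tool input; ignored by the manifest")

        baseline = build_manifest(model_dir, "R2020b")
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(baseline, indent=2))
        stored = json.loads(manifest_path.read_text())  # as revision control would hold it

        clean = verify_manifest(model_dir, stored, "R2020b")
        (model_dir / "controller.slx").write_bytes(b"constructed model bytes v2")  # silent edit
        tampered = verify_manifest(model_dir, stored, "R2020b")
        # "R2021a" stands for any release other than the one the baseline was taken with.
        wrong_tool = verify_manifest(model_dir, stored, "R2021a")
    return {
        "clean": clean,
        "tampered": tampered,
        "wrong_tool": wrong_tool,
        "baseline_files": sorted(stored["files"]),
    }


if __name__ == "__main__":
    outcome = demo()
    print("clean run ok:", outcome["clean"]["ok"])
    print("tampered inputs:", outcome["tampered"]["modified"])
    print("tool version ok:", outcome["wrong_tool"]["tool_version_ok"])
```

The manifest file is what goes under revision control with the model; the generated code and code
generation report can be hashed the same way so that the tool outputs referenced in the qualification
record are uniquely identified as well.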
Each entry gives the potential malfunction or erroneous output, the tool use cases affected, the tool impact
(TI), the effect, the error prevention and detection measures, the tool error detection (TD), the rationale,
and the resulting tool confidence level (TCL).

[ECoder_E2] Embedded Coder produces C or C++ code with unintended functionality
  Tool use cases: [ECoder_UC1], [ECoder_UC2], [ECoder_UC3]
  Tool impact: TI2. C/C++ code with unintended functionality could introduce unintended behavior of the
  target application component.
  Measures: [ECoder_M3] Prevention of unintended functionality; [ECoder_M2] Static code analysis
  Tool error detection: TD1. Review of a traceability report for the generated code and code coverage
  analysis can be used to detect code that is not related to the model elements, i.e. unintended
  functionality. This measure addresses the applicable verification methods recommended by ISO 26262-8
  and ISO 26262-11 and therefore provides a high degree of confidence that code with unintended
  functionality will be detected.
  Tool confidence level: TCL1

[ECoder_E3] Embedded Coder produces files for AUTOSAR application software components with incorrect content
  Tool use cases: [ECoder_UC3]
  Tool impact: TI2. AUTOSAR application software components with incorrect content could result in an
  incorrect component implementation.
  Measures: [ECoder_M4] Review of the files for AUTOSAR application software components; [ECoder_M5]
  Validation of files for AUTOSAR application software components in the AUTOSAR development environment
  Tool error detection: TD1. Review of the generated AUTOSAR files provides a high degree of confidence
  that incorrect content will be detected. The AUTOSAR development environment can also be used to
  validate the files for AUTOSAR application software components against the schema and to support the
  review.
  Tool confidence level: TCL1

[MISC_E1] Usage of incorrect input data
  Tool use cases: All
  Tool impact: TI2. Incorrect input data could result in incorrect or incomplete analysis results. It could
  introduce, or fail to detect, an error in safety-related items or elements being developed.
  Measures: [MISC_M1] Configuration management and revision control; [MISC_M5] Addressing tool errors and
  warnings
  Tool error detection: TD1. Revision control and configuration management provide integrity of the input
  data. Using checksums allows the unique identification of the input data. Invalid or corrupted input data
  will be reported by the tool and addressed by the user.
  Tool confidence level: TCL1

[MISC_E2] Misinterpretation of tool results
  Tool use cases: All
  Tool impact: TI2. Misinterpretation of analysis results could prevent errors from being detected.
  Measures: [MISC_M2] Competency of the project team
  Tool error detection: TD1. Training of users can prevent these issues.
  Tool confidence level: TCL1

[MISC_E4] Incorrect, modified, or environment-incompatible tool installation
  Tool use cases: All
  Tool impact: TI2. An incorrect or modified installation could result in incorrect or incomplete analysis
  results. It could introduce, or fail to detect, an error in safety-related items or elements being
  developed.
  Measures: [MISC_M3] Adherence to installation instructions and validation of tool installation integrity;
  [MISC_M4] Analysis of available bug report information
  Tool error detection: TD1. Adherence to the installation instructions provides a seamless installation.
  Validation of the installed tool provides integrity of the tool installation; this could include
  re-running the validation tests shipping with the IEC Certification Kit before using the tool. Analysis
  of the bug report information and use of the recommendations and workarounds minimizes the impact of
  tool bugs.
  Tool confidence level: TCL1
Based on the preceding analysis of the potential malfunctions or erroneous output for the tool use cases
[ECoder_UC1], [ECoder_UC2] and [ECoder_UC3], the maximum tool impact of Embedded Coder is TI2.
Use of the error detection measures [ECoder_M1] to [MISC_M5] provides a high degree of confidence (TD1)
that tool malfunctions will be detected. Therefore, the tool confidence level for the capabilities
implementing the tool use cases [ECoder_UC1], [ECoder_UC2] and [ECoder_UC3] is TCL1.
A suitable subset of the reference workflow and error detection measures can be selected to achieve a
medium degree of confidence (TD2) that tool malfunctions will be detected. In this case, the resulting tool
confidence level is TCL2.
TÜV SÜD reviewed the generic tool classification and confirmed the results in the Report to the Certificate.
If TCL2 is claimed for the Embedded Coder product, additional tool qualification methods appropriate for
the predetermined maximum ASIL for the application under consideration are necessary per ISO 26262-8:2018,
clause 11.4.6.1. Permissible tool qualification methods for TCL2 are listed in ISO 26262-8:2018, Table 5.
• Evaluation of the tool development process (ISO 26262-8:2018, Table 5, method 1b).
TÜV SÜD reviewed the generic tool qualification artifacts for Embedded Coder and confirmed the results in
the Report to the Certificate.
Note TÜV SÜD qualification assessment for the method “Validation of the software tool” is carried
out for the tool use scope specified in Chapter 4 of this document. Modified tool use cases or
error prevention and detection measures are not covered by the TÜV SÜD qualification
assessment.
If TCL2 is confirmed, the prequalification shall be confirmed prior to Embedded Coder being used for the
development of a particular safety-related item or element for the application under consideration. The
confirmation is required, because the prequalification was carried out independently from the development
of the application under consideration.
If TCL1 is confirmed, tool qualification and hence confirmation of the tool qualification are not required.
The generic tool classification assumes that Embedded Coder is being used as described in the reference
workflow documented in Embedded Coder Reference Workflow. Therefore, conformance with the entire
reference workflow (for TCL1) or the suitable subset (for TCL2) in the application under consideration shall
be confirmed by the applicant.
Note The applicant needs to document the Tool Confidence Level (TCL1 or TCL2) claimed for the
application under consideration and the translation validation workflow actually followed, because
the selected TCL determines the required rigor of the translation validation process.
<Insert results of the confirmation review and reference the confirmation review documentation>
• The first column (Change Status) identifies whether the use case was modified:
o No change: Use case did not change.
o Update: Use case was updated.
o New: Use case was added for the project.
o Delete: Use case was not applicable to the project.
• The second column provides the use case as described in section Tool Use Cases on page 4-2 with the
following exceptions:
o If the Change Status is “Update”, this column provides the modified use case.
o If the Change Status is “New”, this column provides the new use case.
• The third column states the use case as a checklist question, which is to be asked with regard to your
project. The following applies:
o If the Change Status is “Update”, this column provides the modified checklist question.
o If the Change Status is “New”, this column provides the checklist question as appropriate for the
new use case.
• The fourth column defines whether the use case was applicable for the project. This column can provide
additional information or clarification with regard to how the use case was applied in the project. The
following applies:
o If the Change Status is “Delete”, provide an explanation as to why this use case was not applicable
to the project.
Change Status: <Insert Information>
Use case: [ECoder_UC2] Generating C++ Code from the Model Used for Production Code Generation
  Embedded Coder code generator will be used to transform an executable model (model used for production
  code generation) into production C++ code for application software components.
Checklist question: Is Embedded Coder being used to generate C++ code for the model used for production
  code generation?
Applicable: <Insert Yes or No and provide additional details if needed>

Change Status: <Insert Information>
Use case: [ECoder_UC3] Generating C/C++ Code and Files for AUTOSAR Application Software Components from
  the Model Used for Production Code Generation
  Embedded Coder code generator with AUTOSAR Blockset will be used to:
  • Transform an executable model (model used for production code generation) into production C/C++
    code and files for AUTOSAR application software components.
  • Create an AUTOSAR configuration for a model, model AUTOSAR elements, and generate AUTOSAR XML and
    AUTOSAR-compatible C/C++ code from a model.
Checklist question: Is Embedded Coder code generator with AUTOSAR Blockset being used to transform an
  executable graphical model into production C code and files for AUTOSAR Classic software components?
Applicable: <Insert Yes or No and provide additional details if needed>

Are there any tool use cases not considered? <Insert Yes or No. If yes, identify tool use case(s) and
provide rationale.>

Change Status: <Insert Information>
Measure: [ECoder_M2] Static code analysis
  Static code analysis can be used to assess compliance with coding standards and to determine code size,
  complexity, and quality metrics.
Checklist question: Is static code analysis being used to assess compliance with coding standards and to
  determine code size, complexity, and quality metrics?
Applicable: <Insert Yes or No and provide additional details if needed>

Change Status: <Insert Information>
Measure: [ECoder_M3] Model and code coverage analysis
  Model and code coverage analysis can be used to find code that is not related to the subsystem elements,
  i.e. unintended functionality.
Checklist question: Do you conduct a review of model and code coverage reports to ensure there is no code
  that is not related to the subsystem elements?
Applicable: <Insert Yes or No and provide additional details if needed>

Change Status: <Insert Information>
Measure: [MISC_M1] Configuration management and revision control
  Configuration management, including revision control, shall be applied in accordance with Clause 7 of
  ISO 26262-8:2018 to the tool inputs and outputs, as well as to other applicable work products specified
  in the respective safety standard.
Checklist question: Is configuration of the tool’s input and output data managed in accordance with
  Clause 7 of ISO 26262-8:2018?
Applicable: <Insert Yes or No and provide additional details if needed>

Change Status: <Insert Information>
Measure: [MISC_M3] Adherence to installation instructions and validation of tool installation integrity
  Adhere to the installation instructions for the tool (including dependent tools) and verify the version
  and integrity of the tool. Validate modifications or additions made to the shipping product(s), if
  applicable, by re-running the validation test suite provided in the IEC Certification Kit.
Checklist questions:
  Did users adhere to the installation instructions for the tool (including dependent tools)?
    <Insert Yes or No and provide additional details if needed>
  Did users verify the version and integrity of the tool?
    <Insert Yes or No and provide additional details if needed>
  Did users validate modifications or additions made to the shipping product(s), if applicable, by
  re-running the validation test suite provided in the IEC Certification Kit?
    <Insert Yes or No and provide additional details if needed>

Change Status: <Insert Information>
Measure: [MISC_M4] Analysis of available bug report information
  Assess and analyze the tool’s bug report information that is provided by MathWorks® and comply with the
  recommendations and workarounds, if applicable.
Checklist questions:
  Did users assess and analyze bug report information for the tool?
    <Insert Yes or No and provide additional details if needed>
  Did users comply with the recommendations and workarounds, if applicable?
    <Insert Yes or No and provide additional details if needed>

Change Status: <Insert Information>
Measure: [MISC_M5] Addressing tool errors and warnings
  The tool reports abnormal operating modes, such as invalid tool inputs or incompatible settings that
  result from incorrect tool usage, by issuing errors and warnings. All errors and warnings should be
  reviewed, and appropriate action shall be taken.
Checklist questions:
  Did the user review all errors and warnings?
    <Insert Yes or No and provide additional details if needed>
  Was appropriate action taken in response to the errors and warnings?
    <Insert Yes or No and provide additional details if needed>

Are there any error prevention and detection measures not considered? <Insert Yes or No. If yes, identify
the measure(s) and provide rationale.>
Each entry gives the potential malfunction or erroneous output, the tool use cases affected, the tool impact
(TI), the effect, the error prevention and detection measures, the tool error detection (TD), the rationale,
and the resulting tool confidence level (TCL).

[ECoder_E2] Embedded Coder produces C or C++ code with unintended functionality
  Tool use cases: [ECoder_UC1], [ECoder_UC2], [ECoder_UC3]
  Tool impact: TI2. C/C++ code with unintended functionality could introduce unintended behavior of the
  target application component.
  Measures: [ECoder_M3] Prevention of unintended functionality; [ECoder_M2] Static code analysis
  Tool error detection: TD1. Review of a traceability report for the generated code and code coverage
  analysis can be used to detect code that is not related to the model elements, i.e. unintended
  functionality. This measure addresses the applicable verification methods recommended by ISO 26262-8
  and ISO 26262-11 and therefore provides a high degree of confidence that code with unintended
  functionality will be detected.
  Tool confidence level: TCL1

[MISC_E1] Usage of incorrect input data
  Tool use cases: All
  Tool impact: TI2. Incorrect input data could result in incorrect or incomplete analysis results. It could
  introduce, or fail to detect, an error in safety-related items or elements being developed.
  Measures: [MISC_M1] Configuration management and revision control; [MISC_M5] Addressing tool errors and
  warnings
  Tool error detection: TD1. Revision control and configuration management provide integrity of the input
  data. Using checksums allows the unique identification of the input data. Invalid or corrupted input data
  will be reported by the tool and addressed by the user.
  Tool confidence level: TCL1

[MISC_E2] Misinterpretation of tool results
  Tool use cases: All
  Tool impact: TI2. Misinterpretation of analysis results could prevent errors from being detected.
  Measures: [MISC_M2] Competency of the project team
  Tool error detection: TD1. Training of users can prevent these issues.
  Tool confidence level: TCL1

[MISC_E3] Incorrect tool usage
  Tool use cases: All
  Tool impact: TI2. Incorrect tool usage could result in incorrect or incomplete analysis results. It could
  introduce, or fail to detect, an error in safety-related items or elements being developed.
  Measures: [MISC_M2] Competency of the project team; [MISC_M5] Addressing tool errors and warnings
  Tool error detection: TD1. Training of users can ensure correct usage of the tool. Invalid tool inputs or
  incompatible settings that are caused by incorrect tool usage will be reported by the tool and addressed
  by the user.
  Tool confidence level: TCL1
<Insert results of the confirmation review or reference the confirmation review documentation.>
<Insert reference to customized and completed Conformance Demonstration Template for the project.>