Professional Documents
Culture Documents
ISO 26262 - Exemplary Tool Classification of Model-Based Design Tools
ISO 26262 - Exemplary Tool Classification of Model-Based Design Tools
Abstract: Tool classification is an important part of the maximum ASIL among the safety requirements allocated
tool qualification process required by ISO 26262 since it to the system / item to be developed using the software
determines the required confidence level for each tool in tool.
use. To cover the variety of tools used by practitioners,
the standard only provides a framework for tool 2 Two-stage Qualification of COTS Tools
classification and leaves it up to the applicant to
instantiate this framework. The knowledge of the actual tool usage and its embedding
To illustrate the ISO 26262 tool classification into the software development process used in the actual
procedure, this paper provides an exemplary tool project is crucial to the ISO 26262 tool classification and
classification for the Model Advisor, a static analysis tool qualification approach. Since only the tool user has this
used in Model-Based Design, knowledge at their disposal, the responsibility for the final
By putting this example into the context of a practical tool classification and potentially tool qualification in the
tool qualification approach for COTS tools, the author’s context of the application lies with the tool user.
report their experiences in instantiating the ISO 26262-8 However, tool classification and qualification also
tool qualification framework. encompass generic aspects and activities that are common
across various users. In case of commercial-off-the shelf
1 Tool Qualification According to ISO (COTS) tools, the tool vendor can facilitate the tool
26262 qualification process by documenting generic aspects,
conducting generic activities, and providing the resulting
According to ISO 26262, a software tool can support or information to its tool users to simplify their tool
enable tailoring of the lifecycle through tailoring of qualification activities.
activities required by the standard. In these cases, Similar as for other standards (e.g. DO-178B), users
confidence is needed that the usage of a tool: of COTS tools expect their tool vendors to provide ISO
1. Decreases the risk of systematic faults in the 26262 tool qualification packages that can be adapted and
system under development caused by instantiated with limited effort.
malfunctions of this tool or its erroneous output. Tool qualification in such a situation can be achieved
2. Promotes the adequacy of the development by a two-stage qualification approach that is
process w.r.t. compliance with ISO 26262, if characterized by sharing the tool qualification activities
activities or tasks required by ISO 26262 rely on between the tool vendor and the tool user [Con10,
the correct functioning of this tool. CSM10, HKW+11].
Chapter 11 of ISO/FDIS 26262-8 defines a process to Stage I, the application-agnostic pre-qualification,
gain confidence in the usage of a software tool, a.k.a. comprises the following steps:
software tool qualification. The required level of I.a. Generic tool classification [Tool vendor]
confidence in the tool is determined by: I.b. Generic pre-qualification up to max. required
• The possibility that the malfunctioning software
TCL [Tool vendor]
tool or its erroneous output can either introduce
errors or fail to detect errors in the system/item I.c. Independent assessment of generic tool
being developed. classification and pre-qualification
[External organization]
• The confidence in preventing or detecting such
errors in the tool’s output. The pre-qualification results in an ISO 26262 tool
To evaluate the confidence in prevention or detection qualification kit as mentioned above. Even not required
measures, tool-internal measures (e.g. monitoring) as well by ISO 26262, an independent assessment by a
as tool-external measures (e.g. guidelines, tests, reviews) certification authority or a consulting firm with sufficient
implemented in the software lifecycle can be taken into experience and reputation can be used as a means to
account. increase the confidence in the pre-qualification and the
If required by the tool confidence level determined, tool qualification kit.
appropriate qualification methods need to be applied to Stage II, the application-specific adaptation,
comply with both the tool’s confidence level and the encompasses a
II.a. Review / adaptation of the tool qualification kit qualification could still be leveraged. [CMS10] provides
[Tool user] an example for an application-specific adaptation of an
The application-specific adaptation results in the final ISO 26262 tool qualification kit.
ISO 26262 tool qualification documentation.
The generic, application-agnostic pre-qualification, 3 Tool Classification Example: Model
i.e. stage I, is based on common, typical tool use cases. It Advisor
can be augmented by a reference workflow to be utilized
by the tool user when using the tool for developing or Model-Based Design of Automotive Application
verifying safety-related software. In terms of ISO 26262, Software Components
the reference workflow describes error prevention and Because of its capability to address software complexity
detection measures employed when using the tool. and productivity challenges, Model-Based Design
In the generic tool classification, the tool is classified [HKM+05, CFG+05, CD06] is quickly becoming a
assuming that it is used as specified by the typical use widespread software engineering paradigm for the
cases and tool usage is supported by the error prevention development of embedded application software
and detection methods described in the reference components across industries. For example, practitioners
workflow. The maximum required tool confidence level report productivity gains of 4 to 10 times when using
(TCL) resulting from the generic tool classification is graphical modeling techniques [HKM+05, KHJ07]. In a
used to determine the necessary tool qualification typical Model-Based Design workflow, an initial
methods. executable graphical specification representing the
An example generic tool classification will be application software component under development is
discussed in the next section. refined and augmented until it becomes the blueprint for
If an independent assessment is utilized, the tool the final implementation through automatic code
qualification artifacts created by the tool vendor are generation.
submitted to the external organization for review and Model-Based Design is one of the software
approval. The assessor states the adequacy of the development paradigms directly addressed in ISO 26262.
classification and the pre-qualification artifacts in an Annex B of ISO 26262-6 describes this development
assessment report. If the assessment is carried out by a paradigm in more detail.
notified body such as the TÜV, a corresponding Simulink® [Simulink, Mos06] is a widely used
certificate can be issued. Model-Based Design environment. It supports the
To further support tool users, the tool vendor can also description of both discrete- and continuous-time models
create a tool qualification package (TQP) containing pre- in a graphical block-diagram language. Embedded code
filled templates for the tool qualification artifacts as generation from Simulink models is supported by
described in ISO 26262-8. Embedded CoderTM [ECoder]. The code generator is
An example of a tool qualification kit created using capable of translating Simulink models into C or C++
this approach is MathWorks IEC Certification Kit code that can be deployed onto embedded systems.
[IECCertKit]. The ISO 26262 portion of the kit1 contains The Simulink environment is extensively used in
ISO 26262 tool qualification kits for the Embedded different application domains. According to [HKM+05],
CoderTM code generator [ECoder] and the Polyspace® 50% of the behavioral models for automotive controls are
code verifiers [Polyspace]. The independent assessments designed using this environment. Because of the
for these products were carried out by TÜV SÜD. popularity of this environment, an analysis tool for
For stage II, the tool user needs to review the Simulink models is used in this paper to illustrate the
template documents for applicability to the system / item realization of the ISO 26262 tool classification approach.
under consideration and to instantiate or adapt the
information provided. Static Analysis at the Model Level
If the pre-qualified tool is used within the perimeter When using Model-Based Design for ISO 26262
of the use cases and the reference workflow, the user can applications, the detailed design of application software
directly leverage the pre-qualification by referencing the components can be implemented as a model, in
certificate and the certificate report. accordance with a set of modeling guidelines (a.k.a.
If the user uses the tool differently, the tool design and coding guidelines for the modeling language).
classification needs to be carried out according to the The detailed design needs to be verified before
actual use case(s). However, if the required TCL derived proceeding to the next development phase [ISO 26262-6].
from the actual use cases is equal or lower than the TCL Part of this verification process is the static analysis of the
that resulted from the typical use cases, the generic tool Simulink model against the applicable modeling
guidelines. Model checks can be carried out by using the
1
The IEC Certification Kit also contains documents, artifacts, and tools Model Advisor [MdlAdv] a static analysis tool integrated
to support certification and qualification activities according to the IEC into the Simulink environment. Additional Model Advisor
61508 base standard and additional domain-specific derivative checks focused on specific standards, such as ISO 26262,
standards.
are provided by Simulink® Verification and Advisor to check a set of modeling guidelines.
Validation™. Fig. 1 illustrates the usage of Model
requirements
Qualification
qualification
Increasing
TD 3 TCL 3
TI 2
TD 2
Medium
measures for TCL3
(TCLREQ) to support these use cases needs to be
UC Qualification
1..n
TD 1 High
TCL 2
measures for TCL2 established.
TI 1 TCL 1 Example: A table format (cf. [Mai09]) can be used to
Figure 2. Tool Classification Scheme acc. to ISO document the determination of TI, TD and TCLs. Table 1
26262-8 summarizes this process for the Model Advisor example.
ID Potential malfunction or Use case TI Justification for Measure(s) to prevent TD Justification for TD TCL
erroneous output TI or detect error in tool
output
E1 False negative: The UC1 TI2 Incorrect Preceding or TD2 Static analysis tools typically TCL2
modeling guideline checker analysis result subsequent dynamic detect only a subset of the
incorrectly marks model as could prevent verification (testing) of existing modeling standard
compliant modeling the model violations in the model.
guidelines Therefore, other process steps
violations from can not assume completeness of
being detected modeling guideline check
results.
Modeling standard violations do
not necessarily imply incorrect
models. Functional or structural
testing help detect real errors in
the model. The likelihood of
detecting these errors by testing
is considered to be ‘medium’.
E2 False positive: The UC1 TI1 Nuisance only, - - - TCL1
modeling guideline checker software does
incorrectly marks model as not violate
non-compliant modeling
guidelines
E3 Non interference: The UC1 TI1 Error in the tool - - - TCL1
modeling guideline checker does not affect
contains an error, but model analysis results
to be analyzed does not
invoke the erroneous
portion of the tool
E4 Incorrect hyperlinks: UC1 TI1 Nuisance only, - - - TCL1
Hyperlinks in the analysis software does
results contain errors. not violate
modeling
guidelines
E5 Incorrect fixing of reported UC2 TI2 Incorrect fixing Re-checking of the TD2 Re-checking of the model TCL2
issues: Automatic fixing of could introduce model after automatic will detect modeling standard
reported issues does not error in the fixing of reported violations introduced by the
work correctly. model issues automatic fixing but might
miss other errors introduced
Subsequent dynamic TD2 Functional or structural TCL2
verification (testing) of testing help detect real errors
the model in the model. The likelihood
of detecting these errors by
testing is considered to be
‘medium’.
Automatic comparison TD1 Manual review of the TCL1
of XML files exported comparison results can verify
from the original and that fixing of changes resulted
fixed Simulink models did not introduce un-intended
and subsequent manual changes
review of the
comparison results
ID Potential malfunction Use TI Justification for TI Measure(s) to TD Justification for TD TCL
or erroneous output case prevent or detect
error in tool output
E6 Misinterpretation of UC1 TI2 Misinterpretation of Adequate competency TD1 Adequate training of users can prevent TCL1
results: User interprets analysis results could of the project team these issues
correct analysis results prevent errors from
incorrectly being detected