ISO 26262 - Exemplary Tool Classification of Model-Based Design Tools

Authors

  • Mirko Conrad (The MathWorks, Inc., Natick, MA, USA)
  • Ines Fey (samoconsult GmbH, Berlin, Germany)

Abstract

Tool classification is an important part of the tool qualification process required by ISO 26262, since it determines the required confidence level for each tool in use. To cover the variety of tools used by practitioners, the standard only provides a framework for tool classification and leaves it up to the applicant to instantiate this framework. To illustrate the ISO 26262 tool classification procedure, this paper provides an exemplary tool classification for the Model Advisor, a static analysis tool used in Model-Based Design. By putting this example into the context of a practical tool qualification approach for COTS tools, the authors report their experiences in instantiating the ISO 26262-8 tool qualification framework.

1 Tool Qualification According to ISO 26262

According to ISO 26262, a software tool can support or enable tailoring of the lifecycle through tailoring of activities required by the standard. In these cases, confidence is needed that the usage of a tool:

1. Decreases the risk of systematic faults in the system under development caused by malfunctions of this tool or its erroneous output.
2. Promotes the adequacy of the development process w.r.t. compliance with ISO 26262, if activities or tasks required by ISO 26262 rely on the correct functioning of this tool.

Chapter 11 of ISO/FDIS 26262-8 defines a process to gain confidence in the usage of a software tool, a.k.a. software tool qualification. The required level of confidence in the tool is determined by:

  • The possibility that the malfunctioning software tool or its erroneous output can either introduce errors or fail to detect errors in the system/item being developed.
  • The confidence in preventing or detecting such errors in the tool's output.

To evaluate the confidence in prevention or detection measures, tool-internal measures (e.g. monitoring) as well as tool-external measures (e.g. guidelines, tests, reviews) implemented in the software lifecycle can be taken into account.

If required by the tool confidence level determined, appropriate qualification methods need to be applied to comply with both the tool's confidence level and the maximum ASIL among the safety requirements allocated to the system/item to be developed using the software tool.

2 Two-stage Qualification of COTS Tools

Knowledge of the actual tool usage and its embedding into the software development process used in the actual project is crucial to the ISO 26262 tool classification and qualification approach. Since only the tool user has this knowledge at their disposal, the responsibility for the final tool classification and, potentially, tool qualification in the context of the application lies with the tool user. However, tool classification and qualification also encompass generic aspects and activities that are common across various users. In the case of commercial off-the-shelf (COTS) tools, the tool vendor can facilitate the tool qualification process by documenting generic aspects, conducting generic activities, and providing the resulting information to its tool users to simplify their tool qualification activities. As with other standards (e.g. DO-178B), users of COTS tools expect their tool vendors to provide ISO 26262 tool qualification packages that can be adapted and instantiated with limited effort.

Tool qualification in such a situation can be achieved by a two-stage qualification approach that is characterized by sharing the tool qualification activities between the tool vendor and the tool user [Con10, CSM10, HKW+11]. Stage I, the application-agnostic pre-qualification, comprises the following steps:

I.a. Generic tool classification [Tool vendor]
I.b. Generic pre-qualification up to the maximum required TCL [Tool vendor]
I.c. Independent assessment of generic tool classification and pre-qualification [External organization]

The pre-qualification results in an ISO 26262 tool qualification kit as mentioned above. Even if not required by ISO 26262, an independent assessment by a certification authority or a consulting firm with sufficient experience and reputation can be used as a means to increase the confidence in the pre-qualification and the tool qualification kit.

Stage II, the application-specific adaptation, encompasses a
II.a. Review / adaptation of the tool qualification kit


Similar sources

Software Tool Qualification According to ISO 26262

International standards that define requirements for the development of safety-related systems typically also define required confidence levels for the software tools used to develop those systems. The standards define—to a greater or lesser extent— procedures to classify, validate, certify, or qualify tools. To date, there is no common approach for tool validation, certification, and qualifica...


ISO 26262 - Tool chain analysis reduces tool qualification costs

Software tools in safety related projects are indispensable, but also introduce risks. A tool error may lead to the injection or non-detection of a fault in the product. For this reason the safety norm for road vehicles, ISO 26262, requires determination of a tool confidence level for each software tool. In this paper we present a model-based approach to represent a tool chain, its potential er...


Artifact-Centric Compliance Demonstration for ISO 26262 Projects Using Model-Based Design

Automotive software components are frequently engineered using Model-Based Design. For software that needs to comply with the ISO 26262 standard, OEMs and suppliers look for efficient ways to demonstrate compliance with the software-related requirements of this functional safety standard. To demonstrate process compliance, the objectives and requirements of ISO 26262-6 need to be mapped onto Mo...


Qualifying Software Tools According to ISO 26262

The growing adoption of safety standards in the automotive industry results in an increasing interest in as well as an increasing uncertainty about software tool certification and qualification. With ISO 26262 on the horizon, new tool qualification requirements need to be understood and implemented by automotive software practitioners. This paper summarizes the tool qualification approach of IS...


From Safety Requirements to Safety Monitors – Automatic Synthesis in Compliance with ISO 26262

The development of safety-critical electronic systems in the automotive domain is standardized by the ISO 26262 Road vehicles Functional safety. Depending on the concrete risk classification (Automotive Safety Integrity Level, ASIL for short), necessary safety requirements and activities are specified in order to achieve an acceptable residual risk of the system. In particular for the higher AS...



Journal title:
  • Softwaretechnik-Trends

Volume 31, Issue -

Pages -

Publication date: 2011