Image: Why do we need a classification and qualification of tools?

Tool Classification and Qualification in Compliance with ISO 26262

Prof. Dr. Mirko Conrad, Sophia Kohle & Dr. Hartmut Pohlheim
Illustration depicting the importance of tool classification and qualification in ensuring safety and compliance
Ensuring Safety and Compliance: The Crucial Role of Tool Classification and Qualification

Software tools are widely used to facilitate the development of safety-related electrical and/or electronic (E/E) systems. Such tools can contribute to safety by automating the activities they perform and by executing predictably actions that would otherwise be prone to human error. Conversely, tool errors can adversely affect the functionality and safety of the developed systems if a tool performs its intended function inadequately or incorrectly.

To reduce the potential risks associated with tool usage and to ensure the integrity of the tool functionality, recent functional safety standards call for dedicated activities to gain confidence in the tools used during the development of E/E systems.

In the context of developing safety-related automotive software, fulfilling the tool classification and qualification requirements of ISO 26262 [ISO 26262-8] is mandatory to ensure the compliance with this functional safety standard.

Part 8 of this standard calls for a two-step process to gain confidence in the software tools. This process starts with (I) a tool classification to determine the required level of confidence in each software tool. Depending on the outcome of the first step, (II) a subsequent tool qualification to establish the required confidence might be necessary.

Determining the need for further tool qualification based on the tool impact and the efficacy of the tool error detection

I. Tool Classification

Tool classification is based on the actual/intended usage of the tool. Therefore, the tool usage needs to be documented by means of tool use cases. Each use case is subjected to further analysis as follows.

Initially, the potential tool errors that could occur in the considered use case need to be identified and documented. For each tool error, it needs to be determined whether it could introduce an error into the E/E system under development or fail to detect such an error. If it can be argued that neither is possible, the tool error has a tool impact of 1 (TI1); otherwise the tool impact is 2 (TI2).

Then, the measures applied to prevent or detect these tool errors need to be identified and documented, and their expected efficacy needs to be rated. High, medium, or low confidence in these measures corresponds to a tool error detection class of 1 (TD1), 2 (TD2), or 3 (TD3), respectively.

Finally, a tool confidence level (TCL) is assigned to each combination of a tool use case and a corresponding tool error. Given a tool impact class (TI1 or TI2) and a tool error detection class (TD1, TD2, or TD3), the corresponding TCL is derived from the following matrix (ISO 26262-8, Table 3): TI1 yields TCL1 regardless of the detection class; for TI2, TD1 yields TCL1, TD2 yields TCL2, and TD3 yields TCL3.

         TD1     TD2     TD3
  TI1    TCL1    TCL1    TCL1
  TI2    TCL1    TCL2    TCL3

The tool classification step has to be documented in a tool criteria evaluation report (a.k.a. tool classification report).
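The classification procedure described above, carried through as an added Python example; this is not code from the article or from the authors' classification kit. The use cases, tool errors and measures are constructed for illustration (a hypothetical code generator), and the only part taken from the standard is the TI/TD to TCL mapping of ISO 26262-8:2018, Table 3. The example also rejects the two inputs an analyst most often gets wrong: a TI/TD pair outside the matrix, and a confidence rating claimed for an error that has no documented measure.

```python
"""Worked ISO 26262-8 tool classification over documented use cases.

Added example, not the article's code. Sample data below is constructed;
the TI/TD -> TCL derivation follows ISO 26262-8:2018, Table 3.
"""
from dataclasses import dataclass, field
from typing import List

# Tool confidence level as a function of tool impact (TI) and tool error
# detection (TD). TI1 yields TCL1 regardless of TD; for TI2 the TCL follows TD.
TCL_MATRIX = {
    (1, 1): 1, (1, 2): 1, (1, 3): 1,
    (2, 1): 1, (2, 2): 2, (2, 3): 3,
}

# Rated efficacy of the prevention/detection measures -> TD class.
TD_BY_CONFIDENCE = {"high": 1, "medium": 2, "low": 3}


@dataclass
class ToolError:
    """One potential tool error identified for a use case."""
    description: str
    can_affect_product: bool  # could it introduce, or mask, an error in the E/E system?
    measures: List[str] = field(default_factory=list)  # measures that prevent or detect it
    detection_confidence: str = "low"  # rated efficacy of the measures as a whole


@dataclass
class UseCase:
    name: str
    errors: List[ToolError]


def tool_impact(err: ToolError) -> int:
    """TI1 if it can be argued that the error cannot reach the product, else TI2."""
    return 2 if err.can_affect_product else 1


def tool_error_detection(err: ToolError) -> int:
    """TD1/TD2/TD3 from the rated confidence in the measures; sanity-checks the rating."""
    if err.detection_confidence not in TD_BY_CONFIDENCE:
        raise ValueError(f"unknown confidence rating: {err.detection_confidence!r}")
    if not err.measures and err.detection_confidence != "low":
        # Without any documented measure there is nothing to justify confidence.
        raise ValueError(f"{err.description!r}: confidence claimed without measures")
    return TD_BY_CONFIDENCE[err.detection_confidence]


def tool_confidence_level(ti: int, td: int) -> int:
    """TCL for a (TI, TD) pair according to the matrix above."""
    try:
        return TCL_MATRIX[(ti, td)]
    except KeyError:
        raise ValueError(f"invalid TI/TD combination: TI{ti}/TD{td}") from None


def classify(use_cases: List[UseCase]) -> List[dict]:
    """One row per (use case, tool error) combination: TI, TD and resulting TCL."""
    rows = []
    for uc in use_cases:
        for err in uc.errors:
            ti, td = tool_impact(err), tool_error_detection(err)
            rows.append({"use_case": uc.name, "error": err.description,
                         "TI": ti, "TD": td, "TCL": tool_confidence_level(ti, td)})
    return rows


def overall_tcl(rows: List[dict]) -> int:
    """The tool's TCL is driven by its worst-rated combination."""
    return max(r["TCL"] for r in rows)


def needs_qualification(rows: List[dict]) -> List[dict]:
    """Combinations rated TCL2 or TCL3 trigger the tool qualification step."""
    return [r for r in rows if r["TCL"] > 1]


# Constructed sample: a hypothetical code generator used in three ways.
SAMPLE_USE_CASES = [
    UseCase("Generate C code from the controller model", [
        ToolError("Generated code deviates semantically from the model", True,
                  ["Back-to-back test: model simulation vs. generated code on target"], "high"),
        ToolError("Generated code violates the coding guideline", True,
                  ["Static analysis of all generated code with a guideline checker"], "high"),
    ]),
    UseCase("Generate an HTML model report", [
        # The report is informational only and not part of the product -> TI1.
        ToolError("Report content is incorrect", False),
    ]),
    UseCase("Apply code optimization settings", [
        ToolError("Optimization setting silently ignored", True,
                  ["Manual review of selected generated files"], "medium"),
    ]),
]

if __name__ == "__main__":
    table = classify(SAMPLE_USE_CASES)
    for r in table:
        print(f"TI{r['TI']} TD{r['TD']} -> TCL{r['TCL']}  {r['use_case']}: {r['error']}")
    print(f"overall: TCL{overall_tcl(table)}; "
          f"{len(needs_qualification(table))} combination(s) require qualification")
```

Note that the TCL is assigned per (use case, tool error) combination, as the article says; the tool-level TCL is simply the worst of these, and only the TCL2/TCL3 rows carry over into the qualification step. Limiting the tool's use cases (for example, not using the report generator output as a verification artefact) is therefore a legitimate way to keep a tool at TCL1.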

II. Tool Qualification

Those combinations of use cases and tool errors rated as TCL1 do not require further action. For all other combinations, i.e. those rated as TCL2 or TCL3, the tool qualification process needs to be initiated.

As per ISO 26262, tool qualification shall be carried out by using a suitable combination of the following four tool qualification methods:

(1a) Increased confidence from use.

(1b) Evaluation of the tool development process.

(1c) Validation of the software tool.

(1d) Development in compliance with a safety standard.

The selection of appropriate tool qualification methods depends on the TCL and on the Automotive Safety Integrity Level (ASIL) of the E/E system to be developed.

However, the practical significance of tool qualification methods (1a) and (1d) is rather limited. The vast majority of all tool qualifications known to the authors use method (1b) or (1c) or a combination thereof.

If method (1b) ‘Evaluation of the tool development process’ is used to qualify a software tool, the tool development process shall be assessed against an appropriate national or international standard, and the proper application of the assessed development process shall be demonstrated.

If method (1c) ‘Validation of the software tool’ is used, the validation of the software tool shall meet the following three criteria:

a) It shall be demonstrated that the software tool complies with its specified requirements, e.g., by using validation tests or reviews designed to evaluate functional and non-functional quality aspects of the tool.

b) If malfunctions occur during the validation, these malfunctions shall be analyzed. Also, information on their possible consequences and measures to avoid or detect them shall be provided.

c) The reaction of the software tool to anomalous operating conditions (e.g., foreseeable misuse, incomplete input data, and incompatible combinations of configuration settings) shall be examined.

The tool qualification step is documented in a tool qualification report.

Conclusion

In summary, tool classification and qualification are integral to ensuring the safety of automotive development processes under ISO 26262. By systematically assessing the impact of potential tool errors, determining the required confidence level for each tool, and applying appropriate qualification methods where that confidence is not yet established, organizations can ensure that the tools they use do not compromise the safety of the systems they help develop.

References

  1. [ISO 26262-8] ISO 26262:2018 ‘Road Vehicles – Functional Safety’. Part 8 ‘Supporting Processes’. International Standard, ISO 2018
  2. [CKP18] M. Conrad, S. Kohle, H. Pohlheim: Qualification of Model-Based Development Tools - A Case Study. Proc. of Model-based Development of Embedded Systems (MBEES 2018), Dagstuhl, Germany 2018.

ISO 26262 Tool Classification and Qualification

This training class describes how to navigate the complexities of ISO 26262 tool classification and qualification for automotive software development. Gain insights into industry best practices, explore lessons learned, and participate in a hands-on session to customize an ISO 26262 classification kit tailored to your organization’s requirements.


Do you have questions?

Prof. Dr. Mirko Conrad & Björn Kunze
tudoor academy
