The majority of safety critical standards contain a section discussing the activities and analysis required to ensure tools deployed in the development of an electronic device won’t introduce bugs into the final product. The term “tools” commonly refers to design automation software used from concept through to production and can be 3rd party or homegrown. Often time, the thought of tool certification can be overwhelming and in this post, I’d like to discuss how ISO26262 certification packages can be leveraged to satisfy tool certification requirements in IEC 61508.
ISO 26262:2018 Part 8 Clause 11 provides guidance in the qualification of software tools. Firstly, it defines three terms:
- Tool Impact (TI): The possibility that a malfunction of a tool can introduce or fail to detect errors in a safety-related item
- Tool Error Detection (TD): The confidence in measures to prevent the tool from malfunctioning and producing erroneous output.
- Tool Confidence Level (TCL): A rating which combines TI and TD above.
The determination of Tool Impact (TI) and Tool Detection (TD) determine the TCL.
In the event that the tool is rated as TCL2 or TCL3, mitigation measures must be performed. ISO 26262-8:2018 Clause 11.4. provides guidance on activities required taking into account the Automotive Safety Integrity Level (ASIL) target.
It is expected that companies perform the mitigation techniques described in the tables above and provide the evidence of completion of those activities during an audit.
IEC 61508 Summary
IEC 61508 provides direction in how project teams must qualify the tools used in their flow. However, compared to ISO 26262, this guidance does leave more room for interpretation.
First, IEC 61508:3 126.96.36.199 discusses a ranking system similar to ISO 26262. Tools are assessed as T1, T2 or T3. T1 tools are tools which have no impact on safety or where there is a high degree of confidence that tool failures are detected. T3 tools are on the opposite end of the spectrum.
Section 188.8.131.52 indicates that all T2 and T3 tools shall provide product documentation which list out the use models and constraints. Additionally section 184.108.40.206 and 220.127.116.11 detail tool validation activities which are described further below.
Finally, Table A.3 discusses the techniques or measures which should be applied for “support tools and programming language” for the target Safety Integrity Level (SIL)
As it pertains to the usage of certified tools (third row in Table A.3), Part 7 Chapter C.4 details the criteria for a certified tool.
The certification of a tool will generally be carried out by an independent, often national, body, against independently set criteria, typically national or international standards. Ideally, the tools used in all development phases (specification, design, coding, testing and validation) and those used in configuration management, should be subject to certification.IEC 61508:7 C.4
The final row of Table A.3 specifies “proven in use” as a means of tool assessment. IEC 61508:3 18.104.22.168 – 22.214.171.124 details the evidence required to satisfy the proven in use argument, which includes establishing relevant history and documentation detailing validation activities and results. Other activities include documenting the errata, understanding use case restrictions, and in some cases, performing tool validation. Validation evidence may include:
- a chronological record of the validation activities;
- the version of the tool product manual being used;
- the tool functions being validated;
- tools and equipment used;
- the results of the validation activity; the documented results of validation shall state either that the software has passed the validation or the reasons for its failure;
- test cases and their results for subsequent analysis;
- discrepancies between expected and actual results.
Leveraging Siemens ISO26262 Certification
Siemens EDA performs extensive tool assessment and uses a third party auditor to officially certify the product meets best in class development process and standards. The 3rd party certification to the child standard (ISO 26262) satisfies the IEC 61508 requirement that certification be performed by “an independent, often national, body, against independently set criteria, typically national or international standards.” The graphic below is the certificate received from the Siemens EDA auditor.
In each certification package, Siemens also details the use cases, development practices, configuration management, and issue tracking systems deployed to reinforce best in class software development. Additionally, release notes, product documentation, and errata are provided. When coalesced, the information provided can be leveraged as evidence required during IEC 61508 tool assessment.
Hopefully this post clarified some of the expectations regarding tool certification in ISO 26262 and IEC 61508. Not surprisingly, the expectations between the two standards are similar. Therefore an argument can be made in leveraging ISO 26262 certification to meet IEC 61508 tool assessment requirements. To help simplify that process, Siemens EDA delivers certification packages proving Siemens EDA solutions are safe to use within an ISO 26262 safety critical development flow. Please see the Siemens Quality webpage for information on certified tool packages which are available on Siemens Support.