12. ISO 26262 requirements

Clause

Document chapter(s)

Clause description

11.4.1

See the traceability below

If the safety lifecycle incorporates the use of a software tool for the development of a system, or its hardware or software elements, such that activities or tasks required by ISO 26262 series of standards rely on the correct functioning of a software tool, and where the relevant outputs of that tool are not examined or verified for the applicable process step(s), such software tools shall comply with the requirements of this clause.

11.4.2

N/A

If the confidence level evaluation or qualification of a software tool is performed independently from the development of a particular safety-related item or element, the validity of this predetermined Tool Confidence Level or qualification shall be verified prior to the software tool being used for the development of a particular safety-related item or element.

11.4.3

Safety Manual - Usage

When using a software tool, it shall be ensured that its usage, its determined environmental and functional constraints and its general operating conditions comply with its evaluation criteria or its qualification.

11.4.4.1

See sub items below

The usage of a software tool shall be planned, including the determination of:

11.4.4.1.a

Safety Manual - Environment

the identification and version number of the software tool;

11.4.4.1.b

Safety Manual - Tool options

the configuration of the software tool;

11.4.4.1.c

Evaluation Report - Use cases

the use cases of the software tool;

11.4.4.1.d

Safety Manual - Environment

the environment in which the software tool is executed,

11.4.4.1.e

Qualification Report - Acceptability statement

the maximum ASIL of all the safety requirements, allocated to the item or the element that can directly be violated, if the software tool is malfunctioning and producing corresponding erroneous output; and

11.4.4.1.f

Evaluation Report - Qualification Method

the methods to qualify the software tool, if required, based on the determined level of confidence and ASIL.

11.4.4.2

See sub items below

To ensure the proper evaluation or usage of the software tool, the following information shall be available:

11.4.4.2.a

Qualification Plan - Ferrocene details

a description of the features, functions and technical properties of the software tool;

11.4.4.2.b

User Manual

the user manual or other usage guides, if applicable;

11.4.4.2.c

Safety Manual - Environment

a description of the environment required for its operation,

11.4.4.2.d

Safety Manual - Degraded environment

a description of the expected behaviour of the software tool under anomalous operating conditions, if applicable;

11.4.4.2.e

Safety Manual - Known problems

a description of known software tool malfunctions and the appropriate safeguards, avoidance or workaround measures, if applicable; and

11.4.4.2.f

Safety Manual - Known Problems

the measures for the prevention or detection of malfunctions and the corresponding erroneous output of the software tool identified during the determination of the required level of confidence for this software tool.

11.4.5.1

See sub items below

The description of the usage of a software tool shall contain the following information:

11.4.5.1.a

Evaluation Report - Use cases

the intended purpose;

11.4.5.1.b

Evaluation Report - Use cases

the inputs and expected outputs; and

11.4.5.1.c

Evaluation Report - Use cases

the usage procedure, environmental and functional constraints, if applicable.

11.4.5.2

See sub items below

The intended usage of the software tool shall be analysed and evaluated to determine:

11.4.5.2.a

See sub items below

the possibility that a malfunction of a particular software tool can introduce or fail to detect errors in a safety-related item or element being developed. This is expressed by the classes of Tool Impact (TI):

11.4.5.2.a.1

Evaluation Report - Tool analysis

TI1 shall be selected when there is an argument that there is no such possibility;

11.4.5.2.a.2

Evaluation Report - Tool analysis

TI2 shall be selected in all other cases;

11.4.5.2.b

See sub items below

the confidence in measures that prevent the software tool from malfunctioning and producing corresponding erroneous output, or in measures that detect that the software tool has malfunctioned and has produced corresponding erroneous output. This is expressed by the classes of Tool error Detection (TD):

11.4.5.2.b.1

Evaluation Report - Tool analysis

TD1 shall be selected if there is a high degree of confidence that a malfunction and its corresponding erroneous output will be prevented or detected

11.4.5.2.b.2

Evaluation Report - Tool analysis

TD2 shall be selected if there is a medium degree of confidence that a malfunction and its corresponding erroneous output will be prevented or detected;

11.4.5.2.b.3

Evaluation Report - Tool analysis

TD3 shall be selected in all other cases.

11.4.5.3

Evaluation Report - Tool analysis

If the correct selection of TI or TD is unclear or doubtful, TI and TD should be estimated conservatively.

11.4.5.4

Evaluation Report - Tool analysis

Based on the values determined for the classes of TI and TD (in accordance with 11.4.5.2 or 11.4.5.3), the required software Tool Confidence Level shall be determined according to Table 3.

11.4.6.1

Evaluation Report - Qualification method

For the qualification of software tools classified at TCL3, the methods listed in Table 4 shall be applied. For the qualification of software tools classified at TCL2, the methods listed in Table 5 shall be applied. A software tool classified at TCL1 needs no qualification methods.

11.4.6.2

See sub items below

The qualification of the software tool shall be documented including the following:

11.4.6.2.a

Safety Manual - Environment

the unique identification and version number of the software tool;

11.4.6.2.b

Qualification Report - Acceptability statement

the maximum Tool Confidence Level for which the software tool is classified together with a reference to its evaluation analysis;

11.4.6.2.c

Qualification Report - Acceptability Statement

for the considered use cases the pre-determined maximum ASIL, or specific ASIL, of any safety requirement which might directly be violated if the software tool is malfunctioning and produces corresponding erroneous output;

11.4.6.2.d

Safety Manual - Environment

the configuration and environment for which the software tool is qualified;

11.4.6.2.e

Qualification Plan - Ferrocene organization

the person or organization who carried out the qualification;

11.4.6.2.f

Evaluation Report - Qualification method

the methods applied for its qualification in accordance with 11.4.6.1;

11.4.6.2.g

Qualification Report - Test results

the results of the measures applied to qualify the software tool; and

11.4.6.2.h

Qualification Report - Test results

the usage constraints and malfunctions identified during the qualification, if applicable.

11.4.7

N/A

Increased confidence from use

11.4.8.1

Evaluation Report - Qualification method

If the method “Evaluation of the tool development process” in accordance with Table 4 or Table 5 is applied for the qualification of a software tool, the qualification shall comply with the requirements of this sub-clause.

11.4.8.2

Qualification Plan - Development process

The development process applied for the development of the software tool shall comply with an appropriate standard.

11.4.8.3

Qualification Plan - Development process

The evaluation of the development process applied for the development of the software tool shall be based on an appropriate national or international standard and provide evidence that a suitable software development process has been applied.

11.4.9

Qualification Plan - Validation process

Validation of the software tool

11.4.9.1

See items 11.4.9.2 below

If the method “Validation of the software tool” according to Table 4 or Table 5 is applied for the qualification of a software tool, the qualification shall comply with requirements of this sub-clause.

11.4.9.2

See sub items below

The validation of the software tool shall meet the following criteria:

11.4.9.2.a

Qualification Plan - Validation process

the validation measures shall provide evidence that the software tool complies with specified requirements to its purpose as specified in the classification;

11.4.9.2.b

Qualification Report - Test results

the malfunctions and their corresponding erroneous outputs of the software tool occurring during validation shall be analysed together with information on their possible consequences and with measures to avoid or detect them; and

11.4.9.2.c

Safety Manual - Degraded environment

the reaction of the software tool to anomalous operating conditions shall be examined;