
IEC Certification Kit

Embedded Coder ISO 26262


Tool Qualification Package
R2015b

How to Contact MathWorks


Latest news:

www.mathworks.com

Sales and services:

www.mathworks.com/sales_and_services

User community:

www.mathworks.com/matlabcentral

Technical support:

www.mathworks.com/support/contact_us

Phone:

508-647-7000 (Phone)

The MathWorks, Inc.


3 Apple Hill Drive
Natick, MA 01760-2098
For contact information about worldwide offices, see the MathWorks Web site.

IEC Certification Kit: Embedded Coder ISO 26262 Tool Qualification Package

COPYRIGHT 2009–2015 by The MathWorks, Inc.


The software described in this document is furnished under a license agreement. The software may be used or copied only under
the terms of the license agreement. No part of this manual may be photocopied or reproduced in any form without prior written
consent from The MathWorks, Inc.
FEDERAL ACQUISITION: This provision applies to all acquisitions of the Program and Documentation by, for, or through the
federal government of the United States. By accepting delivery of the Program or Documentation, the government hereby agrees
that this software or documentation qualifies as commercial computer software or commercial computer software documentation
as such terms are used or defined in FAR 12.212, DFARS Part 227.72, and DFARS 252.227-7014. Accordingly, the terms and
conditions of this Agreement and only those rights specified in this Agreement, shall pertain to and govern the use, modification,
reproduction, release, performance, display, and disclosure of the Program and Documentation by the federal government (or
other entity acquiring for or through the federal government) and shall supersede any conflicting contractual terms or conditions.
If this License fails to meet the government's needs or is inconsistent in any respect with federal procurement law, the
government agrees to return the Program and Documentation, unused, to The MathWorks, Inc.
Trademarks
MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See www.mathworks.com/trademarks for a list of
additional trademarks. Other product or brand names may be trademarks or registered trademarks of their respective holders.
Patents
MathWorks products are protected by one or more U.S. patents. Please see www.mathworks.com/patents for more information.

Revision History
September 2009    New for Version 1.1 (Applies to Release 2009b)
March 2010        Revised for Version 1.2 (Applies to Release 2010a)
April 2010        Revised for Version 1.3 (Applies to Release 2009bSP1)
September 2010    Revised for Version 1.3 (Applies to Release 2010b)
March 2011        Revised for Version 1.4 (Applies to Release 2010bSP1)
April 2011        Revised for Version 1.4 (Applies to Release 2011a);
                  renamed to Embedded Coder ISO 26262 Tool Qualification Package
September 2011    Revised for Version 2.0 (Applies to Release 2011b)
March 2012        Revised for Version 2.1 (Applies to Release 2012a)
September 2012    Revised for Version 3.0 (Applies to Release 2012b)
March 2013        Revised for Version 3.1 (Applies to Release 2013a)
September 2013    Revised for Version 3.2 (Applies to Release 2013b)
March 2014        Revised for Version 3.3 (Applies to Release 2014a)
October 2014      Revised for Version 3.4 (Applies to Release 2014b)
March 2015        Revised for Version 3.5 (Applies to Release 2015a)
September 2015    Revised for IEC Certification Kit Version 3.6 (Applies to Release 2015b)

Contents
1 Introduction
    1.1 Application Identification
    1.2 Tool Overview and Identification
    1.3 Tool Qualification Artifacts Summary
2 Software Tool Criteria Evaluation Report
    2.1 Tool Environment
    2.2 Tool Configuration
    2.3 Reference Workflow
    2.4 Tool Use Cases
        [ECoder_UC1] Generating C Code for the Model Used for Production Code Generation
        [ECoder_UC2] Generating C Code and Files for AUTOSAR Application Software Components for the Model Used for Production Code Generation
        [ECoder_UC3] Generating C++ Code for the Model Used for Production Code Generation
    2.5 Generic Tool Classification
    2.6 Detection of Malfunctions or Erroneous Output
    2.7 Tool Classification Summary
        Tool Impact TI
        Tool Error Detection TD
        Required Tool Confidence Level TCL
3 Software Tool Qualification Report
    3.1 Requirement for Tool Qualification
    3.2 Tool Qualification Documentation
4 Confirmation Review of Tool Classification and Qualification
    4.1 Requirement for Confirmation Review
    4.2 Validity of Generic Tool Classification
    4.3 Validity of Generic Tool Qualification
    4.4 Conformance with Reference Workflow


1 Introduction
This document constitutes the ISO 26262 Tool Qualification Package for the Embedded
Coder product. This document is intended for use in the ISO 26262 tool classification and
qualification process for software tools. It contains templates for the ISO 26262 tool
qualification work products (see ISO 26262-8, Clause 11).
The applicant shall review this template for applicability to the application under consideration,
and tailor and complete the information.
See also:
- IEC Certification Kit: User's Guide, R2015b
- ISO 26262-8, Clause 11

ISO 26262-8, Clause 11 provides provisions for software tools that are used to tailor activities or
tasks required by ISO 26262. The standard outlines a two-step approach to establish the
required confidence in the tools:
- Tool classification determines the required level of confidence in the software tool.
- Depending on the result of the tool classification, you might need to carry out a formal
  tool qualification.
The following work products need to be created when applying this approach to a software tool
(see ISO 26262-8, 11.5):

- A software tool criteria evaluation report documenting the tool classification.
- A software tool qualification report documenting the tool qualification, if required.

Note: The applicant needs to review this template for applicability to the project under
consideration and insert missing information.

1.1 Application Identification


Applicant:

<Insert information>

Application under consideration:

<List application under consideration>


1.2 Tool Overview and Identification


Embedded Coder is a code generator that transforms executable graphical models into C or C++
code. The input languages comprise Simulink, Fixed-Point Designer, and Stateflow.
Embedded Coder is an extension of Simulink Coder that generates C or C++ code for
embedded, discrete-time systems. [1]
Embedded Coder also supports the generation of C code and files for AUTOSAR application
software components. Additional support is provided by the optional Embedded Coder Support
Package for AUTOSAR Standard.

Software Tool                                          Version (Release)
Embedded Coder                                         Version 6.9 (R2015b)
Embedded Coder Support Package for AUTOSAR Standard    Version 15.2.0 (R2015b)
IEC Certification Kit                                  Version 3.6 (R2015b)

Tool Vendor: The MathWorks, Inc., 3 Apple Hill Drive, Natick, MA, 01760-2098, USA

[1] All products require MATLAB as the underlying base software. Simulink Coder requires MATLAB Coder.


1.3 Tool Qualification Artifacts Summary


The following table lists:

- Prerequisites (see ISO 26262-8, 11.3.1)
- Supporting information (see ISO 26262-8, 11.3.2)
- Tool qualification work products (see ISO 26262-8, 11.5)

for the Embedded Coder product. The table also maps these tool qualification artifacts to
sections in this document and artifacts found elsewhere.
Tool Certification Artifact: Corresponding Documents / Artifacts

Safety plan:
    <Insert document title, version, and filename / link>

Applicable prerequisites of the lifecycle phases where software tool is used:
    <Insert software lifecycle phase(s)>
    <Insert prerequisite(s)>

Predetermined maximum ASIL:
    <Insert ASIL>

Software tool documentation:
    Embedded Coder Getting Started Guide, R2015b, ecoder_gs.pdf
    Embedded Coder User's Guide, R2015b, ecoder_ug.pdf
    Embedded Coder AUTOSAR, R2015b, ecoder_autosar.pdf
    Embedded Coder Reference, R2015b, ecoder_ref.pdf
    Embedded Coder Release Notes, R2015b, rn.pdf

Environment and constraints of the software tool:
    MathWorks bug report system at www.mathworks.com/support/bugreports/
    <Insert information>

Software tool criteria evaluation report:
    Customized and completed section Software Tool Criteria Evaluation Report in the
    Embedded Coder ISO 26262 Tool Qualification Package (this document), certkitiec_ecoder_tqp.docx
    Embedded Coder Reference Workflow, R2015b, certkitiec_ecoder_workflow.pdf
    Certificate Z10 11 12 67052 014, December 2011, certkitiec_ecoder_certificate.pdf
    Report to the Certificate Z10 11 12 67052 014, May 2015, certkitiec_ecoder_certreport.pdf

Software tool qualification report:
    Customized and completed Software Tool Qualification Report in the
    Embedded Coder ISO 26262 Tool Qualification Package (this document), certkitiec_ecoder_tqp.docx
    Customized and completed Embedded Coder Conformance Demonstration Template, certkitiec_ecoder_cdt.docx
    Certificate Z10 11 12 67052 014, December 2011, certkitiec_ecoder_certificate.pdf
    Report to the Certificate Z10 11 12 67052 014, May 2015, certkitiec_ecoder_certreport.pdf

Confirmation review of qualification of a software tool:
    Customized and completed Confirmation Review of Tool Classification and Qualification in the
    Embedded Coder ISO 26262 Tool Qualification Package (this document), certkitiec_ecoder_tqp.docx


2 Software Tool Criteria Evaluation Report

2.1 Tool Environment


It is assumed that Embedded Coder will be used in the following environment (see ISO 26262-8,
11.4.4.1d):
<Insert operating system and other pertinent environment information>


2.2 Tool Configuration


It is assumed that Embedded Coder will be used in the following tool configuration when
generating code (see ISO 26262-8, 11.4.4.1b):
Configuration Parameter: Setting

Code Generation pane
    System target file: <Insert .tlc file name of the ERT-based or AUTOSAR system target file>
    Language: <Insert application-specific settings>
    <Insert relevant configuration parameter names>: <Insert application-specific setting>

Optimization pane
    <Insert relevant configuration parameter names>: <Insert application-specific setting>

Hardware Implementation pane
    <Insert relevant configuration parameter names>: <Insert application-specific setting>


2.3 Reference Workflow


It is assumed that Embedded Coder will be used as described in the reference workflow
documented in Embedded Coder Reference Workflow.
To access the reference workflow document, on the MATLAB command line, type
certkitiec. The reference workflow document is in Embedded Coder.


2.4 Tool Use Cases


It is assumed that Embedded Coder will be used as described by the following use cases (see
ISO 26262-8, 11.4.4.1c). Additional information about the assumed usage of Embedded Coder
can be found in the reference workflow document Embedded Coder Reference Workflow.

[ECoder_UC1] Generating C Code for the Model Used for Production Code Generation
Embedded Coder code generator will be used to transform an executable graphical model
(model used for production code generation) into production C code for application software
components.

[ECoder_UC2] Generating C Code and Files for AUTOSAR Application Software Components for the Model Used for Production Code Generation
Embedded Coder code generator will be used to transform an executable graphical model
(model used for production code generation) into production C code and files for AUTOSAR
application software components.
The optional Embedded Coder Support Package for AUTOSAR Standard will be used to create
an AUTOSAR configuration for a model, model AUTOSAR elements, and generate ARXML
and AUTOSAR-compatible C code from a model.

[ECoder_UC3] Generating C++ Code for the Model Used for Production Code Generation
Embedded Coder code generator will be used to transform an executable graphical model
(model used for production code generation) into production C++ code for application software
components.
The input languages to the code generator comprise Simulink, Fixed-Point Designer, and
Stateflow. The C or C++ source code generated by the code generator is transformed by the
compiler/linker tool chain into executable object code.


2.5 Generic Tool Classification


The tool classification for Embedded Coder was performed in a generic manner, independently
from the development of a particular safety-related item or element.
For the generic tool classification, the reference use cases listed in the section Tool Use Cases
have been taken into account.


2.6 Detection of Malfunctions or Erroneous Output


To mitigate potential malfunctions or erroneous outputs of the Embedded Coder product, the
applicant will carry out application-specific verification and validation measures (translation
validation) as defined in:
Embedded Coder Reference Workflow
Depending on the applicable tool confidence level, the entire translation validation workflow, or
a suitable subset, will be applied:

- For TCL1, the complete workflow
- For TCL2, a suitable subset of the workflow that ensures that a malfunction or an
  erroneous output of the code generator will be prevented or detected with at least a
  medium degree of confidence

For use case [ECoder_UC2], it is assumed that the generated AUTOSAR file will be validated
elsewhere, e.g., by the AUTOSAR development environment that consumes the file (applies to
TCL1 and TCL2).


2.7 Tool Classification Summary


Tool Impact TI
There is a possibility that a safety requirement can be violated if the Embedded Coder product is
malfunctioning or producing erroneous output. Therefore, the tool impact (TI) for the code
generator is TI2 (conservative estimate).

Tool Error Detection TD


The tool error detection (TD) depends on the translation validation workflow that is being used.
According to the Report to the Certificate Z10 11 12 67052 014, carrying out the translation
validation workflow documented in Embedded Coder Reference Workflow provides a high
degree of confidence that a malfunction or an erroneous output of the code generator will be
prevented or detected. Provided that the translation validation workflow is followed, the tool
error detection for the code generation tools is TD1.
According to the Report to the Certificate Z10 11 12 67052 014, carrying out a suitable subset of
the translation validation workflow documented in Embedded Coder Reference Workflow
provides a medium degree of confidence that a malfunction or an erroneous output of the code
generator will be prevented or detected. In this case, the tool error detection for the code
generation tools is TD2.

Required Tool Confidence Level TCL


Based on the determined values for TI and TD:

- The required tool confidence level for the code generator is TCL1, provided that the
  reference workflow documented in Embedded Coder Reference Workflow is followed.
- The required tool confidence level for the code generator is TCL2, provided that a
  suitable subset of the reference workflow documented in Embedded Coder Reference
  Workflow is followed.

TÜV SÜD reviewed the generic tool classification and confirmed the results in Report to the
Certificate Z10 11 12 67052 014.


3 Software Tool Qualification Report

3.1 Requirement for Tool Qualification


If TCL1 is claimed for the Embedded Coder product, additional tool qualification methods are
not necessary according to ISO 26262-8, clause 11.4.6.1. The applied tool qualification methods
listed below are voluntary and provide additional confidence.
If TCL2 is claimed for the Embedded Coder product, additional tool qualification methods
appropriate for the predetermined maximum ASIL for the application under consideration are
necessary according to ISO 26262-8, clause 11.4.6.1. Permissible tool qualification methods for
TCL2 are listed in ISO 26262-8 table 5.


3.2 Tool Qualification Documentation


MathWorks carried out an application-independent prequalification of the Embedded Coder
product.
TÜV SÜD reviewed the generic tool qualification artifacts for Embedded Coder and confirmed
the results in Report to the Certificate Z10 11 12 67052 014.
The Embedded Coder product is prequalified for all ASILs according to ISO 26262-8 (for TCL1
and TCL2).
The Embedded Coder product was prequalified using a combination of the following methods:

- Evaluation of the tool development process (ISO 26262-8, Table 5, Method 1b).
- Validation of the software tool (ISO 26262-8, Table 5, Method 1c).

According to ISO 26262-8, table 5, these two methods are permissible for all ASILs. Method 1b
is highly recommended for ASILs A, B, and C. Method 1c is highly recommended for ASIL D.
Tool qualification for the Embedded Coder product can be claimed for TCL1 and TCL2 by
referencing the certification report and corresponding certificate.


4 Confirmation Review of Tool Classification and Qualification

4.1 Requirement for Confirmation Review


The tool classification (see "Software Tool Criteria Evaluation Report") was carried out
independently from the development of the application under consideration. Therefore, the
resulting, predetermined tool confidence level shall be confirmed by the applicant prior to
Embedded Coder being used for the development of a particular safety-related item or element
for the application under consideration (see ISO 26262-8, 11.4.2, 11.4.10).
If TCL2 is confirmed, the prequalification shall be confirmed prior to Embedded Coder being
used for the development of a particular safety-related item or element for the application under
consideration. The confirmation is required, because the prequalification was carried out
independently from the development of the application under consideration.
If TCL1 is confirmed, tool qualification and hence confirmation of the tool qualification are not
required.
The generic tool classification is based on the assumption that Embedded Coder is being used as
described in the reference workflow documented in Embedded Coder Reference Workflow.
Therefore, conformance with the entire reference workflow (for TCL1) or the suitable subset
(for TCL2) in the application under consideration shall be confirmed by the applicant.
Note: The applicant needs to document the applicable Tool Confidence Level (TCL1 or
TCL2) claimed for the application under consideration and the translation validation workflow
followed. The selected TCL influences the required rigor of the translation validation process.
Therefore, the applicant needs to document the actual translation validation workflow used for
the application under consideration.


4.2 Validity of Generic Tool Classification


Applicable Tool Confidence Level: <Select TCL1 or TCL2>
<Insert results of confirmation review or reference to confirmation review documentation>


4.3 Validity of Generic Tool Qualification


Applicable Tool Confidence Level: <Select TCL1 or TCL2>
<Insert results of confirmation review or reference to confirmation review documentation in
case of TCL2>


4.4 Conformance with Reference Workflow


Applicable Tool Confidence Level: <Select TCL1 or TCL2>
<Insert reference to customized and completed Conformance Demonstration Template>
