
IEC Certification Kit Embedded Coder™ ISO 26262 Tool Qualification Package

R2015b

How to Contact MathWorks

Phone: 508-647-7000

The MathWorks, Inc.
3 Apple Hill Drive
Natick, MA 01760-2098

For contact information about worldwide offices, see the MathWorks Web site.

IEC Certification Kit: Embedded Coder™ ISO 26262 Tool Qualification Package

© COPYRIGHT 2009-2015 by The MathWorks, Inc.

The software described in this document is furnished under a license agreement. The software may be used or copied only under the terms of the license agreement. No part of this manual may be photocopied or reproduced in any form without prior written consent from The MathWorks, Inc.

FEDERAL ACQUISITION: This provision applies to all acquisitions of the Program and Documentation by, for, or through the federal government of the United States. By accepting delivery of the Program or Documentation, the government hereby agrees that this software or documentation qualifies as commercial computer software or commercial computer software documentation as such terms are used or defined in FAR 12.212, DFARS Part 227.72, and DFARS 252.227-7014. Accordingly, the terms and conditions of this Agreement and only those rights specified in this Agreement, shall pertain to and govern the use, modification, reproduction, release, performance, display, and disclosure of the Program and Documentation by the federal government (or other entity acquiring for or through the federal government) and shall supersede any conflicting contractual terms or conditions. If this License fails to meet the government’s needs or is inconsistent in any respect with federal procurement law, the government agrees to return the Program and Documentation, unused, to The MathWorks, Inc.

Trademarks

MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See www.mathworks.com/trademarks for a list of additional trademarks. Other product or brand names may be trademarks or registered trademarks of their respective holders.

Patents

MathWorks products are protected by one or more U.S. patents. Please see www.mathworks.com/patents for more information.

Revision History

September 2009   New for Version 1.1 (Applies to Release 2009b)
March 2010       Revised for Version 1.2 (Applies to Release 2010a)
April 2010       Revised for Version 1.3 (Applies to Release 2009bSP1)
September 2010   Revised for Version 1.3 (Applies to Release 2010b)
March 2011       Revised for Version 1.4 (Applies to Release 2010bSP1)
April 2011       Revised for Version 1.4 (Applies to Release 2011a); renamed to Embedded Coder™ ISO 26262 Tool Qualification Package
September 2011   Revised for Version 2.0 (Applies to Release 2011b)
March 2012       Revised for Version 2.1 (Applies to Release 2012a)
September 2012   Revised for Version 3.0 (Applies to Release 2012b)
March 2013       Revised for Version 3.1 (Applies to Release 2013a)
September 2013   Revised for Version 3.2 (Applies to Release 2013b)
March 2014       Revised for Version 3.3 (Applies to Release 2014a)
October 2014     Revised for Version 3.4 (Applies to Release 2014b)
March 2015       Revised for Version 3.5 (Applies to Release 2015a)
September 2015   Revised for IEC Certification Kit Version 3.6 (Applies to Release 2015b)

Contents

1 Introduction  1-1
1.1 Application Identification  1-2
1.2 Tool Overview and Identification  1-3
1.3 Tool Qualification Artifacts Summary  1-4

2 Software Tool Criteria Evaluation Report  2-1
2.1 Tool Environment  2-2
2.2 Tool Configuration  2-3
2.3 Reference Workflow  2-4
2.4 Tool Use Cases  2-5
    [ECoder_UC1] Generating C Code for the Model Used for Production Code Generation  2-5
    [ECoder_UC2] Generating C Code and Files for AUTOSAR Application Software Components for the Model Used for Production Code Generation  2-5
    [ECoder_UC3] Generating C++ Code for the Model Used for Production Code Generation  2-5
2.5 Generic Tool Classification  2-6
2.6 Detection of Malfunctions or Erroneous Output  2-7
2.7 Tool Classification Summary  2-8
    Tool Impact TI  2-8
    Tool Error Detection TD  2-8
    Required Tool Confidence Level TCL  2-8

3 Software Tool Qualification Report  3-1
3.1 Requirement for Tool Qualification  3-2
3.2 Tool Qualification Documentation  3-3

4 Confirmation Review of Tool Classification and Qualification  4-1
4.1 Requirement for Confirmation Review  4-2
4.2 Validity of Generic Tool Classification  4-3
4.3 Validity of Generic Tool Qualification  4-4
4.4 Conformance with Reference Workflow  4-5

1 Introduction

This document constitutes the ISO 26262 Tool Qualification Package for the Embedded Coder™ product. This document is intended for use in the ISO 26262 tool classification and qualification process for software tools. It contains templates for the ISO 26262 tool qualification work products (see ISO 26262-8, Clause 11).

The applicant shall review this template for applicability to the application under consideration, and tailor and complete the information.

See also:

IEC Certification Kit: User’s Guide, R2015b

ISO 26262-8, Clause 11

ISO 26262-8, Clause 11 contains the provisions for software tools that are used to tailor activities or tasks required by ISO 26262. The standard outlines a two-step approach to establish the required confidence in the tools:

- Tool classification determines the required level of confidence in the software tool.

- Depending on the result of the tool classification, you might need to carry out a formal tool qualification.

The following work products need to be created when applying this approach to a software tool (see ISO 26262-8, 11.5):

- A software tool criteria evaluation report documenting the tool classification.

- A software tool qualification report documenting the tool qualification, if required.

Note

The applicant needs to review this template for applicability to the project under consideration and insert missing information.

1.1 Application Identification

Applicant:

<Insert information>

Application under consideration:

<List application under consideration>

1.2 Tool Overview and Identification

Embedded Coder is a code generator that transforms executable graphical models into C or C++ code. The input languages comprise Simulink®, Fixed-Point Designer™, and Stateflow®. Embedded Coder is an extension of Simulink Coder™ that generates C or C++ code for embedded, discrete-time systems. [1]

Embedded Coder also supports the generation of C code and files for AUTOSAR application software components. Additional support is provided by the optional Embedded Coder Support Package for AUTOSAR Standard.

Software Tool | Version (Release) | Tool Vendor
Embedded Coder | Version 6.9 (R2015b) | The MathWorks, Inc., 3 Apple Hill Drive, Natick, MA 01760-2098, USA
Embedded Coder Support Package for AUTOSAR Standard | Version 15.2.0 (R2015b) | The MathWorks, Inc.
IEC Certification Kit | Version 3.6 (R2015b) | The MathWorks, Inc.

[1] All products require MATLAB® as the underlying base software. Simulink® Coder™ requires MATLAB® Coder™.

1.3 Tool Qualification Artifacts Summary

The following table lists:

- Prerequisites (see ISO 26262-8, 11.3.1)

- Supporting information (see ISO 26262-8, 11.3.2)

- Tool qualification work products (see ISO 26262-8, 11.5)

for the Embedded Coder product. The table also maps these tool qualification artifacts to sections in this document and artifacts found elsewhere.

Tool Certification Artifact | Corresponding Documents / Artifacts

Safety plan
  <Insert document title, version, and filename / link>

Applicable prerequisites of the lifecycle phases where software tool is used
  <Insert software lifecycle phase(s)>
  <Insert prerequisite(s)>

Predetermined maximum ASIL
  <Insert ASIL>

Software tool documentation
  Embedded Coder Getting Started Guide, R2015b, ecoder_gs.pdf
  Embedded Coder User’s Guide, R2015b, ecoder_ug.pdf
  Embedded Coder AUTOSAR, R2015b, ecoder_autosar.pdf
  Embedded Coder Reference, R2015b, ecoder_ref.pdf
  Embedded Coder Release Notes, R2015b, rn.pdf

Environment and constraints of the software tool
  MathWorks® bug report system at www.mathworks.com/support/bugreports/
  <Insert information>

Software tool criteria evaluation report
  Customized and completed section "Software Tool Criteria Evaluation Report" in the Embedded Coder ISO 26262 Tool Qualification Package (this document), certkitiec_ecoder_tqp.docx
  Embedded Coder Reference Workflow, R2015b, certkitiec_ecoder_workflow.pdf
  Certificate Z10 11 12 67052 014, December 2011, certkitiec_ecoder_certificate.pdf
  Report to the Certificate Z10 11 12 67052 014, May 2015, certkitiec_ecoder_certreport.pdf

Software tool qualification report
  Customized and completed "Software Tool Qualification Report" in the Embedded Coder ISO 26262 Tool Qualification Package (this document), certkitiec_ecoder_tqp.docx
  Customized and completed Embedded Coder Conformance Demonstration Template, certkitiec_ecoder_cdt.docx
  Certificate Z10 11 12 67052 014, December 2011, certkitiec_ecoder_certificate.pdf
  Report to the Certificate Z10 11 12 67052 014, May 2015, certkitiec_ecoder_certreport.pdf

Confirmation review of qualification of a software tool
  Customized and completed "Confirmation Review of Tool Classification and Qualification" in the Embedded Coder ISO 26262 Tool Qualification Package (this document), certkitiec_ecoder_tqp.docx

2 Software Tool Criteria Evaluation Report

2.1 Tool Environment

It is assumed that Embedded Coder will be used in the following environment (see ISO 26262-8, 11.4.4.1d):

<Insert operating system and other pertinent environment information>

2.2 Tool Configuration

It is assumed that Embedded Coder will be used in the following tool configuration when generating code (see ISO 26262-8, 11.4.4.1b):

Configuration Parameter | Setting

Code Generation pane
  System target file | <Insert .tlc file name of the ERT-based or AUTOSAR system target file>
  Language | <Insert application-specific settings>
  <Insert relevant configuration parameter names> | <Insert application-specific setting>

Optimization pane
  <Insert relevant configuration parameter names> | <Insert application-specific setting>

Hardware Implementation pane
  <Insert relevant configuration parameter names> | <Insert application-specific setting>
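The generic classification only holds for a model that actually uses the configuration documented in this table, so a practitioner will want to verify that before claiming it. The following MATLAB function is an added example, not part of the IEC Certification Kit or its templates: it compares a model's active configuration set against the documented settings. SystemTargetFile and TargetLang are standard Simulink configuration parameter names; the function name, the expected-value struct and the sample values are constructed assumptions.

```matlab
function report = check_assumed_tool_configuration(modelName, expected)
%CHECK_ASSUMED_TOOL_CONFIGURATION Compare a model's active configuration
% set with the tool configuration documented in Section 2.2 (added
% example; not MathWorks code).
%
% expected: struct whose field names are Simulink configuration parameter
% names and whose values are the settings assumed for qualification.
% Constructed sample values (fill in from the completed table):
%   expected.SystemTargetFile = 'ert.tlc';   % ERT-based or AUTOSAR .tlc
%   expected.TargetLang       = 'C';         % 'C' or 'C++'
% Further Optimization / Hardware Implementation parameters can be added
% as extra fields; each must match exactly.

    load_system(modelName);
    cs = getActiveConfigSet(modelName);

    names  = fieldnames(expected);
    report = struct('Parameter', {}, 'Expected', {}, 'Actual', {}, 'Match', {});
    for k = 1:numel(names)
        p    = names{k};
        want = expected.(p);
        have = get_param(cs, p);
        if strcmp(p, 'SystemTargetFile')
            % Must be exactly the documented .tlc file, not just any target.
            ok = strcmp(have, want) && ~isempty(regexp(have, '\.tlc$', 'once'));
        else
            ok = isequal(have, want);
        end
        report(end+1) = struct('Parameter', p, 'Expected', want, ...
                               'Actual', have, 'Match', ok); %#ok<AGROW>
    end

    % Print a record that can be pasted into the Tool Configuration table
    % and referenced from the Conformance Demonstration Template.
    fprintf('%-26s %-24s %-24s %s\n', 'Parameter', 'Expected', 'Actual', 'Match');
    for k = 1:numel(report)
        r = report(k);
        fprintf('%-26s %-24s %-24s %d\n', r.Parameter, asText(r.Expected), ...
                asText(r.Actual), r.Match);
    end

    % Any deviation invalidates the assumption behind the generic
    % classification and has to be resolved or documented.
    if ~all([report.Match])
        warning('%s: configuration deviates from the assumed tool configuration.', ...
                modelName);
    end
end

function s = asText(v)
    % Render char or numeric/logical values for the printed record.
    if ischar(v)
        s = v;
    else
        s = mat2str(v);
    end
end
```

Call it as check_assumed_tool_configuration('myModel', expected) with the struct filled from the completed Tool Configuration table; the returned struct array is the evidence to attach to Section 4.4.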

2.3 Reference Workflow

It is assumed that Embedded Coder will be used as described in the reference workflow documented in Embedded Coder Reference Workflow.

To access the reference workflow document, on the MATLAB command line, type certkitiec. The reference workflow document is listed under Embedded Coder.

2.4 Tool Use Cases

It is assumed that Embedded Coder will be used as described by the following use cases (see ISO 26262-8, 11.4.4.1c). Additional information about the assumed usage of Embedded Coder can be found in the reference workflow document Embedded Coder Reference Workflow.

[ECoder_UC1] Generating C Code for the Model Used for Production Code Generation

Embedded Coder code generator will be used to transform an executable graphical model (model used for production code generation) into production C code for application software components.

[ECoder_UC2] Generating C Code and Files for AUTOSAR Application Software Components for the Model Used for Production Code Generation

Embedded Coder code generator will be used to transform an executable graphical model (model used for production code generation) into production C code and files for AUTOSAR application software components.

The optional Embedded Coder Support Package for AUTOSAR Standard will be used to create an AUTOSAR configuration for a model, model AUTOSAR elements, and generate ARXML and AUTOSAR-compatible C code from a model.

[ECoder_UC3] Generating C++ Code for the Model Used for Production Code Generation

Embedded Coder code generator will be used to transform an executable graphical model (model used for production code generation) into production C++ code for application software components.

The input languages to the code generator comprise Simulink, Fixed-Point Designer, and Stateflow. The C or C++ source code generated by the code generator is transformed by the compiler/linker tool chain into executable object code.

2.5 Generic Tool Classification

The tool classification for Embedded Coder was performed in a generic manner, independently from the development of a particular safety-related item or element.

For the generic tool classification, the reference use cases listed in the section Tool Use Cases have been taken into account.

2.6 Detection of Malfunctions or Erroneous Output

To mitigate potential malfunctions or erroneous outputs of the Embedded Coder product, the applicant will carry out application-specific verification and validation measures (translation validation) as defined in:

Embedded Coder Reference Workflow

Depending on the applicable tool confidence level, the entire translation validation workflow, or a suitable subset, will be applied:

- For TCL1, the complete workflow

- For TCL2, a suitable subset of the workflow that ensures that a malfunction or an erroneous output of the code generator will be prevented or detected with at least a medium degree of confidence

For use case [ECoder_UC2], it is assumed that the generated AUTOSAR file will be validated elsewhere, e.g., by the AUTOSAR development environment that consumes the file (applies to TCL1 and TCL2).

2.7 Tool Classification Summary

Tool Impact TI

There is a possibility that a safety requirement can be violated if the Embedded Coder product is malfunctioning or producing erroneous output. Therefore, the tool impact (TI) for the code generator is TI2 (conservative estimate).

Tool Error Detection TD

The tool error detection (TD) depends on the translation validation workflow that is being used.

According to the Report to the Certificate Z10 11 12 67052 014, carrying out the translation validation workflow documented in Embedded Coder Reference Workflow provides a high degree of confidence that a malfunction or an erroneous output of the code generator will be prevented or detected. Provided that the translation validation workflow is followed, the tool error detection for the code generation tools is TD1.

According to the Report to the Certificate Z10 11 12 67052 014, carrying out a suitable subset of the translation validation workflow documented in Embedded Coder Reference Workflow provides a medium degree of confidence that a malfunction or an erroneous output of the code generator will be prevented or detected. In this case, the tool error detection for the code generation tools is TD2.

Required Tool Confidence Level TCL

Based on the determined values for TI and TD:

The required tool confidence level for the code generator is TCL1, provided that the reference workflow documented in Embedded Coder Reference Workflow is followed.

The required tool confidence level for the code generator is TCL2, provided that a suitable subset of the reference workflow documented in Embedded Coder Reference Workflow is followed.

TÜV SÜD reviewed the generic tool classification and confirmed the results in Report to the Certificate Z10 11 12 67052 014.

3 Software Tool Qualification Report

3.1 Requirement for Tool Qualification

If TCL1 is claimed for the Embedded Coder product, additional tool qualification methods are not necessary according to ISO 26262-8, clause 11.4.6.1. The applied tool qualification methods listed below are voluntary and provide additional confidence.

If TCL2 is claimed for the Embedded Coder product, additional tool qualification methods appropriate for the predetermined maximum ASIL for the application under consideration are necessary according to ISO 26262-8, clause 11.4.6.1. Permissible tool qualification methods for TCL2 are listed in ISO 26262-8 table 5.

3.2 Tool Qualification Documentation

MathWorks carried out an application-independent prequalification of the Embedded Coder product.

TÜV SÜD reviewed the generic tool qualification artifacts for Embedded Coder and confirmed the results in Report to the Certificate Z10 11 12 67052 014.

The Embedded Coder product is prequalified for all ASILs according to ISO 26262-8 (for TCL1 and TCL2).

The Embedded Coder product was prequalified using a combination of the following methods:

- Evaluation of the tool development process (ISO 26262-8, Table 5, Method 1b).

- Validation of the software tool (ISO 26262-8, Table 5, Method 1c).

According to ISO 26262-8, table 5, these two methods are permissible for all ASILs. Method 1b is highly recommended for ASILs A, B, and C. Method 1c is highly recommended for ASIL D.

Tool qualification for the Embedded Coder product can be claimed for TCL1 and TCL2 by referencing the certification report and corresponding certificate.

4 Confirmation Review of Tool Classification and Qualification

4.1 Requirement for Confirmation Review

The tool classification (see "Software Tool Criteria Evaluation Report") was carried out independently from the development of the application under consideration. Therefore, the resulting, predetermined tool confidence level shall be confirmed by the applicant prior to Embedded Coder being used for the development of a particular safety-related item or element for the application under consideration (see ISO 26262-8, 11.4.2, 11.4.10).

If TCL2 is confirmed, the prequalification shall be confirmed prior to Embedded Coder being used for the development of a particular safety-related item or element for the application under consideration. The confirmation is required, because the prequalification was carried out independently from the development of the application under consideration.

If TCL1 is confirmed, tool qualification and hence confirmation of the tool qualification are not required.

The generic tool classification is based on the assumption that Embedded Coder is being used as described in the reference workflow documented in Embedded Coder Reference Workflow. Therefore, conformance with the entire reference workflow (for TCL1) or the suitable subset (for TCL2) in the application under consideration shall be confirmed by the applicant.

Note

The applicant needs to document the applicable Tool Confidence Level (TCL1 or TCL2) claimed for the application under consideration and the translation validation workflow followed. The selected TCL influences the required rigor of the translation validation process.

Therefore, the applicant needs to document the actual translation validation workflow used for the application under consideration.

4.2 Validity of Generic Tool Classification

Applicable Tool Confidence Level: <Select TCL1 or TCL2>

<Insert results of confirmation review or reference to confirmation review documentation>

4.3 Validity of Generic Tool Qualification

Applicable Tool Confidence Level: <Select TCL1 or TCL2>

<Insert results of confirmation review or reference to confirmation review documentation in case of TCL2>

4.4 Conformance with Reference Workflow

Applicable Tool Confidence Level: <Select TCL1 or TCL2>

<Insert reference to customized and completed Conformance Demonstration Template>