TL;DR Tools used in developing safety related automotive systems do not receive an ASIL. Some tools, and the way they are used, may not be suitable for the development of automotive safety electronics, and this depends on the ASIL. When a tool vendor mentions an ASIL they might be indicating that they have checked their tool "can" be suitable for developing products of a certain ASIL. So a tool vendor that claims ASIL-D might be more correctly interpreted as stating that they have checked and made sure that the requirements that apply when developing ASIL-D products have been met, and that their tool can be configured and used in a way that meets these requirements. When a certification body refers to an ASIL (or SIL) in a tool certificate it should be clear that the qualification applies to the requirements for tools. Unless the tool itself has been developed in accordance with a safety standard, this should be clear from the qualification scope.

exida recently certified a software tool to ASIL D. This tool is commonly used in safety related software development projects. This prompted a polite inquiry about the validity of such a certification. The certificate includes the following statement of what has been qualified:

tool has met the relevant requirements for support tools of Automotive Safety Integrity Level (ASIL) D of ISO 26262-8 (Section 11)

The approach used to reach this conclusion is described in detail in the accompanying report. What follows is a summary of the key activities that were used to support the assessment conclusion and a checklist you can use when considering software tools in your projects.

Purpose and Scope clearly explains that the scope of the assessment is Part 8 of ISO 26262. Part 8, Supporting Processes, contains the requirements for Confidence in the use of software tools in section 14. No mention is made that the scope includes any other sections of ISO 26262, including Part 6, Product development at the software level.

Tools and Methods makes note of the proprietary Safety Case tool containing the exida scheme used to check the relevant requirements, and that the assessment against these requirements was planned and updated during the assessment.

Project Management identifies the roles of the parties involved in the assessment. Three types of documentation arising from the assessment are identified:

  • Standards / literature used
  • Customer supplied documentation
  • Documentation developed by exida

Each document is identified including the relevant version to uniquely identify the document.

Assessment approach describes the target of the various audits that were performed as part of the assessment, including many systematic capability topics such as tool lifecycle, competency, change and configuration management, software architecture design, verification, and tool validation.

The particulars of the tool, the version and intended use are included in the Product Description section. This section also indicates the tool can be customized by the end user.

The longest section in the assessment describes the Details of Assessment. Over twelve areas were evaluated. The Intended Tool Usage and Tool Confidence Level (TCL) section indicates a “worst case” expected use of TCL2, based on an assessment of Tool Impact (TI) 2 and Tool error Detection (TD) 2. The methods used in qualifying the tool are specified in ISO 26262 Part 8 Table 5. In this case a combination of the methods Recommended and Highly Recommended for ASIL D has been used. The results of these methods are also summarized in this section.

Status of the document records the revision history and authors including the evaluating assessor and the independent certifying assessor.

In conclusion, a certificate for a tool has been issued that confirms the tool is suitable for use in the development of safety related electronics of all ASILs according to the requirements in ISO 26262 Part 8, at Tool Confidence Level 2, using a combination of the methods 1a Increased confidence from use, 1b Evaluation of the tool development process and 1c Validation of the software tool.

Checklist

What to check based on the origin of compliance claim:

| Subject of check                                   | Tool vendor claim | Product certification body certification |
|----------------------------------------------------|-------------------|------------------------------------------|
| Development process                                | X                 | X                                        |
| Test results proving good design process           | X                 | X                                        |
| Fault injection                                    | X                 | X                                        |
| Field failure study                                | X                 | X                                        |
| User documentation                                 | X                 | X                                        |
| TCL determination                                  | X                 | X                                        |
| Methods used for qualification                     | X                 | X                                        |
| Accreditation body identified                      |                   | X                                        |
| Logos of ISO/IEC 17065                             |                   | X                                        |
| Scheme                                             |                   | X                                        |
| Tougher technical requirements beyond the standards|                   | (X)                                      |
| Published failure rates                            |                   | X                                        |
| Surveillance audit                                 |                   | X                                        |
| Certificate on website                             | (X)               | X                                        |
| Assessment report on website                       | (X)               | X                                        |
| Dates / validity / names etc.                      |                   |                                          |

(X) – Optional

The scheme is the list of requirements published by the certifying body that includes all the certifying requirements in detail including any interpretations.

Tagged as: Jonathan Moore, ISO 26262, Automotive, asil
