Subscribe, Like, Rate...
EZ Spotlight Topics

A variety of tools, including a hammer and screwdriver, arranged on a rustic wooden background.

​​ISO 26262 Essentials: Ensuring Confidence in Your Software Tools ​

Bajaj
3 minute read time.

By Ashish Iskande

What is Tool Qualification and Why is it Important? 

In safety-critical automotive development, tools act as silent partners but can also pose silent threats. If a tool introduces an undetected error, it can compromise the entire safety case. That’s why ISO 26262 mandates tool qualification for certain tools. Consider a code generator producing incorrect output for an ASIL-D system. If the error goes unnoticed, the resulting software could fail in the field, potentially leading to hazardous events. 

Unqualified tools pose risks such as: 

  • Undetected failures in generated code or analysis. 
  • False confidence in verification results. 
  • Misleading outputs in quantitative safety analysis (e.g., FMEDA) 

Tool qualification provides documented proof that the tool performs as intended and does not introduce unacceptable risks into the safety lifecycle. This typically includes activities such as validating tool functionality, assessing error-detection mechanisms, and reviewing development processes to ensure compliance with ISO 26262 requirements. 

 

When is Tool Qualification Required? 

Tool qualification is determined through Software Tool Evaluation as per ISO 26262 guidelines. Not every tool used in the development process requires qualification: first, it must be evaluated to establish its Tool Confidence Level (TCL). TCL depends on two key factors:  

1. Tool Impact (TI) 

This assesses whether a malfunction in the software tool could introduce errors or fail to identify them in a safety-related item or element under development. 

  • TI1: Selected when it can be argued that such a possibility does not exist.   
  • TI2: Selected in all other cases.  

 

2. Tool Error Detection (TD): 

This evaluates the confidence in measures that prevent or detect malfunctions in software tools producing erroneous output. 

  • TD1: Selected if there is a high degree of confidence that a malfunction and its corresponding erroneous output will be prevented or detected.  
  • TD2: Selected if there is a medium degree of confidence that a malfunction and its corresponding erroneous output will be prevented or detected.  
  • TD3: Selected in all other cases.  

After evaluating Tool Impact (TI) and Tool Detection (TD), the Tool Confidence Level (TCL) can be determined in accordance with ISO 26262, Part 8, Table 3.    

  • TCL 1: No qualification required. 
  • TCL 2 or TCL 3: Qualification is mandatory.  

 

 Decision Tree for TCL evaluation

Figure 1: Decision Tree for TCL evaluation 

 

Tool Qualification Methods   

ISO 26262 recommends four primary methods for tool qualification to ensure the reliability of software tools used in the development of safety-critical automotive systems. The selection of method depends on:  

  • The evaluated Tool Confidence Level (TCL) 
  • The highest applicable Automotive Safety Integrity Level (ASIL) 

The selection guidelines for these methods are provided in ISO 26262 Part 8, Table 4 and Table 5  

1. Increased confidence from use  

  • Basis: Proven-in-use evidence   
  • Approach: Provide a rationale that the software tool has been previously utilized for the same purpose in comparable use cases, under similar operating environments and functional constraints.  

2. Evaluation of the tool development process 

  • Basis: Assessment of the tool supplier’s development process.  
  • Approach: Evaluate the development process against an appropriate national or international standard, ensuring evidence that a suitable software development process was applied.    

3. Validation of the software tool 

  • Basis: Testing to demonstrate correct behavior for intended use cases.  
  • Approach: Provide evidence that the assessed tool errors either do not occur or will be detected. Validation can be performed using a customized test suite developed by the user or by the tool vendor. Example: Tool Qualification Kit for Medini Analyze from Ansys.   

4. Development in accordance with a safety standard 

  • Basis: The tool was developed in accordance with a recognized safety standard.  
  • Approach: Ensure compliance with standards such as ISO 26262 or IEC 61508 during tool development.  

   

Bottom Line  

Tool qualification isn’t just a checkboxit’s a safeguard against hidden risks in safety-critical automotive development. By combining ISO 26262 principles with automation, organizations can reduce cost, improve confidence, and accelerate safety-critical development.  

Read more from the Automotive FuSa blog series.

 

Tags: ​​Automotive FuSa automotive
    •  Analog Employees 

    One additional and valid approach to increasing confidence for use of a specific tool that is not explicitly covered in this blog or in ISO2626 is for cases where you can validate the output of the tool (e.g., use diverse tools to generate same output and compare outputs or test the output of the tool as part of the product development workflow to detect errors that may have been introduced by the tool) rather than qualifying the tool directly.  The tool characterization activity to determine a TCL value alludes towards this with the application of a TD value (i.e., if one were to qualify the tool's output directly the TD could be improved).  Current efforts to update tool characterization and qualification guidance in IEC 61508 for edition 3 are trying to make this approach option more explicit.