Tool qualification – The pain of functional safety (part 2)!

In the first part (Link) I explained the basic idea, which is behind the tool qualification. I have already given an overview of the four most frequently used measures.
In this article, I will discuss each of these 4 measures in more detail and name the respective advantages and disadvantages.

Measure 1: Data from the historical use of the tool

This measure can be applied within the tool qualification if a tool is used that has been on the market for a long time. In addition, historical data has to be available for the intended use case. This means that there are exact details about errors in the tool and whether these have been corrected. Critical factors here are the tool observation period and the impact of any new tool versions. In aviation, this measure is seen as rather critical. This measure is certainly used in industrial automation, the railway industry and the automotive industry. This especially the case when a tool is used that is acknowledged and recognized by the industry.

Measure 2: Tool development process assessment

This measure is explicitly mentioned in ISO 26262 and it is primarily used in the automotive sector. A multi-day, intensive assessment is carried out at the tool manufacturer in order to assess whether the applied development process for this tool is appropriate for the intended purpose. These assessments are mostly commissioned by the tool makers themselves and are carried out by recognized assessors. After successful completion of this assessment, the tool manufacturer also uses this certificate as a quality proof for his tool.

Measure 3: Test of the tool functionality

This measure is probably the best known to achieve a tool qualification. Based on a description of the functionalities of the tool, test cases will be developed for those sub-functions. The execution of these test cases should take place in the same environment in which the tool is operationally used. Often, several scripts are used, which may have an influence on the functionality of the tool. This aspect is covered with an execution of the tests, in the original operational environment. The effort spent is not the one-time performance of the tests, but the preparation of the test specifications, test cases and test procedures. This activity is often taken over by the commercial toolmakers. Such a work share minimizes the workload for the project team considerably. This measure provides the best cost / benefit ratio.

Measure 4: Development of the tool according to a functional safety standard

This measure offers the highest benefit for the safety. The tool is completely developed according to a standard of functional safety (ISO 26262, IEC 61508, DO-178C, etc.). This means that there is a risk and hazardous analysis and all planning documents, specification documents and verification documents have been developed according to the criticality level for which the tool itself is to be used. It is obvious that such a claim is only met in exceptional cases by commercial tool makers.

Conclusion

A full discussion of the best practices of the individual sectors can not be done in this blog. The essential points are:
In the aerospace industry often measure 3 is taken. This measure best recognized and respected. Measure 1 is only used in very rare cases. Measure 2 has no acceptance at all. Measure 4 is used, but usually not for commercial tools. Such tools are usually non-commercial special applications.
In the automotive industry, measure 3 has not yet really been accepted. Here measure 2 is often used. If a reasonable justification is possible, measure 1 may also be accepted (For higher ASIL the acceptance of measure 1 is decreasing). Measure 4 is the absolute exception.
In industrial automation, measure 1 is often accepted (more often than in other sectors). Measure 2 is also often used. Measure 3 can be used for high SIL levels. Measure 4 is the absolute exception.
All in all, it is recommended to follow the basic idea of he tool qualification. This means that first of all it is determined which process of the functional safety standard is automated by the use of a tool, or where the 4-eye principle is violated by the tool.
Only where this is the case, a tool qualification measure must be carried out.
In practice this usually means that no measure has to be taken for 60% to 80% of all potential tools. For the remaining tools, measure 3 is the best choice in most cases. Measure 4 may be necessary for very few but very critical applications.

Further HEICON Blog Posts related to Tool Qualification

• Importance of the Tool Qualification in the FuSa (part 1)!
• IEC 61508 – Tool qualification – When? Why? How?
• EN50128 and EN50657 support tools
• ISO 26262 Confidence in the use of software tools – A feasible strategy!

Are you ready for a functional safety workshop, to analyse improvement potentials in your development process, then send a mail to: info[at]heicon-ulm.de or call +49 (0) 7353 981 781.