ALL TECHNOLOGY NEEDS A LITTLE TCL

Qualification, Certification and ISO 26262

Joe Drzewiecki, associate director of development tools, and Steve Vernier, manager of product engineering, automotive products at Microchip, discuss Tool Confidence Level (TCL) and risk assessments.


It may seem paradoxical that qualifying a tool for use in a functional safety application cannot fall to the tool provider. A closer look at the ISO 26262 qualification process will explain this apparent paradox. The process starts with determining the ASIL (Automotive Safety Integrity Level) of your application and the TCL (Tool Confidence Level) required of each tool intended for use.

DETERMINING TCL REQUIRED OF TOOLS TO BE USED

When developing an item to ISO 26262 safety requirements, the standard requires that all software tools used in that item’s development have documented evidence as to why each tool is unlikely to introduce an error in operation – a good intent for strong performance is not enough. In the case of C compilers, there may be several to choose from and many considerations involved in the final selection. Confidence that the compiler chosen does not introduce errors into the design is essential. To help determine the level of detail to which a tool should be analysed, a risk assessment is performed. Tool classification considers two aspects for each use case: its impact on the safety of the design (Tool Impact, or TI), and the probability that an error could be generated and go undetected (Tool error Detection, or TD). TI and TD are not affected by how often the tool has been used, or what company made the tool. Risk is not limited to only what goes directly into the item, but also the information that affects design choices or test results. Error detection can of course be built into the tool, but TD determination should also include the evaluation and testing of the item later in the development process. Risk can be minimised by using tools for their intended purpose and usage conditions, which are usually described in a tool’s user guide and/or safety manual.


ISO 26262 recognises four qualification methods for each TCL, each ranked by the ASIL of the application. Increased confidence from use is restrictive in that it applies only for the same version, of the same tool, in the same application. However, if that applies to your situation, it’s there to use. For the second method, an evaluation requires deep insight into the development processes of the tool provider. However, it is not likely to be used except for the mitigating influence of a third-party certification body, which could gain access to this usually proprietary information during certification audits. The third method is validation of the software tool. Validation is a tried-and-true method for ensuring proper operation of software. Depending on the tool, however, the degree of expertise necessary to validate the tool may be excessive. Finally, qualification gets easier if the tool has been developed in compliance with a safety standard. Of course, you must be comfortable with the thoroughness of the qualification that you performed when you present it to an auditor. As mentioned, one would have to be a qualified compiler validation expert to determine if the hundreds of thousands of tests performed on the compilers, such as MPLAB XC, were necessary and sufficient.

One sure way to validate a tool’s qualification is to leverage third-party certification from an accredited body like TÜV SÜD. Such an organisation can bring a vast array of experience and expertise in both functional safety and tool certification. Utilising comprehensive information and incisive on-site audits, a third-party organisation uses information supplied by the tool provider, including process definition and documentation, validation methodologies and results, a safety plan, Failure Mode and Effects Analysis (FMEA) and a functional safety manual, to ensure that any provisional classification and qualification documents provided by a tool vendor meet a rigorous, high standard of attainment.

MICROCHIP SIMPLIFIES MEETING FUNCTIONAL SAFETY REQUIREMENTS

Along with the certificate from TÜV SÜD and the reports that substantiate it, Microchip provides all of the above-mentioned documentation, along with the aforementioned MPLAB XC compilers for functional safety. Also included in the package are classification and qualification documents for MPLAB X IDE and MPLAB debuggers and programmers, to Tool Confidence Level 1 (TCL 1). Since the MPLAB XC compiler products support all of Microchip’s microcontrollers (MCUs), every MCU that Microchip offers is included in this functional safety solution. Microchip helps customers simplify the development tool qualification process for their functional safety requirements.

