IEC Certification Kit: Simulink Verification and Validation™ ISO 26262 Tool Qualification Package


IEC Certification Kit

Simulink Verification and Validation


ISO 26262 Tool Qualification Package
R2015b

How to Contact MathWorks

Latest news: www.mathworks.com
Sales and services: www.mathworks.com/sales_and_services
User community: www.mathworks.com/matlabcentral
Technical support: www.mathworks.com/support/contact_us
Phone: 508-647-7000

The MathWorks, Inc.
3 Apple Hill Drive
Natick, MA 01760-2098

IEC Certification Kit: Simulink Verification and Validation ISO 26262 Tool Qualification Package

COPYRIGHT 2011-2015 by The MathWorks, Inc.


The software described in this document is furnished under a license agreement. The software may be used or copied only under
the terms of the license agreement. No part of this manual may be photocopied or reproduced in any form without prior written
consent from The MathWorks, Inc.
FEDERAL ACQUISITION: This provision applies to all acquisitions of the Program and Documentation by, for, or through the
federal government of the United States. By accepting delivery of the Program or Documentation, the government hereby agrees
that this software or documentation qualifies as commercial computer software or commercial computer software documentation
as such terms are used or defined in FAR 12.212, DFARS Part 227.72, and DFARS 252.227-7014. Accordingly, the terms and
conditions of this Agreement and only those rights specified in this Agreement, shall pertain to and govern the use, modification,
reproduction, release, performance, display, and disclosure of the Program and Documentation by the federal government (or
other entity acquiring for or through the federal government) and shall supersede any conflicting contractual terms or conditions.
If this License fails to meet the government's needs or is inconsistent in any respect with federal procurement law, the
government agrees to return the Program and Documentation, unused, to The MathWorks, Inc.

Trademarks
MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See www.mathworks.com/trademarks for a
list of additional trademarks. Other product or brand names may be trademarks or registered trademarks of their respective
holders.

Patents
MathWorks products are protected by one or more U.S. patents. Please see www.mathworks.com/patents for more
information.

Revision History
September 2011: New for Version 2.0 (Applies to Release R2011b)
March 2012: Revised for Version 2.1 (Applies to Release R2012a)
September 2012: Revised for Version 3.0 (Applies to Release R2012b)
March 2013: Revised for Version 3.1 (Applies to Release R2013a)
September 2013: Revised for Version 3.2 (Applies to Release R2013b)
March 2014: Revised for Version 3.3 (Applies to Release R2014a)
October 2014: Revised for Version 3.4 (Applies to Release R2014b)
March 2015: Revised for Version 3.5 (Applies to Release R2015a)
September 2015: Revised for IEC Certification Kit Version 3.6 (Applies to Release R2015b)

Contents
1 Introduction ........ 1-1
1.1 Project Identification ........ 1-2
1.2 Tool Overview and Identification ........ 1-3
1.3 Tool Qualification Artifacts Summary ........ 1-4
2 Software Tool Criteria Evaluation Report ........ 2-1
2.1 Tool Environment ........ 2-2
2.2 Tool Configuration ........ 2-3
2.3 Reference Workflow ........ 2-5
2.4 Tool Use Cases ........ 2-6
[SLVNV_UC1] Static analysis of a model to verify compliance with specified modeling guidelines ........ 2-6
[SLVNV_UC2] Automatic fixing of reported issues ........ 2-6
[SLVNV_UC3] Structural coverage analysis of test cases at the model level ........ 2-6
2.5 Generic Tool Classification ........ 2-7
2.5.1 Potential Malfunctions or Erroneous Outputs ........ 2-7
[SLVNV_E1] Model Compliance Checking - False Negative ........ 2-7
[SLVNV_E2] Model Compliance Checking - False Positive ........ 2-7
[SLVNV_E3] Model Compliance Checking - Non-interference ........ 2-7
[SLVNV_E4] Model Compliance Checking - Incorrect hyperlinks ........ 2-7
[SLVNV_E5] Model Compliance Checking - Incorrect fixing of reported issues ........ 2-7
[SLVNV_E6] Model Coverage Analysis - False Negative ........ 2-7
[SLVNV_E7] Model Coverage Analysis - False Positive ........ 2-8
[SLVNV_E8] Model Coverage Analysis - Non-interference ........ 2-8
[SLVNV_E9] Simulink Verification and Validation - Usage of incorrect input data ........ 2-8
[SLVNV_E10] Simulink Verification and Validation - Misinterpretation of results ........ 2-8
[SLVNV_E11] Simulink Verification and Validation - Incorrect Tool Usage ........ 2-8
[SLVNV_E12] Simulink Verification and Validation - Incorrect or Modified Installation ........ 2-8
2.5.2 Error Prevention and Detection Measures ........ 2-9
[M1] ........ 2-9
[M2] ........ 2-9
[M3] ........ 2-9
[M_MISC1] Revision Control and Configuration Management to Identify the Artifacts to be Analyzed; Use of Checksums ........ 2-9
[M_MISC2] Competency of the Project Team ........ 2-10
[M_MISC3], [M_MISC4] Adherence to Installation Instructions; Integrity of Tool Installation ........ 2-10
Tool Classification Summary ........ 2-11
3 Software Tool Qualification Report ........ 3-1
3.1 Requirement for Tool Qualification ........ 3-2
3.2 Tool Qualification Documentation ........ 3-3
4 Confirmation Review of Tool Classification and Qualification ........ 4-1
4.1 Requirement for Confirmation Review ........ 4-2
4.2 Validity of Generic Tool Classification ........ 4-3
4.3 Validity of Generic Tool Qualification ........ 4-4
4.4 Conformance with Reference Workflow ........ 4-5

1 Introduction

This document constitutes the ISO 26262 Tool Qualification Package for the Simulink Verification and Validation product. It is intended for use in the ISO 26262 tool classification and qualification process for software tools and contains templates for the ISO 26262 tool qualification work products (see ISO 26262-8, Section 11).

The applicant shall review the templates for applicability to the project under consideration, and then tailor and complete them as necessary.

See also:
- IEC Certification Kit: User's Guide, R2015b
- ISO 26262-8, Section 11

ISO 26262-8, Clause 11 provides provisions for software tools that are used to tailor activities or tasks required by ISO 26262. The standard outlines a two-step approach to establish the required confidence in the tools:
- Tool classification determines the required level of confidence in the software tool.
- Depending on the result of the tool classification, you might need to carry out a formal tool qualification.

When applying this approach to a software tool, the applicant must create the following work products (see ISO 26262-8, 11.5):
- A software tool criteria evaluation report documenting the tool classification.
- A software tool qualification report documenting the tool qualification, if required.

Note: The applicant needs to review this template for applicability to the project under consideration and insert missing information.

1.1 Project Identification

Applicant: <Insert information>

Project under consideration: <List project under consideration>

1.2 Tool Overview and Identification

Simulink Verification and Validation allows users to:
- Check Simulink and Stateflow models for compliance with design and coding guidelines.
- Identify untested portions of models using structural coverage metrics.

Tool Identification

Software Tool: Simulink Verification and Validation
Version (Release): 3.10 (R2015b)
Tool Vendor: The MathWorks, Inc., 3 Apple Hill Drive, Natick, MA, 01760-2098 USA

Software Tool: IEC Certification Kit
Version (Release): Version 3.6 (R2015b)
Tool Vendor: The MathWorks, Inc., 3 Apple Hill Drive, Natick, MA, 01760-2098 USA

1.3 Tool Qualification Artifacts Summary

For the Simulink Verification and Validation product, the following table lists:
- Prerequisites (see ISO 26262-8, 11.3.1)
- Supporting information (see ISO 26262-8, 11.3.2)
- Tool qualification work products (see ISO 26262-8, 11.5)

The tool qualification artifacts listed in the table are mapped to sections in this document and other artifacts.

Artifact: Safety plan
Corresponding Documents / Artifacts:
- <Insert document title, version, and filename / link>

Artifact: Applicable prerequisites of the lifecycle phases where software tool is used
Corresponding Documents / Artifacts:
- <Insert software lifecycle phase(s)>
- <Insert prerequisite(s)>

Artifact: Predetermined maximum ASIL
Corresponding Documents / Artifacts:
- <Insert ASIL>

Artifact: Software tool documentation
Corresponding Documents / Artifacts:
- Simulink Verification and Validation User's Guide, R2015b (slvnv_ug.pdf)
- Simulink Verification and Validation Reference, R2015b (slvnv_ref.pdf)
- Simulink Verification and Validation: Release Notes, R2015b (rn.pdf)

Artifact: Environment and constraints of the software tool
Corresponding Documents / Artifacts:
- MathWorks bug report system at www.mathworks.com/support/bugreports/
- <Insert information>

Artifact: Software tool criteria evaluation report
Corresponding Documents / Artifacts:
- Customized and completed Software Tool Criteria Evaluation Report in the Simulink Verification and Validation ISO 26262 Tool Qualification Package (this document), certkitiec_slvnv_tqp.docx
- Simulink Verification and Validation Reference Workflow, R2015b, certkitiec_slvnv_workflow.pdf
- Certificate Z10 11 12 67052 013, December 2011, certkitiec_slvnv_certificate.pdf
- Report to the certificate Z10 11 12 67052 013, May 2015, certkitiec_slvnv_certreport.pdf

Artifact: Software tool qualification report
Corresponding Documents / Artifacts:
- Customized and completed Software Tool Qualification Report in the Simulink Verification and Validation ISO 26262 Tool Qualification Package (this document), certkitiec_slvnv_tqp.docx
- Customized and completed Simulink Verification and Validation Conformance Demonstration Template, certkitiec_slvnv_cdt.docx
- Certificate Z10 11 12 67052 013, December 2011, certkitiec_slvnv_certificate.pdf
- Report to the certificate Z10 11 12 67052 013, May 2015, certkitiec_slvnv_certreport.pdf

Artifact: Confirmation review of qualification of a software tool
Corresponding Documents / Artifacts:
- Customized and completed Confirmation Review of Tool Classification and Qualification in the Simulink Verification and Validation ISO 26262 Tool Qualification Package (this document), certkitiec_slvnv_tqp.docx

2 Software Tool Criteria Evaluation Report

2.1 Tool Environment

It is assumed that Simulink Verification and Validation will be used in the following environment (see ISO 26262-8, 11.4.4.1d):
<Insert operating system and other pertinent environment information>

2.2 Tool Configuration

It is assumed that Simulink Verification and Validation will be used with the following tool configuration (see ISO 26262-8, 11.4.4.1b).

Model Coverage Analysis

Coverage Settings > Coverage Pane
  Configuration Parameter: <Insert project-specific settings>
  Setting: <Insert project-specific settings>

Coverage Settings > Results Pane
  Configuration Parameter: <Insert project-specific settings>
  Setting: <Insert project-specific settings>

Coverage Settings > Reporting Pane
  Configuration Parameter: <Insert relevant configuration parameter names>
  Setting: <Insert project-specific settings>

Coverage Settings > Options Pane
  Configuration Parameter: <Insert relevant configuration parameter names>
  Setting: <Insert project-specific settings>

Coverage Settings > Filter Pane
  Configuration Parameter: <Insert relevant configuration parameter names>
  Setting: <Insert project-specific settings>

Model Compliance Checking

Configuration Parameter: Check configuration
Setting: By Task > Modeling Standards for ISO 26262, comprising the following checks:
- Display configuration management data
- Display model metrics and complexity report
- Check for unconnected objects
- Check for root Inports with missing properties
- Check for root Inports with missing range definitions
- Check for root Outports with missing range definitions
- Check for blocks not recommended for C/C++ production code deployment
- Check usage of Stateflow constructs
- Check state machine type of Stateflow charts
- Check usage of Math Operations blocks
- Check usage of Signal Routing blocks
- Check usage of Logic and Bit Operations blocks
- Check usage of Ports and Subsystems blocks
- Check for inconsistent vector indexing methods
- Check for model objects that do not link to requirements
- Check for MATLAB Function interfaces with inherited properties
- Check MATLAB Function metrics
- Check MATLAB Code Analyzer messages
- Check MATLAB code for global variables

2.3 Reference Workflow

It is assumed that Simulink Verification and Validation will be used as described in the reference workflow documented in Simulink Verification and Validation Reference Workflow.
To access the reference workflow document, on the MATLAB command line, type certkitiec to open the Artifacts Explorer. The reference workflow document is located under Simulink Verification and Validation.

2.4 Tool Use Cases

It is assumed that Simulink Verification and Validation will be used as described by one or more of the following use cases (see ISO 26262-8, 11.4.4.1c). Additional information can be found in the reference workflow document Simulink Verification and Validation Reference Workflow.

[SLVNV_UC1] Static analysis of a model to verify compliance with specified modeling guidelines

The Simulink Verification and Validation tool is used to check a Simulink or Stateflow model for compliance with design and coding guidelines.
The model being checked can be an executable specification, a model used for production code generation, or other interim models created during the model elaboration phase.

[SLVNV_UC2] Automatic fixing of reported issues

Subsequent to model compliance checking, the Simulink Verification and Validation tool is used to automatically fix the reported issues.
The fixes are applied to the model being checked initially.

[SLVNV_UC3] Structural coverage analysis of test cases at the model level

The Simulink Verification and Validation tool is used to determine the structural coverage that can be achieved by a set of model level test cases or to identify untested portions of a Simulink or Stateflow model. Supported model coverage metrics include:
- Decision coverage
- Condition coverage
- Modified condition and decision coverage (MC/DC)

Structural coverage analysis can be applied to an executable specification, a model used for production code generation, or other interim models created during the model elaboration phase.

2.5 Generic Tool Classification


The tool classification for Simulink Verification and Validation was performed in a generic
manner, independently from the development of a particular safety-related item or element.
For the generic tool classification, the reference use cases listed in the section Tool Use Cases
have been taken into account. The tool classification is based on the potential malfunctions or
erroneous outputs and error prevention and detection measures listed in the following,
corresponding sections.
Additional information can be found in the reference workflow document: Simulink Verification
and Validation Reference Workflow.

2.5.1 Potential Malfunctions or Erroneous Outputs

The following potential malfunctions or erroneous outputs were taken into account as part of the tool classification process:

[SLVNV_E1] Model Compliance Checking - False Negative
The modeling guideline checker incorrectly marks the model as compliant.

[SLVNV_E2] Model Compliance Checking - False Positive
The modeling guideline checker incorrectly marks the model as non-compliant.

[SLVNV_E3] Model Compliance Checking - Non-interference
The modeling guideline checker contains an error, but the model to be analyzed does not invoke the erroneous portion of the tool.

[SLVNV_E4] Model Compliance Checking - Incorrect hyperlinks
Hyperlinks in the analysis results contain errors.

[SLVNV_E5] Model Compliance Checking - Incorrect fixing of reported issues
Automatic fixing of reported issues does not work correctly.

[SLVNV_E6] Model Coverage Analysis - False Negative
The model coverage analysis incorrectly marks uncovered model elements as covered.

[SLVNV_E7] Model Coverage Analysis - False Positive
The model coverage analysis incorrectly marks covered model elements as not covered.

[SLVNV_E8] Model Coverage Analysis - Non-interference
The model coverage analysis contains an error, but the model to be analyzed does not invoke the erroneous portion of the tool.

[SLVNV_E9] Simulink Verification and Validation - Usage of incorrect input data
Analysis of incorrect or inconsistent tool inputs.

[SLVNV_E10] Simulink Verification and Validation - Misinterpretation of results
User interprets correct analysis results incorrectly.

[SLVNV_E11] Simulink Verification and Validation - Incorrect Tool Usage
User does not follow established procedures when using the tool.

[SLVNV_E12] Simulink Verification and Validation - Incorrect or Modified Installation
Simulink Verification and Validation has not been installed correctly, has been modified after installation, or available bug reports for the tool haven't been analyzed.

2.5.2 Error Prevention and Detection Measures

The following measures, which facilitate seamless functioning of the model compliance checking and model coverage analysis capabilities of the Simulink Verification and Validation tool, are referenced in the tool classification process. Additional considerations are described in Simulink Verification and Validation Reference Workflow.

[M1]
Before or after static analysis of a model to verify its compliance with specified modeling guidelines:
- Dynamically verify (test) the model.

[M2]
After automatic fixing of reported issues, do one or more of the following:
- Re-check the model for its compliance with specified modeling guidelines.
- Dynamically verify (test) the model.
- Compare the XML files exported¹ from the original and fixed Simulink models and manually review the comparison results.

[M3]
After carrying out model coverage analysis:
- Use a code coverage tool when testing the software generated from the model to determine structural coverage of test cases at the software level.

[M_MISC1] Revision Control and Configuration Management to Identify the Artifacts to be Analyzed; Use of Checksums
Apply configuration management to the artifacts to be verified or analyzed using Simulink Verification and Validation.

¹ Requires Simulink Report Generator.

[M_MISC2] Competency of the Project Team
Those carrying out verification or analysis activities using Simulink Verification and Validation shall be competent for the activities undertaken.

[M_MISC3], [M_MISC4] Adherence to Installation Instructions; Integrity of Tool Installation
Adhere to the installation instructions for Simulink Verification and Validation (including dependent tools) and verify the version and integrity of the tool.
Validate modifications or additions made to the shipping product(s), if applicable.

Tool Classification Summary

Table columns: Potential malfunction or erroneous output | Use cases | TI | Justification for TI | Prevention / detection measures | TD | Justification for TD | TCL

[SLVNV_E1] Model Compliance Checking - False Negative
Use cases: [SLVNV_UC1]
TI: TI2. Incorrect analysis result could prevent modeling guidelines violations from being detected.
Prevention / detection measures: [M1] Preceding or subsequent dynamic verification (testing) of the model.
TD: TD2. Static analysis tools typically detect only a subset of the existing modeling standard violations in the model. Therefore, other process steps cannot assume completeness of modeling guideline check results. Modeling standard violations do not necessarily imply incorrect models. Functional or structural testing helps detect real errors in the model. The likelihood of detecting these errors by testing is considered to be medium.
TCL: TCL2

[SLVNV_E2] Model Compliance Checking - False Positive
Use cases: [SLVNV_UC1]
TI: TI1. Nuisance only; model does not violate modeling guidelines.
Prevention / detection measures: -
TD: -
TCL: TCL1

[SLVNV_E3] Model Compliance Checking - Non-interference
Use cases: [SLVNV_UC1]
TI: TI1. Error in the tool; does not affect analysis results.
Prevention / detection measures: -
TD: -
TCL: TCL1

[SLVNV_E4] Model Compliance Checking - Incorrect hyperlinks
Use cases: [SLVNV_UC1]
TI: TI1. Nuisance only; model does not violate modeling guidelines.
Prevention / detection measures: -
TD: -
TCL: TCL1

[SLVNV_E5] Model Compliance Checking - Incorrect fixing of reported issues
Use cases: [SLVNV_UC2]
TI: TI2. Incorrect fixing could introduce an error in the model.
Prevention / detection measures, with TD and TCL for each:
- [M2a] Subsequent re-checking of the model for compliance with specified modeling guidelines. TD2: Re-checking of the model will detect modeling standard violations introduced by the automatic fixing but might miss other errors introduced. TCL2.
- [M2b] Subsequent dynamic verification (testing) of the model. TD2: Functional or structural testing helps detect real errors in the model. The likelihood of detecting these errors by testing is considered to be medium. TCL2.
- [M2c] Subsequent comparison of the XML files exported from the original and fixed Simulink models and manual review of the comparison results. TD1: Manual review of the comparison results can verify that the automatic fixing did not introduce unintended changes. TCL1.

[SLVNV_E6] Model Coverage Analysis - False Negative
Use cases: [SLVNV_UC3]
TI: TI2. Incorrect analysis result could prevent incomplete test cases from being detected. Incomplete test cases could result in untested portions of the model or generated code.
Prevention / detection measures, with TD and TCL for each:
- None. TD3. TCL3.
- [M3] Subsequent usage of a code coverage tool when testing the software generated from the model. TD1: Use of a code coverage tool determines completeness of tests at the software level. TCL1.

[SLVNV_E7] Model Coverage Analysis - False Positive
Use cases: [SLVNV_UC3]
TI: TI1. Nuisance only; test cases are complete.
Prevention / detection measures: -
TD: -
TCL: TCL1

[SLVNV_E8] Model Coverage Analysis - Non-interference
Use cases: [SLVNV_UC3]
TI: TI1. Error in the tool; does not impact analysis results.
Prevention / detection measures: -
TD: -
TCL: TCL1

[SLVNV_E9] Simulink Verification and Validation - Usage of incorrect input data¹
Use cases: [SLVNV_UC1], [SLVNV_UC3]
TI: TI2. Incorrect or incomplete analysis results could prevent errors from being detected.
Prevention / detection measures: [M_MISC1] Revision control and configuration management² to identify the artifacts to be verified; use of checksums.
TD: TD1. Revision control and configuration management facilitate integrity of the artifacts to be verified. Using checksums allows the unique identification of the artifacts being verified.
TCL: TCL1

[SLVNV_E10] Simulink Verification and Validation - Misinterpretation of results
Use cases: [SLVNV_UC1], [SLVNV_UC2], [SLVNV_UC3]
TI: TI2. Misinterpretation of analysis results could prevent errors from being detected.
Prevention / detection measures: [M_MISC2] Competency of the project team³.
TD: TD1. Training of tool users can prevent these issues.
TCL: TCL1

[SLVNV_E11] Simulink Verification and Validation - Incorrect Tool Usage
Use cases: [SLVNV_UC1], [SLVNV_UC2], [SLVNV_UC3]
TI: TI2. Incorrect usage could prevent errors from being detected.
Prevention / detection measures: [M_MISC2] Competency of the project team.
TD: TD1. Training of users can prevent these issues.
TCL: TCL1

[SLVNV_E12] Simulink Verification and Validation - Incorrect or Modified Installation
Use cases: [SLVNV_UC1], [SLVNV_UC2], [SLVNV_UC3]
TI: TI2. Incorrect or modified installation could prevent errors from being detected.
Prevention / detection measures: [M_MISC4] Adherence to installation guide instructions⁴ and [M_MISC3] Measures to verify integrity of installed tool version⁵.
TD: TD1. Adherence to the installation guide and verification of the installed tool version facilitate seamless installation.
TCL: TCL1

¹ For example, analysis of the wrong model.
² See Configuration Management and Revision Control in the Simulink Verification and Validation Reference Workflow.
³ See Competency of the Project Team in the Simulink Verification and Validation Reference Workflow.
⁴ See Installation Integrity and Release Compatibility in the Simulink Verification and Validation Reference Workflow.
⁵ Could include re-running the validation tests shipping with the IEC Certification Kit before using Simulink Verification and Validation.

Based on the preceding analysis, the maximum tool impact of the Simulink Verification and Validation use cases taken into account is TI2.
Applying the prevention and detection measures previously described provides a medium degree of confidence that a malfunction or an erroneous output of the model compliance checking capability of Simulink Verification and Validation can be prevented or detected. The resulting maximum required tool confidence level for model compliance checking is TCL_MAX 2.
For the model coverage analysis capability of Simulink Verification and Validation, not applying prevention or detection measures to verify the results of the model coverage analysis results in a maximum required tool confidence level of TCL_MAX 3.
Subsequent use of a code coverage tool when testing the software generated from the model and the application of the generic prevention and detection measures M_MISC1, M_MISC2, M_MISC3, and M_MISC4 provides a high degree of confidence that a malfunction or an erroneous output of the modeling guidelines checking capability of Simulink Verification and Validation can be prevented or detected. In this case, the resulting maximum required tool confidence level for model coverage analysis is TCL_MAX 1.
TÜV SÜD reviewed the generic tool classification and confirmed the preceding results in Report to the certificate Z10 11 12 67052 013.

3 Software Tool Qualification Report

3.1 Requirement for Tool Qualification

Given the maximum required tool confidence level TCL_MAX 2 for Model Compliance Checking (see Generic Tool Classification), this capability of Simulink Verification and Validation needs to be qualified up to TCL2. Permissible tool qualification methods for TCL2 are listed in ISO 26262-8 Table 5.
Given the maximum required tool confidence level TCL_MAX 3 for Model Coverage Analysis without verification of the analysis results (see Generic Tool Classification), this capability of Simulink Verification and Validation needs to be qualified up to TCL3. Permissible tool qualification methods for TCL3 are listed in ISO 26262-8 Table 4.
Given the maximum required tool confidence level TCL_MAX 1 for Model Coverage Analysis with subsequent use of a code coverage tool (see Generic Tool Classification), this capability of Simulink Verification and Validation does not require formal tool qualification methods (see ISO 26262-8, 11.4.6.1).

3.2 Tool Qualification Documentation

MathWorks carried out an application-independent pre-qualification of Simulink Verification and Validation.
The Model Compliance Checking capability using the ISO 26262 modeling standard checks was pre-qualified for all ASILs according to ISO 26262-8, up to and including TCL2.
The Model Coverage Analysis capability was pre-qualified for all ASILs according to ISO 26262-8, up to and including TCL3.
The pre-qualification of Simulink Verification and Validation was carried out using a combination of the following methods:
- Evaluation of the tool development process (ISO 26262-8, Tables 4 and 5, Method 1b).
- Validation of the software tool (ISO 26262-8, Tables 4 and 5, Method 1c).

According to ISO 26262-8, Tables 4 and 5, these two methods are permissible for all ASILs. For TCL2, method 1b is highly recommended for ASILs A, B, and C. Method 1c is highly recommended for ASIL D. For TCL3, method 1b is highly recommended for ASILs A and B. Method 1c is highly recommended for ASILs C and D.
TÜV SÜD carried out an independent tool qualification assessment. MathWorks submitted the results of the methods applied to pre-qualify Simulink Verification and Validation to TÜV SÜD. TÜV SÜD reviewed the results of the generic tool qualification for the Model Coverage Analysis and Model Compliance Checking capabilities of Simulink Verification and Validation. TÜV SÜD confirmed the results in Report to the certificate Z10 11 12 67052 013.

4 Confirmation Review of Tool Classification and Qualification

4.1 Requirement for Confirmation Review

The tool classification (see Software Tool Criteria Evaluation Report) was carried out independently from the development of the project under consideration. Therefore, the resulting predetermined tool confidence level shall be confirmed by the applicant prior to Simulink Verification and Validation being used for the development of a particular safety-related item or element in the project under consideration (see ISO 26262-8, 11.4.2, 11.4.10).
The tool qualification (see Software Tool Qualification Report) was carried out independently from the development of the application under consideration. Therefore, the resulting generic pre-qualification shall be confirmed by the applicant prior to Simulink Verification and Validation being used for the development of a particular safety-related item or element for the application under consideration (see ISO 26262-8, 11.4.2, 11.4.10).
The generic tool classification is based on the assumption that Simulink Verification and Validation is being used as described in the reference workflow documented in Simulink Verification and Validation Reference Workflow. Therefore, conformance with the reference workflow in the project under consideration shall be confirmed by the applicant.

4.2 Validity of Generic Tool Classification

Applicable Tool Confidence Level: <Insert TCL>
<Insert results of confirmation review or reference to confirmation review documentation>

4.3 Validity of Generic Tool Qualification

Applicable Tool Confidence Level: <Insert TCL>
<Insert results of confirmation review or reference to confirmation review documentation>

4.4 Conformance with Reference Workflow

Applicable Tool Confidence Level: <Insert TCL>
<Insert results of confirmation review or reference to confirmation review documentation>
