R2015a
How to Contact MathWorks
Latest news: www.mathworks.com
Sales and services: www.mathworks.com/sales_and_services
User community: www.mathworks.com/matlabcentral
Technical support: www.mathworks.com/support/contact_us
Phone: 508-647-7000
[M3] Selective Review and Analysis of Source Code Portions not Reached by Testing ... 2-11
[M4] Check of the Underlying Verification and Analysis Results for Critical Issues ... 2-11
[M_MISC1] Revision Control and Configuration Management to Identify the Artifacts to be Verified; Use of Checksums ... 2-11
[M_MISC2] Competency of the Project Team ... 2-11
[M_MISC3] Adherence to Installation Instructions; Integrity of Tool Installation ... 2-11
[M_MISC4] Analysis of Available Bug Report Information ... 2-11
Tool Classification Summary ... 2-12
3 Software Tool Qualification Report ... 3-1
3.1 Requirement for Tool Qualification ... 3-2
3.2 Tool Qualification Documentation ... 3-3
4 Confirmation Review of Tool Classification and Qualification ... 4-1
4.1 Requirement for Confirmation Review ... 4-2
4.2 Validity of Generic Tool Classification ... 4-3
4.3 Validity of Generic Tool Qualification ... 4-4
4.4 Conformance with Reference Workflow ... 4-5
1 Introduction
This document constitutes the ISO 26262 Tool Qualification Package for the Polyspace® Code Prover™ product. This document is intended for use in the ISO 26262 tool classification and qualification process for software tools. It contains templates for the ISO 26262 tool qualification work products (see ISO 26262-8, Clause 11).
The applicant shall review this template for applicability to the application under consideration, and tailor and complete the information.
See also:
ISO 26262-8, Clause 11 provides provisions for software tools that are used to tailor activities or
tasks required by ISO 26262. The standard outlines a two-step approach to establish the
required confidence in the tools:
Tool classification determines the required level of confidence in the software tool.
Depending on the result of the tool classification, you might need to carry out a formal
tool qualification.
The following work products need to be created when applying this approach to a software tool
(see ISO 26262-8, 11.5):
Note The applicant needs to review this template for applicability to the item or element
under consideration, and tailor and complete the information.
1.1 Item / Element Identification
Applicant: <Company name>
Item/element under development: <Item or element to be analysed or verified using Polyspace Code Prover>
1.2 Tool Overview and Identification
Polyspace® Code Prover™ detects and proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in embedded software written in the C and C++ programming languages.
Polyspace Code Prover uses formal methods-based abstract interpretation to formally prove run-time attributes of software. Polyspace Code Prover uses color-coding to indicate the run-time status of each line of code. Additionally, Polyspace Code Prover calculates and provides ranges for variables and operator parameters at any point of the program, taking into account every possible configuration (inputs, global variables).
Polyspace Code Prover provides additional capabilities to analyze C and C++ source code as well as to define, determine, and report software quality metrics.
Polyspace Code Prover can be used on handwritten code, generated code, or a combination of the two.
1.3 Tool Interfaces
Polyspace Code Prover uses the tool inputs and creates the tool outputs listed in the following sections.
Note Depending on the actual use case(s), some of the tool inputs may not be applicable.
Note Depending on the actual use case(s), some of the tool outputs may not be applicable.
Footnote:
1. Configuration and project information is shared between Polyspace Bug Finder and Polyspace Code Prover.
1.4 Tool Qualification Artifacts Summary
The following table lists:
for the Polyspace Code Prover. The table also maps these tool qualification artifacts to sections
in this document and artifacts found elsewhere.
Tool Certification Artifact / Corresponding Documents or Artifacts:

Software tool criteria evaluation report:
  - Customized and completed section “Software Tool Criteria Evaluation Report” of Polyspace Code Prover ISO 26262 Tool Qualification Package (this document): certkitiec_codeprover_tqp.docx
  - Polyspace Code Prover Reference Workflow, R2015a: certkitiec_codeprover_workflow.docx

Software tool qualification report:
  - Customized and completed section “Software Tool Qualification Report” of Polyspace Code Prover ISO 26262 Tool Qualification Package (this document): certkitiec_codeprover_tqp.docx
  - Customized and completed Polyspace Code Prover Conformance Demonstration Template: certkitiec_codeprover_cdt.docx
  - Certificate Z10 13 06 67052 012, June 2013: certkitiec_codeprover_certificate.pdf
certkitiec_codeprover_tqp.docx
2 Software Tool Criteria Evaluation Report
2.1 Tool Environment
It is assumed that Polyspace Code Prover will be used in the following environment when analyzing or verifying C/C++ code for the item / element under consideration (see ISO 26262-8, 11.4.4.1d):
2.2 Tool Configuration
It is assumed that Polyspace Code Prover will be used with the following configuration settings when verifying or analyzing C/C++ code for the system / element under consideration (see ISO 26262-8, 11.4.4.1b):
2.3 Tool Use Cases and Reference Workflow
It is assumed that Polyspace Code Prover is used as described by one or more of the following use cases (see ISO 26262-8, 11.4.4.1c). Details about these use cases are provided in Polyspace Code Prover Reference Workflow.
Additional information about the assumed usage of Polyspace Code Prover can be found in the reference workflow document Polyspace Code Prover Reference Workflow.
Code verification provided by Polyspace Code Prover proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in the source code, as described in the Polyspace Code Prover User’s Guide, R2015a.
[PCP_UC3] Semantic analysis of the calling relationships in the C/C++ code
The Polyspace Code Prover tool is used to extract control flow information from C or C++ source code. The extracted information is used by Polyspace Code Prover to generate an application call tree.
Generated call graphs can, for example, be reviewed to analyze the control flow or to identify recursive function calls.
Number and location(s) of read and write access(es) to global variables, directly or through pointer access
Type value ranges for individual access operations
Shared variables and associated concurrent access protection
The variable access information can, for example, be reviewed to analyze the data flow.
Software quality metrics can be applied to handwritten as well as generated source code.
[PCP_UC6] Semantic analysis of C/C++ code to assess interfaces between components
The Polyspace Code Prover tool is used to detect interface errors between components.
2.4 Generic Tool Classification
The tool classification for Polyspace Code Prover was performed in a generic manner, independently from the development of a particular safety-related item or element.
For the generic tool classification, the reference use cases listed in the section “Tool Use Cases” have been taken into account. The tool classification is based on the potential malfunctions or erroneous outputs and error prevention and detection measures listed in the corresponding sections below.
Additional information about the assumed error prevention and detection measures can be found in the reference workflow document Polyspace Code Prover Reference Workflow.
2.4.1 Potential Malfunctions or Erroneous Output
[PCP_E1] Run-time error detection – false negative
RTE [2] analysis incorrectly marks software as verified
Footnotes:
2. Run-Time Error
3. False positives for run-time errors can be caused by a bug in Polyspace Code Prover (malfunction of the tool leading the tool to produce a false alarm), or by an approximation made by Polyspace Code Prover. Approximations are intrinsic to Abstract Interpretation, the technology used by Polyspace Code Prover. Approximations should not be viewed as a malfunction of the tool.
4. False negatives for unreachable code can be caused by a bug in Polyspace Code Prover (malfunction of the tool causing the tool to not detect the unreachable code), or by an approximation made by Polyspace Code Prover. Approximations are intrinsic to Abstract Interpretation, the technology used by Polyspace Code Prover. Approximations should not be viewed as a malfunction of the tool.
5. This includes reporting non-existent calling relationships and not reporting existing calling relationships.
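The color-coded verdicts described in section 1.2 and the approximations discussed in footnotes 3 and 4 can be illustrated with a miniature interval-domain analyzer. The following C program is an added example; it is not Polyspace code and does not reproduce Polyspace algorithms. It assumes a simplified abstract domain (closed integer intervals, an int32 target) and three verdicts named after the page's colors: green (proven safe), orange (unproven) and red (proven failing on every execution). The function approximation_demo shows why a sound over-approximation can report an orange check on a division that never fails at run time, which is the "false positive caused by an approximation" of footnote 3 rather than a tool malfunction.

```c
/* Added example: a miniature interval-domain analyzer in the spirit of the
 * abstract interpretation Polyspace Code Prover applies.  This is not
 * Polyspace code and does not reproduce its algorithms; the domain, the
 * int32 target arithmetic and the three verdict colours are assumptions
 * chosen to mirror the page's terminology. */
#include <stdint.h>
#include <stdio.h>

typedef struct { int64_t lo, hi; } Interval;        /* set of possible run-time values */
typedef enum { CHECK_GREEN, CHECK_ORANGE, CHECK_RED } Verdict;

static const int64_t I32_LO = INT32_MIN, I32_HI = INT32_MAX;

static Interval iv(int64_t lo, int64_t hi) { Interval r = { lo, hi }; return r; }
static int64_t min64(int64_t a, int64_t b) { return a < b ? a : b; }
static int64_t max64(int64_t a, int64_t b) { return a > b ? a : b; }

const char *verdict_name(Verdict v) {
    return v == CHECK_GREEN ? "green" : v == CHECK_ORANGE ? "orange" : "red";
}

/* Compare an exact result interval with the representable int32 range.
 * *out receives the values that survive the check: the analyzer continues
 * only with executions that did not fail, so an empty interval follows red. */
static Verdict overflow_check(Interval r, Interval *out) {
    if (r.hi < I32_LO || r.lo > I32_HI) { *out = iv(0, -1); return CHECK_RED; }
    *out = iv(max64(r.lo, I32_LO), min64(r.hi, I32_HI));
    return (r.lo >= I32_LO && r.hi <= I32_HI) ? CHECK_GREEN : CHECK_ORANGE;
}

Verdict check_add(Interval a, Interval b, Interval *out) {
    return overflow_check(iv(a.lo + b.lo, a.hi + b.hi), out);
}

Verdict check_sub(Interval a, Interval b, Interval *out) {
    return overflow_check(iv(a.lo - b.hi, a.hi - b.lo), out);
}

/* Division a / b: the failing set is b == 0. */
Verdict check_div(Interval a, Interval b, Interval *out) {
    int64_t cand[4] = { b.lo, b.hi, -1, 1 };   /* where the quotient extremes can occur */
    int64_t lo = INT64_MAX, hi = INT64_MIN;
    if (b.lo == 0 && b.hi == 0) { *out = iv(0, -1); return CHECK_RED; }
    for (int i = 0; i < 4; i++) {
        int64_t d = cand[i];
        if (d == 0 || d < b.lo || d > b.hi) continue;   /* skip divisors outside b */
        lo = min64(lo, min64(a.lo / d, a.hi / d));
        hi = max64(hi, max64(a.lo / d, a.hi / d));
    }
    *out = iv(lo, hi);
    return (b.lo <= 0 && b.hi >= 0) ? CHECK_ORANGE : CHECK_GREEN;
}

/* Array access arr[idx] on an array of 'size' elements. */
Verdict check_index(Interval idx, int64_t size, Interval *out) {
    if (idx.hi < 0 || idx.lo >= size) { *out = iv(0, -1); return CHECK_RED; }
    *out = iv(max64(idx.lo, 0), min64(idx.hi, size - 1));
    return (idx.lo >= 0 && idx.hi < size) ? CHECK_GREEN : CHECK_ORANGE;
}

/* Footnote 3: intervals forget that x and y hold the same value, so
 * (x - y) + 1, which is always 1 at run time, is analysed as [-9, 11] and
 * the division is flagged orange although it can never fail. */
Verdict approximation_demo(void) {
    Interval x = iv(0, 10), y = x, t, d, q;
    check_sub(x, y, &t);                 /* t = [-10, 10], not [0, 0] */
    check_add(t, iv(1, 1), &d);          /* d = [-9, 11] contains 0 */
    return check_div(iv(100, 100), d, &q);
}

int main(void) {
    Interval out;
    Verdict v;
    v = check_add(iv(0, INT32_MAX), iv(0, 1), &out);         /* may overflow: orange */
    printf("add:   %-6s survivors [%lld, %lld]\n", verdict_name(v), (long long)out.lo, (long long)out.hi);
    v = check_div(iv(100, 100), iv(0, 0), &out);             /* always divides by zero: red */
    printf("div:   %s\n", verdict_name(v));
    v = check_index(iv(0, 10), 10, &out);                    /* index 10 is out of bounds: orange */
    printf("index: %-6s survivors [%lld, %lld]\n", verdict_name(v), (long long)out.lo, (long long)out.hi);
    printf("demo:  %s (false positive caused by approximation)\n", verdict_name(approximation_demo()));
    return 0;
}
```

The survivor interval written to *out is what makes footnote 9 matter in practice: a green verdict downstream is computed from the values that passed the preceding checks, so it is only meaningful once the red and orange checks feeding it have been resolved.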
[PCP_E7] Quality metrics reporting – incorrect metrics value
Polyspace Code Prover computes an incorrect value for a software quality metric or fails to report the violation of a defined software quality goal.
Footnotes:
7. For example, analysis of the wrong source code files or using variable ranges not consistent with the code file.
9. For example, the user incorrectly trusts a green check before correcting the red, orange and gray checks that could influence the green check result.
2.4.2 Error Prevention and Detection Measures
Potential measures to detect these potential malfunctions or erroneous outputs are described in “Tool Classification Summary”. Additional considerations are discussed in the “Additional Considerations” section of the reference workflow document Polyspace Code Prover Reference Workflow.
Dynamically verify (test) the executable code corresponding to the C or C++ source code.
Dynamically verify (test) the executable code corresponding to the C or C++ source code without specifically aiming at detecting run-time errors.
Analyze the identified issues using a defined procedure for corrective action.
The procedure for corrective action includes manual analysis and review of the issues uncovered.
[M3] Selective Review and Analysis of Source Code Portions not Reached by Testing
After dynamically verifying (testing) the source code:
Review and analyze the portions of the C or C++ source code that were not reached by testing.
Tool Classification Summary
Columns of the table: potential malfunction or erroneous output; use cases; tool impact (TI) with justification; prevention / detection measures; tool error detection (TD) with justification; tool confidence level (TCL).

[PCP_E1] Run-time error detection – false negative
  Use cases: [PCP_UC1], [PCP_UC6]
  TI: TI2. Incorrect verification result could prevent run-time errors in the software from being detected.
  Measure: [M1] Preceding or subsequent dynamic verification (testing) of the software
  TD: TD2. Functional or structural testing can detect RTEs. The likelihood of detecting RTEs by testing is considered to be medium.
  TCL: TCL2
  Measure: [M1_lim] Limited preceding or subsequent dynamic verification (testing) of the software
  TD: TD3. Functional or structural testing can detect RTEs. In processes where Polyspace Code Prover is the primary means of detecting RTEs, the test process might not be optimized to detect these kinds of errors. As a result, the likelihood of detecting RTEs by testing might be low.
  TCL: TCL3

[PCP_E2] Run-time error detection – false positive
  Use cases: [PCP_UC1], [PCP_UC6]
  TI: TI1. Software does not contain an error.
  Measure: [M2] Specified procedure for corrective action on failure of source code verification or analysis
  TD: TD1. Procedure for corrective action includes manual analysis and review of the issues uncovered. This process will detect false positives.
  TCL: TCL1

[PCP_E3] Unreachable code detection – false negative
  Use cases: [PCP_UC2]
  TI: TI2. Incorrect verification result (or approximations made by Polyspace Code Prover) could prevent unreachable source code from being detected.
  Measures: [M1] Preceding or subsequent dynamic verification (testing) of the software; [M3] Selective review and analysis of source code portions not reached by testing
  TD: TD1. Comprehensive structural testing can detect unreachable code.
  TCL: TCL1

[PCP_E4] Unreachable code detection – false positive
  Use cases: [PCP_UC2]
  TI: TI2. Incorrect verification result could mark reachable code as unreachable.
  Measure: [M2] Specified procedure for corrective action on failure of source code verification or analysis
  TD: TD1. Procedure for corrective action includes manual analysis and review of the issues uncovered. This process is able to detect false positives.
  TCL: TCL1

[PCP_E5] Calling relationship analysis – incorrect results
  Use cases: [PCP_UC3], [PCP_UC6]
  TI: TI2. Incorrectly identified calling relationships could prevent architectural and other issues from being detected.
  Measure: [M1] Preceding or subsequent dynamic verification (testing) of the software
  TD: TD2. During integration testing, calling relationships will be exercised as well. The likelihood of detecting incorrectly identified calling relationships by testing is considered to be medium.
  TCL: TCL2

[PCP_E6] Global variable usage analysis – incorrect results
  Use cases: [PCP_UC4], [PCP_UC6]
  TI: TI2. Incorrectly identified global variable usage could prevent architectural and other issues from being detected.
  Measure: [M1] Preceding or subsequent dynamic verification (testing) of the software
  TD: TD2. During testing, selected usage scenarios for global variables will be exercised as well. The likelihood of detecting incorrectly identified usage of global variables by testing is considered to be low.
  TCL: TCL3

[PCP_E7] Quality metrics reporting – incorrect metrics value
  Use cases: [PCP_UC5]
  TI: TI2. Incorrect value for quality metrics could prevent a software problem from being detected and analyzed.
  Measures: [M4] Check of the underlying verification and analysis results for critical issues; [M2] Specified procedure for corrective action on failure of source code verification or analysis
  TD: TD1. Quality metrics reports aggregate analysis and verification results provided by Polyspace Code Prover and Polyspace Bug Finder. Reviewing the aggregated results does not replace an analysis of the underlying analysis and verification results. Checking the underlying results for critical issues will reveal software problems that are incorrectly aggregated.
  TCL: TCL1

[PCP_E8] Non interference
  Use cases: [PCP_UC1], [PCP_UC2], [PCP_UC3], [PCP_UC4], [PCP_UC5], [PCP_UC6]
  TI: TI1. Error in the tool does not impact analysis results.
  Measure: -
  TD: TD1. -
  TCL: TCL1

[PCP_E9] Usage of incorrect input data
  Use cases: [PCP_UC1], [PCP_UC2], [PCP_UC3], [PCP_UC4], [PCP_UC5], [PCP_UC6]
  TI: TI2. Incorrect or incomplete verification or analysis results could prevent errors from being detected.
  Measure: [M_MISC1] Revision control and configuration management to identify the artifacts to be verified; use of checksums
  TD: TD1. Revision control and configuration management maintains the integrity of the artifacts to be verified. Using checksums allows the unique identification of the artifacts being verified.
  TCL: TCL1

[PCP_E10] Misinterpretation of results
  Use cases: [PCP_UC1], [PCP_UC2], [PCP_UC3], [PCP_UC4], [PCP_UC5], [PCP_UC6]
  TI: TI2. Misinterpretation of verification or analysis results could prevent errors from being detected.
  Measure: [M_MISC2] Competency of the project team
  TD: TD1. Training of users can prevent these issues.
  TCL: TCL1

[PCP_E11] Incorrect tool usage
  Use cases: [PCP_UC1], [PCP_UC2], [PCP_UC3], [PCP_UC4], [PCP_UC5], [PCP_UC6]
  TI: TI2. Incorrect usage could prevent errors from being detected.
  Measure: [M_MISC2] Competency of the project team
  TD: TD1. Training of users can prevent these issues.
  TCL: TCL1

[PCB_E12] Incorrect or modified tool installation
  Use cases: [PCP_UC1], [PCP_UC2], [PCP_UC3], [PCP_UC4], [PCP_UC5], [PCP_UC6]
  TI: TI2. Incorrect or modified installation could prevent errors from being detected.
  Measures: [M_MISC3] Adherence to installation instructions; integrity of tool installation; [M_MISC4] Analysis of available bug report information
  TD: TD1. Verification of the installed tool version will prevent these issues.
  TCL: TCL1

[PCB_E13] Incorrect operational environment
  Use cases: [PCP_UC1], [PCP_UC2], [PCP_UC3], [PCP_UC4], [PCP_UC5], [PCP_UC6]
  TI: TI2. Incorrect operational environment could prevent errors from being detected.
  Measures: [M_MISC3] Adherence to installation instructions; integrity of tool installation; [M_MISC4] Analysis of available bug report information
  TD: TD1. Adherence to installation guide instructions will provide a seamless installation.
  TCL: TCL1
There is a possibility that a safety requirement can be violated if Polyspace Code Prover is malfunctioning or producing erroneous output. According to the preceding analysis, the maximum tool impact (TI) of the use cases taken into account for Polyspace Code Prover is TI2.
According to the preceding analysis, the maximum required tool confidence level (TCL) for Polyspace Code Prover is TCLMAX3.
TÜV SÜD reviewed the generic tool classification and confirmed the results in the Report to the Certificate Z10 13 06 67052 012.
3 Software Tool Qualification Report
3.1 Requirement for Tool Qualification
Given the maximum required tool confidence level TCLMAX3 (see “Generic Tool Classification”), Polyspace Code Prover needs to be qualified up to TCL3. Additional tool qualification methods appropriate for the predetermined maximum ASIL for the application under consideration are necessary, according to ISO 26262-8, clause 11.4.6.1. Permissible tool qualification methods for TCL3 are listed in ISO 26262-8 table 4.
3.2 Tool Qualification Documentation
MathWorks carried out an application-independent prequalification of the Polyspace Code Prover. The Polyspace Code Prover was prequalified for all ASILs according to ISO 26262-8 (for TCL1, TCL2, and TCL3).
The prequalification for the Polyspace Code Prover was carried out using a combination of the following methods:
Evaluation of the tool development process (ISO 26262-8, Tables 4 and 5, Method 1b).
Validation of the software tool (ISO 26262-8, Tables 4 and 5, Method 1c).
According to ISO 26262-8, Tables 4 and 5, these two methods are permissible for all ASILs.
For TCL2, method 1b is highly recommended for ASILs A, B, and C. Method 1c is highly recommended for ASIL D.
For TCL3, method 1b is highly recommended for ASILs A and B. Method 1c is highly recommended for ASILs C and D.
TÜV SÜD carried out an independent tool qualification assessment. MathWorks submitted the results of the methods applied to prequalify the Polyspace Code Prover to TÜV SÜD.
TÜV SÜD reviewed the generic tool qualification artifacts for Polyspace Code Prover and confirmed the results in the Report to the Certificate Z10 13 06 67052 012.
Tool qualification for the Polyspace Code Prover can be claimed for TCL1, TCL2, and TCL3 by referencing the certification report and corresponding certificate.
4 Confirmation Review of Tool Classification and Qualification
4.1 Requirement for Confirmation Review
The tool classification (see “Software Tool Criteria Evaluation Report”) was carried out independently from the development of the application under consideration. Therefore, the resulting, predetermined tool confidence level shall be confirmed by the applicant prior to Polyspace Code Prover being used for the development of a particular safety-related item or element for the application under consideration (see ISO 26262-8, 11.4.2, 11.4.10).
The tool qualification (see “Software Tool Qualification Report”) was carried out independently from the development of the application under consideration. Therefore, the resulting, generic prequalification shall be confirmed by the applicant prior to Polyspace Code Prover being used for the development of a particular safety-related item or element for the application under consideration (see ISO 26262-8, 11.4.2, 11.4.10).
4.2 Validity of Generic Tool Classification
Applicable Tool Confidence Level: <Insert TCL>
4.3 Validity of Generic Tool Qualification
Applicable Tool Confidence Level: <Insert TCL>
4.4 Conformance with Reference Workflow
Applicable Tool Confidence Level: <Insert TCL>
<Insert results of confirmation review or reference to confirmation review documentation>