
IEC Certification Kit

Polyspace® Code Prover™ ISO 26262


Tool Qualification Package

R2015a
How to Contact MathWorks
Latest news: www.mathworks.com
Sales and services: www.mathworks.com/sales_and_services
User community: www.mathworks.com/matlabcentral
Technical support: www.mathworks.com/support/contact_us
Phone: 508-647-7000

The MathWorks, Inc.


3 Apple Hill Drive
Natick, MA 01760-2098
IEC Certification Kit: Polyspace® Code Prover™ ISO 26262 Tool Qualification Package
© COPYRIGHT 2010–2015 by The MathWorks, Inc.
The software described in this document is furnished under a license agreement. The software may be used or copied only under
the terms of the license agreement. No part of this manual may be photocopied or reproduced in any form without prior written
consent from The MathWorks, Inc.
FEDERAL ACQUISITION: This provision applies to all acquisitions of the Program and Documentation by, for, or through the
federal government of the United States. By accepting delivery of the Program or Documentation, the government hereby agrees
that this software or documentation qualifies as commercial computer software or commercial computer software documentation
as such terms are used or defined in FAR 12.212, DFARS Part 227.72, and DFARS 252.227-7014. Accordingly, the terms and
conditions of this Agreement and only those rights specified in this Agreement, shall pertain to and govern the use, modification,
reproduction, release, performance, display, and disclosure of the Program and Documentation by the federal government (or
other entity acquiring for or through the federal government) and shall supersede any conflicting contractual terms or conditions.
If this License fails to meet the government’s needs or is inconsistent in any respect with federal procurement law, the
government agrees to return the Program and Documentation, unused, to The MathWorks, Inc.
Trademarks
MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See www.mathworks.com/trademarks for a
list of additional trademarks. Other product or brand names may be trademarks or registered trademarks of their respective
holders.
Patents
MathWorks products are protected by one or more U.S. patents. Please see www.mathworks.com/patents for more
information.
Revision History
September 2013 New for Version 3.2 (Applies to Release 2013b)
March 2014 Revised for Version 3.3 (Applies to Release 2014a)
October 2014 Revised for Version 3.4 (Applies to Release 2014b)
March 2015 Revised for Version 3.5 (Applies to Release 2015a)
Contents
1 Introduction ...................................................................................................................................... 1-1
1.1 Item / Element Identification .................................................................................................. 1-2
1.2 Tool Overview and Identification ........................................................................................... 1-3
1.3 Tool Interfaces ........................................................................................................................ 1-4
1.3.1 Tool Inputs ................................................................................................................ 1-4
1.3.2 Tool Outputs ............................................................................................................. 1-4
1.4 Tool Qualification Artifacts Summary.................................................................................... 1-5
2 Software Tool Criteria Evaluation Report ....................................................................................... 2-1
2.1 Tool Environment ................................................................................................................... 2-2
2.2 Tool Configuration.................................................................................................................. 2-3
2.3 Tool Use Cases and Reference Workflow .............................................................................. 2-4
[PCP_UC1] Semantic code analysis with abstract interpretation of C/C++ Code to detect
systematic and potential run-time errors ................................................................................. 2-4
[PCP_UC2] Semantic code analysis with abstract interpretation of C/C++ code to detect
unreachable code ..................................................................................................................... 2-4
[PCP_UC3] Semantic analysis of the calling relationships in the C/C++ code ...................... 2-5
[PCP_UC4] Semantic analysis of global variable usage in the C/C++ code .......................... 2-5
[PCP_UC5] Reporting of software quality metrics ................................................................. 2-5
[PCP_UC6] Semantic analysis of C/C++ code to assess interface between components ....... 2-6
2.4 Generic Tool Classification .................................................................................................... 2-7
2.4.1 Potential Malfunctions or Erroneous Output ............................................................ 2-8
[PCP_E1] Run-time error detection – false negative .............................................................. 2-8
[PCP_E2] Run-time error detection – false positive ............................................................... 2-8
[PCP_E3] Unreachable code detection – false negative ......................................................... 2-8
[PCP_E4] Unreachable code detection – false positive .......................................................... 2-8
[PCP_E5] Calling relationship analysis – incorrect results ..................................................... 2-8
[PCP_E6] Global variable usage analysis – incorrect results ................................................. 2-8
[PCP_E7] Quality metrics reporting – incorrect metrics value ............................................... 2-9
[PCP_E8] Non interference .................................................................................................... 2-9
[PCP_E9] Usage of incorrect input data ................................................................................. 2-9
[PCP_E10] Misinterpretation of results .................................................................................. 2-9
[PCP_E11] Incorrect tool usage .............................................................................................. 2-9
[PCB_E12] Incorrect or modified tool installation ................................................................. 2-9
[PCB_E13] Incorrect operational environment ....................................................................... 2-9
2.4.2 Error Prevention and Detection Measures .............................................................. 2-10
[M1] Preceding or Subsequent Dynamic Verification (Testing) of the Software ................. 2-10
[M1_lim] Limited Preceding or Subsequent Dynamic Verification (Testing) of the Software 2-10
[M2] Specified Procedure for Corrective Action on Failure of Source Code Verification or
Analysis ................................................................................................................................ 2-10

[M3] Selective Review and Analysis of Source Code Portions not Reached by Testing ..... 2-11
[M4] Check of the underlying verification and analysis results for critical issues ............... 2-11
[M_MISC1] Revision Control and Configuration Management to Identify the Artifacts to be
Verified; Use of Checksums ................................................................................................. 2-11
[M_MISC2] Competency of the Project Team ..................................................................... 2-11
[M_MISC3] Adherence to Installation Instructions; Integrity of Tool Installation .............. 2-11
[M_MISC4] Analysis of Available Bug Report Information ................................................ 2-11
Tool Classification Summary................................................................................................ 2-12
3 Software Tool Qualification Report ................................................................................................. 3-1
3.1 Requirement for Tool Qualification ........................................................................................ 3-2
3.2 Tool Qualification Documentation ......................................................................................... 3-3
4 Confirmation Review of Tool Classification and Qualification ....................................................... 4-1
4.1 Requirement for Confirmation Review ................................................................................... 4-2
4.2 Validity of Generic Tool Classification .................................................................................. 4-3
4.3 Validity of Generic Tool Qualification ................................................................................... 4-4
4.4 Conformance with Reference Workflow ................................................................................ 4-5

1 Introduction

This document constitutes the ISO 26262 Tool Qualification Package for the Polyspace ® Code
Prover™ product. This document is intended for use in the ISO 26262 tool classification and
qualification process for software tools. It contains templates for the ISO 26262 tool
qualification work products (see ISO 26262-8, Clause 11).

The applicant shall review this template for applicability to the application under consideration,
and tailor and complete the information.

See also:

• IEC Certification Kit: User’s Guide, R2015a
• ISO 26262-8, Clause 11

ISO 26262-8, Clause 11 provides provisions for software tools that are used to tailor activities or
tasks required by ISO 26262. The standard outlines a two-step approach to establish the
required confidence in the tools:

• Tool classification determines the required level of confidence in the software tool.
• Depending on the result of the tool classification, you might need to carry out a formal tool qualification.

The following work products need to be created when applying this approach to a software tool
(see ISO 26262-8, 11.5):

• A software tool criteria evaluation report documenting the tool classification.
• A software tool qualification report documenting the tool qualification, if required.

Note The applicant needs to review this template for applicability to the item or element
under consideration, and tailor and complete the information.
1.1 Item / Element Identification
Applicant: <Company name>
Item/element under development: <Item or element to be analysed or verified using Polyspace Code Prover>

1.2 Tool Overview and Identification
Polyspace® Code Prover™ detects and proves the absence of overflow, divide-by-zero, out-of-
bounds array access, and certain other run-time errors in embedded software written in the C and
C++ programming languages.

Polyspace Code Prover uses abstract interpretation, a formal method, to prove run-time properties of the software, and uses color-coding to indicate the run-time status of each line of code. Additionally, Polyspace Code Prover calculates and reports the ranges of variables and operator parameters at any point of the program, taking into account every possible configuration of inputs and global variables.

Polyspace Code Prover provides additional capabilities to analyze C and C++ source code as
well as to define, determine, and report software quality metrics.

Polyspace Code Prover can be used on handwritten code, generated code, or a combination of
the two.

Software Tool: Polyspace® Code Prover™
Version (Release): Version 9.3 (R2015a)
Tool Vendor: The MathWorks, Inc., 3 Apple Hill Drive, Natick, MA 01760-2098, USA

1.3 Tool Interfaces
Polyspace Code Prover uses the tool inputs and creates the tool outputs listed in the following
sections.

1.3.1 Tool Inputs


• C source code (e.g. .c and .h files) or C++ source code (e.g. .cpp and .hpp files) to be analyzed or verified
• Data range specification
• Polyspace configuration and project information (.psprj and .ppm files) [1]
• Analysis / verification results provided by Polyspace Bug Finder and / or Polyspace Code Prover

Note Depending on the actual use case(s), some of the tool inputs may not be applicable.

1.3.2 Tool Outputs


• Verification or analysis results (.pscp files and dependent files)
• Call tree (<projectname>_Call_Tree file in .html, .pdf, .rtf, .docx, or .xml format)
• Dictionary containing information about global variables (<projectname>_Variable_View file in .html, .pdf, .rtf, .docx, or .xml format)
• Software quality metrics results displayed in the Web Dashboard or exported via the Polyspace GUI (.html, .pdf, .rtf, .docx, or .xml file)

Note Depending on the actual use case(s), some of the tool outputs may not be applicable.

[1] Configuration and project information is shared between Polyspace Bug Finder and Polyspace Code Prover.

1.4 Tool Qualification Artifacts Summary
The following table lists:

• Prerequisites (see ISO 26262-8, 11.3.1)
• Supporting information (see ISO 26262-8, 11.3.2)
• Tool qualification work products (see ISO 26262-8, 11.5)

for the Polyspace Code Prover. The table also maps these tool qualification artifacts to sections
in this document and artifacts found elsewhere.

Tool Certification Artifact: Corresponding Documents / Artifacts

Safety plan
  <Document title, version, and filename / link>

Applicable prerequisites of the lifecycle phases where software tool is used
  <Applicable software lifecycle phase(s)>
  • <Phase-specific prerequisite(s)>

Predetermined maximum ASIL
  <ASIL>

Software tool documentation
  • Polyspace Code Prover Getting Started Guide, R2015a (codeprover_gs.pdf)
  • Polyspace Code Prover User’s Guide, R2015a (codeprover_ug.pdf)
  • Polyspace Code Prover Reference, R2015a (codeprover_ref.pdf)
  • Polyspace Code Prover Release Notes, R2015a (rn.pdf)

Environment and constraints of the software tool
  • Polyspace Code Prover Limitations, R2015a (codeprover_limitations.pdf)
  • MathWorks® bug report system at www.mathworks.com/support/bugreports/
  • <Additional information if applicable>

Software tool criteria evaluation report
  • Customized and completed section “Software Tool Criteria Evaluation Report” of Polyspace Code Prover ISO 26262 Tool Qualification Package (this document) (certkitiec_codeprover_tqp.docx)
  • Polyspace Code Prover Reference Workflow, R2015a (certkitiec_codeprover_workflow.docx)
  • Certificate Z10 13 06 67052 012, June 2013 (certkitiec_codeprover_certificate.pdf)
  • Report to the Certificate Z10 13 06 67052 012, November 2014 (certkitiec_codeprover_certreport.pdf)

Software tool qualification report
  • Customized and completed section “Software Tool Qualification Report” of Polyspace Code Prover ISO 26262 Tool Qualification Package (this document) (certkitiec_codeprover_tqp.docx)
  • Customized and completed Polyspace Code Prover Conformance Demonstration Template (certkitiec_codeprover_cdt.docx)
  • Certificate Z10 13 06 67052 012, June 2013 (certkitiec_codeprover_certificate.pdf)
  • Report to the Certificate Z10 13 06 67052 012, November 2014 (certkitiec_codeprover_certreport.pdf)

Confirmation review of qualification of a software tool
  Customized and completed section “Confirmation Review of Tool Classification and Qualification” of Polyspace Code Prover ISO 26262 Tool Qualification Package (this document) (certkitiec_codeprover_tqp.docx)

2 Software Tool Criteria Evaluation
Report
2.1 Tool Environment
It is assumed that Polyspace Code Prover will be used in the following environment when
analyzing or verifying C/C++ code for the item / element under consideration (see ISO 26262-8,
11.4.4.1d):

<Insert operating system and other pertinent environment information>

2.2 Tool Configuration
It is assumed that Polyspace Code Prover will be used with the following configuration settings when verifying or analyzing C/C++ code for the item / element under consideration (see ISO 26262-8, 11.4.4.1b):

Configuration Option: Setting

Language
  <Insert C or C++>
Target & Compiler pane
  <Insert configuration parameter names>: <Insert application-specific settings>
Multitasking pane
  <Insert configuration parameter names>: <Insert application-specific settings>
Coding Rules pane
  <Insert configuration parameter names>: <Insert application-specific settings>
Code Prover Verification pane
  <Insert configuration parameter names>: <Insert application-specific settings>
Post Verification pane
  <Insert configuration parameter names>: <Insert application-specific settings>
Reporting pane
  <Insert configuration parameter names>: <Insert application-specific settings>
Distributed Computing pane
  <Insert configuration parameter names>: <Insert application-specific settings>

2.3 Tool Use Cases and Reference Workflow
It is assumed that Polyspace Code Prover is used as described by one or more of the following use cases (see ISO 26262-8, 11.4.4.1c). Details about these use cases, and additional information about the assumed usage of Polyspace Code Prover, are provided in the reference workflow document Polyspace Code Prover Reference Workflow.

[PCP_UC1] Semantic code analysis with abstract interpretation of C/C++ code to detect systematic and potential run-time errors
The Polyspace Code Prover tool is used to identify systematic and potential run-time errors in C or C++ source code.

Code verification provided by Polyspace Code Prover proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in the source code, as described in the Polyspace Code Prover User’s Guide, R2015a.

This verification uses formal methods based on abstract interpretation. It can be applied to handwritten as well as generated source code.

[PCP_UC2] Semantic code analysis with abstract interpretation of C/C++ code to detect unreachable code
Gray checks provided by the Polyspace Code Prover tool are used to identify unreachable code branches in C or C++ source code. This verification uses formal methods based on abstract interpretation of the source code.

This analysis can be applied to handwritten as well as generated source code.

[PCP_UC3] Semantic analysis of the calling relationships in the C/C++ code
The Polyspace Code Prover tool is used to extract control flow information from C or C++ source code. The extracted information is used by Polyspace Code Prover to generate an application call tree.

The generated call graphs can be reviewed, for example, to analyze the control flow or to identify recursive function calls.

This analysis can be applied to handwritten as well as generated source code.

[PCP_UC4] Semantic analysis of global variable usage in the C/C++ code
The Polyspace Code Prover tool is used to extract data flow information from C or C++ source code with regard to the usage of global variables. For each global variable in the source code, Polyspace Code Prover provides the following information:

• Number and location(s) of read and write access(es) to the global variable, directly or through pointer access
• Type value ranges for individual access operations
• Shared variables and associated concurrent access protection

The variable access information can be reviewed, for example, to analyze the data flow.

This analysis can be applied to handwritten as well as generated source code.

[PCP_UC5] Reporting of software quality metrics
The Polyspace Code Prover tool is used to define, determine, and report quality metrics for C or C++ source code. The reports are based on analysis and verification results provided by Polyspace Code Prover and Polyspace Bug Finder.

Software quality metrics can be applied to handwritten as well as generated source code.

[PCP_UC6] Semantic analysis of C/C++ code to assess the interface between components
The Polyspace Code Prover tool is used to detect interface errors between components. Polyspace Code Prover reports the following:

• Function calls with an incorrect number of arguments.
• Function calls with an incorrect type of arguments.

This analysis can be applied to handwritten and generated source code.

2.4 Generic Tool Classification
The tool classification for Polyspace Code Prover was performed in a generic manner,
independently from the development of a particular safety-related item or element.

For the generic tool classification, the reference use cases listed in the section “Tool Use Cases”
have been taken into account. The tool classification is based on the potential malfunctions or
erroneous outputs and error prevention and detection measures listed in the corresponding
sections below.

Additional information about the assumed error prevention and detection measures can be found
in the reference workflow document Polyspace Code Prover Reference Workflow.

2.4.1 Potential Malfunctions or Erroneous Output
[PCP_E1] Run-time error detection – false negative
RTE [2] analysis incorrectly marks software as verified.

[PCP_E2] Run-time error detection – false positive
RTE analysis incorrectly marks software as faulty. [3]

[PCP_E3] Unreachable code detection – false negative
Polyspace Code Prover fails to detect unreachable code. [4]

[PCP_E4] Unreachable code detection – false positive
Polyspace Code Prover incorrectly marks software parts as unreachable.

[PCP_E5] Calling relationship analysis – incorrect results
Polyspace Code Prover does not identify calling relationships correctly. [5]

[PCP_E6] Global variable usage analysis – incorrect results
Polyspace Code Prover does not identify the usage of global variables correctly. [6]

[2] Run-Time Error.
[3] False positives for run-time errors can be caused by a bug in Polyspace Code Prover (a malfunction of the tool that leads it to produce a false alarm) or by an approximation made by Polyspace Code Prover. Approximations are intrinsic to abstract interpretation, the technology used by Polyspace Code Prover, and should not be viewed as a malfunction of the tool.
[4] False negatives for unreachable code can be caused by a bug in Polyspace Code Prover (a malfunction of the tool that causes it not to detect the unreachable code) or by an approximation made by Polyspace Code Prover. Approximations are intrinsic to abstract interpretation, the technology used by Polyspace Code Prover, and should not be viewed as a malfunction of the tool.
[5] This includes reporting non-existent calling relationships and not reporting existing calling relationships.
[6] This may affect, for example, the following information:
• Number and location(s) of read and write access(es) to global variables, directly or through pointer access
• Type value ranges for individual access operations
• Shared variables and associated concurrent access protection

[PCP_E7] Quality metrics reporting – incorrect metrics value
Polyspace Code Prover computes an incorrect value for a software quality metric or fails to report the violation of a defined software quality goal.

[PCP_E8] Non interference
Polyspace Code Prover contains an error, but the software to be analyzed does not invoke the erroneous portion of the tool.

[PCP_E9] Usage of incorrect input data
Verification or analysis of incorrect or inconsistent tool inputs. [7]

[PCP_E10] Misinterpretation of results
The user interprets Polyspace Code Prover verification or analysis results incorrectly. [8]

[PCP_E11] Incorrect tool usage
The user does not follow the recommended procedures when using Polyspace Code Prover. [9]

[PCB_E12] Incorrect or modified tool installation
Polyspace Code Prover has not been installed correctly, has been modified after installation, or available bug reports for the tool have not been analyzed.

[PCB_E13] Incorrect operational environment
Polyspace Code Prover is not used in the intended operational environment, or available bug reports for the tool have not been analyzed.

[7] For example, analysis of the wrong source code files, or use of variable ranges that are not consistent with the code.
[8] For example, the user misinterprets an orange check as correct.
[9] For example, the user incorrectly trusts a green check before correcting the red, orange and gray checks that could influence the green check result.
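Footnotes 3, 4, 8 and 9 all rest on one property of abstract interpretation: the analysis computes an over-approximation of the values a variable can take, so a division can be reported as possibly faulty (orange) although no concrete execution divides by zero ([PCP_E2]), and a branch that is actually dead can escape the gray-code check ([PCP_E3]). The following Python block is an added illustration of that mechanism; it is not part of this package and not Polyspace code. It evaluates a constructed C fragment, d = x * x + 1; y = 100 / d; if (d == 0) { ... }, with x in [-10, 10] over a plain interval domain and classifies the division and the branch using the colour names of footnotes 8 and 9. The interval arithmetic, the colour assignment and the fragment are the editor's own simplification (a non-relational domain, which forgets that both factors of x * x are the same variable); Polyspace's actual domains are more precise and its result for this fragment is not claimed here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Interval:
    """Abstract value: every concrete value v satisfies lo <= v <= hi."""
    lo: int
    hi: int

    def contains(self, v: int) -> bool:
        return self.lo <= v <= self.hi


def add(a: Interval, b: Interval) -> Interval:
    return Interval(a.lo + b.lo, a.hi + b.hi)


def mul(a: Interval, b: Interval) -> Interval:
    # Interval product over the four corners.  The domain does not know that
    # both operands may be the same variable, so [-10,10] * [-10,10] becomes
    # [-100,100] even though x * x is never negative.  This loss of precision
    # is the "approximation" footnotes 3 and 4 refer to.
    corners = [a.lo * b.lo, a.lo * b.hi, a.hi * b.lo, a.hi * b.hi]
    return Interval(min(corners), max(corners))


def classify_division(divisor: Interval) -> str:
    """Colour of a '/ divisor' operation in the sense of footnotes 8 and 9."""
    if divisor == Interval(0, 0):
        return "red"      # proven: every execution divides by zero
    if divisor.contains(0):
        return "orange"   # unproven: zero is in the abstract value, perhaps never concretely
    return "green"        # proven safe: zero is excluded for every execution


def classify_eq_zero_branch(divisor: Interval) -> str:
    """Body of 'if (d == 0) { ... }': gray only when the analysis can exclude 0."""
    return "reachable" if divisor.contains(0) else "gray"


def analyze_fragment(x: Interval) -> dict:
    """Abstract evaluation of: d = x * x + 1; y = 100 / d; if (d == 0) { ... }"""
    d = add(mul(x, x), Interval(1, 1))
    return {
        "d": d,
        "division": classify_division(d),
        "eq_zero_branch": classify_eq_zero_branch(d),
    }


def concrete_fragment(x: Interval) -> dict:
    """Ground truth by enumerating every concrete x.  Feasible here only because
    the range is tiny; an analyzer cannot do this in general, which is why it
    approximates."""
    divisors = [v * v + 1 for v in range(x.lo, x.hi + 1)]
    return {
        "d": Interval(min(divisors), max(divisors)),
        "division_can_fail": any(d == 0 for d in divisors),
        "eq_zero_branch_reachable": any(d == 0 for d in divisors),
    }


if __name__ == "__main__":
    x = Interval(-10, 10)   # constructed input range, e.g. from a data range specification
    print("abstract :", analyze_fragment(x))
    print("concrete :", concrete_fragment(x))
```

For x in [-10, 10] the abstract divisor is [-99, 101] while every concrete divisor lies in [1, 101]: the orange division is a false positive caused purely by approximation, and the body of the d == 0 test is dead code that this domain cannot prove gray. Neither is a malfunction in the sense of footnotes 3 and 4. The practical consequence for [M2] and footnote 8 is that an orange check has to be resolved by review, or by a tighter data range specification (see Tool Inputs), and never dismissed as the tool being wrong; footnote 9 adds that red, orange and gray checks elsewhere should be resolved first, because they influence which green results can be trusted.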

2.4.2 Error Prevention and Detection Measures
The measures that can prevent or detect these potential malfunctions or erroneous outputs are mapped to them in “Tool Classification Summary”. Additional considerations are discussed in the “Additional Considerations” section of the reference workflow document Polyspace Code Prover Reference Workflow.

[M1] Preceding or Subsequent Dynamic Verification (Testing) of the Software
Before or after verifying or analyzing the source code with Polyspace Code Prover:

• Dynamically verify (test) the executable code corresponding to the C or C++ source code.

[M1_lim] Limited Preceding or Subsequent Dynamic Verification (Testing) of the Software
Before or after verifying or analyzing the source code with Polyspace Code Prover:

• Dynamically verify (test) the executable code corresponding to the C or C++ source code without specifically aiming at detecting run-time errors.

[M2] Specified Procedure for Corrective Action on Failure of Source Code Verification or Analysis
After verifying or analyzing the source code with Polyspace Code Prover:

• Analyze the identified issues using a defined procedure for corrective action.

The procedure for corrective action includes manual analysis and review of the issues uncovered.

[M3] Selective Review and Analysis of Source Code Portions not Reached by Testing
After dynamically verifying (testing) the source code:

• Review and analyze the portions of the C or C++ source code that were not reached by testing.

[M4] Check of the Underlying Verification and Analysis Results for Critical Issues
Check the individual verification and analysis results that are the basis for the quality metrics reported by Polyspace Code Prover for critical issues that require further attention.

[M_MISC1] Revision Control and Configuration Management to Identify the Artifacts to be Verified; Use of Checksums
Apply configuration management to the artifacts to be verified or analyzed using Polyspace Code Prover.
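[M_MISC1] and [PCP_E9] come down to a mechanical check: the files Polyspace actually analyzed must be exactly the baselined revision of the item's sources and project configuration, and a checksum manifest is what makes that check repeatable and reviewable. The following Python block is an added example, not part of this package and not MathWorks code. It builds a SHA-256 manifest over the tool inputs listed in 1.3.1 (C/C++ sources and headers plus the shared .psprj project file), compares it against a baseline, and reports every file that was added, removed or changed, which is the condition footnote 7 describes (analysis of the wrong source code files). The directory layout, file names and contents are constructed for the example, and the file patterns are an assumption to align with your own project.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Set, Tuple

# Tool inputs worth pinning: sources/headers under analysis and the Polyspace
# project file (section 1.3.1).  Assumed set; extend to .ppm and data range
# specification files as used in your project.
ARTIFACT_PATTERNS = ("*.c", "*.h", "*.cpp", "*.hpp", "*.psprj")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map relative POSIX-style path -> SHA-256 for every artifact under root."""
    manifest: Dict[str, str] = {}
    for pattern in ARTIFACT_PATTERNS:
        for path in sorted(root.rglob(pattern)):
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def manifest_text(manifest: Dict[str, str]) -> str:
    """Serialized form for the qualification record (same layout as sha256sum output)."""
    return "".join(f"{digest}  {name}\n" for name, digest in sorted(manifest.items()))


def compare_manifests(baseline: Dict[str, str],
                      current: Dict[str, str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (added, removed, modified) file sets relative to the baseline."""
    added = set(current) - set(baseline)
    removed = set(baseline) - set(current)
    modified = {n for n in set(baseline) & set(current) if baseline[n] != current[n]}
    return added, removed, modified


def inputs_match_baseline(baseline: Dict[str, str], root: Path) -> bool:
    """Gate for an analysis run: True only if every pinned artifact is unchanged."""
    added, removed, modified = compare_manifests(baseline, build_manifest(root))
    return not (added or removed or modified)


def demo() -> Tuple[Set[str], Set[str], Set[str]]:
    """Constructed scenario: baseline the inputs, then one source file is edited."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "ctrl.c").write_text("int ctrl(int x) { return x / 2; }\n")
        (root / "src" / "ctrl.h").write_text("int ctrl(int x);\n")
        (root / "ctrl.psprj").write_text("<polyspace_project/>\n")
        (root / "notes.txt").write_text("not a tool input\n")   # ignored by the patterns
        baseline = build_manifest(root)
        assert inputs_match_baseline(baseline, root)
        # An edit lands after the baseline was taken: the verification result
        # recorded against the baseline no longer describes this file.
        (root / "src" / "ctrl.c").write_text("int ctrl(int x) { return x / 0; }\n")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

Record manifest_text(baseline) alongside the Polyspace results (the .pscp files) so that the confirmation review in section 4 can tie a verification result to one exact revision of the inputs; re-running the comparison against the files the tool was pointed at is the evidence that [PCP_E9] did not occur. The same manifest approach applied to the installed tool files supports the integrity part of [M_MISC3].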

[M_MISC2] Competency of the Project Team
Those carrying out verification or analysis activities using Polyspace Code Prover shall be competent for the activities undertaken.

[M_MISC3] Adherence to Installation Instructions; Integrity of Tool Installation
Adhere to the installation instructions for Polyspace Code Prover (including dependent tools) and verify the version and integrity of the tool. Validate modifications or additions made to the shipping product(s), if applicable.

[M_MISC4] Analysis of Available Bug Report Information
Assess and analyze the bug report information for Polyspace Code Prover provided by MathWorks® and comply with the recommendations and workarounds, if applicable.

Tool Classification Summary

For each potential malfunction or erroneous output the table gives: the use cases affected; the tool impact (TI) with its justification; the prevention / detection measure(s); the tool error detection (TD) with its justification; and the resulting tool confidence level (TCL).

[PCP_E1] Run-time error detection – false negative
  Use cases: [PCP_UC1], [PCP_UC6]
  TI2: An incorrect verification result could prevent run-time errors in the software from being detected.
  Measure [M1] Preceding or subsequent dynamic verification (testing) of the software: TD2, TCL2. Functional or structural testing can detect RTEs. The likelihood of detecting RTEs by testing is considered to be medium.
  Measure [M1_lim] Limited preceding or subsequent dynamic verification (testing) of the software: TD3, TCL3. Functional or structural testing can detect RTEs. In processes where Polyspace Code Prover is the primary means of detecting RTEs, the test process might not be optimized to detect these kinds of errors. As a result, the likelihood of detecting RTEs by testing might be low.

[PCP_E2] Run-time error detection – false positive
  Use cases: [PCP_UC1], [PCP_UC6]
  TI1: The software does not contain an error.
  Measure [M2] Specified procedure for corrective action on failure of source code verification or analysis: TD1, TCL1. The procedure for corrective action includes manual analysis and review of the issues uncovered. This process will detect false positives.

[PCP_E3] Unreachable code detection – false negative
  Use cases: [PCP_UC2]
  TI2: An incorrect verification result (or approximations made by Polyspace Code Prover) could prevent unreachable source code from being detected.
  Measures [M1] Preceding or subsequent dynamic verification (testing) of the software; [M3] Selective review and analysis of source code portions not reached by testing: TD1, TCL1. Comprehensive structural testing can detect unreachable code.

[PCP_E4] Unreachable code detection – false positive
  Use cases: [PCP_UC2]
  TI2: An incorrect verification result could mark reachable code as unreachable.
  Measure [M2] Specified procedure for corrective action on failure of source code verification or analysis: TD1, TCL1. The procedure for corrective action includes manual analysis and review of the issues uncovered. This process is able to detect false positives.

[PCP_E5] Calling relationship analysis – incorrect results
  Use cases: [PCP_UC3], [PCP_UC6]
  TI2: Incorrectly identified calling relationships could prevent architectural and other issues from being detected.
  Measure [M1] Preceding or subsequent dynamic verification (testing) of the software: TD2, TCL2. During integration testing, calling relationships will be exercised as well. The likelihood of detecting incorrectly identified calling relationships by testing is considered to be medium.

[PCP_E6] Global variable usage analysis – incorrect results
  Use cases: [PCP_UC4], [PCP_UC6]
  TI2: Incorrectly identified global variable usage could prevent architectural and other issues from being detected.
  Measure [M1] Preceding or subsequent dynamic verification (testing) of the software: TD3, TCL3. During testing, selected usage scenarios for global variables will be exercised as well. The likelihood of detecting incorrectly identified usage of global variables by testing is considered to be low.

[PCP_E7] Quality metrics reporting – incorrect metrics value
  Use cases: [PCP_UC5]
  TI2: An incorrect value for a quality metric could prevent a software problem from being detected and analyzed.
  Measures [M4] Check of the underlying verification and analysis results for critical issues; [M2] Specified procedure for corrective action on failure of source code verification or analysis: TD1, TCL1. Quality metrics reports aggregate analysis and verification results provided by Polyspace Code Prover and Polyspace Bug Finder. Reviewing the aggregated results does not replace an analysis of the underlying analysis and verification results. Checking the underlying results for critical issues will reveal software problems that are incorrectly aggregated.

[PCP_E8] Non interference
  Use cases: [PCP_UC1], [PCP_UC2], [PCP_UC3], [PCP_UC4], [PCP_UC5], [PCP_UC6]
  TI1: An error in the tool does not impact analysis results.
  Measures: none required. TD1, TCL1.

[PCP_E9] Usage of incorrect input data
  Use cases: [PCP_UC1], [PCP_UC2], [PCP_UC3], [PCP_UC4], [PCP_UC5], [PCP_UC6]
  TI2: Incorrect or incomplete verification or analysis results could prevent errors from being detected.
  Measure [M_MISC1] Revision control and configuration management to identify the artifacts to be verified; use of checksums: TD1, TCL1. Revision control and configuration management maintain the integrity of the artifacts to be verified. Using checksums allows the unique identification of the artifacts being verified.

[PCP_E10] Misinterpretation of results
  Use cases: [PCP_UC1], [PCP_UC2], [PCP_UC3], [PCP_UC4], [PCP_UC5], [PCP_UC6]
  TI2: Misinterpretation of verification or analysis results could prevent errors from being detected.
  Measure [M_MISC2] Competency of the project team: TD1, TCL1. Training of users can prevent these issues.

[PCP_E11] Incorrect tool usage
  Use cases: [PCP_UC1], [PCP_UC2], [PCP_UC3], [PCP_UC4], [PCP_UC5], [PCP_UC6]
  TI2: Incorrect usage could prevent errors from being detected.
  Measure [M_MISC2] Competency of the project team: TD1, TCL1. Training of users can prevent these issues.

[PCB_E12] Incorrect or modified tool installation
  Use cases: [PCP_UC1], [PCP_UC2], [PCP_UC3], [PCP_UC4], [PCP_UC5], [PCP_UC6]
  TI2: An incorrect or modified installation could prevent errors from being detected.
  Measures [M_MISC3] Adherence to installation instructions; integrity of tool installation; [M_MISC4] Analysis of available bug report information: TD1, TCL1. Verification of the installed tool version will prevent these issues.

[PCB_E13] Incorrect operational environment
  Use cases: [PCP_UC1], [PCP_UC2], [PCP_UC3], [PCP_UC4], [PCP_UC5], [PCP_UC6]
  TI2: An incorrect operational environment could prevent errors from being detected.
  Measures [M_MISC3] Adherence to installation instructions; integrity of tool installation; [M_MISC4] Analysis of available bug report information: TD1, TCL1. Adherence to the installation instructions will provide a seamless installation.
There is a possibility that a safety requirement can be violated if Polyspace Code Prover is
malfunctioning or producing erroneous output. According to the preceding analysis, the
maximum tool impact (TI) of the use cases taken into account for Polyspace Code Prover is TI2.

According to the preceding analysis, the maximum required tool confidence level (TCL) for
Polyspace Code Prover is TCLMAX3.

TÜV SÜD reviewed the generic tool classification and confirmed the results in the Report to the
Certificate Z10 13 06 67052 012.

3 Software Tool Qualification Report
3.1 Requirement for Tool Qualification
Given the maximum required tool confidence level TCLMAX3 (see “Generic Tool
Classification”), Polyspace Code Prover needs to be qualified up to TCL3. Additional tool
qualification methods appropriate for the predetermined maximum ASIL for the application
under consideration are necessary, according to ISO 26262-8, clause 11.4.6.1. Permissible tool
qualification methods for TCL3 are listed in ISO 26262-8 table 4.

3.2 Tool Qualification Documentation
MathWorks carried out an application-independent prequalification of the Polyspace Code
Prover. The Polyspace Code Prover was prequalified for all ASILs according to ISO 26262-8
(for TCL1, TCL2, and TCL3).

The prequalification for the Polyspace Code Prover was carried out using a combination of the
following methods:

• Evaluation of the tool development process (ISO 26262-8, Tables 4 and 5, Method 1b).
• Validation of the software tool (ISO 26262-8, Tables 4 and 5, Method 1c).

According to ISO 26262-8, Tables 4 and 5, these two methods are permissible for all ASILs.

For TCL2, method 1b is highly recommended for ASILs A, B, and C. Method 1c is highly
recommended for ASIL D.

For TCL3, method 1b is highly recommended for ASILs A and B. Method 1c is highly
recommended for ASILs C and D.

TÜV SÜD carried out an independent tool qualification assessment. MathWorks submitted the
results of the methods applied to prequalify the Polyspace Code Prover to TÜV SÜD.

TÜV SÜD reviewed the generic tool qualification artifacts for Polyspace Code Prover and
confirmed the results in Report to the Certificate Z10 13 06 67052 012.

Tool qualification for the Polyspace Code Prover can be claimed for TCL1, TCL2, and TCL3 by
referencing the certification report and corresponding certificate.

4 Confirmation Review of Tool Classification and Qualification
4.1 Requirement for Confirmation Review
The tool classification (see "Software Tool Criteria Evaluation Report") was carried out
independently from the development of the application under consideration. Therefore, the
resulting, predetermined tool confidence level shall be confirmed by the applicant prior to
Polyspace Code Prover being used for the development of a particular safety-related item or
element for the application under consideration (see ISO 26262-8, 11.4.2, 11.4.10).

The tool qualification (see "Software Tool Qualification Report") was carried out independently
from the development of the application under consideration. Therefore, the resulting, generic
prequalification shall be confirmed by the applicant prior to Polyspace Code Prover being used
for the development of a particular safety-related item or element for the application under
consideration (see ISO 26262-8, 11.4.2, 11.4.10).

4.2 Validity of Generic Tool Classification
Applicable Tool Confidence Level: < Insert TCL>

<Results of confirmation review or reference to confirmation review documentation>

4.3 Validity of Generic Tool Qualification
Applicable Tool Confidence Level: < Insert TCL >

<Results of confirmation review or reference to confirmation review documentation>

4.4 Conformance with Reference Workflow
Applicable Tool Confidence Level: < Insert TCL >

< Insert results of confirmation review or reference to confirmation review documentation >
