
IEC Certification Kit

Simulink® Verification and Validation™


ISO 26262 Tool Qualification Package

R2015a
How to Contact MathWorks
Latest news: www.mathworks.com
Sales and services: www.mathworks.com/sales_and_services
User community: www.mathworks.com/matlabcentral
Technical support: www.mathworks.com/support/contact_us

Phone: 508-647-7000
The MathWorks, Inc.
3 Apple Hill Drive
Natick, MA 01760-2098
IEC Certification Kit: Simulink® Verification and Validation™ ISO 26262 Tool Qualification Package
© COPYRIGHT 2011–2015 by The MathWorks, Inc.
The software described in this document is furnished under a license agreement. The software may be used or copied only under
the terms of the license agreement. No part of this manual may be photocopied or reproduced in any form without prior written
consent from The MathWorks, Inc.
FEDERAL ACQUISITION: This provision applies to all acquisitions of the Program and Documentation by, for, or through the
federal government of the United States. By accepting delivery of the Program or Documentation, the government hereby agrees
that this software or documentation qualifies as commercial computer software or commercial computer software documentation
as such terms are used or defined in FAR 12.212, DFARS Part 227.72, and DFARS 252.227-7014. Accordingly, the terms and
conditions of this Agreement and only those rights specified in this Agreement, shall pertain to and govern the use, modification,
reproduction, release, performance, display, and disclosure of the Program and Documentation by the federal government (or
other entity acquiring for or through the federal government) and shall supersede any conflicting contractual terms or conditions.
If this License fails to meet the government’s needs or is inconsistent in any respect with federal procurement law, the
government agrees to return the Program and Documentation, unused, to The MathWorks, Inc.

Trademarks
MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See www.mathworks.com/trademarks for a
list of additional trademarks. Other product or brand names may be trademarks or registered trademarks of their respective
holders.

Patents
MathWorks products are protected by one or more U.S. patents. Please see www.mathworks.com/patents for more
information.
Revision History
September 2011 New for Version 2.0 (Applies to Release R2011b)
March 2012 Revised for Version 2.1 (Applies to Release R2012a)
September 2012 Revised for Version 3.0 (Applies to Release R2012b)
March 2013 Revised for Version 3.1 (Applies to Release R2013a)
September 2013 Revised for Version 3.2 (Applies to Release R2013b)
March 2014 Revised for Version 3.3 (Applies to Release R2014a)
October 2014 Revised for Version 3.4 (Applies to Release R2014b)
March 2015 Revised for Version 3.5 (Applies to Release R2015a)
Contents
1 Introduction
  1.1 Project Identification
  1.2 Tool Overview and Identification
  1.3 Tool Qualification Artifacts Summary
2 Software Tool Criteria Evaluation Report
  2.1 Tool Environment
  2.2 Tool Configuration
  2.3 Reference Workflow
  2.4 Tool Use Cases
    [SLVNV_UC1] Static analysis of a model to verify compliance with specified modeling guidelines
    [SLVNV_UC2] Automatic fixing of reported issues
    [SLVNV_UC3] Structural coverage analysis of test cases at the model level
  2.5 Generic Tool Classification
    2.5.1 Potential Malfunctions or Erroneous Outputs
      [SLVNV_E1] Model Compliance Checking – False Negative
      [SLVNV_E2] Model Compliance Checking – False Positive
      [SLVNV_E3] Model Compliance Checking – Non interference
      [SLVNV_E4] Model Compliance Checking – Incorrect hyperlinks
      [SLVNV_E5] Model Compliance Checking – Incorrect fixing of reported issues
      [SLVNV_E6] Model Coverage Analysis – False Negative
      [SLVNV_E7] Model Coverage Analysis – False Positive
      [SLVNV_E8] Model Coverage Analysis – Non interference
      [SLVNV_E9] Simulink Verification and Validation – Usage of incorrect input data
      [SLVNV_E10] Simulink Verification and Validation – Misinterpretation of results
      [SLVNV_E11] Simulink Verification and Validation – Incorrect Tool Usage
      [SLVNV_E12] Simulink Verification and Validation – Incorrect or Modified Installation
    2.5.2 Error Prevention and Detection Measures
      [M1]
      [M2]
      [M3]
    Tool Classification Summary
3 Software Tool Qualification Report
  3.1 Requirement for Tool Qualification
  3.2 Tool Qualification Documentation
4 Confirmation Review of Tool Classification and Qualification
  4.1 Requirement for Confirmation Review
  4.2 Validity of Generic Tool Classification
  4.3 Validity of Generic Tool Qualification
  4.4 Conformance with Reference Workflow

1 Introduction

This document constitutes the ISO 26262 Tool Qualification Package for the Simulink®
Verification and Validation™ product. This document is intended for use in the ISO 26262 tool
classification and qualification process for software tools. It contains templates for the ISO
26262 tool qualification work products (see ISO 26262-8, Section 11).

The applicant shall review the templates for applicability to the project under consideration, and
then tailor and complete them as necessary.

See also:

• IEC Certification Kit: User’s Guide, R2015a
• ISO 26262-8, Section 11

ISO 26262-8, Clause 11 provides provisions for software tools that are used to tailor activities or
tasks required by ISO 26262. The standard outlines a two-step approach to establish the
required confidence in the tools:

• Tool classification determines the required level of confidence in the software tool.
• Depending on the result of the tool classification, you might need to carry out a formal
tool qualification.

When applying this approach to a software tool, the applicant must create the following work
products (see ISO 26262-8, 11.5):

• A software tool criteria evaluation report documenting the tool classification.
• A software tool qualification report documenting the tool qualification, if required.

Note The applicant needs to review this template for applicability to the project under
consideration and insert missing information.
1.1 Project Identification
Applicant: <Insert information>
Project under consideration: <List project under consideration>

1.2 Tool Overview and Identification
Simulink Verification and Validation allows users to:

• Check Simulink® and Stateflow® models for compliance with design and coding guidelines.
• Identify untested portions of models using structural coverage metrics.

Tool Identification

| Software Tool | Version (Release) | Tool Vendor |
|---|---|---|
| Simulink Verification and Validation | 3.9 (R2015a) | The MathWorks, Inc., 3 Apple Hill Drive, Natick, MA, 01760-2098 USA |

1.3 Tool Qualification Artifacts Summary
For the Simulink Verification and Validation product, the following table lists:

• Prerequisites (see ISO 26262-8, 11.3.1)
• Supporting information (see ISO 26262-8, 11.3.2)
• Tool qualification work products (see ISO 26262-8, 11.5)

The tool qualification artifacts listed in the table are mapped to sections in this document and
other artifacts.

Artifact: Corresponding Documents / Artifacts

Safety plan:
<Insert document title, version, and filename / link>

Applicable prerequisites of the lifecycle phases where software tool is used:
<Insert software lifecycle phase(s)>
• <Insert prerequisite(s)>

Predetermined maximum ASIL:
<Insert ASIL>

Software tool documentation:
• Simulink Verification and Validation User’s Guide, R2015a, slvnv_ug.pdf
• Simulink Verification and Validation Reference, R2015a, slvnv_ref.pdf
• Simulink Verification and Validation: Release Notes, R2015a, rn.pdf

Environment and constraints of the software tool:
• MathWorks® bug report system at www.mathworks.com/support/bugreports/
• <Insert information>

Software tool criteria evaluation report:
• Customized and completed “Software Tool Criteria Evaluation Report” in the Simulink Verification and
Validation ISO 26262 Tool Qualification Package (this document), certkitiec_slvnv_tqp.docx
• Simulink Verification and Validation Reference Workflow, R2015a, certkitiec_slvnv_workflow.pdf
• Certificate Z10 11 12 67052 013, December 2011, certkitiec_slvnv_certificate.pdf
• Report to the certificate Z10 11 12 67052 013, November 2014, certkitiec_slvnv_certreport.pdf

Software tool qualification report:
• Customized and completed “Software Tool Qualification Report” in the Simulink Verification and
Validation ISO 26262 Tool Qualification Package (this document), certkitiec_slvnv_tqp.docx
• Customized and completed Simulink Verification and Validation Conformance Demonstration Template,
certkitiec_slvnv_cdt.docx
• Certificate Z10 11 12 67052 013, December 2011, certkitiec_slvnv_certificate.pdf
• Report to the certificate Z10 11 12 67052 013, November 2014, certkitiec_slvnv_certreport.pdf

Confirmation review of qualification of a software tool:
Customized and completed “Confirmation Review of Tool Classification and Qualification” in the Simulink
Verification and Validation ISO 26262 Tool Qualification Package (this document), certkitiec_slvnv_tqp.docx

2 Software Tool Criteria Evaluation Report
2.1 Tool Environment
It is assumed that Simulink Verification and Validation will be used in the following
environment (see ISO 26262-8, 11.4.4.1d):

<Insert operating system and other pertinent environment information>

2.2 Tool Configuration
It is assumed that Simulink Verification and Validation will be used with the following tool
configuration (see ISO 26262-8, 11.4.4.1b).

Model Coverage Analysis

| Configuration Parameter | Setting |
|---|---|
| Coverage Settings > Coverage Pane | |
| <Insert project-specific settings> | <Insert project-specific settings> |
| Coverage Settings > Results Pane | |
| <Insert project-specific settings> | <Insert project-specific settings> |
| Coverage Settings > Reporting Pane | |
| <Insert relevant configuration parameter names> | <Insert project-specific settings> |
| Coverage Settings > Options Pane | |
| <Insert relevant configuration parameter names> | <Insert project-specific settings> |
| Coverage Settings > Filter Pane | |
| <Insert relevant configuration parameter names> | <Insert project-specific settings> |

Model Compliance Checking

Configuration Parameter: Check configuration
Setting: By Task > Modeling Standards for ISO 26262

• Display configuration management data
• Display model metrics and complexity report
• Check for unconnected objects
• Check for root Inports with missing properties
• Check for root Inports with missing range definitions
• Check for root Outports with missing range definitions
• Check for blocks not recommended for C/C++ production code deployment
• Check usage of Stateflow constructs
• Check state machine type of Stateflow charts
• Check usage of Math Operations blocks
• Check usage of Signal Routing blocks
• Check usage of Logic and Bit Operations blocks
• Check usage of Ports and Subsystems blocks
• Check for inconsistent vector indexing methods
• Check for model objects that do not link to requirements
• Check for MATLAB Function interfaces with inherited properties
• Check MATLAB Function metrics
• Check MATLAB Code Analyzer messages
• Check MATLAB code for global variables

2.3 Reference Workflow
It is assumed that Simulink Verification and Validation will be used as described in the
reference workflow documented in Simulink Verification and Validation Reference Workflow.

To access the reference workflow document, on the MATLAB command line, type
certkitiec to open the Artifacts Explorer. The reference workflow document is in Simulink
Verification and Validation > r2015a.

2.4 Tool Use Cases
It is assumed that Simulink Verification and Validation will be used as described by one or more
of the following use cases (see ISO 26262-8, 11.4.4.1c). Additional information can be found in
the reference workflow document Simulink Verification and Validation Reference Workflow.

[SLVNV_UC1] Static analysis of a model to verify compliance with specified modeling guidelines
The Simulink Verification and Validation tool is used to check a Simulink or Stateflow model
for compliance with design and coding guidelines.

The model being checked can be an executable specification, a model used for production code
generation, or other interim models created during the model elaboration phase.

[SLVNV_UC2] Automatic fixing of reported issues


Subsequent to model compliance checking, the Simulink Verification and Validation tool is
used to automatically fix the reported issues.

The fixes are applied to the model being checked initially.

[SLVNV_UC3] Structural coverage analysis of test cases at the model level
The Simulink Verification and Validation tool is used to determine the structural coverage that
can be achieved by a set of model level test cases or to identify untested portions of a Simulink
or Stateflow model. Supported model coverage metrics include:

• Decision coverage
• Condition coverage
• Modified condition and decision coverage (MC/DC)

Structural coverage analysis can be applied to an executable specification, a model used for
production code generation, or other interim models created during the model elaboration phase.

2.5 Generic Tool Classification
The tool classification for Simulink Verification and Validation was performed in a generic
manner, independently from the development of a particular safety-related item or element.

For the generic tool classification, the reference use cases listed in the section “Tool Use Cases”
have been taken into account. The tool classification is based on the potential malfunctions or
erroneous outputs and error prevention and detection measures listed in the following,
corresponding sections.

Additional information can be found in the reference workflow document: Simulink Verification
and Validation Reference Workflow.

2.5.1 Potential Malfunctions or Erroneous Outputs


The following potential malfunctions or erroneous outputs were taken into account as part of the
tool classification process:

[SLVNV_E1] Model Compliance Checking – False Negative


The modeling guideline checker incorrectly marks model as compliant.

[SLVNV_E2] Model Compliance Checking – False Positive


The modeling guideline checker incorrectly marks model as non-compliant.

[SLVNV_E3] Model Compliance Checking – Non interference


The modeling guideline checker contains an error, but the model to be analyzed does not invoke
the erroneous portion of the tool.

[SLVNV_E4] Model Compliance Checking – Incorrect hyperlinks


Hyperlinks in the analysis results contain errors.

[SLVNV_E5] Model Compliance Checking – Incorrect fixing of reported issues
Automatic fixing of reported issues does not work correctly.

[SLVNV_E6] Model Coverage Analysis – False Negative


The model coverage analysis incorrectly marks uncovered model elements as covered.

[SLVNV_E7] Model Coverage Analysis – False Positive
The model coverage analysis incorrectly marks covered model elements as not covered.

[SLVNV_E8] Model Coverage Analysis – Non interference


The modeling coverage analysis contains an error, but the model to be analyzed does not invoke
the erroneous portion of the tool.

[SLVNV_E9] Simulink Verification and Validation – Usage of incorrect input data
The modeling coverage analysis contains an error, but the model to be analyzed does not invoke
the erroneous portion of the tool.

[SLVNV_E10] Simulink Verification and Validation – Misinterpretation of results
User interprets correct analysis results incorrectly.

[SLVNV_E11] Simulink Verification and Validation – Incorrect Tool Usage
User does not follow established procedures when using the tool.

[SLVNV_E12] Simulink Verification and Validation – Incorrect or Modified Installation
User does not follow established procedures when installing the tool, installs the tool in an
incorrect operational environment, or modifies a valid installation.

2.5.2 Error Prevention and Detection Measures
The following measures, which facilitate seamless functioning of model compliance checking
and model coverage analysis capabilities of the Simulink Verification and Validation tool, are
referenced in the tool classification process. Additional considerations are described in Simulink
Verification and Validation Reference Workflow.

[M1]
Before or after static analysis of a model to verify its compliance with specified modeling
guidelines:

• Dynamically verify (test) the model.

[M2]
After automatic fixing of reported issues, do one or more of the following:

• Re-check the model for its compliance with specified modeling guidelines.
• Dynamically verify (test) the model.
• Compare the XML files exported¹ from the original and fixed Simulink models and
manually review the comparison results.

[M3]
After carrying out model coverage analysis:

• Use a code coverage tool when testing the software generated from the model to
determine structural coverage of test cases at the software level.

¹ Requires Simulink Report Generator

Tool Classification Summary

| Potential malfunction or erroneous output | Use cases | TI | Justification for TI | Prevention / detection measures | TD | Justification for TD | TCL |
|---|---|---|---|---|---|---|---|
| [SLVNV_E1] Model Compliance Checking – False Negative | [SLVNV_UC1] | TI2 | Incorrect analysis result could prevent modeling guidelines violations from being detected. | [M1] Preceding or subsequent dynamic verification (testing) of the model. | TD2 | Static analysis tools typically detect only a subset of the existing modeling standard violations in the model. Therefore, other process steps cannot assume completeness of modeling guideline check results. Modeling standard violations do not necessarily imply incorrect models. Functional or structural testing helps detect real errors in the model. The likelihood of detecting these errors by testing is considered to be ‘medium’. | TCL2 |
| [SLVNV_E2] Model Compliance Checking – False Positive | [SLVNV_UC1] | TI1 | Nuisance only; model does not violate modeling guidelines. | - | - | - | TCL1 |
| [SLVNV_E3] Model Compliance Checking – Non Interference | [SLVNV_UC1] | TI1 | Error in the tool; does not affect analysis results. | - | - | - | TCL1 |
| [SLVNV_E4] Model Compliance Checking – Incorrect hyperlinks | [SLVNV_UC1] | TI1 | Nuisance only; model does not violate modeling guidelines. | - | - | - | TCL1 |
| [SLVNV_E5] Model Compliance Checking – Incorrect fixing of reported issues | [SLVNV_UC2] | TI2 | Incorrect fixing could introduce error in the model. | [M2a] Subsequent re-checking of the model for compliance with specified modeling guidelines. | TD2 | Re-checking of the model will detect modeling standard violations introduced by the automatic fixing but might miss other errors introduced. | TCL2 |
| | | | | [M2b] Subsequent dynamic verification (testing) of the model. | TD2 | Functional or structural testing helps detect real errors in the model. The likelihood of detecting these errors by testing is considered to be ‘medium’. | TCL2 |
| | | | | [M2c] Subsequent comparison of the XML files exported from the original and fixed Simulink models and manual review of the comparison results | TD1 | Manual review of the comparison results can verify that the resulting fixes did not introduce unintended changes. | TCL1 |
| [SLVNV_E6] Model Coverage Analysis - False Negative | [SLVNV_UC3] | TI2 | Incorrect analysis result could prevent incomplete test cases from being detected. Incomplete test cases could result in untested portions of the model or generated code. | None | TD3 | - | TCL3 |
| | | | | [M3] Subsequent usage of a code coverage tool when testing the software generated from the model. | TD1 | Use of a code coverage tool determines completeness of tests at the software level. | TCL1 |
| [SLVNV_E7] Model Coverage Analysis - False Positive | [SLVNV_UC3] | TI1 | Nuisance only; test cases are complete. | - | - | - | TCL1 |
| [SLVNV_E8] Model Coverage Analysis - Non interference | [SLVNV_UC3] | TI1 | Error in the tool; does not impact analysis results. | - | - | - | TCL1 |
| [SLVNV_E9] Simulink Verification and Validation - Usage of incorrect input data¹ | [SLVNV_UC1] [SLVNV_UC3] | TI2 | Incorrect or incomplete analysis results could prevent errors from being detected. | [M_MISC1] Revision control and configuration management² to identify the artifacts to be verified; use of checksums. | TD1 | Revision control and configuration management facilitate integrity of the artifacts to be verified. Using checksums allows the unique identification of the artifacts being verified. | TCL1 |
| [SLVNV_E10] Simulink Verification and Validation - Misinterpretation of results | [SLVNV_UC1] [SLVNV_UC2] [SLVNV_UC3] | TI2 | Misinterpretation of analysis results could prevent errors from being detected. | [M_MISC2] Competency of the project team³ | TD1 | Training of tool users can prevent these issues. | TCL1 |
| [SLVNV_E11] Simulink Verification and Validation - Incorrect Tool Usage | [SLVNV_UC1] [SLVNV_UC2] [SLVNV_UC3] | TI2 | Incorrect usage could prevent errors from being detected. | [M_MISC2] Competency of the project team. | TD1 | Training of users can prevent these issues. | TCL1 |
| [SLVNV_E12] Simulink Verification and Validation - Incorrect or Modified Installation | [SLVNV_UC1] [SLVNV_UC2] [SLVNV_UC3] | TI2 | Incorrect or modified installation could prevent errors from being detected. | [M_MISC4] Adherence to installation guide instructions.⁴ and [M_MISC3] Measures to verify integrity of installed tool version.⁵ | TD1 | Adherence to installation guide and verification of the installed tool version facilitate seamless installation. | TCL1 |

¹ For example, analysis of the wrong model.
² See “Configuration Management and Revision Control” in the Simulink Verification and Validation Reference Workflow.
³ See “Competency of the Project Team” in the Simulink Verification and Validation Reference Workflow.
⁴ See “Installation Integrity and Release Compatibility” in the Simulink Verification and Validation Reference Workflow.
⁵ Could include re-running the validation tests shipping with the IEC Certification Kit before using Simulink Verification and Validation.

Based on the preceding analysis, the maximum tool impact of the Simulink Verification and
Validation use cases taken into account is TI2.

Applying the prevention and detection measures previously described provides a medium degree
of confidence that a malfunction or an erroneous output of the model compliance checking
capability of Simulink Verification and Validation can be prevented or detected. The resulting
maximum required tool confidence level for model compliance checking is TCLMAX2.

For the model coverage analysis capability of Simulink Verification and Validation, not
applying prevention or detection measures to verify the results of the model coverage analysis
results in a maximum required tool confidence level of TCLMAX3.

Subsequent use of a code coverage tool when testing the software generated from the model and
the application of the generic prevention and detection measures M_MISC1, M_MISC2,
M_MISC3, and M_MISC4 provides a high degree of confidence that a malfunction or an
erroneous output of the modeling guidelines checking capability of Simulink Verification and
Validation can be prevented or detected. In this case, the resulting maximum required tool
confidence level for model coverage analysis is TCLMAX1.

TÜV SÜD reviewed the generic tool classification and confirmed the preceding results in Report
to the certificate Z10 11 12 67052 013.
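
The classification logic summarized above, as an added example that is not part of the MathWorks document: it encodes the TI/TD to TCL rule of ISO 26262-8 and the rows of the Tool Classification Summary table, then computes the maximum TCL of a capability for a chosen set of applied measures. The capability labels, the function names, and the rule that a row with none of its measures applied is rated TD3 (as the table does for [SLVNV_E6]) are assumptions of the example.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

Option = Tuple[FrozenSet[str], int]  # (measures that must all be applied, TD)


def tcl(ti: int, td: int) -> int:
    """ISO 26262-8 rule: TI1 always gives TCL1; for TI2 the TCL follows the TD."""
    if ti not in (1, 2) or td not in (1, 2, 3):
        raise ValueError(f"invalid classification TI{ti}/TD{td}")
    return 1 if ti == 1 else td


def opt(td: int, *measures: str) -> Option:
    """One way to reach detection level `td`: apply all of `measures`."""
    return frozenset(measures), td


# Transcribed from the Tool Classification Summary table on this page:
# malfunction -> (capability label, TI, alternative measure options).
# The labels are this example's own; "tool" marks the rows (E9 to E12)
# that the table lists under the use cases of both capabilities.
ROWS: Dict[str, Tuple[str, int, List[Option]]] = {
    "SLVNV_E1": ("compliance", 2, [opt(2, "M1")]),
    "SLVNV_E2": ("compliance", 1, []),
    "SLVNV_E3": ("compliance", 1, []),
    "SLVNV_E4": ("compliance", 1, []),
    "SLVNV_E5": ("compliance", 2, [opt(2, "M2a"), opt(2, "M2b"), opt(1, "M2c")]),
    "SLVNV_E6": ("coverage", 2, [opt(1, "M3")]),
    "SLVNV_E7": ("coverage", 1, []),
    "SLVNV_E8": ("coverage", 1, []),
    "SLVNV_E9": ("tool", 2, [opt(1, "M_MISC1")]),
    "SLVNV_E10": ("tool", 2, [opt(1, "M_MISC2")]),
    "SLVNV_E11": ("tool", 2, [opt(1, "M_MISC2")]),
    # The table joins M_MISC4 and M_MISC3 with "and": both are required.
    "SLVNV_E12": ("tool", 2, [opt(1, "M_MISC3", "M_MISC4")]),
}

GENERIC: Set[str] = {"M_MISC1", "M_MISC2", "M_MISC3", "M_MISC4"}


def classify(capability: str, applied: Set[str]) -> Tuple[int, List[str]]:
    """Return (maximum TCL, malfunctions that drive it) for one capability."""
    per_row: Dict[str, int] = {}
    for name, (cap, ti, options) in ROWS.items():
        if cap not in (capability, "tool"):
            continue
        # Best (lowest) TD among the options whose measures are all applied.
        # Assumption: with no applicable measure the row is rated TD3,
        # as the table does for [SLVNV_E6] with measure "None".
        td = min((t for required, t in options if required <= applied), default=3)
        per_row[name] = tcl(ti, td)
    worst = max(per_row.values())
    return worst, sorted(n for n, level in per_row.items() if level == worst)


if __name__ == "__main__":
    scenarios = {
        "compliance, M1 + M2c": ("compliance", GENERIC | {"M1", "M2c"}),
        "coverage, no M3": ("coverage", GENERIC),
        "coverage, with M3": ("coverage", GENERIC | {"M3"}),
        "coverage, M3 but no install check": ("coverage", (GENERIC - {"M_MISC3"}) | {"M3"}),
    }
    for label, (capability, applied) in scenarios.items():
        level, drivers = classify(capability, applied)
        print(f"{label}: TCL{level} driven by {', '.join(drivers)}")
```

The last scenario shows why the installation-integrity measure matters: under the example's TD3 assumption, skipping M_MISC3 alone puts coverage analysis back at TCL3 even when a code coverage tool is used.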

3 Software Tool Qualification Report
3.1 Requirement for Tool Qualification
Given the maximum required tool confidence level TCLMAX2 for Model Compliance
Checking (see “Generic Tool Classification”), this capability of Simulink Verification and
Validation needs to be qualified up to TCL2. Permissible tool qualification methods for TCL2
are listed in ISO 26262-8 Table 5.

Given the maximum required tool confidence level TCLMAX3 for Model Coverage Analysis
without verification of the analysis results (see “Generic Tool Classification”), this capability of
Simulink Verification and Validation needs to be qualified up to TCL3. Permissible tool
qualification methods for TCL3 are listed in ISO 26262-8 Table 4.

Given the maximum required tool confidence level TCLMAX1 for Model Coverage Analysis
with subsequent use of a code coverage tool (see “Generic Tool Classification”), this capability
of Simulink Verification and Validation does not require formal tool qualification methods (see
ISO 26262-8, 11.4.6.1).

3.2 Tool Qualification Documentation
MathWorks carried out an application-independent pre-qualification of Simulink Verification
and Validation.

The Model Compliance Checking capability using the ISO 26262 modeling standard checks was
prequalified for all ASILs according to ISO 26262-8, up to and including TCL 2.

The Model Coverage Analysis capability was prequalified for all ASILs according to ISO
26262-8, up to and including TCL 3.

The pre-qualification of Simulink Verification and Validation was carried out using a
combination of the following methods:

• Evaluation of the tool development process (ISO 26262-8, Tables 4 and 5, Method 1b).
• Validation of the software tool (ISO 26262-8, Tables 4 and 5, Method 1c).

According to ISO 26262-8, Tables 4 and 5, these two methods are permissible for all ASILs. For
TCL2, method 1b is highly recommended for ASILs A, B, and C. Method 1c is highly
recommended for ASIL D. For TCL3, method 1b is highly recommended for ASILs A and B.
Method 1c is highly recommended for ASILs C and D.

TÜV SÜD carried out an independent tool qualification assessment. MathWorks submitted the
results of the methods applied to pre-qualify Simulink Verification and Validation to TÜV SÜD.

TÜV SÜD reviewed the results of the generic tool qualification for the Model Coverage
Analysis and Model Compliance Checking capabilities of Simulink Verification and Validation.
TÜV SÜD confirmed the results in Report to the certificate Z10 11 12 67052 013.

4 Confirmation Review of Tool Classification and Qualification
4.1 Requirement for Confirmation Review
The tool classification (see “Software Tool Criteria Evaluation Report”) was carried out
independently from the development of the project under consideration. Therefore, the resulting
predetermined tool confidence level shall be confirmed by the applicant prior to Simulink
Verification and Validation being used for the development of a particular safety-related item or
element in the project under consideration (see ISO 26262-8, 11.4.2, 11.4.10).

The tool qualification (see “Software Tool Qualification Report”) was carried out independently
from the development of the application under consideration. Therefore, the resulting generic
pre-qualification shall be confirmed by the applicant prior to Simulink Verification and Validation
being used for the development of a particular safety-related item or element for the application
under consideration (see ISO 26262-8, 11.4.2, 11.4.10).

The generic tool classification is based on the assumption that Simulink Verification and
Validation is being used as described in the reference workflow documented in Simulink
Verification and Validation Reference Workflow. Therefore, conformance with the reference
workflow in the project under consideration shall be confirmed by the applicant.

4.2 Validity of Generic Tool Classification
Applicable Tool Confidence Level: <Insert TCL>

<Insert results of confirmation review or reference to confirmation review documentation>

4.3 Validity of Generic Tool Qualification
Applicable Tool Confidence Level: <Insert TCL>

<Insert results of confirmation review or reference to confirmation review documentation>

4.4 Conformance with Reference Workflow
Applicable Tool Confidence Level: <Insert TCL>

<Insert results of confirmation review or reference to confirmation review documentation>
