Why tool safety compliance matters and how vendors can make the process easier.
If you’re involved in the design or verification of safety-critical electronics, you’ve probably heard about some of the standards that apply to such development projects. If not, then you’re probably puzzled when you read about TÜV SÜD certifying that an EDA tool satisfies functional safety standards ISO 26262 (TCL3/ASIL D), IEC 61508 (T2/SIL 3) and EN 50128 (T2/SIL 3). The industry has quite an “alphabet soup” (more accurately, alphanumeric soup) of functional safety standards. In this post, we’ll try to sort it out.
The goal of all these standards is to define a rigorous development process for safety-critical hardware projects and to impose requirements on the robustness of the resulting design. A key part of this is recognizing that engineers use advanced software tools to develop complex hardware. Tools may malfunction, generate erroneous output, and ultimately introduce or fail to detect hardware faults that could cause hazardous events in the field. Functional safety standards demand that this risk be assessed and adequately minimized through tool qualification and other processes.
IEC 61508 is a baseline standard adapted and expanded for specific safety-critical applications. This standard defines off-line tools as those used exclusively for development, and divides them into three categories: T1 tools, for example text editors, do not generate any output that may influence the hardware design. T2 tools, for example coverage measurement tools, may fail to detect design defects. T3 tools, for example synthesis tools, may introduce errors in the hardware design. Verification and analysis tools generally are classified as T2.
IEC 61508 requirements include tool validation and qualification activities such as documenting expected tool behavior, usage guidelines and constraints, potential failure modes, and mitigation measures. Tools and the development process for the tools can be qualified at a Safety Integrity Level (SIL) from 1 to 3, with 3 being the highest. EN 50128 uses the same classification and terminology, but the standard is focused on railway applications.
Given all the attention on self-driving cars, the most commonly cited standard these days is probably ISO 26262, an adaptation of IEC 61508 to road vehicles. The first step is to determine the required tool confidence level (TCL), which in turn depends on tool impact and tool error detection capabilities. The standard does not require qualification of TCL1 tools, but TCL2 and TCL3 require additional tool qualification activities that may be complex and time consuming. It may be tempting to claim TCL1 for an entire tool chain, thus avoiding tool qualification, but this has several drawbacks:
On the other hand, achieving TCL2 or TCL3 can be a significant burden to development teams. Engineers might deploy redundant tools, implement additional checks on tool results, or accumulate and document successful tool usage history. This is where EDA vendors can help, by providing safety certificates or qualification kits that take part of the burden of safety compliance off the shoulders of users. Tool safety compliance is a project-specific task, but using certified tools enables compliance up to ASIL D, the highest Automotive Safety Integrity Level, with minimal effort.
Finally, it is highly valuable if EDA tools are certified by an independent agency and not just claimed as compliant by the vendor. TÜV SÜD is an accredited global testing, inspection, and certification provider widely respected in the industry. TÜV SÜD performs a thorough, independent assessment of the vendor’s organizational, tool development, and testing processes. The TÜV SÜD safety certificate and report form the basis of tool qualification kits (TQKs) provided by the vendor to its users.
Now you have the basics on what we meant by “TÜV SÜD has certified that EC-FPGA meets the most stringent tool qualification criteria set by functional safety standards ISO 26262 (TCL3/ASIL D), IEC 61508 (T2/SIL 3) and EN 50128 (T2/SIL 3)” in a recent announcement. Of course, there are many more details than we can cover in a single blog post. If you’re interested in learning more about functional safety standards, a white paper is available. As always, we welcome your questions or comments.
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
Leave a Reply