
IEC Certification Kit

Simulink® Requirements™
ISO 26262 Tool Qualification Package

R2020b

July 21, 2020 certkitiec_slreq_tqp


How to Contact MathWorks
Latest news: www.mathworks.com
Sales and services: www.mathworks.com/sales_and_services
User community: www.mathworks.com/matlabcentral
Technical support: www.mathworks.com/support/contact_us
Phone: 508-647-7000

The MathWorks, Inc.
1 Apple Hill Drive
Natick, MA 01760-2098
IEC Certification Kit Simulink® Requirements™ ISO 26262 Tool Qualification Package
© COPYRIGHT 2019-2020 by The MathWorks, Inc.
The software described in this document is furnished under a license agreement. The software may be used or
copied only under the terms of the license agreement. No part of this manual may be photocopied or reproduced
in any form without prior written consent from The MathWorks, Inc.
FEDERAL ACQUISITION: This provision applies to all acquisitions of the Program and Documentation by, for, or
through the federal government of the United States. By accepting delivery of the Program or Documentation, the
government hereby agrees that this software or documentation qualifies as commercial computer software or
commercial computer software documentation as such terms are used or defined in FAR 12.212, DFARS Part
227.72, and DFARS 252.227-7014. Accordingly, the terms and conditions of this Agreement and only those rights
specified in this Agreement, shall pertain to and govern the use, modification, reproduction, release, performance,
display, and disclosure of the Program and Documentation by the federal government (or other entity acquiring for
or through the federal government) and shall supersede any conflicting contractual terms or conditions. If this
License fails to meet the government’s needs or is inconsistent in any respect with federal procurement law, the
government agrees to return the Program and Documentation, unused, to The MathWorks, Inc.
Trademarks
MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See
www.mathworks.com/trademarks for a list of additional trademarks. Other product or brand names may be
trademarks or registered trademarks of their respective holders.
Patents
MathWorks products are protected by one or more U.S. patents. Please see www.mathworks.com/patents
for more information.



Revision History
March 2019 New for IEC Certification Kit Version 3.13 (Applies to Release R2019a)
September 2019 Revised for IEC Certification Kit Version 3.14 (Applies to Release R2019b)
March 2020 Revised for IEC Certification Kit Version 3.15 (Applies to Release R2020a)
September 2020 Revised for IEC Certification Kit Version 3.16 (Applies to Release R2020b)



Contents
1 Introduction ................................................................................................................................................ 1-1
2 Application Identification ........................................................................................................................... 2-1
3 Tool Identification and Qualification Artifacts Summary ........................................................................... 3-1
3.1 Tool Identification............................................................................................................................... 3-1
3.2 Tool Qualification Artifacts Summary ................................................................................................. 3-1
4 Software Tool Criteria Evaluation Report ................................................................................................... 4-1
4.1 Tool Environment ............................................................................................................................... 4-1
4.2 Tool Configuration .............................................................................................................................. 4-1
4.3 Reference Workflow ........................................................................................................................... 4-2
4.4 Tool Use Cases .................................................................................................................................... 4-2
4.5 Generic Tool Classification.................................................................................................................. 4-4
4.5.1 Potential Malfunctions or Erroneous Output .......................................................................... 4-4
4.5.2 Error Prevention and Detection Measures .............................................................................. 4-5
4.5.3 Tool Classification Summary .................................................................................................... 4-6
5 Software Tool Qualification Report ............................................................................................................ 5-1
5.1 Requirement for Tool Qualification .................................................................................................... 5-1
5.2 Tool Qualification Documentation ..................................................................................................... 5-1
6 Confirmation Review of Tool Classification and Qualification.................................................................... 6-1
6.1 Requirement for Confirmation Review............................................................................................... 6-1
6.2 Validity of Generic Tool Classification ................................................................................................ 6-1
6.2.1 Validity of Tool Use Cases ........................................................................................................ 6-1
6.2.2 Validity of Error Prevention and Detection Measures ............................................................. 6-4
6.2.3 Validity of Tool Classification Summary ................................................................................... 6-6
6.3 Validity of Generic Tool Qualification ................................................................................................. 6-8
6.4 Conformance with Reference Workflow ............................................................................................ 6-8



1 Introduction

This document constitutes the ISO 26262 Tool Qualification Package for the Simulink® Requirements™
product. This document is intended for use in the ISO 26262 tool classification and qualification process for
software tools. It contains templates for the ISO 26262 tool qualification work products (see ISO 26262-
8:2018, Clause 11).

The applicant shall review the templates for applicability to the application under consideration, and then
tailor and complete them as necessary.

See also:

• IEC Certification Kit: User’s Guide, R2020b
• ISO 26262-8:2018, Clause 11

ISO 26262-8:2018, Clause 11 provides provisions for software tools that are used to tailor activities or tasks
required by ISO 26262. The standard outlines a two-step approach to establish the required confidence in
the tools:

1. Tool classification determines the required level of confidence in the software tool.

2. Depending on the result of the tool classification, you might need to carry out a formal tool
qualification.

This document includes the following work products that need to be created when applying this approach
to a software tool (see ISO 26262-8:2018, 11.5):

• Software Tool Criteria Evaluation report, which provides the tool classification.
• Software Tool Qualification report, which provides the tool qualification (if required).

Note ISO 26262-8:2018 is used as a basis for tool classification and qualification. This approach is
considered suitable for the other standards supported by the IEC Certification Kit for Simulink
Requirements: IEC 61508, IEC 62304, EN 50128, EN 50657, or ISO 25119. The applicant needs
to review this template for applicability to the project under consideration and insert missing
information.

This document is intended for use with:

• Simulink® Requirements™ Reference Workflow (certkitiec_slreq_workflow)¹
• Simulink® Requirements™ Conformance Demonstration Template (certkitiec_slreq_cdt)¹

As you review this document, notice the use of <Insert Information>. This tag indicates where you should
customize the document for the project under consideration.

The following figures provide information to help understand how the IEC Certification Kit documentation
correlates to the user’s development workflow, tool classification, and tool qualification.

¹ This document is available in the IEC Certification Kit Artifacts Explorer, in the Simulink Requirements folder.



Figure 1 demonstrates the process of integrating the Simulink Requirements reference workflow with your
project’s development workflow. It identifies workflow components and documentation that may be
affected by the consolidation.

Figure 1 Consolidation of the Simulink Requirements Reference Workflow and Project Workflow

Figure 2 illustrates the correlation between the tool use cases, tool classification, and tool qualification.

Figure 2 Tool Classification and Tool Qualification Approach



2 Application Identification

Applicant: <Insert Information>

Application under consideration: <Insert Information>



3 Tool Identification and Qualification Artifacts Summary

3.1 Tool Identification


Simulink Requirements allows users to author, analyze, and manage requirements within Simulink. You can
create rich text requirements with custom attributes and link them to designs, code, and tests.
Requirements can be imported from external sources and you can receive automatic notification when
requirements change. You can view the requirements and design together, establish links with drag and
drop, annotate diagrams with requirements content, analyze requirements traceability, and navigate
between requirements, designs, generated code, and tests.

Simulink Requirements indicates when changes occur to linked requirements, designs, or tests. It calculates
the implementation and verification status of your requirements, enabling you to assess project
completeness.

Table 1 Tool Identification

Software Tool | Version (Release) | Tool Vendor
Simulink Requirements | Version 1.6 (R2020b) | The MathWorks, Inc., 1 Apple Hill Drive, Natick, MA 01760-2098 USA
IEC Certification Kit | Version 3.16 (R2020b) | The MathWorks, Inc., 1 Apple Hill Drive, Natick, MA 01760-2098 USA

3.2 Tool Qualification Artifacts Summary


For Simulink Requirements, Table 2 provides:

• Prerequisites
• Supporting information
• Tool qualification work products

The tool qualification artifacts listed in the table are mapped to sections in this document and artifacts
found elsewhere.



Table 2 Tool Qualification Artifacts

ISO 26262-8:2018, section | Artifact | Corresponding Documents/Artifacts
11.3.1 | Safety plan | <Insert Information. Include document title, version, filename, and link>
11.3.1 | Organization-specific rules and processes for functional safety | <Insert Information. Include document title, version, filename, and link>
11.3.1 | Applicable prerequisites of the lifecycle phases where the software tool is used | <Insert software lifecycle phase(s) and prerequisite(s)>
11.3.2 | Predetermined maximum ASIL | <Insert ASIL>
11.3.2 | Software tool documentation | Simulink Requirements Getting Started Guide, R2020b (slrequirements_gs.pdf); Simulink Requirements User’s Guide, R2020b (slrequirements_ug.pdf); Simulink Requirements Reference, R2020b (slrequirements_ref.pdf); Simulink Requirements Release Notes, R2020b (rn.pdf)
11.3.2 | Environment and constraints of the software tool | MathWorks® bug report system at www.mathworks.com/support/bugreports/ <Insert a list of the applicable bug reports. Include reference to the bug reports analysis and, if applicable, patches installation reports>
11.5.1 | Software tool criteria evaluation report | Customized and completed Chapter 4: Software Tool Criteria Evaluation Report of the Simulink Requirements ISO 26262 Tool Qualification Package (this document) (certkitiec_slreq_tqp.docx); Simulink Requirements Reference Workflow, R2020b (certkitiec_slreq_workflow.pdf); Certificate (certkitiec_slreq_certificate.pdf); Report to the Certificate (certkitiec_slreq_certreport.pdf); <If applicable, insert additional documentation. Include document title, version, filename, and link>
11.5.2 | Software tool qualification report | Customized and completed Chapter 5: Software Tool Qualification Report in the Simulink Requirements ISO 26262 Tool Qualification Package (this document) (certkitiec_slreq_tqp.docx); Customized and completed Simulink Requirements Conformance Demonstration Template (certkitiec_slreq_cdt.docx); Certificate (certkitiec_slreq_certificate.pdf); Report to the Certificate (certkitiec_slreq_certreport.pdf); <If applicable, insert additional documentation. Include document title, version, filename, and link>



4 Software Tool Criteria Evaluation Report

4.1 Tool Environment


It is assumed that Simulink Requirements will be used in the following environment (see ISO 26262-8:2018,
11.4.4.1d):

<Insert Information, such as operating system or pertinent environment information>

4.2 Tool Configuration


It is assumed that Simulink Requirements will be used with the following tool configuration (see ISO 26262-8:2018,
11.4.4.1b):

• In the Simulink Requirements Editor menu, use the following items to display implementation and
verification status and change tracking information:
o Display -> Implementation Status
o Display -> Verification Status
o Display -> Change Information
• In the Simulink Requirements Report Generation Options pane, use the following checkboxes to include
implementation and verification status and change tracking information in the report:
o Implementation Status
o Verification Status
o Change Information
Note You can use other report content options to include additional information in the report that
is relevant to your project, such as custom attributes.



4.3 Reference Workflow
It is assumed that Simulink Requirements will be used as described in the reference workflow documented
in Simulink Requirements Reference Workflow¹.

4.4 Tool Use Cases


It is assumed that Simulink Requirements will be used as described by one or more of the following use
cases (see ISO 26262-8:2018, 11.4.4.1c). Additional information about the assumed usage of Simulink
Requirements can be found in the following documents:

• Simulink Requirements Reference Workflow¹
• Simulink Requirements User’s Guide¹

Definitions
Simulink Requirements provides three built-in requirement types:

• Functional ─ Classify requirements that are meant to be implemented or verified in your Model-
Based Design workflow. Functional requirements contribute to the Implementation and
Verification status metrics of the requirement set that they are in.
• Container ─ Group requirements. Container requirements do not contribute to the Implementation
and Verification status metrics of the requirement set that they are in. However, all Functional
requirements under a Container requirement contribute to the status metrics.
• Informational ─ Provides supplemental information. Informational requirements and all
requirements under them do not contribute to the Implementation and Verification status metrics
of the requirement set that they are in.

Simulink Requirements provides these implementation statuses for functional requirements:

• Justified ─ At least one justification is linked to the requirement with an “Implemented by” link.
• Implemented ─ The requirement is not justified and has at least one “Implemented by” link.
• None ─ Requirement does not have an “Implemented by” link.

Simulink Requirements provides these verification statuses for functional requirements:

• Justified ─ At least one justification is linked to the requirement with a “Verified by” link.
• Passed ─ Requirement is not justified and all linked Simulink Test test cases and Simulink Design
Verifier proof objective blocks pass.
• Failed ─ Requirement is not justified and at least one linked Simulink Test test case or Simulink
Design Verifier proof objective block fails.
• Unexecuted ─ Requirement is not justified and at least one linked Simulink Test test case or
Simulink Design Verifier proof objective block is not executed.
• None ─ Requirement does not have a “Verified by” link.

Implementation and verification status is determined for the requirement set, for functional and container
requirements with one or more child functional requirements (a subset), and for individual functional
requirements. For a subset whose parent is a functional requirement, the parent requirement also contributes
to the metrics calculation.
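As an added example (not MathWorks code and not part of this package), the following Python script recomputes the implementation and verification status metrics from a constructed requirement set, applying the requirement-type and status rules exactly as defined above; the requirement data, the link-target strings, the `justification:` marker and the pass/fail/unexecuted outcome labels are assumptions made for illustration. An independent recomputation of this kind is what the manual calculation in measures [SLREQ_M2] and [SLREQ_M3] amounts to.

```python
"""Independent recomputation of Simulink Requirements implementation and
verification status metrics (use cases SLREQ_UC2 / SLREQ_UC3), for cross-checking
the figures the tool reports. Added example, not MathWorks code; the data model
and field names below are assumptions, the status rules follow the page."""
from dataclasses import dataclass, field
from typing import Dict, List

JUSTIFICATION_PREFIX = "justification:"   # assumed marker for a justification link target


@dataclass
class Requirement:
    req_id: str
    kind: str                                  # "Functional", "Container" or "Informational"
    implemented_by: List[str] = field(default_factory=list)  # "Implemented by" link targets
    verified_by: List[str] = field(default_factory=list)     # "Verified by" link targets
    children: List["Requirement"] = field(default_factory=list)


def _is_justification(target: str) -> bool:
    return target.startswith(JUSTIFICATION_PREFIX)


def implementation_status(req: Requirement) -> str:
    """Justified / Implemented / None for a functional requirement."""
    if any(_is_justification(t) for t in req.implemented_by):
        return "Justified"          # at least one justification linked "Implemented by"
    if req.implemented_by:
        return "Implemented"        # not justified, at least one "Implemented by" link
    return "None"                   # no "Implemented by" link at all


def verification_status(req: Requirement, results: Dict[str, str]) -> str:
    """Justified / Passed / Failed / Unexecuted / None. `results` maps a test or
    proof-objective id to "pass", "fail" or "unexecuted". Assumption (the page
    does not say): when both failed and unexecuted links exist, Failed is reported."""
    if any(_is_justification(t) for t in req.verified_by):
        return "Justified"
    if not req.verified_by:
        return "None"
    outcomes = [results.get(t, "unexecuted") for t in req.verified_by]  # unknown id = not run
    if "fail" in outcomes:
        return "Failed"
    if "unexecuted" in outcomes:
        return "Unexecuted"
    return "Passed"                 # every linked test / proof objective passed


def counted_functionals(reqs: List[Requirement]) -> List[Requirement]:
    """Functional requirements that contribute to the metrics of a (sub)set:
    Functional requirements count and their subtrees are descended; Container
    requirements do not count but their children are; Informational subtrees
    are skipped entirely."""
    out: List[Requirement] = []
    for r in reqs:
        if r.kind == "Informational":
            continue
        if r.kind == "Functional":
            out.append(r)
        out.extend(counted_functionals(r.children))
    return out


def status_metrics(reqs: List[Requirement], results: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Implementation and verification metrics for `reqs`. Pass the whole set for
    set-level metrics, or [parent] for a subset; a Functional parent then counts
    toward its own subset, as the page states."""
    funcs = counted_functionals(reqs)
    impl = {"Total": len(funcs), "Justified": 0, "Implemented": 0, "None": 0}
    verif = {"Total": len(funcs), "Justified": 0, "Passed": 0, "Failed": 0,
             "Unexecuted": 0, "None": 0}
    for r in funcs:
        impl[implementation_status(r)] += 1
        verif[verification_status(r, results)] += 1
    return {"implementation": impl, "verification": verif}


def report_discrepancies(tool_reported: Dict[str, Dict[str, int]],
                         computed: Dict[str, Dict[str, int]]) -> List[str]:
    """Metric keys where the tool's reported figures differ from the recomputation."""
    return [f"{sec}.{k}: tool={tool_reported.get(sec, {}).get(k)} computed={v}"
            for sec, metrics in computed.items() for k, v in metrics.items()
            if tool_reported.get(sec, {}).get(k) != v]


# Constructed requirement set (not from the page) exercising every rule above.
SAMPLE_SET = [
    Requirement("R1", "Functional", implemented_by=["Model/Sub1"], verified_by=["T1"], children=[
        Requirement("R1.1", "Functional", verified_by=["T2"]),                # no impl link, failing test
    ]),
    Requirement("R2", "Container", children=[                                 # container: not counted itself
        Requirement("R2.1", "Functional", implemented_by=["justification:J1"],
                    verified_by=["justification:J2"]),                        # justified both ways
        Requirement("R2.2", "Functional", implemented_by=["Model/Sub2"], verified_by=["T3", "T4"]),
    ]),
    Requirement("R3", "Informational", children=[                             # whole subtree excluded
        Requirement("R3.1", "Functional", implemented_by=["Model/Sub3"], verified_by=["T5"]),
    ]),
]
# Constructed test / proof-objective outcomes.
SAMPLE_RESULTS = {"T1": "pass", "T2": "fail", "T3": "pass", "T4": "unexecuted", "T5": "pass"}

if __name__ == "__main__":
    m = status_metrics(SAMPLE_SET, SAMPLE_RESULTS)
    print("Requirement set:", m)
    print("Subset under R1:", status_metrics([SAMPLE_SET[0]], SAMPLE_RESULTS))
    # Constructed "tool-reported" figures with one deliberate mismatch to show the check firing.
    tool = {"implementation": dict(m["implementation"]), "verification": dict(m["verification"])}
    tool["verification"]["Passed"] = 2
    print("Discrepancies:", report_discrepancies(tool, m))
```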

¹ This document is available in the IEC Certification Kit Artifacts Explorer, in the Simulink Requirements folder.



[SLREQ_UC1] Authoring and managing requirements and requirement links
Simulink Requirements is used to author, analyze, and manage requirements within Simulink by leveraging
the following features:

• Requirements editor for requirements authoring, editing, and organization.
• Requirements import and synchronization from third-party tools, such as Microsoft® Word and Microsoft
Excel.
• Adding bidirectional links between requirements, Simulink model elements, and tests.
• Requirements Perspective for viewing, linking, and managing requirements within the Simulink graphical
editor.
Note Use case SLREQ_UC1 provides the inputs (requirement sets) for the subsequent use cases (status
assessment, change tracking, and reporting), which cannot be used standalone.

[SLREQ_UC2] Assessment of requirements implementation status


Simulink Requirements is used to assess the implementation status of the requirements by providing the
following metrics:

• Total number of functional requirements.
• Number of functional requirements with justified implementation (Justified status).
• Number of implemented functional requirements (Implemented status).
• Number of functional requirements without an “Implemented by” link (None status).

[SLREQ_UC3] Assessment of requirements verification status


Simulink Requirements is used to assess the verification status of the requirements by providing the
following metrics:

• Total number of functional requirements.
• Number of functional requirements with justified verification (Justified status).
• Number of passed functional requirements (Passed status).
• Number of failed functional requirements (Failed status).
• Number of unexecuted functional requirements (Unexecuted status).
• Number of functional requirements without a “Verified by” link (None status).

[SLREQ_UC4] Change tracking of requirement links


Simulink Requirements is used to track requirement links by detecting change issues, such as when the
link artifacts (source or destination) or the requirements are modified. The user can then resolve the change
issues, or clear link changes that do not impact the requirement status.

[SLREQ_UC5] Generation of requirement report


Simulink Requirements is used to generate requirement reports. These reports include the following data:

• Requirements and associated requirement attributes
• Requirement links
• Implementation status metrics
• Verification status metrics
• Change issues
• Other auxiliary data



4.5 Generic Tool Classification
The tool classification for Simulink Requirements was performed in a generic manner, independently from
the development of a safety-related item or element.

For the generic tool classification, the reference use cases listed in Tool Use Cases on page 4-2 have been
considered. The tool classification is based on the potential malfunctions or erroneous outputs and error
prevention and detection measures listed in the following, corresponding sections.

4.5.1 Potential Malfunctions or Erroneous Output


The following potential malfunctions or erroneous outputs were considered as part of the tool classification
process:

[SLREQ_E1] Corruption of the requirements or links
Created requirements or links are corrupted, deleted, or erroneously displayed in the graphical user
interface of the tool.

[SLREQ_E2] Incorrect implementation status
One or more implementation status metrics are determined incorrectly.

[SLREQ_E3] Incorrect verification status
One or more verification status metrics are determined incorrectly.

[SLREQ_E4] Incorrect change tracking data
Change tracking data is incorrect or incomplete.

[SLREQ_E5] Generation of erroneous requirement report
Content of the generated requirement report is corrupted or incomplete.

[MISC_E1] Usage of incorrect input data
Incorrect input data is used, resulting in tool malfunction and erroneous output.

[MISC_E2] Misinterpretation of tool results
User interprets tool results incorrectly.

[MISC_E3] Incorrect tool usage
User does not follow established procedures when using the tool, or the tool has not been used in the
intended operational environment, resulting in tool malfunction and erroneous output.

[MISC_E4] Incorrect, modified, or incompatible with environment tool installation
User does not follow established procedures when installing the tool, installs the tool in an incorrect
operational environment, modifies a valid installation, or available bug reports for the tool have not been
analyzed and available patches have not been installed. This might result in tool malfunction and erroneous
output.



4.5.2 Error Prevention and Detection Measures
To mitigate potential malfunctions and corresponding erroneous outputs of the Simulink Requirements
product, the following measures are provided. Additional considerations are described in the Simulink
Requirements Reference Workflow.

[SLREQ_M1] Verification of the requirements and links
Requirements and traceability data shall be verified in accordance with Clauses 6 and 9 of ISO 26262-8:2018.

[SLREQ_M2] Verification of implementation status
Implementation status can be verified by manual calculation of the implementation metrics.

[SLREQ_M3] Verification of verification status
Verification status can be verified by manual calculation of the verification metrics.

[SLREQ_M4] Verification of change tracking data
Change tracking data can be verified by manual review of the link changes.

[SLREQ_M5] Verification of requirements report content
The requirement report can be verified by manual review of the report content against the graphical user
interface.

[MISC_M1] Revision control and configuration management
Configuration management shall be applied in accordance with Clause 7 of ISO 26262-8:2018 to the tool
inputs and outputs, as well as to other applicable work products specified in the respective safety standard.

For additional information, see “Configuration Management and Revision Control” in the tool-specific
reference workflow artifact.

[MISC_M2] Competency of the project team
Those carrying out activities using the tool shall be competent for the activities undertaken. Training of
users can be performed to ensure correct usage of the tool.

For additional information, see “Competency of the Project Team” in the tool-specific reference workflow
artifact.

[MISC_M3] Adherence to installation instructions and validation of tool installation integrity
Adhere to the installation instructions for the tool (including dependent tools) and verify the version and
integrity of the tool. Validate modifications or additions made to the shipping product(s), if applicable, by
re-running the validation test suite provided in the IEC Certification Kit.

For additional information, see “Installation Integrity and Release Compatibility” in the tool-specific
reference workflow artifact.

[MISC_M4] Analysis of available bug report information
Assess and analyze the tool’s bug report information that is provided by MathWorks® and comply with the
recommendations and workarounds, if applicable.

For additional information, see “Bug Reporting” in the tool-specific reference workflow artifact.

[MISC_M5] Addressing tool errors and warnings
The tool reports abnormal operating modes, such as invalid tool inputs or incompatible settings that result
from incorrect tool usage, by issuing errors and warnings. All errors and warnings should be reviewed and
appropriate action shall be taken.

4.5.3 Tool Classification Summary


Table 3 Tool Classification Summary

Columns: Potential Malfunction or Erroneous Output | Use Cases | TI | Justification for TI | Prevention / Detection Measures | TD | Justification for TD | TCL

[SLREQ_E1] Corruption of the requirements or links
Use cases: [SLREQ_UC1] Authoring and managing requirements and requirement links
TI: TI2. Incorrect or incomplete requirements or links could result in incorrect implementation or incomplete testing of the implementation.
Measure: [SLREQ_M1] Verification of requirements and traceability data in accordance with Clauses 6 and 9 of ISO 26262-8:2018.
TD: TD1. Verification of requirements and traceability data will detect corrupted requirements or links with a high degree of confidence.
TCL: TCL1

[SLREQ_E2] Incorrect implementation status
Use cases: [SLREQ_UC2] Assessment of requirements implementation status
TI: TI2. Incorrect implementation status could result in incomplete implementation of the requirements.
Measure: None. TD: TD3. Justification for TD: -. TCL: TCL3
Measure: [SLREQ_M2] Verification of implementation status. TD: TD1. Manual verification will detect incorrect implementation status with a high degree of confidence. TCL: TCL1

[SLREQ_E3] Incorrect verification status
Use cases: [SLREQ_UC3] Assessment of requirements verification status
TI: TI2. Incorrect verification status could result in incomplete verification of the requirements.
Measure: None. TD: TD3. Justification for TD: -. TCL: TCL3
Measure: [SLREQ_M3] Verification of verification status. TD: TD1. Manual verification will detect incorrect verification status with a high degree of confidence. TCL: TCL1

[SLREQ_E4] Incorrect change tracking data
Use cases: [SLREQ_UC4] Change tracking of requirement links
TI: TI2. Incorrect change tracking data could result in implementation or verification of obsolete requirements.
Measure: None. TD: TD3. Justification for TD: -. TCL: TCL3
Measure: [SLREQ_M4] Verification of change tracking data. TD: TD1. Manual verification will detect incorrect change tracking data with a high degree of confidence. TCL: TCL1

[SLREQ_E5] Generation of erroneous requirement report
Use cases: [SLREQ_UC5] Generation of requirement report
TI: TI2. An erroneous requirements report used for verification could result in the omission of errors and the use of invalid implementation, verification, or change tracking status.
Measure: None. TD: TD3. Justification for TD: -. TCL: TCL3
Measure: [SLREQ_M5] Verification of requirements report content. TD: TD1. Manual verification will detect incorrect report content with a high degree of confidence. TCL: TCL1

[MISC_E1] Usage of incorrect input data
Use cases: All
TI: TI2. Incorrect input data could result in incorrect or incomplete analysis results. It could introduce or fail to detect an error in the safety-related items or elements being developed.
Measures: [MISC_M1] Revision control and configuration management; [MISC_M5] Addressing tool errors and warnings
TD: TD1. Revision control and configuration management provide integrity of the input data. Using checksums allows the unique identification of the input data. Invalid or corrupted input data will be reported by the tool and addressed by the user.
TCL: TCL1

[MISC_E2] Misinterpretation of tool results
Use cases: All
TI: TI2. Misinterpretation of analysis results could prevent errors from being detected.
Measure: [MISC_M2] Competency of the project team
TD: TD1. Training of users can prevent these issues.
TCL: TCL1

[MISC_E3] Incorrect tool usage
Use cases: All
TI: TI2. Incorrect tool usage could result in incorrect or incomplete analysis results. It could introduce or fail to detect an error in the safety-related items or elements being developed.
Measures: [MISC_M2] Competency of the project team; [MISC_M5] Addressing tool errors and warnings
TD: TD1. Training of users can ensure correct usage of the tool. Invalid tool inputs or incompatible settings that are caused by incorrect tool usage will be reported by the tool and addressed by the user.
TCL: TCL1

[MISC_E4] Incorrect, modified, or incompatible with environment tool installation
Use cases: All
TI: TI2. Incorrect or modified installation could result in incorrect or incomplete analysis results. It could introduce or fail to detect an error in the safety-related items or elements being developed.
Measure: [MISC_M3] Adherence to installation instructions and validation of tool installation integrity. TD: TD1. Adherence to the installation guide instructions provides a seamless installation. Validation of the installed tool provides integrity of the tool installation. This could include re-running the validation tests shipping with the IEC Certification Kit before using the tool. TCL: TCL1
Measure: [MISC_M4] Analysis of available bug report information. TD: TD1. Analysis of the bug report information and use of recommendations and workarounds minimizes the impact of tool bugs. TCL: TCL1

Based on the classification analysis provided in the table above, the maximum tool impact of the Simulink
Requirements use cases considered is TI2.

Subsequent use of all error detection measures identified in the table above provides a high degree of
confidence that tool malfunctions will be detected. Therefore, the tool confidence level for the tool
capabilities implementing the identified tool use cases is TCL1 if all error detection measures are applied.

If no error detection measures are applied for the errors SLREQ_E2, SLREQ_E3, SLREQ_E4 and SLREQ_E5
and corresponding use cases, the tool confidence level is TCL3.

TÜV SÜD reviewed the generic tool classification and confirmed the preceding results in the Report to the
Certificate.



5 Software Tool Qualification Report

5.1 Requirement for Tool Qualification


TCL1 can be claimed for the Simulink Requirements capabilities implementing the use cases specified in this
document, given that all error detection measures specified in this document are applied. Therefore,
additional tool qualification methods are not necessary according to ISO 26262-8:2018, Clause 11.4.6.1.

Given the required tool confidence level TCL3 for the Simulink Requirements capabilities SLREQ_UC2,
SLREQ_UC3, SLREQ_UC4 and SLREQ_UC5 without their manual verification (see Generic Tool Classification
on page 2-2), these capabilities need to be qualified to TCL3. Permissible tool qualification methods for TCL3
are listed in ISO 26262-8:2018 Table 4.

5.2 Tool Qualification Documentation


MathWorks carried out an application-independent pre-qualification of Simulink Requirements.

The Simulink Requirements capabilities SLREQ_UC2, SLREQ_UC3, SLREQ_UC4 and SLREQ_UC5 were
prequalified for all ASILs per ISO 26262-8:2018, up to and including TCL3. The pre-qualification of Simulink
Requirements was carried out using a combination of the following methods:

• Evaluation of the tool development process (ISO 26262-8:2018, Tables 4 and 5, method 1b).
• Validation of the software tool (ISO 26262-8:2018, Tables 4 and 5, method 1c).

Per ISO 26262-8:2018, Tables 4 and 5, these two methods are permissible for all ASILs. For TCL2, method 1b
is highly recommended for ASILs A, B, and C. Method 1c is highly recommended for ASIL D. For TCL3,
method 1b is highly recommended for ASILs A and B. Method 1c is highly recommended for ASILs C and D.

TÜV SÜD carried out an independent tool qualification assessment. MathWorks submitted the results of
the methods applied to pre-qualify Simulink Requirements to TÜV SÜD.

TÜV SÜD reviewed the results of the generic tool qualification of Simulink Requirements and confirmed the
results in the Report to the Certificate.

Tool qualification for the corresponding capabilities of the Simulink Requirements product can be claimed
for TCL1 and TCL3 by referencing the certification report and corresponding certificate.

Note: The TÜV SÜD qualification assessment for the method “Validation of the software tool” is carried
out for the tool use scope specified in Chapter 4 of this document. Modified tool use cases or
error prevention and detection measures are not covered by the TÜV SÜD qualification
assessment.



6 Confirmation Review of Tool Classification and Qualification

6.1 Requirement for Confirmation Review


The tool classification (see Chapter 4: Software Tool Criteria Evaluation Report) was carried out
independently from the development of the project under consideration. Therefore, the resulting
predetermined tool confidence level shall be confirmed by the applicant prior to Simulink Requirements
being used for the development of a safety-related item or element in the project under consideration (see
ISO 26262-8:2018, 11.4.2).

The tool qualification (see Chapter 5: Software Tool Qualification Report) was carried out independently
from the development of the application under consideration. Therefore, the resulting generic pre-
qualification shall be confirmed by the applicant prior to Simulink Requirements being used for the
development of a particular safety-related item or element for the application under consideration (see ISO
26262-8:2018, 11.4.2).

The generic tool classification assumes that Simulink Requirements is being used as described in the
reference workflow documented in Simulink Requirements Reference Workflow. Therefore, conformance
with the reference workflow in the project under consideration shall be confirmed by the applicant.

6.2 Validity of Generic Tool Classification


Applicable Tool Confidence Level: <Insert TCL1 or TCL3>

<Insert results of the confirmation review and reference the confirmation review documentation>

6.2.1 Validity of Tool Use Cases


Table 4 identifies Simulink Requirements use cases that were considered as part of the tool classification
process and identifies whether the use cases were modified, added, or deleted for the project under
consideration.

The table is structured as follows:

• The first column identifies whether the use case was modified:
o No change — Use case did not change.
o Update — Use case was updated.
o Delete — Use case was not needed; therefore, it was removed.
o New — New use case was required.
• The second column provides the use case as described in section “Tool Use Cases” on page 4-2 with the
following exceptions:
o If the Change Status is “Update”, this column provides the modified use case.
o If the Change Status is “New”, this column provides the new use case.
• The third column states the use case as a checklist question, which is to be asked with regard to your
project. The following applies:
o If the Change Status is “Update” and a use case was updated, this column provides the modified
checklist question.
o If the Change Status is “New”, this column provides the checklist questions as appropriate for the
new use case.
• The fourth column defines whether the use case was applicable for the project. This column can provide
additional information or clarification with regard to how the use case was applied in the project. The
following applies:
o If the Change Status is “Delete”, provide an explanation as to why this use case was not applicable
to the project.

Table 4 Validity of Tool Use Cases

Columns: Change Status; Use Case; Checklist; Applicable to Project?

[SLREQ_UC1] Authoring and managing requirements and requirement links
  Change Status: <Insert Information>
  Use Case: Simulink Requirements is used to author, analyze, and manage requirements within Simulink by leveraging the following features:
    • Requirements editor for requirements authoring, editing, and organization
    • Requirements import and synchronization from third-party tools, such as Microsoft® Word and Microsoft Excel
    • Adding bidirectional links between requirements, Simulink model elements, and tests
    • Requirements Perspective for viewing, linking, and managing requirements within the Simulink graphical editor
  Checklist: Is Simulink Requirements being used to author, analyze, and manage requirements within Simulink by using the following features:
    • Requirements editor for requirements authoring, editing, and organization?
    • Requirements import and synchronization from third-party tools, such as Microsoft® Word and Microsoft Excel?
    • Adding bidirectional links between requirements, Simulink model elements, and tests?
    • Requirements Perspective for viewing, linking, and managing requirements within the Simulink graphical editor?
  Applicable to Project?: <Insert Yes or No and provide additional details if needed>

[SLREQ_UC2] Assessment of requirements implementation status
  Change Status: <Insert Information>
  Use Case: Simulink Requirements is used to assess the implementation status of requirements by providing the following metrics:
    • Total number of functional requirements
    • Number of functional requirements with justified implementation (Justified status)
    • Number of implemented functional requirements (Implemented status)
    • Number of requirements without an “Implemented by” link (None status)
  Checklist: Is Simulink Requirements being used to assess the implementation status of requirements by using the following metrics:
    • Total number of functional requirements?
    • Number of functional requirements with justified implementation (Justified status)?
    • Number of implemented functional requirements (Implemented status)?
    • Number of requirements without an “Implemented by” link (None status)?
  Applicable to Project?: <Insert Yes or No and provide additional details if needed>

[SLREQ_UC3] Assessment of requirements verification status
  Change Status: <Insert Information>
  Use Case: Simulink Requirements is used to assess the verification status of the requirements by providing the following metrics:
    • Total number of functional requirements
    • Number of functional requirements with justified verification (Justified status)
    • Number of passed functional requirements (Passed status)
    • Number of failed functional requirements (Failed status)
    • Number of unexecuted functional requirements (Unexecuted status)
    • Number of functional requirements without a “Verified By” link
  Checklist: Is Simulink Requirements being used to assess the verification status of the requirements by using the following metrics:
    • Total number of functional requirements?
    • Number of functional requirements with justified verification (Justified status)?
    • Number of passed functional requirements (Passed status)?
    • Number of failed functional requirements (Failed status)?
    • Number of unexecuted functional requirements (Unexecuted status)?
    • Number of functional requirements without a “Verified By” link?
  Applicable to Project?: <Insert Yes or No and provide additional details if needed>

[SLREQ_UC4] Change tracking of requirement links
  Change Status: <Insert Information>
  Use Case: Simulink Requirements is used to track requirements links by detecting change issues, such as when link artifacts (source or destination) or requirements are modified. The user can then resolve change issues or clear link changes that do not impact the requirement status.
  Checklist:
    • Is Simulink Requirements being used to track requirements links by detecting change issues?
    • Is the user resolving change issues or clearing link changes that do not impact the requirement status?
  Applicable to Project?: <Insert Yes or No and provide additional details if needed>

[SLREQ_UC5] Generation of requirement report
  Change Status: <Insert Information>
  Use Case: Simulink Requirements is used to generate requirement reports. These reports include the following data:
    • Requirements and associated requirement attributes
    • Requirement links
    • Implementation status metrics
    • Verification status metrics
    • Change issues
  Checklist: Is Simulink Requirements being used to generate requirement reports?
  Applicable to Project?: <Insert Yes or No and provide additional details if needed>

Are there any tool use cases not considered? <Insert Yes or No. If yes, identify tool use case(s) and provide rationale.>

6.2.2 Validity of Error Prevention and Detection Measures


Table 5 identifies Simulink Requirements error prevention and detection measures that were considered as
part of the tool classification process and whether they were modified, added, or deleted for the project
under consideration. For information about the table structure, see the description in section “Validity of
Tool Use Cases” on page 6-1.

Table 5 Validity of Error Prevention and Detection Measures

Columns: Change Status; Error Prevention and Detection Measure; Checklist; Applicable to Project?

[SLREQ_M1] Verification of the requirements and links
  Change Status: <Insert Information>
  Measure: Requirements and traceability data shall be verified in accordance with Clauses 6 and 9 of ISO 26262-8:2018.
  Checklist: Are requirements and traceability data verified in accordance with Clauses 6 and 9 of ISO 26262-8:2018?
  Applicable to Project?: <Insert Yes or No and provide additional details if needed>

[SLREQ_M2] Verification of implementation status
  Change Status: <Insert Information>
  Measure: Implementation status can be verified by manual calculation of implementation metrics.
  Checklist: Is implementation status verified by manual calculation of implementation metrics?
  Applicable to Project?: <Insert Yes or No and provide additional details if needed>

[SLREQ_M3] Verification of verification status
  Change Status: <Insert Information>
  Measure: Verification status can be verified by manual calculation of verification metrics.
  Checklist: Is verification status verified by manual calculation of verification metrics?
  Applicable to Project?: <Insert Yes or No and provide additional details if needed>

[SLREQ_M4] Verification of change tracking data
  Change Status: <Insert Information>
  Measure: Change tracking data can be verified by manual review of the link changes.
  Checklist: Is change tracking data verified by manual review of the link changes?
  Applicable to Project?: <Insert Yes or No and provide additional details if needed>

[SLREQ_M5] Verification of requirements report content
  Change Status: <Insert Information>
  Measure: The requirement report can be verified by manual review of the report content against the graphical user interface.
  Checklist: Is the requirement report verified by manual review of the report content against the graphical user interface?
  Applicable to Project?: <Insert Yes or No and provide additional details if needed>

[MISC_M1] Revision control and configuration management
  Change Status: <Insert Information>
  Measure: Configuration management shall be applied in accordance with Clause 7 of ISO 26262-8:2018 to the tool inputs and outputs, as well as to other applicable work products specified in the respective safety standard.
  Checklist: Is configuration of the tool’s input and output data managed in accordance with Clause 7 of ISO 26262-8:2018?
  Applicable to Project?: <Insert Yes or No and provide additional details if needed>

[MISC_M2] Competency of the project team
  Change Status: <Insert Information>
  Measure: Those carrying out activities using the tool shall be competent for the activities undertaken. Training of users can be performed to ensure correct usage of the tool.
  Checklist:
    • Are users who carry out activities using the tool competent for the activities undertaken?
      Applicable to Project?: <Insert Yes or No and provide additional details if needed>
    • Are users trained to ensure correct usage of the tool?
      Applicable to Project?: <Insert Yes or No and provide additional details if needed>

[MISC_M3] Adherence to installation instructions and validation of tool installation integrity
  Change Status: <Insert Information>
  Measure: Adhere to the installation instructions for the tool (including dependent tools) and verify the version and integrity of the tool. Validate modifications or additions made to the shipping product(s), if applicable, by re-running the validation test suite provided in the IEC Certification Kit.
  Checklist:
    • Did users adhere to the installation instructions for the tool (including dependent tools)?
      Applicable to Project?: <Insert Yes or No and provide additional details if needed>
    • Did users verify the version and integrity of the tool?
      Applicable to Project?: <Insert Yes or No and provide additional details if needed>
    • Did users validate modifications or additions made to the shipping product(s), if applicable, by re-running the validation test suite provided in the IEC Certification Kit?
      Applicable to Project?: <Insert Yes or No and provide additional details if needed>

[MISC_M4] Analysis of available bug report information
  Change Status: <Insert Information>
  Measure: Assess and analyze the tool’s bug report information that is provided by MathWorks® and comply with the recommendations and workarounds, if applicable.
  Checklist:
    • Did users assess and analyze bug report information for the tool?
      Applicable to Project?: <Insert Yes or No and provide additional details if needed>
    • Did users comply with the recommendations and workarounds, if applicable?
      Applicable to Project?: <Insert Yes or No and provide additional details if needed>

[MISC_M5] Addressing tool errors and warnings
  Change Status: <Insert Information>
  Measure: The tool reports abnormal operating modes, such as invalid tool inputs or incompatible settings that result from incorrect tool usage, by issuing errors and warnings. All errors and warnings should be reviewed and appropriate action shall be taken.
  Checklist:
    • Did the user review all errors and warnings?
      Applicable to Project?: <Insert Yes or No and provide additional details if needed>
    • Was appropriate action taken in response to the errors and warnings?
      Applicable to Project?: <Insert Yes or No and provide additional details if needed>

Are there any error prevention and detection measures not considered? <Insert Yes or No. If yes, identify tool use case(s) and provide rationale.>
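As a worked illustration of the manual-calculation measures SLREQ_M2 and SLREQ_M3 applied to the SLREQ_UC2 and SLREQ_UC3 metrics, the following Python script recomputes the implementation and verification status counts from a constructed requirement set and flags any figure that disagrees with what the tool reported. It is an added example, not MathWorks code and not the Simulink Requirements API; the requirement record layout, the link and test-result fields, and the precedence rule used for verification status across several verify links are assumptions made for this illustration.

```python
"""Independent recomputation of requirement status metrics (added example).

Not MathWorks code and not the Simulink Requirements API: the record layout,
the link/result fields and the verification precedence rule are assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Requirement:
    rid: str
    functional: bool = True
    implemented_by: list = field(default_factory=list)   # "Implemented by" link targets
    implementation_justified: bool = False               # implementation justification present
    verified_by: list = field(default_factory=list)      # "Verified By" link targets
    verification_justified: bool = False                 # verification justification present
    test_results: dict = field(default_factory=dict)     # verify link -> "Passed" | "Failed"


def implementation_status(req: Requirement) -> str:
    """Implemented, Justified, or None (no "Implemented by" link)."""
    if req.implemented_by:
        return "Implemented"
    if req.implementation_justified:
        return "Justified"
    return "None"


def verification_status(req: Requirement) -> str:
    """Passed, Failed, Unexecuted, Justified, or None (no "Verified By" link).

    Assumed precedence across several verify links: any failure makes the
    requirement Failed; it is Passed only when every link has passed;
    otherwise at least one test has not run, so it is Unexecuted.
    """
    if req.verified_by:
        results = [req.test_results.get(link) for link in req.verified_by]
        if any(r == "Failed" for r in results):
            return "Failed"
        if all(r == "Passed" for r in results):
            return "Passed"
        return "Unexecuted"
    if req.verification_justified:
        return "Justified"
    return "None"


def implementation_metrics(reqs):
    """The four SLREQ_UC2 metrics, computed over functional requirements only."""
    funcs = [r for r in reqs if r.functional]
    counts = Counter(implementation_status(r) for r in funcs)
    return {"Total": len(funcs), "Justified": counts["Justified"],
            "Implemented": counts["Implemented"], "None": counts["None"]}


def verification_metrics(reqs):
    """The six SLREQ_UC3 metrics, computed over functional requirements only."""
    funcs = [r for r in reqs if r.functional]
    counts = Counter(verification_status(r) for r in funcs)
    return {"Total": len(funcs), "Justified": counts["Justified"],
            "Passed": counts["Passed"], "Failed": counts["Failed"],
            "Unexecuted": counts["Unexecuted"], "None": counts["None"]}


def is_partition(metrics) -> bool:
    """Sanity check: the status buckets must account for every functional requirement."""
    return metrics["Total"] == sum(v for k, v in metrics.items() if k != "Total")


def mismatches(computed, reported):
    """Names of metrics where the tool's reported figure differs from the recomputation."""
    return sorted(k for k in computed if computed[k] != reported.get(k))


# Constructed sample data for the illustration (not from any real project).
SAMPLE = [
    Requirement("R1", implemented_by=["blk_a"], verified_by=["t1"], test_results={"t1": "Passed"}),
    Requirement("R2", implemented_by=["blk_b"], verified_by=["t2", "t3"],
                test_results={"t2": "Passed", "t3": "Failed"}),
    Requirement("R3", implementation_justified=True, verification_justified=True),
    Requirement("R4"),                                                   # no links at all
    Requirement("R5", implemented_by=["blk_c"], verified_by=["t5"]),     # t5 never executed
    Requirement("N1", functional=False, implemented_by=["blk_d"]),       # excluded from counts
]

if __name__ == "__main__":
    for name, m in (("Implementation", implementation_metrics(SAMPLE)),
                    ("Verification", verification_metrics(SAMPLE))):
        print(name, m, "partition ok" if is_partition(m) else "INCONSISTENT")
```

Running the script prints both metric sets and confirms that the status buckets partition the functional requirements. Comparing the computed dictionaries with the figures shown by the tool, and recording the output of mismatches(), is one concrete way to document that SLREQ_M2 and SLREQ_M3 were applied in the project.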

6.2.3 Validity of Tool Classification Summary


Table 6 provides a tool classification summary for the project under consideration and should be updated to
include any modifications that are identified in these sections (if any):

• Validity of Tool Use Cases on page 6-1
• Validity of Error Prevention and Detection Measures on page 6-4

Table 6 Validity of Tool Classification Summary

Columns: Potential Malfunction or Erroneous Output; Use Cases; TI; Justification for TI; Prevention / Detection Measures; TD; Justification for TD; TCL

[SLREQ_E1] Corruption of the requirements or links
  Use Cases: [SLREQ_UC1] Authoring and managing requirements and requirement links
  TI: TI2
  Justification for TI: Incorrect or incomplete requirements or links could result in incorrect implementation or incomplete testing of the implementation.
  Prevention / Detection Measure: [SLREQ_M1] Verification of requirements and traceability data in accordance with Clauses 6 and 9 of ISO 26262-8:2018.
    TD: TD1
    Justification for TD: Verification of requirements and traceability data will detect corrupted requirements or links with a high degree of confidence.
    TCL: TCL1

[SLREQ_E2] Incorrect implementation status
  Use Cases: [SLREQ_UC2] Assessment of requirements implementation status
  TI: TI2
  Justification for TI: Incorrect implementation status could result in incomplete implementation of the requirements.
  Prevention / Detection Measure: None
    TD: TD3
    Justification for TD: -
    TCL: TCL3
  Prevention / Detection Measure: [SLREQ_M2] Verification of implementation status
    TD: TD1
    Justification for TD: Manual verification will detect incorrect implementation status with a high degree of confidence.
    TCL: TCL1

[SLREQ_E3] Incorrect verification status
  Use Cases: [SLREQ_UC3] Assessment of requirements verification status
  TI: TI2
  Justification for TI: Incorrect verification status could result in incomplete verification of the requirements.
  Prevention / Detection Measure: None
    TD: TD3
    Justification for TD: -
    TCL: TCL3
  Prevention / Detection Measure: [SLREQ_M3] Verification of verification status
    TD: TD1
    Justification for TD: Manual verification will detect incorrect verification status with a high degree of confidence.
    TCL: TCL1

[SLREQ_E4] Incorrect change tracking data
  Use Cases: [SLREQ_UC4] Change tracking of requirement links
  TI: TI2
  Justification for TI: Incorrect change tracking data could result in implementation or verification of obsolete requirements.
  Prevention / Detection Measure: None
    TD: TD3
    Justification for TD: -
    TCL: TCL3
  Prevention / Detection Measure: [SLREQ_M4] Verification of change tracking data
    TD: TD1
    Justification for TD: Manual verification will detect incorrect change tracking data with a high degree of confidence.
    TCL: TCL1

[SLREQ_E5] Generation of erroneous requirement report
  Use Cases: [SLREQ_UC5] Generation of requirement report
  TI: TI2
  Justification for TI: An erroneous requirements report used for verification could result in the omission of errors and the use of invalid implementation, verification, or change tracking status.
  Prevention / Detection Measure: None
    TD: TD3
    Justification for TD: -
    TCL: TCL3
  Prevention / Detection Measure: [SLREQ_M5] Verification of requirements report content
    TD: TD1
    Justification for TD: Manual verification will detect incorrect report content with a high degree of confidence.
    TCL: TCL1

[MISC_E1] Usage of incorrect input data
  Use Cases: All
  TI: TI2
  Justification for TI: Incorrect input data could result in incorrect or incomplete analysis results. It could introduce or fail to detect an error in safety-related items or elements being developed.
  Prevention / Detection Measures: [MISC_M1] Revision control and configuration management; [MISC_M5] Addressing tool errors and warnings
    TD: TD1
    Justification for TD: Revision control and configuration management provides integrity of the input data. Using checksums allows the unique identification of the input data. Invalid or corrupted input data will be reported by the tool and addressed by the user.
    TCL: TCL1

[MISC_E2] Misinterpretation of tool results
  Use Cases: All
  TI: TI2
  Justification for TI: Misinterpretation of analysis results could prevent errors from being detected.
  Prevention / Detection Measure: [MISC_M2] Competency of the project team
    TD: TD1
    Justification for TD: Training of users can prevent these issues.
    TCL: TCL1

[MISC_E3] Incorrect tool usage
  Use Cases: All
  TI: TI2
  Justification for TI: Incorrect tool usage could result in incorrect or incomplete analysis results. It could introduce or fail to detect an error in safety-related items or elements being developed.
  Prevention / Detection Measures: [MISC_M2] Competency of the project team; [MISC_M5] Addressing tool errors and warnings
    TD: TD1
    Justification for TD: Training of users can ensure correct usage of the tool. Invalid tool inputs or incompatible settings that are caused by incorrect tool usage will be reported by the tool and addressed by the user.
    TCL: TCL1

[MISC_E4] Incorrect, modified, or incompatible with environment tool installation
  Use Cases: All
  TI: TI2
  Justification for TI: Incorrect or modified installation could result in incorrect or incomplete analysis results. It could introduce or fail to detect an error in safety-related items or elements being developed.
  Prevention / Detection Measure: [MISC_M3] Adherence to installation instructions and validation of tool installation integrity
    TD: TD1
    Justification for TD: Adherence to installation guide instructions provides a seamless installation. Validation of the installed tool provides integrity of the tool installation. This could include re-running the validation tests shipping with the IEC Certification Kit before using the tool.
    TCL: TCL1
  Prevention / Detection Measure: [MISC_M4] Analysis of available bug report information
    TD: TD1
    Justification for TD: Analysis of the bug report information and use of recommendations and workarounds minimizes the impact of tool bugs.
    TCL: TCL1



6.3 Validity of Generic Tool Qualification

Applicable Tool Confidence Level: <Insert TCL1 or TCL3>

<Insert results of the confirmation review. If claiming TCL3, reference the confirmation review
documentation.>

6.4 Conformance with Reference Workflow


Applicable Tool Confidence Level: <Insert TCL1 or TCL3>

<Insert reference to customized and completed Conformance Demonstration Template for the project.>

