Tool Qualification TCL ISO 26262: Complete Guide (TI, TD & Methods 1a–1d)
Hello, automotive embedded software engineers, safety managers, and development tool evaluators! Every software tool used in the development or verification of safety-related automotive software must be evaluated – and potentially qualified – to ensure that tool malfunctions do not introduce undetected errors into the final product. Tool qualification and the determination of the Tool Confidence Level (TCL) are defined in ISO 26262 Part 8, Clause 11, and they apply to every project that claims ISO 26262 compliance.
In this comprehensive guide at PiEmbSysTech, we will walk you through the complete process – from understanding why tool qualification exists, through the TI/TD/TCL classification, to the four qualification methods (1a, 1b, 1c, 1d), with practical examples for the most common development tools. Let us begin.
Tool Qualification TCL ISO 26262 Table of Contents
- Why Tool Qualification Exists – The Risk of Tool Malfunctions
- Which Tools Need Qualification?
- The Tool Classification Process – Three Steps
- Tool Impact (TI) – TI1 vs TI2
- Tool Error Detection (TD) – TD1, TD2, TD3
- TCL Determination – The TI × TD Matrix
- What Each TCL Level Means in Practice
- The Four Qualification Methods – 1a, 1b, 1c, 1d
- Selecting Qualification Methods by TCL and ASIL
- Practical Tool Classification Examples
- Compiler and Linker Qualification
- MISRA Static Analysis Tool Qualification
- Unit Testing and Coverage Tool Qualification
- Code Generator and Model-Based Tool Qualification
- Requirements Management and Configuration Tools
- TÜV Certification vs Project-Specific Qualification
- Complete Tool Qualification Workflow – Step by Step
- Common Mistakes and How to Avoid Them
- Frequently Asked Questions
- Conclusion
1. Why Tool Qualification Exists – The Risk of Tool Malfunctions
Software tools are integral to modern automotive software development – compilers generate the executable code, static analysis tools verify coding standard compliance, unit testing tools verify functionality, and code coverage tools measure test completeness. If any of these tools malfunctions, it can have direct safety consequences: a compiler bug could silently generate incorrect machine code from correct source code, a MISRA checker could fail to detect a dangerous coding violation, a coverage tool could report 100% coverage when actual coverage is incomplete, and a code generator could introduce subtle errors not present in the model.
ISO 26262 Part 8, Clause 11 addresses this risk by requiring that every software tool used in the safety lifecycle be evaluated for its potential to impact the safety of the final product. Tools that could introduce or fail to detect errors must be qualified to establish confidence in their correct functioning.
2. Which Tools Need Qualification?
The tool qualification requirements apply to any software tool whose output is relied upon for a safety-related activity and whose output is not fully verified independently. This includes compilers and linkers (generate executable code from source), static analysis tools (verify coding standard compliance and detect potential defects), unit testing frameworks (execute test cases and report pass/fail), code coverage tools (measure structural coverage), code generators (generate source code from models), requirements management tools (manage and trace safety requirements), and configuration management tools (manage software versions and builds).
Tools whose output is fully verified by subsequent activities may not need qualification – for example, a text editor does not need qualification because the source code it produces is subsequently compiled, analyzed, and tested. However, the boundary between “needs qualification” and “doesn’t need qualification” depends on the specific project workflow and must be evaluated case by case.
3. The Tool Classification Process – Three Steps
Tool classification is the first phase of the tool qualification process. It determines whether a tool needs formal qualification and, if so, at what level. The classification follows three steps: determine the Tool Impact (TI), determine the Tool Error Detection (TD), and derive the Tool Confidence Level (TCL) from the TI × TD combination.
4. Tool Impact (TI) – TI1 vs TI2
Tool Impact evaluates whether a malfunctioning tool can affect the safety of the final product.
TI1: The tool does not have the potential to introduce or fail to detect errors in the safety-related item. The tool’s output does not directly influence the safety-relevant software or hardware. Examples: text editors, project management tools, documentation generators, email clients.
TI2: The tool does have the potential to introduce errors (development tools like compilers, code generators) or to fail to detect errors (verification tools like MISRA checkers, coverage tools, unit testing tools). Most development and verification tools used in the software lifecycle are TI2.
If TI = TI1, the tool is automatically classified as TCL1 – no qualification is needed. If TI = TI2, the second step (TD determination) is required.
5. Tool Error Detection (TD) – TD1, TD2, TD3
For TI2 tools, Tool Error Detection (TD) evaluates the probability that errors introduced or missed by the tool will be detected by subsequent activities in the development process – either by measures internal to the tool or by external measures in the workflow.
TD1 (High confidence): There is high confidence that tool errors will be prevented or detected. Example: A code generator whose output source code is fully verified through unit testing, integration testing, and code review – even if the generator introduces an error, the subsequent verification will detect it.
TD2 (Medium confidence): There is medium confidence that tool errors will be detected. Example: A static analysis tool that checks for division-by-zero, but unit testing also covers division-by-zero cases – the tool error would likely (but not certainly) be caught.
TD3 (Low confidence): There is low confidence that tool errors will be detected. Example: A static analysis tool that is the sole means of verifying a particular safety property – if the tool fails to detect a violation, no other process step would catch it.
6. TCL Determination – The TI × TD Matrix
| TD1 (High) | TD2 (Medium) | TD3 (Low) | |
|---|---|---|---|
| TI1 (No impact) | TCL1 | TCL1 | TCL1 |
| TI2 (Has impact) | TCL1 | TCL2 | TCL3 |
TCL1: No qualification needed. TCL2: Qualification needed (medium confidence required). TCL3: Qualification needed (high confidence required – most stringent methods).
7. What Each TCL Level Means in Practice
TCL1: The tool either has no safety impact (TI1) or its errors would be detected by subsequent process steps (TI2 + TD1). No formal tool qualification is required. The tool classification analysis itself (documenting the TI, TD, and TCL determination) must still be documented in the Criteria Evaluation Report.
TCL2: The tool has safety impact and medium confidence in error detection (TI2 + TD2). Formal tool qualification is required, with the specific methods depending on the ASIL of the project. The tool must be demonstrated to function correctly for the use cases relevant to the safety project.
TCL3: The tool has safety impact and low confidence in error detection (TI2 + TD3). This is the most stringent level – formal tool qualification with the most rigorous methods is required, particularly for ASIL C and D projects.
8. The Four Qualification Methods – 1a, 1b, 1c, 1d
ISO 26262 Part 8, Clause 11.4.6 defines four tool qualification methods. A suitable combination of these methods must be used for TCL2 and TCL3 tools.
Method 1a – Increased confidence from use: Relies on extensive prior experience with the tool to demonstrate that it functions correctly. Requires documented evidence of long-term, widespread use in comparable projects without safety-relevant tool malfunctions. In practice, 1a is difficult to satisfy rigorously because the evidence of “no tool errors in prior use” must be systematic and comprehensive.
Method 1b – Evaluation of the tool development process: Evaluates whether the tool was developed using a rigorous development process that reduces the likelihood of tool errors. This is typically demonstrated through the tool vendor’s compliance with an appropriate standard (e.g., IEC 61508, ISO 9001 with additional safety extensions). Method 1b is commonly used by tool vendors who have their development process assessed by a certification body (e.g., TÜV SÜD, SGS-TÜV).
Method 1c – Validation of the software tool: Validates the tool against its specification through systematic testing – verifying that the tool produces correct output for the use cases relevant to the safety project. Method 1c is the most commonly used method in practice because it directly demonstrates correct tool behavior for the specific use cases. Tool vendors typically provide Tool Qualification Kits (TQKs) or Tool Qualification Support Kits (TQSKs) that contain pre-defined validation test suites.
Method 1d – Development in accordance with a safety standard: Requires that the tool itself was developed in compliance with a recognized safety standard (e.g., IEC 61508 for safety-related development, DO-178C for aerospace software). This is the most rigorous method but rarely applicable because most commercial development tools are not developed to a safety standard. Method 1d is primarily relevant for specialized safety tools developed within the automotive safety ecosystem.
9. Selecting Qualification Methods by TCL and ASIL
| Method | TCL2 | TCL3 | ||||||
|---|---|---|---|---|---|---|---|---|
| A | B | C | D | A | B | C | D | |
| 1a – Increased confidence from use | + | + | + | + | + | + | + | + |
| 1b – Evaluation of development process | + | + | ++ | ++ | + | ++ | ++ | ++ |
| 1c – Validation of the software tool | + | ++ | ++ | ++ | ++ | ++ | ++ | ++ |
| 1d – Development per safety standard | + | + | ++ | ++ | + | ++ | ++ | ++ |
+ = Recommended, ++ = Highly Recommended. In practice, most tool qualifications use 1b + 1c or 1c alone.
10. Practical Tool Classification Examples
| Tool | TI | TD | TCL | Rationale |
|---|---|---|---|---|
| Text editor | TI1 | — | TCL1 | Editor output (source code) is fully verified by subsequent compilation, analysis, and testing |
| C compiler/linker | TI2 | TD1* | TCL1* | *If generated object code is fully verified via testing; otherwise TD3 → TCL3 |
| MISRA static analysis tool | TI2 | TD2/TD3 | TCL2/3 | TD2 if code review also checks MISRA; TD3 if tool is sole MISRA enforcement |
| Unit testing framework | TI2 | TD2/TD3 | TCL2/3 | TD3 if unit test results are the sole evidence of unit correctness |
| Code coverage tool | TI2 | TD3 | TCL3 | If coverage tool under-reports, untested code goes undetected; no independent check |
| Code generator (Simulink) | TI2 | TD1/TD3 | TCL1/3 | TD1 if generated code is fully tested; TD3 if only back-to-back tested at model level |
| Requirements management tool | TI1 | – | TCL1 | Traceability and requirement content verified through reviews; tool organizes, not creates |
| Project management tool | TI1 | – | TCL1 | No impact on safety-relevant software artifacts |
11. Compiler and Linker Qualification
Compilers are one of the most discussed tools in tool qualification because they can silently introduce errors – the generated object code may not faithfully represent the source code. The TCL classification depends critically on the project’s verification workflow. If the generated object code (or the source code after preprocessing) is fully tested through unit testing, integration testing, and structural coverage analysis, then tool errors in the compiler would be detected by these subsequent tests – supporting a TD1 classification and TCL1 (no qualification needed). However, if the testing is incomplete or the compiler is responsible for safety-critical optimizations that are not independently verified, TD3 and TCL3 may be appropriate – requiring formal qualification. Compiler qualification via method 1c typically involves running a compiler test suite (such as the SuperTest or Plum Hall test suites) against the language standard to verify correct compilation for the relevant language features.
12. MISRA Static Analysis Tool Qualification
MISRA static analysis tools (Polyspace, Coverity, PC-lint, LDRA, QA-MISRA, Parasoft) have TI2 because they can fail to detect MISRA violations – and if that violation leads to a runtime failure, the safety could be compromised. The TD depends on whether other measures also check for the same issues – if code reviews also verify MISRA compliance, TD2 may be justified. If the static analysis tool is the sole enforcement mechanism, TD3 applies and TCL3 qualification is needed. Most commercial MISRA tools provide Tool Qualification Support Kits (TQSKs) that include pre-defined test suites for method 1c validation and documentation for method 1b process assessment. Many are TÜV-certified for ISO 26262 up to ASIL D.
13. Unit Testing and Coverage Tool Qualification
Unit testing frameworks (VectorCAST, Cantata, Tessy, Parasoft C/C++test) and code coverage tools are TI2 because they can fail to detect defects (if the test framework incorrectly reports a pass) or under-report coverage (if the coverage tool misses untested paths). Coverage tools are typically TCL3 because there is rarely an independent second method to verify coverage metrics – if the tool reports 100% MC/DC but the actual coverage is lower, no subsequent process step would detect this. Unit testing frameworks may be TCL2 if the test results are also verified through code review or independent testing. Leading tools (Cantata, VectorCAST) are TÜV-certified at TCL1 for specific usage workflows.
14. Code Generator and Model-Based Tool Qualification
Code generators (MATLAB/Simulink Embedded Coder, TargetLink, dSPACE TargetLink) transform models into source code. Their classification depends heavily on the verification of the generated code. If the generated code is fully verified through the same unit testing and coverage analysis as hand-written code, the code generator can achieve TD1 → TCL1. If verification relies solely on model-level back-to-back testing without code-level verification, TD3 → TCL3 applies. MathWorks provides IEC 61508/ISO 26262 certification kits for Embedded Coder and Simulink that support method 1b + 1c qualification.
15. Requirements Management and Configuration Tools
Requirements management tools (IBM DOORS, Polarion, Jama Connect, codebeamer) are typically TI1 because they organize and trace requirements – they do not generate or verify safety-relevant code. The correctness of requirements content is verified through reviews, not through the tool’s internal logic. Similarly, configuration management tools (Git, SVN, ClearCase) are TI1 because they store and version files – the correctness of the stored content is verified through other means. These tools typically classify as TCL1 without qualification.
16. TÜV Certification vs Project-Specific Qualification
Many tool vendors obtain TÜV (or SGS-TÜV) certification for their tools – a third-party assessment that the tool has been evaluated according to ISO 26262 and/or IEC 61508 tool qualification requirements. It is important to understand what this certification covers and what it does not.
A TÜV certificate typically confirms that the tool vendor has performed methods 1b and/or 1c for a defined set of use cases and that the tool’s development process has been assessed. The certificate may state the maximum TCL and ASIL for which the tool is certified. However, the tool qualification is always the responsibility of the tool user (the project), not the tool vendor. The TÜV certificate reduces the user’s qualification effort – the user can leverage the vendor’s 1b/1c evidence – but the user must still perform the tool classification (TI, TD, TCL) for their specific project and verify that the vendor’s certified use cases align with their actual usage. If the user’s use cases differ from the certified use cases, additional project-specific validation may be needed.
17. Complete Tool Qualification Workflow – Step by Step
Step 1 — Inventory all tools: List every software tool used in the safety lifecycle for the project.
Step 2 – Document tool use cases: For each tool, document the specific use cases – how the tool is used, what inputs it receives, and what outputs are relied upon for safety.
Step 3 – Classify each tool (TI, TD, TCL): Determine TI1 or TI2. For TI2 tools, determine TD1, TD2, or TD3. Derive the TCL from the TI × TD matrix. Document the classification rationale in the Criteria Evaluation Report.
Step 4 – For TCL2/TCL3 tools, select qualification methods: Based on the TCL and project ASIL, select the appropriate combination of methods 1a–1d from the Part 8 tables.
Step 5 – Perform qualification activities: Execute the selected methods – obtain vendor 1b/1c evidence, run tool validation test suites, document results.
Step 6 – Create the Tool Qualification Report: Document the qualification evidence, results, and conclusions. This report is a required work product for the safety case.
Step 7 – Maintain qualification through tool updates: When a tool version changes, reassess whether the qualification remains valid or needs to be updated.
18. Common Mistakes and How to Avoid Them
Mistake 1: Assuming TÜV certification eliminates the need for project-specific classification. TÜV certification supports the qualification but does not replace the user’s responsibility to classify the tool for their specific project and verify that the certified use cases match their actual usage.
Mistake 2: Classifying all tools as TCL1 without proper analysis. Some projects attempt to argue TD1 for every tool to avoid qualification. This is only valid if subsequent process steps genuinely detect the tool’s potential errors. The argument must be specific, documented, and credible.
Mistake 3: Not qualifying the compiler. If the compiler is classified as TCL1 based on TD1 (full verification of generated code), the argument is valid. But if the project’s testing does not fully cover all compiler-generated code paths, the TD1 claim is not justified — and the compiler needs qualification.
Mistake 4: Ignoring tool version changes. Tool qualification is specific to a tool version. When the tool is updated (even a minor version), the qualification validity must be reassessed.
Mistake 5: Not documenting the Criteria Evaluation Report. Even for TCL1 tools, the classification analysis (TI, TD, TCL, rationale) must be documented. The absence of this documentation is a common audit finding.
Mistake 6: Treating tool qualification as a tool vendor problem. Tool qualification is the project’s (user’s) responsibility. The vendor can support with evidence and certification, but the user must perform the classification and ensure the qualification covers their use cases.
19. Frequently Asked Questions
Q1: Is tool qualification required for ASIL A projects?
Yes. Part 8 Clause 11 applies to all ASILs. The classification (TI, TD, TCL determination) must be performed for all projects. However, the qualification methods for TCL2/TCL3 tools at ASIL A are less stringent (all methods are “recommended” rather than “highly recommended”).
Q2: Can I use the same tool qualification across multiple projects?
Yes, if the tool version, configuration, use cases, and ASIL are the same. The Criteria Evaluation Report and Qualification Report can be reused with documented evidence that the project-specific conditions match. If use cases differ, additional project-specific analysis is needed.
Q3: Does a tool certified to IEC 61508 satisfy ISO 26262?
IEC 61508 tool certification provides strong evidence that can be leveraged for ISO 26262 method 1b (evaluation of development process). However, ISO 26262 has specific automotive requirements that may go beyond IEC 61508. The user must verify that the IEC 61508 certification covers the ISO 26262 requirements for their specific use cases.
Q4: Can open-source tools be used and qualified?
Yes, but qualification is more challenging because the development process (method 1b) is typically not assessed by a third party, and the user may need to perform extensive tool validation (method 1c) themselves. GCC compiler, for example, can be used in safety projects if properly qualified – but the qualification effort may be significant.
Q5: What is a Tool Qualification Kit (TQK)?
A TQK is a package provided by the tool vendor that includes tool use case descriptions, tool classification analysis supporting evidence, validation test suites (for method 1c), development process documentation (for method 1b), and templates for the user’s Criteria Evaluation Report and Qualification Report. Leading tool vendors (Parasoft, QA Systems, LDRA, MathWorks, VectorCAST) provide TQKs specifically for ISO 26262.
20. Conclusion
Tool qualification is a necessary – and often underestimated – aspect of ISO 26262 compliance. By systematically classifying every tool’s impact (TI) and error detectability (TD), determining the required Tool Confidence Level (TCL), and applying the appropriate qualification methods (1a–1d), development teams can ensure that their tools do not become a hidden source of undetected safety errors. The key to efficient tool qualification is integrating it into the project planning from day one, leveraging vendor-provided TÜV certifications and TQKs where available, and maintaining clear documentation of the classification rationale for every tool in the development chain.
This article is part of our comprehensive ISO 26262 series at PiEmbSysTech. For the foundational Part 8 coverage, see Part 8 – Supporting Processes & Tool Qualification.
Stay safe. Stay tool-qualified. Keep engineering the future.
— The PiEmbSysTech Team
Discover more from PiEmbSysTech - Embedded Systems & VLSI Lab
Subscribe to get the latest posts sent to your email.
