Mentor has an especially strong position in the automotive space given their broad span of embedded, SoC, mechanical, thermal and system design tools. Of course, these days demonstrating ISO 26262 compliance is mandatory for semiconductor and systems suppliers, so EDA vendors need to play their part to support those suppliers in demonstrating that the components and design tools they offer meet appropriate levels of certification.
Mentor has recently announced the Mentor Safe Program which aims to comprehensively qualify and document, to ISO 26262 standards, a select range of components and design tools used in the design of automotive systems. This includes the software components Nucleus SafetyCert and the Volcano VSTAR AUTOSAR basic software stack, as well as several design tool qualifications. This is an important addition for systems suppliers who ultimately must demonstrate complete compliance to the standard. The Safe Program provides the documentation and certification to back that up in areas covered by Mentor components and tooling.
Nucleus SafetyCert is a version of the popular Nucleus RTOS, in the certification process with TÜV-SÜD, and is verified and documented to meet requirements for device manufacturers developing to avionics DO-178C Level A, industrial IEC 61508 SIL 3, medical IEC 62304 Class C, and automotive ISO 26262 ASIL B. Volcano VSTAR is also TÜV-SÜD certified to ASIL B. The process for design tools is a little different because what is required for a tool depends on the tool classification level (TCL). I’ll talk a little about that further on in this piece.
ISO 26262 is dry stuff, but we need to understand it if we want to succeed in this rapidly growing market so it’s worth digging into the process in a bit more detail. By way of example, look at what Mentor supplies in the Nucleus SafetyCert certification package:
- Source code
- Documentation on the software development, configuration management and QA processes
- Documentation on the requirements process, design standards and coding standards
- Documentation on the software verification process, the test plan and the complete software test suite
- A safety manual to be used by system integrators to guide correct/permissible usage
All of this with traceability across the safety lifecycle and extensive hyperlinking to simplify audits and reviews. (And yes, you need to sign an NDA to get access to this package!)
For tools, Mentor generates a report which becomes a component of documentation for their product certification where required. These have up to 8 sections:
- Sections 1, 2 and 3 covering boilerplate information on the document and the tool classification process.
- Section 4 covering the tool classification: the tool impact (TI) and tool error detection (TD) levels, leading to a tool confidence level (TCL), based on use-cases, configuration, environment, safety checks and tool/tool-chain restrictions. If the classification is TCL1, the rest of the report is not required.
(The following sections are only required for tools at TCL2 or TCL3 levels)
- Section 6 describes the software tool qualification process
- Section 7 describes the tool qualification – QA documents, test-cases, errata and tool error detection relative to use-cases
- Section 8 describes the software tool qualification conclusion
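As an added illustration (my own sketch, not Mentor's code or anything taken from their reports), the following Python models the classification step described above: the TI/TD-to-TCL combination is the rule from ISO 26262-8 clause 11, the report-section rule is the one just listed, and the two hypothetical tools, their use cases, their TI/TD values and the worst-case aggregation across use cases are assumptions of mine.

```python
# Added example, not from the post or from Mentor. Models the ISO 26262-8
# tool classification step: per-use-case TI/TD -> TCL, worst case across
# use cases (assumption), then the report sections the post says are needed.
from dataclasses import dataclass


@dataclass(frozen=True)
class UseCase:
    name: str
    ti: int  # tool impact: 1 = a malfunction cannot inject or miss an error, 2 = it can
    td: int  # tool error detection: 1 = high confidence, 2 = medium, 3 = low


def tcl_for(ti: int, td: int) -> int:
    """ISO 26262-8 clause 11: TI1 or TD1 -> TCL1; TI2+TD2 -> TCL2; TI2+TD3 -> TCL3."""
    if ti not in (1, 2) or td not in (1, 2, 3):
        raise ValueError(f"invalid TI/TD combination {ti}/{td}")
    if ti == 1 or td == 1:
        return 1
    return td


def classify_tool(use_cases) -> int:
    """Assumption: the highest TCL of any use case governs the tool."""
    if not use_cases:
        raise ValueError("at least one use case is required")
    return max(tcl_for(uc.ti, uc.td) for uc in use_cases)


def required_report_sections(tcl: int):
    """Per the post: sections 1-4 always; 6-8 only for TCL2 or TCL3."""
    sections = [1, 2, 3, 4]
    if tcl >= 2:
        sections += [6, 7, 8]
    return sections


# Constructed, hypothetical use cases; these do not describe any real Mentor tool.
TOOL_A = [
    UseCase("trace requirements to tests", ti=2, td=1),  # downstream review catches gaps
    UseCase("produce a coverage summary", ti=1, td=3),   # output is informational only
]
TOOL_B = [
    UseCase("insert test logic into netlist", ti=2, td=2),  # simulation catches most errors
    UseCase("report insertion statistics", ti=1, td=2),     # no safety-relevant output
]

if __name__ == "__main__":
    for label, ucs in (("Tool A", TOOL_A), ("Tool B", TOOL_B)):
        t = classify_tool(ucs)
        print(f"{label}: TCL{t}, report sections {required_report_sections(t)}")
```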
Tools that are currently covered by this certification program are several of the Tessent silicon test and yield analysis tools and ReqTracer for requirements tracing. Mentor intends to add more tools over time.
Nine of the Tessent silicon test and yield analysis tools can be used at the TCL2 level so have been certified through SGS-TÜV-Saar for use at any TCL level. ReqTracer is classified as TCL1 so is not required to have certification. However, Mentor provides justification in their report for the tool on why they classified the tool impact (TI) and tool error detection (TD) levels leading to this TCL classification.
Per the ISO 26262 standard, this is all Mentor must do to demonstrate compliance for a TCL1 tool, but they have actually taken it a step further for ReqTracer. The standard requires that confirmation measures (review and approval of the process) are assessed by a different person than the one who performed the classification (a level I1 degree of independence per the standard), but Mentor took the review to level I3, where the review was performed by an independent Functional Safety Certified Automotive Manager (FSCAM). Looks like they take this pretty seriously.
You can read more about the Mentor Safe program HERE.