Relation to safety standards

Safety standards such as ISO 26262, DO-178B, DO-178C, IEC-61508, and EN-50128 require identifying functional and non-functional hazards and demonstrating that the software does not violate the relevant safety goals.

Some non-functional safety hazards can be critical for the correct functioning of the system, in particular violations of timing constraints in real-time software and software crashes due to runtime errors or stack overflows. Depending on the criticality level of the software, the absence of such hazards has to be demonstrated by formal methods or by testing with sufficient coverage.

IEC-61508 requires the use of software off-line support tools as part of the software development activities. These include translation tools such as compilers, assemblers, and linkers, as well as verification/validation tools such as static code analyzers or theorem-proving assistants.

IEC-61508 defines three tool classes:

T2/T3 tools are required to have a specification that defines the behavior of the tool and any instructions or constraints on its use. For T3 tools, evidence has to be provided that the tool meets its specification. This evidence may be based on confidence from use or on a tool validation. The evidence listed for T3 tools may also be used for T2 tools. The requirements on tool validation results are formulated in clause 7.4.4.7 and include:

Each new version of the off-line support tool has to be qualified.

The requirements of CENELEC EN-50128 on providing evidence for correct tool behavior are largely identical to those of the base standard IEC-61508. The same applies to IEC 60188 and ISO 25119.

User story

Report by MTU Friedrichshafen on integrating and qualifying CompCert, aiT, StackAnalyzer, Astrée and RuleChecker according to IEC 60880 and IEC 61508-3:2010 for a certification project in the nuclear energy domain.