Automating Tool Qualification for Safety-Critical Systems

See what API testing solution came out on top in the GigaOm Radar Report. Get your free analyst report >>

Tool Qualification for Safety-Critical Airborne Systems

Safety-critical software development standards recommend that manufacturers prove that the tools they’re using to develop software don’t introduce issues and do provide correct, predictable results.

The process of providing such evidence is known as tool qualification. While it’s a necessary process, tool qualification is often a tedious and time-consuming activity for which many organizations fail to plan. To make this painless, select tools are certified and have a history of being used in the development of safety-critical applications.

In the case of airborne systems software development, DO-330, Software Tool Qualification Considerations, provides guidance on tool qualification. The purpose is to provide a framework for a tool qualification life cycle that includes planning, verification, quality assurance, and documentation. There are different levels of tool qualification from 1 to 5, with 5 being the least rigorous. The level is based on the possible impact of the tool on system safety.

Here are some of the key steps involved in tool qualification, according to DO-330.

Plan for Tool Qualification

A comprehensive tool qualification plan (TQP) is required. In this plan, define the scope of the qualification effort, identify the tools to be qualified, outline the qualification activities, and specify the qualification objectives.

Tool Classification

Software tools are classified based on their impact on system safety primarily but also the potential impact on the development and verification processes. Tools are classified into one of five Tool Qualification Levels (TQL): TQL 1, TQL 2, TQL 3, TQL 4, TQL 5. TQL 1 represents the highest impact and TQL 5 the lowest.

Tool Assessment

Conduct a thorough assessment of each tool’s development process, documentation, and characteristics to determine its qualification requirements. This includes reviewing the tool’s design, verification, validation, and maintenance procedures. Obviously, this requires cooperation if tools are purchased from third parties.

Tool Qualification Assurance Levels (AL)

Assign an Assurance Level that corresponds to DO-278A assurance levels to each tool based on the TQL and the level of confidence in the tool’s development process. ALs range from AL 1 (highest assurance) to AL 5 (lowest assurance).

Tool Verification and Validation

Perform the necessary verification and validation activities for each tool, demonstrating correct operation and accurate results.

Tool Life Cycle Maintenance

Establish a process for the ongoing maintenance and monitoring of each tool. This includes periodic reviews, updates, and requalification as needed when changes occur to the tool or its environment.

Qualification Records

Maintain records of all tool qualification activities, including the assessment, verification, validation, and results. These records are essential for audit purposes and to demonstrate compliance with DO-330.

Final Qualification Report

Prepare a final qualification report for each tool, summarizing the entire qualification process, the results of assessments and verification and validation activities, and the compliance status with DO-330 requirements.

The end deliverable is proof in the form of documentation. The qualification process outlined in DO-330 is complex and time consuming. Parasoft’s Qualification Kits for C/ C++test includes a convenient tool wizard that brings automation into the picture and reduces the time and effort required for tool qualification.

Image of the Parasoft C/C++test and C/C++test CT TÜV SÜD certificate — Parasoft C/C++test and C/C++test CT TÜV SÜD certificate

Precertified Tools

Tool qualification needs to start with tool selection to ensure that you’re using a development tool that’s certified by an organization like TOV SOD. This will significantly reduce the effort when it comes to tool qualification.

Parasoft C/C++test, C/C++test CT, and DTP are certified by TOV SOD for functional safety according to IEC, ISO, and other functional safety industry standards for both host based and embedded target applications. Though the certificate is not enough for RTCA DO-178C/DO-330, it demonstrates a historical commitment by Parasoft in providing quality products.

To satisfy DO-330 tool qualification requirements, C/C++ software development paves the way for a streamlined qualification of static analysis, unit testing, and coverage requirements for the safety-critical standards by offering a tool qualification kit that automates the tool qualification process for any development host and/or target ecosystem.

Automating Tool Qualification Testing

Traditionally, tool qualification has meant significant amounts of manual labor, testing, and documenting to satisfy a certification audit. But this documentation-heavy process requires manual interpretation and completion. As a result, it’s time consuming and adds to an organization’s already heavy testing schedule and budget.

Parasoft leverages its own software test automation tool qualification with Qualification Kits, which include a documented workflow to dramatically reduce the amount of effort required.

Photo of a Bell Boeing V-22 Osprey preparing to land atop a dirt field with dust kicking up and green hills in the background.

Benefits of Using the Qualification Kits

Automatically reduce the scope of qualification to only the parts of the tool in use.
Automate tests required for qualification as much as possible.
Manage any manual tests as eloquently as possible and integrate results alongside automated tests.
Automatically generate audit-ready documentation that reports on exactly what’s being qualified-not more, not less.

Qualify Only the Tools Used

There should be no need to do any extra work for qualifying capabilities not used during development. Reducing the scope of testing, reporting, and documentation is a key way to reduce the qualification workload.

For example, as part of the DO-178C/DO-330 tool qualification kit and process, users can select Parasoft C/C++test for static analysis of C/C++ code to check its compliance to the MISRA C:2023 standard. The tool then selects only the parts of the qualification suite needed for this function.

Two side by side screenshots of C/C++test. The one on the left lists Use Cases of C/C++test. The one on the right show lists Standard and Level Selection for Qualification.

Screenshot of Parasoft C/C++test showing Feature Selection for Parasoft Qualification Kits. — Parasoft Qualification Kits allow users to select the options required for their project. Upon selection, only tests and documentation are used and provided from this point forward.

Leverage Test Automation & Analytics

A unique advantage to qualifying test automation tools is that the tools can be used to automate their own testing. Automating this as much as possible is key to making it as painless as possible. Even manual tests, which are inevitable for any development tool, are handled as efficiently as possible. Step by step instructions are provided and results are entered and stored as part of the qualification record.

Parasoft C/C++test collects and stores all test results from each build. Tests run as they do for any type of project. These results are brought into the test status wizard in the Parasoft Qualification Kits to provide a comprehensive overview of the results like those shown below.

Screenshot of Test Status From Tool Chain With C/C++test — Leveraging centralized data collection and automating the qualification process greatly reduces manual tracking of the compliance progress.

Managing Known Defects

Every development tool has known bugs and any vendor selling products for safety- critical development must have these documented. There’s more to dealing with known defects than just documenting them.

Screenshot of Parasoft C/C++test Mitigation Selection listing known defects. — Known defects are managed directly in Parasoft C/C++test.

Tool qualification requires proof that these defects are not affecting the results used for verification and validation. For each known defect, the manufacturer must provide a mitigation for each one and document it to the satisfaction of the certifying auditor.

It’s incumbent on the tool vendor to automate the handling of known defects as much as possible. After all, the vendor is expecting customers to deal with third-party software bugs as part of their workload!

The Parasoft C/C++test Qualification Kits include a wizard to automate the recording of mitigation for known defects as shown in the example below.

Automation of Tool Qualification Documentation

The end result of tool qualification is documentation and lots of it. Every test executed with results, every known defect with mitigation, manual test results, and exceptions are all recorded and reported. Qualification kits from other vendors can be just documentation alone and, without automation, documenting compliance is tedious.

Instead, using the Qualification Kits for C/C++test, the critical documents are generated automatically as part of the workflow.

Tool Classification Report

Determines the qualification needed and presents the maximum safety level classification for C/C++test and C/C++test CT based on the use cases selected by the user.

Tool Qualification Plan

Describes how C/C++test and C/C++test CT will be qualified for use in a safety relevant development project.

Tool Qualification Report

Demonstrates that C/C++test and C/C++test CT have been qualified according to the tool qualification plan.

Tool Safety Manual

Describes how C/C++test and C/C++test CT should be used safely, for example, in compliance with safety standards like IEC 62304 in safety-critical projects.

In each of these documents, only the documentation required for the tool featured in use is generated because the scope of the qualification was narrowed down at the beginning of the project. Teams greatly reduce the documentation burden with automation and narrowing the qualification scope.