Scope and Purpose
CAN/CSA ISO/IEC TR 19755-12:2016 is the Canadian adoption of the Technical Report ISO/IEC TR 19755-12:2016, developed by ISO/IEC JTC 1/SC 7. This Technical Report provides a framework for evaluating software development tools that are used in the creation of safety-critical systems. It is part of a multi-part series offering guidance across various aspects of tool evaluation, and this specific part addresses the classification, selection, and qualification of tools based on their potential impact on system safety.
The document applies to a wide range of safety-related industries including automotive (ISO 26262), aerospace (DO-178C), medical devices (IEC 62304), and industrial automation (IEC 61508). Its primary purpose is to help organisations determine the level of confidence required for a development tool and to define an appropriate evaluation strategy that balances rigour with cost-effectiveness.
The report is voluntary but may be used to demonstrate due diligence during certification or regulatory audits. It provides a common terminology and a systematic approach that can be referenced in contractual agreements and internal quality processes.
Technical Requirements and Framework
Tool Classification According to Influence on Safety
The core technical concept introduced in CAN/CSA ISO/IEC TR 19755-12:2016 is the classification of software development tools according to their influence on the safety of the final product. Three tool influence levels (TILs) are defined:
- TIL 1 – Tools that do not directly produce or verify safety-related outputs and are unlikely to introduce errors into the safety process.
- TIL 2 – Tools that produce or partially verify safety-related outputs and whose failure could affect functional safety.
- TIL 3 – Tools that directly generate or verify safety-critical artifacts, and whose undetected failure could lead to a hazardous outcome.
Table 1 – Tool Influence Levels and Qualification Requirements

| Tool Influence Level | Description | Example Tools | Typical Qualification Measures |
| --- | --- | --- | --- |
| TIL 1 | No direct safety-related output | General text editor, version control system | Vendor documentation review, user confidence |
| TIL 2 | May produce or partially verify safety-related artifacts | Static code analyzer, unit test framework | Tool confidence classification, additional testing, field experience |
| TIL 3 | Directly generates or verifies safety-critical outputs | Code generator for safety logic, model checkers for hazard analysis | Independent functional tests, formal verification, compliance with safety standards |
Tool Confidence Levels and Error Detection
The report also introduces the concept of Tool Confidence Level (TCL), which reflects the degree of assurance that a tool will not introduce or fail to detect errors in its output. The TCL is determined by combining the tool influence level with evidence of its reliability. CAN/CSA ISO/IEC TR 19755-12:2016 describes several acceptance criteria:
- Direct evidence from tool vendor (certification reports, development process audits)
- Evidence from increased confidence through use (field experience, defect history)
- Evidence from tool validation by the user (benchmarks, trial usage, output comparison)
Tip: When classifying a tool, involve all stakeholders including safety engineers, project managers, and tool administrators. A single misclassification can lead to inadequate qualification or unnecessary expenditure.
Implementation Highlights
Implementing the guidance of CAN/CSA ISO/IEC TR 19755-12:2016 typically involves a structured process that can be integrated into a company’s development lifecycle. The following steps are recommended:
- Tool Inventory and Initial Classification: Create and maintain a list of all software development tools used in the safety-related development process. Assign an initial TIL based on the intended use of the tool.
- Evaluation Planning: For each tool with TIL > 1, develop a qualification plan that includes specific acceptance criteria, responsible parties, and a schedule.
- Evidence Collection: Gather relevant documentation (vendor certificates, test reports, use logs) or perform targeted tests.
- Review and Approval: A qualified safety assessor reviews the evidence and decides if the tool achieves the required confidence level.
- Periodic Re-evaluation: Tools must be re-assessed after any significant change (version upgrade, change in use context) or periodically (e.g., annually) to ensure continued confidence.
Success Story: An automotive tier 1 supplier applied the TR’s framework to qualify a model-based code generation tool for ASIL D applications. By following the TIL/TCL process, they reduced qualification effort by 30% compared to a prescribed approach while still meeting ISO 26262 requirements.
Caution: The TR does not prescribe specific confidence metrics; it only defines a framework. Organisations must tailor the evaluation criteria to their domain, company culture, and risk tolerance. Over‑reliance on vendor claims without independent verification is a common pitfall.
Compliance and Certification Notes
As a Technical Report, CAN/CSA ISO/IEC TR 19755-12:2016 is not a normative standard. Its adoption is voluntary. However, it can be used as a key reference to support compliance with mandatory safety standards such as:
- ISO 26262 (road vehicles – functional safety)
- DO‑178C (aerospace – software considerations)
- IEC 62304 (medical device software)
- IEC 61508 (functional safety of E/E/PE safety-related systems)
In Canada, the adoption of this ISO/IEC Technical Report under CAN/CSA confirms its relevance for the Canadian market. There is no legal requirement to use this report, but it can be cited by regulators and conformity assessment bodies as indicative of good practice. For organizations seeking certification, aligning with the TR’s framework can streamline the assessment process and provide a defensible rationale for tool qualification decisions.
Important: This Technical Report does not replace domain-specific regulations (e.g., Transport Canada’s standards for aerospace software). It should be used as a supplement to, not a substitute for, the applicable normative documents. Always verify the latest version and any regulatory interpretations.
Frequently Asked Questions
Q: Is CAN/CSA ISO/IEC TR 19755-12:2016 mandatory in Canada?
A: No. A Technical Report is a voluntary document. It provides guidance and best practices but does not have the force of a regulation or a normative standard. However, it may be referenced in contracts or certification agreements as a benchmark for good practice.
Q: What is the difference between Tool Influence Level (TIL) and Tool Confidence Level (TCL)?
A: TIL is based solely on the tool’s effect on safety outputs — it is a classification of the tool’s potential impact. TCL is a measure of the confidence that the tool is reliable enough for its intended use, determined by combining TIL with evidence of the tool’s quality and behavior. A tool with a higher TIL generally requires a higher TCL, but the exact relationship is defined by the organisation’s qualification criteria.
Q: Can this report be used for agile development environments?
A: Yes. The framework is tool‑agnostic and can be adapted to any development methodology. The key is to identify the influence of tools on safety artifacts, regardless of whether development follows a plan‑driven or iterative approach. The qualification evidence requirements may be applied incrementally as the tool’s context evolves.
Q: Who is responsible for tool qualification under this framework?
A: Ultimately, the organisation developing the safety‑critical system holds the responsibility. The TR recommends involving multiple roles: safety engineers for classification, development teams for evidence collection, and an independent safety assessor for review. The framework does not prescribe a specific organizational structure but encourages a clear separation of duties.
Last updated: 2026. This article is provided for informational purposes and does not constitute professional or legal advice. Always refer to the official standard text for authoritative requirements.