Prover Certifier just took a new major step when we received a certificate from TÜV Nord ensuring that Prover Certifier is a T2 tool appropriate for CENELEC EN50128 SIL4 projects. We are very proud that this has been achieved after a lot of work!
We did have a T2 certificate before, but this new certificate will be more useful for our users. Let us explain how. What we learned from our customers when they started using our previous T2 certificate in their safety cases, is that what they really need is not only a norm compliance certificate, but also a guarantee that the tool can be trusted.
A certificate ensures that the tool fulfills the requirements of the norm EN50128, but the requirements on T2 tools are not very strong in that norm. They do say something about what documentation must exist, and how the development must be organized, but they do not require the tool to have a certain quality. Instead, the norm puts the responsibility on the user to ensure that the tool is appropriate for its role within the project.
So even if we gave our users a T2 certificate, they still had to ask us to also provide evidence that the tool could be trusted for its task.
Our conclusion was that a certificate would be much more useful if it certified not only norm compliance, but also some strong claims about what role the tool can have in a safety case:
- Requirements that have been proven fulfilled with formal verification can be assumed to hold when planning the other V&V activities.
- V&V activities that are already covered by proven requirements can safely be omitted.
- V&V activities that are partially covered can be reduced without losing confidence in safety.
These claims are documented as parts of the product that now has been qualified as a T2 tool appropriate for SIL4 projects. Our users can therefore refer directly to these claims in their safety cases. This simplifies the overall safety argument a lot. So remember, don’t rely on just any certificate and risk spending major efforts providing safety evidence.
A certificate ensures that the claims about the product are correct, but the usefulness of the certificate really depends on these claims.