Safety beginners are quite often very confused about how Safety affects the hardware design and choice of components in the BOM. “Should I use ASIL certified Micro controllers, CAN transceivers, PMICs and switches in my ASIL program? What about the resistors and capacitors? Do we even have ASIL certified passives in the market?” they ask.
In this blog and next ones to come, we will clear the confusion surrounding “ASIL” certification and qualification of Hardware elements. We will cover several questions surrounding this topic.
This blog post will cover the following questions:
1. Background – How the ASIL certification for HW really started
2.Scope of ASIL Certification for HW – Which HW elements are expected to be ASIL Certified and which need not be
Background – How the ASIL certification for HW really started
It was in the ISO26262-2018 edition, Part 8, Clause 13 “Evaluation of Hardware elements” that for the first time, the idea of “ASIL certified” ICs was introduced. In this clause, the standard states that very complex ICs such as Microcontrollers or PMICs that are used in Safety critical systems must be ASIL certified. Before this, the concept of “ASIL certified” ICs was not known. However, the Micros offered “Safety related” features or mechanisms such as a Watchdog, ECC or clock monitoring or lockstep processing even before the ISO26262 formally introduced the idea of functional safety.
In addition to the concept of “Evaluation of Hardware elements”, the 2018 edition also introduced a guideline on how to apply ISO26262 to semiconductors. This introduction, together with the growing awareness on functional safety amongst OEMs and the increasing advent of several Safety critical Next-Gen ECUs for ADAS, Driver monitoring systems and EVs led to a sea change in ASIL certification in the semiconductor area. Very soon, the market started seeing a lot of ASIL certified Microcontrollers. Today, the market is flooded with several ASIL-D certified Microcontrollers, PMICs, Sensors and even Memories (DDR4, DDR5 etc).
Scope of ASIL Certification for HW – Which HW elements are expected to be ASIL Certified and which need not be
The ISO standard broadly categorizes HW Elements into three:
1. Class I
2. Class II
3. Class III
Class I elements are very simple elements, and Class III are Extremely Complex elements. Class II is ‘neither simple nor extremely complex’ category between Class I and Class III. The table below summarizes the characteristics of these elements along with some examples.
The Standard guides us to classify the HW components as Class I, II or III depending upon their characteristics as stated in the table above. ASIL Certification is required only for Class III complexity Elements.
Why do we not need ASIL certification for Class I and Class II elements?
There are various reasons for this:
- Typically, all HW elements used in an Automotive application are qualified according to world-wide quality standards such as AEC-Q100 or AEC-Q200. This ensures that the HW element has a sufficiently high quality and performance.
- The Class I and Class II HW elements do not provide any safety mechanisms by itself. The failures of these HW elements can be detected by implementing Safety mechanisms in the System in which it is used. The HW elements can also be sufficiently tested in the System in which they are used.
- The failure modes of Class I elements and many Class II elements are similar irrespective of the supplier, and these modes and its distribution can be picked up from hardware failure mode libraries like the MIL Standard library and IEC failure mode library. For e.g., here is a snippet from the MIL Standard library that shows the failure modes and distribution for different types of resistors. Immaterial of the supplier of the resistor, these remain the same.
Summary
HW elements of Class I and Class II complexity levels do not need “ASIL certification” because the existing quality measures, System-level Integration and System level testing measures are sufficient to ensure that these elements have a sufficiently high quality and perform its intended functionality. However, this is not true for Class III HW elements.
Class III indicates the very high complexity of the HW element. Because of their complexity, these elements need rigorous process measures to ensure correct functionality under varied operating conditions. They implement Safety mechanisms, which means that developing according to ISO26262 is required to ensure that the Safety mechanisms work correctly. Also given the FIT of Class III is relatively higher than Class I or Class II elements, a supplier needs to ensure that the Class III element FIT is sufficiently low for the System in which it is integrated.
The whole idea of classifying HW elements into different classes was done for performing ‘HW Evaluation’ activities accordingly. In our next post, we will cover HW Evaluation and touch upon the complexities around HW Evaluation. We will also go further into what goes behind the ASIL certification of HW elements.