
ASIL Certification for HW Components and HW Evaluation

In our previous post, we introduced the topic of ASIL certification for HW elements. In this article, we will give you an idea of what is done as part of ASIL Certification. We will then introduce the concept of HW Evaluation, how it is to be done and the challenges in doing it.

Note: ISO26262 does not talk about "Certification" or about how to "certify" a component. Here, ASIL Certification means that a component was developed according to ISO26262, that it was audited by Independent Safety Auditors, and that the Auditor confirmed that the Component meets the qualitative and quantitative expectations for that ASIL level.

The Idea behind “ASIL Certification”

Basics first.

How is Safety achieved in an Item?

  1. By sufficiently preventing Systematic failures - by good design and following ASIL development processes
  2. By introducing safety mechanisms to detect random hardware failures and achieving the required quantitative Hardware Metrics for that ASIL level. 

Let us take this expectation on Systematic failures and random hardware failures, down to the HW element level.

The whole idea behind “ASIL certification” for hardware elements is to ensure that 

  1. the Systematic failures in that HW element’s design and IC manufacturing have been sufficiently eliminated and 
  2. the FIT is sufficiently low that a product integrating this HW element can achieve its hardware metric target or the FIT can be sufficiently reduced by introducing Safety mechanisms to detect failures of the HW element

Let's take a Micro. An ASIL certification for a Micro means that the ISO26262 process was followed while developing the Micro design. 

This means various measures such as

  1. Developing the Micro as an SEooC with assumptions on Safety goals and Context of use
  2. Identifying the exact requirements for every block or peripheral of the Micro. Though this is generally required for all the blocks of the Micro, from a Safety context, it becomes important to identify the peripherals of the Micro that are safety relevant and the Safety requirements for these peripherals.
  3. Doing an FMEA and (optionally) FTA for a systematic analysis of all the failure modes and defining the measures to prevent or detect and mitigate failures from occurring. These measures can be reviews, tests, safety mechanisms or other process measures.
  4. Defining the Micro manufacturing process with required checks and tests such that each of the manufactured Micros performs as intended
  5. Ensuring that the Micro functions correctly in the worst-case operating conditions and is sufficiently robust to extreme environmental conditions such as EMC, high temperature and humidity, etc.
  6. The failure modes of each of the peripherals of the Micro are known and the failure distribution between the different failure modes is known
  7. The FIT of the Micro is known based on predicted reliability and (optionally) also based on actual field operation data
  8. Accelerated life tests and statistical analysis have been performed to prove the reliability of the Micro over the complete lifetime.
  9. Safety manual provided to the Integrator highlighting the SEooC assumptions and requirements placed on the Integrator
  10. The Micro’s development was audited and assessed, after which it was certified as ASIL

HW Evaluation: An Alternative to ASIL Certification?

There are cases where a Class III element has features and Safety mechanisms to support Safety critical ECUs, but the element itself was not developed according to ISO26262 processes, is already in production and is probably also in cars driving on the road. In such scenarios, the element can be ‘evaluated’ to ensure its suitability for the ASIL program.

HW Evaluation is a process by which the Class III element is “qualified” (for use in an ASIL context). The main intention or goal is to gain high confidence in using the HW element to achieve Safety requirements. It is applicable for Class III and Class II elements.

Evaluation is performed based on various aspects such as:

  1. Whether the Safety requirements for the HW element are clearly defined
  2. Whether the HW element’s failure modes and their distribution are known
  3. By analysis
  4. By testing
  5. Taking additional measures at System level to qualify the HW element
  6. Using alternative arguments

An HW element can be evaluated based on a combination of the various methods listed above to prove that the Systematic failures of the element are sufficiently reduced. Aspects 5 and 6 mentioned above are not required for Class II elements but are required for Class III elements.

The first step in HW Evaluation is to clearly define the scope of Evaluation. For example, if you take a Micro, you should ask the question whether you need to qualify all the HW blocks within the Micro or only some HW blocks that are safety relevant.

Let us understand how to perform an Evaluation with some examples for a Class III element

HW Evaluation may be done by

  1. the Semiconductor supplier or
  2. the Integrator of the Class III element or
  3. 1 and 2 together, or
  4. a third party with the support of 1 and 2.

Challenges with HW Evaluation

There are several challenges with HW evaluation:

  1. There is no standardized method of doing this. Even though the standard gives guidelines and requirements, it is a challenge to figure out how to achieve them. Choosing the right methods and building a compelling argument is a challenging task. It is very important to involve experts in this area to take the right direction.
  2. There are many ways of evaluating. For example, a Class III element may be decomposed into ‘n’ Class II elements and each of the Class II elements may be qualified. Alternatively, the Class III element may also be qualified as such without any decomposition into smaller parts. One should decide which is the most suitable way for their use case.
  3. There will be a significant increase in Engineering effort if it is required to carry out additional analysis or testing activities.
  4. For the System that uses the HW element, there will also be an increase in BOM cost if HW changes are required due to the evaluation, such as adding an External watchdog to monitor the Class III element.

HW Evaluation uses standard quality-based arguments as a base. We need to look at standard quality processes with a “Safety eye” and eventually build on top of that with additional measures.

HW evaluation is not an alternative to ASIL Certification in all contexts. “Let us buy an ASIL certified micro, or else let us buy a QM micro and qualify it” is not an approach one should take. The ISO26262 standard does not recommend this approach for Class III elements.

HW Evaluation is to be considered only when a produced Class III HW element is, for some reason, already used in the HW design and it is now too late to switch to an ASIL certified part. In such a case, only if the Evaluation provides sufficient confidence about the HW element should we go ahead and use it in the design. If not, the Safety Manager should not hesitate to escalate the risk of using a non-qualified part in a Safety critical Item. Safety Managers should proactively ensure that only ASIL certified HW elements are chosen for high complexity ICs in the HW design. The thought process should start right at the RFQ stage.

From the perspective of a Tier 1, it is relatively less work to choose an ASIL compliant HW element than to do HW evaluation. For ASIL C and D systems, HW Evaluation should not be considered at all as an option for qualifying the complex ICs.