In our previous post, we introduced the topic of ASIL certification for HW elements. In this article, we will give you an idea of what is done as part of ASIL Certification. We will then introduce the concept of HW Evaluation, how it is to be done and what are the challenges in doing it.
Note: ISO26262 does not talk about "Certification" and what is the way to "certify" a component. ASIL Certification means that a component was developed according to ISO26262, it was audited by Independent Safety Auditors and the Auditor confirmed that the Component meets the qualitative and quantitative expectations for that ASIL level.
The Idea behind “ASIL Certification”
How is Safety is achieved in an Item?
- By sufficiently preventing Systematic failures - by good design and following ASIL development processes
- By introducing safety mechanisms to detect random hardware failures and achieving the required quantitative Hardware Metrics for that ASIL level.
Let us take this expectation on Systematic failures and random hardware failures, down to the HW element level.
The whole idea behind “ASIL certification” for hardware elements is to ensure that
- the Systematic failures in that HW element’s design and IC manufacturing have been sufficiently eliminated and
- the FIT is sufficiently low that a product integrating this HW element can achieve its hardware metric target or the FIT can be sufficiently reduced by introducing Safety mechanisms to detect failures of the HW element
Let's take a Micro. An ASIL certification for a Micro means that the ISO26262 process was followed while developing the Micro design.
This means various measures such as
- Developing the Micro as an SEoOC with assumptions on Safety goals and Context of use
- Identifying the exact requirements for every block or peripheral of the Micro. Though this is generally required for all the blocks of the Micro, from a Safety context, it becomes important to identify the peripherals of the Micro that are safety relevant and the Safety requirements for these peripherals.
- Doing an FMEA and (optionally) FTA for a systematic analysis of all the failure modes and defining the measures to prevent or detect and mitigate failures from occurring. These measures can be reviews, tests, safety mechanisms or other process measures.
- Defining the Micro manufacturing process with required checks and tests such that each of the manufactured Micros performs as intended
- Ensuring that the Micro functions correctly in the worst case operating conditions and is sufficiently robust to extreme environmental conditions such as EMCs, high temperature and humidity conditions etc
- The failure modes of each of the peripherals of the Micro are known and the failure distribution between the different failure modes is known
- The FIT of the Micro is known based on predicted reliability and (optionally) also based on actual field operation data
- Accelerated life tests and statistical analysis have been performed to prove the reliability of the Micro over the complete lifetime.
- Safety manual provided to the Integrator highlighting the SEooC assumptions and requirements placed on the Integrator
- The Micro’s development was audited and assessed, after which it was certified as ASIL
HW Evaluation –An Alternative to ASIL Certification?
- Whether the Safety requirements for the HW element are clearly defined
- Whether the HW element’s failure modes and its distribution are known
- by analysis
- by testing
- Taking additional measures at System level to qualify the HW element
- Using alternative arguments
- the Semiconductor supplier or
- the Integrator of the Class III element or
- 1 and 2 together, or
- A third party with the support of 1 and 2.
Challenges with HW Evaluation
- There is no standardized method of doing this. Even though the standard gives guidelines and requirements, it is a challenge to figure out how to achieve them. Choosing the right methods and building a compelling argument is a challenging task. It is very important to involve the experts in this area to take the right direction.
- There are many ways of evaluating. For e.g., Class III element may be decomposed as ‘n’ no of Class II elements and each of the Class II elements may be qualified. Alternatively, the Class III element may also be qualified as such without any decomposition into smaller parts. One should decide which is the most suitable way for their use case.
- There will be a significant increase of Engineering effort if it is required to carry out additional analysis or testing activities.
- For the System that uses the HW element, there will also be an increase in BOM cost if HW changes are required due to the evaluation, such as adding an External watchdog to monitor the Class III element.