Evaluation of hardware elements is an alternative means of compliance with ISO 26262-5. It applies either to commercial off-the-shelf (COTS) parts or to parts that were not designed according to ISO 26262 but are considered safety-related within the context of the ISO 26262 compliant item or element into which they are integrated.
ICs with complex functionality and built-in safety mechanisms intended to detect or control internal failures are defined in Clause 13 as Class III hardware elements. That clause sets requirements for the evaluation of such parts, even though it states that this is not the preferred approach and that the next generation of the part should be developed in compliance with ISO 26262. Sometimes, however, this is the only way forward, e.g. for new, highly innovative systems for which no ISO 26262 compliant hardware is available yet.
Clause 13 draws a clear line between systematic faults and random hardware faults and states whose responsibility it is to demonstrate suitability for each. Suitability with respect to random hardware failures is usually demonstrated by an FMEDA. The IC supplier has to ensure that the risk of violating a safety goal or any safety requirement due to a systematic fault is sufficiently low and acceptable. Contrary to the common interpretation of the 1st edition of ISO 26262, the forthcoming 2nd edition allocates the evidence for the suitability of random fault management to the integrator, i.e. to the next higher level of design integration. Does this mean that, for products not developed in compliance with ISO 26262, an FMEDA at IC level is no longer necessary? And does it also mean that the safety manuals of such parts will need to be adapted in the future?
The talk will focus on:
- The clear separation between systematic faults and random hardware faults, and whose responsibility it is to demonstrate suitability for each
- The semiconductor supplier's obligation to ensure that the risk of violating a safety requirement due to a systematic fault is sufficiently low
- The allocation of the evidence for the suitability of random fault management (usually demonstrated by an FMEDA) to the integrator, i.e. to the next higher level of design integration
- Whether this means that an FMEDA at IC level is no longer necessary
Dipl.-Phys. Mathias Kamp, Director, Functional Safety Management, Elmos Semiconductor AG
Karol Niewiadomski, Product Manager Cyber Security, Functional Safety Expert, SGS-TÜV Saar GmbH