In the first part of our blog we looked at the process of evaluating hardware elements in ISO 26262. In part 2 we will look at the three classes of hardware element and how the process of their evaluation relates to ISO 26262-5:2018.
| Class | Operating States | Failure Modes | Safety Mechanisms | Comments |
|---|---|---|---|---|
| Class I | Few | Can be analysed for safety relevant failures | None | Treated as a hardware part and analysed at the next level up, e.g. through an FMEDA. Failure modes can be identified from ISO 26262-5:2018 or reliability sources. |
| Class II | Few | Analysis through existing documentation | None | Device such as a sensor. Evaluation of the hardware plan by defined analysis and testing. |
| Class III | Multiple | Analysis requires knowledge of the implementation to analyse failures | Internal safety mechanisms relevant to the safety concept | Complex device such as a microcontroller. Requires full development in line with ISO 26262:2018. |
Thus, for the evaluation of hardware elements, only Class II hardware elements require any specific evaluation outside the requirements of ISO 26262-5. Class I and Class III hardware elements should be included in the standard ISO 26262 development process. Class I hardware elements are handled as part of the ISO 26262-5 activities for the element or system in which the hardware element will be used, e.g. a resistor in a drivetrain.
For Class II hardware elements, the strategy suggested for the evaluation plan, analysis and testing does not deviate much from the strategies defined in ISO 26262:2018. An understanding of the environments, tools and personnel is also required in other sections of ISO 26262. If the hardware element is part of an existing ISO 26262 project, the activities can be integrated into the existing ISO 26262 work products.
Class III hardware elements, e.g. hardware components that are deemed to be hardware parts according to ISO 26262-1:2018, require development fully in line with ISO 26262. The use of known industry data is also encouraged, which is by no means a bad thing: failure rate information from reliability standards such as SN 29500 tends to be very conservative, and this can mislead the outcomes of safety analyses. The hardest task is finding this industry data.
In summary, if ISO 26262-8:2018 is to be used as an alternative method for compliance with ISO 26262-5 for COTS hardware, the process will still be heavily dependent on ISO 26262-5, and evaluation planning, analysis and testing should be based on existing ISO 26262 activities where possible.
By Alastair Walker, Functional Safety Consultant