One topic that has cropped up time and time again in ISO 26262 is the discussion of hardware parts and whether requirements can, or should, be assigned to them. Section 220.127.116.11 in ISO 26262-5:2018 states: ‘The traceability between hardware safety requirements and hardware architectural design elements shall be established down to the lowest level of hardware components’.
The subsequent note states:
‘NOTE: The traceability of hardware safety requirements is not required down to the hardware detailed design. No hardware safety requirements are allocated to hardware parts that cannot be divided into subparts. For example, it is neither meaningful nor beneficial to try to establish hardware traceability down to each capacitor and resistor, etc.’
ISO 26262 definitions (ISO 26262-1):
- Hardware component (3.21): non-system level element (3.41) that is logically or technically separable and is comprised of more than one hardware part (3.71) or one or more software units (3.159).
- Hardware part (3.71): portion of a hardware component (3.21) at first level of hierarchical decomposition. EXAMPLE: the CPU of a microcontroller, a resistor, the flash array of a microcontroller.
This is a very interesting statement, but one that in reality is not correct. The concept in ISO 26262 of hardware components being formed of multiple hardware parts is clear, and many discussions are based around amplifiers or power supplies, where it is not necessary to define requirements for each resistor and capacitor because the overall performance of the component can be verified. However, these are only certain functions and are not representative of all cases.
When we look at the definition of hardware parts in ISO 26262-1, we see that a hardware part could be a resistor or a capacitor; over and above this, it could also be a device such as an opto-coupler or magnetic coupler.
Many of these hardware parts are used in safety-relevant circuits in items, e.g. Y-capacitors across isolation barriers, opto-couplers or DC link capacitors, all of which can be critical hardware parts in the product. When you look at a DC link capacitor it has many requirements that are safety relevant, e.g. self-healing, a maximum self-inductance or reverse voltage withstand.
Likewise, Y-capacitors across isolation barriers will have clearly defined requirements for withstand voltage or leakage current (see IEC 60384-14), and these need to be defined as requirements for the hardware part.
Hardware Parts in the Medical Device Sector
Figure: Schematic flow chart for component qualification (Source: IEC 60601-1 Edition 3.1, 2012)
In previous blogs (e.g. The Future of IEC 60601-1) we have talked about IEC 60601-1, the safety standard in the medical device sector. It has a clear strategy for components with high-integrity characteristics (these would be hardware parts in ISO 26262) and a selection process, based on all the relevant requirements, that defines how a single component (hardware part) in a safety-critical location meets those requirements. The situation is no different in the automotive industry and the world of ISO 26262: there will be hardware parts that have multiple requirements assigned to them, and these requirements need to be verified to prove the suitability of that hardware part.
The statement in part 5 of ISO 26262 could benefit from an update or amendment; if we are going to see a revision 3, then this would be a helpful enhancement.
By Alastair Walker, Consultant