Understand ISO 26262 hardware element classes to ensure safe designs


Safety is an essential aspect of any automotive or industrial application. As automotive and industrial products become more autonomous, designers of these products face increasing pressure to meet functional safety standards, which involve anticipating what could go wrong and taking steps to reduce the risk to an acceptable level. Specific standards that address functional safety include IEC 61508 for industrial applications and ISO 26262 for the automotive industry.

Functional safety deals with two types of faults that can occur in an element such as an integrated circuit:

  • Systematic faults result from errors in the design or in the development and manufacturing process; they recur deterministically and can only be removed by changing that design or process.
  • Random hardware failures occur unpredictably over the lifetime of the hardware, but they can be detected and controlled by built-in functional safety mechanisms.

For your functional safety designs, you can select components that have been developed in full compliance with the relevant functional safety standard and certified by an independent body such as TÜV SÜD. If you instead choose parts that were not developed according to the standard, you must take additional measures to demonstrate that the system using these elements meets the relevant safety requirements.


ISO 26262 defines three classes of hardware elements for such parts. A Class I element has few or no operating modes that need to be analyzed from a safety perspective, and it can be analyzed without knowing its development process or implementation details. In addition, it lacks internal safety mechanisms to control or detect failures. A Class I element, such as a capacitor, transistor, LDO, PTC temperature sensor, or simple logic gate, does not need to be evaluated for functional safety on its own, but it is assessed as part of the larger system.

A Class II element has several operating modes that can still be analyzed from a safety perspective without knowing the implementation details, and it may or may not have internal safety mechanisms. Documentation may exist to support assumptions about the absence of systematic faults. If you choose a Class II element, such as an op amp, data converter, DC-DC converter, or CAN transceiver, be prepared to complete a hardware element evaluation plan backed by analysis and testing to show that the element meets the necessary safety requirements.

Class III elements, including microprocessors, SoCs, multi-channel PMICs, motor drivers, and single-board computers, have many operating modes that cannot be analyzed without knowing the details of the development process and the implementation. They also typically contain internal safety mechanisms to control or detect failures. For these elements, be prepared to complete an evaluation plan and to take additional steps to demonstrate that the risk of systematic faults is sufficiently low.

Texas Instruments offers three categories of functional safety products: Functional Safety-Capable, Functional Safety Quality-Managed, and Functional Safety-Compliant (Fig. 1). These three categories roughly correspond to the three hardware element classes of ISO 26262.

Class I elements, with few operating modes and no internal safety mechanisms, roughly correspond to TI's Functional Safety-Capable category. More complex Class II elements roughly correspond to TI's Functional Safety Quality-Managed category, while Class III elements roughly correspond to TI's Functional Safety-Compliant category (Fig. 2). A review of concepts such as the Safety Integrity Level (SIL) and the Failures In Time (FIT) rate can help you understand how this mapping works.

Functional safety measures

For industrial applications, IEC 61508 defines SILs in a range from SIL 1 to SIL 4, with SIL 4 being the strictest. Similarly, ISO 26262 defines Automotive SILs (ASILs) ranging from ASIL A to ASIL D, with ASIL D being the strictest. Each SIL or ASIL, in turn, sets target values for a set of hardware fault metrics.

The base failure rate (BFR), which quantifies the intrinsic reliability of a component under normal operating conditions, is the primary input for computing the random hardware failure metrics. BFR is expressed in FIT, where 1 FIT is one expected failure per one billion (10^9) cumulative device operating hours.

BFR is the basis of the quantitative hardware failure metrics, which for ISO 26262 are the single-point fault metric (SPFM), the latent-fault metric (LFM), and the probabilistic metric for random hardware failures (PMHF). The table lists the target values ISO 26262 sets for these metrics at each ASIL.
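The following worked calculation shows how these metrics are derived from a FIT-based FMEDA. It is an added example, not code from the article or from TI: the sensor front-end, its failure modes, FIT shares and diagnostic coverage figures are constructed for illustration, the PMHF is a first-order estimate that neglects the dual-point term, and only the ASIL B/C/D target values are taken from ISO 26262-5.

```python
"""ISO 26262 random-hardware-failure metrics computed from a small FMEDA.

Added example (not the article's or TI's code). Component, failure modes,
FIT values and diagnostic coverages are constructed for illustration;
the ASIL target values are those published in ISO 26262-5.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

FIT = 1e-9  # 1 FIT = 1 failure per 1e9 device-hours = 1e-9 failures per hour

# ISO 26262-5 targets per ASIL: (minimum SPFM, minimum LFM, maximum PMHF in failures/hour)
ASIL_TARGETS = {
    "B": (0.90, 0.60, 1e-7),
    "C": (0.97, 0.80, 1e-7),
    "D": (0.99, 0.90, 1e-8),
}


@dataclass
class FailureMode:
    name: str
    fit: float                            # share of the base failure rate for this mode (FIT)
    safety_related: bool                  # can this mode alone violate the safety goal?
    dc_residual: Optional[float] = None   # diagnostic coverage of the safety mechanism; None = no mechanism
    dc_latent: float = 0.0                # fraction of covered faults that are detected/perceived (not latent)


def classify(fm: FailureMode) -> Dict[str, float]:
    """Split one failure mode's FIT into the ISO 26262-5 fault classes."""
    c = dict(safe=0.0, spf=0.0, rf=0.0, mpf_dp=0.0, mpf_l=0.0)
    if not fm.safety_related:
        c["safe"] = fm.fit                                # cannot violate the safety goal
    elif fm.dc_residual is None:
        c["spf"] = fm.fit                                 # no mechanism: single-point fault
    else:
        c["rf"] = fm.fit * (1 - fm.dc_residual)           # residual: slips past the mechanism
        covered = fm.fit * fm.dc_residual                 # dangerous only together with a 2nd fault
        c["mpf_dp"] = covered * fm.dc_latent              # detected or perceived multiple-point
        c["mpf_l"] = covered * (1 - fm.dc_latent)         # latent multiple-point
    return c


def metrics(fmeda: List[FailureMode]) -> Dict[str, float]:
    """SPFM, LFM and a first-order PMHF for a list of failure modes."""
    tot = {k: 0.0 for k in ("safe", "spf", "rf", "mpf_dp", "mpf_l")}
    for fm in fmeda:
        for k, v in classify(fm).items():
            tot[k] += v
    total = sum(tot.values())
    dangerous = tot["spf"] + tot["rf"]
    spfm = 1 - dangerous / total                          # ISO 26262-5 Annex C
    lfm = 1 - tot["mpf_l"] / (total - dangerous)          # ISO 26262-5 Annex C
    # First-order PMHF: single-point + residual only. The dual-point latent term
    # from ISO 26262-10 is neglected (assumption), so this is a screening value.
    pmhf = dangerous * FIT
    return {"total_fit": total, "spfm": spfm, "lfm": lfm, "pmhf": pmhf, **tot}


def meets_asil(m: Dict[str, float], asil: str) -> bool:
    spfm_min, lfm_min, pmhf_max = ASIL_TARGETS[asil]
    return m["spfm"] >= spfm_min and m["lfm"] >= lfm_min and m["pmhf"] <= pmhf_max


# Constructed FMEDA for a notional sensor front-end (illustrative numbers only).
BEFORE = [
    FailureMode("ADC output stuck", 10, True, dc_residual=0.90, dc_latent=0.99),  # range check
    FailureMode("Voltage reference drift", 5, True, dc_residual=0.60, dc_latent=0.50),
    FailureMode("Clock loss", 2, True, dc_residual=0.99, dc_latent=1.00),        # windowed watchdog
    FailureMode("Debug register corruption", 3, False),                           # not safety related
    FailureMode("Calibration EEPROM bit flip", 4, True),                          # no mechanism at all
]

# Same part after adding a CRC over the calibration data and a tighter reference monitor.
AFTER = [
    FailureMode("ADC output stuck", 10, True, dc_residual=0.90, dc_latent=0.99),
    FailureMode("Voltage reference drift", 5, True, dc_residual=0.90, dc_latent=0.50),
    FailureMode("Clock loss", 2, True, dc_residual=0.99, dc_latent=1.00),
    FailureMode("Debug register corruption", 3, False),
    FailureMode("Calibration EEPROM bit flip", 4, True, dc_residual=0.99, dc_latent=0.90),
]

if __name__ == "__main__":
    for label, fmeda in (("before", BEFORE), ("after", AFTER)):
        m = metrics(fmeda)
        print(f"{label}: SPFM={m['spfm']:.3f} LFM={m['lfm']:.3f} "
              f"PMHF={m['pmhf'] / FIT:.2f} FIT",
              {a: meets_asil(m, a) for a in ASIL_TARGETS})
```

Running it shows the typical shape of an FMEDA review: the "before" design has a 4 FIT single-point fault (the unprotected calibration memory) that alone drags SPFM to about 0.71, so ASIL B is missed even though LFM and PMHF are comfortably inside their targets; covering that mode and raising the reference-monitor coverage lifts SPFM to about 0.94, which meets ASIL B but still not ASIL C. The point for a Class II or III element is that the supplier's FIT rate and FMEDA are the inputs, and the diagnostic coverage you actually implement in the system determines which ASIL the metrics support.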

TI Functional Safety-Compliant products are developed using TI's functional safety process, which is certified by TÜV SÜD. These products come with a FIT rate calculation, a comprehensive failure modes, effects and diagnostic analysis (FMEDA), and a functional safety manual. They may also be accompanied by a fault tree analysis and a functional safety product certificate.

The Functional Safety Quality-Managed and Functional Safety-Capable categories include products developed using TI's standard quality-managed development flow instead of the certified functional safety flow. These products are accompanied by documentation and analysis that you can use in your own evaluation of the hardware elements.

Functional Safety Quality-Managed products include a FIT rate calculation, an FMEDA and a functional safety manual. Functional Safety-Capable products come with a FIT rate calculation and a die failure mode distribution or pin failure mode analysis.

Radar example

Radar sensing is an application area that requires functional safety in both the automotive and industrial markets. TI offers millimeter-wave radar devices specifically designed for automotive and industrial applications that require ISO 26262 and IEC 61508 compliance. These devices come with a functional safety manual, an FMEDA, and a FIT rate estimate. They also offer configurable device functions, configurable safety mechanisms, and custom diagnostics, allowing you to meet application-specific functional safety requirements.

TI mmWave radar sensors also include built-in monitoring and loopback tests that continuously check device operation, supporting functional safety at run time. Because these diagnostics run on the sensor itself, they reduce the load on the host processor while maintaining overall system performance and efficiency. With the multiple built-in safety mechanisms shown in Fig. 3, the devices provide the diagnostic coverage required to support random hardware fault metrics as high as ASIL B and SIL 2 at the component level.

Conclusion

Achieving functional safety in accordance with ISO 26262 and IEC 61508 is essential for automotive and industrial applications. TI offers three categories of functional safety devices that help maximize design flexibility and that roughly correspond to the three classes of hardware elements defined in ISO 26262. The devices come with the documentation and analysis you need to perform your own functional safety assessments.
