[Question] - Can a QM Microcontroller Be Used to Implement an ASIL Function?

The question of whether a QM (Quality Management) microcontroller can be used to implement an ASIL (Automotive Safety Integrity Level) function is a fundamental consideration in ISO 26262. The answer depends on specific conditions and strategies used to meet the functional safety requirements. Below is a detailed explanation according to ISO 26262:


Short Answer:

Yes, a QM microcontroller can be used to implement an ASIL function, but only under strict conditions and with appropriate measures to compensate for the QM microcontroller's lack of intrinsic safety mechanisms.

If the required measures are not feasible or not adequate, a QM microcontroller should not be used for that function.


Detailed Answer:

1. Definitions and Context:

  • QM microcontroller: A device developed under a standard quality-management process only, without the ISO 26262 safety lifecycle, and therefore lacking built-in safety mechanisms (e.g., error detection, diagnostic capabilities, redundancy).
  • ASIL function: A function with a safety goal assigned an ASIL rating (ASIL A to ASIL D) that must achieve a defined level of risk reduction per ISO 26262.

The challenge arises because QM components do not inherently fulfill the requirements for implementing ASIL functions.


2. When Can a QM Microcontroller Be Used for ASIL Functions?

Using a QM microcontroller is allowed if:

A. Safety Requirements Can Be Fulfilled at the System Level

ISO 26262 permits the use of QM components if the necessary functional safety requirements can be achieved through system-level measures. For example:

  • External Diagnostic Measures: Adding external diagnostic mechanisms (e.g., external watchdogs, memory testing tools, or error detection mechanisms).
  • Redundancy: Implementing safety redundancy in other hardware or software components to compensate for the lack of safety features in the QM microcontroller.
  • Fault Tolerance: Designing fault-tolerant architectures (e.g., safety mechanisms at the software/system level that can detect and mitigate faults in the QM microcontroller).

B. ASIL Decomposition

  • ASIL decomposition can reduce the requirements on the microcontroller by splitting the ASIL function into redundant elements with lower ASIL ratings or QM classification; the decomposition is only valid if those elements are sufficiently independent of each other.

C. Failure Rate Compliance

The hardware architecture that contains the QM microcontroller must meet the failure rate targets for the intended ASIL. This includes:

  • Random Hardware Failures: Evaluating failure rates per the Hardware Architectural Metrics (e.g., SPFM, LFM) and ensuring compliance with ISO 26262 Part 5.
  • Systematic Failures: Addressing systematic faults in development through processes like ISO 26262 Part 8 (Supporting Processes).


3. How to Implement an ASIL Function with a QM Microcontroller?

If a QM microcontroller is to be used, the following steps must be followed:

Step 1: Hazard Analysis and Risk Assessment (HARA)

  • Identify the safety goals and assign ASIL levels to the function.

Step 2: Derive and Verify Safety Requirements

  • Determine the functional and technical safety requirements that the system must meet.

Step 3: Assess the QM Microcontroller

  • Analyze the capabilities and limitations of the QM microcontroller (e.g., diagnostic coverage, fault tolerance).

Step 4: Design Additional Safety Measures

  • Diagnostic Coverage: Add external diagnostic measures, such as a software-based or hardware-based self-test.
  • Redundancy: Use external redundant components (e.g., a redundant safety microcontroller for cross-monitoring).
  • Error Detection and Mitigation: Use watchdogs, CRC checks, memory integrity tests, etc.
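The measures listed in section 2.A and in Step 4 (a CRC over safety-related parameters, program-flow monitoring, and an external windowed watchdog that is serviced only when every check of the cycle passed) as a host-runnable model in C. This is an added example, not code from the original post: the parameter-block layout, the checkpoint ids, the watchdog window and the FIT-free tick model are assumptions, and the two simulated faults (a corrupted flash word and a skipped processing step) exist only to show the mechanisms reacting.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Reflected CRC-32 (IEEE 802.3 polynomial), bitwise for clarity rather than speed. */
uint32_t crc32_ieee(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Safety-related parameter block stored in flash with its CRC appended (assumed layout). */
typedef struct {
    uint16_t max_torque_nm;
    uint16_t overtemp_limit_c;
    uint32_t crc;                     /* CRC-32 over the two fields above */
} ParamBlock;

static uint32_t param_crc(const ParamBlock *p) { return crc32_ieee((const uint8_t *)p, offsetof(ParamBlock, crc)); }
void param_seal(ParamBlock *p)        { p->crc = param_crc(p); }
bool param_check(const ParamBlock *p) { return param_crc(p) == p->crc; }

/* Model of an external windowed watchdog: a service is accepted only when the time since the
   last accepted service lies in [open, close) ticks; early, late or missing services trip reset. */
typedef struct { uint32_t open, close, last_service, now; bool tripped; } Watchdog;

void wd_init(Watchdog *w, uint32_t open, uint32_t close)
{
    w->open = open; w->close = close; w->last_service = 0; w->now = 0; w->tripped = false;
}
void wd_tick(Watchdog *w)             /* one control-loop period elapses */
{
    if (++w->now - w->last_service >= w->close) w->tripped = true;  /* too late: timeout */
}
void wd_service(Watchdog *w)
{
    uint32_t age = w->now - w->last_service;
    if (age < w->open || age >= w->close) w->tripped = true;        /* too early or too late */
    else w->last_service = w->now;
}

/* Program-flow monitoring: each checkpoint folds its id into a signature that must equal
   the signature of the reference sequence at the end of the cycle. */
enum { CP_READ_INPUTS = 1, CP_CHECK_PARAMS, CP_COMPUTE, CP_WRITE_OUTPUTS };
static void flow_cp(uint32_t *sig, uint32_t cp) { *sig = *sig * 31u + cp; }
uint32_t flow_expected(void)
{
    uint32_t sig = 0;
    for (uint32_t cp = CP_READ_INPUTS; cp <= CP_WRITE_OUTPUTS; cp++) flow_cp(&sig, cp);
    return sig;
}

typedef enum { CYCLE_OK, CYCLE_PARAM_FAULT, CYCLE_FLOW_FAULT } CycleResult;
/* One control cycle: the watchdog is serviced only if every check of the cycle passed.
   skip_compute injects a program-flow fault so the monitor can be tested. */
CycleResult run_cycle(const ParamBlock *params, Watchdog *wd, bool skip_compute)
{
    uint32_t sig = 0;
    flow_cp(&sig, CP_READ_INPUTS);
    bool params_ok = param_check(params);
    flow_cp(&sig, CP_CHECK_PARAMS);
    if (!skip_compute) flow_cp(&sig, CP_COMPUTE);   /* the real computation would sit here */
    flow_cp(&sig, CP_WRITE_OUTPUTS);
    if (!params_ok) return CYCLE_PARAM_FAULT;
    if (sig != flow_expected()) return CYCLE_FLOW_FAULT;
    wd_service(wd);
    return CYCLE_OK;
}

/* Runs `cycles` loop periods and reports whether the watchdog forced the safe state. */
bool watchdog_trips(const ParamBlock *params, bool skip_compute, unsigned cycles)
{
    Watchdog wd;
    wd_init(&wd, 1, 3);               /* assumed window: a service is due every 1..2 ticks */
    for (unsigned i = 0; i < cycles; i++) {
        wd_tick(&wd);
        run_cycle(params, &wd, skip_compute);
    }
    return wd.tripped;
}

int main(void)
{
    ParamBlock good = { 150, 120, 0 }, corrupt;
    param_seal(&good);
    corrupt = good;
    corrupt.max_torque_nm = 900;      /* simulated flash corruption: CRC no longer matches */
    printf("tripped? healthy %d, corrupt params %d, flow fault %d\n", watchdog_trips(&good, false, 10),
           watchdog_trips(&corrupt, false, 10), watchdog_trips(&good, true, 10));
    return 0;
}
```

The design point is that the watchdog line is the only path to the safe state and it is fed from a single place, after all checks of the cycle; a window (rather than a plain timeout) also catches a runaway loop that services the watchdog continuously, which a plain timeout would accept.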

Step 5: Perform Quantitative Analyses

  • Evaluate Hardware Architectural Metrics (SPFM, LFM, PMHF) to ensure compliance with ISO 26262 Part 5.

Step 6: Validate the System

  • Conduct safety validation to ensure the implemented measures fulfill the safety goals.
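A worked evaluation of the metrics named in section 2.C and Step 5, added here as an example and not taken from the original post. It applies the ISO 26262 Part 5 formulas for SPFM and LFM, a deliberately simplified PMHF that sums only single-point and residual failure rates (dual-point contributions are ignored, an assumption), the standard's targets for ASIL B to D, and constructed FMEDA rows that are not data of any real part. The per-element fault-class split (safe fraction, whether one fault can violate the goal alone, two coverage values) is a simplified modelling assumption as well.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* One hardware element as it appears as a row of an FMEDA (simplified fault-class model). */
typedef struct {
    const char *name;
    double lambda_fit;     /* base failure rate in FIT (1 FIT = 1e-9 failures per hour) */
    double safe_fraction;  /* share of failures that cannot affect the safety goal at all */
    bool   violates_alone; /* can a single fault of this element violate the safety goal? */
    double dc_spf;         /* coverage of the mechanism guarding against single-point faults */
    double dc_latent;      /* coverage of the mechanism that keeps a fault from staying latent */
} HwElement;

typedef struct {
    double spfm;           /* single-point fault metric, 0..1 */
    double lfm;            /* latent fault metric, 0..1 */
    double pmhf_per_hour;  /* simplified PMHF: single-point + residual rates only, per hour */
} Metrics;

typedef struct { const char *asil; double spfm_min, lfm_min, pmhf_max; } AsilTarget;

/* Quantitative targets of ISO 26262 Part 5; the standard sets no metric target for ASIL A. */
static const AsilTarget ASIL_TARGETS[] = {
    { "ASIL B", 0.90, 0.60, 1e-7 },
    { "ASIL C", 0.97, 0.80, 1e-7 },
    { "ASIL D", 0.99, 0.90, 1e-8 },
};
#define N_TARGETS (sizeof ASIL_TARGETS / sizeof ASIL_TARGETS[0])

Metrics compute_metrics(const HwElement *e, size_t n)
{
    double sum_lambda = 0.0, sum_spf_rf = 0.0, sum_mpf_latent = 0.0;
    for (size_t i = 0; i < n; i++) {
        double lam_ns = e[i].lambda_fit * (1.0 - e[i].safe_fraction);  /* non-safe faults */
        double spf_rf, mpf;
        if (e[i].violates_alone) {
            spf_rf = lam_ns * (1.0 - e[i].dc_spf);  /* dc_spf == 0: pure single-point fault */
            mpf    = lam_ns * e[i].dc_spf;          /* covered faults need a 2nd fault to matter */
        } else {
            spf_rf = 0.0;                           /* e.g. a watchdog: dangerous only in combination */
            mpf    = lam_ns;
        }
        sum_lambda     += e[i].lambda_fit;
        sum_spf_rf     += spf_rf;
        sum_mpf_latent += mpf * (1.0 - e[i].dc_latent);
    }
    Metrics m = { 0.0, 0.0, 0.0 };
    if (sum_lambda <= 0.0) return m;                               /* empty or degenerate FMEDA */
    double mpf_total = sum_lambda - sum_spf_rf;
    m.spfm = 1.0 - sum_spf_rf / sum_lambda;                        /* ISO 26262-5 SPFM formula */
    m.lfm  = mpf_total > 0.0 ? 1.0 - sum_mpf_latent / mpf_total : 1.0;  /* ISO 26262-5 LFM formula */
    m.pmhf_per_hour = sum_spf_rf * 1e-9;                           /* FIT -> failures per hour */
    return m;
}

bool meets_target(Metrics m, AsilTarget t)
{
    return m.spfm >= t.spfm_min && m.lfm >= t.lfm_min && m.pmhf_per_hour < t.pmhf_max;
}

/* Highest ASIL whose three targets are all met, or "QM" if not even ASIL B is reached. */
const char *highest_asil_met(Metrics m)
{
    const char *best = "QM";
    for (size_t i = 0; i < N_TARGETS; i++)
        if (meets_target(m, ASIL_TARGETS[i])) best = ASIL_TARGETS[i].asil;
    return best;
}

/* Constructed sample rows for a QM MCU guarded by external measures; not data of any real part. */
const HwElement *sample_elements(size_t *n)
{
    static const HwElement rows[] = {
        { "QM MCU core",            100.0, 0.50, true,  0.90, 0.60 }, /* external watchdog + SW self-tests */
        { "Flash (code/config)",     40.0, 0.25, true,  0.95, 0.90 }, /* CRC check at start-up and cyclic */
        { "External watchdog",       10.0, 0.20, false, 0.00, 0.50 }, /* tested once at power-up */
        { "Supply voltage monitor",   5.0, 0.00, false, 0.00, 0.00 }, /* no self-test at all */
    };
    *n = sizeof rows / sizeof rows[0];
    return rows;
}

int main(void)
{
    size_t n;
    const HwElement *rows = sample_elements(&n);
    Metrics m = compute_metrics(rows, n);
    printf("SPFM %.2f%%  LFM %.2f%%  PMHF %.2e /h  -> metrics satisfied up to: %s\n",
           100.0 * m.spfm, 100.0 * m.lfm, m.pmhf_per_hour, highest_asil_met(m));
    return 0;
}
```

With the constructed rows the simplified PMHF (6.5 FIT) would pass even the ASIL D threshold, but the SPFM of about 95.8% stops at ASIL B; all three metrics have to clear the targets together, which is the practical reason a QM core with bolt-on measures tends to land at ASIL B and rarely reaches ASIL D.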


4. When Is It NOT Allowed to Use a QM Microcontroller for ASIL Functions?

A. Inability to Meet Safety Goals

If the safety goals cannot be achieved due to the QM microcontroller's limitations or the inability to compensate with system-level measures, its use is prohibited.

B. Non-Compliant Failure Rates

  • The QM microcontroller, together with its compensating measures, cannot meet the failure rate targets for the required ASIL (e.g., for ASIL D, the Probabilistic Metric for random Hardware Failures (PMHF) must be < 10^-8/hour).

C. ASIL D Complexity

For ASIL D functions, the stringent requirements (e.g., dual-channel redundancy, very high diagnostic coverage) make the use of QM microcontrollers impractical or even impossible without significant architectural changes.


5. Practical Considerations:

  • Cost vs. Safety Trade-Off: Using a QM microcontroller may reduce costs but increases complexity in system-level safety design.
  • Development Effort: Compensating for the QM microcontroller's lack of safety mechanisms requires significant effort in design, testing, and validation.
  • Regulatory Approval: Justifying the use of QM microcontrollers requires a robust safety case to ensure regulatory and stakeholder acceptance.


Conclusion:

The use of a QM microcontroller for an ASIL function is technically possible under ISO 26262, provided:

  1. The functional safety requirements are met at the system level through external safety mechanisms, redundancy, or ASIL decomposition.
  2. Failure rate and diagnostic coverage requirements are fulfilled.

If these cannot be achieved, a QM microcontroller should not be used, and an ASIL-certified microcontroller is recommended instead.

Vino Vino

Research Analyst at CreamCollar | Software Defined Vehicle

1w

Ahmed Douma, but it should not be used for ASIL D category operations, and why should we complicate and compromise (to some extent), as it seems logically possible?

Ahmed Douma

Automotive SW Consultant | Certified Architect and Lead Engineer | Founder @ TechieVai ©

1mo

Interesting question. I would agree with you. I think it would still add extra efforts and require high competency to take care of use cases through SW only, but probably also with the use of external HW connected to the MCU. I would love to work on such system though. I think it'll be very interesting.

Omar Salah

I Play Business for a Sport | Strategic Engineering Manager | Driving Profitable Solutions and Orchestrating Business Excellence | MBA Global & Operational Management | MBA Digital Transformation

1mo

Interesting ya Zidan! Also, going beyond safety-relevant requirements, I see that understanding the system, its impacts and the relevant decomposition is crucial.
