Functional Safety Analysis

In the rapidly evolving world of automotive technology, working to strengthen the safety of electrical and electronic systems is paramount. ISO 26262:2018, the international standard for implementing functional safety in road vehicles, helps support this effort. It provides a comprehensive framework for addressing the hazards caused by malfunctioning behavior of complex electrical and electronic systems.

At the core of this standard is functional safety analysis (or safety analysis), a comprehensive process designed to uncover faults and failures in automotive systems before implementation.

In the traditional V model for system development, the analysis methods fall on the left-hand side of the V. If agile methodology is employed, safety analysis is also an iterative process. The analysis is performed on design or architecture at the Concept, System, Hardware or Software level to derive or verify safety requirements in the respective phases.

The Functional Safety Analysis process

A critical aspect of safety analysis is the systematic and thorough examination of the design/architecture to identify potential faults. This involves methodically analyzing the design to determine possible failure modes and implementing appropriate countermeasures to manage them effectively. The goal is to ensure that the design meets safety requirements and is robust enough to handle any identified faults through prevention, detection and mitigation strategies. The safety analysis techniques required by ISO 26262:2018 are inductive and deductive analysis.

Functional Safety Analysis methods according to ISO 26262 

Inductive analysis is a bottom-up approach while deductive analysis is a top-down approach. Both are complementary methodologies required to achieve safety.

The ISO 26262 standard provides specific guidelines about these analyses as per the assigned ASIL. Inductive safety analysis must be performed for all ASIL levels A through D. However, deductive analysis is only required for ASIL C and D systems. In an ideal analysis, the inductive and deductive analysis will yield the same results. These systematic approaches provide a clear and logical pathway for identifying root causes and developing mitigation strategies. This facilitates proactive identification and management of risks, reducing the likelihood of system failures. The analysis could be qualitative or quantitative as the standard requires quantitative analysis only at the hardware level. Analysis methods include:

Deductive analysis

Deductive analysis is a method used to identify potential causes of system failures. It starts with a known undesirable event often termed as a vehicle level hazard (the top-level event) and works backwards to determine the root causes or contributing factors that could lead to this event often termed as a fault. By tracing all possible faults that could lead to a vehicle level hazard, deductive analysis helps ensure no potential fault is overlooked.

Fault Tree Analysis

Fault Tree Analysis (FTA) in ISO 26262 is one of the common deductive methods used to determine the root causes of system failures. FTA uses logical gates like AND and OR to map out the pathways that lead to the top-level event, providing a visual representation of how different failures at base level combine to cause a system failure. FTA is crucial in the context of ISO 26262, as it supports the identification and management of potential hazards in automotive systems, ensuring that appropriate safety measures are implemented to prevent or mitigate failures.

Inductive analysis

Inductive analysis is an effective technique to identify the vehicle level impact of a potential failure. It often starts with a potential identified fault at the component/subsystem level and works towards determining the vehicle level impact of the fault.

Failure Mode and Effects Analysis

Failure Mode and Effects Analysis (FMEA) in ISO 26262 is an inductive structured approach used to identify and evaluate potential failure modes within automotive electronic systems and their effects on system performance and safety. The process involves systematically examining each component/subsystem to determine how it might fail, the potential effects and causes of each failure and identifying the appropriate safety mechanism that covers its effects at the vehicle level. By identifying high-risk failure modes, FMEA helps engineers develop and implement mitigation strategies to enhance the overall reliability and safety of the system.

Failure Mode Effects and Diagnostic Analysis

Failure Mode Effects and Diagnostic Analysis (FMEDA) is an inductive analysis which is quantitative in nature and performed at the hardware level. This method is used to determine random hardware failure metrics. The hardware detailed design is analyzed to compute hardware architecture metrics, such as the Single Point Fault Metric and latent Fault metric, to verify if it meets the targets for the respective ASIL. Another metric that is calculated is the Probabilistic Metric for Random Hardware Failure. FMEDA requires deep expertise in hardware analysis and is a tedious process which must be executed precisely.

Dependent Failure Analysis

As systems become more complex, the interdependencies between system elements increase significantly and can lead to dependent failures. Dependent Failure Analysis (DFA) is the method recommended in ISO 26262 to identify and evaluate failures that affect the freedom of interference and independence at various levels within a system. The two categories of dependent failures are cascading failures and common cause failures.

One key aspect of DFA is the identification of cascading failures, where the failure of one component triggers failures in other components, leading to a chain reaction of failures. Another important consideration is the identification of common cause failures, where multiple components fail due to a single underlying cause, such as a shared environmental factor or a design flaw. While eliminating dependent failures is often challenging, DFA aims to recommend appropriate strategies to mitigate their impact. These strategies include introducing redundancy and diversity in critical architectural elements as well as development lifecycle.