
Fusa_007_How to Perform Dependent Failure Analysis...

 ZHAOHUI 2019-10-10
In the earlier sharing on dependent failures we covered what a dependent failure is, why a dependent failure analysis (DFA) has to be performed, and the root causes behind dependent failure initiators (DFIs). Now it is time to talk about how to perform the dependent failure analysis.
1-  Dependent Failure Analysis workflow
In clause 4.7.6 of ISO 26262-11:2018, the workflow of the dependent failure analysis is given as the figure below.

Twelve main activities, or steps, are defined for performing the dependent failure analysis; we discuss each of them in the following sections.

1.1     B1-DFA Decision: Identify HW and SW elements

The first step is to check whether a dependent failure analysis needs to be performed at all, based on the safety-oriented analyses already carried out (FTA, FMEA and so on). A dependent failure analysis is not always required during development; it is required only when one or more elements in the architecture are required to be independent or free from interference.

The focus of this step is to analyse the architecture, identify each pair or group of elements that can be affected, and evaluate whether the architectural description is detailed enough to capture the overall design dependencies.

The outcome of this step is a list of each pair or group of elements that can be affected by dependent failures, together with the associated independence or freedom-from-interference requirements.

1.2    B2-Identify DFI

This step builds on the architectural analysis above. It checks the completeness of the derived independence or freedom-from-interference requirements and breaks them down wherever different initiators can lead to a dependent failure.
The outcome of this step is a consolidated version of the list from the previous step.

1.3    B3-Evaluate the sufficiency of insight into the DFIs

This step verifies that the available documentation gives sufficient insight into each DFI identified during the previous steps.

1.4    B4-Improve the information

If the evaluation in the step above finds that the existing documents do not give sufficient insight into a DFI, additional information is gathered so that the validity of that DFI for the target architecture can be judged.

1.5    B5-Consolidate the list of relevant DFIs

Based on the information provided, the list of DFA-relevant elements, the independence requirements and the related DFIs needed to fulfil the safety requirements is consolidated (e.g. by review).

From the consolidated list, dependent failures caused by random hardware faults can be incorporated into the quantitative analysis of the required hardware metrics in accordance with ISO 26262-5:2018, Clauses 8 and 9.

1.6    B6-Identify the necessary safety measures

To fulfil the independence or freedom-from-interference requirements, safety measures are added to mitigate the effect of the dependent failures that are relevant for the target architecture.

1.7    B7-Evaluate the safety measures

This step verifies that the available documentation gives sufficient insight to analyse the effectiveness of the safety measures introduced in the previous step.

1.8    B8-Improve the information

If the verification in the step above finds the available information insufficient for a proper evaluation, additional detail is added to the definition of the DFI mitigation measures.

1.9    B9-Consolidate the list of safety measures

The list of safety measures defined for the mitigation of dependent failures is consolidated based on the updated documentation (e.g. by review).

1.10  B10-Evaluate the effectiveness of the safety measures against dependent failures

The effectiveness of the introduced safety measures in mitigating or avoiding dependent failures is verified. The applicable verification methods are the same as those used for safety measures defined to avoid or mitigate the effect of random hardware or systematic failures according to ISO 26262-5:2018, Clause 10. The following techniques can be useful:
  • FTA, ETA, FMEA;
  • fault injection simulation;
  • application of specific design rules based on technology qualification tests;
  • overdesign with respect to e.g. device voltage classes or distances;
  • stress testing with respect to temperature profile or overvoltage of supply and inputs;
  • EMC and ESD testing;
  • expert judgement.
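Fault injection simulation is the technique on that list that is easiest to show in code, and it also shows why a DFI matters: a dependent failure can defeat a redundancy-based measure that looks adequate against independent faults. The following is an added example, not code from the article or from any ISO 26262 deliverable. It assumes (for illustration only) a dual-core lockstep pair whose two cores share one PLL, a lockstep comparator as the original safety measure, and an independent window watchdog on a separate oscillator as the measure added for the shared-clock DFI. Faults are injected at a fixed cycle and the simulation records which monitor fires and how many cycles of wrong output escape before any alarm.

```python
"""Fault-injection simulation for DFA step B10 (added example, not from the article).

Constructed model: two lockstep cores on one shared PLL (an assumed shared-resource
DFI). A comparator detects divergence between the cores; an independent watchdog on
its own oscillator detects loss of progress. Faults are injected and the simulation
reports which monitor fires and how many wrong-output cycles escape undetected.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Lockstep:
    """Two redundant cores computing f(x) = 2x + 1 on every cycle of the shared clock."""
    core_a: int = 0
    core_b: int = 0
    alive: int = 0               # alive counter the cores advance on every executed cycle
    clock_running: bool = True

    def step(self, x: int, upset_a: bool = False) -> Tuple[int, int]:
        if not self.clock_running:
            # Shared PLL stuck: both cores freeze and hold identical stale outputs,
            # so a comparator between them sees nothing wrong.
            return self.core_a, self.core_b
        self.core_a = self.core_b = 2 * x + 1
        if upset_a:
            self.core_a ^= 0x1   # independent single-event upset in core A only
        self.alive += 1
        return self.core_a, self.core_b


@dataclass
class Watchdog:
    """Monitor on its own oscillator; alarms after `limit` ticks without progress."""
    last_alive: int = 0
    missed: int = 0
    limit: int = 2

    def tick(self, alive: int) -> bool:
        if alive == self.last_alive:
            self.missed += 1
        else:
            self.missed, self.last_alive = 0, alive
        return self.missed >= self.limit


def simulate(fault: Optional[str], with_watchdog: bool = True,
             cycles: int = 8, fault_cycle: int = 3) -> Dict[str, object]:
    """Inject `fault` at `fault_cycle` and report what was detected.

    fault: None, "core_a_upset" (independent fault in one core) or
           "shared_clock_stuck" (a dependent failure initiator hitting both cores).
    """
    ls, wd = Lockstep(), Watchdog()
    res = {"comparator": False, "watchdog": False, "undetected_wrong_cycles": 0}
    alarm = False
    for c in range(cycles):
        if fault == "shared_clock_stuck" and c == fault_cycle:
            ls.clock_running = False
        a, b = ls.step(c, upset_a=(fault == "core_a_upset" and c == fault_cycle))
        if a != b:
            res["comparator"] = True          # redundancy catches divergent cores
        if with_watchdog and wd.tick(ls.alive):
            res["watchdog"] = True            # independent monitor catches the common hang
        alarm = alarm or res["comparator"] or res["watchdog"]
        if a != 2 * c + 1 and not alarm:
            res["undetected_wrong_cycles"] += 1   # wrong output with no alarm raised yet
    return res


def campaign() -> Dict[Tuple[Optional[str], bool], Dict[str, object]]:
    """Run each fault with and without the watchdog: a small B10 effectiveness table."""
    return {(f, w): simulate(f, w)
            for f in (None, "core_a_upset", "shared_clock_stuck")
            for w in (True, False)}


if __name__ == "__main__":
    for (f, w), r in campaign().items():
        print(f"{str(f):20} watchdog={w!s:5} {r}")
```

The comparator alone detects the independent upset but is blind to the stuck shared clock, because both cores fail identically; only the watchdog on an independent time base catches it, and even then one wrong-output cycle escapes before the alarm, which is the kind of detection latency B11 has to weigh when judging whether the risk reduction is sufficient.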

1.11  B11-Assess the sufficiency of risk reduction

To close the DFA, an evaluation of the remaining risk from dependent failures is completed.

1.12  B12-Improve the safety measures

If the evaluation in the step above finds the mitigation insufficient, the safety measure is improved and the evaluation of its effectiveness (B10) is repeated.
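Steps B1 to B12 are easier to follow when the lists they produce are written down as data. The following is an added example, not code from the article or from ISO 26262: a small bookkeeping model that takes the pairs with independence or freedom-from-interference requirements (B1), the identified DFIs (B2), the insight and documentation flags (B3/B4, B7/B8) and the safety measures with their B10 verdicts, and derives the relevant-DFI list (B5), the random-hardware inputs for the quantitative metrics (B5) and a residual-risk status for every pair/DFI combination (B11/B12). All element, initiator and measure names are invented for illustration.

```python
"""Bookkeeping model of the ISO 26262-11 DFA workflow, steps B1 to B12.

Added example, not from the article. Element, DFI and measure names below are
constructed sample data; the classification rules are the ones the workflow implies.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class IndependenceReq:
    """B1: a pair of elements required to be independent or free from interference."""
    elements: FrozenSet[str]
    kind: str        # "independence" or "FFI"
    source: str      # the safety requirement that demands it


@dataclass
class DFI:
    """B2: a dependent failure initiator and the elements it can affect."""
    name: str
    affects: Set[str]
    insight_sufficient: bool = True   # B3: does the documentation explain it well enough?
    random_hw: bool = False           # B5: caused by random HW faults, so it feeds the metrics


@dataclass
class SafetyMeasure:
    """B6: a measure claimed to mitigate one or more DFIs."""
    name: str
    mitigates: Set[str]
    documented: bool = True           # B7: can its effectiveness be analysed from the docs?
    effective: bool = False           # B10: verified effective against the DFI?


def relevant_dfis(reqs: List[IndependenceReq], dfis: List[DFI]) -> Dict[IndependenceReq, List[DFI]]:
    """B1/B2/B5: a DFI is relevant to a requirement only if it can hit every element of the pair."""
    return {r: [d for d in dfis if r.elements <= d.affects] for r in reqs}


def insight_gaps(dfis: List[DFI]) -> List[str]:
    """B3/B4: initiators that cannot be judged yet; more information is needed before B5."""
    return sorted(d.name for d in dfis if not d.insight_sufficient)


def quantitative_inputs(reqs: List[IndependenceReq], dfis: List[DFI]) -> List[str]:
    """B5: relevant DFIs caused by random HW faults go into the ISO 26262-5 metric calculation."""
    names = {d.name for hits in relevant_dfis(reqs, dfis).values() for d in hits if d.random_hw}
    return sorted(names)


def residual_status(reqs: List[IndependenceReq], dfis: List[DFI],
                    measures: List[SafetyMeasure]) -> List[Tuple[Tuple[str, str], str, str]]:
    """B7 to B12: classify every (pair, relevant DFI) by what the safety measures achieve."""
    rows = []
    for req, hits in relevant_dfis(reqs, dfis).items():
        pair = tuple(sorted(req.elements))
        for d in hits:
            covering = [m for m in measures if d.name in m.mitigates]
            if not covering:
                status = "unmitigated"                    # B6 not done for this DFI
            elif any(m.documented and m.effective for m in covering):
                status = "mitigated"                      # B11: risk reduction sufficient
            elif any(not m.documented for m in covering):
                status = "insufficient documentation"     # B8: improve the information
            else:
                status = "measure not effective"          # B12: improve the measure, repeat B10
            rows.append((pair, d.name, status))
    return rows


# Constructed sample data (not from any real design).
REQS = [
    IndependenceReq(frozenset({"core_main", "core_checker"}), "independence", "SR-12 lockstep cores"),
    IndependenceReq(frozenset({"brake_app", "comm_stack"}), "FFI", "SR-30 memory partitioning"),
]
DFIS = [
    DFI("shared_pll", {"core_main", "core_checker"}, random_hw=True),
    DFI("rail_1v0", {"core_main", "core_checker", "sram"}, random_hw=True),
    DFI("thermal_hotspot", {"core_main", "core_checker"}, insight_sufficient=False),
    DFI("shared_sram", {"brake_app", "comm_stack"}),
    DFI("dma_channel_3", {"comm_stack"}),      # hits one element only: not a dependent failure
]
MEASURES = [
    SafetyMeasure("clock_monitor", {"shared_pll"}, effective=True),
    SafetyMeasure("voltage_monitor", {"rail_1v0"}, effective=False),
    SafetyMeasure("mpu_partitioning", {"shared_sram"}, documented=False),
]


def run_example() -> List[Tuple[Tuple[str, str], str, str]]:
    """Residual-risk table for the sample data."""
    return residual_status(REQS, DFIS, MEASURES)


if __name__ == "__main__":
    print("B3/B4 insight gaps:", insight_gaps(DFIS))
    print("B5 quantitative inputs:", quantitative_inputs(REQS, DFIS))
    for pair, dfi, status in run_example():
        print(f"{pair[0]} / {pair[1]}: {dfi:16} -> {status}")
```

The point of the pair test in `relevant_dfis` is that an initiator only becomes a dependent failure when it can reach both elements of a pair that must be independent; `dma_channel_3` is dropped for that reason. The four status values map back onto the loops in the workflow: "unmitigated" returns to B6, "insufficient documentation" to B8, "measure not effective" to B12 and then B10 again, and only "mitigated" closes in B11.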

2-  Reference

[1] ISO 26262-9:2018, Automotive safety integrity level (ASIL)-oriented and safety-oriented analyses

[2] ISO 26262-11:2018, Guidelines on application of ISO 26262 to semiconductors

3-  About 功能安全沙龙

功能安全沙龙 is a WeChat public account used as a technical sharing platform on the following topics:

  • ISO 26262
  • SOTIF / ISO 21448
  • Cyber-security / SAE J3061 or ISO 21434
  • Powertrain control of PHEV and EV
  • ADAS, ADS or AD vehicles
