In the previous sharing on dependent failures, we covered what a dependent failure is, why dependent failure analysis needs to be performed, and the root causes of dependent failure initiators (DFIs). Now it is time to talk about how to perform the dependent failure analysis.
1- Dependent Failure Analysis Workflow
In chapter 4.7.6 of ISO 26262-11:2018, the workflow of dependent failure analysis is provided as in the picture below. 12 main activities or steps are defined for performing the dependent failure analysis; we will discuss them in detail in the following chapters.
1.1 B1- DFA Decision: Identify HW and SW Elements
The first step is to check whether a dependent failure analysis needs to be performed at all, based on the results of the safety-oriented analyses performed before (FTA, FMEA and so on). Dependent failure analysis is not always required during development; it is only required when one or more elements in the architecture are required to be independent or free from interference. The focus of this step is to analyse the architecture, identify each pair or group of elements that can be affected, and evaluate whether the architectural description is detailed enough to capture the overall design dependencies.
The outcome of this step is a list of each pair or group of elements that can be affected by dependent failures, together with the associated independence or freedom from interference requirements.
1.2 B2-Identify DFI
This step is based on the prior architectural analysis. It checks the completeness of the derived independence or freedom from interference requirements and breaks them down wherever different initiators can lead to a dependent failure. The outcome of this step is a consolidation of the list from the previous step.
1.3 B3-Evaluate Insight Sufficiency into DFIs
This step verifies that the available documentation provides sufficient insight into each DFI that was identified during the previous steps.
1.4 B4-Improvement Information
Based on the evaluation results of the step above, if the existing documents provide insufficient insight into a DFI, additional information is required to judge the validity of that DFI for the target architecture.
1.5 B5-Consolidate list of Relevant DFIs
Based on the information provided, the list of identified DFA-relevant elements, independence requirements and the related DFIs for the fulfilment of the safety requirements is consolidated (e.g. by review). From the consolidated list, dependent failures that are caused by random hardware faults can be incorporated into the quantitative analysis of the required metrics in accordance with ISO 26262-5:2018 Clauses 8 and 9.
1.6 B6-Identify Necessary Safety Measures
In order to fulfil the independence requirements or freedom from interference requirements, necessary safety measures are added to mitigate the effect of the dependent failures that are relevant for the target architecture.
1.7 B7-Evaluation of the Safety Measures
This step verifies that the available documentation provides sufficient insight to analyse the effectiveness of the safety measures that were introduced during the previous step.
1.8 B8-Improvement information
Based on the verification results of the step above, if the available information is deemed insufficient for a proper evaluation, additional details can be added to the definition of the DFI mitigation measure.
1.9 B9-Consolidate List of Safety Measures
The list of the safety measures defined for the mitigation of dependent failures is consolidated based on the updated documentation (e.g. by review).
1.10 B10-Evaluate Effectiveness of the Safety Measures against Dependent Failures
The effectiveness of the introduced safety measures in mitigating or avoiding dependent failures is verified. The verification methods that can be applied are identical to those applied for safety measures defined to avoid or mitigate the effect of random hardware or systematic failures according to ISO 26262-5:2018, Clause 10. The following techniques can be useful:
- Fault injection simulation
- Application of specific design rules based on technology qualification tests
- Overdesign with respect to e.g. device voltage classes or distances
- Stress testing with respect to temperature profile or overvoltage of supply and inputs
1.11 B11-Assessment of Risk Reduction Sufficiency
To close the DFA, an evaluation of the remaining risks of dependent failures is completed.
1.12 B12-Safety Measures Improvement
Based on the evaluation results of the step above, if the mitigation is not regarded as sufficient, the safety measure is improved and the evaluation of its effectiveness is repeated.
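As an added illustration of the B1 to B12 workflow above (this is example code written for this article, not part of ISO 26262-11 or any tool), the following model holds the consolidated lists from B1, B2, B6 and B9 and reports, for each pair or group of elements, the earliest step that is still open. The element names, DFIs and measures in the sample are constructed, and the accepted verification techniques are the four listed under B10.

```python
from dataclasses import dataclass, field

# Verification techniques the workflow accepts in step B10 (the four listed above).
B10_TECHNIQUES = {"fault injection simulation", "technology design rules",
                  "overdesign", "stress testing"}

@dataclass
class SafetyMeasure:            # added in B6, detailed in B8, verified in B10
    name: str
    verification: str = ""      # B10 technique applied, empty if not yet defined
    effective: "bool | None" = None   # B10 verdict; None means not yet evaluated

@dataclass
class DFI:                      # dependent failure initiator identified in B2
    name: str
    insight_sufficient: bool    # B3 verdict on the available documentation
    measures: list = field(default_factory=list)

@dataclass
class ElementPair:              # pair or group of elements listed in B1
    elements: tuple
    requirement: str            # "independence" or "freedom from interference"
    dfis: list = field(default_factory=list)

def first_open_step(pair):
    """Earliest workflow step (B2..B12) still open for this pair, or 'B11: closed'
    when every DFI has a safety measure verified as effective in B10."""
    if not pair.dfis:
        return "B2: no DFI identified"
    for dfi in pair.dfis:
        if not dfi.insight_sufficient:
            return f"B4: more information needed on DFI '{dfi.name}'"
        if not dfi.measures:
            return f"B6: no safety measure defined for DFI '{dfi.name}'"
        for m in dfi.measures:
            if m.verification not in B10_TECHNIQUES:
                return f"B8: no accepted verification defined for measure '{m.name}'"
            if m.effective is None:
                return f"B10: measure '{m.name}' not yet evaluated"
            if not m.effective:
                return f"B12: measure '{m.name}' insufficient, improve and repeat B10"
    return "B11: closed"

# Constructed sample architecture (not from the page): one pair closed, one still open.
SAMPLE = [
    ElementPair(("main MCU", "safety monitor"), "freedom from interference", [DFI(
        "shared supply rail", True, [SafetyMeasure("supply monitor", "fault injection simulation", True)])]),
    ElementPair(("sensor A", "sensor B"), "independence", [DFI("shared clock source", True)]),
]
```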
2- References
[1] ISO 26262-9:2018 Automotive safety integrity level (ASIL)-oriented and safety-oriented analyses
[2] ISO 26262-11:2018 Guidelines on application of ISO 26262 to semiconductors
功能安全沙龙 is a WeChat public account used as a technical sharing platform on the following topics:
- Cyber-security/J3061 or ISO-21434
- Powertrain Control of PHEV and EV
- ADAS or ADS or AD vehicles