ISO 26262-Compliant Safety Analysis Methods

The FMEA analysis is known for its beginning with analyzing causes of malfunctions of each structural element in the system to study malfunctions of elements inductively, and thus to develop the optimization measures for potential unacceptable failures. As a typical application in the automotive industry, FMEA can be performed by qualitative or quantitative methods in analyzing failures and malfunctions in safety-system designs. Usually performed as an inductive (bottom-up) approach, FMEA focuses on how failures present among system elements, and how these failures affect systems.

Failure Modes, Effects and Diagnostic Coverage Analysis (FMEDA)

Failure Modes, Effects and Diagnostic Coverage Analysis (FMEDA) methodology was first developed by exida in the 1990s. In 2011, the functional safety standard ISO 26262 adopted this method as a recommendation. The method FMEDA can be considered as the quantitative extension of the FMEA methods, as FMEDA considers quantitative failure rates for the hardware elements, which are defined as failure rates and the distributions of failure mode for these elements, and it identifies critical failure modes by considering the safety mechanisms of the corresponding failure modes and their diagnostic coverage.

The FMEDA method is mainly utilized in the phases of hardware architectural design and hardware detailed design. We need to calculate the hardware architectural metrics at the hardware design level, such as single-point fault metric (SPFM) and Latent fault metric (LFM). Iterative use of FMEDA method can improve the hardware designs.

Fault Tree Analysis (FTA)

Fault Tree Analysis (FTA), developed in the early 1960s by Bell Labs, was used to evaluate a ballistic missile launch system. This analysis method was then standardized by IEC in 2006 and has been referenced by standards such as ISO 26262 as a potential or recommended analysis method.

We can apply FTA in qualitative or quantitative analysis techniques. For example, starting with the qualitative fault analysis, then we implement the quantitative statistics to the analysis to strengthen the analysis and get the quantitative variant.

Contrast to FMEA, FTA is a deductive (top-down) analysis method (see Figure 3) that helps us identify base events or combination of base events that may lead the defined top event to failure. Typically, the top event is an undesired system event that violates a safety goal, or a safety requirement derived from a safety goal.

If we want to establish an FTA, we can start with the undesired top event, and progressively build a graphical tree structure. The interaction of potential causes for the undesired event is represented by Boolean logic operations, such as AND gate, OR gate and NOT gate. The quantitative variant of FTA can be implemented to calculate our third PMHF metrics, which is also the recommended method by ISO 26262 standards.

Typically, safety analyses are associated with design phase activities (e.g., concept phase, system and hardware development phases). Safety analyses are associated with activities in the concept, system and hardware development phases (e.g., activities such as architectural design and integration verification of system hardware) (Figure 7), and similarly, in the software development phase, safety analyses are associated with software development activities, such as software architecture unit design and verification activities (Figure 8).

Safety Analyses in Hardware Design Phase

1. Qualitative Safety Analyses in Hardware Design Phase

In the hardware design phase, we combine the application of various safety analysis techniques. On the one hand, there is the qualitative safety analysis of the hardware design. For example, qualitative FTA methods help us to identify the causes of failures and the effects of hardware failures. For safety-relevant hardware components or hardware units, qualitative FMEA helps us to identify different types of failures, in particular which are safety failures, which are single-point failures or residual failures, and which are multi-point failures. Similarly, according to the specification recommendations of the ISO 26262R standard, we need to use a combination of deductive and inductive analysis methods for safety analyses.

2. Quantitative Safety Analyses in Hardware Design Phase

On the other hand, when we discuss random hardware failures, we need to perform quantitative safety analysis related to hardware design. Quantitative safety analysis helps us to evaluate or calculate metrics related to hardware architecture design. Hardware architecture design metrics include single point of failure metrics (SPFM), latent failure metrics (LFM), and stochastic hardware failure rate metrics (PMHF). Typically, we use the Failure Mode Effects and Diagnostic Analysis (FMEDA) methodology to perform a quantitative analysis to evaluate the applicability of the hardware architecture design given by the validation in detecting and controlling safety-related random hardware failures. This is done by analyzing scenarios where safety objectives are violated due to random hardware failures and thus calculating specific metric values for the hardware architecture design in question.

2.1. Failure classification of safety-related hardware components

Failures occurring in safety-related hardware components should be categorized as:

a） Single point fault

b） Residual fault

c） Multiple point fault

d） Safe fault

Multi-point faults need to be differentiated between latent, detected and perceived faults. Thus, safety-related hardware Elements failures are categorized as in Figure 9.

And：

-Distance n indicates the number of independent failures that simultaneously lead to a violation of safety goals (single-point or residual failures n = 1, dual-point failures n = 2, etc.).

-Failures at distance n are located between the n-ring and n-1-ring.

-Unless explicitly addressed in the technical safety concept, multi-point failures with a distance strictly greater than 2 are considered safety-relevant failures.

Note that in the case of transient faults, the safety mechanism restores the relevant item to a fault-free state, even if the driver is never notified of its presence, and such faults are detectable multipoint faults. If, in the case of protecting the memory from transient faults using error-correcting codes, the safety mechanism repairs the contents of the flipped bits within the memory array (e.g. by writing back the correction value) in addition to supplying the CPU with the correct value, the item in question is restored to a fault-free state.

2.1.1. Single point fault

Failures of a hardware element which is not prevented by any safety mechanism, and which can directly lead to a violation of the safety objective. For example, unmonitored resistors with at least one failure mode (e.g. open circuit) that may violate the safety objective.

2.1.2. Residual fault

There is at least one safety mechanism to prevent a fault of a hardware element that violates a safety objective that can directly result in a violation of the safety objective. For example, checking a random memory (RAM) module using only the safety mechanism of the checkerboard RAM test does not detect certain kinds of bridging faults. Violations of the safety objective due to these faults cannot be covered by the safety mechanisms. These faults are known as residual faults, when the diagnostic coverage of the safety mechanism is less than 100%.

2.1.3. Detected two-point faults

Failures that are detected by the safety mechanisms preventing them from lurking and that can only lead to a failure that defeats the safety objective in conjunction with another (two-point failure-related) independent hardware failure. For example, a flash memory failure protected by parity, a single bit fault is detected in accordance with the technical safety concept and triggers a response such as: shutting down the system and informing the driver via a warning light.

2.1.4. Perceived two-point faults

Failures that are detectable or undetectable by the safety mechanism within a defined period and are perceivable by the driver and that can only result in a violation of the safety objective in combination with another (two-point failure-related) independent hardware failure. Examples are two-point failures where the function is clearly and unambiguously affected by the consequences of the failure, and which are perceivable by the driver.

2.1.5. Latent two-point faults

Failures that are not detected by the safety mechanism nor sensed by the driver, where the system is always operational, and the driver is not informed of the failure until a second independent hardware failure occurs.

For example, for EDC-protected flash memory: ECC corrects a single bit permanent fault value during a read, but this is not corrected in the flash memory and there is no signal to indicate this. In this case. The fault cannot lead to a violation of the safety objective (because the faulty bit has been corrected), but it is neither detectable (because there is no signaling of a single bit fault) nor sensible (because it has no impact on the functionality of the application). If an additional fault occurs in the EDC logic, it can lead to a loss of control over the individual bit faults, leading to a potential safety objective violation.

2.1.6. Safe failure

Safety failures include the following two categories:

a）All n-point failures with n > 2, unless the safety concept indicates that they are relevant factors that violate the safety objective; or

b）failures that do not lead to a violation of the safety objective.

An example is a single bit fault that is corrected by ECC but not signaled in the case of flash memory protected by ECC and cyclic redundancy check (CRC). The ECC prevents the fault from violating the safety objective, but the ECC does not signal it. If the ECC logic fails, the CRC will be able to detect the fault and the system will shut down. Only when a single bit fault exists in the flash memory, the ECC logics fails, and the CRC checksum and monitoring fails, The safety objective will be violated (n=3).

2.2. Failure modes and failure rates of hardware elements

2.2.1. Failure modes of hardware elements

According to the fault classification model, the failure modes of hardware elements are categorized as shown in Figure 10.

2.2.2. Hardware Element Failure Mode Classification Process

The failure mode classification process is shown in Figure 11.

Only safety-related hardware elements of relevant items are considered. Hardware elements for safety faults or n-order multipoint faults (n>2) may be omitted from the calculation unless they are explicitly related to technical safety concepts. A graphical representation of the single point fault metric is shown in Figure 12.

Only safety-related hardware elements of relevant items are considered. Hardware elements for safety faults or n-order multipoint faults (n>2) are omitted from the calculation unless explicitly relevant in the technical safety concept. A graphical representation of the latent fault metric is shown in Figure 13.

2.3.3 Probability of Random Hardware Failure (PMHF) Measurement

As shown in Equation (1-4), the formula for calculating PMHF value is:

PMHFest = λSPF + λRF+ λDPF_det × λDPF_latent × Tlifetime (1‑4)

For each failure mode, calculate its contribution to the total PMHF value as a percentage.

2.4 Hardware Architecture Metrics Target Values

For specific metrics of hardware architecture design, the standard provides corresponding target values (as shown in Table 1), which typically depend on the highest ASIL level that the hardware design needs to meet. For ASIL A levels, the standard does not recommend target values, for ASIL D levels, the standard recommends the most stringent target values, and for some cases of ASILB and ASILC, the metrics are recommendations rather than mandatory requirements in the sense of the standard.

Security Analyses in the software design phase

1. Safety-related functions and attributes

The derivation of software safety requirements should consider the safety-related functionality and safety-related attributes required by the software, where a failure of safety-related functions or a failure of safety-related attributes may result in a violation of the technical safety requirements assigned to the software.

Safety-related functions of software typically include:

• Functions that enable safe execution of the nominal function
• Functions that enable the system to achieve or maintain a safe or degraded state
• Functions related to detecting, indicating, and mitigating failures of safety-relevant hardware elements
• Self-testing or monitoring functions related to detecting, indicating, and mitigating the failure of the operating system, underlying software, or the application software itself
• Functions related to on-board or off-board testing during production, operation, service, and end of life
• Functions that allow modification of software during production and service
• Functionality related to performance or time-critical operations

Safety-related attributes typically include:

• Robustness to erroneous inputs
• Independence or interference freedom between different functions
• Fault tolerance of the software, etc.

2. Security analysis in the design phase of software architecture

During the software architecture design phase, we should perform the appropriate software safety analysis activities, which the standard calls safety-oriented analysis methods. Safety-oriented analysis is essentially qualitative. First, safety-oriented analysis helps provide evidence that the software is suitable to provide the specified safety-related function and attributes as required by the desired ASIL level. Secondly, safety-oriented analysis helps to identify or validate safety-related software content. Finally, safety-oriented analysis supports the development of safety mechanisms and thus verifies the effectiveness of safety measures.

Relying on the requirement of non-interference or sufficient independence between safety-related elements, the standard recommends performing a Dependent Failure Analysis (DFA). The DFA identifies relevant failures or potentially relevant failures and their effects. The objective and scope of the DFA depends on the sub-stage and the level of abstraction at which the analysis is performed, and the elements of the failure of interest are defined before the analysis is performed (e.g., in the safety plan). This is also a part of the qualitative analysis.

3. Analysis of safety-related failures at the software architecture level

Embedded software provides the ability to specified functions, behaviors, and attributes, as well as the integrity required by the assigned ASIL. By applying safety-related failure analysis at the software architecture level to check or confirm the integrity of the corresponding safety functions and attributes and the corresponding assigned ASIL requirements.

3.1 Purpose of safety analysis at the software architecture level

During the software architecture design phase, relevant failure analysis shall be conducted  to identify possible single events, faults or failures that could lead to failure behavior of multiple software elements that require independence (e.g., cascading and/or common cause failures, including common mode failures), and single events, faults or failures that may initiate a chain of causality leading to a violation of a safety requirement that propagates from one software element to another (e.g., cascading failures). Through the failure analysis at the software architecture design stage, the degree of independence or  interference freedom achieved between related software architecture elements can then be tested.

3.2 Software Architecture Level Safety Analysis

Relevant failure analysis at the software architecture level shall consider the following:

• Identifying possible design weaknesses, conditions, errors, or failures that could trigger a causal chain leading to violation of safety requirements (e.g., using inductive or deductive methods)
• Analyzing the consequences of possible faults, failures, or causal chains on the functions and attributes required of software architecture elements Analyzing functions and attributes that software architecture elements required and the consequences of possible faults, failures, or causal chains

3.3 Application Scenarios for Relevant Failure Analysis at the Software Architecture Level

The following scenarios may require failure analysis at the software architecture level:

• Applying ASIL decomposition at the software level
• Implementing software safety requirements, such as providing the evidence for the effectiveness of software safety mechanisms, where the independence between monitored elements and monitoring elements must be ensured

4. Deriving Security Mechanisms from Software Architecture Level Safety Analysis

The safety measures include safey mechanisms derived from safety-oriented analyses that cover issues related to random hardware failures and software failures. The results of the safety analyses performed at the software architecture level require the implementation of error detection safety mechanisms and error handling safety mechanisms.

4.1 Error Detection Safety Mechanism

Error detection safety mechanisms include:

• Range checks on input and output data
• Plausibility checks (e.g., using reference models of the desired behavior, assertion checks, or comparing signals from different sources)
• Data error detection (e.g., error detection codes and redundant data storage)
• External element monitoring (e.g., ASIC) or another software element that executes the program that performs the watchdog function. The monitoring can be logical, temporal, or both
• Temporal monitoring of program execution
• Diverse redundancy design
• Access violation control mechanisms implemented in software or hardware, used to allow or deny access to safety-related shared resources

The example in Figure 14 illustrates the interference caused by conflicting use of shared resources (e.g., shared processing elements). The QM software element interferes with and prevents timely execution of ASIL software elements (this interference can also occur between software elements with different ASIL levels). The upper half of the figure shows the software execution without interference mechanisms. By introducing "checkpoints" into the software and implementing timeout monitoring of them, timing perturbations can be detected, enabling appropriate countermeasures.