Fault Tree Analysis (FTA)
FTA in ISO 26262 Functional Safety Standard
Fault Tree Analysis (FTA) is a powerful tool for analyzing the failure propagation path of a system and identifying its cause, and plays an important role in functional safety analysis in the automotive industry. In particular, it is used as an essential methodology for evaluating the safety of a system and managing risks in the ISO 26262 standard.
1. Deductive Analysis and ASIL
- Deductive analysis reasons from an assumed system-level failure back to its causes, based on the operation of the system.
- ASIL (Automotive Safety Integrity Level) is an indicator for evaluating the safety level of a system, with ASIL C and D requiring the highest level of safety. Deductive analysis is essential at these levels.
2. Role of Fault Tree Analysis (FTA)
- FTA is a static analysis technique that visually analyzes the failure path of a system. It systematically models all possibilities that can cause failures and evaluates safety.
- The deductive analysis approach is used to identify the impact of system, event, and component behavior on the top event.
- The purpose of FTA is to assume the top-level accident of the system and systematically analyze various causes of failure that can cause it.
3. FTA Process
1. Define the top event:
- This is the starting point of the analysis, an event that violates the safety goal of the system or fails to meet safety requirements.
- For example, the failure of the car braking system can be the top event.
2. Use of logic gates:
- Visualize various failure paths using AND, OR gates, etc.
- Each gate shows how the sub-events contribute to the top event.
3. Causal Analysis:
- Analyze the causes of each sub-event to identify all possibilities that contribute to the top event.
- This can identify vulnerabilities in the system and devise improvement measures.
General Fault Tree Analysis Methods
1. Importance of Architecture Design
In order to perform FTA effectively, architecture design must be done first. This design helps to understand the logical/physical connections and the function/data flow of the system. In general, an architecture design consists of the following sections:
- Input: A section that acquires various information
- Control: A section that processes input information
- Output: A section that transmits processed information
This structure is the basis for clearly understanding the operation of the system and visually analyzing the propagation path of the fault.
2. When to perform safety analysis
ISO 26262 functional safety defines the points at which safety analysis is performed at various levels:
- System level: After system design
- Hardware level: After detailed design
- Software level: After architecture design
Analysis at these stages is important for identifying fault propagation paths and system vulnerabilities.
3. Fault propagation path analysis using FTA
Fault propagation path analysis using FTA starts from the system output and moves back to the input. This method consists of the following steps:
1. Identification of Top Events:
- Identify events that may violate safety goals or safety requirements.
2. Analysis from Output to Input:
- In the architecture design, analysis is performed in the order of output (Element D) to control (Element C), and input (Element A and B).
- Identify the interrelationships between each component to identify the fault propagation path.
3. Cause Analysis and Identification:
- Analyze the cause based on the fault propagation path identified in each step, and devise measures to improve safety based on this.
4. FTA Application Example
The image below shows an example of FTA application:
FTA using the P-S-C concept
1. What is the P-S-C concept?
The P-S-C concept is a method of analyzing system failures by dividing their causes into three factors: Primary (P), Secondary (S), and Command (C). Asking about each factor in turn lets the analyst focus on one causal factor at a time; each has the following characteristics:
- Primary (P) failure:
- A unique failure of a system element.
- Caused by a failure of an internal component, independent of the failure of other elements.
- For example, a failure due to a defect in a specific electronic component.
- Secondary (S) failure:
- Failure caused by external forces or environmental factors.
- When a component fails due to external influences.
- May be related to the failure of other elements.
- For example: Failure of a component due to a sudden increase in external temperature, vibration, or electromagnetic interference (EMI).
- Command (C) failure:
- Indicates a failure related to the signal flow within the system.
- A problem that occurs in the signal transmission path, where there is a dependency between components.
- For example: Failure of the system to operate due to a signal transmission error.
2. How to apply FTA
FTA using the P-S-C concept can perform safety analysis required by the ISO 26262 functional safety standard more systematically. The procedure for applying FTA is as follows:
Step 1: Identify the top-level accident
- Clearly define the safety goal or safety requirement whose violation is the top-level accident.
- In this step, assume a failure that violates the safety goal or safety requirement and start the analysis.
- For example, a complete failure of the car braking system can be the top-level accident.
Step 2: Architecture Structure Analysis
- List the system architecture in order from output to input components.
- Analyze the failure by applying the P-S-C concept to each component.
- Analyze each component in the order of Output section → Control section → Input section.
- Command path event failure corresponds to the signal flow, and the dependency between components is considered during the analysis.
Step 3: Fault Path Identification and Analysis
- Analyze the failure path by combining the failures of each identified component with OR gates and AND gates.
- OR Gate: Represents an individual failure, and a single failure can cause a higher-level failure.
- AND Gate: Represents a simultaneous failure, and multiple failures must occur simultaneously to cause a higher-level failure.
- Repeat the analysis until the lowest event in the fault tree is identified.
3. Understanding through examples
The image below shows an example of an FTA that applies the P-S-C concept:
Efficient FTA method for safety analysis
1. Excluding S(Secondary) failures from FTA
Secondary (S) failures are failures that occur due to external influences on a component. Since these failures may have dependent relationships with other components, they can be more appropriately handled in dependent failure analysis. Therefore, in ISO 26262, it is efficient to perform analysis centered on the P(Primary)-C(Command) concept, excluding S(Secondary), when performing FTA.
2. FTA using the P-C concept
P(Primary) failure
- A unique failure of a system element, an internal failure that occurs independently.
- Example: Failure due to manufacturing defects in electronic components.
C(Command) failure
- A failure related to the signal flow within the system, and there is a dependency between components.
- Example: Failure of the system to operate due to incorrect signal transmission.
3. P-C concept application procedure
Step 1: Identify top-level events
- Identify the safety goals or safety requirements whose violation forms the top-level event.
Step 2: Analyze architecture structure
- List components from output to input in a typical structure of architecture design.
- Identify P(Primary) and C(Command) failures for each component.
- Reduce the complexity of analysis by excluding S(Secondary) and focus on the main failure path.
Step 3: Identify and analyze failure paths
- Construct a fault tree using the P-C concept.
- OR Gate: Represents individual failures, and a single failure can cause a higher-level failure.
- AND Gate: Represents simultaneous failures, and multiple failures must occur simultaneously to cause a higher-level failure.
- Assign a failure rate to each event so that quantitative analysis can be performed.
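As an added, runnable illustration of the P-C procedure above (example code written for this post, not code from the post or the referenced paper): it builds a small P-C fault tree for a constructed output-control-input chain with made-up failure rates, evaluates the top event probability under the independence assumption that motivates moving S failures to dependent failure analysis, and lists the minimal cut sets. The element names, rates and the 10,000 h mission time are all constructed assumptions.

```python
import math
from itertools import product

class Node:
    """Fault tree node: a basic event (gate=None, with a failure rate) or an AND/OR gate."""
    def __init__(self, name, gate=None, rate=0.0, children=()):
        self.name, self.gate, self.rate, self.children = name, gate, rate, list(children)

def element(name, rate, feeders=(), redundant=False):
    """P-C concept: an element fails by its own Primary fault OR a Command fault, where the
    Command fault is the failure of the element(s) feeding it (AND if they are redundant)."""
    kids = [Node(f"{name}.P", rate=rate)]
    if feeders:
        kids.append(Node(f"{name}.C", gate="AND" if redundant else "OR", children=feeders))
    return Node(f"{name} fails", gate="OR", children=kids)

def probability(node, hours):
    """Failure probability over `hours`: basic events use 1 - exp(-rate * t).
    Gates assume independent children, which is exactly why Secondary (S) failures are
    handled in dependent failure analysis instead of being placed in this tree."""
    if node.gate is None:
        return 1.0 - math.exp(-node.rate * hours)
    ps = [probability(c, hours) for c in node.children]
    return math.prod(ps) if node.gate == "AND" else 1.0 - math.prod(1.0 - p for p in ps)

def minimal_cut_sets(node):
    """Smallest combinations of basic events that are sufficient to cause the top event;
    single-element cut sets are the ones that deserve a safety mechanism first."""
    if node.gate is None:
        return [frozenset([node.name])]
    if node.gate == "OR":
        sets = [s for c in node.children for s in minimal_cut_sets(c)]
    else:
        sets = [frozenset().union(*combo)
                for combo in product(*(minimal_cut_sets(c) for c in node.children))]
    return sorted({s for s in sets if not any(o < s for o in sets)}, key=lambda s: (len(s), sorted(s)))

# Constructed architecture (Output <- Control <- Input) with made-up failure rates in 1/h:
# redundant sensors A and B feed controller C, which commands brake actuator D.
SENSOR_A = element("Sensor A", 1e-6)
SENSOR_B = element("Sensor B", 1e-6)
CONTROLLER = element("Controller C", 5e-7, feeders=[SENSOR_A, SENSOR_B], redundant=True)
TOP = element("Actuator D", 2e-7, feeders=[CONTROLLER])  # top event: actuator D fails

if __name__ == "__main__":
    print(f"P(top event, 10,000 h) = {probability(TOP, 1e4):.6f}")
    for cs in minimal_cut_sets(TOP):
        print("cut set:", sorted(cs))
```

The two single-event cut sets (the actuator's and the controller's own primary faults) dominate the top event probability, while the redundant sensor pair only contributes through its AND combination.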
4. Dependent Failure Analysis
- Dependent failure analysis is mandatory in ISO 26262 regardless of ASIL level.
- Dependent failure occurs when the failure of one component affects the failure of another component.
- Dependent failures are identified through Coupling Factors.
- Coupling Factors are classified by the ISO 26262 standard and indicate interference and dependencies between components.
Dependent Fault Identification Procedure
1. Using Checklist:
- Evaluate the possibility of dependent failures using an appropriate checklist.
2. Analyzing Coupling Factors:
- Identify the cause of dependent failures based on Coupling Factors.
- Examples: Environmental factors, physical coupling, signal interference, etc.
5. Benefits of FTA using P-C Concept
- Ease of quantitative analysis:
- An FTA built with the P-C concept can be used directly for quantitative analysis by calculating failure rates.
- It can provide evidence needed to achieve quantitative target values.
- Increase efficiency of analysis:
- Excluding S(Secondary) narrows the analysis to the P-C concept and increases efficiency.
- Since S(Secondary) failures are already adequately covered in dependent failure analysis, the complexity of the FTA is reduced and the analysis can focus on the core failure paths.
- Provide evidence of goal achievement:
- Quantitative FTA provides the evidence that the customer's required target values have been achieved.
6. Example: FTA excluding S(Secondary) from P-S-C structure
The image below shows an FTA that applies the P-C concept by excluding S(Secondary) from P-S-C structure.
This post references “An efficient safety analysis method using FTA for ISO 26262 functional safety response, 2021 Korea Society of Automotive Engineers Spring Conference, Yang Dong-hyun, Kim Soo-hyun, Kim Hyun-hoon”