Dependent Failure Analysis (DFA)
The ISO 26262 standard specifies the requirements and processes for the safety activities carried out during the safety life cycle of electrical and/or electronic (E/E) control systems. The standard covers product development at the system, hardware, and software levels, and achieves functional safety through activities such as requirements specification, design, integration, and testing at each level. One important part of this process is Dependent Failure Analysis (DFA).
Dependent failure analysis is used to verify whether the design sufficiently ensures independence, or freedom from interference, between the elements of the system. It identifies whether the dependent failures found could violate safety goals or safety requirements, and verifies the effectiveness of the safety measures that mitigate them.
In this post, we will first understand the concept of dependent failures, how to identify dependent failures, analyze failure propagation paths using dependent failure initiators (DFIs) and coupling factors, and explain the dependent failure mitigation measures and verification methods based on this.
Understanding Dependent Failures
Dependent failures are failures that are not statistically independent. In other words, the failures of multiple elements (components) are not mutually independent: one failure affects the other, so the probability of the combined failure is not equal to the product of the individual failure probabilities.
For example, let’s say there are two elements in a system, C1 and C2. If C2 receives and processes input from C1, or if C1 and C2 share common resources, a fault in C1 may affect C2. In this case, C1 and C2 can be said to be dependent, and the failure that occurs as a result is a dependent failure.
The ISO 26262 standard distinguishes these dependent failures into two main types:
- Cascading Failure (CF): This is a situation where a failure in one element causes a cascade of failures in other elements. For example, a failure in C1 propagates to C2, causing C2 to fail as well.
- Common Cause Failure (CCF): This is a situation where multiple elements fail simultaneously due to the same cause. For example, C1 and C2 fail simultaneously due to a common power supply failure.
The ISO 26262 standard requires that conditions that can cause these dependent failures (cascading failures and common cause failures) be identified and that appropriate measures be put in place to mitigate or control them. These measures play a critical role in ensuring the safety of the system.
Dependent failure analysis
Dependent Failure Analysis (DFA) is the process of identifying the dependencies between elements within a system and assessing the possibility that these dependencies adversely affect safety goals or safety requirements. The analysis focuses on ensuring that the system design has sufficient independence or freedom from interference (FFI), and on defining safety measures to mitigate dependent failures where necessary.
Identifying Elements Related to Dependent Failures:
Elements related to dependent failures can be identified primarily through the results of safety analysis tools such as Failure Modes and Effects Analysis (FMEA) or Fault Tree Analysis (FTA). Safety analysis focuses on analyzing the possibility that a specific element will violate safety goals or requirements and defining Safety Mechanisms (SM) to mitigate them. On the other hand, Dependent Failure Analysis ensures that these safety mechanisms are not affected by Dependent Failure Initiators (DFIs).
Situations to be considered in the dependent failure analysis:
1. In the absence of a safety mechanism: Consider cases where a specific element can directly violate the safety goal or requirement. Such elements should be identified first in the dependent failure analysis.
2. Effects of a safety mechanism failure: Analyze elements where a failure of a safety mechanism can lead to a failure of the primary function, or vice versa. Such elements are important to consider in the dependent failure analysis because they can put the primary function of the system at risk.
3. Possibility of simultaneous failure of the primary function and the safety mechanism: Analyze elements where the primary function and the safety mechanism can fail simultaneously.
4. Interfaces between ASIL QM elements and ASIL A, B, C, D elements: Consider possible dependencies that may occur at the interface between an ASIL (Automotive Safety Integrity Level) QM element and a higher ASIL element. Since elements with higher ASIL levels must meet higher safety requirements, the possible dependent failures that may occur in the interaction between them must be thoroughly analyzed.
For situations 1, 2, and 3, potential dependent failures can be identified through deductive analysis, such as the cut sets of an FTA, or through inductive analysis of parts or components that repeatedly exhibit similar failure modes in an FMEA.
Example of dependent failure analysis using FTA
The above dependent fault identification criteria were applied to the functions in ISO 26262-5:2011 Annex E.
Since the elements related to dependent faults must be identified from the results of safety analysis, FTA was first performed based on the architecture design of the diagram above.
The Cut sets of the FTA performed above were identified as follows.
From the cut sets, the element of EV5 can be considered to have the potential for cascading failure, and the elements of EV1 & EV2 and EV3 & EV4 can be considered to have the potential for cascading failure or common cause failure.
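The cut-set screening described above, as an added example that is not part of the original post: a small fault tree is reduced to its minimal cut sets, single-element cut sets are flagged as elements that can violate the top event directly, and multi-element cut sets whose members share a coupling factor (here a constructed table in the spirit of ISO 26262-9 Annex C) are flagged as common cause failure candidates. The tree, the event names EV1 to EV5 and the coupling values are assumptions constructed for the example, not the Annex E design from the post.

```python
from itertools import product

# Constructed fault tree (assumption): the top event occurs if the primary
# channel fails AND its safety mechanism fails, or if EV5 fails on its own.
# A gate is ("AND"/"OR", [children]); a leaf is the basic-event name.
FAULT_TREE = ("OR", [
    ("AND", ["EV1", "EV2"]),   # primary sensor fault AND monitor fault
    ("AND", ["EV3", "EV4"]),   # actuator fault AND feedback-check fault
    "EV5",                      # element that can violate the goal directly
])

# Constructed coupling-factor table (assumption): shared resources and
# environment each basic event depends on.
COUPLING = {
    "EV1": {"supply": "PSU-A", "location": "PCB-1"},
    "EV2": {"supply": "PSU-A", "location": "PCB-1"},
    "EV3": {"supply": "PSU-B", "location": "PCB-2"},
    "EV4": {"supply": "PSU-A", "location": "PCB-3"},
    "EV5": {"supply": "PSU-B", "location": "PCB-1"},
}

def cut_sets(node):
    """Return all cut sets of the tree as a list of frozensets."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":
        return [cs for sets in child_sets for cs in sets]
    # AND gate: one cut set from every child, unioned, for each combination
    return [frozenset().union(*combo) for combo in product(*child_sets)]

def minimal_cut_sets(node):
    """Drop any cut set that has a proper subset among the cut sets."""
    sets = set(cut_sets(node))
    return sorted((cs for cs in sets if not any(o < cs for o in sets)),
                  key=lambda cs: (len(cs), sorted(cs)))

def classify(mcs, coupling):
    """DFA screening: size-1 cut sets can violate the goal directly (cascading
    failure candidates); larger cut sets are CCF candidates when every member
    shares a coupling-factor value, otherwise they are treated as independent."""
    report = {}
    for cs in mcs:
        if len(cs) == 1:
            report[cs] = ("CF", {})
            continue
        first = coupling[next(iter(cs))]
        shared = {k: v for k, v in first.items()
                  if all(coupling[e].get(k) == v for e in cs)}
        report[cs] = ("CCF" if shared else "independent", shared)
    return report
```

In this constructed case EV1 & EV2 share both supply and location and are reported as a CCF candidate, while EV3 & EV4 share nothing and would still need an interface check for cascading failure.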
Dependent Fault Initiator (DFI) and Coupling Factor Analysis
A Dependent Failure Initiator (DFI) is a single root cause that causes multiple elements to fail simultaneously. These initiators can be identified through the coupling factors between elements in the system. Coupling factors play a key role in identifying the root cause of dependent failures, which is essential for the analysis of Cascading Failure (CF) and Common Cause Failure (CCF).
ISO 26262-9:2018 Annex C provides a classification of coupling factors, which can be used to identify single root causes that can potentially cause dependent failures at the system, software, hardware, and semiconductor levels.
Table 1 below shows the classification of coupling factors that affect the system, software, hardware, and semiconductor levels.
Based on this classification of coupling factors, the potential causes of dependent failures, and consequently the possibility of violating the required independence or freedom from interference (FFI) between the given elements, can be evaluated. That is, for each element identified as having the potential for dependent failures, the single root cause that can act between the elements is identified by referring to the coupling factors presented in Table 1.
Control or mitigation measures for dependent failures
After identifying the single root cause of a dependent failure through the classification of coupling factors, safety measures should be added to the architecture to control or mitigate the effects of the dependent failure, so that the independence requirement or freedom from interference (FFI) is satisfied.
The effectiveness of the safety measures should then be verified to confirm that the added measures are sufficient to control or avoid the dependent failure. ISO 26262-11:2018 suggests the following methods for this verification:
- FTA (Fault Tree Analysis), ETA (Event Tree Analysis), FMEA (Failure Modes and Effects Analysis)
- Fault Injection Simulation
- Application of specific design rules based on Technology Qualification Tests
- Over-design related to the voltage class or distance of the device
- Stress testing for temperature profiles or overvoltages of power and input
- EMC (Electromagnetic Compatibility) and ESD (Electrostatic Discharge) testing
- Expert Judgement
This post refers to “ISO 26262 Dependent Fault Analysis Methodology for Functional Safety Response, 202j Korea Society of Automotive Engineers Spring Conference, Yang Dong-hyun, Kim Soo-hyun, Kim Yun-tak, Kim Hyun-hoon”.
If you are interested in other articles about the ISO 26262 series, please refer to the links below!
[ISO 26262] #1. Part4-6 Technical Safety Concept (TSC)
[ISO 26262] #2. Safety Mechanisms for Electrical and Electronic
[ISO 26262] #3. Safety Mechanism for Processing Unit
[ISO 26262] #4. Safety Mechanisms for IO units and Interfaces
[ISO 26262] #5. Safety Mechanisms for Communication Bus
[ISO 26262] #6. Safety Mechanisms for Power Supply
[ISO 26262] #7. Safety Mechanisms for Temporal monitoring and logical programme sequence monitoring