The GSEG (Global Safety Experts Group).
We would like to investigate in which way the ASILs assigned to the requirements (SMs) can be affected by the HW fault classification (SPF or DPF).
As defined in ISO 26262, the failure modes of HW components can be classified as follows, considering te impact on each safety goal.
1) SPF, RF (Single-point Fault, Residual Fault)
2) MPF (Multiple-points Fault): The case where n=2 is called DPF (Dual-points Fault) and is the main subject of analysis.
So how does the classification of these HW failure modes (SPF/DPF) correlate with ASIL for the requirements to monitor
them?
When the Functional Safety Concept is extended to the Technical Safety Concept, a technical method (commonly named SM 'Safety Mechanism') must be defined to monitor random HW failures which have the potential to violate the safety goal.
The ASIL (or required quality) is therefore assigned to such requirements / SMs that provide monitoring for relavant random HW failures.
For example, if potential random hardware failure in a system with ASIL C safety goal is classified as SPF, the function that monitors it (i.e. safety mechanism) must be developed with ASIL C whereas ASIL A allocation is sufficient for the monitoring of random HW failures if its random HW failure is classified as DPF.
A brief summary of this is as follows:
| ASIL assigned to the function implemented by HW component |
HW Fault Classification | min. ASIL required to monitor random HW failure |
| ASIL D | SPF | ASIL D |
| DPF | ASIL B | |
| ASIL C | SPF | ASIL C |
| DPF | ASIL A | |
| ASIL B | SPF | ASIL B |
| DPF | ASIL A | |
| ASIL A | SPF | ASIL A |
| DPF | QM |
The above principle applies equally regardless of whether ASIL decomposition is applied or not, and the explanation will
continue with an example in which the specific requirements below are decomposed in-between HW_ASIC and HW_switch.
- ASIL Decomposition: ASIL C = ASIL A(C) + ASIL B(C)
- HW_ASIC: ASIL A(C)
- HW switch: ASIL B(C)
In the case where the above ASIL decomposition is applied, the random HW failure of HW_ASIC can be classified as a
potential DPF therefore ASIL QM (C) instead of ASIL A(C) can be assigned to the requirement to monitor it (safety mechanism).
In a similiar way, ASIL A(C) instead of ASIL B(C) can be assigned to the requirements (SM) to monitor the random HW failures of HW_Switch.
But, one thing to note here is that it defines the quality level (ASIL) that must be satisfied as "minimum".
That means that SM that monitors random HW failure of HW_ASIC can be also developed with ASIL A(C).
At first glance, it may seem like giving away the benefits of appying ASIL Decomposition here, but in addition to such benefits, ASIL allocation must be determined in a systematic way or within an overall strategy.
For instance, if the SWCs within the HW_ASIC except for the SM that monitors the DPF of the HW_ASIC are all designed to satisfy the ASIL A(C), it is mandatory to prove freedom from interference which requires more effort and cost.
Therefore, which ASIL is proper to the SM that monitors the random HW failure of HW_ASIC should be determined from a wider perspective.
'04. System Development & Verification > English' 카테고리의 다른 글
| Effect of Safety Concept (Error reaction) on LFM (0) | 2022.12.08 |
|---|
Comment