Effect of Safety Concept (Error reaction) on LFM

by The GSEG 2022. 12. 8.

This is 'The GSEG (Global Safety Experts Group)'.

 

We would like to explain the influence of the safety concept (especially its error reaction part) on one of the HW architectural metrics, the LFM (Latent Fault Metric).

 

This topic is a reminder of the importance of the safety concept, and it is one of the areas where the person in charge of the FMEDA analysis most often makes mistakes, so it must be understood correctly.

 

[Figure: Effect of Safety Concept (Error reaction) on LFM, simplified safety concept with safe path activation as the error reaction of HW failure monitoring]

 

The figure above shows a simplified safety concept in which HW failure monitoring activates a safe path as part of its error reaction.

 

Depending on how the error reaction is designed in this safety concept, the result of the HW metric LFM (Latent Fault Metric) is affected.

 

In other words, the FMC (Failure Mode Coverage) with respect to latent faults of the related HW failure mode is necessarily determined differently depending on the function provided as the error reaction, and this in turn affects the LFM result. (Recall from ISO 26262-5 that the latent part of the multiple-point failure rate is λMPF_L = λMPF x (1 - K_FMC_MPF) and that LFM = 1 - ΣλMPF_L / Σ(λ - λSPF - λRF), so a lower latent-fault FMC directly raises λMPF_L and lowers the LFM.)

 

The three different scenarios are as follows (see 'λMPF_L' in the figure below).

 

[Figure: Effect of Safety Concept (Error reaction) on LFM, showing λMPF_L for the three scenarios]

 

 

1) Safe path activation as the error reaction, together with a warning light or message visually recognizable by the driver

In the ideal case, after HW failure mode 'A' is detected, the safe path is activated as intended and the related error message is delivered to the upper-level or external ECU responsible for the vehicle computer display.

That ECU then conveys the relevant message to the driver visually or audibly (e.g. a warning light turns on).

(For reference, this is a so-called bottom-up requirement: it must be documented by the supplier providing the error reaction and handed over to the customer, and details such as the method of exchanging such requirements and the party responsible for final verification must be discussed and agreed upon in the DIA, the Development Interface Agreement.)

Therefore, the driver can be expected to recognize intuitively that HW failure mode 'A' has occurred and to take the related measures (e.g. vehicle inspection) before a fault occurs in the safety mechanism (SM) itself.

 

Under these circumstances, 100% FMC with respect to latent faults can be claimed for this failure mode.

 

2) Safe path activation only, as the error reaction

If only the safe path is activated as the error reaction, then even though HW failure mode 'A' is detected, the driver cannot recognize it and cannot take the related measures in a timely fashion, so the FMC with respect to latent faults must be regarded as 0%.

 

In certain cases, monitoring and correction of the HW failure mode are possible but no error reaction can be provided because of HW restrictions (e.g. memory fault detection through ECC without profiling, i.e. without any reporting of the corrected errors).

 

For example, ECC (Error Correction Code) can detect a 1-bit error that occurs during data transfer and can correct it to the original data on its own, so in many cases no special reaction is provided from the HW side.

 

Therefore, in this case the driver cannot recognize that HW failure mode 'A' has occurred, and if a fault occurs in the related SM afterwards, the safety goal will eventually be violated.

 

If the memory in use is small, 0% FMC for latent faults may not have a significant effect on the LFM, because the memory's failure rate is then only a small share of the total; but it cannot be overlooked in autonomous-driving-related ECUs (ADAS or AD ECUs), which use relatively large amounts of memory.

 

Therefore, such requirements should be stated clearly in the related safety concept, and on that basis they should be taken into account when selecting HW components (e.g. the component reports ECC detection events, together with the affected memory address, in a specific register so that an error reaction can be triggered).

 

3) Safe path activation followed by degradation support (limp-home) as the error reaction

If safe path activation followed by a limp-home function is provided as the error reaction, the driver can also recognize the error situation through the degradation of the intended function, but the FMC for latent faults is necessarily limited, since it is not ensured that every driver will recognize the error situation properly.

 

ISO 26262 gives no clear guideline or criterion for what FMC percentage is appropriate in this case.

 

Therefore, it is desirable to determine the latent-fault FMC for HW failure mode 'A' through consultation at the project or company level; 'The GSEG' judges that the most conservative of the typical diagnostic coverage levels, 60%, is appropriate here (a conservative value is highly likely to be accepted by the safety assessor during the safety assessment).
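As an added worked example (not from the GSEG post), the following Python script computes the LFM for the three error-reaction scenarios above, and also shows the memory-size point made under scenario 2. The element list, the FIT values, the safe-fault fractions and the residual-fault coverages are constructed for illustration; all elements are assumed to be covered by some safety mechanism (so λSPF = 0 and only λRF is subtracted in the denominator); the ASIL targets are the LFM targets of ISO 26262-5 (60% / 80% / 90% for ASIL B / C / D).

```python
"""Worked LFM calculation for the three error-reaction scenarios.

Added illustration, not code from the GSEG post. The FIT values and the
element list are constructed; the formulas follow ISO 26262-5:
  lambda_MPF,L = lambda_MPF * (1 - K_FMC,MPF)
  LFM          = 1 - sum(lambda_MPF,L) / sum(lambda - lambda_SPF - lambda_RF)
All elements are assumed to be covered by a safety mechanism, so lambda_SPF = 0.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional

# LFM targets per ASIL (ISO 26262-5 Table 5). Insertion order B < C < D matters below.
LFM_TARGET = {"B": 0.60, "C": 0.80, "D": 0.90}


@dataclass(frozen=True)
class FailureMode:
    name: str
    lam: float            # total failure rate of this failure mode in FIT (constructed)
    safe_fraction: float  # share of lam that can never violate the safety goal
    k_fmc_rf: float       # FMC w.r.t. residual faults (SM detects/controls the fault)
    k_fmc_mpf: float      # FMC w.r.t. latent faults (driver informed, repair possible)

    def lam_rf(self) -> float:
        """Residual failure rate: non-safe faults the SM does not cover."""
        return self.lam * (1 - self.safe_fraction) * (1 - self.k_fmc_rf)

    def lam_mpf(self) -> float:
        """Multiple-point failure rate: non-safe faults the SM does cover."""
        return self.lam * (1 - self.safe_fraction) * self.k_fmc_rf

    def lam_mpf_l(self) -> float:
        """Latent part of the multiple-point failure rate (the figure's λMPF_L)."""
        return self.lam_mpf() * (1 - self.k_fmc_mpf)


def lfm(modes: List[FailureMode]) -> float:
    """Latent Fault Metric over all safety-related failure modes."""
    latent = sum(m.lam_mpf_l() for m in modes)
    # Denominator: lambda - lambda_SPF - lambda_RF per element, with SPF assumed 0.
    base = sum(m.lam - m.lam_rf() for m in modes)
    return 1 - latent / base


def highest_asil_met(value: float) -> Optional[str]:
    """Highest ASIL whose LFM target the value satisfies, or None if below ASIL B."""
    met = [asil for asil, target in LFM_TARGET.items() if value >= target]
    return met[-1] if met else None


def scenario(k_fmc_mpf_a: float, memory_fit: float) -> List[FailureMode]:
    """Three constructed elements: HW failure mode 'A' with the scenario's latent FMC,
    a lockstep core pair with good coverage, and ECC RAM whose corrected errors are
    never reported to the driver (the scenario-2 case: latent FMC 0%)."""
    return [
        FailureMode("HW failure mode A", 100.0, 0.5, 0.90, k_fmc_mpf_a),
        FailureMode("lockstep core", 200.0, 0.5, 0.99, 0.90),
        FailureMode("RAM with ECC", memory_fit, 0.2, 0.99, 0.0),
    ]


# Latent-fault FMC assigned to failure mode 'A' in each scenario of the post.
SCENARIOS = {
    "1) safe path + warning to driver": 1.0,
    "2) safe path only": 0.0,
    "3) safe path + limp-home (GSEG: 60%)": 0.6,
}

if __name__ == "__main__":
    for memory_fit in (50.0, 1000.0):  # small RAM vs. ADAS-sized RAM (constructed)
        print(f"--- RAM = {memory_fit:.0f} FIT ---")
        for label, k in SCENARIOS.items():
            value = lfm(scenario(k, memory_fit))
            print(f"{label:40s} LFM = {value:6.1%}  meets ASIL {highest_asil_met(value)}")
```

Running the script shows that with the small RAM, the latent-fault FMC of failure mode 'A' alone moves the LFM between roughly 72% (scenario 2) and 86% (scenario 1), i.e. across the ASIL C target, with the 60% value of scenario 3 landing at about 80%. With a RAM twenty times larger whose ECC corrections are never reported, the LFM falls below 40% even in scenario 1, which is the effect the post warns about for ADAS and AD ECUs.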

 

 

 
