This is 'The GSEG (Global Safety Experts Group)'.
As explained in the article below, the FMC (Failure Mode Coverage) of latent faults inevitably varies depending on the safety concept for the error reaction. This is the most error-prone part of performing an FMEDA, so it is explained in more detail with the example below.
Effect of Safety Concept (Error reaction) on LFM
The example discussed here corresponds to the right-hand (red dot) part of the FMEDA excerpt below.
In other words, note that the latent fault discussed in the example concerns the failure modes of the HW parts used for the intended function, not the failure modes of the HW parts that implement the SM (Safety Mechanism).
** FMEDA example **
1) SM1: It monitors the 'R1 open' failure mode and, when an open failure mode is detected, delivers a warning signal to the vehicle level as well as the related information to the error management unit.
(note: Lighting the warning lamp is regarded as the responsibility of the higher-level ECU)
Therefore, SM1 itself includes not only detection of the failure mode but also sending a warning signal to the outside via CAN or another protocol.
2) SM2: It monitors the 'IC100 wrong processing' failure mode and contains no function other than forwarding the relevant information to the error management unit upon detection of the failure mode.
3) SM3: It monitors the 'IC100 wrong sequence' failure mode and when it detects the failure mode, it delivers related information to the error management unit and includes a function to activate the degradation mode.
4) SM5: It monitors the 'R1 closed' failure mode and, when it detects the failure mode, delivers the related information to the error management unit.
Transmitting a warning signal to the vehicle level is done by SM6 in this case.
** FMC decision process for latent fault **
1) In the case of the 'R1 open' failure mode, it is detected by SM1 with 90% coverage, so 0.35 FIT (5 * 0.7 * 0.1) is the probability of a residual fault, and the remaining 3.15 FIT is a multiple-point fault, as shown in the flow below.
It moves on to the next analysis step, and according to the answer to the question 'can the driver perceive the effects?' in the figure below, it is determined whether the fault is latent (not perceived) or perceived.
In this case, the 3.15 FIT is detected by SM1, and SM1 itself provides a warning signal to the vehicle, which ensures that the driver can recognize it.
Therefore, 100% coverage through SM1 can be claimed for the 3.15 FIT of the 'R1 open' failure mode, so the latent fault of the 'R1 open' failure mode becomes 0 FIT.
2) In the case of the 'R1 closed' failure mode, it is detected by SM5 and the related information is delivered to the vehicle level by SM6 after detection, so 100% coverage can be claimed for the latent fault of the 'R1 closed' failure mode, just as for the 'R1 open' failure mode.
Therefore, the failure probability corresponding to MPF_perceived is 0.9 FIT (5 * 0.3 * 0.4) and the failure probability corresponding to MPF_L is 0 FIT.
3) The 'IC100 wrong sequence' failure mode is detected by SM3, but only degradation support is provided after detection, without a separate warning signal.
In this case, as shown in the figure below, only 60% of the 28.8 FIT detected by SM3 corresponds to MPF_perceived, and 11.52 FIT (60 * 0.6 * 0.8 * 0.4) remains as a latent fault.
Here SM3 can still be claimed as the SM for the perceived part, because the activation of degradation mode is decided by SM3.
4) The 'IC100 wrong processing' failure mode is detected by SM2, but since IC100 cannot perform any function after detection, all of the 21.6 FIT (60 * 0.4 * 0.9) detected by SM2 remains latent.
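The decision flow above, written out as an added Python example (not from the original article): each failure mode's FIT is split into residual, MPF_perceived and MPF_latent according to the error reaction of its SM, following the flow shown for 'R1 open' (undetected share is residual, detected share is a multiple-point fault). It assumes the three rows are the whole safety-related list with no single-point faults when it computes the LFM per ISO 26262-5; 'R1 closed' is left out because the factor behind its perceived figure is not identified in the text.

```python
from dataclasses import dataclass
from enum import Enum

class Reaction(Enum):
    """Error reaction the safety concept attaches to the detecting SM."""
    WARNING = "warning reaches the vehicle level"      # SM1, or SM5 + SM6
    DEGRADATION = "degradation mode, no warning"       # SM3
    REPORT_ONLY = "information to error manager only"  # SM2

@dataclass
class FailureMode:
    name: str
    base_fit: float            # failure rate of the HW part, in FIT
    fm_fraction: float         # share of base_fit in this failure mode
    dc: float                  # diagnostic coverage of the detecting SM
    reaction: Reaction
    perceived_share: float = 1.0  # share the driver notices (DEGRADATION only)

def split_fit(fm: FailureMode) -> dict:
    """Split the failure mode's FIT into residual, MPF_perceived and MPF_latent:
    undetected -> residual; detected -> multiple-point fault, which counts as
    perceived only if the error reaction informs the driver (assumed flow)."""
    fm_fit = fm.base_fit * fm.fm_fraction
    residual = fm_fit * (1.0 - fm.dc)
    detected = fm_fit * fm.dc
    if fm.reaction is Reaction.WARNING:
        perceived = detected
    elif fm.reaction is Reaction.DEGRADATION:
        perceived = detected * fm.perceived_share
    else:
        perceived = 0.0
    return {"fit": fm_fit, "residual": residual,
            "mpf_perceived": perceived, "mpf_latent": detected - perceived}

def latent_fault_metric(rows) -> float:
    """LFM = 1 - sum(MPF_latent) / (sum(FIT) - sum(SPF) - sum(RF)) per ISO 26262-5;
    assumed: no single-point faults among these rows."""
    splits = [split_fit(r) for r in rows]
    latent = sum(s["mpf_latent"] for s in splits)
    not_single_or_residual = sum(s["fit"] - s["residual"] for s in splits)
    return 1.0 - latent / not_single_or_residual

# Constructed rows reproducing the figures in the text (R1 closed left out).
EXAMPLE_ROWS = [
    FailureMode("R1 open", 5, 0.7, 0.9, Reaction.WARNING),
    FailureMode("IC100 wrong sequence", 60, 0.6, 0.8, Reaction.DEGRADATION, 0.6),
    FailureMode("IC100 wrong processing", 60, 0.4, 0.9, Reaction.REPORT_ONLY),
]
```

Running `split_fit` over `EXAMPLE_ROWS` gives 0.35 / 3.15 / 0 FIT for 'R1 open', 17.28 FIT perceived and 11.52 FIT latent for 'IC100 wrong sequence', and 21.6 FIT latent for 'IC100 wrong processing'.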