The ISO 26262 standard was established to ensure the safety of vehicles by preemptively analyzing risks caused by hardware failures and providing methods to manage these risks. In particular, assessing the impact of random hardware failures on safety goals is critical. In this post, I will explain the hardware failure assessment methods presented in ISO 26262 and introduce PMHF (Probabilistic Metric for random Hardware Failures) in a simple way.
1. Purpose of Hardware Failure Assessment
The main objective is to provide evidence that the risk of violating safety goals due to hardware failures is sufficiently low. Here, “sufficiently low” means that it is comparable to systems that have been safely used in the past.
2. Definition and Purpose of PMHF
PMHF is a key metric that represents the probability of violating safety goals due to random hardware failures. Its primary purposes are:
Safety evaluation of hardware design: Assess whether the hardware meets safety goals.
Comparison of new and existing designs: Provide guidance to evaluate the safety of new designs compared to existing ones.
Proof of compliance with safety goals: Serve as evidence that the design meets safety goals.
PMHF must meet target values based on the ASIL (Automotive Safety Integrity Level), and it is assessed alongside SPFM (Single Point Fault Metric) and LFM (Latent Fault Metric) to comprehensively evaluate the safety of the hardware architecture.
3. PMHF Assessment Methods
PMHF is assessed using two main techniques: FMEDA (Failure Mode and Effects Diagnostic Analysis) and FTA (Fault Tree Analysis). These techniques analyze the logical structure and failure modes of the hardware and calculate the PMHF value based on the results. PMHF quantitatively evaluates the likelihood of violating safety goals due to random hardware failures.
4. Characteristics and Applications of PMHF
Uncertainty: The values used to calculate PMHF, such as failure rates, failure modes, and diagnostic coverage, may carry some uncertainty.
Flexible interpretation: Even if the PMHF target value is not met, if the design can reasonably prove its safety, it may still be considered safe.
PMHF vs. ECC: PMHF is a global approach that explains the probability of violating safety goals for the entire system. On the other hand, ECC (Evaluation of Each Cause) analyzes each failure cause individually and is more suitable when detailed analysis of specific failure causes is required.
5. Assessment Methods
ISO 26262 offers two methods to assess hardware failures:
Probabilistic Metric for random Hardware Failures (PMHF): This method quantifies the probability of violating safety goals when random hardware failures occur. The results are compared to target values to evaluate safety.
Evaluation of Each Cause (EEC): This method assesses the likelihood of failure for individual hardware components. It evaluates single-point faults, residual faults, and dual-point faults separately.
6. Information Required for Assessment
To perform these assessments, the following information is required:
Hardware safety requirements: The safety requirements that the hardware must meet.
Hardware design specifications: Information about the structure and design of the hardware.
Hardware safety analysis report: The results of safety analyses for the hardware.
Additionally, technical safety concepts or system architecture design specifications may be referenced.
7. Safety Goal Violation Assessment Criteria
Single-point fault assessment: Evaluate the likelihood of violating safety goals when a single failure occurs in a specific component. The likelihood of failure must be demonstrated to be low.
Residual fault assessment: Even when the diagnostic system misses a failure, the likelihood of that failure occurring must still be low for it to be acceptable.
Dual-point fault assessment: Evaluate the likelihood of two or more failures occurring simultaneously. Both the likelihood of failure and the effectiveness of safety systems are considered.
8. Verification of Assessment Results
The results of these analyses must be reviewed for technical accuracy and completeness according to the ISO 26262 standard. This verification process ensures that the analysis has been properly conducted and that the system satisfies safety goals.
9. Conclusion
The hardware failure assessment process and PMHF in ISO 26262 play a crucial role in ensuring the safety of automotive systems. Identifying potential risks caused by hardware failures and implementing appropriate countermeasures are essential for maintaining vehicle safety. PMHF is particularly useful for systematically assessing the risk posed by random hardware failures. Adhering to these standards is vital for enhancing the safety of automobiles.
I hope this post has helped you better understand ISO 26262, hardware failure assessment, and PMHF!