Cookbook for FMEDA


Question: How do I start an FMEDA? Are any links available?

This question was asked about 7 years ago. Here is my answer. You can consider this answer a cookbook for FMEDA.

My answer: First of all, there is no such book and no such link (as far as I know).

Step 1: First, the prerequisites for starting an FMEDA: the hazard analysis and risk assessment should be completed and the ASILs of the related safety goals should be clear. In general there are many safety goals for one item (= ECU). According to ISO 26262 you need to perform an FMEDA for each safety goal, so to save time and cost you need to derive (summarize) effective safety goals from as many of the original goals as possible, because the information in the safety goals overlaps. If you don't understand my approach, I'll write you an example next time.

You need to agree with your customer on the following points:

* Your effective safety goals fully cover the generally defined safety goals

* Your FMEDA tool should be classified and qualified

* The confidence level you need to use for your raw FITs (there is no hard and fast rule)

* The mission profile of your ECU (see pages 22-24 of TR 62380), which you need for calculating the raw FITs

* The standards you need to consider for your raw FIT calculation (SN 29500 or IEC TR 62380). For reference: SN 29500 is easy to use and the calculated FITs are relatively high, while IEC TR 62380 is a little more complicated and you will get better (lower) FIT values.

Step 2: You must define the parts of the hardware that are related to safety goal x (SGx). For example, if the ECU receives the reference position of the BLDC motor from the master controller via the CAN bus and your safety goal is, e.g., "the BLDC must reach the reference position within xx ms, otherwise SGx is violated", then the associated hardware parts are the CAN lines, the CAN driver, the μC, the BLDC driver, the BLDC power supply, the BLDC itself, the BLDC rotor position sensor and the path back to the μC that evaluates the deviation between reference and current position, as well as all electronic components in these paths.


Now you need to analyze the circuits defined above using the table in ISO 26262-10 (page 26 or effectively page 20). For example, there is always a common mode choke between the master controller and the CAN driver in your ECU. The failure modes of the common mode choke are defined in the book by Birolini (the old version is free to download online); these failure modes can also be found in TR 62380. First consider one failure mode, e.g. a short circuit between two lines of the common mode choke. This means that your ECU cannot receive the reference position from the master, i.e. you automatically generate a deviation between the reference and the current rotor position because the reference position is not updated, so a short circuit of the common mode choke violates SGx. What does your safety mechanism look like in this case? Your ECU expects a continuously updated target position; if it does not arrive, the ECU has a timeout function, etc. The diagnostic coverage is around 99% (ISO 26262-5, Annex D).

The raw FIT of your choke in your design is, e.g., 10 FIT, and according to Birolini the share of the short-circuit failure mode of the common mode choke is 40%, i.e. the resulting FIT for the short failure mode is 10 × 0.4 = 4.

Result of your analysis: your common mode choke violates SGx in the case of a short circuit (single-point fault); the associated safety mechanism is the timeout function of the CAN controller in your ECU, and the resulting residual fault rate equals the FIT of that failure mode × (1 − DC/100) = 4 × (1 − 99/100) = 0.04 FIT.

You must take latent faults into account in the same way. Like this, you must analyze every electronic component and its failure modes based on ISO 26262-10 (page 26).

Step 3: It is useless to calculate the total FIT of a μC because it will be far too high; you only need to consider the parts of the μC related to your SGx (not all of it). You have to send your mission profile to your μC supplier, who will create an FMEDA extract that you then need to configure. About raw FITs: you can get raw FITs from the chip suppliers, which are better than calculated ones. E.g. Texas Instruments or Linear Technology provide this information online; it is called reliability data reports.

https://focus.ti.com/quality/docs/singlesearchresults.tsp?&templateId=5909&navigationId=11213&appType=folders&searchType=orderableOption&partialSearch=false&mtbfType=true&orderablePartNumber=TPS57112QRTERQ1

You will need to derate these values to your application. There is an article about this here:

Temperature dependence factor for Failure in time (FIT) | LinkedIn

Your report then looks like this: for SGx, PMHF = residual faults + single-point faults + contribution of dual-point faults = xx

Single-point fault metric = xx %

Latent fault metric = xx %
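The Step 2 arithmetic (failure-mode FIT = raw FIT × mode share, residual = failure-mode FIT × (1 − DC)) and the report quantities above (SPFM, LFM, PMHF) can be carried through for a small parts list. The following Python is an added example, not code from this article or from any FMEDA tool. The part names, raw FITs, failure-mode shares and DC values are constructed for illustration only; the SPFM and LFM formulas are those of ISO 26262-5 Annex C; treating the part of a fault that the safety mechanism detects as a multiple-point fault that stays latent unless it is separately detected is the convention assumed here; and the dual-point contribution to PMHF is passed in as a plain number, because the article gives no formula for it.

```python
from dataclasses import dataclass


@dataclass
class FailureMode:
    """One failure mode of one component, i.e. one FMEDA row."""
    component: str
    mode: str
    raw_fit: float          # raw failure rate of the whole component, in FIT (1e-9 / h)
    share: float            # fraction of raw_fit attributed to this mode (e.g. 0.4 for 40 %)
    violates_sg: bool       # does this mode on its own violate the safety goal?
    dc_rf: float = 0.0      # coverage (0..1) of the safety mechanism preventing the violation
    dc_latent: float = 0.0  # coverage (0..1) of detecting the fault while it is latent
    safe: bool = False      # no influence on the safety goal at all (safe fault)

    @property
    def fit(self) -> float:
        return self.raw_fit * self.share  # failure-mode FIT, e.g. 10 x 0.4 = 4


def classify(fm: FailureMode) -> dict:
    """Split one failure mode's FIT into single-point, residual, latent and safe shares."""
    lam = fm.fit
    out = {"spf": 0.0, "rf": 0.0, "mpf_latent": 0.0, "safe": 0.0, "total": lam}
    if fm.safe:
        out["safe"] = lam
    elif fm.violates_sg and fm.dc_rf == 0.0:
        out["spf"] = lam                        # no safety mechanism: single-point fault
    elif fm.violates_sg:
        out["rf"] = lam * (1.0 - fm.dc_rf)      # residual fault the mechanism does not catch
        covered = lam - out["rf"]               # detected part becomes a multiple-point fault
        # assumption of this example: the covered part is latent unless separately detected
        out["mpf_latent"] = covered * (1.0 - fm.dc_latent)
    else:
        out["mpf_latent"] = lam * (1.0 - fm.dc_latent)  # e.g. the safety mechanism's own parts
    return out


def metrics(modes, dual_point_fit: float = 0.0) -> dict:
    """SPFM and LFM per ISO 26262-5 Annex C; PMHF as the article writes it."""
    tot = {"spf": 0.0, "rf": 0.0, "mpf_latent": 0.0, "safe": 0.0, "total": 0.0}
    for fm in modes:
        for key, value in classify(fm).items():
            tot[key] += value
    spfm = 1.0 - (tot["spf"] + tot["rf"]) / tot["total"]
    lfm = 1.0 - tot["mpf_latent"] / (tot["total"] - tot["spf"] - tot["rf"])
    pmhf = tot["spf"] + tot["rf"] + dual_point_fit   # dual-point term supplied by the caller
    return {"spfm": spfm, "lfm": lfm, "pmhf_fit": pmhf, **tot}


# Constructed sample rows (hypothetical raw FITs, shares and DC values, not from any standard).
CHOKE_SHORT = FailureMode("common mode choke", "short", 10.0, 0.4, True, dc_rf=0.99, dc_latent=0.99)
SAMPLE_MODES = [
    CHOKE_SHORT,
    FailureMode("common mode choke", "open", 10.0, 0.6, True, dc_rf=0.99, dc_latent=0.99),
    FailureMode("CAN transceiver", "no output", 20.0, 0.5, True, dc_rf=0.99, dc_latent=0.99),
    FailureMode("CAN transceiver", "parameter drift", 20.0, 0.5, False, safe=True),
    FailureMode("CAN timeout logic (SM)", "stuck", 2.0, 1.0, False, dc_latent=0.9),
    FailureMode("BLDC driver", "output stuck", 50.0, 0.2, True),  # no SM: single-point fault
]

if __name__ == "__main__":
    for fm in SAMPLE_MODES:
        c = classify(fm)
        print(f"{fm.component:24} {fm.mode:16} FIT={fm.fit:6.2f} SPF={c['spf']:.3f} "
              f"RF={c['rf']:.4f} latent={c['mpf_latent']:.4f}")
    m = metrics(SAMPLE_MODES)
    print(f"SPFM={m['spfm']:.2%}  LFM={m['lfm']:.2%}  PMHF={m['pmhf_fit']:.2f} FIT")
```

With these constructed rows the choke short comes out at 0.04 FIT residual exactly as in Step 2, and the one row without any safety mechanism (the BLDC driver) alone drags the SPFM down to about 76%, which is the effect the DC mapping discussed below is meant to address.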

The biggest difficulty is to map your safety mechanism to the DC values defined in ISO 26262-5 Annex D. It is also possible to get higher DC values than specified in Annex D, but you have to convince your customer with some arguments to get the better DC values. How? I have written an article on this:

How to improve the result of FMEDA without complicated hardware circuit | LinkedIn

My suggestion: FMEDA and FMEA are not a one-man show; a hardware design expert, a software design expert and the functional safety manager must work with you. Make this clear to your boss. In the first approach, take some rough values for voltage, current etc. for your calculation and refine them step by step. I hope I have written enough, and sorry for writing too much (there are many grammatical errors; I don't have much time to correct these things). Good suggestions are welcome; criticism you can keep to yourself.


Mashood Nasir

PhD Electrical Engineering - Power Design Engineer

9 months

Well explained. It would be great if you could also share an Excel template for FMEDA.
