Hazard Analysis Techniques for Functional Safety (Part 3: DFA)

Hi everyone! Nice to meet you again.

This is the last article in the Hazard Analysis series, in which I share my own study of functional safety in the Concept phase (ISO 26262 Part 3). You can refer to the first two articles of this series at:

Hazard Analysis Techniques for Functional Safety (Part 1: FTA and FMEA)

Hazard Analysis Techniques for Functional Safety (Part 2: HAZOP and ETA)

As you may know, safety analyses form a huge chunk of the safety activities defined in the ISO 26262 standard. Each safety analysis has a specific output to achieve. For instance, FMEA identifies failure modes and their effects. Similarly, FTA analyses the causes, or combinations of causes, that lead to an undesirable event. The bottom line is to detect and eliminate weaknesses in the design and ensure there are no safety goal violations.

Dependent failure analysis (DFA) is one such safety analysis, and it is crucial to developing safety-critical automotive systems. In this article, I will share my understanding of the DFA method.

1. Introduction to Dependent Failure Analysis (DFA)

Dependent Failure Analysis (DFA) is a methodology used to identify and analyze potential failures in systems where failures are not independent but rather can influence each other. This analysis is particularly relevant in complex systems where the failure of one component can cause or influence the failure of others. In the context of Functional Safety, especially as outlined in ISO 26262 (the international standard for functional safety in automotive systems), DFA helps to ensure that safety-related systems are robust and can handle the interdependencies between different components and failure modes.

Key Aspects of Dependent Failure Analysis (DFA):

  1. Understanding Dependencies: DFA involves identifying how failures in one component or system can lead to failures in other components due to interdependencies. This is crucial in complex systems where components interact with each other.
  2. Failure Modes and Effects: DFA requires a thorough examination of all possible failure modes and their effects on the system. This includes understanding how a failure in one component might propagate and influence the failure behavior of other components.
  3. System Interaction: Since automotive systems are increasingly complex with numerous interacting components, DFA helps in understanding how failures can spread and affect the overall system.

2. Understanding Independence, Interference and Freedom from Interference

There are two types of dependent failures (see Figure 1 and Figure 2):

  1. Common cause failures (CCF), which occur when two or more elements fail due to a single specific event or root cause.
  2. Cascading failures (CF), which occur when the failure of one component leads to the failure of another in a cascading fashion.

Dependent Failure Analysis (DFA) involves a systematic approach to identify and analyze both cascading and common cause failures. DFA aims to detect the single causes/events and eliminate these dependent failures to achieve freedom from interference and independence in automotive systems. The ISO 26262 standard (Parts 6, 7 and 9) provides guidelines for performing dependent failure analysis, and various tools are available to aid in the analysis process.

Figure 1: DFA classification for detecting CCF and CF
Figure 2: Illustration of a common cause failure and a cascading failure.

Some points to remember about dependent failure analysis:

  • It validates Freedom From Interference (FFI) between the elements by identifying the cascading failures;
  • It validates independence between the elements by identifying both cascading and common cause failures;
  • Dependent Failure Analysis helps in putting in place appropriate safety mechanisms to contain the faults within the element and prevent it from cascading;
  • Dependent Failure Analysis can be performed at system, software, and hardware level;
  • The analysis brings forth the points that are susceptible to failures;
  • It can be performed with both deductive and inductive approaches;

According to [4]:

  • Automotive functional safety consultants use the term "independence" only when the dependent failures (including both cascading and common cause failures) do not lead to any safety goal violation. Independence can be ascertained by performing a dependent failure analysis (DFA).
  • Another term that we must understand before we explain dependent failure analysis is interference. We can understand interference as partially the opposite of independence. It is the presence of a cascading failure from a non-ASIL or lower-ASIL component to a higher-ASIL component that leads to one or more safety goal violations.
  • Finally, freedom from interference (FFI) implies the absence of cascading failures between elements that lead to a safety goal violation. Remember that it does not cover common cause failures.

Achieving Freedom from Interference and Independence [3]

Freedom from interference between elements is validated by identifying cascading failures and ensuring that faults in lower-ASIL components do not propagate to higher-ASIL components. One might ask why not build every part of the system to ASIL C or ASIL D. The simple answer is that it is not financially viable. Moreover, the same outcome can be attained by a combination of lower-ASIL-rated systems or components that operate independently of one another and do not interfere with each other.

Achieving freedom from interference involves mitigating cascading failures through various safety measures. One approach is block partitioning, where faults detected in one block are contained within that block and do not cascade into other blocks.

3. How to identify dependent failure types

Dependent Failures can arise from systematic failures and random hardware failures.

Figure 3: Identify the Dependent failure types

Dependent Failures can be identified from Safety Analysis. In other words, DFA can be approached in two ways: top-down (deductive) and bottom-up (inductive) analysis.

Top-down or Deductive analyses:

The top-down approach follows a deductive analysis paradigm, where the FuSa analyst begins from the top-level failure or a safety goal violation.

Such failures and violations are first broken down to understand the failure modes, then further dissected to classify the failures as cascading, common cause, or independent. The next step is to identify the potential risk that can emanate from each dependent failure. Deductive analysis is recommended at the architectural design phase, as it gives important inputs for design decisions.

  • Fault Tree Analysis (FTA) is an example of deductive analysis
  • Recommended for ASIL B and required for ASIL C and ASIL D

Bottom-up or Inductive analyses:

Bottom-up or the inductive approach comes at a later stage when architecture design is at a more refined level. Here, we start with a set of initiating causes and analyze the failures they may cause.

  • Failure Mode and Effects Analysis (FMEA) is an example of inductive analysis
  • Inductive Analysis is recommended for all ASIL Levels (ASIL A to ASIL D)

Combining the top-down and bottom-up approaches to DFA gives a complete picture of the dependent failures and contributes to meeting the functional safety requirements.

4. Using DFA for Hazard Analysis in ISO 26262

DFA begins with identifying and analyzing all the blocks or sub-blocks that require independence. The analysis is applied at the level for which the FFI or technical independence requirements are to be achieved, for example at the system, HW, or SW level. The top-level safety requirement is translated into detailed HW or SW safety requirements for implementation by independent elements. A functional redundancy approach can be used, such that two independent architectural elements allow faults to be monitored and detected. These elements must be sufficiently independent to ensure that:

  • Dependent failures that could violate the safety requirements are identified
  • Each identified dependent failure is detected and controlled by an adequate safety measure

As a result, the adequate safety measures can be selected to prevent or to detect and control failures with the potential to violate safety requirements.

The following steps are recommended when using DFA for hazard analysis in ISO 26262:

Step 1: Identify Components and Interactions:

  • List all components of the system and their interactions.
  • Determine how failures in one component might affect others. For example, if a sensor fails, it might cause the control unit to misinterpret data, leading to unsafe actions.

Step 2: Analyze Failure Dependencies:

  • Assess the potential failure modes of each component and how these might interact with failures in other components.
  • Consider scenarios where multiple components fail in a dependent manner and how these combined failures could lead to hazardous conditions.

Step 3: Evaluate Impact on Safety Goals:

  • Determine how dependent failures might impact the safety goals defined for the system.
  • Analyze if these failures might lead to a safety hazard and, if so, how severe the impact might be.

Step 4: Implement Safety Mechanisms:

  • Based on the DFA results, design safety mechanisms and redundancies to mitigate the risks posed by dependent failures.
  • Ensure that safety mechanisms are capable of detecting and responding to failure dependencies effectively.

Step 5: Document and Review:

  • Document the DFA process and findings as part of the safety case for the system.
  • Regularly review and update the DFA analysis as the design evolves or new failure modes are identified.
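As an added example (not from the article or any of its references), the following Python models Steps 1 to 3 above together with the Section 2 definitions: components carry an ASIL, cascading-failure edges and shared resources, and from that model the script screens for interference (cascading from a lower-ASIL into a higher-ASIL element), common cause groups (one shared resource hitting several elements), and pairwise independence (which, unlike FFI, also rules out common cause). All component names, ASILs and resources are constructed sample data.

```python
# Added example, not from the article: a toy dependent-failure screen over an
# architecture model. All names, ASILs and shared resources are constructed.
from dataclasses import dataclass, field

ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}

@dataclass
class Component:
    name: str
    asil: str
    propagates_to: list = field(default_factory=list)  # cascading-failure edges
    shared: list = field(default_factory=list)         # shared resources (CCF root causes)

def cascading_paths(model, start):
    """Every component reachable from `start` through cascading-failure edges (DFS)."""
    reached, stack, seen = [], [start], {start}
    while stack:
        for nxt in model[stack.pop()].propagates_to:
            if nxt not in seen:
                seen.add(nxt); reached.append(nxt); stack.append(nxt)
    return reached

def find_interference(model):
    """Interference = a cascading failure from a lower-ASIL element into a higher-ASIL one."""
    return sorted((src, dst) for src in model for dst in cascading_paths(model, src)
                  if ASIL_RANK[model[src].asil] < ASIL_RANK[model[dst].asil])

def find_common_cause(model):
    """CCF = one shared resource whose single failure hits two or more elements."""
    by_res = {}
    for c in model.values():
        for r in c.shared:
            by_res.setdefault(r, set()).add(c.name)
    return {r: sorted(s) for r, s in by_res.items() if len(s) > 1}

def is_independent(model, a, b):
    """Independence needs no cascading in either direction AND no common cause."""
    ccf = any({a, b} <= set(m) for m in find_common_cause(model).values())
    cascade = b in cascading_paths(model, a) or a in cascading_paths(model, b)
    return not (ccf or cascade)

def build_model():
    """Constructed sample: a QM infotainment unit sharing a supply rail with an ASIL D brake ECU."""
    parts = [Component("infotainment", "QM", ["gateway"], ["12V_rail"]),
             Component("gateway", "B", ["brake_ecu"]),
             Component("brake_ecu", "D", [], ["12V_rail", "clock"]),
             Component("brake_monitor", "D", [], ["clock"])]
    return {c.name: c for c in parts}
```

On the sample model, the two ASIL D elements brake_ecu and brake_monitor are not independent because of the shared clock, and the QM infotainment unit interferes with the brake ECU through the gateway; removing the shared clock is the kind of design change Step 4 would record.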

Integration with ISO 26262:

In ISO 26262, DFA fits into the broader context of hazard analysis and risk assessment. It complements other analyses like Failure Mode and Effects Analysis (FMEA) and Fault Tree Analysis (FTA) by focusing on the dependencies between failures.

  • Hazard Analysis and Risk Assessment: DFA helps in understanding how dependent failures could contribute to hazardous situations and assessing the associated risks.
  • Safety Requirements and Design: Based on the DFA, safety requirements can be derived to address identified risks and ensure that the system design includes adequate measures to handle dependent failures.
  • Verification and Validation: DFA supports the verification and validation process by ensuring that the safety measures effectively address the risks posed by dependent failures.

By integrating DFA into the hazard analysis process, you ensure a comprehensive approach to identifying and managing risks associated with failure dependencies in automotive systems. This ultimately contributes to achieving the required safety integrity levels (SILs) as specified by ISO 26262.

Modern automotive product development requires dedicated functional safety features to avoid or to control failure risks. The functional safety development flow involves various safety analyses, including DFA which is initiated from the project’s early stages, ensuring FFI or technical independence, as illustrated in Figure 4.

Figure 4: Summary of the DFA activities (Source [5])

Finally, I highly recommend reading the following article by Chunguang Wei: Overview of Dependent Failure Analysis-Freedom From Interference and Safety Analysis

5. Conclusion

The ISO 26262 standard makes the different analyses a very important part of the safety lifecycle. Dependent failure analysis (DFA) is one such analysis that helps achieve freedom from interference and independence. It demonstrates that the requirements to reduce the dependencies between the elements have been met and are consistent with the technical safety requirements and functional safety requirements. At the end of the analysis, the engineers have clear insights into the common cause and cascading failures, which help them reinforce the safety measures.

In summary, DFA is a valuable tool in safety analysis as it provides a detailed understanding of failure interactions, enhances the effectiveness of safety measures, and supports compliance with safety standards. By addressing the complexities of dependent failures, DFA helps in creating safer and more reliable systems.

References:

[1] ISO 26262:2018, Parts 6, 7 and 9.

[2] Marco Bozzano (2011), Design and Safety Assessment of Critical Systems.

[3] https://www.3sk.co.uk/3sk-blog/dependent-failure-analysis/

[4] https://www.embitel.com/blog/embedded-blog/how-important-is-dependent-failure-analysis-in-iso-26262

[5] https://embeddedinembedded.blogspot.com/2017/02/iso-26262-dependent-failure-analysis-dfa.html

[6] Google Photos
