How to improve the result of FMEDA without complicated hardware circuit
The following passages are copied from ISO 26262-5:
_____________________________________________________________________________
The diagnostic coverage, with respect to residual faults that is achieved by the safety mechanisms, shall be evaluated.
The effectiveness of these typical safety mechanisms for the given elements is categorized according to their ability to cover the listed failure modes to achieve low, medium or high diagnostic coverage of the element. These low, medium and high diagnostic coverage rankings correspond to typical coverage levels at 60 %, 90 % or 99 %, respectively.
If justified, higher diagnostic coverage can be estimated, up to 100 % for simple or complex elements.
i.e. these values are the starting point of the discussion. It is possible to claim a higher value with a proper rationale.
__________________________________________________________________________
Here is an example with a μC, voltage monitoring and a watchdog as safety mechanisms.
Remark: The three kinds of safety mechanisms (SM) available in a standard μC are not considered here (non-deactivatable SM, deactivatable SM and user-defined SM).
The function of the μC can be trusted only if it is powered with the voltage specified by the μC manufacturer, i.e. the safety mechanism to implement is supply-voltage monitoring.
Deadlock of software components is monitored via the Watchdog Manager.
The 100 FIT PMHF target of the ASIL C safety goals is distributed over the different functional groups, with 10 FIT allocated to the μC.
DC of external watchdog = 99 % (D.2.9.2, Annex D, ISO 26262-5; a restricted time window is required to claim 99 % DC)
DC of voltage monitoring with only over- and under-voltage monitoring = 60 % (reference from Annex D to be added here)
Total derated FIT of the μC at the standard mission profile = 250
50 % of the FIT are considered safe.
Resulting PMHF = (1 − 99/100) × 125 + (1 − 60/100) × 125
= 1.25 + 50 = 51.25 >> target value 1
60 % because only under- and over-voltage monitoring is implemented. A drift within the permitted voltage range cannot affect the correct functioning of the μC, i.e. it is not necessary to detect drift inside the under-/over-voltage range, and drift outside that range is detected by the under-/over-voltage monitoring. This is the rationale for claiming DC = 90 % without any further effort.
If oscillation within the range also cannot affect the correct functioning of the μC, use a decoupling capacitor with enough margin so that spikes do not reach the μC.
Use open-mode decoupling capacitors here, two in parallel, to avoid a single-point fault.
i.e. DC = 99 % can be claimed.
Result after this rationale:
PMHF = (1 − 99/100) × 125 + (1 − 99/100) × 125
= 1.25 + 1.25 = 2.50
A far better PMHF than the target value, achieved only at the insignificant cost of decoupling capacitors.
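The two PMHF calculations above follow one rule: each failure-mode group contributes its FIT multiplied by the share its safety mechanism does not detect, (1 − DC). The script below is an added worked example (it is not part of the original article and is not taken from ISO 26262); it reproduces the article's before/after figures (125 FIT attributed to each mechanism, 99 % and 60 %/99 % DC, a 10 FIT budget for the μC) and generalises the sum to any number of failure-mode groups. It also computes the DC a mechanism would need to bring an element within its budget, which is the question a reviewer asks when a rationale like the one above is proposed. All function and parameter names are chosen here.

```python
"""PMHF contribution of an element from per-failure-mode diagnostic coverage.

Added example, not from the original article or from ISO 26262. FIT figures,
DC rankings and the 10 FIT budget are the article's; names are assumptions.
"""
from dataclasses import dataclass

# Typical coverage levels ISO 26262-5 associates with the low/medium/high
# diagnostic-coverage rankings (60 %, 90 %, 99 %), as quoted in the article.
DC_RANKING = {"low": 0.60, "medium": 0.90, "high": 0.99}


@dataclass(frozen=True)
class FailureModeGroup:
    """A share of the element's failure rate covered by one safety mechanism."""
    mechanism: str
    fit: float   # failure rate attributed to this group, in FIT (1e-9 per hour)
    dc: float    # diagnostic coverage of the mechanism, as a fraction 0..1

    def __post_init__(self):
        if self.fit < 0 or not 0.0 <= self.dc <= 1.0:
            raise ValueError(f"invalid FIT or DC for {self.mechanism}")


def residual_fit(groups):
    """Undetected (residual) failure rate per group: fit * (1 - dc), in FIT."""
    return {g.mechanism: g.fit * (1.0 - g.dc) for g in groups}


def pmhf(groups):
    """Sum of the residual FIT of all groups: the element's PMHF contribution."""
    return sum(residual_fit(groups).values())


def meets_budget(groups, budget_fit):
    """True when the element's PMHF contribution stays within its allocated FIT."""
    return pmhf(groups) <= budget_fit


def required_dc(fit, budget_fit):
    """Minimum DC a single mechanism needs so that fit * (1 - dc) <= budget_fit."""
    if fit <= 0:
        return 0.0
    return max(0.0, 1.0 - budget_fit / fit)


# Figures from the article: 250 FIT derated, 125 FIT per mechanism, 10 FIT budget.
MCU_BUDGET_FIT = 10.0
BEFORE = [
    FailureModeGroup("external watchdog", 125.0, DC_RANKING["high"]),
    FailureModeGroup("under/over-voltage monitoring", 125.0, DC_RANKING["low"]),
]
# After the rationale: in-range drift and decoupled spikes are argued not to
# affect the MCU, so the voltage monitoring is credited with high (99 %) DC.
AFTER = [
    FailureModeGroup("external watchdog", 125.0, DC_RANKING["high"]),
    FailureModeGroup("under/over-voltage monitoring", 125.0, DC_RANKING["high"]),
]

if __name__ == "__main__":
    for label, groups in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: PMHF = {pmhf(groups):.2f} FIT, budget {MCU_BUDGET_FIT} FIT, "
              f"within budget: {meets_budget(groups, MCU_BUDGET_FIT)}")
        for name, fit in residual_fit(groups).items():
            print(f"  {name}: {fit:.2f} FIT residual")
    # DC the voltage monitoring alone must reach with the budget left after the
    # watchdog's 1.25 FIT (10 - 1.25 = 8.75 FIT).
    print(f"voltage monitoring needs DC >= {required_dc(125.0, MCU_BUDGET_FIT - 1.25):.2f}")
```

Running the script prints 51.25 FIT for the original split and 2.50 FIT after the rationale, and shows that the voltage monitoring needs at least 93 % DC to keep the μC within its 10 FIT budget, so the medium (90 %) ranking argued from drift alone would not suffice on its own; the capacitor argument is what carries the element into budget.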