Minimal Cut Sets in FTA and How to apply it in ASIL Decomposition

Hi there! Thanks for following and encouraging me in my series of articles on Functional Safety. I highly appreciate any comment or feedback that helps us understand and practice ISO 26262 better while doing Functional Safety (FUSA) in real applications.

In one of my previous articles, Hazard Analysis Techniques for Functional Safety (Part 1: FTA and FMEA), I introduced FTA and how to use it in Safety Analysis. In this article, I'd like to share my study of the concept of the Minimal Cut Set (MCS) in constructing a Fault Tree (FT) for Safety Analysis, and how to apply it in ASIL Decomposition.

1. Overview of Fault Tree

To make this article easier to follow, I'd like to first recall some main points of the Fault Tree (FT) and the Fault Tree Analysis (FTA) method. In particular,

  • Fault trees (FTs) are graphical models. The entries of a fault tree are called nodes. There are two basic node types: events and gates. Fault tree events represent faults or failures of elements of the system, or a general undesirable state of a system, subsystem or unit, leading to the undesired top event. Gates link the fault tree events to each other, adding logic structure to the fault tree.
  • Fault Tree Analysis (FTA) is an analytical technique used to find the realistic ways that lead to a single undesired event. The goal is to identify all faults and failures of a system that contribute to the occurrence of the undesired event.

Fault tree events can be divided into:

  • The Undesired Top Event (or Top Event): Each fault tree has a single undesired event at the top. As FTA is a deductive method, the top event represents the starting point of the safety analysis process. During fault tree construction, the occurrence of the undesired top event is assumed first; then the other fault tree events are added to the fault tree from top to bottom. Concerning functional safety, the top event can be defined as the violation of a safety goal.
  • Basic Events: Basic events are located at the bottom of the fault tree. They are not developed any further, either because a specific level of resolution is reached (the event is a root cause; it is atomic) or due to lack of information. This means that basic events are not caused by any other event included in the fault tree. Basic events are faults and failures at component level; hardware faults, software faults, etc. are examples of possible basic events.
  • Intermediate Events: Intermediate events link the basic events to the top event. They represent higher-level faults/failures of subsystems and/or functional units. Intermediate events are not considered basic events, since they are caused ("commanded") by the occurrence of lower-level events. Intermediate events are also referred to as the command path of the fault tree.

The structure of a typical Fault Tree is as follows:

Figure 1: Structure of a Fault Tree

As seen in Figure 1, a fault tree can be divided into levels and branches. The events "A" and "B" are the top events of two different fault tree branches. The fault tree events increase in level of technical detail as the bottom of the fault tree is approached. The top event of the fault tree refers to a specific system-level malfunction, while the basic events at the bottom refer to component-level faults and failures. The intermediate events in between refer to subsystem-level and lower system-level malfunctions.

2. Minimal Cut Set (MCS) Concept

Minimal Cut Sets (MCSs) belong to the qualitative fault tree evaluation methods. Complex fault trees are hard to analyze due to their size and number of levels. MCSs present a way to reduce the number of fault tree levels to a minimum. This is achieved by cancelling out the intermediate events of the fault tree, thus directly linking the basic fault tree events to the top event. MCSs are used to highlight the single and multiple point failures of the system.

  • A minimal cut set is a set of basic events which, if they all occur, lead to the occurrence of the top event of the fault tree. An MCS does not include intermediate events. It is purely comprised of basic events, which are directly linked to the top event with an AND-gate.
  • MCSs therefore represent multiple point failures. The number of basic events in the MCS determines the order of the multiple point failure.
  • A fault tree, in general, has several minimal cut sets. To obtain the MCSs, the fault tree has to be transformed. All MCSs of a fault tree together form a logically equivalent form of the fault tree itself: they comprise all possible combinations of basic events of the fault tree which lead to the top event.

Figure 2: A Minimal Cut Sets Example

Notes: Both fault trees in Figure 2 are logically equivalent to each other (see the following explanation). The advantage of MCSs is that the intermediate events are cancelled out; the MCSs directly link the basic events to the top event.

The occurrence probability P(A) of the top event of the left fault tree in Figure 4 can be calculated as follows:

The fault tree has two multiple occurring events (MOEs), the event F and the event G. The cut set {FF} in the above equation implies that the cut set represents a dual point failure, where the occurrence of the events F and F leads to the top event with probability P(F)^2. However, the cut set {FF} is not a combination of two independent faults, but of the same fault. Therefore, the dual point failure {FF} is really just the single point failure F, which leads to the top event with occurrence probability P(F). The same analysis applies to the cut set {GG}, and then we can reduce as follows:
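
To make the transformation concrete, here is an added example (my own illustration, not the page's Figure 2 or any tool's code). It expands a small constructed fault tree into its cut sets, applies the two reductions discussed above (idempotence, so {FF} becomes {F}, and absorption, so a cut set containing a smaller cut set is dropped), and then computes P(A) both by the rare-event approximation and exactly. The tree, the event names and the failure probabilities are constructed; basic events are assumed independent.

```python
from itertools import combinations, product
from math import prod

# Constructed fault tree (not the page's Figure 2): ("OR"/"AND", *children),
# leaves are basic events. F is a multiple occurring event (MOE): it appears twice.
TREE = ("OR",
        "B",
        ("AND", "G", ("OR", "F", "I")),
        ("AND", "F", ("OR", "F", "I")))


def cut_sets(node):
    """Expand a gate into its cut sets (frozensets of basic events), bottom-up."""
    if isinstance(node, str):                      # basic event
        return [frozenset([node])]
    gate, *children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":                               # any input alone fires the gate
        return [cs for sets in child_sets for cs in sets]
    if gate == "AND":                              # all inputs must fire: one cut set per input
        # frozenset union applies idempotence: {F} AND {F} gives {F}, never {FF}
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate {gate!r}")


def minimal_cut_sets(tree):
    """Absorption: a cut set that contains another cut set is not minimal ({F,I} is absorbed by {F})."""
    sets = set(cut_sets(tree))
    return sorted((s for s in sets if not any(o < s for o in sets)),
                  key=lambda s: (len(s), sorted(s)))


def rare_event_probability(mcs, p):
    """First-order (rare-event) approximation: sum of the MCS probabilities."""
    return sum(prod(p[e] for e in cs) for cs in mcs)


def exact_probability(mcs, p):
    """Exact P(top) by inclusion-exclusion over the MCSs, assuming independent basic events."""
    total = 0.0
    for k in range(1, len(mcs) + 1):
        for group in combinations(mcs, k):
            events = frozenset().union(*group)     # every event of the chosen cut sets must occur
            total += (-1) ** (k + 1) * prod(p[e] for e in events)
    return total


if __name__ == "__main__":
    P = {"B": 1e-4, "F": 1e-3, "G": 1e-2, "I": 1e-2}   # constructed failure probabilities
    mcs = minimal_cut_sets(TREE)
    print("MCS:", [sorted(s) for s in mcs])             # [['B'], ['F'], ['G', 'I']]
    print("single point failures:", [sorted(s)[0] for s in mcs if len(s) == 1])
    print("P(A) approx:", rare_event_probability(mcs, P), "exact:", exact_probability(mcs, P))
```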

3. ASIL Decomposition based on the Minimal Cut Sets (MCSs)

ISO 26262 provides the ASIL decomposition method to lower the ASILs of components related to a higher-ASIL safety requirement. The method helps to reduce cost and effort during development. ASIL decomposition is achieved by redundant implementation of safety requirements by sufficiently independent architectural elements of the item. ASIL decomposition requires a safety requirement to be decomposed into two redundant safety requirements. This means that only the violation of both decomposed redundant safety requirements leads to the violation of the higher-level safety requirement. The redundant decomposed safety requirements have to be assigned to independent architectural elements of the item.

Figure 3: ASIL D Decomposition, adapted from [1]

Figure 3 shows the possible ASIL decompositions for ASIL D. ASIL D can be decomposed into one ASIL C and one ASIL A safety requirement, or into two individual ASIL B safety requirements, or into one ASIL D and one QM-rated requirement. The following table summarizes the decompositions for all ASIL levels according to ISO 26262:

Table 1: Possible ASIL Decomposition, adapted from [1]

Figure 4 shows an ASIL Decomposition example. The left side of the figure shows the system architecture of an exemplary vehicle system. In order to apply ASIL Decomposition to the safety requirements allocated to the actuator control ECU, an independent architectural element (a redundant switch) is introduced. The improved system architecture on the right allows for ASIL Decomposition between the actuator control ECU and the redundant switch.

Figure 4: An ASIL Decomposition Example

Note that ASIL decomposition can be applied to safety requirements at any level. This includes functional, technical, hardware and software safety requirements. Instead of redundant implementation by two independent architectural elements, ASIL decomposition can also be applied to a function of the item and a safety mechanism which covers that function.

ASIL allocation and decomposition are often based on fault trees and their minimal cut sets. As mentioned above, the MCSs of a fault tree represent multiple point faults of the system, where the occurrence of all events included in a cut set leads to the violation of a safety goal. MCSs with more than one event represent a redundant implementation of the safety goal, where more than one fault needs to occur in order to cause a violation of the safety goal. In particular,

  • If the events of an MCS are all independent of each other and refer to faults and failures of different components of the system, then ASIL decomposition can be applied to those components.
  • ASIL decomposition cannot be applied if the events included in the MCS refer to different fault modes of the same component, because ASIL decomposition requires independence of elements/components.

Following the above example in Figure 2, we can see that:

  • The events B and F directly lead to the top event A. The components associated with the events B and F are therefore assigned the same ASIL as the top event A (violation of a safety goal).
  • ASIL decomposition can be applied to the minimal cut sets {GF}, {GI} and {FIG}. If the top event A, which is related to the violation of a safety goal, were assigned ASIL D, for example, any of the ASIL D decomposition schemes provided by ISO 26262 (see Figure 3) could be applied to the cut sets {GF} and {GI}.
  • Because the cut set {FIG} consists of three events, the ASIL decomposition schemes given by ISO 26262 cannot be applied directly. The decomposition schemes provided by the standard only apply to MCSs comprised of two events. A different approach has to be taken in order to apply ASIL decomposition to higher-order MCSs (see the reference document [4] for more detail).
  • If the events G and F of the cut set {GF}, for example, refer to different faults, respectively fault modes, of the same component, no ASIL decomposition can be applied, because ASIL decomposition requires redundant implementation by independent elements.
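
The four rules above can be applied mechanically to each minimal cut set. The following is an added example (my own, not taken from the page or from ISO 26262 text): it encodes the decomposition schemes of ISO 26262-9 for every ASIL (the content of Table 1, written in the standard's "ASIL B(D)" notation) and decides, per cut set, whether the cut set is a single point failure, is decomposable, is blocked because its events sit on the same component, or is of higher order than the schemes cover. The cut sets, the event-to-component mapping (with a constructed event H on a constructed sensor) and the ASIL D safety goal are assumed inputs.

```python
# ASIL decomposition schemes of ISO 26262-9 clause 5 (the page's Table 1, all ASIL levels).
# A decomposed requirement carries the original ASIL in brackets, e.g. "ASIL B(D)" or "QM(D)".
SCHEMES = {
    "D": [("C", "A"), ("B", "B"), ("D", "QM")],
    "C": [("B", "A"), ("C", "QM")],
    "B": [("A", "A"), ("B", "QM")],
    "A": [("A", "QM")],
}


def _tag(asil, top_asil):
    """Format a decomposed ASIL in the standard's notation."""
    return ("QM" if asil == "QM" else f"ASIL {asil}") + f"({top_asil})"


def classify_cut_set(cut_set, component_of, top_asil):
    """Apply the decomposition rules to one minimal cut set of a safety-goal fault tree.

    component_of maps each basic event to the architectural element it belongs to (assumed input).
    Returns (kind, options); each option is a tuple of ASIL strings, one per event of the cut set.
    Which event of a pair takes which ASIL is a design choice, so options list the scheme pairs only.
    """
    events = sorted(cut_set)
    if len(events) == 1:
        # single point failure: the component inherits the ASIL of the safety goal
        return "single point", [(f"ASIL {top_asil}",)]
    components = [component_of[e] for e in events]
    if len(set(components)) < len(components):
        # different fault modes of the same element are not independent: no decomposition
        return "same component", [tuple(f"ASIL {top_asil}" for _ in events)]
    if len(events) > 2:
        # the standard's schemes only cover two redundant requirements (see [4] for higher orders)
        return "higher order", []
    return "decomposable", [tuple(_tag(a, top_asil) for a in pair) for pair in SCHEMES[top_asil]]


def allocate(mcs_list, component_of, top_asil):
    """Classify every minimal cut set; keyed by the sorted event tuple for readable output."""
    return {tuple(sorted(cs)): classify_cut_set(cs, component_of, top_asil) for cs in mcs_list}


if __name__ == "__main__":
    # Constructed example: B, F and I are fault modes of the actuator control ECU, G is a fault
    # of the redundant switch, H is a fault of a (constructed) sensor; the safety goal is ASIL D.
    COMPONENT = {"B": "actuator ECU", "F": "actuator ECU", "I": "actuator ECU",
                 "G": "redundant switch", "H": "sensor"}
    MCS = [{"B"}, {"G", "F"}, {"F", "I"}, {"G", "I", "H"}]
    for events, (kind, options) in allocate(MCS, COMPONENT, "D").items():
        print(events, kind, options)
```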

In fact, the fault trees of E/E vehicle systems tend to be very large. This results in a vast number of minimal cut sets, and ASIL allocation and decomposition based on these cut sets has a huge number of possible solutions. For bigger systems, ASIL allocation and decomposition therefore becomes an optimization problem: the goal is to satisfy the safety requirements and safety goals with their respective ASILs while minimizing development cost and effort.

In summary, in this article I have shared my deeper study of FT, FTA, MCS, and the benefits of MCSs in ASIL Decomposition. Both FTA and MCSs enhance the understanding, analysis, and management of risks in safety-critical systems, making them indispensable in achieving and maintaining functional safety in automotive and other industries governed by ASIL standards.

PS: Hoping to receive your comments or knowledge sharing about this topic as usual. (^_^)


Reference:

[1] ISO 26262:2018, Parts 2, 3, 4, 5, 6 and 9.

[2] Marco Bozzano (2011). Design and Safety Assessment of Critical Systems.

[3] Clemens Schmid. Safety Consideration of Vehicle Dynamics Control System.

[4] R. Mader, E. Armengaud, A. Leitner, and C. Steger. Automatic and Optimal Allocation of Safety Integrity Levels. Proceedings of the Annual Reliability and Maintainability Symposium, 2012.

[5] Y. Gheraibia, S. Kabir, K. Djafri, and H. Krimou. An Overview of the Approaches for Automotive Safety Integrity Levels Allocation. Technical report, Springer, 2018.
