As described in “Determining Diagnostic Coverage”, ISO 26262 provides estimates of Diagnostic Coverage (DC) to be used for various safety mechanisms during quantitative analysis.

But what do we do when there are multiple safety mechanisms applicable simultaneously to cover against a single failure mode? How is Diagnostic Coverage estimated in such a real-world scenario?

ISO 26262 provides a “starting point” for estimating the DC value of a safety mechanism based on its applicability to a system. In cases where multiple safety mechanisms cover a single fault mode, we need to provide sufficient rationale when evaluating the effective coverage of all the diagnostics acting in tandem to detect that specific fault. The following are some of the methods that can be used to estimate effective diagnostic coverage, provided we have sufficient evidence to support our claim.

Let us assume we have 3 safety mechanisms SM1 (with DC1 = 90%), SM2 (DC2 = 60%), and SM3 (DC3 = 50%) applicable to a failure mode with a failure rate of 10 FIT. We could then employ one of several methods:

Method A: Lower Bound Approach

[Figure: Determining Diagnostic Coverage, Method A]
  • Equivalent DC = DC of the most effective safety mechanism (SM1)
  • This is the most conservative approach, as the less effective safety mechanisms are not credited at all

Method B: Upper Bound Approach

[Figure: Determining Diagnostic Coverage, Method B]
  • Every applicable safety mechanism is assumed to cover an independent part of the failure mode. For example, SM1 detects 90% of the failure mode, SM2 detects 60% of the faults remaining after SM1, and SM3 detects 50% of the faults remaining after SM1 and SM2 (so the undetected fraction is the product of the individual undetected fractions)
  • This is the least conservative (most optimistic) approach

Method C: Averaged DC Approach

[Figure: Determining Diagnostic Coverage, Method C]
  • Equivalent DC = DC of the independent (most effective) safety mechanism + average DC of the other safety mechanisms (assuming they are independent of SM1)
  • This estimate accounts for a small portion of the detected failures being common to the other safety mechanisms (SM2 and SM3)

Method D: Normalized DC Approach

[Figure: Determining Diagnostic Coverage, Method D]
  • The lower bound is defined by the most effective safety mechanism, SM1 (90%)
  • The effective DC of the remaining safety mechanisms is calculated assuming the worst-case scenario (0% DC) for the lower-bounded safety mechanism
  • This approach is the most suitable, as it combines the strengths of all the approaches above and provides a reasonable estimate that is neither too conservative nor overly permissive

Method E: Actual DC Approach

  • In an ideal scenario, each safety mechanism would be studied in detail along with its applicability to the various failure modes. The same safety mechanism applied to different failure modes may have a different effectiveness for each
  • One way to evaluate this would be to perform fault injection testing, observe the reactions of the safety mechanisms, and then define their effectiveness from the observed results
  • This is a very tedious approach and may be considered impractical to execute within the timescale of a normal project
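As an added worked example (not code from the original article or from ISO 26262), the script below carries the article's figures (DC1 = 90%, DC2 = 60%, DC3 = 50%, failure mode of 10 FIT) through Methods A, B and C and reports the equivalent DC together with the residual undetected failure rate that would feed the quantitative metrics. Two things are assumptions of this example rather than statements of the page: Method C is read as applying the average DC of the other mechanisms only to the faults SM1 misses (DC1 + (1 - DC1) x mean(DC2, DC3)), since adding the percentages directly would exceed 100%; and Method D is not computed because the page does not spell out its normalization rule. The function names are the example's own.

```python
"""Combining the Diagnostic Coverage (DC) of several safety mechanisms.

Illustrative example only; the numbers are the article's, the formulas for
Methods A and B follow its description, and the Method C formula is this
example's interpretation (see the module docstring assumptions below).

Assumptions:
  * DC values are fractions in [0, 1] (90% -> 0.90).
  * Method C: DC_best + (1 - DC_best) * mean(other DCs).
  * Method D is not implemented; its normalization rule is not given.
"""
from statistics import mean
from typing import Dict, Sequence, Tuple

FAILURE_RATE_FIT = 10.0           # failure mode from the article: 10 FIT
DC_VALUES = (0.90, 0.60, 0.50)    # SM1, SM2, SM3 from the article


def _check(dcs: Sequence[float]) -> None:
    """Reject empty inputs and DC values outside the valid range."""
    if not dcs:
        raise ValueError("at least one safety mechanism is required")
    for dc in dcs:
        if not 0.0 <= dc <= 1.0:
            raise ValueError(f"DC must be a fraction in [0, 1], got {dc}")


def method_a_lower_bound(dcs: Sequence[float]) -> float:
    """Method A: only the most effective mechanism is credited."""
    _check(dcs)
    return max(dcs)


def method_b_upper_bound(dcs: Sequence[float]) -> float:
    """Method B: each mechanism independently detects its share of whatever
    the previous ones missed, so the undetected fractions multiply."""
    _check(dcs)
    undetected = 1.0
    for dc in dcs:
        undetected *= (1.0 - dc)
    return 1.0 - undetected


def method_c_averaged(dcs: Sequence[float]) -> float:
    """Method C (this example's reading): the most effective mechanism at full
    value, plus the averaged DC of the others credited only against the faults
    the first one misses, to allow for overlap between the others."""
    _check(dcs)
    ordered = sorted(dcs, reverse=True)
    best, others = ordered[0], ordered[1:]
    if not others:
        return best
    return best + (1.0 - best) * mean(others)


def residual_fit(failure_rate_fit: float, dc: float) -> float:
    """Undetected (residual) failure rate left after the diagnostics."""
    return failure_rate_fit * (1.0 - dc)


def compare(dcs: Sequence[float] = DC_VALUES,
            failure_rate_fit: float = FAILURE_RATE_FIT
            ) -> Dict[str, Tuple[float, float]]:
    """Equivalent DC and residual FIT for Methods A, B and C, rounded to 4 dp."""
    results: Dict[str, Tuple[float, float]] = {}
    for name, fn in (("A lower bound", method_a_lower_bound),
                     ("B upper bound", method_b_upper_bound),
                     ("C averaged", method_c_averaged)):
        dc = fn(dcs)
        results[name] = (round(dc, 4), round(residual_fit(failure_rate_fit, dc), 4))
    return results


if __name__ == "__main__":
    for name, (dc, fit) in compare().items():
        print(f"Method {name:14s} DC = {dc:6.2%}  residual = {fit:.2f} FIT")
```

Running it shows the spread the article is warning about: Method A leaves 1.0 FIT undetected, Method B only 0.2 FIT, and the averaged Method C sits between them at 0.45 FIT, so the choice of combination method changes the residual failure rate by a factor of five for the same three mechanisms.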
