As described in “Determining Diagnostic Coverage”, ISO 26262 provides estimates of Diagnostic Coverage (DC) to be used for various safety mechanisms during quantitative analysis.
But what do we do when there are multiple safety mechanisms applicable simultaneously to cover against a single failure mode? How is Diagnostic Coverage estimated in such a real-world scenario?
ISO 26262 provides a “starting point” for estimating the DC values of a safety mechanism based on their applicability to a system. In cases where multiple safety mechanisms cover a single fault mode, we need to provide sufficient rationale while evaluating the effective coverage of all the diagnostics acting in tandem to detect that specific fault. Following are some of the methods that can be used to estimate effective diagnostic coverage provided we have sufficient evidence to support our claim.
Let us assume we have 3 safety mechanisms SM1 (with DC1 = 90%), SM2 (DC2 = 60%), and SM3 (DC3 = 50%) applicable to a failure mode (10 FIT). We could then employ one of several methods:
The Lower Bound Approach.
- Equivalent DC = DC of the most effective safety mechanism (SM1)
- This is the most conservative approach, as less effective safety mechanisms are not considered
Upper Bound Approach
- Every safety mechanism applicable covers independent parts of the fault. For example, SM1 detects 90% of the failure mode, SM2 detects 60% of the remaining faults after SM1, and SM3 detects 50% of the faults remaining after SM1 and SM2
- This is the most non-conservative approach
Averaged DC Approach
- Equivalent DC = DC of the independent SM + average of other safety mechanisms (assuming it independence from SM1)
- This estimate considers that a small portion of the failures detected are common between safety mechanisms (SM2 & SM3)
Normalized DC Approach
- Lower bound is defined by the most effective safety mechanism – SM1 (90%)
- Effective DC of the remaining safety mechanisms is calculated assuming the worst-case scenario (0% DC) for the lower bounded safety mechanism
- This approach is the most suitable, as it combines the positives of all the above approach and provides a reasonable estimate which is not too conservative nor overly permissive
Actual DC Approach
- In an ideal scenario each safety mechanism would be studied in detail along with their applicability to various failure modes. The same safety mechanism applicable to different failure modes may have different effectiveness
- One way to evaluate this would be to perform fault injection testing and observe the reactions of the safety mechanisms and then define their effectiveness
- This may be a very tedious approach and may be considered impractical to be executed within the timescale of a normal project