There’s a difference between the Fault Tolerant Time Interval (FTTI) and the Fault Reaction Time Interval (FRTI). One should fit within the other. But for some reason there seems to be a lot of confusion amongst the functional safety community about how to define each term.

So what does the ISO 26262 standard say? Part 1, 1.44 defines FRTI as, “time-span from the detection of a fault (1.42) to reaching the safe state (1.102)”. Part 1, 1.45 defines FTTI as, “time-span in which a fault (1.42) or faults can be present in a system (1.129) before a hazardous (1.57) event occurs”. Figure 4 below shows that timing for both the FTTI and FRTI begin when the fault occurs.

Fault Tree Chart

The Fault Tolerant Time Interval should be determined for each safety goal. The FTTI is simply the time that a fault can be present in a system before a hazard occurs. Therefore the FTTI represents a total target time the system needs to meet in order to transition to a safe state. The system, whenever possible, needs to switch to a safe state within the FTTI.

In contrast to the FTTI, the FRTI is determined by the item’s time to achieve a safe state. FRTI begins once a fault has been detected. Note that the standard only shows the time when a fault is detected, and does not include “maturation timing” of a fault. There may be cases where getting to a safe state will occur prior to maturing of a fault. However, if notification of the driver is part of the safety mechanism for the safety goal, the fault maturation will need to be included in the FRTI.

To ensure safety of a system the time from the detection of a fault plus the time for the system to achieve a safe state shall be less than the FTTI for the safety goal. This idea can be illustrated in the following equation:

FTTI > Diagnostic Test Interval (DTI) + Fault Reaction Time Interval (FRTI)

When analyzing the FTTI of a system, all the propagation delays of all the sub-systems will need to be summed. Knowing the DTI and FRTI of each sub-system will help confirm that the safe state can be reached by the FTTI period. If the FRTI of a parent system is known, then the allocation of the remaining FTTI can be distributed to the children sub-systems. It is good practice to reduce the remaining FTTI by some margin of time to allow for dependent time delays between the children sub-systems or between the child and parent systems.

Leave a Reply.

  1. David Jennings CENG MIET comments on How can we specify safety-critical time intervals?
    David Jennings CENG MIET

    What if there is no failure? E.g. German (commercial) pilot, trained to obey Air Traffic Control (over any instruments), a Russian pilot trained to follow instrument (even if counter ATC instruction). Two cargo planes on a collision course; Ger told to increase altitude by ATC but on-board anti-collision, say decrease – pilot follows ATC. Russian told to decrease by ATC but follows on-board anti-collision and increases altitude – result real accident! No global standard possible either!

    • Doug Barnes comments on How can we specify safety-critical time intervals?
      Doug Barnes

      You’re right, there’s no provision in ISO26262 or in the definitions of FTTI that would prevent a tragedy like this. According to the scope of the standard, the failures described in this scenario are out-of-scoop for ISO 26262. The standard’s states: “ISO 26262 addresses possible hazards caused by malfunctioning behavior of E/E safety-related systems” in series production passenger cars <= 3500kg.
      What you are mentioning is in part Safety of the Intended Function (SOTIF), systematic failures, and possible human errors. The SOTIF part would be the assurance that the instruments were giving the correct guidance. Systematic failures could be: 1) failure to follow the rules of the controlled airspace; 2) incorrect instructions were given to the pilot(s); and/or 3) the ATC not following the same guidelines by which the instruments were designed. Of course, this last possibility could potentially be human error. Although the current ISO 26262 edition does not address SOTIF, future releases are planned to include it.
      What the blog addresses, however, is the timing from when a malfunctioning behavior of an E/E safety-related system occurs to the time when harm (injury of a person or persons) could happen.

      Moderator Reply