In part 1 of this 3-part series, we discussed the fact that at the concept level only a portion of the Fault Tolerant Time Interval (FTTI) can be estimated. If we work with the assumption that the Hazard Manifestation Time (HMT) is a reasonable approximation to the FTTI then we can examine the safety system design considerations.

Considering that FTTI represents the design constraint, it is useful to establish terminology that captures what is actually achieved by an implemented design. These terms are conveniently provided by ISO 26262 [1] as follows:

  • Fault Handling Time Interval (FHTI) – ISO 26262-1:2018, 3.56 [1]: sum of fault detection time interval and the fault reaction time interval

Whereas, the Fault Detection Time Interval (FDTI) and Fault Reaction Time Interval are defined as:

  • Fault Detection Time Interval (FDTI) – ISO 26262-1:2018, 3.55 [1]: Time-span from the occurrence of a fault to its detection
  • Fault Reaction Time Interval (FRTI) – ISO 26262-1:2018, 3.59 [1]: Time-span from the detection of a fault to reaching a safe state or to reaching emergency operation.

These intervals are shown visually in figure 3 below:

Figure 3: Illustration of FDTI and FHTI

For the purposes of this article, the term of importance is the Fault Handling Time Interval, which can be summarized as the time period starting with the occurrence of the fault to the successful execution of the Safety Mechanism. With regards to the usage of FHTI as a term, it is used to describe both the timing of the designed Safety Mechanism and the actual achieved value that is recorded at the time of testing (what the implemented design has achieved).

Considering these definitions together, it is possible to establish a few simple mathematical guiding principles between them. These principles are as follows:

FTTI = MBMT + HMT                              (Equation 1)

FHTI = FDTI + FRTI                                 (Equation 2)

FHTI <= FTTI                                           (Equation 3)

Equation 1 establishes the relationship between FTTI and its component intervals, whereas equation 2 does the same for FHTI. Equation 3 serves as the guiding principle when developing a safety system.

If equation 3 is violated by either the requirement specification or the implemented design, it would not be appropriate to claim safety coverage over the failures that the Safety Mechanism would be responsible for. This would impact the calculation of the metrics required by ISO 26262-5 [1] (Single Point Fault Metric and PMHF). It is important to note that the Malfunctioning Behavior Manifestation Time (MBMT) and FDTI are not equivalent. Additionally, the HMT and FRTI are also not equivalent.

It is easy to confuse these groups of terms since they tend to overlap each other. Keeping in mind that the FTTI is the constraint, and the FHTI is timing achieved by the implementation helps avoid this confusion. In a future post we will talk about establishing estimates of the FTTI interval at the Concept Level and a framework for accommodating the FTTI constraint throughout the safety-lifecycle.