One area that is important to all aspects of the Functional Safety design effort is how much time is available to recognize that something has failed, and then to take action to prevent a hazard from occurring. As engineers we are known to accidentally overwork systems in the pursuit of completing a task as quickly as possible to stay on the cutting edge of innovation, but there are some drawbacks.
This challenge is recognized in the ISO 26262 Road Vehicle – Functional Safety Standard [1]. This period of time is referred to as the Fault Tolerant Time Interval (FTTI). However, the standard does not provide much guidance on integrating this time constraint into the Functional Safety development process. What this series of articles endeavors to do is provide the practicing Functional Safety Engineer with some design step guidance.
To begin, consider the ISO 26262 [1] definition for FTTI:
Fault Tolerant Time Interval (FTTI) – ISO 26262-1:2018, 3.61 [1]: minimum timespan from the occurrence of a fault in an item to a possible occurrence of a hazardous event, if the safety mechanisms are not activated.
A careful reading of this definition indicates that the FTTI is a constraint upon the system. The Safety Mechanism must achieve safe operation of the vehicle within this period of time in order to be successful. That being the case, it is important to assess the meaning of the “minimum time span from the occurrence of a fault in an item to a possible occurrence of a hazardous event”. A further examination of this time period in Figure 1 below reveals that the FTTI can be further decomposed into two distinct segments:
- The period of time from the occurrence of a fault to the manifestation of a Malfunctioning Behavior at the vehicle level
- The period of time from the manifestation of a Malfunctioning Behavior to the occurrence of hazard/violation of a Safety Goal
Figure 1: Fault Tolerant Time Interval
To help further our understanding of these different periods, the following definitions have been introduced to account for these subintervals:
Malfunctioning Behavior Manifestation Time (MBMT): The minimum time span from the occurrence of the fault to the manifestation of the Malfunctioning Behavior at the vehicle level.
Hazard Manifestation Time (HMT): The minimum time span from the onset of the Malfunctioning Behavior to the violation of the Safety Goal.
These time intervals are illustrated in Figure 2 below.
Figure 2: MBMT and HMT
From the definition of FTTI provided by ISO 26262 [1], it is clear that the numerical value of the FTTI must be assessed without considering any Safety Mechanism. However, when the MBMT and HMT are considered as separate subintervals of the FTTI, it is apparent that the FTTI depends on the design of the system itself. This time dependency is represented by the MBMT, since the time it takes for a failure to manifest itself on a vehicle level is entirely dependent upon how the failing component is used in the system. For example, if input information is measured in one element of the system and sent over a communication network there is a delay of X time units and if the implementation is such that this input information is routed through a gateway module into a second communication network there would be a delay of Y units. This design dependency is contrasted by the HMT, which does not depend on the system design at all, but instead is influenced entirely by the operational scenario and the Malfunctioning Behavior being considered.
As a result, only the HMT can be assessed at a concept level, when an implementation has not yet been determined or specified. In general, it is the occurrence of the Malfunctioning Behavior which we use in the HARA to identify the relevant hazard that is considered along with the operational scenario in classifying hazardous events and determining ASIL’s and Safety Goals. Thus, the HMT forms the constraint that the system imposes on the design. In part 2 of this series, we will discuss the design considerations for the safety system.
