For newcomers to functional safety, it isn’t always obvious that the ISO 26262 standard is built around safety, not reliability.

One can argue that safety is something needed to satisfy the customer. Notwithstanding, so is comfort, reliability, performance, etc. These latter attributes take focus away from the goal of the ISO 26262 standard, which is centered on the safety of humans.

Failure Mode and Effects Analyses (FMEAs) have been used in automotive since the late 1960’s to identify failures and evaluate the effects and causes. The SAE J1739 standard helps define and harmonize the traditional automotive FMEA. However, the focus is aimed towards efforts “to satisfy the customer”.

One attribute of the traditional automotive FMEA is the Risk Priority Number (RPN). The RPN is the product of the severity, occurrence, and detection ranking. For example, a resistor failing open doesn’t lend itself to causing some severity. It takes a resistor, inside of a component that is part of a system installed on a vehicle, that can cause a concern of severity. Note that there are no RPN values shown in the safety FMEA. These yield limited support in reducing the risk to harm. Even the authors of the SAE J1739 have recognized the limitations to the RPN numbers:

“The FMEA methodology has proven itself useful in the prevention and mitigation of potential failure modes. However, a growing need developed for improved failure mode ranking criteria and a change in thinking about the use of the Risk Priority Number”RPN

The ISO 26262 standard evaluates this risk to severity at the vehicle level using a tool called the Hazard Analysis and Risk Assessment (HARA). So the question of severity is in the wrong place when put inside of the FMEA. Occurrence is also handled differently in the ISO 26262 standard by means of a quantitative analysis, instead of the qualitative FMEA.

One question that first needs to be asked and understood is whether the signal, component, etc., is safety related. To answer that, we need to understand what higher level failures add risk to human lives. The output of the HARA, and refinement to lower level safety requirements aids in identifying what is safety related and what is not. Secondly, it is important to understand if the particular failure can directly cause a safety concern, thus a single-point or dual-point fault. Around these faults, we need to identify measures to prevent the fault from manifesting into a failure which could cause harm to humans. The below modification of the FMEA is an example of a safety FMEA we use at kVA in compliance to the ISO 26262 standard.

Safety FEMA Chart

Leave a Reply.

  1. Crisostomo Mancini Martins comments on The Safety FMEA
    Crisostomo Mancini Martins

    Hi Jody,

    I saw this article during our conference call (Thursday Aug 16th).
    As mentioned during my introduction, there is some interesting and challenging aspects of communizing the SRC (Safety Related Characteristics) in the DFMEA process and ISO 26262 methodology. Moreover, you may have some experience of deploying ISO 26262 for “Non-Electrical” systems”.
    Please contact me, thus we would progress and develop some tasks on all this.
    Best regards,