[Author]
Renhong WENG, safety and security investigator
First: Analysis of the EEC methodology in ISO 26262 ED2
Take the SPFM target as an example:
Second: EEC in ISO 26262ED2
EEC (Evaluation of Each Cause of safety goal violation) is one of the methods for evaluating the random hardware failure rate with respect to violation of a safety goal.
The EEC process is as follows:
EEC directly checks whether the failure rate class has been met as defined in the ISO 26262 ED2-5 tables listed below; only then can further confirmation be made:
1. Single point fault
See Table 7:
From the above, we take the following assumptions:
3. Dual point fault
For the dual-point process, listed as follows:
And for the ASIL level of the safety goal, the dual-point failure rate class and the coverage of the hardware part:
Third: why EEC exists and how to regard this topic
Most of us are familiar with PMHF, and we know that using FTA we can derive the FIT value of top events, so why does EEC exist?
The following reasons contribute to EEC:
1. For innovative technologies or black-box hardware parts, we are not familiar with their mission profile and cannot obtain a detailed failure rate value; or, in a reliability study, only a comparable (relative) failure value is available, not an absolute failure value.
2. The FMEA O (occurrence) value is defined so that it can potentially be matched with the failure rate class:
(1) When in Single point fault
| ASIL | Failure rate class minimum level | Failure rate class maximum level | FMEA minimum requirements |
|---|---|---|---|
| D | 1+dedicated measure in | | O=1 D>=7 |
| C | 2+dedicated measure | 1 | O=2 D>=7 |
| B | 2 | 1 | O=2 |
(2) Single-point fault with safety mechanism diagnostic coverage
Here the safety mechanism DC is taken as the confidence value (conf); from it we get the following calculation.
And here:
when conf >= 99.9%, the failure risk is lowered by 3 levels
when conf >= 99%, the failure risk is lowered by 2 levels
when conf >= 90%, the failure risk is lowered by 1 level
| ASIL | Conf>=99.9% | Conf>=99% | Conf>=90% | Conf<90% |
|---|---|---|---|---|
| D | 1+3 | 1+2 | 1+1 | 1 |
| C | 2+3 | 2+2 | 1+2 | 2 |
| B | 2+3 | 2+2 | 1+2 | 2 |
(3) Dual-point analysis
A dual-point fault is similar to a single fault covered by safety mechanisms; you can treat them as roughly the same, which means the failure risk level is likewise raised by 1. However, we do not take ASIL B into consideration for dual-point faults.
| ASIL | Failure rate class minimum level | Failure rate class maximum level | FMEA minimum requirements |
|---|---|---|---|
| D | 1+1+dedicated measure in | | O=2 D>=5 |
| C | 2+1+dedicated measure | 1+1 | O=3 D>=5 |
| B | 2+1 | 1+1 | O=3 |
when conf >= 99%, the failure risk is lowered by 2 levels
when conf >= 90%, the failure risk is lowered by 1 level
| ASIL | Conf>=99% | Conf>=90% | Conf<90% |
|---|---|---|---|
| D | 2+2 | 2+1 | 2 |
| C | 3+2 | 3+1 | 3 |
| B | 3+2 | 3+1 | 3 |
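To make the single-point rule in (2) and the dual-point rule in (3) concrete, the following added example (my own code, not part of the original post or of ISO 26262) derives the failure rate class a hardware part must meet from its ASIL, its DC value and the fault type. It assumes that the "+" in the tables adds levels (so "1+3" is read as class 4) and that a larger class number means a larger permitted failure rate, so a part passes the EEC check when its class number is no larger than the required one.

```python
# Added example, not from the original post: EEC failure rate class derivation
# using the page's "base + N" notation.
# Assumptions: "+" adds levels ("1+3" -> class 4); a larger class number means a
# larger permitted failure rate, so a part passes when its class number is no
# larger than the required class.

# Minimum failure rate class per ASIL (single-point column of the page's table).
SINGLE_POINT_BASE = {"D": 1, "C": 2, "B": 2}
# Dual-point: one level more than single-point, as the page states.
DUAL_POINT_BASE = {asil: c + 1 for asil, c in SINGLE_POINT_BASE.items()}


def dc_relief(conf: float, dual_point: bool) -> int:
    """Levels by which the failure risk is lowered for a diagnostic coverage
    `conf` given in percent. The 99.9 % step exists only for single-point."""
    if not dual_point and conf >= 99.9:
        return 3
    if conf >= 99.0:
        return 2
    if conf >= 90.0:
        return 1
    return 0


def required_class(asil: str, conf: float, dual_point: bool = False) -> int:
    """Failure rate class the part must reach: base class + DC relief."""
    base = (DUAL_POINT_BASE if dual_point else SINGLE_POINT_BASE)[asil.upper()]
    return base + dc_relief(conf, dual_point)


def meets_target(part_class: int, asil: str, conf: float,
                 dual_point: bool = False) -> bool:
    """EEC check: the part's failure rate class must not exceed the required one."""
    return part_class <= required_class(asil, conf, dual_point)


def build_table(dual_point: bool) -> dict:
    """Rebuild the page's conf tables as {ASIL: {conf: required class}}."""
    confs = (99.9, 99.0, 90.0, 0.0)
    return {a: {c: required_class(a, c, dual_point) for c in confs}
            for a in ("D", "C", "B")}


if __name__ == "__main__":
    for dp in (False, True):
        print("dual-point" if dp else "single-point", build_table(dp))
    # Constructed example: ASIL C part, 95 % DC, measured failure rate class 3.
    print(meets_target(3, "C", 95.0))  # True
```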
[REF]
ISO 26262 ED2-5