The “ISO 26262 Road vehicles – Functional safety” specification defines the concepts of “Independence”, “Interference” and other terms which can be a little confusing. This discussion will try to make the concepts clearer.
Independence
Let’s talk about “Independence” and associated concepts first. “Independence” is a concept used within Dependent Failure Analysis (DFA) (ISO 26262-9:2011 Clause 7) or Automobile Safety Integrity Level (ASIL) (ISO 26262-1:2011 1.6) decomposition. DFA is a method to determine if violation of a safety goal occurs between elements that should have “Independence” with respect to a single event/cause. The DFA method is not considered further in this discussion.
The definitions used are the ones from ISO 26262-1:2011. Some of the confusion occurs because people use a common definition of a term instead of the official ones in ISO 26262-1:2011. The section of ISO 26262-1:2011 that has the definition will be noted as “(1.x)” where 1.x is the section that has the definition e.g. “Element” is defined in (1.31). This discussion will try to build up to the concept of “Independence” from the basic definition building blocks.
An “Element” is a system or part of a system e.g. components, hardware, software, etc. (1.31). A “Fault” is an abnormal condition that causes an element to fail (1.42). A “Failure” means an element is no longer able to perform a specific function as required (1.39). If we combine these terms, we can create a diagram showing the relationships:
You can note that this is a general definition of failure of an element. So, if we had an element, e.g. software component, that calculated the speed of the vehicle then if some fault such as unhandled overflow caused invalid speed to be output from the element this would be failure of the element to perform its intended function which is correct speed calculation. Note that there is no mention of any safety goal violations; this is just a general concept for any part of the system.
There are two basic ways in which failures can be combined namely parallel or sequential and this leads to the concepts of Common Cause Failures or Cascading Failures.
A “Common Cause Failure” (CCF) (1.14) is a failure due to a single specific event (aka root cause) that causes multiple elements to fail. The event triggers a fault in multiple elements and the event can be internal or external to the elements. Note that CCF says nothing about safety goal violations. We can diagram the concept of CCF as follows:
A “Cascading Failure” (CF) (1.13) is a failure that causes an element to fail which in turn causes another element to fail. Note that this says nothing about safety goals violations. Our diagram looks like this:
The term “Dependent Failure” (1.22) is “a failure whose simultaneous or successive occurrence cannot be expressed as the simple product of the unconditional probabilities of each of them”. [JD1] The definition for CF (1.33) Note 1 states that CFs are dependent failures that are not CCFs meaning dependent failures are CFs or CCFs and there are no other types of dependent failures. We see this in the diagram below.
Now we get to the term “Freedom From Interference” (FFI) that seems to cause more confusion then the others described so far. It is important to not think in common usage terms here. “Freedom From Interference” (1.49) is a term indicating there is NOT a Cascading Failure between elements which leads to a violation of safety goals. Here is the first mention of violation of safety goals. Note that it also only considers CFs; CCFs have no bearing on FFI. FFI is an attribute between two or more elements which is either True or False. Now, it is important to note that there is no mention of ASIL! This, again, causes some confusion with the term “Interference” used in 26262-9:2011 section 6.2, which does consider ASIL, that will be talked about later. So, to reiterate, FFI has nothing to do with ASILs especially interactions between lower ASIL elements and higher ASIL elements.
Now we get to the term used in the DFA namely “Independence” (1.61) which is the absence of any dependent failures, i.e. CFs or CCFs, leading to a violation of safety goals. Note that “Independence” includes the ideas of CFs, CCFs, and safety goal violations. Consider two or more elements: Dependent failures are made up of CFs and CCFs. CFs either do or do not lead to a safety goal violation. CCFs either do or do not lead to a safety goal violation. Independence occurs only if all CFs and CCFs do not lead to a safety goal violation. Let us try to diagram this idea in Figure 4:
Notice that “Freedom From Interference” is the path where there are no CFs between the elements that violate a safety goal however there may be CFs that do NOT violate any safety goals. So, the answer to the question “Can there be CFs between elements that have FFI?” is “Yes” because the CFs do not cause any safety goal violations.
Using the definitions and our diagram we can create an algorithm to determine if elements are independent. Flowcharting the algorithm might look something like Figure 5:
Now we have a way to determine if our ASIL decomposition has sufficient independence as described in 26262-9:2011 for ASIL decomposition or when doing a DFA.
Interference
Let’s discuss the word “Interference” as used in 26262-9:2011 Section 6.2:
“Interference is the presence of cascading failures from a sub-element with no ASIL assigned, or a lower ASIL assigned, to a sub-element with a higher ASIL assigned leading to the violation of a safety requirement of the element”
You will note that “Interference” is not formally defined in 26262-1:2011. Confusion sets in when thinking that “Freedom From Interference” is the lack of “Interference” however this is not the case. The reason being that “Freedom From Interference” does not consider ASIL while “Interference” does consider ASIL. Be sure to keep the distinction clear. Perhaps a better term for “Interference” used in Section 6.2 would be “ASIL Up Level Interference”. If there are two same ASIL level elements A and B there cannot be “Interference” between A and B but there could be a lack of “Freedom From Interference” between A and B. Some examples of the answers to FFI and/or Interference are in Figure 6:
Element E is made up of sub-elements E1-E5 with given ASIL levels
Event causes Cascading Failure (CF) Safety Goal Violation (SGV)
Hopefully this discussion has cleared up the concept of “Independence” and “Interference” among other terms and has given you a way to determine “Independence”.
Related Items
- exida Automotive ISO 26262 Certification
- ISO 26262 Road Vehicles Functional Safety - Hardware Development and Analyses Course
- ISO 26262 Road Vehicles Functional Safety - Product Development at the Software Level Course
Tagged as: Jeff Davis ISO 26262 Dependent Failure Analysis Automotive