Transcript (auto-generated)
Jody Nelson SRES Shorts. This short is going to be a little bit longer than our typical two-minute short, but it's a very important topic and a little bit complex. I want to talk about the PMHF formulas that are presented in the ISO 26262 standard. We use this formula when we conduct the FMEDA to meet our target values.
As we get into the higher ASIL levels, we’ll have target values we need to meet as hardware developers. In Part 5 of the standard, Annex F, we have an approximation of the PMHF, which is the summation of the single point faults, plus the residual faults, plus this expression, which includes dual point faults detected and dual point faults latent.
Well, many times, these are very small numbers. So, this is generally very small, and we can approximate as zero. When we do that, then this expression boils down to just the summation of the single point fault plus the residual fault. Now, I do want to note, it’s very important, that the only true calculation of PMHF is through the quantified fault tree.
So this is for support with the FMEDA. Now, in some cases, the dual point fault is not that small, and we need a bigger expression. So the standard does provide, in the informative Part 10, in Clause 8, this expanded expression. And what we see here, it starts out with a summation of the single point fault plus residual fault that we had before, but now we break down what it means with the dual point faults.
So we have a risk for us in the dual point fault, and our risk is when the intended function fails and our safety mechanism fails. So we have to break this out into the different sections of the risk with the latent aspects of the safety mechanism, the detected aspects of the safety mechanism, and likewise for the intended function.
So in this first expression, we see that the latent portion of the safety mechanism is a risk to us during the entire life of the vehicle, because it's latent. We don't know what's there. We approximate this as 10,000 hours, for example. Now, the second portion is our risk of the safety mechanism, which is detected.
That means we've detected it and we inform the driver. So now we're only at risk until the vehicle gets serviced. It could be 20 hours, 40 hours, 60 hours, whatever your calculation is. Here, I just assume 20 hours for the service. Likewise, we then have to look at the risk of the intended function during the lifetime of the vehicle.
So that's the dual point fault, latent, there. Also, then, the dual point fault, detected, and again it's detected, so it's a risk until we can get it serviced. Well, if we try to calculate this expression, we run into some issues. So first of all, I want to show that when we add single point fault plus residual fault, the beginning of this expression, we have failures per hour plus failures per hour.
And this is fine. We can do this. And that's the actual unit we want. Our PMHF is a failures per hour unit. However, if we look at these other expressions, we have failures per hour times failures per hour times hours, which gives failures squared per hour. Now, this doesn't make mathematical sense. This isn't really addressed in the standard.
However, if you perform quantitative fault tree analysis, you understand how you need to do this calculation. So if we pull just that first portion of the expression into a small fault tree, and I just put some failure rate values in there: 10 to the minus 7 for the dual point fault of the intended function, and 10 to the minus 6 for the dual point fault of the safety mechanism, latent.
And if we assume these are independent of each other, then we can just multiply them. Well, as I just mentioned, we can't multiply these values, because we can't multiply FITs, and we can't multiply failures per hour. So what we need to do, and this is the key point, is we need to first convert it to a probability.
Now, if you go into probability math, and we assume that lambda times the time is very small, then our expression for probability is just equal to lambda times time. And this is where probability is a unitless value. So if I take that and convert my last expression into probabilities, then the probability of the dual point fault of the intended function is 0.001, again unitless, and then the dual point fault of the safety mechanism, latent, is 0.01.
We multiply those, we get the expression at the top, and now I need to convert it back into lambda. So to do that, I take that probability divided by the time. In this case, the time is the lifetime, which is 10,000 hours.
So this becomes lambda of 10 to the minus 9 failures per hour, which is one FIT.
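The conversion the speaker walks through, worked in code as an added example (it is not part of the transcript and does not reproduce the text of ISO 26262). It assumes the values quoted in the video: 10^-7 failures per hour for the intended-function dual point fault, 10^-6 failures per hour for the latent safety-mechanism dual point fault, a 10,000-hour lifetime and a 20-hour service interval. The `pmhf_expanded` helper simply sums SPF, RF and a list of dual-point terms paired the way the speaker describes (lifetime exposure for latent faults, service interval for detected ones); the exact grouping of terms in ISO 26262-10 Clause 8 is not reproduced here. It also checks how far the lambda-times-time approximation is from 1 - exp(-lambda t) at the values used.

```python
"""Unit-consistent evaluation of a dual-point-fault term of the PMHF.

Added example, not code from the video or from the ISO 26262 standard.
Failure rates are in failures per hour; 1 FIT = 1e-9 failures per hour.
Sample values are the ones quoted in the transcript (constructed input).
"""
import math

FIT = 1e-9  # failures per hour

# Values quoted in the transcript (assumed sample input for this example)
LIFETIME_H = 10_000.0        # exposure window for latent faults
SERVICE_H = 20.0             # exposure window for detected faults
LAM_IF_DPF = 1e-7            # intended-function dual point fault, /h
LAM_SM_DPF_LATENT = 1e-6     # safety-mechanism dual point fault, latent, /h


def rate_to_probability(lam, hours, exact=False):
    """Failure probability over an exposure time.

    With lam*hours << 1 the exponential model 1-exp(-lam*t) collapses to
    lam*hours, which is the unitless quantity the transcript uses.
    exact=True keeps the exponential form so the approximation can be checked.
    """
    if exact:
        return 1.0 - math.exp(-lam * hours)
    return lam * hours


def probability_to_rate(prob, hours):
    """Turn a unitless probability back into a rate in failures per hour."""
    return prob / hours


def dual_point_rate(lam_a, lam_b, exposure_hours):
    """Rate contribution of two independent faults that must both be present.

    Both rates become probabilities over the exposure window, are multiplied
    (independence assumption, as in the video's small fault tree), and the
    product is divided by the window to return to failures per hour. The
    number equals lam_a * lam_b * exposure_hours, but only this route keeps
    the units consistent (probability is unitless, so no "failures squared").
    """
    p_a = rate_to_probability(lam_a, exposure_hours)
    p_b = rate_to_probability(lam_b, exposure_hours)
    return probability_to_rate(p_a * p_b, exposure_hours)


def to_fit(rate):
    """Failures per hour -> FIT."""
    return rate / FIT


def pmhf_expanded(lam_spf, lam_rf, dual_point_terms):
    """SPF + RF + the sum of dual-point terms.

    dual_point_terms: list of (lam_if, lam_sm, exposure_hours) tuples, one per
    intended-function / safety-mechanism combination with the exposure window
    the speaker describes. Assumption for this example only: the standard's
    exact pairing of the four dual-point terms is not reproduced here.
    """
    total = lam_spf + lam_rf
    for lam_if, lam_sm, hours in dual_point_terms:
        total += dual_point_rate(lam_if, lam_sm, hours)
    return total


def transcript_example():
    """The single latent term worked in the video; comes out to 1 FIT."""
    return to_fit(dual_point_rate(LAM_IF_DPF, LAM_SM_DPF_LATENT, LIFETIME_H))


def approximation_error(lam, hours):
    """Relative gap between lam*t and 1-exp(-lam*t); small while lam*t << 1."""
    approx = rate_to_probability(lam, hours)
    exact = rate_to_probability(lam, hours, exact=True)
    return abs(approx - exact) / exact


if __name__ == "__main__":
    print(f"dual-point latent term: {transcript_example():.3f} FIT")
    err = approximation_error(LAM_SM_DPF_LATENT, LIFETIME_H)
    print(f"lambda*t approximation error at lambda*t = 0.01: {err:.2%}")
    four_terms = [
        (LAM_IF_DPF, LAM_SM_DPF_LATENT, LIFETIME_H),  # SM latent, whole life
        (LAM_IF_DPF, LAM_SM_DPF_LATENT, SERVICE_H),   # SM detected, until service
        (LAM_IF_DPF, LAM_SM_DPF_LATENT, LIFETIME_H),  # IF latent, whole life
        (LAM_IF_DPF, LAM_SM_DPF_LATENT, SERVICE_H),   # IF detected, until service
    ]
    print(f"PMHF with SPF=RF=0 and four sample terms: "
          f"{to_fit(pmhf_expanded(0.0, 0.0, four_terms)):.4f} FIT")
```

Running the script prints the 1 FIT result the video arrives at, and shows the lambda-times-time shortcut is off by about half a percent at lambda*t = 0.01, which is why the speaker can treat probability as lambda times time for these magnitudes.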