Merging FMEA and FTA for safety analysis of sensors for ...2017.eurospi.net/images/EuroSPI2016/ppt/mergen_eurospi2016.pdf · Merging FMEA and FTA for safety analysis of sensors for

Attracting Tomorrow

TDK-EPCA TDK Group Company

SEN Business Group • Product DevelopmentBerlin, Germany

September, 15, 2016

Merging FMEA and FTA for safety analysis

of sensors for automotive applicationS. Mergen, W.J. Schreiber-Prillwitz, P. Schmidt-Weber

Merging FMEA with FTA [Chapter title]© TDK-EPC 2016

A TDK Group CompanyProduct Development 09/16 2

Attracting Tomorrow

• Motivation to write this paper

• Background on FMEA

• Background on FTA

• Integrative Methods in the Literature

• Forward Integration

• Backward Integration

• Simple Sensor Model

• Merging FTA and FMEA in 5 Steps

• Conclusions

Outline



Attracting Tomorrow

Motivation for this paper / ISO 26262 on safetyanalyses

In sensor development: traditionally Design-FMEAIncreasing ASIL level limitations of the FMEA analysis

Questions: Can we combine FTA and FMEA? Can we improve the quality of analysis? Is it less effort?Can it work? Has it been anyone done before?



Attracting Tomorrow

‚Traditional‘ analysis in component development

DFMEA

Analyse design faultsAssumption: processing is failure-free

PFMEA

Analyse failure in processAssumption: design is failure free

Outcome:- Single failures / risk rating- Design optimisation- Bottom-up approach: detailedanalysis of single parts and their interactions

Bottom up approach: detailedanalysis of single processing steps andtheir effects on the assembledcomponent

Not

ofm

uch

Con

cern

toIS

O26

262



Attracting Tomorrow

Automotive Design-FMEA (VDA)

Product andits parts

What are thefunctions of theproduct, parts, andtheir interactions

What are theFailures in of theProduct, partsTheir interactions

How to preventfailures earlier,how to reduce the risk?

Failure effect Failure mode Failure cause

How to preventfailures, how todectect them?

VDA – Qualitätsmanagement in der Automobilindustrie – Sicherung der Qualität während der Produktrealisierung Methoden und Verfahren, Band 4 Kapitel: Produkt- und Prozess-FMEA, 2. Auflage, 2006

Step 1:Structure analysis

Step 2:Functions analysis

Step 3:Failure analysis

Step 4:Detection andPrevention actions

Step 5:Optimisation



Attracting Tomorrow

FTA on a logic circuit example

A B

C D

Signal in Signal outNo outputsignal

A C A D B C B D

& & & &

≥1

- Focus on one failure (TOP EVENT)

- Single point and multiple point failures

- Can Include failures from processing, handling or experience



Attracting Tomorrow

ISO 26262-10 on combining FTA and FMEA

- Use FTA to analyse the hazards down to the component level- The failure modes of the components are analysed using an FMEA to determine their failure modes and safety mechanisms to close out the bottom level of the fault tree.



Attracting Tomorrow

Integrative FMEA / FTA Analysis

• Forward Integration: FMEA FTA

• Backward Integration: FTA FMEA

• Bi-directional / Bouncing Integration

the strength of forward integration: identification of latent failure modes

the strength of backward integration: coincident circumstances that allow failure mode to occur / more efficient in security analysis



Attracting Tomorrow

Forward Integrated Analysis: FMEA FTA

Hong, & Liu, B. 2009, ‘Integrated Analysis of Software FMEA and FTA’, Information Technology and Computer Science, ITCS 2009. International Conference on , vol.2, no., pp.184-187

Software development: Forward Integrated Analysis in Requirement Phase –comprehensive and meticulous analysis



Attracting Tomorrow

Backward Integrated Analysis: FTA FMEA

Hong, & Liu, B. 2009, ‘Integrated Analysis of Software FMEA and FTA’, Information Technology and Computer Science, ITCS 2009. International Conference on , vol.2, no., pp.184-187

Backward Integrated Analysis in Design Phase: more efficient and more suitable than forward integrated analysis



Attracting Tomorrow

Merging FMEA with the FTA



Attracting Tomorrow

Merging FMEA FTA – Case Study: Simple Sensor Model

Mechanical / electricalinterface to system

Package / housing/ PCB / stimulus inlet

accelerometer, gyroscope, current,pressure, temperature…

Not part of thesensor – system in which the sensor isintegrated



Attracting Tomorrow

Simple Sensor Model: Functions and failures

Safety goal 1: provide correct signal to the system

Failures: no signalsignal not within specificationssignal is not correct (undectected wrong signal)signal not on timesignal driftssignal offset

Safety goal 2: provide signal failure to the system

Failures: failure not detectedWrong failure assignedDiagnostics failedSelf test not availableSelf test fails temporarly



Attracting Tomorrow

Step 1: Do Design FMEA



Attracting Tomorrow

Step 1: Do Design FMEA



Attracting Tomorrow

Step 2: Create the FTA top-level

When can things go wrong?How can things go wrong?

DFMEA: What can go wrong?



Attracting Tomorrow

Step 3: Deduce dual-point faults from the FMEA and include them in the FTA

Bluvband, Z, Polak, R & Grabov, P 2005 ‘Bouncing Failure Analysis (BFA): The Unified FTA-FMEA Methodology’, Proceeding of Annual Reliability and Maintainability Symposium, pp.463 – 467

Analysis of all failures that do not contribute directly to thefailure effects (no signal, wrongsignal), and their combinations



Attracting Tomorrow

Step 4: Transfer dual-point faults back into the FMEA



Attracting Tomorrow

‚AND‘-gate in FMEA to represent Multiple-point failures



Attracting Tomorrow

Step 5: RPN calculation for multiple-point failures

Pickard, K, Müller, P & Bertsche, B 2005, ‘ Multiple Failure Mode and Effects Analysis – An Approach to Risk Assessment of Multiple Failures with FMEA’, Proceedings of the Annual Reliability and Maintainability Symposium, (2005), pp.457

Risk Priority Number (RPN) = Severity (S) X Occurence (O) X Detection (D)



Attracting Tomorrow

Step 5: RPN calculation for multiple-point failures



Attracting Tomorrow

Step 5: FMEA optimization // Double-point failure



Attracting Tomorrow

Conclusions

- The analysis is thorough with new failure modes found and included where applicable

- Improved product design with focus on safety

- Inclusion of multiple point failures (latent faults) in the FMEA

- Systematic approach through 5-Steps

- Working in one document only instead of two

www.global.tdk.com • www.epcos.com

Documents

Merging FMEA and FTA for safety analysis of sensors for ...2017.eurospi.net/images/EuroSPI2016/ppt/mergen_eurospi2016.pdf · Merging FMEA and FTA for safety analysis of sensors for