
Chapter 6 Safety Control System Design

6.1 Frameworks for Safety Analysis

Failure Modes and Effects Analysis (FMEA) and Fault Tree Analysis (FTA) are two frameworks commonly used in the automotive industry to analyse system safety. These tools are the starting point for system safety design, and are used to identify the safety-critical elements of the vehicle’s real-time control system. FMEA and FTA are, respectively, used as bottom-up and top-down approaches to system analysis. Used together, they are complementary processes that enable more complete coverage of a system than either process can achieve alone.

FTA is a top-down approach to system safety analysis. System faults are identified through brainstorming sessions, which form the top-level entry for a fault tree [49]. For each fault, immediate causes or events are listed. Those causes or events are further caused by other, lower-level events or combinations thereof. A logical tree of events is thus constructed, leading from the top-level fault to the most basic system events. Thus, FTA is an analysis that begins with known system-level faults and works down through causal errors to reveal root-level component failure mechanisms. FTA serves as a brainstorming tool to generate a list of critical system faults, and also provides insight into how system behaviours lead to these faults. FTA is a good tool to aid in designing controls for safety-related faults for several reasons. FTA shows single- and multiple-point faults, so it can help designers identify weak points (i.e. single-point failures) in the system. It also shows all the intermediary steps between a root (bottom-level) cause and the (top-level) effect, which helps designers identify points of detection and mitigation within a critical sub-system.

FMEA is a bottom-up approach to system safety analysis. Systems are broken down into subsystems and components, and brainstorming sessions identify possible failure modes for each system component [50]. Once a list of failure modes is compiled for each component, the effect(s) of each failure are listed and quantified through a Severity Index (S). Next, the cause(s) of these effect(s) are listed, and quantified with an Occurrence Index (O). Design controls are identified next. In this implementation of FMEA, design controls are divided into two types. Prevention controls involve designing the system to reduce the occurrence of the causes of failure. Detection controls involve implementing methods that can be used to identify when failure causes occur. The ability of design controls to prevent or detect a failure is quantified using a Detection Index (D). The combination of Severity, Occurrence, and Detection indexes is used to rank and prioritize failure modes. FMEA is an analysis that begins with known root-level component failure mechanisms and works up through the resulting errors to yield system-level faults.

FTA and FMEA provide two independent methods of performing a system analysis. As a deductive method, FTA is a good starting point when effects of failure are known (e.g. from previous experience with the particular application, brainstorming, hazard analysis) but the particular causes in the current system design are unknown [49]. As an inductive method, FMEA is useful when the causes of failure are known (e.g. from experience with components) but the effects on the system are unknown [49]. For both methods it is critical that the right people are involved in the analysis and that an appropriate level of knowledge is available regarding the known causes or effects that serve as a starting point for FMEA and FTA, respectively.

For example, in designing a vehicle control system, unintended vehicle movement is a critical effect of a failure in part of the system. During the design process an FTA for unintended vehicle movement would be performed in an effort to understand how certain events within the components of the vehicle control system can lead to this effect. Thus, FTA is an analytical process that is best executed by experts at the system integration or application level. A good FTA session may be preceded by a brainstorming session at the system or application level to generate the failure effects that serve as the top level of the fault trees. Conversely, FMEA is useful when detailed knowledge of a component and its failure mechanisms is available. For example, in the same vehicle design project, an FMEA performed on a motor controller would identify an open or short on the torque control signal as possible causes of failure. This failure may lead to the effect of unintended vehicle movement. Thus, FMEA is a brainstorming process that lends itself to experts at the component or subsystem level. A good starting point for FMEA is a brainstorming session at the component level, to generate the failure modes that serve as bottom-level events for the analysis.
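The two analyses above can be carried through mechanically once the fault tree and the FMEA indexes exist. The following is an added example, not code from the thesis: it assumes a constructed fault tree for unintended vehicle movement (the torque-signal open and short from the motor-controller FMEA, a hypothetical torque plausibility monitor as the detection control, and a hypothetical unexpected brake release as a further cause), derives the minimal cut sets to expose single-point failures, and ranks constructed FMEA rows by the conventional Risk Priority Number S×O×D, which the chapter itself only calls a "combination" of the three indexes.

```python
"""Added example: minimal cut sets from a fault tree (FTA) and RPN ranking
of failure modes (FMEA) for the torque-delivery case in the chapter."""

# Constructed fault tree (assumed structure, not the thesis's own). Each gate
# maps to (gate_type, children); a name absent from the dict is a basic event.
FAULT_TREE = {
    "unintended_vehicle_movement": ("OR", ["torque_cmd_fault", "unexpected_brake_release"]),
    # the torque plausibility monitor (a detection control) must also miss the fault
    "torque_cmd_fault": ("AND", ["torque_signal_corrupt", "torque_monitor_missed"]),
    "torque_signal_corrupt": ("OR", ["torque_signal_short", "torque_signal_open"]),
}

def cut_sets(node, tree=FAULT_TREE):
    """Minimal cut sets (frozensets of basic events) whose occurrence causes `node`."""
    if node not in tree:                      # basic event: it is its own cut set
        return [frozenset([node])]
    gate, children = tree[node]
    child_sets = [cut_sets(c, tree) for c in children]
    if gate == "OR":                          # any child's cut set alone suffices
        combined = [s for sets in child_sets for s in sets]
    else:                                     # AND: union one cut set from each child
        combined = [frozenset()]
        for sets in child_sets:
            combined = [a | b for a in combined for b in sets]
    minimal = []                              # drop any set that contains a smaller one
    for s in sorted(set(combined), key=len):
        if not any(m <= s for m in minimal):
            minimal.append(s)
    return minimal

def single_point_failures(node, tree=FAULT_TREE):
    """Basic events that cause `node` by themselves: the weak points FTA exposes."""
    return sorted(next(iter(s)) for s in cut_sets(node, tree) if len(s) == 1)

# Constructed FMEA rows: (failure mode, Severity, Occurrence, Detection), 1..10 scales
FMEA_ROWS = [
    ("torque signal short", 10, 3, 4),
    ("torque signal open", 7, 4, 2),
    ("unexpected brake release", 9, 2, 8),
]

def rpn(row):
    """Risk Priority Number: the conventional S*O*D product (assumed; the text says only 'combination')."""
    return row[1] * row[2] * row[3]

def rank_failure_modes(rows=FMEA_ROWS):
    """Highest RPN first: the order in which failure modes should receive design controls."""
    return sorted(rows, key=rpn, reverse=True)
```

With the plausibility monitor in the tree, both torque-signal faults become two-point failures while the brake release remains a single-point failure; removing the AND gate (no detection control) turns the torque faults back into single points, which is exactly what the tree makes visible.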

By approaching system analysis from both ends, top-down and bottom-up, and by involving both system-level and component-level experts in the brainstorming process, the likelihood of identifying and linking all safety-critical causes and events is increased. These methods are only the beginning of designing a safe control system, however. Once safety-related design elements are identified, they must be addressed with appropriate controls. Those controls may occur in the design phase to reduce the probability of failure causes, and/or they may be implemented within the production system to detect known failure effects and take appropriate action. The focus of this chapter is on the latter, through examples related to one of the most safety-critical elements of vehicle controls: torque delivery.