The derivation of an FMEDA for IEC 61508 and ISO 26262 (DC Worksheets) is supported for arbitrary SysML models. Since the Single Point Fault and Latent Fault Metrics (SPF/LF Metrics) as well as the Safe Failure Fraction (SFF) and Diagnostic Coverage (DC) are defined over a "flat" list of components, care is needed when deriving worksheets for structured models.
If parts are nested, the model structure can cause the same failure rate to appear multiple times in an FMEDA in the following cases:
Percentage distribution FROM PARENT is used and both the parent and its children are visible in the FMEDA. The failure rate of the parent and the same rate, distributed over the children, then both appear in the worksheet.
The prediction mode FROM FAILURE MODES is used at a parent, so that its failure modes aggregate the failure rates from the causes of the contained elements. If the parent element and its children are both shown in a DC worksheet, the failure rate is again duplicated.
The "Add children" option is active and the part as well as its children appear in the worksheet (see also WARNING [2]).
WARNING [8] — All three cases lead to failure rates appearing multiple times in an FMEDA. Take care when setting the "safety related" checkbox: checking both the parent and a child element adds the same FIT twice to the total safety-related failure rate and hence yields wrong SPF/LF or SFF/DC metrics.
WARNING [9] — All three cases also lead to a pessimistic "Total Failure Rate", since the failure rates of the children and of the parent are summed and therefore enter the total failure rate twice (or more often).
Note that the "Total Failure Rate" is not used for the computation, but in the cases described its display may be misleading. Similarly, the "Prediction" tab of the properties view of a SysML element shows the failure rate of nested elements, which in the three cases above may also contain the same failure rate more than once.
NOTE [8] — For typed and untyped elements the behaviour with respect to these fields differs slightly, since the failure rates of parts contained in the type are not automatically considered in the instances. Refer to Modelling with types and instances for further details on the relationship between the failure rates of types and instances.
RECOMMENDATION [8] — Use flat component lists in a separate model to avoid complex tree structures in the FMEDA worksheet. If required, use SysML packages to group hardware components according to circuit/PCB affiliation.
RECOMMENDATION [9] — If the FMEDA is performed on a structured SysML model with parents and their nested components, use the "Level Selection" of the FMEDA/DC Worksheet to restrict the computation to a single level. Alternatively, avoid the three failure-rate modelling cases above, and in any case double-check the "safety related" flag.
NOTE [9] — DC Worksheets can be rooted at any element level. If one of the cases above exists, it may be better to derive the DC worksheet from a different level so as not to run into duplicated FIT values.
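The following worked example is added here to make the duplication concrete; it is not code from the tool or from this documentation. It models a small, constructed hardware tree (hypothetical part names and rates) that uses both percentage distribution FROM PARENT and aggregation FROM FAILURE MODES, flattens it the way a structured worksheet lists parent and child rows, and compares the summed safety-related FIT across all rows with the sum over leaf parts only and with a single-level filter. The `Part` attributes (`mode`, `share`, `fit`) are assumptions chosen for the example, not the tool's property names.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed model, not exported from the tool: a small nested hardware tree
# with the two failure-rate modelling cases that duplicate FIT in a worksheet.
# All rates are in FIT (failures per 1e9 h).


@dataclass
class Part:
    name: str
    safety_related: bool = True
    fit: float = 0.0                  # own predicted rate (plain parts, FROM_PARENT parents)
    mode: Optional[str] = None        # "FROM_PARENT" | "FROM_FAILURE_MODES" | None
    share: Optional[float] = None     # fraction of the parent's rate (FROM PARENT children)
    children: List["Part"] = field(default_factory=list)


Row = Tuple[int, str, float, bool]    # (level, name, fit, safety_related)


def resolved_fit(part: Part, parent_fit: Optional[float] = None) -> float:
    """Failure rate of a part as a worksheet row would display it."""
    if part.share is not None and parent_fit is not None:
        return parent_fit * part.share                      # percentage distribution FROM PARENT
    if part.mode == "FROM_FAILURE_MODES":
        return sum(resolved_fit(c) for c in part.children)  # aggregated from contained elements
    return part.fit


def worksheet_rows(part: Part, level: int = 0, parent_fit: Optional[float] = None,
                   add_children: bool = True) -> List[Row]:
    """Rows of a structured worksheet: the parent row followed by its children's rows."""
    fit = resolved_fit(part, parent_fit)
    rows: List[Row] = [(level, part.name, fit, part.safety_related)]
    if add_children:                      # the "Add children" option
        for child in part.children:
            rows += worksheet_rows(child, level + 1, fit, add_children)
    return rows


def leaf_rows(part: Part, parent_fit: Optional[float] = None) -> List[Row]:
    """Only parts without children, so every physical failure rate appears exactly once."""
    fit = resolved_fit(part, parent_fit)
    if not part.children:
        return [(0, part.name, fit, part.safety_related)]
    rows: List[Row] = []
    for child in part.children:
        rows += leaf_rows(child, fit)
    return rows


def rows_at_level(rows: List[Row], level: int) -> List[Row]:
    """What a single-level "Level Selection" filter keeps."""
    return [r for r in rows if r[0] == level]


def safety_related_fit(rows: List[Row]) -> float:
    """Sum of FIT over rows flagged 'safety related' (the denominator of SPF/LF, SFF and DC)."""
    return sum(fit for _, _, fit, sr in rows if sr)


def duplicated_fit(part: Part) -> float:
    """FIT that an all-levels worksheet counts beyond the physical (leaf) total."""
    return safety_related_fit(worksheet_rows(part)) - safety_related_fit(leaf_rows(part))


def double_counted_parents(part: Part) -> List[str]:
    """Parents whose rate is also carried, in part or in whole, by their shown children."""
    found = []
    if part.children and (part.mode == "FROM_FAILURE_MODES"
                          or any(c.share is not None for c in part.children)):
        found.append(part.name)
    for child in part.children:
        found += double_counted_parents(child)
    return found


# Constructed sample tree (hypothetical names and rates).
BOARD = Part("ECU_Board", mode="FROM_FAILURE_MODES", children=[
    Part("PowerSupply", fit=100.0, mode="FROM_PARENT", children=[
        Part("Regulator", share=0.6),
        Part("Capacitors", share=0.4),
    ]),
    Part("MCU", fit=50.0),
])

if __name__ == "__main__":
    rows = worksheet_rows(BOARD)
    for level, name, fit, _ in rows:
        print(f"{'  ' * level}{name:<12} {fit:6.1f} FIT")
    print("all levels :", safety_related_fit(rows))                      # 400.0 (duplicated)
    print("leaves only:", safety_related_fit(leaf_rows(BOARD)))          # 150.0 (physical)
    print("level 2    :", safety_related_fit(rows_at_level(rows, 2)))    # 100.0 (MCU missing)
    print("duplicated :", duplicated_fit(BOARD))
    print("parents    :", double_counted_parents(BOARD))
```

The physical failure rate of the board is 150 FIT, but the all-levels worksheet sums to 400 FIT because the board row repeats its children's rates and the power supply row repeats the rates it distributes. The example also shows the limit of a pure depth filter: selecting level 2 drops the MCU, which sits at level 1 and has no children, so in a tree of uneven depth a leaf-only view counts each rate once where a single-level view can lose parts.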
For automotive users and projects based on the ISO 26262 domain template, the tool provides an option to compute no part failures, the safe failure fraction (SFF) and the diagnostic coverage (DC) from the SPF/LF settings. The FMEDA metrics of IEC 61508 leave some room for interpretation when they are related to the ISO 26262 single-point fault (SPF) and latent fault (LF) metrics. The following interpretation combining ISO 26262 and IEC 61508 has therefore been implemented:
If a component is safety related but none of its failure modes is considered to violate a safety goal, these failure modes are counted as no part failures in accordance with IEC 61508-4:2010, definition 3.6.13.
The safe fault fraction of a failure mode is counted into the SFF only if the failure mode violates a safety goal. This is in accordance with IEC 61508-4:2010, definition 3.6.14.
Multiple-point faults are not considered dangerous but are always counted as no part failures. IEC 61508 does not explicitly address multiple-point faults, but the procedure described in IEC 61508-2:2010, Annex C.1 suggests that the metrics are limited to individual failure modes (not failure combinations).
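A worked example of the three rules above, added here and not part of the tool's documentation or implementation: it applies the interpretation to a constructed list of safety-related components whose failure modes carry ISO 26262-style settings, splits each rate into safe, dangerous detected, dangerous undetected and no part shares, and derives SFF and DC from them. The attribute names (`violates_sg`, `safe_fraction`, `dc`, `mpf`, `mpf_dc`) and all sample values are assumptions for the example. The ISO 26262 SPFM and LFM are computed alongside for comparison using their standard definitions, simplified by treating the dangerous undetected rate of a safety-goal-violating mode as the single-point plus residual contribution and counting only explicitly flagged multiple-point modes as latent.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed example, not tool output: safety-related parts whose failure modes
# carry ISO 26262-style SPF/LF settings, evaluated with the IEC 61508
# interpretation described in the text. All rates are in FIT.


@dataclass
class FailureMode:
    name: str
    fit: float
    violates_sg: bool = False    # can this mode on its own violate a safety goal?
    safe_fraction: float = 0.0   # share of the mode's rate that is a safe fault
    dc: float = 0.0              # diagnostic coverage w.r.t. residual faults (K_DC,RF)
    mpf: bool = False            # relevant only in combination (multiple-point fault)
    mpf_dc: float = 0.0          # coverage w.r.t. latent faults (K_DC,MPF,L)


@dataclass
class Component:
    name: str
    safety_related: bool = True
    failure_modes: List[FailureMode] = field(default_factory=list)


@dataclass
class Sums:
    lam_total: float = 0.0   # all failure rates of safety-related parts
    lam_s: float = 0.0       # safe (IEC 61508 lambda_S)
    lam_dd: float = 0.0      # dangerous detected (lambda_DD)
    lam_du: float = 0.0      # dangerous undetected (lambda_DU); ISO 26262 single-point + residual
    no_part: float = 0.0     # no part failures (IEC 61508-4:2010, 3.6.13)
    lam_latent: float = 0.0  # latent multiple-point faults (ISO 26262 lambda_MPF,L)


def classify(components: List[Component]) -> Sums:
    """Apply the three rules from the text to every failure mode."""
    s = Sums()
    for comp in components:
        if not comp.safety_related:
            continue   # non-safety-related parts are outside all sums
        for fm in comp.failure_modes:
            s.lam_total += fm.fit
            if not fm.violates_sg:
                # Rules 1 and 3: a mode that cannot violate a safety goal on its own
                # (including multiple-point-only modes) is a no part failure and
                # stays out of the SFF/DC sums. Its undetected share still counts
                # as latent for the ISO 26262 LFM.
                s.no_part += fm.fit
                if fm.mpf:
                    s.lam_latent += fm.fit * (1.0 - fm.mpf_dc)
                continue
            # Rule 2: the safe fault fraction enters the SFF only because this
            # mode violates a safety goal.
            lam_safe = fm.fit * fm.safe_fraction
            lam_dang = fm.fit - lam_safe
            s.lam_s += lam_safe
            s.lam_dd += lam_dang * fm.dc
            s.lam_du += lam_dang * (1.0 - fm.dc)
    return s


def _bad_fraction(num: float, den: float) -> float:
    # Nothing in the denominator means there is nothing dangerous or latent to
    # miss, so the corresponding metric is trivially 100 %.
    return 0.0 if den == 0.0 else num / den


def sff(s: Sums) -> float:
    """IEC 61508 SFF = (lambda_S + lambda_DD) / (lambda_S + lambda_D), no part failures excluded."""
    return 1.0 - _bad_fraction(s.lam_du, s.lam_s + s.lam_dd + s.lam_du)


def dc(s: Sums) -> float:
    """IEC 61508 DC = lambda_DD / lambda_D."""
    return 1.0 - _bad_fraction(s.lam_du, s.lam_dd + s.lam_du)


def spfm(s: Sums) -> float:
    """ISO 26262 SPFM = 1 - sum(lambda_SPF + lambda_RF) / sum(lambda)."""
    return 1.0 - _bad_fraction(s.lam_du, s.lam_total)


def lfm(s: Sums) -> float:
    """ISO 26262 LFM = 1 - sum(lambda_MPF,L) / sum(lambda - lambda_SPF - lambda_RF)."""
    return 1.0 - _bad_fraction(s.lam_latent, s.lam_total - s.lam_du)


# Constructed sample (hypothetical names and values).
SAMPLE = [
    Component("MCU", failure_modes=[
        FailureMode("output_stuck", 30.0, violates_sg=True, safe_fraction=0.5, dc=0.9),
        FailureMode("clock_drift", 10.0, violates_sg=True, dc=0.6),
        FailureMode("watchdog_fault", 5.0, mpf=True, mpf_dc=0.8),
        FailureMode("unused_peripheral", 5.0),
    ]),
    # Rule 1: safety related, but no mode violates a safety goal -> all no part failures.
    Component("StatusLED", failure_modes=[FailureMode("open", 2.0)]),
    Component("Housing", safety_related=False, failure_modes=[FailureMode("crack", 1.0)]),
]

if __name__ == "__main__":
    s = classify(SAMPLE)
    print(f"no part: {s.no_part} FIT  SFF: {sff(s):.4f}  DC: {dc(s):.4f}  "
          f"SPFM: {spfm(s):.4f}  LFM: {lfm(s):.4f}")
```

For the sample, 12 FIT of the 52 FIT safety-related total are no part failures (the watchdog and unused-peripheral modes and the whole LED), so the SFF and DC denominators shrink to 40 FIT and 25 FIT respectively, while the SPFM keeps the full 52 FIT in its denominator. That difference in denominators is exactly where the interpretation matters: the same "safety related" flag and the same failure-mode settings feed both sets of metrics, but the IEC 61508 ratios are only as meaningful as the no part classification behind them.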