They are performed at the appropriate level of abstraction during the concept and product development phases. There are different kinds of safety analyses classification. One of them is to divide them between quantitative methods (predict the frequency of failures) and qualitative methods (identify failures but do not predict the frequency of failures). Examples are: 

Qualitative analysis methods include: 

— qualitative Failure Modes and Effects Analysis (FMEA) at the system, design or process level; 

— qualitative Fault Tree Analysis (FTA);  

— Hazard and Operability Analysis (HAZOP);  

— qualitative Event Tree Analysis (ETA). 

Quantitative analysis methods include: 

— quantitative FMEA; 

— quantitative FTA;  

— quantitative ETA; 

— Markov models;  

— reliability block diagrams. 

What is FMEA and why it’s important? 

FMEA is one of the most widely known inductive analysis used in the automotive sector.  

FMEA – is a step-by-step approach for identifying all possible failures in a design, a manufacturing or assembly process, or a product or service. The most important outcomes are: 

– identification of new hazards not previously identified during the hazard analysis and risk assessment (HARA); 

– evidence for the suitability of safety concepts; 

– definition of safety measures for fault prevention or fault control; 

– identification of design requirements and test requirements. 

There are different types of FMEA. The main 2 groups are: Design and Process FMEA. The main goal of Design FMEA (DFMEA) is to uncover potential failures associated with the product design – product malfunctions, shortened life etc. On the other hand the main objective of Process FMEA (PFMEA) is to uncover failures related to process reliability, impact product quality, etc. 

There are several trusted publications describing the approach to the Design and Process FMEA like: Failure Mode and Effect Analysis Handbook (issued by AIAG & VDA) or Design & Process FMEA (issued by SAE).  

How important is SW Safety Analysis? 

The best illustration of the role of SW safety-oriented analyses can be found in Annex E from the Part 9 of ISO26262:2018 (2nd edition): 

FMEA analysis what it is and why it’s important

The best time for safety analysis as per the diagram above is SW Architectural Design. It can be done using deductive or inductive analyses. One of the most efficient solution for inductive analysis, is SW FMEA. The best if it is supported by a deductive approach like SW FTA along with DFA. 

When it comes to the SW FMEA availability of standards/guidelines is very low and it is not easy to verify the sources of publications. One of them is “Effective Application of SW Failure Modes Effect Analysis” by Ann Marie Neufelder.  

 This is a very complex approach containing a lot of different approaches, methods and steps. Especially for the companies which are at the beginning of ISO26262 journey, it might be very difficult to adapt it to their technology and processes without extensive support and time.  

Spyrosoft FUSA Engineers over the various ISO26262 projects were able to develop their own approach to SW FMEA. It is continuously evolving to adapt new technologies and lessons learnt. It is also worth to add that SpyroSoft safety analyses reports based on the SW FMEA already passed several FUSA Assessments. 

Learn more about ISO 26262 guide blog banner

What are the steps of SW FMEA?

 The general approach to SW FMEA is similar as for Design FMEA (AIAG & VDA). The Safety Analysis Sheet columns for SW FMEA might be organised as follows:

First step of SW FMEA contains 4 steps as shown in the flow diagram below: 

FMEA analysis what it is and why it’s important

HAZOP (Hazard and Operability Study) – systematically investigates each element in an Architecture or any other model/system/process. The goal is to find potential situations that would cause that element to pose a hazard or limit its operability. In this approach key words like “NO or NOT”, “PART OF” etc. help in defining potential failures in function/element.  

Each Potential Failure Cause shall contain Occurrence (O) rating. It describes the potential of the failure cause to occur in customer operation, according to the rating table, considering results of already completed detection controls. 

Generally in SW FMEA approach we are dividing two kinds of Failure Effects:​ 

  • Potential Failure Effects which might directly violate Safety Goal/s​ 
  • Potential Failure Effects which might impact system/subsystem, local entities, results in non-compliance with the regulations, poor performance, loss of intended functions etc. 

Each Effect shall be rated using Severity (S) measure. It is associated with the most serious failure effect for a given failure mode on the function being evaluated. 

Each prevention/detection control shall be rated using Detection (D) measure. It is an estimated measure of the effectiveness of the detection control to reliably demonstrate the failure cause or failure mode before the item is released for production. 

  • Second step of SW FMEA analysis is Risk Assessment, FMEA SW Validation and Optimization 
  • The first contact point shall be SW Architect responsible for implementing SMs within SW Architecture and filling „SM implementation” column​ 
  • „Requirement Coverage” column is maintained by  requirements engineer (Req Eng.) It shall contain already existing SW Safety Requirements or brand new ones derived directly from SW FMEA.​ 
  • „Test Coverage” column shall be filled with Test Cases IDs (on Unit or Integration level) which are made for checking the Safety Mechanisms correct behaviour during start-up/normal operation. 

 Do not forget about the proper Safety Analysis Verification Report required by ISO26262.  

It shall summarise and communicate the results of the SW FMEA activity, confirmation of the effectiveness of the implemented actions, record of risk analysis and risk reduction to acceptable level. 

What are the hints and best practises to perform a good SW FMEA? 

  • Static View: the FUSA critical components shall be clearly marked. The critical signal path shall be shown from the HW peripherals through MCAL, ECUAL, BSW up to Application Layer (in AUTOSAR projects). Based on such diagram FUSA critical components (also QM ones if they are on the way of critical path) shall be taken into consideration for SW FMEA.  
  • Dynamic View: where faults like: delay of transmitted data, blocking access to communication channel, memory corruption can be identified. 

If you struggle with the SW FMEA or anyother SYS/SW Safety Analyses – please visit our website for more information 

You can book face-to-face or online training for you and your team to learn about the basics and processes based on a well-structured life example case studies and exercises. 

About the author

Paweł Kazmierczak photo

Pawel Kazmierczak

Functional Safety Engineer