CAM0500244-01
Method: FTA
Creator: Jean-Marc Astruc (Department: BU ES Q), 30.11.2010
eSign List ID: 1116849
Maturity: draft / valid
Objective
Subject:
This method description provides an overview of the Fault Tree Analysis (FTA) method and of the
subjects to be analyzed.
Goal:
FTA is a deductive failure analysis which is often applied (but not restricted) to reliability prediction
and safety analysis of systems. The method is based on the identification and evaluation of the
conditions and factors which cause or contribute to the occurrence of one particular undesirable
event. This event is usually called the undesired top-level event or top event. A further
goal of the method can be the analysis and determination of cutsets, which is the basis for the
design of safety mechanisms.
The FTA can further be used to analyse the paths of failures that actually occurred in the
system, in order to localize the causes of the system failures. The different cutsets show
the paths with the highest probability of occurrence of the failures.
Scope
This method description is applicable to Conti Automotive. It can be complemented with local or application-specific
working instructions.
This regulation is mandatory for Continental Automotive and its majority interests, as well as minority interests with
management control by Continental Automotive.
Page 1 of 14
Template: CAP0103001-F02-02
Automotive
Table of Content
Method: FTA ..... 1
1 Method ..... 3
1.1 Preparation of a Fault Tree Analysis ..... 3
1.2 Fault Tree Construction ..... 4
1.3 Qualitative Evaluation of Fault Tree ..... 4
1.4 Quantitative Evaluation of Fault Tree ..... 5
1.5 Use of FTA Outcomes ..... 5
1.6 Archiving of the FTA Documents ..... 5
2 Metrics and Performance Indicators ..... 6
2.1 Graphic Symbols ..... 6
2.2 General Hints on FTA Usage ..... 8
3 Further Definitions ..... 9
3.1 Acronyms ..... 9
3.2 Definitions ..... 9
3.3 Example of Fault Tree Diagram ..... 10
3.4 Example of Primary Events Dictionary ..... 12
3.5 Example of Qualitative Evaluation ..... 12
4 References ..... 14
4.1 Mandatory ..... 14
4.2 Other ..... 14
5 Document History ..... 14
6 Responsible Persons ..... 14
6.1 Process Owner ..... 14
6.2 Process Manager ..... 14
6.3 Process Team ..... 14
1 Method
The top events usually come out of the Hazard & Risk Analysis or of higher-level analyses (such as FMEA, FTA, ETA, etc.)
previously carried out at vehicle level by the car manufacturers. In some cases they can be derived directly from
experience.
Ideally, the development of the fault tree should start early in the concept phase, so that its results can affect the
design of the function, system or component. FTA can be considered a complementary method to FMEA. For
ASIL C and ASIL D, a deductive analysis such as FTA is mandatory in addition to FMEAs. The FTA can be used to
develop the function net of a VDA-FMEA: the higher-order cutsets should correspond to the connections of the
function net.
FTA can also be carried out retrospectively on existing or reused systems in order to check or confirm their
compliance with given safety requirements or objectives.
Responsibility for the FTA shall be planned as part of the Project (Safety) Plan.
Whatever the context, the steps described below should be completed.
1.1 Preparation of a Fault Tree Analysis
1.2 Fault Tree Construction
For each event under consideration, ask:
- Are there any single failures which will cause the event under consideration to be true?
- Are there any common cause failures which will cause the event under consideration to be true?
- Are there any multiple failure combinations which will cause this event to be true?
When considering the fail-safe properties of a system, the following structure should be sought whenever possible
in order to identify which measures are taken at system design level to preclude or reduce the effects of
faults and failures:
[Figure: fail-safe structure. An event (G17) results from failure(s) or fault(s) (G18) together with the protection
mechanism (or measure) being inoperative (G19).]
Extend the branches of the fault tree down to the primary events. This consists in developing each event down
through successively more detailed levels of the system design until the root causes are established or until
further development is considered unnecessary.
1.3 Qualitative Evaluation of Fault Tree
1.4 Quantitative Evaluation of Fault Tree
Quantitative evaluation is usually restricted to complementing the qualitative evaluation of the most critical applications. It
is carried out on a case-by-case basis depending on the customer's demands. It consists in calculating the probability
of occurrence of the top event (or of any intermediate event) from the probability of occurrence of each primary event.
The probability of a primary event is usually based on data such as failure rate, exposure time, failure detection
coverage by monitors, etc. ISO 26262 does not consider any quantification of systematic faults.
Caution:
Cutsets containing primary events related to software or hardware development errors (i.e.
systematic errors) must only be evaluated by a qualitative approach. Quantitative evaluation cannot be
performed because the current methods for estimating the post-verification probabilities of errors do
not provide results that are commensurate with the safety objectives usually assigned to critical
applications.
Fault trees containing primary events related to both hardware random faults and hardware or
software development errors require performing the quantitative analysis only on the primary events related
to hardware random faults.
1.5 Use of FTA Outcomes
- Discriminate the responsibilities related to the causes leading to a given hazardous top event.
- Adequate budgeting of reliability targets (e.g. PMHF) for sub-elements.
- Support design improvement, especially for higher-order cutsets and for establishing barriers for sufficient
independence or freedom from interference.
- Evidence about potential causes of dependent failures or potential common cause effects and cascades.
- Establish coverage of the failures leading to this event by the system's built-in protection mechanisms.
- Define relevant test cases that aim at showing that the actual system reacts as intended in failure
conditions.
- Show compliance with safety (only PMHF) or other key-characteristic objectives assigned to the system.
- Argue sufficient effectiveness of safety mechanisms, especially if different operating modes are
considered. (Event Tree Analysis (ETA) would be considered as a deductive analysis.)
- Assess the impact of design changes on safety or other key characteristics.
1.6 Archiving of the FTA Documents
The data resulting from the FTA should be documented and recorded in the corresponding project folder. All the
FTA documents (electronic or paper versions) must be archived for the same period of time as all other R&D
documents of the corresponding project, unless a stronger demand from the customer exists.
2 Metrics and Performance Indicators
2.1 Graphic Symbols
The Fault Tree Diagram is based on graphic symbols, which provide a straightforward and hierarchical
representation of the relationships between the events that can lead to the top event. A definition of the most
common graphic symbols is provided in the table below:
Caution: symbols may differ between tools.
Name | Illustration (text shown in the example symbol) | Definition
Basic event | "component #B1 fails" (comp-B1) | Primary event which is internal to the system under analysis. It requires no further development. Here "comp-B1" is the name of the basic event and "component #B1 fails" is a comment attached to the basic event (see example in Appendix A).
Undeveloped event | "SW design error" (comp-A/01) |
OR-gate | "component #A fails" (G11) |
AND-gate | G7, G14 |
Configuration event | "specific operating conditions" (cond-01) |
Subtree transfer | Transfer-in: {2} "incorrect operation of Function 'C'"; Transfer-out: {2} "incorrect operation of Function 'C'" (G5) |
Identical transfer | Top of subtree: {1} "component #A fails" (G11); Replication: {1} "component #A fails" |
More sophisticated graphic symbols may be used whenever necessary, such as:
- Exclusive-OR gate: a logical disjunction on two operands that results in an output of true if exactly one of
the operands has a value of true.
- NOT gate: the output event is the inverse of the input event. A NOT gate associated with an AND gate becomes a NAND gate,
while associated with an OR gate it becomes a NOR gate.
- 'M out of N' gate: the output of this gate occurs if at least M of the N input events are true.
2.2 General Hints on FTA Usage
Starting with the top event, this top-down process consists in systematically determining all foreseeable single
causes or multiple causes that could lead to it. The analysis proceeds down through successively more detailed
(lower) levels of the system design until the primary events (root causes) are identified. The resulting Fault Tree
Diagram is then evaluated.
Criteria for the decision to use FTA are (not limited to):
3 Further Definitions
3.1 Acronyms
EMS
ETA: Event Tree Analysis
PMHF: Probabilistic Metric for random Hardware Failures
ETC
FTA: Fault Tree Analysis
FMEA: Failure Mode and Effects Analysis
H&RA: Hazard & Risk Analysis
3.2 Definitions
Cutset: set of primary events which (may) cause the top event to happen when occurring together.
Nth order cutset: cutset made of N primary events (a 1st order cutset is a single primary event, a 2nd order
cutset a pair of primary events, and so on).
Minimal cutset: smallest cutset in which all primary events must occur for the top event to occur. Usually, from a
safety viewpoint, it is not recommended to keep 1st order cutset(s) as minimal cutsets: it means
that single-point failure(s) exist that lead directly to the undesired top-level event.
3.3 Example of Fault Tree Diagram
The following Fault Tree is intended to be used as an example. It has been drawn using the software tool ARALIA
WORKSHOP - SIMTREE. Symbols in the tool FaultTree+ are different.
[Figure: example Fault Tree Diagram, main tree. Nodes shown: top event G9 "no operation of Function 'A' on demand"
(ORed events); G4 "loss of Function 'B'"; transfer {2} "incorrect operation of Function 'C'" (event developed in
subtree {2}); configuration event "specific operating conditions" (cond-01); "component #B1 fails" (comp-B1);
"component #B2 fails" (comp-B2); G3 "'B' backup fails" (ANDed events); "component #B3 fails" (comp-B3);
replication {1} "component #A fails" (subtree {1}). Subtree {1}: G11 "component #A fails" with "SW design error"
(comp-A/01), "HW design error" (comp-A/02) and G14 "fail-safe structure" over "HW random fault" (comp-A/03) and
"HW monitoring inoperative" (comp-A/04).]
[Figure: example Fault Tree Diagram, subtree {2} "incorrect operation of Function 'C'" (G5), a fail-safe structure
of G7 "protection mechanism #D inoperative" and G6 "component #C fails". Nodes shown under G6: "other causes"
(comp-C), gates G2 and G13, "part #x fails" (part-x), "part #z fails" (part-z). Nodes shown under G7: "no timely
detection by #D" (prot-D/01, potential common cause failure), G16 "incorrect system reaction after detection",
"erroneous control by operator", G8 "human and process issues", "part #y fails" (part-y), "part #z fails" (part-z),
"other causes" (prot-D/02), "human error" (human-D), "inadequate procedure" (proc-D).]
3.4 Example of Primary Events Dictionary
A dictionary of this type can be built from the results computed by the tool. While the "Remarks" column can be used to
define each primary event more precisely, the last column is intended to bound the scope of analysis under
CONTINENTAL Automotive responsibility.
ID | Primary event | Remarks | Responsibility
human-D | human error | |
comp-A/01 | SW design error | |
comp-A/02 | HW design error | |
comp-A/03 | HW random fault | |
comp-A/04 | HW monitoring inoperative | |
comp-B1 | component #B1 fails | |
comp-B2 | component #B2 fails | |
comp-B3 | component #B3 fails | |
comp-C | other causes | |
part-x | part #x fails | |
part-y | part #y fails | |
part-z | part #z fails | |
proc-D | inadequate procedure | |
prot-D/01 | no timely detection by #D | |
prot-D/02 | other causes | |
3.5 Example of Qualitative Evaluation
The tool has computed the following cutsets twice. The first list gives the cutsets when cond-01 is true and the
second list when it is false:

Presence of specific operating conditions (cond-01 true):
1st order cutsets: {comp-A/01 SW design error}; {comp-A/02 HW design error}
2nd order cutsets: {comp-A/03 HW random fault, comp-A/04 HW monitoring inoperative}; {prot-D/01 no timely detection by #D,
comp-C other causes}; {prot-D/01 no timely detection by #D, part-x part #x fails}; {prot-D/01 no timely detection by #D,
part-z part #z fails}; {human-D human error, part-z part #z fails}; {part-z part #z fails, proc-D inadequate procedure}
3rd order cutsets: {human-D human error, comp-C other causes, part-y part #y fails}; {comp-C other causes, part-y part #y fails,
proc-D inadequate procedure}; {prot-D/02 other causes, human-D human error, comp-C other causes}; {prot-D/02 other causes,
comp-C other causes, proc-D inadequate procedure}; {human-D human error, part-x part #x fails, part-y part #y fails};
{part-x part #x fails, part-y part #y fails, proc-D inadequate procedure}; {prot-D/02 other causes, human-D human error,
part-x part #x fails}; {prot-D/02 other causes, part-x part #x fails, proc-D inadequate procedure}

Absence of specific operating conditions (cond-01 false):
2nd order cutsets: {prot-D/01 no timely detection by #D, comp-C other causes}; {prot-D/01 no timely detection by #D,
part-x part #x fails}; {prot-D/01 no timely detection by #D, part-z part #z fails}; {human-D human error, part-z part #z fails};
{part-z part #z fails, proc-D inadequate procedure}
3rd order cutsets: {comp-B1 component #B1 fails, comp-B2 component #B2 fails, comp-B3 component #B3 fails};
{comp-A/01 SW design error, comp-B1 component #B1 fails, comp-B2 component #B2 fails}; {comp-A/02 HW design error,
comp-B1 component #B1 fails, comp-B2 component #B2 fails}; and the same eight 3rd order cutsets as listed for the
presence case
4th order cutsets: {comp-A/03 HW random fault, comp-A/04 HW monitoring inoperative, comp-B1 component #B1 fails,
comp-B2 component #B2 fails}
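As an added example (not part of this method description or of the ARALIA tool), the following Python evaluator reproduces the two-column cutset analysis above for the Function 'B' branch of the section 3.3 example and applies the section 1.4 rule on quantification. The gate table is an assumed simplification of that branch (the configuration event cond-01 is modelled as a house event that selects between the two operating modes), and the failure probabilities are constructed values, not page data.

```python
from itertools import product
from math import prod

# Gate table (ASSUMED simplification of the Function 'B' branch of the section
# 3.3 example): gate -> (type, inputs). Inputs not in the table are primary
# events; "!cond-01" means the configuration event cond-01 is false.
TREE = {
    "G9":  ("OR",  ["G4"]),                                  # no operation of Function 'A' on demand
    "G4":  ("OR",  ["G4a", "G4b"]),                          # loss of Function 'B'
    "G4a": ("AND", ["cond-01", "G11"]),                      # with specific operating conditions
    "G4b": ("AND", ["!cond-01", "comp-B1", "comp-B2", "G3"]),  # without them
    "G3":  ("OR",  ["comp-B3", "G11"]),                      # 'B' backup fails
    "G11": ("OR",  ["comp-A/01", "comp-A/02", "G14"]),       # component #A fails
    "G14": ("AND", ["comp-A/03", "comp-A/04"]),              # fail-safe structure (section 1.2)
}
SYSTEMATIC = {"comp-A/01", "comp-A/02"}   # SW / HW design errors: qualitative only (1.4)
# Constructed failure probabilities for the HW random faults (not data from the page).
PROB = {"comp-A/03": 1e-3, "comp-A/04": 1e-2, "comp-B1": 1e-3, "comp-B2": 1e-3, "comp-B3": 1e-2}

def minimise(sets):
    """Keep only minimal cutsets (section 3.2): drop any cutset that contains another."""
    keep = []
    for s in sorted(set(sets), key=len):
        if not any(k <= s for k in keep):
            keep.append(s)
    return keep

def cutsets(node, config):
    """Minimal cutsets of `node` (frozensets of primary events) for one truth
    assignment `config` of the configuration events, found top-down as in 2.2."""
    if node not in TREE:                                       # leaf
        name, negated = (node[1:], True) if node.startswith("!") else (node, False)
        if name in config:        # configuration event: holds -> empty cutset, else branch is cut
            return [frozenset()] if config[name] != negated else []
        return [frozenset([node])]
    gtype, inputs = TREE[node]
    children = [cutsets(i, config) for i in inputs]
    if gtype == "OR":                                          # union of the inputs' cutsets
        return minimise([c for sub in children for c in sub])
    return minimise([frozenset().union(*combo) for combo in product(*children)])  # AND

def by_order(sets):
    """Group cutsets by order (1st, 2nd, ... as in the section 3.5 listing)."""
    return {n: sorted(sorted(s) for s in sets if len(s) == n) for n in sorted({len(s) for s in sets})}

def quantify(sets, prob):
    """Section 1.4 rule: quantify only cutsets made solely of HW random faults
    (rare-event approximation: sum over cutsets of the product of event probabilities);
    cutsets holding a systematic error are handed back for qualitative evaluation."""
    p_top, qualitative = 0.0, []
    for s in sets:
        if s & SYSTEMATIC:
            qualitative.append(sorted(s))
        else:
            p_top += prod(prob[e] for e in s)
    return p_top, sorted(qualitative)
```

Running `cutsets("G9", {"cond-01": True})` and `cutsets("G9", {"cond-01": False})` yields the 1st/2nd order and the 3rd/4th order Function 'B' cutsets of the two lists above, and `quantify` gives a probability only for the cutsets that contain no design error.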
4 References
4.1 Mandatory
/1/ CAPM
4.2 Other
CAP0500131 FSM-Guideline
CAP0500032 FMEA
ISO 26262
5 Document History
Rev. # | Change Description | Process Owner | Date (dd.mm.yyyy)
01 | First version | Hans-Leo Ross | 30.11.2010
02 | | |
03 | | |
6 Responsible Persons
6.1 Process Owner
Hans-Leo Ross
6.2 Process Manager
6.3 Process Team
The members of the Process Team have reviewed the method and their feedback has been considered.
The Process Owner keeps records about the Review.
Name | Department | Location
Dieter Strohmeier | Quality ES | Regensburg
Paolo Pedri | Quality Automotive | Auburn Hills
Dieter Knoedler | BU SEN | Frankfurt
Uwe Kley | BU HBS CHTBK | Frankfurt
Thomas Hmmrich, Jörg Steinmetz, Karl-Heinz Henne, Wolfgang Spengler | BU TR | Nürnberg
Peter Lascych | BU HEV | Nürnberg
Masao Chiba | R&D EBS | Nakaze, Japan
Dr. Harald Luetteke, Sandro Syguda | BU C&S, S&T | Frankfurt
Thomas Göbel | BU EBS | Frankfurt
Christian Brand | BU B&S | Regensburg
Dieter Brasin | C&S PSAD | Regensburg
Tom Eibergen | C&S S&T | Auburn Hills
Habel Stephan | BU CHS | Nürnberg
Dr. Eva Schwarze, H.-A. Schneider | BU HBS EPB | Frankfurt