Category Archives: Development Phase

Similarity between Academic paper and Requirements

When a researcher writes an academic paper, one of the important things is to give it a structure. Research is usually the author's own study, so it is hard to understand for people who are not already interested in the topic, and s/he has to consider how readers can understand it easily.

S/he also considers internal consistency for better understanding.

I realized that writing requirements is quite similar to writing an academic paper. If requirements are written without consideration of structure, they are hard to understand: readers cannot tell what the system's subsystems are, or which functions are allocated to which subsystem.

This is not a technical point of view. But if these things are not clear, it is hard to defend against an audit, because the auditor will be confused and will not understand what you are saying.

Then s/he will not give a good grade.




Safety Analysis – FTA and FMEA

I'm not sure my opinion is aligned with the ISO standard, but I believe it's practical.

When starting a safety analysis, I recognize that it can also be used to elicit additional safety requirements. For me, FMEA (Failure Modes and Effects Analysis) is more comfortable.

FMEA is an activity for finding SPFs (Single Point Faults), while FTA (Fault Tree Analysis) finds both SPFs and MPFs (Multiple Point Faults). If FTA could reveal only SPFs, I am not sure why I would conduct FTA at all: based on an FMEA, an FTA can be extracted automatically. If additional information about SMs (safety mechanisms) is considered in the FMEA, then some MPFs can be drawn in the FTA. So I believe that the purpose of FTA is to find MPFs, not SPFs.

I have one more comment about FTA.

It is a kind of logical expression. So MPFs can be extracted by analyzing the identified safety requirements. Let's assume that the safety requirements are specified as follows:

Top Requirement = AND(Group_REQ1, Group_REQ2, Group_REQ3)

Group_REQ1 = OR(REQ11, REQ12)

Group_REQ2 = AND(OR(REQ21, REQ22), OR(REQ23, REQ24))

Group_REQ3 = OR(AND(REQ31, REQ32), AND(REQ33, REQ31), REQ35)


Violation of the Safety Goal is the negation of the Top Requirement.

Based on this, violation of the SG can be expressed as a logical expression.

To find CF (cascading failures), CCF (common cause failures), and MPF, these logical expressions should be prepared, and that happens during the safety requirement elicitation phase.
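As an added illustration (not from the original post), the requirement expressions above can be negated into a fault tree and reduced to minimal cut sets, which separates SPFs from MPFs mechanically; the tuple encoding and the function names are my own assumptions. Note that the REQ31 shared between two AND-groups in Group_REQ3 produces the two-point cut set {REQ31, REQ35}, which is exactly the kind of MPF the post argues FTA exists to find.

```python
from itertools import product

# Requirement tree from the post, as nested tuples: ('AND', ...), ('OR', ...)
# or a leaf requirement id (constructed example data, not a real project).
TOP = ('AND',
       ('OR', 'REQ11', 'REQ12'),
       ('AND', ('OR', 'REQ21', 'REQ22'), ('OR', 'REQ23', 'REQ24')),
       ('OR', ('AND', 'REQ31', 'REQ32'), ('AND', 'REQ33', 'REQ31'), 'REQ35'))

def negate(node):
    """Violation of the safety goal = NOT(Top Requirement).
    De Morgan swaps AND/OR; a leaf becomes the basic event 'REQ not met'."""
    if isinstance(node, str):
        return ('FAIL', node)
    op, *kids = node
    return ('OR' if op == 'AND' else 'AND', *[negate(k) for k in kids])

def minimise(cands):
    """Keep only cut sets that do not contain a smaller cut set."""
    return {c for c in cands if not any(o < c for o in cands)}

def cut_sets(fault_tree):
    """Minimal cut sets: sets of failed requirements that together violate the goal."""
    if fault_tree[0] == 'FAIL':
        return {frozenset([fault_tree[1]])}
    op, *kids = fault_tree
    child_sets = [cut_sets(k) for k in kids]
    if op == 'OR':                       # any single child failing is enough
        cands = set().union(*child_sets)
    else:                                # AND: one cut set from every child
        cands = {frozenset().union(*combo) for combo in product(*child_sets)}
    return minimise(cands)

def classify(req_tree):
    """Split minimal cut sets into SPF (size 1) and MPF (size > 1)."""
    cs = cut_sets(negate(req_tree))
    spf = sorted(sorted(c) for c in cs if len(c) == 1)
    mpf = sorted(sorted(c) for c in cs if len(c) > 1)
    return spf, mpf

if __name__ == '__main__':
    spf, mpf = classify(TOP)
    print('SPF:', spf)   # [] -> no single requirement violation breaks the goal
    print('MPF:', mpf)   # includes ['REQ31', 'REQ35'] because REQ31 is shared
```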

Safety analysis at the architecture level is a deeper level of safety requirement elicitation.

There is a mechanical procedure for drawing an FTA from the architecture, such as the HiP-HOPS method. But its demerit is that it does not consider logically expressed safety requirements, so constructing the logical expression is its weak point. It must be reviewed by the safety analyst.


Is watchdog always mandatory in the functional safety project?

Generally, a watchdog in a system design seems to be regarded as a design feature for the purpose of safety. What do you think? Is it essential?

Assume that tester1 performs testing for 100 days and tester2 performs testing for 10 days, on the same product. Can you then determine that tester1 is better than tester2?

You will say "No", because the test criteria should be considered when evaluating the quality of a test.

It is similar here. Is a system design with a watchdog safer than a system design without one?

Why is a watchdog required? Is it a problem if a system does not have a watchdog?

It surely helps you to feel that the system is safe. It is no more than that.

Before adopting a watchdog, please consider what the safe state of your system is. If a watchdog is necessary to enter the safe state when something goes wrong, it is mandatory. If not, it is a psychological remedy.

“Doing Nothing” is better than “Doing Wrong”


For the E-GAS standard, the monitoring unit has to be awake at all times. This means that sleeping or being dead is a hazardous event, and in that case a watchdog is mandatory. But in the case of a reporting system, the unit does not have to operate continuously. If some faults are found internally, continuing to operate will make things worse.