FIT budgeting

FIT budgeting occurs when an item consists of more than one system. It is very similar to the apportionment of the Target Level of Safety (TLS) in the avionics domain. FIT budgeting concerns dividing the random hardware failure rate among the systems. If more than one supplier is involved in development, it will not be easy.

Regarding ASIL decomposition, decomposed QM means that the decomposed requirement does not have to be developed according to ISO 26262, but FIT budgeting is still valid. The total FIT number does not change even though you decompose safety requirements.

In this case, the system that is allocated QM(original ASIL) has been determined to carry no risk in the systematic aspect.

If this policy applies similarly in the avionics domain, it might be okay to develop as QM a subsystem that is included in a high-SIL system but is not allocated any safety requirements. Of course, FIT budgeting (I mean, apportionment of TLS) needs to be considered. I’m not sure; it is my guess.



Safety Analysis – FTA and FMEA

I’m not sure my opinion is aligned with the ISO standard, but I believe it’s practical.

When starting safety analysis, I recognize that it can be used to elicit additional safety requirements. For me, FMEA (Failure Modes and Effects Analysis) is more comfortable.

FMEA is an activity for finding SPFs (Single Point Faults), while FTA (Fault Tree Analysis) finds both SPFs and MPFs (Multiple Point Faults). If FTA can reveal SPFs only, I’m not sure why I would conduct FTA. Based on FMEA, an FTA can be extracted automatically. If additional information about SMs is considered in the FMEA, then some MPFs can be drawn in the FTA. So I believe that the purpose of FTA is to find MPFs, not SPFs.

I have one more comment about FTA.

It is a kind of logical expression. So MPFs can be extracted by analyzing the identified safety requirements. Let’s assume that the safety requirements are specified as follows:

Top Requirement = AND(Group_REQ1, Group_REQ2, Group_REQ3)

Group_REQ1 = OR(REQ11, REQ12)

Group_REQ2 = AND(OR(REQ21, REQ22), OR(REQ23, REQ24))

Group_REQ3 = OR(AND(REQ31, REQ32), AND(REQ33, REQ31), REQ35)


Violation of the Safety Goal (SG) is the negation of the Top Requirement.

Based on this, violation of the SG can be expressed as a logical expression.

To find CF, CCF, and MPF, these logical expressions should be prepared, and this happens during the safety requirement elicitation phase.
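
The negation described above, worked through as an added example (not the author's code): the requirement tree from the post is negated with De Morgan's laws and expanded into minimal cut sets. It assumes each leaf stands for "this requirement is violated" and treats order-1 cut sets as single-point and higher-order ones as multiple-point candidates; the tuple encoding and function names are choices made for this example.

```python
from itertools import product

# Safety requirement tree as given in the post (REQ31 appears twice there).
TOP = ("AND",
       ("OR", "REQ11", "REQ12"),
       ("AND", ("OR", "REQ21", "REQ22"), ("OR", "REQ23", "REQ24")),
       ("OR", ("AND", "REQ31", "REQ32"), ("AND", "REQ33", "REQ31"), "REQ35"))

def negate(node):
    """De Morgan: turn a requirement tree into its violation tree.
    A leaf 'REQx' in the result means 'REQx is violated'."""
    if isinstance(node, str):
        return node
    op, *children = node
    return ("OR" if op == "AND" else "AND", *map(negate, children))

def cut_sets(node):
    """All sets of violated requirements that make the node true."""
    if isinstance(node, str):
        return [frozenset([node])]
    op, *children = node
    child_sets = [cut_sets(c) for c in children]
    if op == "OR":
        return [s for sets in child_sets for s in sets]
    # AND: pick one cut set from every child and merge them
    return [frozenset().union(*combo) for combo in product(*child_sets)]

def minimal_cut_sets(node):
    """Drop duplicates and any cut set that strictly contains another."""
    sets = set(cut_sets(node))
    return sorted((s for s in sets if not any(o < s for o in sets)),
                  key=lambda s: (len(s), sorted(s)))

def classify(requirement_tree):
    """Split minimal cut sets of the violation into order 1 and order >= 2."""
    mcs = minimal_cut_sets(negate(requirement_tree))
    spf = [sorted(s) for s in mcs if len(s) == 1]
    mpf = [sorted(s) for s in mcs if len(s) > 1]
    return spf, mpf

if __name__ == "__main__":
    spf, mpf = classify(TOP)
    print("single-point violations:", spf)
    for s in mpf:
        print("multiple-point violation:", " & ".join(s))
```

For the tree in the post, every minimal cut set has order two or three, so the safety goal cannot be violated by a single requirement violation.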

Safety analysis at the architecture level is a deeper level of safety requirement elicitation.

There are mechanical procedures for drawing an FTA from the architecture, such as the HiP-HOPS method. Their demerit is that they do not consider logically expressed safety requirements, so constructing the logical expression is a weak point. It should surely be reviewed by a safety analyst.


Negative feedback of ASIL decomposition

When I was a consultant, I explained the contents of the ISO standard. While I was presenting ASIL decomposition, an audience member asked me, “Is it okay to decompose many times?”

Recently, I found a meaningful statement in the standard.

ISO 26262-9, 5.4.13 states the following:

Development of the decomposed elements at the system level and at the software level shall be performed, as a minimum, in accordance with the ASIL requirements (after decomposition) of ISO 26262-4 and ISO 26262-6. Development of the decomposed elements at the hardware level shall be performed, as a minimum, in accordance with the ASIL requirements (after decomposition) of ISO 26262-5, except for the evaluation of the hardware architectural metrics and the evaluation of safety goal violations due to random hardware failures (see 5.4.5).


In my view, decomposing is a kind of partition (or split) of a risk, and it essentially requires additional safety requirements. The merit is lower risk, but the demerit is the additional safety requirements. Even though decomposition is performed, the FIT target does not change. You are free to decompose high-risk requirements into very low-risk requirements. It may require additional hardware parts or components. But in order to implement this, you also have to consider the total FIT target. If your additional hardware components increase, it may be hard to meet the FIT target. Or you have to purchase more expensive parts. I don’t know if it is beneficial to you.

I think this statement (5.4.13) will prevent misuse of decomposition.

Some say that “ASIL decomposition is safer than the original one”, which I don’t believe, because if it really were, we would have to decompose safety requirements as many times as possible. From the overall system safety aspect, nothing changes.