Functional Safety Decomposition
Introduction
Functional safety decomposition is a key concept in the design of functional safety systems. It is used everywhere in our daily life, in airplanes, rockets, railways, and cars, although most people have never been aware of it.
In this blog post, I would like to discuss functional safety decomposition using examples.
Functional Safety
Functional safety has been briefly discussed in my previous post "Shallow Understanding of Functional Safety and Safety Certification". Basically, functional safety is the absence of unreasonable risk due to hazards caused by malfunctioning behavior. For example, functional safety can mean stopping the car if the sonar has detected that the car is too close to a nearby car, maintaining the airplane's communication with airport control, preventing the car from unwanted braking, etc.
In different industries, different functional safety standards have been proposed and adopted. For example, ISO 26262 is an international standard for the functional safety of electrical and/or electronic systems installed in series production road vehicles, and IEC 62304 is a standard that specifies life cycle requirements for the development of medical software and software within medical devices.
Safety Integrity Level
For a functional safety requirement, it is compulsory to classify its Safety Integrity Level (SIL) based on hazard analysis and risk assessment. Different functional safety requirements can have different integrity levels.
For example, in the automotive industry the SIL classification scheme is called Automotive Safety Integrity Level (ASIL). ASIL has five levels, from the lowest to the highest: QM, ASIL A, ASIL B, ASIL C, and ASIL D. ASIL D represents the highest degree of automotive hazard and the highest degree of rigor applied in assuring the resultant safety requirements, whereas QM represents an application with no automotive hazards and, therefore, no safety requirements to manage under the ISO 26262 safety processes.
Some key safety functions, such as electric power steering, airbags, and antilock braking, are ASIL D, whereas less critical safety functions, such as rear lights, are ASIL A.
In some scenarios, a high-level functional safety requirement is, in practice, decomposed into multiple lower-level functional safety requirements on the components that implement it.
Functional Safety Decomposition
Example of Two-Engine Aircraft
An extremely common example of functional safety decomposition that everybody might know without actually being aware of it is the two-engine architecture of the modern jet airplane. Suppose the functional safety requirement for the aircraft system is an engine failure rate of less than $10^{-10}$ per flight. If it is technically impossible to manufacture an engine that fails with a probability of less than $10^{-10}$ per flight, we have to do functional safety decomposition. In this case, if it is technically possible to manufacture an engine that fails with a probability of less than $10^{-5}$ per flight, and the aircraft is equipped with two such engines that are functionally independent of each other, i.e., the failure of one does not interfere with the function of the other, we can still achieve the functional safety requirement, because by independence the probability that both engines fail is $10^{-5} \times 10^{-5} = 10^{-10}$. This means that the original stringent functional safety requirement on one system has been decomposed into two less stringent functional safety requirements on two components or subsystems. This is called functional safety decomposition.
Sometimes functional safety decomposition is conducted for cost-effectiveness rather than technical infeasibility. For example, suppose manufacturing an engine with a failure rate of less than $10^{-10}$ per flight would take 2 years and cost 1 billion dollars, but manufacturing an engine with a failure rate of less than $10^{-5}$ per flight would take only 3 months and cost 100 million dollars. Then manufacturing two engines with a failure rate of less than $10^{-5}$ per flight takes only 6 months and costs 200 million dollars. As long as the two engines are functionally independent of each other, we achieve the same functional safety by equipping two cheaper engines rather than a single expensive one, and it saves us 1.5 engineering years and 800 million dollars.
One interesting observation is that some older airplanes, such as the Boeing 747-400 manufactured in 1988, are equipped with four engines, whereas the latest airplanes from the same company, such as the Boeing 787-800 manufactured in 2009, are equipped with only two.
This does not mean the Boeing 747-400 is safer than the Boeing 787-800. On the contrary, the Boeing 787-800 should definitely be safer than the Boeing 747-400, because modern engines are much better and have a much smaller failure rate than old engines. Therefore, probabilistically speaking, two modern engines are already safer than four old engines.
ASIL Decomposition
The permitted ASIL decomposition combinations are specified by ISO 26262 as follows. Basically, a requirement at a higher ASIL can be decomposed into two requirements at lower ASILs on two subsystems; the letter in parentheses records the ASIL of the original requirement.
ASIL Value | Decomposition Option 1 | Decomposition Option 2 | Decomposition Option 3
---|---|---|---
D | C(D) + A(D) | B(D) + B(D) | D(D) + QM(D)
D(D) | C(D) + A(D) | B(D) + B(D) | D(D) + QM(D)
C | B(C) + A(C) | C(C) + QM(C) |
C(D) | B(D) + A(D) | C(D) + QM(D) |
C(C) | B(C) + A(C) | C(C) + QM(C) |
B | A(B) + A(B) | B(B) + QM(B) |
B(D) | A(D) + A(D) | B(D) + QM(D) |
B(C) | A(C) + A(C) | B(C) + QM(C) |
B(B) | A(B) + A(B) | B(B) + QM(B) |
A | A(A) + QM(A) | |
A(D) | A(D) + QM(D) | |
A(C) | A(C) + QM(C) | |
A(B) | A(B) + QM(B) | |
A(A) | A(A) + QM(A) | |
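As an added example (not part of the original post), the following Python encodes the decomposition options from the table above and checks whether a proposed pair of decomposed requirements is permitted for a given original ASIL. It assumes the standard reading of the notation: the letter in parentheses is the ASIL of the original requirement, which both decomposed requirements must carry, and a label without parentheses is an undecomposed requirement that carries its own ASIL.

```python
import re

# Decomposition options per original ASIL, transcribed from the table above.
# Each pair is (ASIL of requirement 1, ASIL of requirement 2) before the
# inherited ASIL is appended in parentheses. QM has no entry: it cannot be
# decomposed, since it carries no safety requirement.
DECOMPOSITION_OPTIONS = {
    "D": [("C", "A"), ("B", "B"), ("D", "QM")],
    "C": [("B", "A"), ("C", "QM")],
    "B": [("A", "A"), ("B", "QM")],
    "A": [("A", "QM")],
}

_LABEL = re.compile(r"(QM|[A-D])(?:\((QM|[A-D])\))?")


def parse_asil(label):
    """Split 'B(D)' into ('B', 'D'). A bare label such as 'B' has not been
    decomposed yet, so it inherits its own ASIL: ('B', 'B')."""
    m = _LABEL.fullmatch(label.strip())
    if not m:
        raise ValueError(f"malformed ASIL label: {label!r}")
    level, inherited = m.group(1), m.group(2)
    return level, inherited or level


def decomposition_options(target):
    """List the permitted decompositions of `target` as 'X(I) + Y(I)'
    strings, where I is the ASIL inherited from the original requirement."""
    level, inherited = parse_asil(target)
    return [f"{a}({inherited}) + {b}({inherited})"
            for a, b in DECOMPOSITION_OPTIONS.get(level, [])]


def is_valid_decomposition(target, left, right):
    """True if `left` + `right` is a permitted decomposition of `target`:
    both parts must carry the original ASIL in parentheses, and their
    levels must form one of the table's pairs (in either order)."""
    t_level, t_inherited = parse_asil(target)
    l_level, l_inherited = parse_asil(left)
    r_level, r_inherited = parse_asil(right)
    if l_inherited != t_inherited or r_inherited != t_inherited:
        return False  # the trace back to the original ASIL has been lost
    allowed = DECOMPOSITION_OPTIONS.get(t_level, [])
    return (l_level, r_level) in allowed or (r_level, l_level) in allowed


if __name__ == "__main__":
    for target in ("D", "C(D)", "A"):
        print(target, "->", " | ".join(decomposition_options(target)))
    print(is_valid_decomposition("D", "B(D)", "B(D)"))  # True
    print(is_valid_decomposition("D", "B(D)", "B(C)"))  # False
```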
Caveats
Functional Independence
Functional safety decomposition assumes independence between the decomposed components. Correlation between the decomposed components compromises functional safety significantly. Therefore, designing for and evaluating functional independence in a decomposed functional safety system is extremely critical.
For example, the following functional safety decomposition is flawed. Suppose the two engines on the airplane share the same fuel pipeline. Even though the two engines appear to run independently, if the fuel pipeline breaks, both engines fail.
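As an added example that is not from the original post, this Python code works through the two-engine arithmetic from the aircraft example and the shared-fuel-line caveat above. The per-flight failure values are the ones the post uses; the common-cause term is my simplifying assumption, a single shared event (such as a broken common fuel line) that defeats every engine at once.

```python
import math


def redundant_failure_probability(p_fail, n, common_cause=0.0):
    """Per-flight failure probability of a system that fails only when all
    n redundant components fail.

    With fully independent components this is p_fail ** n, which is the
    1e-5 * 1e-5 = 1e-10 arithmetic of the two-engine example.

    common_cause (an assumption of this example) is the per-flight
    probability of a shared event, such as a broken common fuel line, that
    takes out every component at once. It is modelled as an independent
    event that fails the system by itself, so it adds to the total.
    """
    if n < 1 or not (0.0 <= p_fail <= 1.0 and 0.0 <= common_cause <= 1.0):
        raise ValueError("probabilities must lie in [0, 1] and n >= 1")
    all_components_fail = p_fail ** n
    return common_cause + (1.0 - common_cause) * all_components_fail


def required_component_probability(target, n):
    """Largest per-component failure probability such that n independent
    copies still meet the system target: the n-th root of the target."""
    return target ** (1.0 / n)


def meets_target(p_fail, n, target, common_cause=0.0):
    """Does the decomposed design meet the original system requirement?
    A relative tolerance absorbs floating-point rounding (1e-5 ** 2 is not
    exactly 1e-10 in binary floating point)."""
    p_system = redundant_failure_probability(p_fail, n, common_cause)
    return p_system <= target or math.isclose(p_system, target, rel_tol=1e-9)


if __name__ == "__main__":
    target = 1e-10   # original requirement for the whole aircraft
    p_engine = 1e-5  # what a single engine can achieve
    print("two independent engines:",
          redundant_failure_probability(p_engine, 2))
    # A shared fuel line breaking once in a million flights dominates the
    # total, so the decomposition no longer meets the original requirement.
    print("two engines sharing a fuel line:",
          redundant_failure_probability(p_engine, 2, common_cause=1e-6))
    print("per-engine requirement with four engines:",
          required_component_probability(target, 4))
```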
Decomposition or Not?
If we have the option of decomposing a functional safety requirement or not, do we really have to decompose? It depends, but usually we choose the most cost-effective option, the one that allows engineers to minimize engineering time, manufacturing cost, and maintenance cost.
References
Functional Safety Decomposition
https://leimao.github.io/blog/Functional-Safety-Decomposition/