
Comparison of A Fault Tree Analysis (FTA) Versus A

Failure Modes, Effects, and Diagnostic Analysis (FMEDA)

A Report Submitted
by
Md. Murtoza Siddiqui
Matriculation No. 35529590
Winter Semester 2020-21

Course: Modelling of Safety Structure According to ISO 26262


Master Course: Functional Safety Engineering
Department of Electrical Engineering and Computer Science Computer Architecture and
System Programming

Universität Kassel

Submitted on 14 March 2021


Abstract
This report, titled ‘Comparison of a Fault Tree Analysis (FTA) Versus a Failure Modes, Effects, and Diagnostic Analysis (FMEDA)’, has been prepared as part of the graded work for the master course Functional Safety Engineering at the University of Kassel, Hessen, Germany.
The report is organized in an easy-to-follow way: definitions of both methods, FTA and FMEDA, are given first, followed by their methodologies, symbols, technical terms, templates and assumptions, and examples are given at the end of each topic to provide a comprehensive understanding of both methods. Where appropriate, derivations or interpretations of the data are provided. The report can therefore be used as a reference on the relevant ideas.
The report starts with a detailed explanation of the FTA method in section 2, followed by the FMEDA method in section 3. In section 4, some of the significant advantages and disadvantages of both methods are discussed, which can serve as a quick recap of the important aspects of each method highlighted in the previous sections. This makes it easier to compare the two methods and to decide which one to use in which circumstances during risk analysis, as suggested by ISO 26262 and IEC 61508.
The contents of this report are mostly composed of adapted information cited from various sources, including websites, online documents, published research papers and the relevant functional safety standards. The scope of this report is therefore limited by the availability of these sources and by time constraints. In addition, only a handful of resources are available free of cost or made public, and these are withdrawn, outdated or revised by the proprietary organizations from time to time, so some of the contents may no longer be applicable. Section 6 of the report provides the list of references for those interested in further research on similar topics.
Finally, this report could be used as a quick reference guide for future research on similar topics.

Acknowledgement
I would like to express my gratitude and sincere thanks to our Prof. Dr.-Ing. Ossmane Krini for giving me the opportunity to write this report. I would also like to thank our professors from Functional Safety Engineering, Department of Electrical Engineering and Computer Science, Computer Architecture and System Programming, University of Kassel, for their continuous support in providing information and clarification on the course material.
I truly appreciate their relentless guidance and motivation, which helped me in writing this report.
I would like to express my appreciation to the authors of the various information sources without which this report would not have been possible.
I would also like to express my sincere gratitude towards my parents, family, friends and colleagues for being there for me throughout the time I was preparing this report.
Finally, thank you Anne for your patience, support, motivation and for your love.

Contents

ABSTRACT ........................................................................................................................... I
ACKNOWLEDGEMENT ........................................................................................................ I
LIST OF FIGURES................................................................................................................. III
LIST OF TABLES .................................................................................................................. III
LIST OF EQUATIONS ............................................................................................................ III
1 INTRODUCTION ........................................................................................................... 1
2 FAULT TREE ANALYSIS (FTA) ................................................................................... 2
2.1 DEFINITION............................................................................................................... 2
2.2 SYMBOLS OF FTA ..................................................................................................... 2
2.3 EXAMPLES OF FTA ................................................................................................... 3
2.3.1 Quantitative FTA Analysis ................................................................................... 3
2.3.1.1 A Simple automotive safety indicator circuit.................................................. 3
2.3.1.2 FTA for automotive safety indicator system .................................................. 4
2.3.1.3 Result & Comment ....................................................................................... 4
2.3.2 Qualitative FTA Analysis ..................................................................................... 5
3 FAILURE MODES, EFFECTS, AND DIAGNOSTIC ANALYSIS (FMEDA) .................... 6
3.1 DEFINITION............................................................................................................... 6
3.2 FMEDA & ISO 26262 .............................................................................................. 6
3.2.1 Inputs of FMEDA ................................................................................................. 6
3.2.2 Outputs of FMEDA .............................................................................................. 7
3.2.3 Interpretation of FMEDA data .............................................................................. 7
3.2.4 Hardware architectural metrics reference values ................................................. 8
3.3 EXAMPLE OF FMEDA FOR ISO 26262 ....................................................................... 8
3.3.1 Safety cooling system for vehicle......................................................................... 8
3.3.1.1 FMEDA Table for ISO 26262 ........................................................................ 9
3.3.1.2 Calculation & Formula .................................................................................. 9
3.3.1.3 FMEDA result and comment ...................................................................... 10
3.4 FMEDA & IEC 61508............................................................................................. 10
3.4.1 Application......................................................................................................... 10
3.4.2 Interpretation of FMEDA data ............................................................................ 10
3.4.2.1 Some useful parameters and their definitions ............................................. 10
3.4.3 Example of FMEDA for IEC 61508 .................................................................... 12
3.4.3.1 Submersible sensor LMK 307..................................................................... 12
3.4.3.2 Failure modes assumption ......................................................................... 13
3.4.3.3 FMEDA table for IEC 61508 ....................................................................... 13
3.4.3.4 FMEDA result and comment ...................................................................... 13
4 FTA OR FMEDA .......................................................................................................... 14
4.1 WHEN TO USE FTA ................................................................................................. 14
4.2 WHEN TO USE FMEDA ........................................................................................... 14
5 CONCLUSION............................................................................................................. 14
6 REFERENCES ............................................................................................................ 15

List of Figures
Figure 1: Automotive safety indicator circuit [7] ..................................................................... 3
Figure 2: Quantitative FTA example on automotive safety indicator [7] ................................. 4
Figure 3: Example of a qualitative FTA on vehicle accident [8] .............................................. 5
Figure 4: FMEDA application flowchart for developing safety equipment [2] ......................... 6
Figure 5: Schematic diagram of a vehicle safety cooling system [16] .................................... 8
Figure 6: LMK 307 a submersible ceramic hydrostatic level sensor [23].............................. 12

List of Tables
Table 1: Some Common symbols of FTA [4] [6] .................................................................... 3
Table 2: ASIL rating and corresponding failure metrics [11] .................................................. 8
Table 3: Example of FMEDA on vehicle safety cooling system [16] ...................................... 9
Table 4: SIL values for Low demand mode of operation [19] ............................................... 10
Table 5: SIL values for High demand or continuous mode of operation [19] ........................ 11
Table 6: Maximum allowable SIL by type-A safety component [22] ..................................... 11
Table 7: Maximum allowable SIL by type-B safety component [22] ..................................... 12
Table 8: FMEDA analysis example on LMK 307 [23] [17] .................................................... 13

List of Equations
Equation 1............................................................................................................................. 9
Equation 2............................................................................................................................. 9
Equation 3............................................................................................................................. 9
Equation 4........................................................................................................................... 11
Equation 5........................................................................................................................... 11

1 Introduction
When designing a safety-related device, component, system or sub-system for vehicles, it is of utmost importance to make sure that there are no shortcomings in following the overall functional safety requirements and procedures, and no safety goal violations because of a failure or malfunction of the hardware or software used in the safety instrumented function (SIF). To avoid such catastrophic events, it is highly recommended to perform a safety analysis in order to make sure that the safety-critical system designed is fail-safe and appropriate for its intended use.
ISO 26262, the international standard for functional safety of electrical/electronic (E/E) systems in series production road vehicles published by the International Organization for Standardization (ISO), recommends basically two methodologies for safety analysis: deductive analysis and inductive analysis. Deductive analysis is a top-down method, and the commonly used top-down analysis is Fault Tree Analysis (FTA). Inductive analysis, on the other hand, is a bottom-up method, and the commonly used approach is Failure Modes and Effects Analysis (FMEA).
Usually, for a system failure, FTA is used to examine the safety target failure and trace the hazard or hazardous events down to the component level. The failure modes of the system’s components are then analyzed bottom-up using FMEA, to make the system safer by implementing appropriate risk reduction methods. Some industries consider it best practice to use both methods in tandem: FTA is executed first in the safety analysis to locate the individual components contributing to the safety target failure, and after the faulty items are identified, FMEA is applied to examine the failures found by FTA and to find a better solution for making the system safer. Alternatively, FTA and FMEDA can be used separately to identify potential failures of a safety equipment in a hazard and to rate the safety-related items appropriately. [1]
FMEA has several variants; in this report the Failure Modes, Effects and Diagnostic Analysis (FMEDA) variant is discussed primarily, instead of FMEA. FMEDA is an expanded version of FMEA which contains additional information regarding the failure modes that can be identified by automatic diagnostics. In other words, the various failure rates and the diagnostic coverage of the component are analyzed in accordance with ISO 26262 and IEC 61508. [1] [2]
In the following sections of this report, to give a comprehensive understanding of both FTA and FMEDA, each chapter is supported with definitions, methodologies and examples. A brief comparison between the two methods is given towards the end of the report, along with a conclusion. The references at the end of the report provide further information on any cited points. This report should provide sufficient information to answer questions such as which method to use in which areas, what the advantages of each method are, and what factors or information should be considered when using FTA or FMEDA.

2 Fault Tree Analysis (FTA)
2.1 Definition
A Fault Tree Analysis (FTA) is a graphical logic-block illustration (or breakdown) of the different sources of a system failure in a top-down approach. The starting point of an FTA is the failure itself, which is called the top event, and the analysis follows a logical sequence down to the basic events (causes) at the bottom. It is usually used in the fields of safety and reliability engineering to identify all the potential ways a system could fail. [3] [4]
Moreover, FTA is used for finding the most effective ways of reducing the risk of a system failure or in the event of a hazard. According to the ISO 26262 standard series, FTA is not recommended for items with an Automotive Safety Integrity Level (ASIL) of A. For safety items with an ASIL B rating, FTA is recommended, and for safety items with an ASIL rating of C or D, FTA is required. [5] [3] [4]
FTA is widely used in industries where major hazards are part of the daily work, such as automotive, nuclear power, aerospace, chemical and process, petrochemical, onshore oil & gas, energy production and distribution, explosives, pharmaceutical and other highly hazardous industries. FTA is also used in other sectors of business for risk factor analysis, and it is commonly used in software engineering for finding glitches in programs. This makes FTA a versatile risk analysis tool. [3] [4]

2.2 Symbols of FTA


Table 1 below tabulates some of the common logic symbols used in FTA and their corresponding functions. (The symbol graphics of the original table are not reproduced here; only the names and logic functions are listed.)

Name | Logic function
AND gate | The output event occurs only if all the input events are present.
OR gate | The output event occurs if any one of the input events is present.
Undeveloped event | An event about which insufficient information is available, or whose information is of no consequence.
Priority AND gate | The output event happens only if all input events occur in a particular sequence specified by a conditioning event.
XOR / Exclusive OR gate | The output event occurs if exactly one input event is given.
House / External event | An event that is normally expected to happen.
Inhibit gate | The output event occurs only if the input event happens in the presence of an enabling condition specified by a conditioning event.
Voting gate | The output occurs only if at least K of the input events happen.
Conditional event | Conditions or requirements that restrict or influence the output of logic gates.
Top event / Intermediate event | Used as the primary (top) event or as an intermediate event.
Basic event | Basic initiating failure or error of a system or item.
Transfer symbols | Indicate a transfer continuation to a sub-fault tree or to a related fault tree, i.e. to connect the inputs and outputs.
Table 1: Some Common symbols of FTA [4] [6]

2.3 Examples of FTA

2.3.1 Quantitative FTA Analysis

For the following example of a quantitative analysis of an automotive safety indicator system, the assumed safety target violation is the failure of the alarm lights to alert the driver or vehicle operator of an imminent hazard; in other words, the alarm lights not working when demanded. Thus, the safety requirement is to prevent the alarm lights’ failure in the event of a hazard. The common or presumed failures of the automotive safety indicator system could be an open resistor R1, a shorted capacitor C1, or burned-out light emitting diodes (LEDs) X and Y, as shown in the circuit in figure 1 below. In figure 2, the graphical FTA for the vehicle safety indicator system is illustrated. Note: the failure rate, λ, of each component is obtained from IEC TR 62380:2004 (a reliability data handbook). [7]

2.3.1.1 A Simple automotive safety indicator circuit

[Figure 1 is a circuit diagram showing the supply V+, resistor R1, capacitor C1 and the two LEDs X and Y; the image is not reproduced here.]

Figure 1: Automotive safety indicator circuit [7]
2.3.1.2 FTA for automotive safety indicator system

[Figure 2 is a fault tree diagram; its contents are reproduced here in text form.]

Top event E01: Safety indicator system not working (OR gate, ≥1, over E02, E03 and E04)
    PFD01 = PFD02 + PFD03 + PFD04
          = 2.85×10^-5 + 1.9×10^-5 + 5.8×10^-7
          = 4.808×10^-5
    PMHF  = λR + λC + λ04 = (3 + 2 + 0.06) FIT = 5.1 FIT

Basic events under E01:
    E02: R1 failure, opened circuit    λR = 3 FIT    PFD02 = 2.85×10^-5
    E03: C1 failure, short circuit     λC = 2 FIT    PFD03 = 1.9×10^-5

Intermediate event under E01:
    E04: LEDs failure, both burned out (AND gate, &, over E05 and E06)
         λ04 = 0.06 FIT
         PFD04 = PFD05 × PFD06 = (7.6×10^-4)^2 = 5.8×10^-7

Basic events under E04:
    E05: LED X fails    λX = 80 FIT    PFD05 = 7.6×10^-4
    E06: LED Y fails    λY = 80 FIT    PFD06 = 7.6×10^-4

Note: The system’s lifetime, for which the PMHF* is valid and the components are defined, is assumed to be 9500 hours for this example. Also, the failure rate of each component, λ, is calculated by dividing the PFD** by the system’s lifetime, i.e. 9500 hours, and is expressed in FIT***.
*Please see section 3.2.2 for details
**Please see table 5 in section 3.4.2.1
***Please see section 3.2.3 for details.

Figure 2: Quantitative FTA example on automotive safety indicator [7]

2.3.1.3 Result & Comment

By assigning failure rates to all the events from the basic events up to the top event, FTA can be used as a quantitative analysis, and the failure probability and the PMHF of the top event can be estimated. As shown in the example in figure 2, the quantitative FTA of the automotive safety indicator estimates the failure probability of the top event, i.e. failure of the safety indicator, as PFD01 = 4.808×10^-5, and the corresponding PMHF as 5.1 FIT. Comparing these with the reference values tabulated in table 2 in section 3.2.4 of this report, it can be concluded that the automotive safety indicator system is ASIL D rated.
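The arithmetic of figure 2, as an added Python example that is not part of the report: the FIT rates and the 9500 h lifetime are the report's values, the OR gate uses the rare-event sum as the figure does (the exact form is kept for comparison), and the minimal cut set extraction goes beyond the figure, which shows only the probabilities.

```python
"""Quantitative fault tree evaluation for the safety-indicator tree of figure 2.

Added example, not from the report.  Basic-event probabilities are derived from
the FIT rates over the assumed 9500 h lifetime (PFD = lambda * T), an AND gate
multiplies the probabilities of its (independent) inputs, an OR gate sums them
(rare-event approximation, as in the figure), and the top-event PMHF is
PFD01 / lifetime expressed in FIT, as the figure's note describes.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from itertools import product
from typing import FrozenSet, List, Union

FIT = 1e-9           # 1 FIT = one failure per 1e9 hours
LIFETIME_H = 9500.0  # system lifetime assumed in figure 2


@dataclass
class BasicEvent:
    name: str
    fit: float  # failure rate in FIT (from IEC TR 62380 per the report)

    def pfd(self, lifetime_h: float = LIFETIME_H, exact_or: bool = False) -> float:
        # Linear approximation of 1 - exp(-lambda*T); valid while lambda*T << 1.
        return self.fit * FIT * lifetime_h

    def cut_sets(self) -> List[FrozenSet[str]]:
        return [frozenset({self.name})]


Node = Union[BasicEvent, "Gate"]


@dataclass
class Gate:
    name: str
    kind: str                      # "AND" (&) or "OR" (>=1)
    inputs: List[Node] = field(default_factory=list)

    def pfd(self, lifetime_h: float = LIFETIME_H, exact_or: bool = False) -> float:
        ps = [n.pfd(lifetime_h, exact_or) for n in self.inputs]
        if self.kind == "AND":          # independent inputs: multiply
            p = 1.0
            for x in ps:
                p *= x
            return p
        if self.kind == "OR":
            if exact_or:                # 1 - prod(1 - p_i)
                q = 1.0
                for x in ps:
                    q *= 1.0 - x
                return 1.0 - q
            return sum(ps)              # rare-event approximation used in figure 2
        raise ValueError(f"unknown gate kind {self.kind!r}")

    def cut_sets(self) -> List[FrozenSet[str]]:
        """Minimal cut sets: an OR gate collects its inputs' sets, an AND gate combines them."""
        child = [n.cut_sets() for n in self.inputs]
        if self.kind == "OR":
            sets = {cs for c in child for cs in c}
        else:
            sets = {frozenset().union(*combo) for combo in product(*child)}
        # drop any set that is a strict superset of another one (not minimal)
        return sorted((s for s in sets if not any(t < s for t in sets)), key=sorted)


def pmhf_fit(top: Node, lifetime_h: float = LIFETIME_H) -> float:
    """Equivalent top-event failure rate in FIT: lambda = PFD / lifetime (figure 2 note)."""
    return top.pfd(lifetime_h) / lifetime_h / FIT


def build_indicator_tree() -> Gate:
    """The tree of figure 2 with the report's FIT values."""
    leds = Gate("E04: LEDs failure, both burned out", "AND", [
        BasicEvent("E05: LED X fails", 80.0),
        BasicEvent("E06: LED Y fails", 80.0),
    ])
    return Gate("E01: Safety indicator system not working", "OR", [
        BasicEvent("E02: R1 failure, opened circuit", 3.0),
        BasicEvent("E03: C1 failure, short circuit", 2.0),
        leds,
    ])


if __name__ == "__main__":
    top = build_indicator_tree()
    print(f"PFD01 (rare-event OR) = {top.pfd():.4g}")             # 4.808e-05
    print(f"PFD01 (exact OR)      = {top.pfd(exact_or=True):.4g}")
    print(f"PMHF                  = {pmhf_fit(top):.1f} FIT")     # 5.1 FIT
    for cs in top.cut_sets():
        print("minimal cut set:", sorted(cs))
```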

2.3.2 Qualitative FTA Analysis

Figure 3 below illustrates an example of a qualitative FTA on a vehicle collision accident. The tree is reproduced here in text form.

Top event: Vehicle collision at highway access junction (AND gate, &)
    - High speed vehicle-A on highway (not developed further)
    - Vehicle-B failed to slow before entering highway via access junction (OR gate, ≥1)
        - Driver of vehicle-B did not slow (OR gate, ≥1); basic events:
            - Did not see vehicle-A on the highway
            - Did not notice vehicle-B was driving too fast
            - Driver was distracted
        - Driver of vehicle-B failed to slow (OR gate, ≥1); basic events:
            - Brake failure
            - Access junction road too slippery
            - Vehicle overloaded

Figure 3: Example of a qualitative FTA on vehicle accident [8]

3 Failure Modes, Effects, and Diagnostic Analysis (FMEDA)
3.1 Definition
FMEDA is a quantitative investigation of the random hardware failures that could occur either due to limitations of the component architecture or due to safety target violations, or both. FMEDA is an inductive analysis method, i.e. a bottom-up approach, in which safety engineers first examine a defect or faulty item in a safety-related system and then scrutinize its impact on the safety system. According to the ISO 26262 standard series, FMEDA is recommended for all four ASIL-rated items (i.e. ASIL A to ASIL D). It is one of the criteria for getting a safety-related item certified according to IEC 61508 or ISO 26262. For example, ball bearings, various sensors, transmitters, resistors, capacitors, mechanical components, emergency shutdown systems and Advanced Driver Assistance Systems (ADAS) need to be certified as reliable functional safety equipment before they are used or mass produced. Figure 4 illustrates the flowchart of a general FMEDA application during the development of safety equipment. [9] [5] [10]

[Figure 4 is a flowchart; its boxes are reproduced here in text form.]
    - Inputs: Failure rate from field use; Reference failure rate (from an industrial failure rate database)
    - Compare the failure rates
    - Decision: Any inconsistency?
        - Yes: Update/Modify component design; Updated product failure rate; Perform FMEDA
        - No: Component certified

Figure 4: FMEDA application flowchart for developing safety equipment [2]

3.2 FMEDA & ISO 26262


As mentioned earlier, FMEDA is a structured methodology for defining the failure modes, failure rates and diagnostic abilities of a hardware or software component. Depending on the intended functionality of the component, the item under analysis is structured in a hierarchy of items / sub-items / basic sub-items / failure modes, and every failure mode is classified according to whether or not it violates the safety goal. [11]

3.2.1 Inputs of FMEDA

Every failure mode identified as violating the safety goals requires the following basic information:

▪ Failure rate: the rate at which the component fails in the given failure mode.
▪ Safety Mechanism (SM): whether any safety mechanism is available in the safety system to detect the failure.
▪ Diagnostic Coverage (DC): a measure of the effectiveness of the SM in detecting the failure. [11]

3.2.2 Outputs of FMEDA

The evaluation result of an FMEDA is used to assess an item’s functional safety capability according to its ASIL rating. This is assessed with the following hardware architectural metrics (specifically for ISO 26262 compliance), estimated from the FMEDA:

▪ Single-point fault metric (SPFM): a percentage value that shows the robustness of an item against single-point faults or residual faults, caused either by the component’s design or by the failure coverage of the safety mechanisms.
▪ Latent fault metric (LFM): also expressed as a percentage, it shows the robustness of an item against latent faults caused either by the component’s design, by the coverage of the safety mechanisms, or by inadequate diagnostic capability of the safety system.
▪ Probabilistic metric of hardware failures (PMHF): expressed as an absolute value, it provides quantitative information which is compared with a safety target value to indicate whether the component violates the safety goal due to random hardware failures. [11] [12]

3.2.3 Interpretation of FMEDA data

The failure metrics estimated from an FMEDA show the reliability of the safety item, the reliability of the safety function in detecting the failure, and the safety function’s effectiveness in bringing the system to a safe state.

The failure rate of a safety component or item is expressed in failures in time (FIT). The FIT rate of a safety item is the number of failures expected to occur in one billion (10^9) hours of operation and is commonly written as 1 FIT = 10^-9 /h. In other words, a safety equipment with a rating of 1 FIT has a mean time to failure (MTTF) of 1 billion hours. [11]

As recommended by both the IEC 61508 and the ISO 26262 standard series, the estimated failure rates for hardware should be compiled from the following sources:

▪ IEC/TR62380
▪ SN29500
▪ FIDES Guide
▪ exida electrical & mechanical component reliability handbook
▪ RAC FMD-91 & RAC FMD-97
▪ Bellcore (Telcordia)
▪ MIL HDBK 217F
▪ NSWC-98/LE1
▪ Proven-in-use [13] [14]

3.2.4 Hardware architectural metrics reference values

For a quick reference on how to interpret an FMEDA (for random hardware failures in compliance with ISO 26262), table 2 tabulates the ASIL ratings with their corresponding failure rates and failure metrics. [11]

ASIL    PMHF          SPFM     LFM
A       < 1000 FIT    N/A      N/A
B       < 100 FIT     ≥ 90%    ≥ 60%
C       < 100 FIT     ≥ 97%    ≥ 80%
D       < 10 FIT      ≥ 99%    ≥ 90%
Table 2: ASIL rating and corresponding failure metrics [11]

3.3 Example of FMEDA for ISO 26262

3.3.1 Safety cooling system for vehicle

The following FMEDA example was conducted on a vehicle safety cooling system with the safety goal of preventing overheating of the engine. The ASIL rating of the safety equipment is determined after the FMEDA shown in table 3, which provides the relevant hardware architectural metrics; those values are then compared with the reference values given in table 2. The vehicle safety cooling system is equipped with a light emitting diode (LED) for warning the driver, two cooling fans for redundancy, and a safety watchdog (SWD) as the safety mechanism (SM), as shown in the schematic diagram in figure 5. (Note: a safety watchdog monitors the microcontroller units used in safety embedded systems and also provides additional features for detecting common cause failures in microcontrollers, such as clock, power supply and temperature related faults [15].) The functional safety requirement of the vehicle safety cooling system is to activate the warning light and the cooling fan when the temperature of the engine rises above the critical level. [16]

[Figure 5 is a block schematic: the Temperature Sensor (TS) feeds the Microcontroller Unit (MCU), which drives the LED, Fan 1 and Fan 2; the Safety Watchdog (SWD) is connected to the MCU. The image is not reproduced here.]

Figure 5: Schematic diagram of a vehicle safety cooling system [16]
3.3.1.1 FMEDA Table for ISO 26262
Column key: λ = failure rate of the item (FIT); FMD = failure mode distribution [18]; failure modes from [17]; SPF = single-point failure; RF = residual fault; MPF = multiple-point failure; SM = safety mechanism; DC = diagnostic coverage; λRF = residual fault rate (FIT); λMPF latent = latent multiple-point fault rate (FIT).

Item  | λ (FIT) | Safety related? | Failure mode          | FMD  | Failure effect          | Violates safety goal? | SM for SPF | DC (SPF) | λRF | MPF possible? | SM for latent MPF | DC (latent MPF) | λMPF latent
TS    | 1       | Yes             | Erratic output        | 100% | Sensor output is zero   | Yes                   | No         | -        | 1   | -             | -                 | -               | -
MCU   | 100     | Yes             | Memory stack overflow | 50%  | Inaccurate operation    | Yes                   | SWD        | 99%      | 0.5 | -             | No                | 100%            | 0
      |         |                 | Unstable voltage      | 50%  | Zero/low output         | No                    | N/A        | -        | -   | -             | -                 | -               | -
Fan 1 | 10      | Yes             | Rotor failure         | 50%  | Engine overheated       | No                    | No         | -        | -   | Yes           | No                | 0%              | 5
      |         |                 | Degraded              | 50%  |                         | No                    | -          | -        | -   | -             | -                 | -               | -
Fan 2 | 10      | Yes             | Rotor failure         | 50%  | Engine overheated       | No                    | No         | -        | -   | Yes           | No                | 0%              | 5
      |         |                 | Degraded              | 50%  |                         | No                    | -          | -        | -   | -             | -                 | -               | -
SWD   | 10      | Yes             | Timer failure         | 100% | No automatic diagnostic | No                    | -          | -        | -   | Yes           | No                | 0%              | 10
LED   | 1       | No              | Shorted               | 100% | No alarm                | No                    | -          | -        | -   | No            | -                 | -               | -
Total | 132     |                 |                       |      |                         |                       |            |          | 1.5 |               |                   |                 | 20
Note: ‘-’ indicates blank.
Table 3: Example of FMEDA on vehicle safety cooling system [16]

3.3.1.2 Calculation & Formula

To calculate SPFM, LFM and PMHF from the estimated data (λ = 132 FIT, λRF = 1.5 FIT, λMPF latent = 20 FIT and λSPF = 0 FIT) obtained from table 3 after conducting the FMEDA, the following formulas are used:

1. Equation 1:
$$\mathrm{SPFM} = 1 - \frac{\sum(\lambda_{\mathrm{SPF}} + \lambda_{\mathrm{RF}})}{\sum \lambda} = 1 - \frac{1.5}{132} = 0.9886 = 98.9\%$$

2. Equation 2:
$$\mathrm{LFM} = 1 - \frac{\sum \lambda_{\mathrm{MPF,latent}}}{\sum(\lambda - \lambda_{\mathrm{SPF}} - \lambda_{\mathrm{RF}})} = 1 - \frac{20}{132 - 1.5} = 0.8467 = 84.7\%$$

3. Equation 3:
$$\mathrm{PMHF} = \sum \lambda_{\mathrm{SPF}} + \sum \lambda_{\mathrm{RF}} + \sum \lambda_{\mathrm{MPF,latent}} = 0 + 1.5 + 20 = 21.5\ \mathrm{FIT} \quad [12]$$
3.3.1.3 FMEDA result and comment

By comparing the estimated hardware architectural metrics (SPFM = 98.9%, LFM = 84.7% and PMHF = 21.5 FIT) of the vehicle safety cooling system obtained from the FMEDA with the reference values tabulated in table 2, it can be concluded that the vehicle safety cooling system has a functional safety capability of ASIL C as per ISO 26262.

Note: the minimum required hardware architectural metrics for any safety
equipment with an ASIL C rated capability of functional safety is: SPFM of at
least 97%, LFM more than or equal to 80%, and PMHF should be less than
100 FIT.
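Equations 1 to 3 and the table 2 lookup, as an added Python example that is not part of the report: the rows of table 3 are re-entered as data, and the single-point/residual split follows the table's own assignment (the report counts the undetected TS fault under λRF, with λSPF = 0, so both are summed together as equation 1 does).

```python
"""Hardware architectural metrics (ISO 26262) from an FMEDA table.

Added example, not from the report.  Each row is one failure mode of table 3
(vehicle safety cooling system).  Per mode, the share of the item's failure
rate is lambda*FMD; the part that violates the safety goal and escapes the
safety mechanism counts towards Sum(lambda_SPF + lambda_RF), and the part
flagged as a possible multiple-point fault that escapes the latent-fault
diagnostics counts towards Sum(lambda_MPF,latent).  SPFM, LFM and PMHF follow
equations 1-3, and the ASIL capability is read from table 2.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class FailureMode:
    item: str
    item_fit: float           # failure rate of the whole item, FIT
    mode: str
    fmd: float                # failure mode distribution, fraction of item_fit
    violates_goal: bool       # does this failure mode violate the safety goal?
    dc_spf: float = 0.0       # DC of the SM against this mode (0.0 when no SM)
    mpf_possible: bool = False
    dc_latent: float = 0.0    # DC of the SM against the latent (multiple-point) fault

    @property
    def fit(self) -> float:
        return self.item_fit * self.fmd

    def spf_rf_fit(self) -> float:
        """Single-point plus residual share: violating and not covered by the SM."""
        return self.fit * (1.0 - self.dc_spf) if self.violates_goal else 0.0

    def latent_fit(self) -> float:
        """Latent multiple-point share: MPF possible and not covered by the latent DC."""
        return self.fit * (1.0 - self.dc_latent) if self.mpf_possible else 0.0


# Table 3 of the report, row by row ("-" entries become the defaults).
COOLING_SYSTEM_FMEDA: List[FailureMode] = [
    FailureMode("TS",    1,   "Erratic output",        1.0, True),
    FailureMode("MCU",   100, "Memory stack overflow", 0.5, True, dc_spf=0.99, dc_latent=1.0),
    FailureMode("MCU",   100, "Unstable voltage",      0.5, False),
    FailureMode("Fan 1", 10,  "Rotor failure",         0.5, False, mpf_possible=True),
    FailureMode("Fan 1", 10,  "Degraded",              0.5, False),
    FailureMode("Fan 2", 10,  "Rotor failure",         0.5, False, mpf_possible=True),
    FailureMode("Fan 2", 10,  "Degraded",              0.5, False),
    FailureMode("SWD",   10,  "Timer failure",         1.0, False, mpf_possible=True),
    FailureMode("LED",   1,   "Shorted",               1.0, False),
]


def architectural_metrics(modes: List[FailureMode]) -> Dict[str, float]:
    total = sum({m.item: m.item_fit for m in modes}.values())  # each item counted once
    spf_rf = sum(m.spf_rf_fit() for m in modes)
    latent = sum(m.latent_fit() for m in modes)
    return {
        "lambda_total": total,
        "lambda_spf_rf": spf_rf,
        "lambda_mpf_latent": latent,
        "SPFM": 1.0 - spf_rf / total,                   # equation 1
        "LFM": 1.0 - latent / (total - spf_rf),         # equation 2
        "PMHF": spf_rf + latent,                        # equation 3, in FIT
    }


# Table 2 of the report: (PMHF upper bound in FIT, minimum SPFM, minimum LFM).
ASIL_TARGETS = {
    "D": (10.0,   0.99, 0.90),
    "C": (100.0,  0.97, 0.80),
    "B": (100.0,  0.90, 0.60),
    "A": (1000.0, None, None),  # SPFM / LFM not applicable for ASIL A
}


def classify_asil(pmhf_fit: float, spfm: float, lfm: float) -> Optional[str]:
    """Highest ASIL whose table 2 targets are all met, or None if even ASIL A is missed."""
    for asil in "DCBA":
        pmhf_max, spfm_min, lfm_min = ASIL_TARGETS[asil]
        if pmhf_fit >= pmhf_max:
            continue
        if spfm_min is not None and (spfm < spfm_min or lfm < lfm_min):
            continue
        return asil
    return None


if __name__ == "__main__":
    m = architectural_metrics(COOLING_SYSTEM_FMEDA)
    print(f"SPFM = {m['SPFM']:.1%}, LFM = {m['LFM']:.1%}, PMHF = {m['PMHF']:.1f} FIT")
    print("ASIL capability:", classify_asil(m["PMHF"], m["SPFM"], m["LFM"]))  # C
```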

3.4 FMEDA & IEC 61508


3.4.1 Application

An FMEDA for certifying safety equipment in accordance with the IEC 61508 functional safety standard series uses different parameters from the FMEDA conducted for ISO 26262 certification described earlier in this report. For IEC 61508 certification the FMEDA estimates various failure rates, for example dangerous detected (λDD), dangerous undetected (λDU), safe detected (λSD) and safe undetected (λSU), and from these the total failure rate of the safety equipment, the Diagnostic Coverage (DC) and the Safe Failure Fraction (SFF) of the investigated item. The average Probability of Failure on Demand (PFDavg) of the safety equipment is also calculated, and finally, by analyzing all these values, the Safety Integrity Level (SIL) of the safety item is determined and certified in accordance with the IEC 61508 functional safety standard.

3.4.2 Interpretation of FMEDA data

3.4.2.1 Some useful parameters and their definitions

▪ Safety Integrity Level (SIL): discrete levels of risk reduction. There are four SILs as defined by IEC 61508, where SIL 1 has the lowest level of risk reduction and SIL 4 the highest. SILs are specified by their mode of operation, as shown in the following table 4 and table 5.

SIL    Low demand mode of operation (average probability of failure to perform its intended function on demand), PFDavg
4      ≥ 10^-5 to < 10^-4
3      ≥ 10^-4 to < 10^-3
2      ≥ 10^-3 to < 10^-2
1      ≥ 10^-2 to < 10^-1
Table 4: SIL values for Low demand mode of operation [19]

SIL    High demand or continuous mode of operation (probability of a dangerous failure per hour), PFH
4      ≥ 10^-9 to < 10^-8
3      ≥ 10^-8 to < 10^-7
2      ≥ 10^-7 to < 10^-6
1      ≥ 10^-6 to < 10^-5
Table 5: SIL values for High demand or continuous mode of operation [19]

▪ Hardware Fault Tolerance (HFT): the ability of a safety-related system to execute the required safety instrumented function in the presence of one or more critical faults in the hardware. A hardware fault tolerance of N = 1 means that the presence of more than one critical failure in the hardware architecture will compromise the functionality of the safety-related system.
▪ Type-A component: simple safety-related components with well-defined failure rates and failure modes, for which sufficient field failure data are available to justify the failure rates and modes. Examples of type-A components are metal film resistors, transistors and relays.
▪ Type-B component: complex safety-related components with unknown failure rates and failure modes, for example microprocessors and semiconductors. [19]
▪ Diagnostic Coverage (DC): a measure of the effectiveness of a SIF in detecting dangerous failures. It is expressed as a percentage, as shown in equation 4.

Equation 4:
$$\mathrm{DC} = \frac{\lambda_{\mathrm{DD}}}{\lambda_{\mathrm{DD}} + \lambda_{\mathrm{DU}}} \quad [20]$$

▪ Safe Failure Fraction (SFF): the ratio of the sum of safe failures plus dangerous detected failures of the safety-related system to the total failures of the safety-related system. It is expressed as a percentage and indicates how likely it is that a dangerous failure goes undetected by the automatic diagnostics. It is defined in particular for a 1oo1 sub-system without redundancy. The equation for calculating SFF is shown in equation 5 below.

Equation 5:
$$\mathrm{SFF} = \frac{\lambda_{\mathrm{SD}} + \lambda_{\mathrm{SU}} + \lambda_{\mathrm{DD}}}{\lambda_{\mathrm{SD}} + \lambda_{\mathrm{SU}} + \lambda_{\mathrm{DD}} + \lambda_{\mathrm{DU}}} \quad [21]$$

▪ IEC 61508 defines the maximum allowable SIL for a safety-related component based on its HFT, its SFF and the type of the component, as shown in the following table 6 and table 7.

Safe failure fraction (SFF)   Hardware Fault Tolerance (HFT)
                              0         1         2
< 60%                         SIL 1     SIL 2     SIL 3
60% to < 90%                  SIL 2     SIL 3     SIL 4
90% to < 99%                  SIL 3     SIL 4     SIL 4
≥ 99%                         SIL 3     SIL 4     SIL 4
Note 1: A hardware fault tolerance of N means that N+1 faults could cause a loss of the safety function.
Table 6: Maximum allowable SIL by type-A safety component [22]

Safe failure fraction (SFF)   Hardware Fault Tolerance (HFT)
                              0             1         2
< 60%                         Not Allowed   SIL 1     SIL 2
60% to < 90%                  SIL 1         SIL 2     SIL 3
90% to < 99%                  SIL 2         SIL 3     SIL 4
≥ 99%                         SIL 3         SIL 4     SIL 4
Note 1: A hardware fault tolerance of N means that N+1 faults could cause a loss of the safety function.
Table 7: Maximum allowable SIL by type-B safety component [22]

3.4.3 Example of FMEDA for IEC 61508

3.4.3.1 Submersible sensor LMK 307

To certify the submersible ceramic sensor LMK 307, illustrated in figure 6,
as functional safety equipment and to assign it an appropriate SIL rating,
an FMEDA is conducted. The application of this sensor is to continuously
measure the level of a hazardous liquid; therefore, the failure rates are
considered for the high demand or continuous mode of operation as referenced
in table 5. From the FMEDA conducted in table 8, the failure rates are
obtained, and from those values DC and SFF are calculated and compared
with the reference values tabulated in table 6. According to the
manufacturer's data sheet, the LMK 307 is a type-A safety component with
HFT = 0.

Figure 6: LMK 307 a submersible ceramic hydrostatic level sensor [23]

3.4.3.2 Failure modes assumption

Since the correctness of an FMEDA depends on the application of the investigated safety item, for this example it is
assumed that a high output from the LMK 307 indicates a hazard to the system. Therefore, a failure mode that prevents
the accurate indication of the hazard is considered a dangerous failure, and the failure mode that causes the sensor
output to go high is considered a safe failure in table 8. [22]

3.4.3.3 FMEDA table for IEC 61508

Item | Function | Is it a safety-related item? | Failure mode | FMD | Effect | Safe undetected failure rate, λSU | Safe detected failure rate, λSD | Dangerous detected failure rate, λDD | Dangerous undetected failure rate, λDU | SFF, calculated using equation (5) | DC, calculated using equation (4)
LMK 307 | Measures hazardous fluid level | Yes | Stuck at Low | 59% | Sensor reads zero/low output signal | - | - | 3.66×10^-8 | 3.28×10^-8 | 67.4% | 52.7%
LMK 307 | Measures hazardous fluid level | Yes | Stuck at High | 59% | Sensor reads one/high output signal | 3.13×10^-8 | 0 | - | - | 67.4% | 52.7%
Note: "-" indicates blank. SFF and DC are calculated once for the item over both failure modes.
Table 8: FMEDA analysis example on LMK 307 [23] [17]

3.4.3.4 FMEDA result and comment

Comparing the values obtained from the FMEDA in table 8 (i.e. SFF = 67.4%) with the reference values tabulated
in table 6 (note: the safety item's manufacturer has already declared it a type-A component with HFT = 0), it can be
concluded that the safety sensor LMK 307 can be considered a SIL 2 rated functional safety equipment as per IEC 61508,
with a low diagnostic coverage of DC = 52.7% (as classified in Table C.2 of IEC 61508-6:2010 [24]).
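The calculation above, worked through in code as an added example (not part of the original report or of the sensor manufacturer's documentation): it evaluates equation 4 and equation 5 on the table 8 failure rates and then applies the table 6/7 architectural constraint. The class and function names are my own; the λ values, the type-A classification and HFT = 0 are taken from the text.

```python
# Added example: FMEDA hardware metrics for a 1oo1 item per IEC 61508.
# Evaluates Equation 4 (DC) and Equation 5 (SFF) on the Table 8 failure
# rates of the LMK 307, then applies the Table 6/7 architectural constraint.
from dataclasses import dataclass

@dataclass(frozen=True)
class FailureRates:
    """Failure rates per hour, split safe/dangerous and detected/undetected."""
    lambda_sd: float  # safe detected
    lambda_su: float  # safe undetected
    lambda_dd: float  # dangerous detected
    lambda_du: float  # dangerous undetected

    def diagnostic_coverage(self) -> float:
        """Equation 4: DC = lambda_DD / (lambda_DD + lambda_DU)."""
        dangerous = self.lambda_dd + self.lambda_du
        return self.lambda_dd / dangerous if dangerous else 0.0

    def safe_failure_fraction(self) -> float:
        """Equation 5: SFF = (lambda_SD + lambda_SU + lambda_DD) / lambda_total."""
        total = self.lambda_sd + self.lambda_su + self.lambda_dd + self.lambda_du
        safe_or_detected = self.lambda_sd + self.lambda_su + self.lambda_dd
        return safe_or_detected / total if total else 0.0

# Tables 6 and 7: maximum SIL indexed by SFF band lower bound and HFT 0..2.
# None encodes "Not Allowed" (type-B, HFT 0, SFF < 60 %).
_SFF_BANDS = (0.0, 0.60, 0.90, 0.99)
_MAX_SIL = {
    "A": {0.0: (1, 2, 3), 0.60: (2, 3, 4), 0.90: (3, 4, 4), 0.99: (3, 4, 4)},
    "B": {0.0: (None, 1, 2), 0.60: (1, 2, 3), 0.90: (2, 3, 4), 0.99: (3, 4, 4)},
}

def max_allowable_sil(sff: float, hft: int, component_type: str):
    """Look up the Table 6 (type A) or Table 7 (type B) SIL cap for SFF/HFT."""
    if hft not in (0, 1, 2):
        raise ValueError("Tables 6 and 7 only cover HFT 0, 1 and 2")
    band = max(b for b in _SFF_BANDS if sff >= b)
    return _MAX_SIL[component_type.upper()][band][hft]

# Table 8 rates: stuck-high is safe undetected; stuck-low splits into DD and DU.
LMK307 = FailureRates(lambda_sd=0.0, lambda_su=3.13e-8,
                      lambda_dd=3.66e-8, lambda_du=3.28e-8)

def lmk307_assessment() -> dict:
    """DC and SFF in percent plus the SIL cap for the type-A, HFT = 0 LMK 307."""
    dc = LMK307.diagnostic_coverage()
    sff = LMK307.safe_failure_fraction()
    return {"dc_pct": round(dc * 100, 1), "sff_pct": round(sff * 100, 1),
            "max_sil": max_allowable_sil(sff, hft=0, component_type="A")}
```

Calling `lmk307_assessment()` returns DC = 52.7%, SFF = 67.4% and a SIL 2 cap, matching table 8 and the conclusion drawn from table 6; the same lookup with `component_type="B"` shows why a type-B device with the same SFF and HFT = 0 would only reach SIL 1.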

4 FTA or FMEDA
4.1 When to use FTA
▪ FTA is a top-down technique and an Effect → Cause model. It is focused on finding
component failures and their relationships with one another, in other words the
logical conditions between the failures that lead to the single top-event failure.
▪ It is recommended to use FTA when there is only one or just a few system conditions
to consider that lead to failure.
▪ FTA is very effective at revealing how resilient a safety system will be to one or more
initiating failures. Therefore, FTA is appropriate for safety systems with high
redundancy and/or diversity, or with majority voting logic.
▪ FTA is suited to cases where it is preferred or necessary to represent the failure or
fault logic within a safety system in a diagram.
▪ FTA identifies combinations of conditions and item failures leading up to a single
top-event.

4.2 When to use FMEDA

▪ FMEDA is a bottom-up technique and a Cause → Effect model. It is focused on
analyzing the failure modes of each safety-relevant item within a safety system and
considering their potential effects on the overall safety function.
▪ It is recommended to use FMEDA when there is a large number of separate failure
conditions to consider that cause a failure.
▪ FMEDA is appropriate for analyzing safety systems that have little or no redundancy
and do not require the results of multiple failures or faults to be examined at system
level, except for common cause failures.
▪ FMEDA is more suitable for safety systems that contain new or emerging safety
technology, where the effects of failure of these safety components require a
comprehensive understanding.
▪ FMEDA is recommended for certifying safety equipment in accordance with ISO 26262
or IEC 61508.
▪ FMEDA is recommended for establishing proper levels of redundancy within the
design of a safety system, to ensure fail-safe outputs, to reduce the number of
components while designing effectively, or to enhance the design of the overall safety
system.
▪ FMEDA considers all individual component failures and identifies their failure modes,
the range of their effects on the whole system, the automatic diagnostics, and the relevant
hardware metrics. [25]

5 Conclusion
Both FMEDA and FTA can be used for identifying failure causes and for assigning safety-related
items the appropriate safety integrity levels, as shown in this report. The FMEDA essentially
tabulates all the possible failures, their modes, and their effects on the system. On the other
hand, FTA can perform a detailed analysis of the logical relationships between the failures of
different safety components that branch down from the single top-event. Which of the methods to
use varies from industry to industry, depending on the safety products, safety requirements, and
budget. As a best practice, it is usually recommended to use FTA and FMEDA in tandem when
manufacturing a safety-related component. [26]

6 References
[1] Texas Instruments, "Basics of FMEDA and how it is useful in system level safety analysis - Part 1," Texas Instruments, 22 June 2018. [Online]. Available: https://training.ti.com/basics-fmeda-and-how-it-useful-system-level-safety-analysis-part-1. [Accessed 18 January 2021].
[2] exida, "FMEDA - Methods and Data," exida, 11 December 2013. [Online]. Available: https://www.youtube.com/watch?v=hhMXi2IYBXI&t=176s. [Accessed 26 January 2021].
[3] INFRASPEAK, "Maintenance Fault Tree Analysis (FTA): Definition, Applications and Benefits," INFRASPEAK, [Online]. Available: https://blog.infraspeak.com/fault-tree-analysis-fta/. [Accessed 22 January 2021].
[4] ConceptDraw, "Fault Tree Analysis Diagrams," ConceptDraw, [Online]. Available: https://www.conceptdraw.com/solution-park/engineering-fault-tree-analysis-diagrams. [Accessed 22 January 2021].
[5] Embitel, "Safety Analysis Activities (FMEA, FMEDA, DFA, FTA) For ISO 26262 Compliant Solution Development," Embitel, [Online]. Available: https://www.embitel.com//safety-analysis-activities-for-iso-26262-compliant-solution-development#1590989449440-04ea43da-4959. [Accessed 26 January 2021].
[6] National Aeronautics and Space Administration (NASA), "Fault Tree Handbook with Aerospace Applications," August 2002. [Online]. Available: http://dl.icdst.org/pdfs/files/316569310a4c5794fde2162bb026e85d.pdf. [Accessed 23 January 2021].
[7] N. D. a. W. Taylor, "Quantified Fault Tree Techniques for Calculating Hardware Fault Metrics According to ISO 26262," In Compliance, 28 April 2017. [Online]. Available: https://incompliancemag.com/article/quantified-fault-tree-techniques-for-calculating-hardware-fault-metrics-according-to-iso-26262/. [Accessed 13 February 2021].
[8] T. A. B. G. A. B. B. Alper Pahsa, "Fault tree analysis of a fire hazard of a power distribution cabinet with Petri Nets," 2010. [Online]. Available: https://www.semanticscholar.org/paper/Fault-tree-analysis-of-a-fire-hazard-of-a-power-Pahsa-Bayazit/820cfe6e3aba70b3c255a4c7a0b231f884515e05. [Accessed 24 January 2021].
[9] Embitel Technologies, "How to Evaluate PMHF, SPFM & LFM, for Automotive ECUs, Using FMEDA," 17 June 2019. [Online]. Available: https://www.youtube.com/watch?v=ndG1Kcc89hs. [Accessed 26 January 2021].
[10] Exida, "Explaining the differences in Mechanical Failure Rates: FMEDA predictions and OREDA estimations," Exida, July 2015. [Online]. Available: https://www.exida.com/articles/FMEDAvsOREDA_Sept142015.pdf. [Accessed 04 February 2021].
[11] Cadence, "Functional Safety Methodologies for Automotive Applications," 2019. [Online]. Available: https://www.cadence.com/content/dam/cadence-www/global/en_US/documents/solutions/automotive-functional-safety-wp.pdf. [Accessed 6 February 2021].
[12] ISO 26262, Road vehicles - Functional safety - Part 5: Product development at the hardware level, Geneva: ISO, 2018.
[13] W. G. a. D. Hammerschmidt, "Calculation of Failure Detection Probability on Safety Mechanisms of Correlated Sensor Signals According to ISO 26262," 03 May 2017. [Online]. Available: http://www.iosense.eu/wp-content/uploads/2018/04/2017-01-0015.pdf. [Accessed 06 February 2021].
[14] S. Aschenbrenner, "IEC 61508 - Where do the lambda values originate?," 20 April 2007. [Online]. Available: https://docplayer.net/3093850-Iec-61508-where-do-the-lambda-values-originate.html. [Accessed 08 February 2021].
[15] C. Hammerschmidt, "Infineon CIC61508 safety watchdog for microcontrollers," EE Times, 04 April 2011. [Online]. Available: https://www.eetimes.com/infineon-cic61508-safety-watchdog-for-microcontrollers/. [Accessed 07 February 2021].
[16] T. Urban, "Texas Instruments," [Online]. Available: https://www.ti.com/lit/ml/slyp685/slyp685.pdf?ts=1612510521792&ref_url=https%253A%252F%252Fwww.google.com%252F. [Accessed 07 February 2021].
[17] Reliability Analysis Center, Failure Mode/Mechanism Distributions, New York: Reliability Analysis Center, 1991.
[18] Texas Instruments, "Application Report: Functional Safety FIT Rate, FMD and Pin FMA TLV7041-Q1," May 2020. [Online]. Available: https://www.ti.com/lit/fs/snoaa54/snoaa54.pdf?ts=1612709716333&ref_url=https%253A%252F%252Fwww.google.com%252F. [Accessed 07 February 2021].
[19] Endress + Hauser, "Functional Safety - SIL," [Online]. Available: https://portal.endress.com/wa001/dla/5000639/2936/000/01/CP01008Z11EN_0313_SIL-Brochure_X4_.pdf. [Accessed 09 February 2021].
[20] AUTOMATION PRODUCTS & SYSTEMS, "Diagnostic Coverage," AUTOMATION PRODUCTS & SYSTEMS, [Online]. Available: https://automationproductsandsystems.com/dc-diagnostic-coverage/. [Accessed 11 February 2021].
[21] Exida, "Back to Basics 20 - Safe Failure Fraction, SFF," Exida, 14 January 2020. [Online]. Available: https://www.exida.com/Blog/back-to-the-basics-20-safe-failure-fraction-sff. [Accessed 09 February 2021].
[22] IEC 61508 Functional Safety Standards, Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems, Geneva: International Electrotechnical Commission (IEC), 2010.
[23] BD|SENSORS GmbH, "Submersible probes | level probes," BD|SENSORS GmbH, [Online]. Available: https://www.bdsensors.de/en/level/submersible-probes/. [Accessed 11 February 2021].
[24] IEC 61508-6, Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3, Geneva: IEC, 2010.
[25] Egerton Consulting, "Choosing between Failure Modes and Effects Analysis (FMEA) and Fault Tree Analysis (FTA)," Egerton Consulting, 20 February 2015. [Online]. Available: https://egertonconsulting.com/fmea-v-fta/?doing_wp_cron=1613311524.4477319717407226562500#:~:text=FTA%20will%20identify%20combinations%20of,their%20effects%20on%20the%20system.. [Accessed 14 February 2021].
[26] G. Cristea and D. M. Constantinescu, "A comparative critical study between FMEA and FTA risk analysis methods," 2017. [Online]. Available: https://iopscience.iop.org/article/10.1088/1757-899X/252/1/012046/pdf. [Accessed 14 February 2021].
