A common cause failure risk metric method for vehicle functional safety
By quantifying common-cause failure risk, the method fills the gap in ISO 26262, which gives no measure for common-cause failure risk, enabling quantitative analysis and risk control of vehicle functional safety systems, checking that a system meets its ASIL requirement, and making the method suitable for advanced driver assistance systems.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patent (China)
- Current Assignee / Owner
- PEUGEOT CITROEN AUTOMOBILES SA
- Filing Date
- 2021-03-25
- Publication Date
- 2026-06-19
AI Technical Summary
The lack of guidance in the ISO 26262 standard for quantifying the risk of common cause failure makes it difficult to determine whether the reliability of a system meets a given ASIL level when considering common cause failure, especially in systems containing components affected by common cause failure.
A common-cause failure risk measurement method for vehicle functional safety is provided. By identifying the components affected by common-cause failure and their failure probabilities corresponding to ASIL levels, a model considering common-cause failure is established, ASIL level requirements are quantified, and analysis is performed using fault tree analysis and reliability expressions.
It enables quantitative analysis and judgment of vehicle functional safety systems under the consideration of common cause failures, ensuring that they meet the requirements of ISO 26262 standard, and is applicable to risk measurement and risk control of advanced driver assistance systems.
Figure CN115130059B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of vehicle functional safety measurement technology, and in particular to a method for measuring the risk of common-cause failures in vehicle functional safety.
Background Technology
[0002] With the continuing development of automobiles, automakers and parts suppliers are adjusting their systems, improving regulations and establishing specification-based production processes so that their products comply with ISO 26262, the functional safety standard for road vehicles. ISO 26262 defines the Automotive Safety Integrity Level (ASIL) with four levels, A, B, C and D, where A is the lowest and D the highest. As autonomous driving becomes more prevalent, ISO 21448, Safety of the Intended Functionality (SOTIF), is also receiving attention.
Summary of the Invention
[0003] (I) Technical Problems to Be Solved
[0004] ISO 26262 lacks guidance on quantifying the risk of common-cause failures. ISO 26262 requires that, where a functional safety concept is decomposed using ASIL decomposition, the independence of the decomposed elements be demonstrated through Dependent Failure Analysis (DFA). In practice, however, systems containing components affected by common-cause failures are encountered. How to analyze whether the reliability of such a system meets a given ASIL while accounting for common-cause failures, and thus make an appropriate judgment, is a problem that needs to be solved.
[0005] (II) Technical Solution
[0006] To address the aforementioned technical problems, this invention provides a common-cause failure risk measurement method for vehicle functional safety, comprising: identifying components in a first system containing multiple components that are affected by common-cause failure; for each component affected by common-cause failure, determining the probability of a single point of failure or residual failure and the probability of a multi-point failure corresponding to each ASIL level requirement; and obtaining a quantified ASIL level requirement considering common-cause failure based on the relationship between a random hardware failure probability metric and the probabilities of a single point of failure or residual failure and the probabilities of a multi-point failure.
[0007] According to one embodiment of the present invention, the method further includes: obtaining a reliability expression for the second system containing common cause information through analysis; comparing the result of the reliability expression with the quantified ASIL level requirement considering common cause failures to obtain the analysis result.
[0008] According to one embodiment of the present invention, determining the probability of a single point of failure or residual failure and the probability of a multi-point failure corresponding to each ASIL level requirement for each of the components affected by common cause failure includes determining the probability of a single point of failure or residual failure and the probability of a multi-point failure based on the probability distribution associated with common cause failure.
[0009] According to one embodiment of the present invention, obtaining the reliability expression of the second system containing common cause information through analysis includes obtaining the reliability expression of the second system containing common cause information through fault tree analysis.
[0010] The present invention also provides a common cause failure risk measurement system for vehicle functional safety, comprising:
[0011] The component identification module is used to identify components in a first system containing multiple components that are affected by common cause failure.
[0012] The probability determination module is used to determine, for each component affected by common cause failure, the probability of a single point of failure or residual failure and the probability of a multi-point failure corresponding to each ASIL level requirement.
[0013] The quantification requirement acquisition module is used to obtain the quantified ASIL level requirement considering common cause failures based on the relationship between the random hardware failure probability metric and the probability of single-point failure or residual failure and the probability of multi-point failure.
[0014] The present invention also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the steps of the common cause failure risk measurement method for vehicle functional safety provided in the above embodiments.
[0015] The present invention also provides a non-transitory computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the steps of the common cause failure risk measurement method for vehicle functional safety provided in the above embodiments.
[0016] The present invention also provides a vehicle including a common cause failure risk measurement system for vehicle functional safety provided in the above embodiments.
[0017] (III) Beneficial Effects
[0018] The above-described technical solution of the present invention has the following advantages:
[0019] This invention provides a method for measuring the risk of common-cause failures in vehicle functional safety. The method establishes a model that considers common-cause failures and obtains a quantitative failure-rate index corresponding to each ASIL requirement. This allows quantitative analysis and the corresponding judgment when analyzing a system in which the risk of common-cause failure must be emphasized. By implementing this invention, ISO 26262 can be conveniently and effectively applied in the automotive industry and other fields to solve related problems.
Description of the Drawings
[0020] Figure 1 is a schematic diagram illustrating a common-cause failure according to an embodiment of the present invention;
[0021] Figure 2 is a schematic diagram illustrating the dependent-failure requirements of ISO 26262 according to an embodiment of the present invention;
[0022] Figure 3 is a flowchart of a quantitative common-cause failure analysis according to an embodiment of the present invention;
[0023] Figure 4 is a reliability block diagram of a bridge structure according to an embodiment of the present invention;
[0024] Figure 5 is a block diagram of a fault tree analysis according to an embodiment of the present invention.
Detailed Implementation
[0025] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0026] Referring to Figure 1, a schematic diagram illustrating a common-cause failure according to an embodiment of the present invention: a common-cause failure is the failure of two or more elements in a related category caused by a single specific event or root cause, which may originate inside or outside those elements.
[0027] Common-cause failures can be addressed by combining the β-factor model and the basic parameter model, as follows:
[0028] Suppose a system consists of n components numbered 1, 2, …, n. If a specific component fails alone while the other n−1 components remain intact, the corresponding failure rate is $\lambda_1$; we call this failure process $Z_1$. If two components fail simultaneously, one being a specified component (say component 1) and the other any one of the remaining n−1 components, there are n−1 possible combinations; the corresponding failure rate is $\lambda_2$, and we call this failure process $Z_2$. Similarly, the simultaneous failure of j components (1 ≤ j ≤ n), one of which is the specified component, constitutes failure process $Z_j$, with $\binom{n-1}{j-1}$ possible combinations and failure rate $\lambda_j$. In a system of n components, the probability that a specific component (e.g., component 1) is still functioning normally at time t is the probability that none of the above failure processes involving it occurs:
[0029]
[0030] The corresponding failure probability formula is:
[0031] The probability that both component 1 and component 2 are intact at time t can be expressed as:
[0032] $\Pr\{S_1 \cap S_2; t\} = \Pr\{S_1; t\} \cdot \Pr\{S_2 \mid S_1; t\}$, where $\Pr\{S_2 \mid S_1; t\}$ is the probability that component 2 is intact given that component 1 is intact at time t. Therefore, the probability that m specified components in this system of n components are all intact can be expressed as:
[0033]
[0034] The corresponding failure probability formula is:
[0035] To describe the calculation of system reliability when common-cause failure is considered, take a simple 1-out-of-2 (1oo2:G) system as an example. Let A and B be the normal-operation events of the two components, with equal probabilities $\Pr(A) = \Pr(B) = P(t)$. The system reliability is $\Pr(A \cup B) = \Pr(A) + \Pr(B) - \Pr(A \cap B)$. Then: (1) under independent failures, $\Pr(A \cap B) = \Pr(A)\Pr(B) = P(t)^2$, so the system reliability is $\Pr(A \cup B) = R_s(t) = 2P(t) - P(t)^2$; (2) when common-cause failure is considered, $\Pr(A \cap B)$ is no longer the product of the marginals but the joint probability $\Pr\{S_1 \cap S_2; t\} = \Pr\{S_1; t\} \cdot \Pr\{S_2 \mid S_1; t\}$ given above, so the system reliability becomes $R_s(t) = 2P(t) - \Pr\{S_1 \cap S_2; t\}$. In summary, the calculation with common-cause failure proceeds by these steps. Based on formulas (1) and (2), we can therefore calculate the failure rates for n = 1, 2, 3, 4, 5; some values follow:
[0036] When n = 1:
[0037] When n = 2:
[0038] When n = 3:
[0039]
[0040]
[0041]
[0042] When n = 4:
[0043]
[0044]
[0045]
[0046]
[0047] When n = 5:
[0048]
[0049]
[0050]
[0051]
[0052]
[0053] Referring to Figure 2, a schematic diagram of the dependent-failure requirements of ISO 26262 according to an embodiment of the present invention. In ISO 26262, dependent failures are failures whose probability of simultaneous or successive occurrence cannot be expressed as the simple product of the unconditional probabilities of each failure. Dependent failures comprise common-cause failures and cascading failures. Independence is demonstrated by freedom from interference together with the absence of common-cause failures. In ASIL decomposition, independence is threatened by both common-cause and cascading failures, whereas freedom from interference is threatened only by cascading failures. Each potential dependent failure is evaluated to determine its causal relationship, i.e. whether there is a reasonably foreseeable cause that leads to the dependent failure and thereby violates the required independence or freedom from interference between the given elements. Note that where random hardware failures are quantified to assess the violation of safety goals (see ISO 26262-5), the contribution of common-cause and cascading failures is estimated qualitatively, as there is no general and sufficiently reliable method for quantifying them. Measures against plausible dependent failures should prevent their root causes, control their effects, or reduce the coupling factors; diversity, for example, is a measure that can prevent, reduce or detect common-cause failures. Clause 8.4.9 states that qualitative safety analysis includes:
[0054] d) identifying, or supporting the identification of, potential weaknesses of the safety concept, including the ineffectiveness of safety mechanisms in handling anomalies such as latent faults, multiple-point faults, common-cause failures and cascading failures.
[0055] Annex C: the independence of two or more elements is established by the absence of dependent failures, i.e. the absence of both cascading failures and common-cause failures.
[0056] According to ISO 26262 Annex C.2.2, for the single-point fault metric (SPFM): this requirement applies to safety goals of ASIL B, C and D. The following equation is used to determine the single-point fault metric:
[0057]
[0058] where $\sum$ denotes the sum over the safety-related hardware elements x to be considered in the item, and $\lambda_x$ is the failure rate of element x.
[0059] According to ISO 26262 Annex C.3.2, for the latent-fault metric (LFM): this requirement applies to safety goals of ASIL B, C and D. The following equation is used to determine the latent-fault metric:
[0060]
[0061] where $\sum$ again denotes the sum over the safety-related hardware elements x to be considered in the item, with $\lambda_x$ the failure rate of element x. For each ASIL, the single-point fault metric requirements are as follows:
[0062] Table 1
[0063]
    Metric                              ASIL B    ASIL C    ASIL D
    Single-point fault metric (SPFM)    ≥ 90%     ≥ 97%     ≥ 99%
[0064] The requirements for the latent-fault metric are as follows:
[0065] Table 2
[0066]
    Metric                        ASIL B    ASIL C    ASIL D
    Latent-fault metric (LFM)     ≥ 60%     ≥ 80%     ≥ 90%
[0067] The failure rate of each safety-related hardware element can therefore be decomposed according to the formula in ISO 26262 itself (assuming all failures are independent and exponentially distributed) as follows:
[0068] $\lambda = \lambda_{SPF} + \lambda_{RF} + \lambda_{MPF} + \lambda_S$, with $\lambda_{MPF} = \lambda_{MPF,DP} + \lambda_{MPF,L}$
[0069] where $\lambda_{SPF}$ is the failure rate associated with single-point faults of the hardware element; $\lambda_{RF}$ the rate associated with residual faults; $\lambda_{MPF}$ the rate associated with multiple-point faults, of which $\lambda_{MPF,DP}$ is the detected or perceived part and $\lambda_{MPF,L}$ the latent part; and $\lambda_S$ the rate associated with safe faults. Assuming a system of n components, we take:
[0070]
[0071]
[0072]
[0073]
[0074]
[0075] Following ISO 26262 practice: a single-point fault or residual fault is a single fault in the system that directly leads to the violation of a safety goal, that is, to a failure. A multiple-point fault is one of two faults which, present or occurring together, lead to the violation of a safety goal. A safe fault is taken here to mean one of three or more faults that would all have to be present or occur together to violate a safety goal; this scenario is generally not considered.
[0076] To compare with the basic reliability approach discussed above, we now account for the relevant common-cause failures; a preliminary analysis gives:
[0077] (1) A common-cause failure may result in a single-point fault or a residual fault.
[0078] (2) A common-cause failure may also result in a multiple-point fault, but only its latent portion matters, because the detected or perceived portion of multiple-point faults does not violate a safety goal;
[0079] (3) A common-cause failure may also result in a safe fault, in which case there is no possibility of violating a safety goal.
[0080] Referring to Figure 3, a flowchart of a quantitative common-cause failure analysis according to an embodiment of the present invention. Step 1: identify the components affected by common-cause failure in a first system containing multiple components. Assume the system has n components, of which i are affected by common-cause failure and the remaining n−i are affected by other failure modes. For each component we assume a 50% probability of a single-point or residual fault and a 50% probability of a multiple-point or safe fault; these shares may differ between embodiments and are based on the failure-occurrence mechanism. This gives the following table:
[0081] Table 3
[0082]
    Component number    Single-point or residual fault    Multiple-point or safe fault
    1, 2, …, i          50%                               50%
    i+1, …, n           50% × (n−i)                       50% × (n−i)
[0083] We continue by analyzing the probability distribution of each failure mode. Note that we assume a common-cause failure leads, at ASIL D, to a single-point fault, a residual fault, a multiple-point fault or a safe fault, and that the distribution over these is uniform; this distribution can vary with the specific implementation and failure mechanism. This gives the following table:
[0084] Table 4
[0085]
[0086] Step 2: for each component affected by common-cause failure, determine the probability of a single-point or residual fault and the probability of a multiple-point fault corresponding to each ASIL requirement. Combining the methods and analyses described above, we determine the probability that a specified component i is still functioning normally at time t, substitute it into the table above and, ignoring safe faults, obtain the following table:
[0087] Table 5
[0088]
[0089] Then, after allocating safety mechanisms according to the functional safety principles described above, for each ASIL we combine the single-point fault metric requirements of Table 1 with the latent-fault metric requirements of Table 2, substitute them into Table 5, and obtain the probability of a single-point or residual fault and the probability of a multiple-point fault corresponding to each ASIL requirement, taking the effect of common-cause failure into account.
[0090] Table 6
[0091]
[0092] Step 3: from the relationship between the probabilistic metric for random hardware failures (PMHF) and the probabilities of single-point or residual faults and of multiple-point faults, obtain the quantified ASIL requirement considering common-cause failure. From the analysis above we can calculate:
[0093] $M_{PMHF} = \lambda_{SPF} + \lambda_{RF} + \lambda_{SM1,DPF} \times \lambda_{IF,DPF} \times T_{lifetime}$ (3)
[0094] Furthermore, from equation (3) and Table 6 we derive the common-cause failure metric, i.e. the ASIL requirement considering common-cause failure:
[0095] Table 7
[0096]
[0097] Here the unit FIT (failures in time) is a failure rate of one failure per 10^9 device-hours. More precisely:
[0098] Table 8
[0099]
[0100] Or, in a more concise form:
[0101] Table 9
[0102]
[0103]
[0104] Therefore, we can conclude from this embodiment that, for each ASIL level, the common cause failure metric is:
[0105] Table 10
[0106]
[0107] Note that the method of this embodiment can be applied in the automotive industry to quantify common-cause failure metrics and make the corresponding judgment: for the required ASIL, if the common-cause failure probability meets the corresponding failure-rate index, the functional safety requirement is satisfied; if it does not, further safety measures or system-level safety measures are required.
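The following Python block is an added example (not part of the patent or its embodiments) that carries the metric definitions of paragraphs [0056] to [0069] and equation (3) through to the judgment of paragraph [0107]: it computes SPFM, LFM and PMHF for a constructed pair of elements, applies the 50/50 common-cause split of Step 1 to one element, checks the ASIL targets, and then finds by bisection the largest common-cause rate the element can carry while still meeting a given ASIL, which is the quantified requirement in the sense of Step 3. The element names, rates and lifetime are invented; the SPFM and LFM targets are those of Tables 1 and 2, while the PMHF targets (100 FIT for ASIL B and C, 10 FIT for ASIL D) are the ISO 26262-5 values supplied here because the page's Tables 6 to 10 are not reproduced, and the reading of λ_SM1,DPF and λ_IF,DPF as the multiple-point rates of the safety mechanism and of the intended function is this example's own.

```python
"""ISO 26262 hardware metrics with a common-cause share: an added example, not the
patent's code.  Rates in FIT.  SPFM/LFM targets are the page's Tables 1 and 2; the PMHF
targets are ISO 26262-5 values assumed here, as the page's Tables 6-10 are not reproduced."""
from dataclasses import dataclass, replace
from typing import Dict, List

FIT = 1e-9  # 1 FIT = one failure per 1e9 device-hours = 1e-9 failures per hour

ASIL_TARGETS = {
    "B": {"spfm": 0.90, "lfm": 0.60, "pmhf_fit": 100.0},
    "C": {"spfm": 0.97, "lfm": 0.80, "pmhf_fit": 100.0},
    "D": {"spfm": 0.99, "lfm": 0.90, "pmhf_fit": 10.0},
}


@dataclass(frozen=True)
class Element:
    """One safety-related hardware element: λ = λ_SPF + λ_RF + λ_MPF,DP + λ_MPF,L + λ_S."""
    name: str
    spf: float           # λ_SPF    single-point faults (FIT)
    rf: float            # λ_RF     residual faults
    mpf_dp: float        # λ_MPF,DP multiple-point faults, detected or perceived
    mpf_l: float         # λ_MPF,L  multiple-point faults, latent
    safe: float          # λ_S      safe faults
    is_sm: bool = False  # True for a safety mechanism, False for the intended function

    @property
    def total(self) -> float:
        return self.spf + self.rf + self.mpf_dp + self.mpf_l + self.safe


def spfm(elements: List[Element]) -> float:
    """Single-point fault metric, Annex C.2.2: 1 - Σ(λ_SPF + λ_RF) / Σλ."""
    return 1.0 - sum(e.spf + e.rf for e in elements) / sum(e.total for e in elements)


def lfm(elements: List[Element]) -> float:
    """Latent-fault metric, Annex C.3.2: 1 - Σλ_MPF,L / Σ(λ - λ_SPF - λ_RF)."""
    return 1.0 - sum(e.mpf_l for e in elements) / sum(e.total - e.spf - e.rf for e in elements)


def pmhf_fit(elements: List[Element], t_lifetime_h: float) -> float:
    """Page equation (3): M_PMHF = λ_SPF + λ_RF + λ_SM1,DPF × λ_IF,DPF × T_lifetime, reading the
    dual-point rates as the multiple-point rates of safety mechanism and intended function."""
    single = sum(e.spf + e.rf for e in elements)                              # FIT
    sm_dpf = sum(e.mpf_dp + e.mpf_l for e in elements if e.is_sm) * FIT      # per hour
    if_dpf = sum(e.mpf_dp + e.mpf_l for e in elements if not e.is_sm) * FIT  # per hour
    return single + sm_dpf * if_dpf * t_lifetime_h / FIT


def with_common_cause(elements, name, lam_ccf_fit, p_spf_rf=0.5) -> List[Element]:
    """Step 1 of the page: a common-cause rate on `name` is split p_spf_rf into single-point or
    residual faults (booked as RF; the metrics treat SPF and RF alike) and the rest into
    multiple-point faults, of which only the latent part can violate a safety goal ([0078])."""
    return [replace(e, rf=e.rf + p_spf_rf * lam_ccf_fit,
                    mpf_l=e.mpf_l + (1.0 - p_spf_rf) * lam_ccf_fit) if e.name == name else e
            for e in elements]


def meets_asil(elements, asil, t_lifetime_h) -> Dict[str, bool]:
    """Which of the three targets of `asil` the element set satisfies."""
    tgt = ASIL_TARGETS[asil]
    return {"spfm": spfm(elements) >= tgt["spfm"],
            "lfm": lfm(elements) >= tgt["lfm"],
            "pmhf": pmhf_fit(elements, t_lifetime_h) < tgt["pmhf_fit"]}


def highest_asil_met(elements, t_lifetime_h) -> str:
    """Highest of B, C, D whose targets all hold; 'A' if none (ASIL A sets no targets)."""
    best = "A"
    for asil in ("B", "C", "D"):
        if all(meets_asil(elements, asil, t_lifetime_h).values()):
            best = asil
    return best


def max_common_cause_fit(elements, name, asil, t_lifetime_h, p_spf_rf=0.5, hi=1e4) -> float:
    """Quantified requirement considering common cause (page Step 3): the largest common-cause
    rate (FIT) on `name` at which all targets of `asil` still hold.  Each metric only worsens
    as the rate grows, so bisection finds the boundary to within 1e-4 FIT."""
    def ok(x):
        return all(meets_asil(with_common_cause(elements, name, x, p_spf_rf), asil, t_lifetime_h).values())
    if not ok(0.0):
        return 0.0
    lo = 0.0
    while hi - lo > 1e-4:
        mid = (lo + hi) / 2.0
        lo, hi = (mid, hi) if ok(mid) else (lo, mid)
    return lo


# Constructed sample (FIT values invented): an intended-function element that a common cause
# can hit, and the safety mechanism monitoring it; the lifetime is likewise constructed.
SAMPLE = [
    Element("sensor_if", spf=2.0, rf=3.0, mpf_dp=40.0, mpf_l=5.0, safe=400.0),
    Element("monitor_sm", spf=0.0, rf=0.0, mpf_dp=20.0, mpf_l=10.0, safe=100.0, is_sm=True),
]
T_LIFETIME_H = 10_000.0
```

For the constructed sample, `highest_asil_met(SAMPLE, T_LIFETIME_H)` returns "D", and adding a 20 FIT common-cause rate to `sensor_if` drops it to "C" because SPFM falls to 97.5%; `max_common_cause_fit` then shows that the ASIL D budget for that element is only about 1.6 FIT while ASIL C tolerates about 26 FIT, which is the kind of per-ASIL failure-rate index the page's Table 10 tabulates. The SPFM target is the binding constraint here; on a design with a large dual-point product the PMHF target binds instead, and the bisection handles both without change.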
[0108] Referring to Figure 4, a reliability block diagram of a bridge structure according to an embodiment of the present invention, we perform a fault tree analysis, shown in Figure 5, a block diagram of the fault tree analysis according to an embodiment of the present invention. In this embodiment we obtain, by analysis, the reliability expression of the system whose reliability block diagram is the bridge structure, and compare the result with the quantified ASIL requirement considering common-cause failure to obtain the analysis result. Let p1, p2, p3, p4 and p5 be the reliabilities of the five components of Figure 4 under independent failures, with p1 = p2 = p3 = p4 = p0 = P(t), where p0 is the reliability of the bridging component 5 on which the expression below conditions, and let $\lambda_i$ (i = 1, 2, 3, 4, 5) be the rate at which i components fail simultaneously. By the conventional method, the minimal path sets of the system are {1, 3}, {2, 4}, {1, 5, 4} and {2, 5, 3}. Then:
[0109] $R_0 = p_0(p_1 + p_2 - p_1 p_2)(p_3 + p_4 - p_3 p_4) + (1 - p_0)(p_1 p_3 + p_2 p_4 - p_1 p_2 p_3 p_4) = p_1 p_3 + p_2 p_4 + p_0 p_1 p_4 + p_0 p_2 p_3 - p_1 p_2 p_3 p_4 - p_0 p_1 p_2 p_3 - p_0 p_1 p_2 p_4 - p_0 p_1 p_3 p_4 - p_0 p_2 p_3 p_4 + 2 p_0 p_1 p_2 p_3 p_4$
[0110] Since p1 = p2 = p3 = p4 = p0 = P(t), $R_s$ simplifies to:
[0111] $R_s(t) = 2P^2(t) + 2P^3(t) - 5P^4(t) + 2P^5(t)$
[0112]
[0113] In the fault tree analysis of Figure 5, the AND gate involves components 1 to 5, so we take n = 5; hence for this embodiment the number of components affected by common-cause failure is i = 5. Using the common-cause failure metric corresponding to each ASIL proposed in the embodiments above, we can make the following judgment:
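As an added example (not the patent's own code), the Python block below states the basic parameter model of paragraphs [0028] to [0035] in running form and applies it to the bridge of paragraphs [0108] to [0113], so one block serves both passages. λ_j is the rate of each failure process in which exactly j named components fail together; the survival probability of m specified components follows from counting the processes that hit at least one of them, which for m = 1 reduces to the page's C(n−1, j−1) combinations per order. Since the page's own survival formulas are not reproduced, that counting and the exponential form are the example's statement of the model. The bridge is evaluated by inclusion-exclusion over the minimal path sets listed on the page; with the common-cause rates set to zero the result matches the closed form 2P² + 2P³ − 5P⁴ + 2P⁵. The rates and the time t = 1000 h are constructed.

```python
"""Common-cause reliability with the basic parameter model and its use on the bridge
structure: an added example, not the patent's code."""
from itertools import combinations
from math import comb, exp
from typing import FrozenSet, Sequence


def process_rate_sum(n: int, m: int, lam: Sequence[float]) -> float:
    """Total rate of the failure processes that take down at least one of m specified
    components in an n-component system; lam[j-1] is λ_j, the rate of each process in
    which exactly j components fail together (paragraph [0028]).  Of the C(n, j)
    processes of order j, C(n-m, j) avoid the m components, so C(n, j) - C(n-m, j)
    hit at least one of them; for m = 1 this is the page's C(n-1, j-1) per order.
    (This counting is the example's own statement of the model.)"""
    return sum((comb(n, j) - comb(n - m, j)) * lam[j - 1] for j in range(1, n + 1))


def prob_all_intact(n: int, m: int, lam: Sequence[float], t: float) -> float:
    """Pr{S_1 ∩ ... ∩ S_m; t}: m specified components all survive to time t, each
    failure process being exponential with its own rate."""
    return exp(-process_rate_sum(n, m, lam) * t)


def conditional_intact(n: int, lam: Sequence[float], t: float) -> float:
    """Pr{S_2 | S_1; t} = Pr{S_1 ∩ S_2; t} / Pr{S_1; t} (paragraph [0032])."""
    return prob_all_intact(n, 2, lam, t) / prob_all_intact(n, 1, lam, t)


def reliability_1oo2(lam: Sequence[float], t: float, common_cause: bool = True) -> float:
    """1-out-of-2:G system of paragraph [0035]: R = Pr(A) + Pr(B) - Pr(A ∩ B); with common
    cause Pr(A ∩ B) is the joint survival Pr{S_1 ∩ S_2; t}, otherwise P(t)^2."""
    p = prob_all_intact(2, 1, lam, t)
    joint = prob_all_intact(2, 2, lam, t) if common_cause else p * p
    return 2 * p - joint


def reliability_from_path_sets(n: int, path_sets: Sequence[FrozenSet[int]],
                               lam: Sequence[float], t: float,
                               common_cause: bool = True) -> float:
    """Inclusion-exclusion over minimal path sets: R = Σ_k (-1)^(k+1) Σ Pr(every component
    in the union of k path sets is intact).  With common cause the joint survival of a
    union of size m comes from prob_all_intact; without it, it is P(t)^m."""
    p = prob_all_intact(n, 1, lam, t)
    r = 0.0
    for k in range(1, len(path_sets) + 1):
        for group in combinations(path_sets, k):
            m = len(frozenset().union(*group))
            term = prob_all_intact(n, m, lam, t) if common_cause else p ** m
            r += (-1) ** (k + 1) * term
    return r


def bridge_closed_form(p: float) -> float:
    """Page equation [0111]: R_s(t) = 2P^2 + 2P^3 - 5P^4 + 2P^5 for p1..p5 = P(t), independent."""
    return 2 * p**2 + 2 * p**3 - 5 * p**4 + 2 * p**5


# Minimal path sets of the bridge of Figure 4, as listed in paragraph [0108].
BRIDGE_PATH_SETS = [frozenset({1, 3}), frozenset({2, 4}), frozenset({1, 5, 4}), frozenset({2, 5, 3})]

# Constructed rates (per hour) for the five-component bridge: λ_1..λ_5, where λ_5 is the
# process in which one root cause fails all five components at once.
LAM_BRIDGE = [1e-5, 2e-6, 5e-7, 2e-7, 1e-6]
LAM_INDEPENDENT = [1e-5, 0.0, 0.0, 0.0, 0.0]  # single failures only: no common cause

if __name__ == "__main__":
    t = 1000.0
    p = prob_all_intact(5, 1, LAM_INDEPENDENT, t)
    print("independent: path sets %.6f, closed form %.6f" % (
        reliability_from_path_sets(5, BRIDGE_PATH_SETS, LAM_INDEPENDENT, t), bridge_closed_form(p)))
    print("with common cause: component %.6f, bridge %.6f" % (
        prob_all_intact(5, 1, LAM_BRIDGE, t), reliability_from_path_sets(5, BRIDGE_PATH_SETS, LAM_BRIDGE, t)))
```

`process_rate_sum(3, 1, [λ1, λ2, λ3])` returns λ1 + 2λ2 + λ3, the n = 3 per-component rate of paragraph [0038]; for the 1oo2 system the joint survival under common cause is larger than P(t)², so the system reliability is lower than the independent 2P(t) − P(t)² at the same component rates, which is the effect the page's step (2) captures. The bridge check uses the page's path sets unchanged, so the fault tree of Figure 5 can be validated against the same function by computing the minimal cut sets instead.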
[0114] If the result meets the ASIL A requirement with common-cause failure metrics considered, the corresponding risk-control measures must be taken; if it meets the ASIL B or ASIL C requirement with common-cause failure metrics considered, the corresponding risk-control measures must be taken; if it meets the ASIL D requirement with common-cause failure metrics considered, the corresponding risk-control measures must be taken.
[0115] According to embodiments of the present invention, by considering components affected by common-cause failures and deriving a quantified ASIL level requirement considering common-cause failures, we can determine whether the risk of a vehicle functional safety system being affected by common-cause failures meets design requirements and take further measures. The method proposed in these embodiments can also be applied to advanced driver assistance systems, quantifying the risk of being affected by common-cause failures to make judgments and take further measures to reduce the risk.
[0116] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims
1. A method for measuring the risk of common-cause failures in vehicle functional safety, characterized in that it comprises: identifying the components in a first system containing multiple components that are affected by common-cause failure; for each component affected by common-cause failure, determining the probability of a single-point or residual fault and the probability of a multiple-point fault corresponding to each ASIL requirement; and obtaining, from the relationship between the random hardware failure probability metric and the probability of a single-point or residual fault and the probability of a multiple-point fault, a quantified ASIL requirement considering common-cause failure.
2. The method for measuring common-cause failure risk for vehicle functional safety according to claim 1, characterized in that it further comprises: obtaining by analysis a reliability expression of a second system that includes common-cause information; and comparing the result of the reliability expression with the quantified ASIL requirement considering common-cause failure to obtain the analysis result.
3. The method for measuring common-cause failure risk for vehicle functional safety according to claim 1, characterized in that determining, for each component affected by common-cause failure, the probability of a single-point or residual fault and the probability of a multiple-point fault corresponding to each ASIL requirement comprises: determining the probability of a single-point or residual fault and the probability of a multiple-point fault from the probability distribution associated with common-cause failure.
4. The method for measuring common-cause failure risk for vehicle functional safety according to claim 2, characterized in that obtaining by analysis the reliability expression of the second system that includes common-cause information comprises: obtaining that reliability expression by fault tree analysis.
5. A common-cause failure risk measurement system for vehicle functional safety, characterized in that it comprises: a component identification module for identifying the components in a first system containing multiple components that are affected by common-cause failure; a probability determination module for determining, for each component affected by common-cause failure, the probability of a single-point or residual fault and the probability of a multiple-point fault corresponding to each ASIL requirement; and a quantified-requirement acquisition module for obtaining, from the relationship between the random hardware failure probability metric and the probability of a single-point or residual fault and the probability of a multiple-point fault, the quantified ASIL requirement considering common-cause failure.
6. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that the processor, when executing the program, implements the steps of the common-cause failure risk measurement method for vehicle functional safety according to any one of claims 1 to 4.
7. A non-transitory computer-readable storage medium having a computer program stored thereon, characterized in that the computer program, when executed by a processor, implements the steps of the common-cause failure risk measurement method for vehicle functional safety according to any one of claims 1 to 4.
8. A vehicle, characterized in that it comprises the common-cause failure risk measurement system for vehicle functional safety according to claim 5.
Citation Information
Patent Citations
- CN110658308A: Safety and reliability evaluation method for flue gas online monitoring system with consideration of common cause failure
- CN206021026U: Automatically controlled unit of vehicle chassis based on functional safety characteristic