The Top 35 ISO 26262 acronyms and abbreviations
January 5, 2015
A glossary of ISO 26262 abbreviations and acronyms can be a great help to understanding functional safety standards.
INTRODUCTION:
Over the last one-and-a-half years that I have been elbow-deep working on the FlexNoC Resilience Package, I’ve been keeping a running list of ISO abbreviations and acronyms that reoccurred in my work, and kept confusing me whenever I performed a “context switch” from working on different projects to working on my functional safety products.
I’ve received feedback that my list is helpful, so I’m publishing it in the hope that it helps you, too. I’ve attempted to explain everything in “plain English” and have referred to the specific “chapter and verse” in the ISO 26262 specification where the term is officially explained (kind of like Bible Study notes!).
Also, for a short explanation of ISO 26262 functional safety certification, please see my article, “A Primer On ISO 26262 Certification.”
ISO 26262 FUNCTIONAL SAFETY ACRONYM AND ABBREVIATION TABLE:
Please let me know if there are other terms that should be on this list, or if you have better explanations than the ones I currently use in my “ISO 26262 cheat sheet”.
Abbreviation | Meaning | Description | ISO Reference(s)
---|---|---|---
ASIL | Automotive Safety Integrity Level | One of four levels specifying the ISO 26262 requirements and safety measures (1.110) that an item (1.69) or element (1.32) needs in order to avoid unreasonable residual risk (1.97); D is the most stringent and A the least. QM (quality management) is not an ASIL: it means no ISO 26262 safety requirement applies. ISO 26262-9 describes the ASIL-oriented analyses in detail. | ISO 26262-1 1.6; ISO 26262-9
ASIL Decomposition | Automotive Safety Integrity Level Decomposition | Apportioning of safety requirements redundantly to sufficiently independent elements (1.32), with the objective of reducing the ASIL (1.6) of the redundant safety requirements allocated to those elements. ISO 26262-9 Clause 5 treats it under the heading "ASIL tailoring"; the permitted decomposition schemes (for example ASIL D into ASIL C(D) plus ASIL A(D), or ASIL B(D) plus ASIL B(D)) are charted in ISO 26262-9 5.4.10. The decomposed elements must be shown to be independent by a dependent failure analysis (DFA), otherwise the decomposition is void. | ISO 26262-1 1.7; ISO 26262-9 5
AUTOSAR | AUTomotive Open System ARchitecture | Not defined in ISO 26262; "an open and standardized automotive software architecture, jointly developed by automobile manufacturers, suppliers and tool developers." [Wikipedia] | http://www.autosar.org; http://en.wikipedia.org/wiki/AUTOSAR
CCF | Common Cause Failure | Failure (1.39) of two or more elements (1.32) of an item (1.69) resulting from a single specific event or root cause. Common cause failures are dependent failures (DF) (1.22) that are not cascading failures (CF) (1.13). | ISO 26262-1 1.14
CF | Cascading Failure | Failure (1.39) of an element (1.32) of an item (1.69) causing another element or elements of the same item to fail. Cascading failures are dependent failures (DF) (1.22) that are not common cause failures (CCF) (1.14). | ISO 26262-1 1.13
CMF | Common Mode Failure | A common cause failure (CCF) in which the affected elements fail in the same way (the same failure mode). It is the particular threat to redundant channels built from identical parts, which do not by themselves protect against it. Analysed with fault tree analysis (FTA) and in the dependent failure analysis (DFA). | ISO 26262-10 B.3.2
DC | Diagnostic Coverage | Proportion of the hardware element (1.32) failure rate (1.41) that is detected or controlled by the implemented safety mechanisms (1.111), expressed as a percentage. ISO 26262-5 Annex D tabulates the coverage (low about 60 %, medium about 90 %, high about 99 %) that can typically be claimed for common safety mechanisms. | ISO 26262-1 1.25; ISO 26262-5 D
DCLS | Dual Core Lockstep | Two identical cores execute the same instruction stream in parallel and their outputs are compared; a mismatch flags an error. [Wikipedia] In ISO 26262 designs the "checker" core usually runs one or two clock cycles behind the "reference" core (delayed lockstep) so that a single disturbance such as a power glitch does not affect both cores identically and slip past the comparator undetected. Lockstep detects errors; recovery (reset, retry, transition to the safe state) is a separate mechanism. | http://en.wikipedia.org/wiki/Lockstep_(computing)
DF | Dependent Failure | Failures (1.39) whose probability of simultaneous or successive occurrence cannot be expressed as the simple product of the unconditional probabilities of each of them. Dependent failures include common cause failures (CCF) (1.14) and cascading failures (CF) (1.13). ISO 26262-9 Clause 7 explains dependent failure analysis (DFA). | ISO 26262-1 1.22; ISO 26262-9 7
DFA | Dependent Failure Analysis | Aims to identify the single events or single causes that could bypass or invalidate a required independence or freedom from interference between given elements and so violate a safety requirement or a safety goal. | ISO 26262-9 7
DIA | Development Interface Agreement | Agreement between customer and supplier in which the responsibilities for activities, evidence or work products to be exchanged by each party are specified. An example DIA is given in ISO 26262-8 Annex B. | ISO 26262-1 1.24; ISO 26262-8 5; ISO 26262-8 B
DTI | Diagnostic Test Interval | Amount of time between the executions of online diagnostic tests by a safety mechanism. Together with the fault reaction time it must fit inside the FTTI. See ISO 26262-5 Annex D for analysis. | ISO 26262-1 1.26; ISO 26262-5 D
E/E/PE | Electrical, Electronic and Programmable Electronic | IEC 61508-4 3.2.6 defines this as based on electrical and/or electronic and/or programmable electronic technology (see the examples given there). ISO 26262 is the adaptation of IEC 61508 to E/E systems in road vehicles. | IEC 61508-4 3.2.6
EMI | Electromagnetic Interference | Disturbance that affects an electrical circuit due to either electromagnetic induction or electromagnetic radiation emitted from an external source. [Wikipedia] | ISO 26262-2; http://en.wikipedia.org/wiki/Electromagnetic_interference
EOS | Electrical Overstress | Electrical overstress failures can be classified as thermally induced, electromigration-related and electric-field-related failures, and can result in a latch-up short circuit. [Wikipedia] An example of a failure rate resulting from EOS is in ISO 26262-10 A.3.4.2.4. Calculation methods are in IEC TR 62380, "Reliability data handbook – Universal model for reliability prediction of electronics components, PCBs and equipment". | ISO 26262-10 A.3.4.2.4; IEC TR 62380; http://en.wikipedia.org/wiki/Failure_modes_of_electronics
ESD | Electrostatic Discharge | A subclass of electrical overstress (EOS): the sudden flow of electricity between two electrically charged objects caused by contact, an electrical short, or dielectric breakdown. [Wikipedia] See ISO 26262-5 Annex E for a worked example of SPFM and LFM calculation. | ISO 26262-2; http://en.wikipedia.org/wiki/Electrostatic_discharge
FIT | Failure In Time | The number of failures expected in one billion (10^9) device-hours of operation, so 1 FIT = 10^-9 failures per hour. [Wikipedia] For a constant failure rate, MTBF (in hours) = 10^9 / FIT. ISO 26262-5 expresses element failure rates and the PMHF in FIT; the ASIL D PMHF target of 10^-8 per hour is 10 FIT. | ISO 26262-5; https://en.wikipedia.org/wiki/Failure_rate
FMEA | Failure Mode and Effects Analysis | As opposed to fault tree analysis (FTA), FMEA is an inductive (bottom-up, see Figure B.1 of ISO 26262-10) approach focusing on the individual parts of the system, how they can fail and the impact of those failures on the system. Analysis starts at faults, which can lead to errors and then failures. Can be qualitative or quantitative. | ISO 26262-10 B; http://en.wikipedia.org/wiki/Failure_mode_and_effects_analysis
FMEDA | Failure Mode Effects and Diagnostic Analysis | An FMEA extended with diagnostics: for each failure mode of a hardware element it records the failure rate (FIT), whether the mode can violate a safety goal, and the diagnostic coverage (DC) of the safety mechanism that addresses it, which gives the inputs for SPFM, LFM and PMHF. TÜV describes it as "a procedure for the detailed determination of error causes and their impact on the system" that "can be very efficiently used in the early stages of systems development for the purpose of early identification of weaknesses." [TÜV website] | https://www.tuev-nord.de/en/functional-safety/our-services/hazard-and-risk-analysis/fmeda/
FTA | Fault Tree Analysis | As opposed to FMEA, fault tree analysis is a deductive (top-down, see Figure B.2 of ISO 26262-10) approach starting with the undesired system behaviour and determining the possible causes of that behaviour. Can be qualitative or quantitative. | ISO 26262-10 B
FTTI | Fault Tolerant Time Interval | Time span in which a fault or faults can be present in a system before a hazardous event occurs. The safety mechanism must detect the fault and bring the item to a safe state inside that window, so the diagnostic test interval (DTI) plus the fault reaction time must be shorter than the FTTI (illustrated in ISO 26262-1 under 1.44). | ISO 26262-1 1.44
HSI | Hardware-Software Interface | Specification of everything the software relies on from the hardware and vice versa: register maps, interrupts, timing, resource sharing and the diagnostic features the software must exercise. ISO 26262-4 Annex B gives a detailed list of example contents. | ISO 26262-4 B
LFM | Latent Fault Metric | Latent faults are multiple-point faults (1.77) whose presence is neither detected by a safety mechanism (1.111) nor perceived by the driver within the multiple-point fault detection interval (MPFDI) (1.78). The LFM is a hardware architectural metric that reveals whether the coverage by safety mechanisms against latent faults in the hardware architecture is sufficient; ISO 26262-5 Table 5 sets targets of at least 90 % for ASIL D, 80 % for ASIL C and 60 % for ASIL B. The single point fault metric (SPFM) is the other hardware architectural metric. | ISO 26262-1 1.71; ISO 26262-4 6.4.3; ISO 26262-5 8; ISO 26262-5 C; ISO 26262-5 E
MBU | Multiple Bit Upset | Two or more bits of the same word upset by one event, for example one particle strike spanning adjacent cells. A single-error-correcting code cannot correct it: SEC-DED detects a double-bit upset but cannot repair it, and a triple-bit upset may be silently miscorrected. Memories therefore interleave the bits of a word physically so that adjacent cells belong to different words. | JESD89A
MPFDI | Multiple Point Fault Detection Interval | The time span within which a multiple-point fault (1.77) must be detected before it can contribute to a multiple-point failure (1.76). | ISO 26262-1 1.78; ISO 26262-4 6.4.4
PMHF | Probabilistic Metric for random Hardware Failures | Estimate of the average probability per hour, over the item's operational lifetime, that a safety goal is violated by random hardware failures. It aggregates absolute failure rates, in FIT, of single-point, residual and dual-point (latent) faults; it is not a sum of the SPFM and LFM percentages. ISO 26262-5 Table 6 gives targets of less than 10^-8 per hour (10 FIT) for ASIL D and less than 10^-7 per hour (100 FIT) for ASIL C and B; calculation methods are in ISO 26262-5 Annex F. | ISO 26262-5 9; ISO 26262-5 F
SEE | Single Event Effect | Any effect on a circuit caused by a single energetic particle, typically a neutron from a cosmic-ray shower or an alpha particle from package materials. Non-destructive SEEs ("soft errors") include single event upsets (SEU) and single event transients (SET); single event latch-up (SEL) is potentially destructive. See ISO 26262-5 Annex D for safety mechanisms against transient faults. | ISO 26262-5 D
SEL | Single Event Latch-up | A single event effect in which a particle strike triggers the parasitic thyristor (PNPN) structure inherent in bulk CMOS, putting the device into a low-impedance, high-current state. Unlike an SEU it is not a soft error: it persists until the power is cycled and can destroy the device unless the current is limited. Latch-up can also be triggered electrically, e.g. by ESD or overvoltage, but that is not a "single event" in the radiation sense. [Wikipedia] | http://en.wikipedia.org/wiki/Latchup
SEooC | Safety Element out of Context | A safety-related element that is not developed for a specific item, i.e. not in the context of a particular vehicle; it is developed against assumed safety requirements that must be validated when it is integrated into a real item. | ISO 26262-10 9
SET | Single Event Transient | A "glitch": a voltage pulse produced when the charge deposited by an ionizing particle is collected at a circuit node and propagates as a spurious signal through combinational logic. It is a soft-error transient fault and a type of SEE (it is not an effect of ESD). If the pulse reaches a flip-flop or memory cell and an incorrect value is latched, the result is a single event upset (SEU). [Wikipedia] | http://en.wikipedia.org/wiki/Single_event_upset
SEU | Single Event Upset | A soft, non-destructive "bit flip" in a memory cell, latch or flip-flop caused by a single ionizing particle (cosmic-ray neutrons, alpha particles). It is a type of SEE and is corrected by rewriting the cell, for example by ECC. [Wikipedia] | http://en.wikipedia.org/wiki/Single_event_upset
SPFM | Single Point Fault Metric | Single-point faults are faults (1.42) in an element (1.32) that are not covered by any safety mechanism (1.111) and lead directly to the violation of a safety goal (1.108); residual faults are the uncovered part of faults that do have a safety mechanism. Both count against the SPFM, a hardware architectural metric that reveals whether the coverage by safety mechanisms against single-point faults in the hardware architecture is sufficient; ISO 26262-5 Table 4 sets targets of at least 99 % for ASIL D, 97 % for ASIL C and 90 % for ASIL B. The latent fault metric (LFM) is the other hardware architectural metric. | ISO 26262-1 1.122; ISO 26262-5 8; ISO 26262-5 C; ISO 26262-5 E
TCL | Tool Confidence Level | Determined from tool impact (TI) and tool error detection (TD) with Table 3 in ISO 26262-8 11.4.5.5: TI1, or TI2 with TD1, gives TCL1, which needs no qualification; TI2 with TD2 gives TCL2 and TI2 with TD3 gives TCL3, both of which require tool qualification, with the methods depending on the ASIL. Values are TCL1, TCL2 and TCL3. | ISO 26262-8 11.4.5.5
TD | Tool Error Detection | The confidence in measures that prevent the software tool from malfunctioning and producing corresponding erroneous output, or in measures that detect that the software tool has malfunctioned and has produced corresponding erroneous output. Values are TD1 (high confidence), TD2 (medium) and TD3 (low). | ISO 26262-8 11.4.5.2
TI | Tool Impact | The possibility that a malfunction of a particular software tool can introduce or fail to detect errors in a safety-related item or element being developed. Values are TI1 (no such possibility) and TI2 (all other cases). | ISO 26262-8 11.4.5.2