Safety critical technical systems may include a plurality of subsystems each including components. These components may include hardware and/or software components. Safety critical systems may include complex systems with distributed subsystems and/or system components. Some subsystems may be formed by embedded systems. For such a complex system, the consequences of potential failures on the functionality of the whole system are to be examined.
A Failure Mode and Effects Analysis (FMEA) may be used to examine the consequences of potential failures on the functionality of an investigated system. Different variations of FMEA analysis are currently used in most technical domains to analyze safety critical systems. Since safety critical systems are normally of high technical complexity, automation and tool support have a long history in research and industry. Whereas compact embedded systems may be analyzed using conventional FMEA in a manually maintained table, complex systems easily result in unmanageably long tables, especially if larger development teams are involved in developing the specific system. In conventional failure mode and effects analysis, a measure is typically described textually, for documentary reasons, and refers to the detection of a specific failure mode and its effect on the system. Such a conventional failure mode and effects analysis method has several drawbacks. The described measures refer to the detection of a failure mode instead of describing a global system state of the investigated system. Sometimes it may be sufficient to document that a certain failure mode is sufficiently covered by a specific diagnostic measure (e.g., to document that all single point failures have been covered). However, for a system with high availability requirements (e.g., for a safety critical system), it is important to know how often a diagnostic measure brings the system into a degraded mode, where the system is in a safe state but is not able to fulfill all its functions.
Further, textually described measures do not support the analysis of different degraded modes of the system. Since many different measures may exist to prevent single point failures, a fraction of the measures may result in the same degraded state, whereas a different fraction may result in another degraded state of the system. Textual descriptions do not provide a consistent analysis to distinguish multiple degraded modes when performing a complex FMEA analysis of a complex technical system. Typically, FMEA tables (e.g., spreadsheet tables) for complex systems are long and contain many different diagnostic measures. For example, for a component of an investigated system such as a capacitor in an electronic circuit, a failure mode such as “short circuit” may have the effect that “an amplification factor exceeds limitation.” Such an effect may be, for example, detected by a diagnostic measure “pulsed test will detect this failure.” This is a textual description of a measure to be taken, but there is no description of the state the system will be in if this measure is active. Even an additional text field does not allow the availability of the system to be analyzed, since the same measure may occur multiple times spread over the entire FMEA analysis.
For the diagnostic measure “pulsed test will detect this failure” of a conventional FMEA analysis, no description may be given of how the system reacts if this measure is activated. It may be that the measure for the “short circuit” failure mode of the component capacitor results in a system state where no function is available until the investigated system is reset and the capacitor has been exchanged. Another failure mode such as “open circuit on pin2” on another component such as a transistor may also be detected by the diagnostic measure “pulsed test will detect this failure” but will result in a different degraded state of the investigated system (e.g., all functions of the system are still available but with a reduced speed). Again, an additional textual description does not enable the analysis of different modes that reduce availability if the investigated system is comparatively complex.
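The following is an added illustration, not part of the original text, of the point made above: the same textual measure “pulsed test will detect this failure” can lead to different degraded states, which only becomes visible when each FMEA row records the resulting system state explicitly. The rows, the degraded-state labels and the `FmeaRow` structure are constructed for this example; the resistor row is a hypothetical entry that only documents the measure, as a conventional table would.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed labels for degraded modes of the investigated system: safe states
# the system enters when a diagnostic measure fires (not taken from any standard).
NO_FUNCTION = "no function until reset and component exchange"
REDUCED_SPEED = "all functions available at reduced speed"


@dataclass(frozen=True)
class FmeaRow:
    component: str
    failure_mode: str
    effect: str
    measure: str                    # textual diagnostic measure (conventional FMEA)
    degraded_state: Optional[str]   # explicit system state the measure leads to; None if text only


# Constructed FMEA rows following the capacitor/transistor example above; the
# transistor and resistor effects are invented for illustration.
ROWS = [
    FmeaRow("capacitor C1", "short circuit", "amplification factor exceeds limitation",
            "pulsed test will detect this failure", NO_FUNCTION),
    FmeaRow("transistor T1", "open circuit on pin2", "stage output stuck",
            "pulsed test will detect this failure", REDUCED_SPEED),
    FmeaRow("resistor R3", "drift", "bias point shifts",
            "pulsed test will detect this failure", None),  # measure documented, state not
]


def rows_by_measure(rows):
    """Conventional view: grouping by the textual measure lumps all rows together
    and hides that they end in different degraded states."""
    groups = defaultdict(list)
    for r in rows:
        groups[r.measure].append(r)
    return dict(groups)


def rows_by_degraded_state(rows):
    """Availability view: how many failure modes bring the system into each degraded mode."""
    groups = defaultdict(list)
    for r in rows:
        if r.degraded_state is not None:
            groups[r.degraded_state].append(r)
    return dict(groups)


def undocumented_states(rows):
    """Rows where a measure is described textually but the resulting system state is not."""
    return [r for r in rows if r.degraded_state is None]
```

Grouping by measure yields a single bucket of three rows, while grouping by degraded state separates the reset-and-exchange case from the reduced-speed case and exposes the row whose state was never recorded.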