The Three Hardware Safety Metrics
Before working through the calculation, it is important to understand what each metric measures and why it exists.
Single-Point Fault Metric (SPFM) measures the fraction of failure modes with safety impact whose effects are detected or prevented by safety mechanisms before they cause a safety violation. It targets failures that, on their own, could directly cause a safety goal violation — single-point faults. The SPFM requirement is: SPFM ≥ 90% for ASIL C, SPFM ≥ 99% for ASIL D.
Latent Fault Metric (LFM) measures the fraction of failure modes that are not immediately safety-critical but, combined with a subsequent fault, could cause a safety violation — latent faults. These faults are dangerous not because they immediately violate the safety goal but because they defeat a safety mechanism and leave the system vulnerable to the next fault. LFM ≥ 60% for ASIL B, ≥ 80% for ASIL C, ≥ 90% for ASIL D.
Probabilistic Metric for random Hardware Failures (PMHF) is the probability per vehicle operating hour that a random hardware failure causes a safety goal violation, integrated over the vehicle's lifetime. This is the metric that must meet the numerical targets: PMHF < 10 FIT (10 × 10⁻⁹ per hour) for ASIL D, < 100 FIT for ASIL C.
The relationship between the three metrics: SPFM and LFM are architectural metrics — they measure the fraction of failures that safety mechanisms handle. PMHF is a numerical metric — it integrates the failure rate of the hardware with the SPFM/LFM results to compute the residual risk in absolute terms.
The FMEDA Process
Step 1: Define the Hardware Element and Its Safety Goal
The FMEDA scope is a specific hardware element — an IC, a subsystem, a sensor — whose failure could contribute to a safety goal violation.
For this example: a motor position sensor (resolver) used in an electric power steering (EPS) system. The safety goal is SG-EPS-01: "The EPS system shall not apply steering torque in the unintended direction." This safety goal has ASIL D.
The sensor's contribution to the safety goal: the sensor provides the steering motor position signal that the EPS control algorithm uses to determine steering direction and magnitude. A sensor failure that provides incorrect position data could cause the algorithm to apply torque in the wrong direction.
Step 2: Identify Failure Modes and Failure Rates
For each internal component of the hardware element, list all relevant failure modes with their failure rates. Failure rates are sourced from:
- IEC 61709 / Siemens SN 29500 reliability data
- Supplier-specific failure rate data (preferred for IC components)
- MIL-HDBK-217F (for legacy components)
For the resolver, failure modes include: open circuit in the excitation winding, short circuit in the excitation winding, open circuit in sin/cos output winding, short circuit in sin/cos output winding, bearing failure (mechanical), magnetic material degradation (slow drift), and signal processing failure in the interface IC.
Each failure mode has a failure rate in FIT (failures per 10⁹ operating hours). Example values:
Total failure rate: 67 FIT.
Step 3: Classify Each Failure Mode
Each failure mode (or the relevant portion of its failure rate) falls into one of the following categories:
Single-Point Fault (SPF): A failure that directly violates the safety goal without requiring a second fault. In our example, "output stuck high" on the interface IC is an SPF — the EPS system receives a fixed, incorrect position signal and may apply torque in the wrong direction.
Latent Fault (LF): A failure that does not immediately violate the safety goal but that, if undetected, leaves the system in a state where a subsequent failure could cause a safety goal violation. "Slow drift" in the magnetic core is a latent fault: the position signal degrades gradually, eventually producing a position error large enough to cause incorrect torque application — but early in the drift process, the error may be within acceptable bounds.
Residual Fault (RF): The portion of a failure mode's failure rate that is not detected by any safety mechanism. For each failure mode where a safety mechanism provides partial coverage, the undetected fraction becomes the residual fault contribution.
Safe Fault: A failure that does not affect the safety goal — either because it affects only non-safety functions, or because its effect is inherently harmless. "Bearing excessive friction" that is immediately detectable by the driver through increased steering effort is arguably a safe fault from the perspective of the steering safety goal, if it does not cause incorrect torque direction.
Step 4: Assign Diagnostic Coverage
For each safety-relevant failure mode, determine what safety mechanisms exist that detect or prevent the failure, and estimate the Diagnostic Coverage (DC) — the fraction of that failure mode's failure rate that the safety mechanism covers.
DC estimation is the most judgment-intensive part of FMEDA. ISO 26262-5 Annex D provides DC estimation guidance, and IEC 61508-2 Annex D provides additional reference values. But actual DC values must be justified for the specific safety mechanism in the specific application.
For our resolver:
Plausibility check (sin²+cos²=1 check): The resolver output satisfies sin²+cos²=1 when the sensor is healthy. Deviations from this relationship indicate winding damage or interface IC faults. DC for "open circuit in sin/cos winding" with respect to this check: 97% (some failure patterns produce outputs that satisfy the equation approximately even when faulty).
Periodic test (null position check at startup): At startup, the known mechanical null position is compared to the sensor output. This detects stuck-at failures in the interface IC. DC: 95%. But: this test only runs at startup, not during operation. The DC applies only to the startup interval, not to failures that develop during operation.
Step 5: Calculate SPFM and LFM
For each failure mode:
- Detected SPF fraction: failure rate × DC (the portion detected by safety mechanisms)
- Residual SPF fraction: failure rate × (1 - DC) (the undetected portion)
- Detected LF fraction: similarly calculated for latent faults
SPFM = Σ(Detected SPF failure rates) / Σ(All SPF failure rates, detected and residual)
LFM = Σ(Detected LF failure rates) / Σ(All LF failure rates, detected and residual)
For our example (using simplified numbers):
Total SPF failure rate: 42 FIT (sum of single-point fault failure rates)
Total detected SPF failure rate: 40.4 FIT (applying DCs from above)
SPFM = 40.4 / 42 = 96.2%
This meets ASIL C (≥90%) but does not meet ASIL D (≥99%). The architecture needs an additional safety mechanism, or the failure mode analysis needs to identify additional diagnostic coverage.
Step 6: Calculate PMHF
PMHF = Σ(Residual failure rate contributions) for all safety-relevant failure modes
For failure modes with partial diagnostic coverage, the residual contribution is:
Residual contribution = failure rate × (1 - DC) × fraction of vehicle life during which failure could cause harm
The total PMHF must be compared against the target from ISO 26262-5 Table 4:
- ASIL B: < 1000 FIT (10⁻⁶ per hour)
- ASIL C: < 100 FIT (10⁻⁷ per hour)
- ASIL D: < 10 FIT (10⁻⁸ per hour)
For our example, the residual PMHF from the 96.2% SPFM result is approximately 1.6 FIT from single-point faults alone — below the ASIL D threshold. However, the latent fault contributions (slow drift, bearing wear) must also be included. With latent fault contributions included, total PMHF for this element is approximately 5.8 FIT — still below the 10 FIT ASIL D threshold.
Whether the overall system meets the ASIL D PMHF target depends on the PMHF contributions of all other hardware elements in the safety-relevant signal path — the interface IC, the analog-to-digital converter, the processing SoC, and the communications path.
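The Step 5 and Step 6 arithmetic, carried out in code over the resolver failure modes. This is an added example, not part of the original article or of ISO WIZ; the per-mode FIT values, DCs and exposure fractions are constructed assumptions chosen so that the totals reproduce the figures above (42 FIT of single-point faults, 40.4 FIT detected, 67 FIT overall, 5.8 FIT PMHF), and the formulas are the article's simplified ones rather than the full ISO 26262-5 definitions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FailureMode:
    name: str
    fit: float              # failure rate in FIT (failures per 1e9 operating hours)
    cls: str                # "SPF" (single-point), "LF" (latent) or "SAFE"
    dc: float = 0.0         # diagnostic coverage of the safety mechanism, 0.0..1.0
    exposure: float = 1.0   # fraction of vehicle life during which the fault can cause harm

# Constructed resolver FMEDA (assumed values; only the totals match the article).
# The startup null-position check only covers stuck-at faults present at start-up,
# so a lower DC than the mechanism's nominal 95% would be justified for faults
# arising mid-drive; that caveat is not modelled here.
RESOLVER = [
    FailureMode("excitation winding open",     8.0, "SPF", dc=0.96),
    FailureMode("excitation winding short",    6.0, "SPF", dc=0.96),
    FailureMode("sin/cos winding open",       10.0, "SPF", dc=0.97),  # sin^2+cos^2=1 check
    FailureMode("sin/cos winding short",       8.0, "SPF", dc=0.97),  # sin^2+cos^2=1 check
    FailureMode("interface IC output stuck",  10.0, "SPF", dc=0.95),  # startup null check
    FailureMode("magnetic core slow drift",   12.0, "LF",  dc=0.80),
    FailureMode("bearing wear",                8.0, "LF",  dc=0.70, exposure=0.75),
    FailureMode("bearing excessive friction",  5.0, "SAFE"),
]

# Targets as stated in the article: (SPFM, LFM, PMHF in FIT).
ASIL_TARGETS = {"C": (0.90, 0.80, 100.0), "D": (0.99, 0.90, 10.0)}

def metric(modes, cls):
    """Detected share of the class's failure rate: SPFM for cls='SPF', LFM for cls='LF'."""
    total = sum(m.fit for m in modes if m.cls == cls)
    detected = sum(m.fit * m.dc for m in modes if m.cls == cls)
    return detected / total if total else 1.0

def pmhf(modes):
    """Residual failure rate in FIT: undetected fraction of each safety-relevant mode, weighted by exposure."""
    return sum(m.fit * (1.0 - m.dc) * m.exposure for m in modes if m.cls in ("SPF", "LF"))

def meets(modes, asil):
    """Per-metric pass/fail against the ASIL targets; a False entry is the gap to close."""
    spfm_t, lfm_t, pmhf_t = ASIL_TARGETS[asil]
    return {"SPFM": metric(modes, "SPF") >= spfm_t,
            "LFM": metric(modes, "LF") >= lfm_t,
            "PMHF": pmhf(modes) < pmhf_t}

if __name__ == "__main__":
    print(f"total {sum(m.fit for m in RESOLVER):.1f} FIT, SPFM {metric(RESOLVER, 'SPF'):.1%}, "
          f"LFM {metric(RESOLVER, 'LF'):.1%}, PMHF {pmhf(RESOLVER):.1f} FIT")
    for asil in ASIL_TARGETS:
        print(asil, meets(RESOLVER, asil))
```

With these inputs SPFM comes out at 96.2% and PMHF at 5.8 FIT, so the element passes the ASIL D PMHF target while failing the ASIL D SPFM target, exactly the situation the article describes.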
FMEDA in Context: What It Does Not Cover
FMEDA addresses random hardware failures — failures that occur stochastically based on the component failure rates. It does not address:
Systematic failures: Design errors, manufacturing defects, and software bugs that are not random. These are addressed by the ISO 26262 software and hardware development process requirements, not by FMEDA.
Common cause failures: A shared supply voltage failure that defeats both channels simultaneously is not captured in a per-element FMEDA. This is the domain of Dependent Failure Analysis (DFA), which must be performed separately.
How ISO WIZ Manages FMEDA
ISO WIZ maintains FMEDA work products as live, traceable documents linked to the safety mechanism list in the functional safety concept.
When the hardware architecture changes — a component is replaced, a diagnostic function is added — ISO WIZ identifies which FMEDA entries reference the changed component and flags them for update. When the FMEDA results change (because components or DCs changed), the impact on SPFM, LFM, and PMHF targets is recalculated automatically, and the gap to the ASIL targets is displayed.
The DFA connection is live: if a DFA finding identifies a common cause that invalidates an independence claim, ISO WIZ flags the FMEDA entries that assumed that independence in their diagnostic coverage calculations. The safety engineer sees the DFA finding and its implications for FMEDA simultaneously — rather than discovering six months later that the FMEDA was built on an assumption that the DFA invalidated.