---
doc-id: SLM-EPB-FMEDA-001
version: 1.0
status: Released
date: 2026-05-12
---

# Failure Mode Effects and Diagnostic Analysis (FMEDA)

| Field | Value |
|---------------|----------------------------------------|
| Project | demo-epb |
| Document ID | SLM-EPB-FMEDA-001 |
| Version | 1.0 |
| Status | Released |
| Date | 2026-05-12 |
| Standard | ISO 26262-5 §8 and ISO 26262-10 |

---

## 1. Purpose

Bottom-up analysis of the EPB hardware and software failure modes, quantifying the Diagnostic Coverage (DC) of each detection mechanism and computing the Single-Point Fault Metric (SPFM) and the Latent Fault Metric (LFM). These are required for the hardware architectural metrics per ISO 26262-5. This demo covers the **software** portion; the hardware FMEDA is provided separately by the component manufacturer.

## 2. Methodology

For each software component, the possible failure modes are listed, their effects described, the detection mechanisms identified, and the diagnostic coverage estimated. DC classes as used in this document:

| DC class | DC % | Meaning |
|-----------|-------|--------------------------------------|
| Low | < 60% | Weak diagnostics |
| Medium | 60-90% | Medium diagnostics |
| High | > 90% | Strong diagnostics |

**Note:** ISO 26262-5 Annex D assigns the class names low, medium and high to DC values of 60 %, 90 % and 99 % respectively. The bands above are a coarser project convention: a mechanism rated "High" here (> 90 %) does not automatically reach the ISO "high" (99 %) level, so the classes must be mapped to the ISO values before they feed a quantitative hardware FMEDA.

## 3. FMEDA table per component

### 3.1 SWA-002 Apply Controller (ASIL-D)

| FM-ID | Failure mode | Effect | Detection | DC | Safe state reached? |
|-------|---------------------------------------|--------------------------------------|---------------------------------|-------|----------------------|
| FM-01 | State machine stuck in APPLYING | Brake never applied | Timeout 30 × 50 ms (1.5 s) → ERROR | High | Yes (ERROR state) |
| FM-02 | State transition APPLIED → RELEASED without the release condition | Roll-away | Precondition check (`release_preconditions_ok`) | High | Yes |
| FM-03 | Watchdog tick counter wraps | Watchdog fires a false positive | Wrap-safe subtraction in the watchdog (NC-001) | High | Yes (reset) |
| FM-04 | Hold loop does not re-clamp | Clamping-force loss goes undetected | Periodic check every 50 ms against the force tolerance | High | Yes (re-apply) |
| FM-05 | NULL pointer dereference on input | Crash | Early-exit check on NULL input | High | Yes (last state retained) |

Aggregated DC for the Apply Controller: **96%** (High).

### 3.2 SWA-003 Actuator Driver (ASIL-B)

| FM-ID | Failure mode | Effect | Detection | DC |
|-------|------------------------------------------|--------------------------------------|---------------------------------|-------|
| FM-06 | PWM value outside 0..100 | Hardware damage | Parameter check, return EINVAL | High |
| FM-07 | ISR measures continuously high current | Motor overheating (fire risk) | Overcurrent cutoff: > 8 A for > 100 ms | High |
| FM-08 | ISR measures too-low current (sensor fault) | Clamping force estimated wrongly | Cross-check between the two actuators | Medium |
| FM-09 | Both actuators cut off simultaneously | EPB inoperative | DTC; service mode remains reachable | Medium |

Aggregated DC for the Actuator Driver: **85%** (Medium).
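Worked illustration of the FM-01, FM-03, FM-04 and FM-05 diagnostics from 3.1, added to this page and not taken from the SWA-002 source. The 50 ms cycle and the 30-cycle timeout are the values from the table; the state names, the clamping-force target and tolerance, the input structure and the `release_preconditions_ok` flag as a caller-supplied input are assumptions made for the example.

```c
/* Added example for 3.1 (FM-01, FM-03, FM-04, FM-05): a cut-down Apply
 * Controller step carrying the diagnostics from the FMEDA table. Written for
 * this page, not the SWA-002 source. The 50 ms cycle and 30-cycle timeout are
 * from the table; state names, force target/tolerance and the input struct
 * are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>

#define APPLY_TIMEOUT_CYCLES 30u    /* FM-01: 30 x 50 ms = 1.5 s in APPLYING */
#define FORCE_TARGET_N     1000u    /* assumed clamping-force target */
#define FORCE_TOLERANCE_N   100u    /* assumed hold tolerance (FM-04) */

typedef enum { EPB_RELEASED, EPB_APPLYING, EPB_APPLIED, EPB_ERROR } epb_state_t;

typedef struct {
    epb_state_t state;
    uint32_t    apply_start_tick;   /* 50 ms tick at which APPLYING was entered */
    uint32_t    reapply_count;      /* FM-04 re-clamps, for diagnostics */
} epb_ctrl_t;

typedef struct {
    bool     apply_request;
    bool     release_request;
    bool     release_preconditions_ok;  /* FM-02 guard, evaluated by the caller */
    uint32_t force_n;                   /* measured clamping force */
    uint32_t now_tick;                  /* free-running 50 ms counter, may wrap */
} epb_input_t;

/* FM-03 / NC-001: elapsed ticks by unsigned subtraction. The result is exact
 * modulo 2^32, so a counter wrap cannot yield a huge elapsed value and a
 * false timeout. */
static uint32_t ticks_since(uint32_t now, uint32_t then) {
    return now - then;
}

static bool force_in_tolerance(uint32_t force_n) {
    return force_n + FORCE_TOLERANCE_N >= FORCE_TARGET_N;
}

/* One 50 ms cycle. Returns 0, or -1 on NULL input (FM-05: the controller
 * keeps its last state instead of dereferencing). */
int epb_ctrl_step(epb_ctrl_t *c, const epb_input_t *in) {
    if (c == NULL || in == NULL) {
        return -1;
    }
    switch (c->state) {
    case EPB_RELEASED:
        if (in->apply_request) {
            c->state = EPB_APPLYING;
            c->apply_start_tick = in->now_tick;
        }
        break;
    case EPB_APPLYING:
        if (force_in_tolerance(in->force_n)) {
            c->state = EPB_APPLIED;
        } else if (ticks_since(in->now_tick, c->apply_start_tick) >= APPLY_TIMEOUT_CYCLES) {
            c->state = EPB_ERROR;           /* FM-01: stuck in APPLYING */
        }
        break;
    case EPB_APPLIED:
        if (in->release_request) {
            if (in->release_preconditions_ok) {   /* FM-02: never release blind */
                c->state = EPB_RELEASED;
            }
        } else if (!force_in_tolerance(in->force_n)) {
            c->state = EPB_APPLYING;        /* FM-04: force loss, re-clamp */
            c->apply_start_tick = in->now_tick;
            c->reapply_count++;
        }
        break;
    case EPB_ERROR:
    default:
        break;                              /* latched; cleared by service only */
    }
    return 0;
}

/* Constructed scenarios (no hardware involved), one per failure mode. */
epb_state_t scenario_stuck_applying(void) {
    epb_ctrl_t c = { EPB_RELEASED, 0, 0 };
    epb_input_t in = { true, false, false, 0, 0 };
    epb_ctrl_step(&c, &in);                 /* tick 0: RELEASED -> APPLYING */
    in.apply_request = false;
    for (in.now_tick = 1; in.now_tick <= APPLY_TIMEOUT_CYCLES; in.now_tick++) {
        epb_ctrl_step(&c, &in);             /* force never rises */
    }
    return c.state;                          /* EPB_ERROR after 30 cycles */
}

epb_state_t scenario_tick_wrap(void) {
    /* APPLYING was entered 16 ticks before the counter wrapped, now is 5 after */
    epb_ctrl_t c = { EPB_APPLYING, 0xFFFFFFF0u, 0 };
    epb_input_t in = { false, false, false, 0, 5 };
    epb_ctrl_step(&c, &in);                 /* 21 ticks elapsed, not ~4 billion */
    return c.state;                          /* still EPB_APPLYING */
}

epb_ctrl_t scenario_force_loss(void) {
    epb_ctrl_t c = { EPB_APPLIED, 0, 0 };
    epb_input_t in = { false, false, false, 850, 100 };  /* 150 N below target */
    epb_ctrl_step(&c, &in);
    return c;                                /* APPLYING, reapply_count == 1 */
}
```

The wrap scenario is the one to keep in a regression suite: a naive `now >= start + TIMEOUT` comparison passes every other case and only fails after the tick counter has wrapped, which on a 50 ms counter is years of uptime and therefore never seen in bench testing.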
### 3.3 SWA-001 Safety Manager (ASIL-D)

| FM-ID | Failure mode | Effect | Detection | DC |
|-------|------------------------------------------|--------------------------------------|---------------------------------|-------|
| FM-10 | Auto-apply timer does not fire | Vehicle rolls after engine off | Safety Manager watchdog (100 ms liveness) | High |
| FM-11 | Hill-hold handover delayed | Roll-away on incline | Brake-pedal signal tracking | High |
| FM-12 | False-positive hill-hold activation | Unnecessary apply | Low-pass filter on the inclinometer | Medium |
| FM-13 | Grade filter saturation | Hill-hold missed | Plausibility range check | Medium |

Aggregated DC for the Safety Manager: **88%** (Medium).

### 3.4 SWA-004 Wheel Speed Plausibilisation (ASIL-B)

| FM-ID | Failure mode | Effect | Detection | DC |
|-------|------------------------------------------|--------------------------------------|---------------------------------|-------|
| FM-14 | Stuck-at-zero on one wheel | False standstill detected | Spread check (> 3 km/h) + DTC | High |
| FM-15 | All 4 sensors failed | Standstill undetected | Total-failure DTC + load assumption | High |

Aggregated DC for Wheel Speed Plausibilisation: **95%** (High).

## 4. Aggregated metrics (software)

| Metric | Value | ASIL-D target |
|------------------------------|---------|--------------------------------------|
| SPFM (Single-Point Fault Metric) | 95% | ≥ 99% (software alone insufficient; hardware metrics required) |
| LFM (Latent Fault Metric) | 90% | ≥ 90% |
| Aggregated DC | 92% | High |

**Note:** The software DC values reported here are not the ASIL-D hardware architectural metrics. SPFM and LFM per ISO 26262-5 are computed from quantitative hardware failure rates (FIT) at the hardware level (Tier-1 actuators, ECU hardware); the software diagnostics listed here enter that computation only as the diagnostic coverage they provide against those hardware faults.

## 5. Diagnostic measures (inventory)

| Mechanism | Component | Trigger |
|------------------------------|-----------------------|----------------------------------------|
| Timeout watchdog | Apply Controller | 30 × 50 ms in APPLYING |
| Clamping-force hold check | Apply Controller | every 50 ms |
| Overcurrent cutoff | Actuator Driver | > 8 A for > 100 ms |
| Sensor spread check | Wheel Speed Plausi | every 10 ms cycle |
| Inclinometer range check | Inclinometer Filter | every 10 ms |
| Safety Manager watchdog | Safety Manager | 100 ms liveness |
| Diagnostic Manager UDS DTCs | Diag Manager | call of `diag_set_dtc()` |

## 6. Revision history

| Version | Date | Change | Author |
|---------|-------------|---------------------|------------|
| 0.1 | 2026-05-11 | Initial draft | S. Lohmaier |
| 1.0 | 2026-05-12 | First release | S. Lohmaier |
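Worked illustration of the FM-14 and FM-15 detections from 3.4, added to this page and not taken from the SWA-004 source. The 3 km/h spread limit is the value from the table; the 0.1 km/h fixed-point unit, the 0.5 km/h standstill threshold, the per-sensor validity flag, the DTC codes and the returned-outcome structure (in place of a call to `diag_set_dtc()`) are assumptions made for the example.

```c
/* Added example for 3.4 (FM-14, FM-15): wheel-speed plausibilisation over
 * four channels with the 3 km/h spread check and the total-failure case.
 * Written for this page, not the SWA-004 source; the DTC codes, the 0.5 km/h
 * standstill threshold and the 0.1 km/h unit are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define WHEEL_COUNT         4
#define SPREAD_LIMIT_KMH10  30   /* 3.0 km/h spread limit from the table, 0.1 km/h units */
#define STANDSTILL_KMH10     5   /* assumed: <= 0.5 km/h counts as standstill */

typedef enum { WS_MOVING, WS_STANDSTILL, WS_UNKNOWN } ws_result_t;
enum { DTC_NONE = 0, DTC_WS_SPREAD = 0xC101, DTC_WS_ALL_FAILED = 0xC102 }; /* hypothetical codes */

typedef struct {
    uint16_t kmh10[WHEEL_COUNT];   /* wheel speed, 0.1 km/h per LSB */
    bool     valid[WHEEL_COUNT];   /* false = sensor reports itself failed */
} ws_input_t;

typedef struct { ws_result_t result; uint16_t dtc; } ws_outcome_t;

/* Runs every 10 ms cycle: decides standstill conservatively and raises a DTC
 * on implausible spread or total sensor loss. */
ws_outcome_t ws_plausi(const ws_input_t *in) {
    ws_outcome_t out = { WS_UNKNOWN, DTC_NONE };
    uint16_t lo = UINT16_MAX, hi = 0;
    unsigned n_valid = 0;
    for (size_t i = 0; i < WHEEL_COUNT; i++) {
        if (!in->valid[i]) continue;
        n_valid++;
        if (in->kmh10[i] < lo) lo = in->kmh10[i];
        if (in->kmh10[i] > hi) hi = in->kmh10[i];
    }
    if (n_valid == 0) {
        /* FM-15: no usable sensor. Report it and return UNKNOWN so the caller
         * falls back to its load assumption (vehicle may be moving). */
        out.dtc = DTC_WS_ALL_FAILED;
        return out;
    }
    if (hi - lo > SPREAD_LIMIT_KMH10) {
        /* FM-14: one channel disagrees (e.g. stuck at zero). Flag it; the
         * standstill decision below uses the highest reading, so a stuck-at-
         * zero wheel cannot produce a false standstill. */
        out.dtc = DTC_WS_SPREAD;
    }
    out.result = (hi <= STANDSTILL_KMH10) ? WS_STANDSTILL : WS_MOVING;
    return out;
}

/* Constructed cases (not recorded vehicle data). */
ws_outcome_t case_all_standstill(void) {
    ws_input_t in = { {0, 2, 1, 0}, {true, true, true, true} };
    return ws_plausi(&in);
}
ws_outcome_t case_stuck_at_zero(void) {
    ws_input_t in = { {0, 500, 498, 501}, {true, true, true, true} };  /* ~50 km/h, FL stuck */
    return ws_plausi(&in);
}
ws_outcome_t case_all_failed(void) {
    ws_input_t in = { {0, 0, 0, 0}, {false, false, false, false} };
    return ws_plausi(&in);
}

int main(void) {
    ws_outcome_t o = case_stuck_at_zero();
    printf("stuck-at-zero: result=%d dtc=0x%04X\n", (int)o.result, o.dtc);
    return 0;
}
```

The design point is the direction of the conservative default: a stuck-at-zero channel is excluded from the standstill decision by taking the maximum reading, and the all-failed case returns UNKNOWN rather than STANDSTILL, so neither fault can talk the Safety Manager into treating a rolling vehicle as stationary.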
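Worked computation of the SPFM and LFM referred to in section 4, added to this page and not part of the released FMEDA. It applies the ISO 26262-5 Annex C formulas to a constructed element list; the element names, FIT values, safe-fault fractions and coverages are illustrative assumptions, not data from the demo-epb hardware FMEDA, and the per-element fault split is a modelling simplification stated in the comments.

```c
/* Added example for section 4: SPFM and LFM from a failure-rate table using
 * the ISO 26262-5 Annex C formulas. Written for this page; the element list,
 * FIT values and coverages are constructed assumptions, not demo-epb data. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    const char *name;
    double fit;        /* total failure rate in FIT (failures per 1e9 h) */
    double safe_frac;  /* share of faults that cannot violate the safety goal */
    double dc_rf;      /* DC of the safety mechanism against residual faults, 0 = none */
    double dc_lf;      /* DC of the latent-fault mechanism (e.g. start-up self test) */
} hw_element_t;

typedef struct { double spfm, lfm, sum_fit; } metrics_t;

/* Fault split per element (modelling assumption of this example):
 *   non-safe = fit * (1 - safe_frac)
 *   SPF+RF   = non-safe * (1 - dc_rf)   -> reaches the safety goal unprotected
 *   MPF      = non-safe * dc_rf         -> caught alone, dangerous with a 2nd fault
 *   MPF,L    = MPF * (1 - dc_lf)        -> of those, never revealed to the driver
 * Annex C:
 *   SPFM = 1 - sum(SPF+RF) / sum(fit)
 *   LFM  = 1 - sum(MPF,L) / sum(fit - SPF - RF) */
metrics_t compute_metrics(const hw_element_t *el, size_t n) {
    double sum_fit = 0.0, sum_spf_rf = 0.0, sum_mpf_l = 0.0;
    for (size_t i = 0; i < n; i++) {
        double nonsafe = el[i].fit * (1.0 - el[i].safe_frac);
        double spf_rf  = nonsafe * (1.0 - el[i].dc_rf);
        double mpf_l   = (nonsafe - spf_rf) * (1.0 - el[i].dc_lf);
        sum_fit    += el[i].fit;
        sum_spf_rf += spf_rf;
        sum_mpf_l  += mpf_l;
    }
    metrics_t m = { 0.0, 0.0, sum_fit };
    if (sum_fit > 0.0) {
        m.spfm = 1.0 - sum_spf_rf / sum_fit;
    }
    if (sum_fit - sum_spf_rf > 0.0) {
        m.lfm = 1.0 - sum_mpf_l / (sum_fit - sum_spf_rf);
    }
    return m;
}

/* ISO 26262-5 targets for ASIL D, as listed in section 4: SPFM >= 99 %, LFM >= 90 %. */
bool meets_asil_d(metrics_t m) {
    return m.spfm >= 0.99 && m.lfm >= 0.90;
}

/* Constructed element table (assumption, not the Tier-1 hardware FMEDA). */
static const hw_element_t sample[] = {
    { "motor MOSFET (overcurrent cutoff)",  50.0, 0.5, 0.99, 0.90 },
    { "current-sense shunt (cross-check)",  10.0, 0.2, 0.90, 0.60 },
    { "MCU core (lockstep)",               100.0, 0.5, 0.99, 0.90 },
    { "pull-up resistor (no mechanism)",     2.0, 0.0, 0.00, 0.00 },
};
#define SAMPLE_N (sizeof sample / sizeof sample[0])

double sample_spfm(void)    { return compute_metrics(sample, SAMPLE_N).spfm; }
double sample_lfm(void)     { return compute_metrics(sample, SAMPLE_N).lfm; }
double sample_sum_fit(void) { return compute_metrics(sample, SAMPLE_N).sum_fit; }

int main(void) {
    metrics_t m = compute_metrics(sample, SAMPLE_N);
    printf("sum FIT %.1f  SPFM %.2f%%  LFM %.2f%%  ASIL D: %s\n",
           m.sum_fit, 100.0 * m.spfm, 100.0 * m.lfm,
           meets_asil_d(m) ? "met" : "NOT met");
    return 0;
}
```

On the constructed table the result is SPFM ≈ 97.8 % and LFM ≈ 93.5 %: the single uncovered 2 FIT resistor alone costs more SPFM budget than the three well-covered elements together, which is the same shortfall pattern section 4 records against the 99 % target. The `dc_rf` inputs are where the DC classes of section 2 enter; feed them the ISO values (0.60 / 0.90 / 0.99), not the upper edge of this document's coarser bands.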