【Automotive Chip Functional Safety Analysis and Fault Injection Practice 13】FMEDA Update: From Measured DC and Residual FIT to a Traceable Safety Table

Author: Darren H. Chen
Track: Automotive chip functional safety analysis and fault injection practice
Demo: D13_fmeda_update
Tags: automotive chips, functional safety, FMEDA, FIT, Diagnostic Coverage, Measured DC, Residual FIT, fault injection, Failure Mode, safety mechanisms, safety metrics


1. Why does this article matter?

In the previous article we computed measured diagnostic coverage from the classified fault campaign outcomes.

D12 produced the following evidence:

```text
measured_dc_overall.csv
measured_dc_by_endpoint.csv
measured_dc_by_failure_mode.csv
measured_dc_by_safety_mechanism.csv
measured_dc_by_part.csv
estimated_vs_measured_dc.csv
measured_residual_fit.csv
measurement_quality.csv
```

These results are valuable, but they are not yet the final safety table.

The next question is:

How do we write measured DC, residual FIT, evidence links and review status back into the FMEDA rows?

The Demo for this article is:

```text
D13_fmeda_update
```

The generic tool introduced in this article is:

```text
safeic-fmeda
```

The goal of safeic-fmeda is to turn design-level safety evidence into a traceable FMEDA-style table. Its inputs include:

```text
part/sub-part mapping
failure mode mapping
base FIT contribution
estimated DC
measured DC
measured residual FIT
fault campaign evidence
safety mechanism mapping
review policy
```

and it generates:

```text
fmeda_table.csv
fmeda_delta.csv
fmeda_review_items.csv
safety_metric_summary.csv
fmeda_summary.md
```

The core idea is:

An FMEDA update is not spreadsheet formatting. It is the process of connecting structured design objects, failure modes, FIT contributions, diagnostic coverage, residual FIT and validation evidence into a reviewable safety argument.


2. Where D13 sits in the overall flow

D13 comes after measured DC computation.

(Figure 1 diagram, nodes: D03/D04 FIT Data, D05 Structure and Part Map, D11 Fault Outcomes, D12 Measured DC and Residual FIT -> D13 FMEDA Update -> FMEDA Table, Safety Metric Summary, Review Items)

Figure 1: D13 merges FIT, structure, measured DC, residual FIT and evidence links into an FMEDA-ready table.

The earlier Demos answered:

```text
What is the base failure-rate contribution?
What is the structure?
What is the estimated DC?
What did fault injection measure?
How much residual FIT is left?
```

D13 answers:

```text
How should the FMEDA rows be updated?
Which rows are backed by measured evidence?
Which rows are still assumption-based only?
Which rows need review?
Which residual FIT items dominate the safety metrics?
```

This is the point at which the whole flow starts to become a safety engineering deliverable.


3. What is the FMEDA in this Demo?

In this Demo series, the FMEDA is treated as a structured table that connects:

```text
design part
sub-part
failure mode
base FIT
safety mechanism
diagnostic coverage
residual FIT
evidence source
review status
```

A simplified FMEDA row might look like this:

```csv
part,subpart,failure_mode,base_fit,safety_mechanism,dc,residual_fit,evidence,review_status
PART_COUNTER,SUBPART_COUNTER_STATE,FM_DATA_CORRUPTION,0.064,endpoint_parity,0.90,0.0064,D12 measured DC,reviewed
```

The value of an FMEDA is that it organizes the safety reasoning in a reviewable hierarchy.

It connects low-level implementation evidence to high-level safety metrics.

(Figure 2 diagram, chain: RTL / Netlist Object -> Part / Sub-part -> Failure Mode -> Base FIT -> Safety Mechanism -> Diagnostic Coverage -> Residual FIT -> Safety Metric Summary)

Figure 2: The FMEDA connects implementation objects, failure modes, FIT, mechanisms, coverage and residual risk.

The goal of D13 is not to replace a certification-grade safety process.

Its goal is to build an engineering-grade, reproducible bridge that feeds fault injection evidence into FMEDA-style tables.


4. The FMEDA is an integration layer

The FMEDA is not where safety analysis happens for the first time.

It is an integration layer.

It integrates:

```text
failure-rate modeling
structural decomposition
failure mode analysis
diagnostic coverage estimation
fault campaign measurement
residual risk calculation
engineering review decisions
```

(Figure 3 diagram, nodes: FIT Model, Structure Model, Failure Modes, Safety Mechanisms, Fault Campaign Evidence -> FMEDA -> Safety Metrics, Review Actions)

Figure 3: The FMEDA integrates multiple evidence sources into a safety review table.

This is why an FMEDA generator cannot be just a spreadsheet writer.

It must check that the referenced evidence exists and that each row is internally consistent.


5. Core FMEDA row fields

A practical FMEDA row should contain at least:

```text
row_id
part_id
part_name
subpart_id
subpart_name
design_object
failure_mode
failure_effect
base_fit
safety_mechanism
estimated_dc
measured_dc
selected_dc
residual_fit
evidence_source
evidence_id
confidence
review_status
review_comment
```

Example:

```csv
row_id,part,subpart,failure_mode,base_fit,safety_mechanism,selected_dc,residual_fit,evidence_source,review_status
R001,PART_COUNTER,SUBPART_COUNTER_STATE,FM_DATA_CORRUPTION,0.064,endpoint_parity,0.90,0.0064,D12_measured_dc,review_required
```

Why keep both estimated DC and measured DC?

Because an FMEDA row must explain whether the current DC is based on:

```text
engineering assumption
library assumption
structural calculation
fault campaign measurement
reviewed measured update
```

A row with measured evidence is usually stronger than a row based on assumptions alone, but only if the scope and confidence of the measured evidence are sufficient.


6. Estimated DC, Measured DC and Selected DC

D13 should not use measured DC blindly.

It should maintain three values at once:

```text
estimated_dc
measured_dc
selected_dc
```

6.1 Estimated DC

Estimated DC comes from D06 or from safety mechanism assumptions.

6.2 Measured DC

Measured DC comes from D12 fault campaign evidence.

6.3 Selected DC

Selected DC is the DC value actually used in the current FMEDA after the update policy and review rules have been applied.

Example:

```csv
failure_mode,estimated_dc,measured_dc,confidence,selected_dc,selection_reason
FM_DATA_CORRUPTION,0.90,1.00,LOW,0.90,keep estimated due to low sample size
FM_ALARM_NOT_ASSERTED,0.85,0.00,HIGH,0.00,use measured because measured lower than estimated
```

(Figure 4 diagram, nodes: Estimated DC, Measured DC, Confidence / Scope -> Selection Policy -> Selected DC -> FMEDA Residual FIT)

Figure 4: The FMEDA should distinguish estimated, measured and selected DC.

This separation avoids over-claiming and keeps review decisions traceable.


7. Residual FIT calculation

The simplest residual FIT formula is:

```text
residual_fit = base_fit × (1 - selected_dc)
```

Example:

```text
base_fit = 0.064
selected_dc = 0.90

residual_fit = 0.064 × (1 - 0.90)
             = 0.0064
```

As a row:

```csv
row_id,base_fit,selected_dc,residual_fit
R001,0.064,0.90,0.0064
```

This is the most basic quantitative relationship between diagnostic coverage and remaining risk.

But the selected DC must match the row scope.

Do not use:

```text
path-level measured DC
```

to update:

```text
endpoint-level FMEDA row
```

unless the scope mapping is explicitly declared.

D13 should check scope alignment.


8. Scope alignment

FMEDA rows may be organized at the following levels:

```text
part
sub-part
design object
endpoint
failure mode
safety mechanism
```

Measured DC may be computed along the following dimensions:

```text
endpoint
failure mode
safety mechanism
part
campaign group
```

An update is valid only when the scopes align.

Example of a valid update:

```text
FMEDA row:
  endpoint = toy_counter.count
  failure_mode = FM_DATA_CORRUPTION

Measured DC:
  group_type = endpoint
  group_id = toy_counter.count
  failure_mode = FM_DATA_CORRUPTION
```

Example of a high-risk update:

```text
FMEDA row:
  failure_mode = FM_ALARM_NOT_ASSERTED

Measured DC:
  group_type = overall
  group_id = overall
```

Applying an overall measured DC to a specific alarm failure mode can mask a diagnostic-path weakness.

(Figure 5 diagram, nodes: FMEDA Row Scope, Measured DC Scope -> Scope Match? -> Yes: Allow Update / No: Review Required)

Figure 5: An FMEDA update should check scope alignment first, then decide whether to apply the measured DC.

D13 should flag scope mismatches rather than silently updating rows.
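The scope check described in this section, written out as an added example. This is not code from the safeic-fmeda project; the row and group field names (design_object, part, failure_mode, group_type, group_id) and the decision labels are assumptions chosen to match the CSV layouts shown in this article, and the sample rows are constructed from the toy_counter examples.

```python
"""Scope alignment check between FMEDA rows and measured-DC groups.

Added example, not code from the safeic-fmeda project. Field names and
decision labels are assumptions matching the article's CSV layouts.
"""

ALLOW_UPDATE = "allow_update"
REVIEW_REQUIRED = "review_required"
SCOPE_MISMATCH = "scope_mismatch"
NO_MEASURED_DATA = "no_measured_data"


def find_matching_group(row, measured_groups):
    """Return the measured-DC group whose scope matches the row, or None.

    A match needs the same failure mode and a group_id equal to the row's
    design object (endpoint-level group) or the row's part (part-level group).
    'overall' groups never match here; check_scope decides what to do with them.
    """
    for group in measured_groups:
        if group["failure_mode"] != row["failure_mode"]:
            continue
        if group["group_type"] == "endpoint" and group["group_id"] == row["design_object"]:
            return group
        if group["group_type"] == "part" and group["group_id"] == row["part"]:
            return group
    return None


def check_scope(row, measured_groups, allow_overall_to_update_specific_row=False):
    """Decide whether a measured DC may update this row.

    Returns (decision, group). An exact scope match allows the update. An
    'overall' group is usable only when the policy explicitly allows it, and
    even then the row goes to review; otherwise it is flagged as a scope
    mismatch instead of being applied silently.
    """
    exact = find_matching_group(row, measured_groups)
    if exact is not None:
        return ALLOW_UPDATE, exact
    overall = [g for g in measured_groups if g["group_type"] == "overall"]
    if overall and allow_overall_to_update_specific_row:
        return REVIEW_REQUIRED, overall[0]
    if overall:
        return SCOPE_MISMATCH, overall[0]
    return NO_MEASURED_DATA, None


def align_rows(rows, measured_groups, allow_overall_to_update_specific_row=False):
    """Map row_id -> decision for a whole seed table."""
    return {
        row["row_id"]: check_scope(row, measured_groups, allow_overall_to_update_specific_row)[0]
        for row in rows
    }


# Constructed sample data modelled on the toy_counter rows used in this article.
SAMPLE_ROWS = [
    {"row_id": "R001", "part": "PART_COUNTER", "design_object": "toy_counter.count",
     "failure_mode": "FM_DATA_CORRUPTION"},
    {"row_id": "R003", "part": "PART_COUNTER", "design_object": "toy_counter.alarm",
     "failure_mode": "FM_ALARM_NOT_ASSERTED"},
]

SAMPLE_MEASURED_GROUPS = [
    {"group_type": "endpoint", "group_id": "toy_counter.count",
     "failure_mode": "FM_DATA_CORRUPTION", "measured_dc": 1.00},
    {"group_type": "overall", "group_id": "overall",
     "failure_mode": "", "measured_dc": 0.60},
]

if __name__ == "__main__":
    # R001 gets allow_update from the endpoint group; R003 only sees the
    # overall group and is flagged scope_mismatch under the default policy.
    for row_id, decision in align_rows(SAMPLE_ROWS, SAMPLE_MEASURED_GROUPS).items():
        print(f"{row_id}: {decision}")
```

The decision for R003 changes from scope_mismatch to review_required only when allow_overall_to_update_specific_row is set, mirroring the allow_overall_to_update_specific_row policy key; with no overall group present the row simply reports no_measured_data and keeps its estimated DC.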


9. Evidence source tracking

Every FMEDA row should reference its evidence.

Evidence sources can include:

```text
estimated_dc.csv
measured_dc_by_endpoint.csv
measured_dc_by_failure_mode.csv
fault_outcomes.csv
safety_mechanism_library.yaml
part_subpart_map.yaml
manual_review_note
supplier_safety_manual
```

Example:

```csv
row_id,evidence_source,evidence_id,evidence_file,confidence
R001,D12_MEASURED_DC,endpoint:toy_counter.count,measured_dc_by_endpoint.csv,LOW
R002,D06_ESTIMATED_DC,failure_mode:FM_ALARM_NOT_ASSERTED,estimated_dc.csv,MEDIUM
R003,D11_FAULT_OUTCOME,F004,fault_outcomes.csv,HIGH
```

Evidence tracking matters because an FMEDA is frequently reviewed, challenged and revised.

A value that cannot be traced is weak evidence.


10. Review status

Not every row has the same maturity.

Suggested review statuses:

```text
draft
auto_generated
review_required
reviewed
blocked
evidence_missing
scope_mismatch
low_confidence
```

Example:

```csv
row_id,review_status,review_comment
R001,low_confidence,measured DC sample size is too small
R002,scope_mismatch,overall measured DC cannot update failure-mode row
R003,review_required,unsafe fault found in alarm path
R004,reviewed,estimated DC retained after review
```

Review status turns the FMEDA from a static table into an engineering workflow.


11. FMEDA delta

D13 should generate a delta report that compares the old and new FMEDA rows.

Why?

Because safety tables evolve over time.

We need to know:

```text
Which DC values changed?
Which residual FIT values changed?
Which rows became evidence-backed?
Which rows became unsafe or review-required?
Which rows were added or removed?
```

Example:

```csv
row_id,field,old_value,new_value,change_reason
R001,selected_dc,0.80,0.90,updated from reviewed measured evidence
R001,residual_fit,0.0128,0.0064,selected DC changed
R004,review_status,draft,review_required,unsafe fault found
```

(Figure 6 diagram, nodes: Previous FMEDA -> Delta -> Updated FMEDA, Review Items)

Figure 6: The FMEDA delta shows what changed and why.

The delta report is especially valuable when safety evidence goes through several iterations.
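A delta generator of the kind this section asks for, as an added example that is not code from the safeic-fmeda project. The tracked fields, the row_added/row_removed convention for rows that appear or disappear, and the sample previous/updated tables (constructed from the R001 and R004 values above) are assumptions.

```python
"""fmeda_delta generation: compare a previous FMEDA table with the updated one.

Added example, not code from the safeic-fmeda project. Tracked fields,
the row_added/row_removed convention and the sample tables are assumptions.
"""
import csv
import io

TRACKED_FIELDS = ("measured_dc", "selected_dc", "residual_fit", "review_status")


def _fmt(value):
    """CSV representation of a cell: empty string for a missing value."""
    return "" if value is None else str(value)


def compute_delta(previous, updated, reasons=None):
    """Return delta records (row_id, field, old_value, new_value, reason).

    Rows that exist only in `updated` are reported as row_added and rows that
    exist only in `previous` as row_removed, so nothing disappears silently.
    `reasons` maps (row_id, field) to a change-reason string.
    """
    reasons = reasons or {}
    prev = {r["row_id"]: r for r in previous}
    new = {r["row_id"]: r for r in updated}
    delta = []
    for row_id in sorted(prev.keys() | new.keys()):
        if row_id not in new:
            delta.append({"row_id": row_id, "field": "row", "old_value": "present",
                          "new_value": "", "reason": "row_removed"})
            continue
        if row_id not in prev:
            delta.append({"row_id": row_id, "field": "row", "old_value": "",
                          "new_value": "present", "reason": "row_added"})
            continue
        for field in TRACKED_FIELDS:
            old, cur = prev[row_id].get(field), new[row_id].get(field)
            if old != cur:
                delta.append({"row_id": row_id, "field": field, "old_value": _fmt(old),
                              "new_value": _fmt(cur),
                              "reason": reasons.get((row_id, field), "")})
    return delta


def delta_to_csv(delta):
    """Serialize delta records in the fmeda_delta.csv column order."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["row_id", "field", "old_value", "new_value", "reason"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(delta)
    return buf.getvalue()


# Constructed previous/updated tables modelled on the R001/R004 example rows above.
PREVIOUS = [
    {"row_id": "R001", "measured_dc": None, "selected_dc": 0.80, "residual_fit": 0.0128,
     "review_status": "draft"},
    {"row_id": "R004", "measured_dc": None, "selected_dc": 0.70, "residual_fit": 0.003,
     "review_status": "draft"},
]
UPDATED = [
    {"row_id": "R001", "measured_dc": 1.00, "selected_dc": 0.90, "residual_fit": 0.0064,
     "review_status": "reviewed"},
    {"row_id": "R004", "measured_dc": None, "selected_dc": 0.70, "residual_fit": 0.003,
     "review_status": "review_required"},
    {"row_id": "R005", "measured_dc": None, "selected_dc": 0.50, "residual_fit": 0.001,
     "review_status": "auto_generated"},
]
REASONS = {
    ("R001", "selected_dc"): "updated from reviewed measured evidence",
    ("R001", "residual_fit"): "selected DC changed",
    ("R004", "review_status"): "unsafe fault found",
}

if __name__ == "__main__":
    print(delta_to_csv(compute_delta(PREVIOUS, UPDATED, REASONS)), end="")
```

Running it on the constructed tables yields six delta records: four for R001 (measured_dc added, selected_dc, residual_fit and review_status changed), one for R004 (review_status) and one row_added record for R005. Keying by row_id is what makes the comparison meaningful across runs, which is one more reason the validation step must enforce unique row IDs.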


12. Safety metric summary

Once the FMEDA rows are updated, D13 can compute simplified safety metric summaries.

For example:

```text
total_base_fit
total_residual_fit
residual_fit_by_failure_mode
residual_fit_by_part
unsafe_residual_fit
diagnostic_residual_fit
review_required_residual_fit
```

Example:

```csv
metric,value
total_base_fit,0.078
total_residual_fit,0.0204
total_selected_dc_weighted,0.738
rows_review_required,2
rows_low_confidence,3
```

A more detailed summary:

```csv
part,total_base_fit,total_residual_fit,weighted_selected_dc,review_required_rows
PART_COUNTER,0.078,0.0204,0.738,2
```

These are not necessarily the final ISO 26262 metrics.

They are engineering metrics that help prioritize design and evidence work.


13. Residual FIT by failure mode

A useful FMEDA output is residual FIT aggregated by failure mode.

Example:

```csv
failure_mode,base_fit,selected_dc,residual_fit,review_status
FM_DATA_CORRUPTION,0.064,0.90,0.0064,review_required
FM_DIAGNOSTIC_STATE_CORRUPTION,0.004,0.00,0.0040,review_required
FM_ALARM_NOT_ASSERTED,0.010,0.00,0.0100,review_required
```

This immediately shows:

```text
alarm-not-asserted dominates the remaining risk
diagnostic state corruption is still uncovered
data corruption is partially covered
```

This information can drive the next round of safety mechanism selection.


14. Residual FIT by part and sub-part

A part/sub-part roll-up supports design review.

Example:

```csv
part,subpart,base_fit,residual_fit,weighted_selected_dc,dominant_failure_mode
PART_COUNTER,SUBPART_COUNTER_STATE,0.064,0.0064,0.900,FM_DATA_CORRUPTION
PART_COUNTER,SUBPART_COUNTER_DIAG,0.014,0.0140,0.000,FM_ALARM_NOT_ASSERTED
```

This tells engineers where to focus:

```text
the counter diagnostic sub-part dominates residual FIT
the alarm path needs a mechanism improvement
the diagnostic state should not be ignored
```

(Figure 7 diagram, nodes: FMEDA Rows -> Roll Up by Part, Roll Up by Sub-part -> Design Review Priority)

Figure 7: The part/sub-part residual FIT roll-up identifies where design improvement should focus.
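The roll-ups of sections 12, 13 and 14 computed from the three toy_counter rows, as an added example rather than code from the safeic-fmeda project. The FIT-weighted DC definition (1 - total residual / total base) and the rule that the dominant failure mode is the one with the largest residual FIT are assumptions; the input rows are copied from the fmeda_table.csv example later in this article.

```python
"""Safety metric roll-ups from updated FMEDA rows.

Added example, not code from the safeic-fmeda project. Weighted-DC definition
and dominant-failure-mode rule are assumptions; rows are constructed.
"""
from collections import OrderedDict


def weighted_selected_dc(base_total, residual_total):
    """FIT-weighted DC of a group: 1 - residual/base (0.0 when base is zero)."""
    if base_total <= 0:
        return 0.0
    return round(1.0 - residual_total / base_total, 3)


def roll_up(rows, key_fields):
    """Aggregate rows by key_fields, e.g. ("failure_mode",) or ("part", "subpart").

    Each group gets summed base/residual FIT, a FIT-weighted DC, the count of
    review_required rows and the failure mode with the largest residual FIT.
    """
    groups = OrderedDict()
    for row in rows:
        key = tuple(row[f] for f in key_fields)
        g = groups.setdefault(key, {"base_fit": 0.0, "residual_fit": 0.0,
                                    "review_required_rows": 0, "dominant": None})
        g["base_fit"] += row["base_fit"]
        g["residual_fit"] += row["residual_fit"]
        if row["review_status"] == "review_required":
            g["review_required_rows"] += 1
        if g["dominant"] is None or row["residual_fit"] > g["dominant"][1]:
            g["dominant"] = (row["failure_mode"], row["residual_fit"])
    result = []
    for key, g in groups.items():
        record = dict(zip(key_fields, key))
        record.update(
            base_fit=round(g["base_fit"], 6),
            residual_fit=round(g["residual_fit"], 6),
            weighted_selected_dc=weighted_selected_dc(g["base_fit"], g["residual_fit"]),
            review_required_rows=g["review_required_rows"],
            dominant_failure_mode=g["dominant"][0],
        )
        result.append(record)
    return result


def metric_summary(rows):
    """The safety_metric_summary.csv numbers for a whole table."""
    base = sum(r["base_fit"] for r in rows)
    residual = sum(r["residual_fit"] for r in rows)
    statuses = [r["review_status"] for r in rows]
    return {
        "total_base_fit": round(base, 6),
        "total_residual_fit": round(residual, 6),
        "weighted_selected_dc": weighted_selected_dc(base, residual),
        "rows_total": len(rows),
        "rows_review_required": statuses.count("review_required"),
        "rows_low_confidence": statuses.count("low_confidence"),
        "rows_evidence_missing": statuses.count("evidence_missing"),
    }


# Constructed rows copied from the fmeda_table.csv example in this article.
FMEDA_ROWS = [
    {"row_id": "R001", "part": "PART_COUNTER", "subpart": "SUBPART_COUNTER_STATE",
     "failure_mode": "FM_DATA_CORRUPTION", "base_fit": 0.064, "residual_fit": 0.0064,
     "review_status": "low_confidence"},
    {"row_id": "R002", "part": "PART_COUNTER", "subpart": "SUBPART_COUNTER_DIAG",
     "failure_mode": "FM_DIAGNOSTIC_STATE_CORRUPTION", "base_fit": 0.004, "residual_fit": 0.0040,
     "review_status": "review_required"},
    {"row_id": "R003", "part": "PART_COUNTER", "subpart": "SUBPART_COUNTER_DIAG",
     "failure_mode": "FM_ALARM_NOT_ASSERTED", "base_fit": 0.010, "residual_fit": 0.0100,
     "review_status": "review_required"},
]

if __name__ == "__main__":
    print(metric_summary(FMEDA_ROWS))
    for record in roll_up(FMEDA_ROWS, ("part", "subpart")):
        print(record)
    for record in roll_up(FMEDA_ROWS, ("failure_mode",)):
        print(record)
```

On these rows the summary reproduces the article's numbers (total base FIT 0.078, total residual FIT 0.0204, weighted DC 0.738, two review_required rows), and the part/sub-part roll-up reports SUBPART_COUNTER_DIAG with a weighted DC of 0.0 and FM_ALARM_NOT_ASSERTED as its dominant failure mode. Summing float FIT values and rounding at the end keeps the roll-ups consistent with the per-row residual_fit values instead of accumulating display noise.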


15. Handling unsafe faults in the FMEDA

Unsafe faults from D11 should be linked to FMEDA rows.

Example:

```csv
fault_id,outcome,endpoint,failure_mode,linked_fmeda_row
F004,unsafe,toy_counter.alarm,FM_ALARM_NOT_ASSERTED,R003
F003,unsafe,toy_counter.count_parity,FM_DIAGNOSTIC_STATE_CORRUPTION,R002
```

An FMEDA row can include:

```text
unsafe_fault_count
unsafe_fault_ids
unsafe_evidence_file
review_action
```

Example:

```csv
row_id,failure_mode,unsafe_fault_count,unsafe_fault_ids,review_action
R003,FM_ALARM_NOT_ASSERTED,1,F004,add alarm path protection or justify residual risk
```

Unsafe faults should not be buried in the campaign report alone.

They should be explicitly visible in the FMEDA update.


16. Handling unresolved evidence

Unresolved faults should also affect the FMEDA review status.

Example:

```csv
row_id,unresolved_fault_count,review_status,review_comment
R010,5,evidence_missing,missing observe points prevent confident DC update
```

Unresolved evidence does not necessarily increase residual FIT mathematically.

But it lowers confidence.

When the share of unresolved evidence is high, D13 should not automatically adopt a higher measured DC.

The policy can state:

```yaml
fmeda_update_policy:
  max_unresolved_ratio_for_update: 0.10
  if_unresolved_too_high: keep_estimated_and_flag
```

This keeps the FMEDA update conservative.


17. Handling low-confidence measured DC

A low-confidence measured DC should usually not replace the estimated value automatically.

Example:

```csv
row_id,estimated_dc,measured_dc,confidence,selected_dc,reason
R001,0.90,1.00,LOW,0.90,sample size too small
```

This is not ignoring the evidence.

It is keeping the safety table disciplined.

The measured result still appears as evidence, but it is not used as the selected DC until the evidence is strong enough.


18. Handling measured DC lower than estimated DC

When the measured DC is lower than the estimated DC, D13 should flag it prominently.

Example:

```csv
row_id,estimated_dc,measured_dc,selected_dc,status
R005,0.85,0.40,0.40,measured_lower_than_estimated
```

Possible actions:

```text
use measured DC
request mechanism improvement
request campaign review
request failure-mode review
mark row review_required
```

A measured result below the estimate may mean:

```text
safety mechanism assumption was too optimistic
fault campaign found a real diagnostic gap
fault model targets a different scope
alarm path is not working
testbench response does not match architecture assumption
```

This is one of the most valuable outputs of the whole flow.


19. Handling measured DC higher than estimated DC

When the measured DC is higher than the estimated DC, the FMEDA value should not be raised automatically either.

Example:

```csv
row_id,estimated_dc,measured_dc,selected_dc,status
R001,0.90,1.00,0.90,measured_higher_requires_review
```

Why be conservative?

Because a higher measured DC may come from:

```text
small sample size
easy fault selection
limited fault model
insufficient structural scope
overfitted testbench
missing hard-to-detect scenarios
```

D13 should normally require review before raising the selected DC.


20. FMEDA update policy

D13 should be driven by a policy file.

Example:

```yaml
fmeda_update_policy:
  dc_selection:
    if_measured_lower_than_estimated: use_measured
    if_measured_higher_than_estimated: require_review
    if_measured_confidence_low: keep_estimated_and_flag
    if_no_measured_data: use_estimated

  confidence:
    min_confidence_for_auto_update: medium
    max_unresolved_ratio_for_auto_update: 0.10

  scope:
    require_scope_match: true
    allow_overall_to_update_specific_row: false

  review:
    flag_unsafe_faults: true
    flag_unresolved_faults: true
    flag_missing_evidence: true
    flag_low_confidence: true
```

This policy makes the FMEDA update reproducible and reviewable.
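The DC selection rules of sections 6 and 16 to 19 and the residual FIT formula of section 7, driven by the policy above, as one added example; this is not code from the safeic-fmeda project. The policy is embedded as a dict that mirrors the YAML (a real tool would load the file with yaml.safe_load), and the row fields (measured_dc of None when no campaign data exists, confidence, unresolved_ratio), the evidence_source labels and the reason strings are assumptions. R001 and R002 follow the article's values; R005, R006 and R010 are constructed to exercise the remaining branches.

```python
"""Policy-driven DC selection and residual FIT computation for FMEDA rows.

Added example, not code from the safeic-fmeda project. POLICY mirrors the
fmeda_update_policy YAML in the article; row fields, labels and reason
strings are assumptions.
"""

CONFIDENCE_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

POLICY = {
    "dc_selection": {
        "if_measured_lower_than_estimated": "use_measured",
        "if_measured_higher_than_estimated": "require_review",
        "if_measured_confidence_low": "keep_estimated_and_flag",
        "if_no_measured_data": "use_estimated",
    },
    "confidence": {
        "min_confidence_for_auto_update": "medium",
        "max_unresolved_ratio_for_auto_update": 0.10,
    },
}


def residual_fit(base_fit, selected_dc):
    """residual_fit = base_fit x (1 - selected_dc); inputs are range-checked."""
    if base_fit < 0 or not 0.0 <= selected_dc <= 1.0:
        raise ValueError("base FIT must be >= 0 and DC within 0..1")
    return round(base_fit * (1.0 - selected_dc), 6)


def select_dc(row, policy=POLICY):
    """Return (selected_dc, evidence_source, review_status, reason) for one row.

    Expected row keys: estimated_dc, measured_dc (None when no campaign data),
    confidence (LOW/MEDIUM/HIGH) and unresolved_ratio (share of unresolved
    faults in the matching campaign group).
    """
    sel = policy["dc_selection"]
    conf = policy["confidence"]
    estimated = row["estimated_dc"]
    measured = row.get("measured_dc")

    if measured is None:
        return estimated, "ESTIMATED_DC", "auto_generated", sel["if_no_measured_data"]

    # A lower measurement is adopted regardless of confidence: it can only reveal a gap.
    if measured < estimated and sel["if_measured_lower_than_estimated"] == "use_measured":
        return measured, "MEASURED_DC", "review_required", "measured_lower_than_estimated"

    # Too many unresolved faults: the measurement cannot be trusted for an automatic update.
    if row.get("unresolved_ratio", 0.0) > conf["max_unresolved_ratio_for_auto_update"]:
        return estimated, "ESTIMATED_DC", "evidence_missing", "unresolved ratio too high"

    min_rank = CONFIDENCE_RANK[conf["min_confidence_for_auto_update"].upper()]
    if CONFIDENCE_RANK[row["confidence"].upper()] < min_rank:
        return estimated, "ESTIMATED_DC", "low_confidence", sel["if_measured_confidence_low"]

    # A higher measurement keeps the estimate until a reviewer accepts it.
    if measured > estimated:
        return estimated, "ESTIMATED_DC", "review_required", sel["if_measured_higher_than_estimated"]

    return measured, "MEASURED_DC", "auto_generated", "measured equals estimated"


def update_row(row, policy=POLICY):
    """Apply the policy to one seed row; returns a new dict with the FMEDA fields filled."""
    dc, source, status, reason = select_dc(row, policy)
    updated = dict(row)
    updated.update(selected_dc=dc, evidence_source=source, review_status=status,
                   selection_reason=reason, residual_fit=residual_fit(row["base_fit"], dc))
    return updated


def update_table(rows, policy=POLICY):
    """Update every row, preserving input order."""
    return [update_row(r, policy) for r in rows]


# Constructed seed rows: R001/R002 follow the article's toy_counter values,
# R005/R006/R010 are made up to exercise the remaining policy branches.
SAMPLE_ROWS = [
    {"row_id": "R001", "base_fit": 0.064, "estimated_dc": 0.90, "measured_dc": 1.00,
     "confidence": "LOW", "unresolved_ratio": 0.0},
    {"row_id": "R002", "base_fit": 0.004, "estimated_dc": 0.00, "measured_dc": None,
     "confidence": "HIGH", "unresolved_ratio": 0.0},
    {"row_id": "R005", "base_fit": 0.010, "estimated_dc": 0.85, "measured_dc": 0.40,
     "confidence": "HIGH", "unresolved_ratio": 0.0},
    {"row_id": "R006", "base_fit": 0.020, "estimated_dc": 0.90, "measured_dc": 1.00,
     "confidence": "HIGH", "unresolved_ratio": 0.0},
    {"row_id": "R010", "base_fit": 0.020, "estimated_dc": 0.80, "measured_dc": 0.95,
     "confidence": "HIGH", "unresolved_ratio": 0.25},
]

if __name__ == "__main__":
    for r in update_table(SAMPLE_ROWS):
        print(r["row_id"], r["selected_dc"], r["residual_fit"], r["review_status"], r["selection_reason"])
```

The order of the checks encodes the conservatism the policy asks for: a lower measurement always wins (R005 drops to 0.40 and its residual FIT rises to 0.006), while a higher measurement is held back first by the unresolved-ratio gate (R010), then by the confidence gate (R001 keeps 0.90 and residual FIT 0.0064), and finally by the require_review rule even when confidence is HIGH (R006). The evidence_source field records which value the selected DC came from, so the traceability of section 9 falls out of the selection itself.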


21. D13 input files

Suggested inputs:

```text
inputs/
  fmeda_seed.csv
  part_subpart_map.yaml
  failure_modes.yaml
  estimated_dc.csv
  measured_dc_by_endpoint.csv
  measured_dc_by_failure_mode.csv
  measured_dc_by_safety_mechanism.csv
  measured_residual_fit.csv
  estimated_vs_measured_dc.csv
  fault_outcomes.csv
  fmeda_update_policy.yaml
```

fmeda_seed.csv can be a manually curated or automatically generated initial FMEDA table.

Example:

```csv
row_id,part,subpart,design_object,failure_mode,base_fit,safety_mechanism,estimated_dc
R001,PART_COUNTER,SUBPART_COUNTER_STATE,toy_counter.count,FM_DATA_CORRUPTION,0.064,endpoint_parity,0.90
R002,PART_COUNTER,SUBPART_COUNTER_DIAG,toy_counter.count_parity,FM_DIAGNOSTIC_STATE_CORRUPTION,0.004,none,0.00
R003,PART_COUNTER,SUBPART_COUNTER_DIAG,toy_counter.alarm,FM_ALARM_NOT_ASSERTED,0.010,none,0.00
```

D13 updates this seed table using measured evidence and policy decisions.


22. Main output: fmeda_table.csv

Example:

```csv
row_id,part,subpart,design_object,failure_mode,base_fit,safety_mechanism,estimated_dc,measured_dc,selected_dc,residual_fit,evidence_source,confidence,review_status
R001,PART_COUNTER,SUBPART_COUNTER_STATE,toy_counter.count,FM_DATA_CORRUPTION,0.064,endpoint_parity,0.90,1.00,0.90,0.0064,D12_MEASURED_DC,LOW,low_confidence
R002,PART_COUNTER,SUBPART_COUNTER_DIAG,toy_counter.count_parity,FM_DIAGNOSTIC_STATE_CORRUPTION,0.004,none,0.00,0.00,0.00,0.0040,D11_UNSAFE_FAULT,HIGH,review_required
R003,PART_COUNTER,SUBPART_COUNTER_DIAG,toy_counter.alarm,FM_ALARM_NOT_ASSERTED,0.010,none,0.00,0.00,0.00,0.0100,D11_UNSAFE_FAULT,HIGH,review_required
```

This table is the core deliverable of D13.


23. Output: fmeda_delta.csv

Example:

```csv
row_id,field,old_value,new_value,reason
R001,measured_dc,,1.00,measured DC added from D12
R001,review_status,draft,low_confidence,measured sample size too small
R002,review_status,draft,review_required,unsafe diagnostic state fault found
R003,review_status,draft,review_required,unsafe alarm path fault found
```

The delta makes the changes explicit.


24. Output: fmeda_review_items.csv

Example:

```csv
item_id,row_id,severity,issue,recommended_action
I001,R003,HIGH,alarm path has unsafe fault,add redundant alarm or alarm path monitor
I002,R002,MEDIUM,diagnostic state unprotected,add protection or justify residual risk
I003,R001,LOW,measured DC confidence low,increase campaign sample size before updating DC
```

This is the concrete action list produced by the FMEDA update.

A good safety process should not only produce metrics; it should also produce next actions.
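The link from D11 fault outcomes to FMEDA rows (section 15) and the derivation of review items from the linked rows (this section), as one added example; it is not code from the safeic-fmeda project. The join key (the fault's endpoint against the row's design_object, plus failure_mode), the severity rules (unsafe fault: HIGH; unprotected row: MEDIUM; unresolved faults: MEDIUM; low confidence: LOW) and the action wording are assumptions; the rows and fault outcomes are constructed from the toy_counter examples.

```python
"""Link fault outcomes to FMEDA rows and derive review items.

Added example, not code from the safeic-fmeda project. Join key, severity
rules and action wording are assumptions; sample data is constructed.
"""

SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def link_fault_outcomes(rows, fault_outcomes):
    """Return new rows with unsafe/unresolved fault counts and IDs attached.

    A row with at least one unsafe fault is forced to review_required, so the
    unsafe evidence cannot hide behind a 'draft' or 'reviewed' status.
    """
    by_key = {}
    for fault in fault_outcomes:
        by_key.setdefault((fault["endpoint"], fault["failure_mode"]), []).append(fault)
    linked = []
    for row in rows:
        faults = by_key.get((row["design_object"], row["failure_mode"]), [])
        unsafe_ids = sorted(f["fault_id"] for f in faults if f["outcome"] == "unsafe")
        unresolved = sum(1 for f in faults if f["outcome"] == "unresolved")
        new_row = dict(row, unsafe_fault_count=len(unsafe_ids),
                       unsafe_fault_ids=";".join(unsafe_ids),
                       unresolved_fault_count=unresolved)
        if unsafe_ids:
            new_row["review_status"] = "review_required"
        linked.append(new_row)
    return linked


def generate_review_items(linked_rows):
    """Build fmeda_review_items records, highest severity first, numbered I001, I002, ..."""
    items = []
    for row in linked_rows:
        if row["unsafe_fault_count"] > 0:
            items.append((row["row_id"], "HIGH",
                          f"{row['design_object']} has unsafe fault(s) {row['unsafe_fault_ids']}",
                          "add protection on this path or justify residual risk"))
        elif row["safety_mechanism"] == "none":
            items.append((row["row_id"], "MEDIUM", f"{row['design_object']} is unprotected",
                          "add protection or justify residual risk"))
        if row["unresolved_fault_count"] > 0:
            items.append((row["row_id"], "MEDIUM",
                          f"{row['unresolved_fault_count']} unresolved fault(s)",
                          "add observe points and re-run the campaign"))
        if row["review_status"] == "low_confidence":
            items.append((row["row_id"], "LOW", "measured DC confidence low",
                          "increase campaign sample size before updating DC"))
    items.sort(key=lambda item: (SEVERITY_ORDER[item[1]], item[0]))
    return [{"item_id": f"I{i:03d}", "row_id": rid, "severity": sev,
             "issue": issue, "recommended_action": action}
            for i, (rid, sev, issue, action) in enumerate(items, start=1)]


# Constructed rows (from the fmeda_table.csv example) and fault outcomes.
SAMPLE_ROWS = [
    {"row_id": "R001", "design_object": "toy_counter.count", "failure_mode": "FM_DATA_CORRUPTION",
     "safety_mechanism": "endpoint_parity", "review_status": "low_confidence"},
    {"row_id": "R002", "design_object": "toy_counter.count_parity",
     "failure_mode": "FM_DIAGNOSTIC_STATE_CORRUPTION", "safety_mechanism": "none",
     "review_status": "draft"},
    {"row_id": "R003", "design_object": "toy_counter.alarm", "failure_mode": "FM_ALARM_NOT_ASSERTED",
     "safety_mechanism": "none", "review_status": "draft"},
]
SAMPLE_FAULTS = [
    {"fault_id": "F001", "outcome": "detected", "endpoint": "toy_counter.count",
     "failure_mode": "FM_DATA_CORRUPTION"},
    {"fault_id": "F002", "outcome": "unresolved", "endpoint": "toy_counter.count",
     "failure_mode": "FM_DATA_CORRUPTION"},
    {"fault_id": "F003", "outcome": "unsafe", "endpoint": "toy_counter.count_parity",
     "failure_mode": "FM_DIAGNOSTIC_STATE_CORRUPTION"},
    {"fault_id": "F004", "outcome": "unsafe", "endpoint": "toy_counter.alarm",
     "failure_mode": "FM_ALARM_NOT_ASSERTED"},
]

if __name__ == "__main__":
    for item in generate_review_items(link_fault_outcomes(SAMPLE_ROWS, SAMPLE_FAULTS)):
        print(item)
```

With the constructed data the two unsafe faults become HIGH items on R002 and R003 (both forced to review_required), the unresolved fault on the counter endpoint adds a MEDIUM item for R001, and R001's low_confidence status adds a LOW item; sorting by severity and then row_id makes the item numbering stable between runs, which keeps the delta of section 11 readable.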


25. Output: safety_metric_summary.csv

Example:

```csv
metric,value
total_base_fit,0.078
total_residual_fit,0.0204
weighted_selected_dc,0.738
rows_total,3
rows_review_required,2
rows_low_confidence,1
rows_evidence_missing,0
```

This summary can be used to track overall progress.


26. Output: residual_fit_by_failure_mode.csv

Example:

```csv
failure_mode,base_fit,residual_fit,weighted_selected_dc,review_status
FM_DATA_CORRUPTION,0.064,0.0064,0.900,low_confidence
FM_DIAGNOSTIC_STATE_CORRUPTION,0.004,0.0040,0.000,review_required
FM_ALARM_NOT_ASSERTED,0.010,0.0100,0.000,review_required
```

It identifies the areas that dominate residual risk.


27. Output: fmeda_summary.md

Example:

```md
# D13 FMEDA Update Summary

Project: automotive_safeic_practice
Demo: D13_fmeda_update
Top: toy_counter

## Overall Metrics

Total base FIT: 0.078  
Total residual FIT: 0.0204  
Weighted selected DC: 0.738  

## Updated Rows

Rows total: 3  
Review required: 2  
Low confidence: 1  

## Key Review Items

1. Alarm path fault remains unsafe.
   - Row: R003
   - Failure mode: FM_ALARM_NOT_ASSERTED
   - Recommended action: add alarm path protection or justify residual risk.

2. Diagnostic state fault remains unsafe.
   - Row: R002
   - Failure mode: FM_DIAGNOSTIC_STATE_CORRUPTION
   - Recommended action: protect diagnostic state.

3. Counter state measured DC is higher than estimated, but sample size is low.
   - Row: R001
   - Recommended action: keep estimated DC and expand campaign.

## Next Step

Use D14 to generate a consolidated safety evidence package and review report.
```

This report helps engineers quickly understand the current state of the safety argument.


28. Tool architecture

The generic tool safeic-fmeda can be implemented as a staged pipeline.

(Figure 8 diagram, nodes: manifest.yaml, fmeda_seed.csv, estimated_dc.csv, measured_dc outputs, fault_outcomes.csv, part/sub-part map, fmeda_update_policy.yaml -> safeic-fmeda: Validate Rows -> Join Evidence -> Select DC -> Compute Residual FIT -> Generate Delta -> Generate Review Items -> Generate FMEDA Table and Summary)

Figure 8: safeic-fmeda updates the FMEDA by validating rows, joining evidence, selecting DC, computing residual FIT and generating review items.

Suggested internal modules:

```text
safeic_fmeda/
  cli.py
  manifest.py
  load_seed.py
  load_evidence.py
  validate_rows.py
  evidence_join.py
  dc_selection.py
  residual_fit.py
  delta.py
  review_items.py
  rollup.py
  report.py
```

Responsibilities:

| Module | Responsibility |
|---|---|
| load_seed.py | Load initial FMEDA table |
| load_evidence.py | Load estimated/measured DC and fault outcomes |
| validate_rows.py | Check row IDs, fields, scopes, FIT values |
| evidence_join.py | Link evidence to FMEDA rows |
| dc_selection.py | Apply selected DC policy |
| residual_fit.py | Compute residual FIT |
| delta.py | Compare previous and updated rows |
| review_items.py | Generate action items |
| rollup.py | Generate metric summaries |
| report.py | Generate CSV and Markdown outputs |

29. D13 directory structure

Suggested layout:

```text
D13_fmeda_update/
  README.md
  run_demo.sh
  run_demo.csh
  manifest.yaml

  inputs/
    fmeda_seed.csv
    part_subpart_map.yaml
    failure_modes.yaml
    estimated_dc.csv
    measured_dc_by_endpoint.csv
    measured_dc_by_failure_mode.csv
    measured_dc_by_safety_mechanism.csv
    measured_residual_fit.csv
    estimated_vs_measured_dc.csv
    fault_outcomes.csv
    fmeda_update_policy.yaml

  outputs/
    fmeda_table.csv
    fmeda_delta.csv
    fmeda_review_items.csv
    safety_metric_summary.csv
    residual_fit_by_failure_mode.csv
    residual_fit_by_part.csv
    fmeda_summary.md
    fmeda_warnings.csv
```

D13 is table integration and safety review preparation.

It should not re-run fault campaigns.


30. D13 manifest

Example:

```yaml
project:
  name: automotive_safeic_practice
  demo: D13_fmeda_update
  top_module: toy_counter

inputs:
  fmeda_seed: inputs/fmeda_seed.csv
  part_subpart_map: inputs/part_subpart_map.yaml
  failure_modes: inputs/failure_modes.yaml
  estimated_dc: inputs/estimated_dc.csv
  measured_dc_by_endpoint: inputs/measured_dc_by_endpoint.csv
  measured_dc_by_failure_mode: inputs/measured_dc_by_failure_mode.csv
  measured_dc_by_safety_mechanism: inputs/measured_dc_by_safety_mechanism.csv
  measured_residual_fit: inputs/measured_residual_fit.csv
  estimated_vs_measured_dc: inputs/estimated_vs_measured_dc.csv
  fault_outcomes: inputs/fault_outcomes.csv
  update_policy: inputs/fmeda_update_policy.yaml

outputs:
  fmeda_table: outputs/fmeda_table.csv
  fmeda_delta: outputs/fmeda_delta.csv
  review_items: outputs/fmeda_review_items.csv
  metric_summary: outputs/safety_metric_summary.csv
  residual_by_failure_mode: outputs/residual_fit_by_failure_mode.csv
  residual_by_part: outputs/residual_fit_by_part.csv
  summary: outputs/fmeda_summary.md
```

The manifest makes the FMEDA update reproducible.


31. D13 execution flow

(Figure 9 diagram, steps: Load Manifest -> Load FMEDA Seed -> Load Estimated and Measured DC -> Load Fault Outcomes -> Load Part/Sub-part and Failure Modes -> Load Update Policy -> Validate Row Scope and Evidence -> Join Evidence to Rows -> Select DC for Each Row -> Compute Residual FIT -> Generate Delta -> Generate Review Items -> Roll Up Safety Metrics -> Generate Reports)

Figure 9: D13 execution flow: load, validate, join evidence, select DC, compute residual FIT and generate FMEDA outputs.

Example bash script:

```bash
#!/usr/bin/env bash
set -euo pipefail

safeic-fmeda \
  --manifest manifest.yaml \
  --output-dir outputs
```

Example csh script:

```csh
#!/bin/csh -f

set DEMO = D13_fmeda_update
echo "Running $DEMO"

safeic-fmeda \
  --manifest manifest.yaml \
  --output-dir outputs
```

Expected outputs:

```text
outputs/fmeda_table.csv
outputs/fmeda_delta.csv
outputs/fmeda_review_items.csv
outputs/safety_metric_summary.csv
outputs/residual_fit_by_failure_mode.csv
outputs/residual_fit_by_part.csv
outputs/fmeda_summary.md
outputs/fmeda_warnings.csv
```

32. Validation rules

safeic-fmeda should validate that:

```text
fmeda_seed.csv exists
row IDs are unique
base FIT values are non-negative
estimated DC values are within 0..1
measured DC values are within 0..1
selected DC values are within 0..1
part and sub-part IDs exist
failure modes exist
safety mechanisms exist or are explicitly none
scope alignment is checked
unsafe fault links are valid
review status values are valid
residual FIT denominator is valid
```

Example messages:

```text
[PASS] FMEDA seed loaded: 3 rows
[PASS] row R001 base FIT is valid
[PASS] row R001 evidence joined from measured_dc_by_endpoint.csv
[WARN] row R001 measured DC confidence is LOW; selected DC kept as estimated
[WARN] row R003 has unsafe fault F004 linked
[ERROR] row R010 references unknown failure mode FM_UNKNOWN
[ERROR] selected_dc 1.20 is out of range
```

When evidence is missing or scopes do not match, the tool should stay conservative.
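A row validator that applies the rules above and reports in the same [PASS]/[WARN]/[ERROR] style, as an added example that is not code from the safeic-fmeda project. The reference libraries (failure modes, safety mechanisms, part map) are constructed inline and their layouts are assumptions; the residual FIT consistency check (residual must equal base_fit x (1 - selected_dc) when both are present) is my reading of the "residual FIT denominator is valid" rule. Scope alignment and unsafe fault links are checked in the separate examples earlier in this article and are not repeated here.

```python
"""Row validation for an FMEDA seed/updated table.

Added example, not code from the safeic-fmeda project. Reference libraries
are constructed inline; their layouts and the residual FIT check are assumptions.
"""

VALID_REVIEW_STATUS = {"draft", "auto_generated", "review_required", "reviewed", "blocked",
                       "evidence_missing", "scope_mismatch", "low_confidence"}
DC_FIELDS = ("estimated_dc", "measured_dc", "selected_dc")


def _in_unit_range(value):
    """None (no data) is acceptable; any number must lie within 0..1."""
    return value is None or 0.0 <= value <= 1.0


def validate_rows(rows, failure_modes, safety_mechanisms, part_map):
    """Return '[LEVEL] message' strings; has_errors() gives the pass/fail verdict.

    part_map maps part_id -> set of sub-part ids. A missing measured_dc (None)
    is allowed; every other field is checked against the rules above.
    """
    messages = [f"[PASS] FMEDA seed loaded: {len(rows)} rows"]
    seen_ids = set()
    for row in rows:
        rid = row["row_id"]
        if rid in seen_ids:
            messages.append(f"[ERROR] row {rid} has a duplicate row_id")
        seen_ids.add(rid)

        if row["base_fit"] < 0:
            messages.append(f"[ERROR] row {rid} base FIT {row['base_fit']} is negative")
        else:
            messages.append(f"[PASS] row {rid} base FIT is valid")

        for field in DC_FIELDS:
            value = row.get(field)
            if not _in_unit_range(value):
                messages.append(f"[ERROR] {field} {value} is out of range")

        if row["part"] not in part_map:
            messages.append(f"[ERROR] row {rid} references unknown part {row['part']}")
        elif row["subpart"] not in part_map[row["part"]]:
            messages.append(f"[ERROR] row {rid} references unknown sub-part {row['subpart']}")

        if row["failure_mode"] not in failure_modes:
            messages.append(f"[ERROR] row {rid} references unknown failure mode {row['failure_mode']}")

        mechanism = row["safety_mechanism"]
        if mechanism != "none" and mechanism not in safety_mechanisms:
            messages.append(f"[ERROR] row {rid} references unknown safety mechanism {mechanism}")

        if row.get("review_status") not in VALID_REVIEW_STATUS:
            messages.append(f"[ERROR] row {rid} has invalid review status {row.get('review_status')}")

        # Residual FIT must agree with base_fit x (1 - selected_dc) when both are present.
        selected, residual = row.get("selected_dc"), row.get("residual_fit")
        if selected is not None and residual is not None and _in_unit_range(selected):
            if abs(row["base_fit"] * (1.0 - selected) - residual) > 1e-9:
                messages.append(f"[WARN] row {rid} residual FIT {residual} does not match "
                                f"base FIT x (1 - selected DC)")
    return messages


def has_errors(messages):
    """True when any message is an [ERROR]; the run should then stop before writing tables."""
    return any(m.startswith("[ERROR]") for m in messages)


# Constructed reference libraries and rows modelled on the toy_counter examples.
FAILURE_MODES = {"FM_DATA_CORRUPTION", "FM_DIAGNOSTIC_STATE_CORRUPTION", "FM_ALARM_NOT_ASSERTED"}
SAFETY_MECHANISMS = {"endpoint_parity"}
PART_MAP = {"PART_COUNTER": {"SUBPART_COUNTER_STATE", "SUBPART_COUNTER_DIAG"}}

GOOD_ROWS = [
    {"row_id": "R001", "part": "PART_COUNTER", "subpart": "SUBPART_COUNTER_STATE",
     "failure_mode": "FM_DATA_CORRUPTION", "base_fit": 0.064, "safety_mechanism": "endpoint_parity",
     "estimated_dc": 0.90, "measured_dc": 1.00, "selected_dc": 0.90, "residual_fit": 0.0064,
     "review_status": "low_confidence"},
    {"row_id": "R003", "part": "PART_COUNTER", "subpart": "SUBPART_COUNTER_DIAG",
     "failure_mode": "FM_ALARM_NOT_ASSERTED", "base_fit": 0.010, "safety_mechanism": "none",
     "estimated_dc": 0.00, "measured_dc": None, "selected_dc": 0.00, "residual_fit": 0.0100,
     "review_status": "review_required"},
]
# A deliberately broken row (constructed): unknown failure mode and DC out of range.
BAD_ROW = {"row_id": "R010", "part": "PART_COUNTER", "subpart": "SUBPART_COUNTER_DIAG",
           "failure_mode": "FM_UNKNOWN", "base_fit": 0.010, "safety_mechanism": "none",
           "estimated_dc": 0.00, "measured_dc": None, "selected_dc": 1.20, "residual_fit": None,
           "review_status": "draft"}

if __name__ == "__main__":
    for message in validate_rows(GOOD_ROWS + [BAD_ROW], FAILURE_MODES, SAFETY_MECHANISMS, PART_MAP):
        print(message)
```

The two constructed good rows pass cleanly; adding R010 produces exactly the two errors shown in the article's sample messages (unknown failure mode FM_UNKNOWN and a selected_dc of 1.2 out of range). Treating any [ERROR] as fatal before tables are written is what keeps a malformed seed from silently becoming a "final-looking" FMEDA.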


33. Common mistakes

33.1 Treating the FMEDA as a plain table

The FMEDA is not just formatting.

It is the integration of assumptions, measurements and review decisions.

33.2 Updating DC blindly from measured results

Measured DC may update the FMEDA only when scope and confidence are acceptable.

33.3 Losing evidence traceability

Every selected DC should be traceable to an estimate, a measurement or a review decision.

33.4 Hiding unsafe faults

Unsafe fault IDs should be visible in the row or in a linked review item.

33.5 Ignoring unresolved evidence

A high share of unresolved evidence should lower confidence and trigger review.

33.6 Mixing scopes

Do not update a specific row with a measured DC from a broader or unrelated scope without explicit review.

33.7 Reporting metrics without review status

A metric without a review status easily looks like a final result, even when it is still a draft.


34. How does D13 connect to later Demos?

D13 produces the updated FMEDA table and the review items.

Later Demos can generate reports, evidence packages and comparison dashboards.

(Figure 10 diagram, nodes: D13 FMEDA Update -> D14 Safety Evidence Package -> D15 Report Generation -> D16 Regression / Iteration Tracking -> Review Package)

Figure 10: D13 prepares the updated safety table for consolidated reporting and evidence packaging.

D13 is an important checkpoint.

After D13, the flow can produce:

```text
summary reports
evidence traceability package
metric trend reports
design improvement action list
review-ready tables
```

35. Recommended implementation stages

D13 can be implemented in stages.

Stage 1: Seed FMEDA Table Update

Read fmeda_seed.csv and compute residual FIT from the estimated DC.

Deliverables:

```text
fmeda_table.csv
fmeda_summary.md
```

Stage 2: Measured DC Join

Join the D12 measured DC outputs to the FMEDA rows.

Deliverables:

```text
fmeda_table.csv
fmeda_warnings.csv
```

Stage 3: Selected DC Policy

Apply the update policy to choose the selected DC.

Deliverables:

```text
fmeda_delta.csv
```

Stage 4: Unsafe and Unresolved Fault Link

Link the D11 unsafe and unresolved faults to the FMEDA rows.

Deliverables:

```text
fmeda_review_items.csv
```

Stage 5: Safety Metric Roll-Up

Aggregate residual FIT by failure mode and by part.

Deliverables:

```text
safety_metric_summary.csv
residual_fit_by_failure_mode.csv
residual_fit_by_part.csv
```

This staged approach makes D13 useful from its first version and extensible afterwards.


36. Summary

The FMEDA update is the step where all the preceding safety analysis artifacts converge into a traceable safety table.

The D13 Demo:

```text
D13_fmeda_update
```

introduces the generic tool:

```text
safeic-fmeda
```

The tool consumes:

```text
fmeda_seed.csv
part_subpart_map.yaml
failure_modes.yaml
estimated_dc.csv
measured DC outputs
measured_residual_fit.csv
estimated_vs_measured_dc.csv
fault_outcomes.csv
fmeda_update_policy.yaml
```

and generates:

```text
fmeda_table.csv
fmeda_delta.csv
fmeda_review_items.csv
safety_metric_summary.csv
residual_fit_by_failure_mode.csv
residual_fit_by_part.csv
fmeda_summary.md
fmeda_warnings.csv
```

The core conclusion is:

The FMEDA is where assumptions, measurements, residual FIT, failure modes, design structure and review decisions come together. A good FMEDA update must be traceable, conservative, scope-aware and evidence-backed.

D13 turns the fault injection workflow into a reviewable safety engineering table.


37. D13 Demo checklist

For D13_fmeda_update, the expected deliverables are:

```text
[ ] README.md
[ ] run_demo.sh
[ ] run_demo.csh
[ ] manifest.yaml

[ ] inputs/fmeda_seed.csv
[ ] inputs/part_subpart_map.yaml
[ ] inputs/failure_modes.yaml
[ ] inputs/estimated_dc.csv
[ ] inputs/measured_dc_by_endpoint.csv
[ ] inputs/measured_dc_by_failure_mode.csv
[ ] inputs/measured_dc_by_safety_mechanism.csv
[ ] inputs/measured_residual_fit.csv
[ ] inputs/estimated_vs_measured_dc.csv
[ ] inputs/fault_outcomes.csv
[ ] inputs/fmeda_update_policy.yaml

[ ] outputs/fmeda_table.csv
[ ] outputs/fmeda_delta.csv
[ ] outputs/fmeda_review_items.csv
[ ] outputs/safety_metric_summary.csv
[ ] outputs/residual_fit_by_failure_mode.csv
[ ] outputs/residual_fit_by_part.csv
[ ] outputs/fmeda_summary.md
[ ] outputs/fmeda_warnings.csv
```

A successful D13 run should answer:

```text
Which FMEDA rows were generated or updated?
Which rows use the estimated DC?
Which rows use the measured DC?
Which rows kept the estimated DC because of low confidence?
Which rows contain unsafe fault evidence?
Which rows need review?
What is the selected DC of each row?
How much residual FIT is left?
Which failure modes dominate residual FIT?
Which parts or sub-parts dominate residual FIT?
Can the updated table be used in the safety evidence package?
```