



#### ISO 26262 Standards **Fault Models?**

- Several parts (each part is \$/page)
- 26262-11 Section 5.1.2: Fault Modes

Table 1: ISO 26262-11 Fault Modes

| Fault mode                   | Example                                                                                                                                    |
|------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|
| Single Event Transient (SET) | A momentary voltage excursion (e.g. a voltage spike) at a node in an integrated circuit caused by the passage of a single energetic particle. |
| Single Event Upset (SEU)     | A soft error caused by the signal induced by the passage of a single energetic particle.                                                   |
| Single Bit Upset (SBU)       | A single storage location upset from a single event.                                                                                       |
| Multiple Cell Upset (MCU)    | A single event that induces several bits in an IC to fail at the same time. The error bits are usually, but not always, physically adjacent. |
| Multiple Bit Upset (MBU)     | Two or more single-event-induced bit errors occurring in the same nibble, byte, or word.                                                   |

#### ISO 26262 Standards **Fault Models?**

- 26262-11 Section 5.1.2 "Failure Modes" & Application

Table 2: ISO 26262-11 Failure Modes

| FMx | Failure Mode | Example                                  |
|-----|--------------|------------------------------------------|
| FM1                              | Omission     | Function not delivered when needed       |
| FM2                              | Commission   | Function executed when not needed        |
| FM3                              | Timing       | Function delivered with incorrect timing |
| FM4                              | Value        | Function provides incorrect output       |

Table 3: Failure Modes applied to CPU Instruction Flow

| FMx   | Result                                                  |
|-------|---------------------------------------------------------|
| FM1   | Given instruction flow(s) not executed (total omission) |
| FM1.1 | due to program counter hang up                          |
| FM1.2 | due to instruction fetch hang up                        |
| FM2   | Unintended instruction(s) flow executed                 |
| FM3   | Incorrect instruction flow timing (too early / late)    |
| FM4   | Incorrect instruction flow result                       |
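One way to make the instruction-flow failure modes of Table 3 concrete, as an added example that is not from the slides or the ISO standard: a constructed four-instruction program, FM1.1 to FM4 injected at the model level, and two safety mechanisms (a control-flow signature and redundant re-execution) that flag each mode. The program, the signature function and the watchdog bound are my own assumptions.

```python
from enum import Enum

class FM(Enum):
    """ISO 26262-11 failure modes applied to instruction flow (Table 3)."""
    NONE = "no fault"
    FM1_1 = "omission: program counter hang up"
    FM1_2 = "omission: instruction fetch hang up"
    FM2 = "commission: unintended instruction executed"
    FM3 = "timing: instruction executed too late"
    FM4 = "value: incorrect instruction result"
# Constructed sample program: (opcode, operand) on one accumulator; (7+5)*3-4 = 32.
PROGRAM = [("set", 7), ("add", 5), ("mul", 3), ("sub", 4)]
OPS = {"set": lambda a, x: x, "add": lambda a, x: a + x,
       "mul": lambda a, x: a * x, "sub": lambda a, x: a - x}
WATCHDOG = 3  # assumed bound: repeats of one instruction before a stuck PC is cut off

def flow_signature(indices):
    """Order-sensitive signature over the indices of executed instructions."""
    sig = 0
    for idx in indices:
        sig = (sig * 31 + idx) & 0xFFFF
    return sig

def run(program, fm=FM.NONE, at=1):
    """Execute program with failure mode fm injected at instruction index at.
    Returns (accumulator, flow signature of what actually executed)."""
    seq = list(enumerate(program))
    if fm is FM.FM1_1:    # PC stuck: the same instruction repeats until the watchdog bites
        seq = seq[:at] + [seq[at]] * WATCHDOG
    elif fm is FM.FM1_2:  # fetch hangs: nothing at or after 'at' executes
        seq = seq[:at]
    elif fm is FM.FM2:    # an instruction not in the program (index -1) is executed
        seq.insert(at, (-1, ("add", 1)))
    elif fm is FM.FM3:    # instruction delayed: it executes two slots late
        seq.insert(at + 2, seq.pop(at))
    acc, executed = 0, []
    for idx, (op, x) in seq:
        acc = OPS[op](acc, x)
        if fm is FM.FM4 and idx == at:   # bit flip in the instruction's result
            acc ^= 0x10
        executed.append(idx)
    return acc, flow_signature(executed)

def check(program, fm, at=1):
    """Safety mechanisms: flow-signature compare (flags FM1-FM3) and
    redundant re-execution compare (flags FM4). Returns the flags raised."""
    acc, sig = run(program, fm, at)
    flow_ok = sig == flow_signature(range(len(program)))
    value_ok = acc == run(program)[0]
    return {name for name, ok in (("flow", flow_ok), ("value", value_ok)) if not ok}
```

Note that FM4 leaves the flow signature intact, so a control-flow check alone is blind to it; only the redundant execution catches the value fault.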

C. O'Flynn. FDTC 2021. Short Paper.





Fig. 3: Comparison of charge voltage and coils




#### Case Study: ECU in Toyota Corolla



Fig. 6: The test bench showing: ① the ECU under test, ② the throttle body, ③ the position sensor, ④ the ignition switch, ⑤ sensor simulator, ⑥ OBD-II reader, and ⑦ scope probes on PWM signal.

#### Video Example – ECU on Bench



#### Video Example – ECU in Car



#### Conclusions

- Fault models from safety can be recreated with "security focused" equipment.
- Using black box fault attacks is possible for safety engineering.
- Considerable overlap where both safety & security can learn from relevant fields.
