Demystifying PMHF: A Guide to Hardware Metrics and FMEDA

Discover how to calculate PMHF, SPFM, and LFM using the FMEDA technique to ensure automotive hardware safety compliance under ISO 26262 Part 5.

ISO 26262 Academy

The Critical Need for Quantifiable Hardware Safety

Imagine you are designing the control unit for an Advanced Driver Assistance System, specifically an Automatic Emergency Braking (AEB) module. Your software might be perfectly architected, but what happens if a single hardware capacitor fails or a microcontroller bit flips unexpectedly due to environmental radiation? If the hardware fault goes undetected, the vehicle might fail to brake in a critical situation, leading to catastrophic consequences. How do you prove mathematically that your hardware design is robust enough to prevent such failures? This is where rigorous hardware safety metrics come into play.

To meet the stringent requirements of ISO 26262, automotive engineers must quantify the risk of random hardware failures. At the core of this quantification is the PMHF (Probabilistic Metric for Random Hardware Failures). Calculating PMHF is not merely a compliance exercise; it is a fundamental engineering practice that ensures your electronic components will perform safely over the entire lifespan of the vehicle. By mastering PMHF and its companion metrics using the FMEDA technique, you can confidently validate your safety-critical automotive hardware.

What Are Hardware Safety Metrics? (PMHF, SPFM, and LFM)

ASIL   SPFM Target          LFM Target           PMHF Target (approx)
A      No specific target   No specific target   No specific target
B      ≥ 90%                ≥ 60%                < 1000 FIT
C      ≥ 97%                ≥ 80%                < 100 FIT
D      ≥ 99%                ≥ 90%                < 10 FIT

In the realm of functional safety, qualitative analysis is only the beginning. As addressed in ISO 26262 Part 5, dealing with random hardware failures requires a highly quantitative approach. Hardware components degrade over time, and random faults are an inevitable reality of physics. To manage this reality, the standard defines three primary hardware metrics.

The Probabilistic Metric for Random Hardware Failures (PMHF)

PMHF is the ultimate quantitative target for your hardware design. It represents the average probability of a violation of a safety goal per hour due to random hardware failures. It is typically expressed in FIT (Failures In Time), where one FIT equals one failure per billion operating hours. Depending on the Automotive Safety Integrity Level (ASIL) assigned to your safety goal, your system must achieve a specific PMHF target. For example, highly critical ASIL D systems require an extremely low PMHF, dictating highly reliable components and robust safety mechanisms.

Single-Point Fault Metric (SPFM)

While PMHF looks at the overall probability of failure, SPFM evaluates the robustness of your design against single-point faults. A single-point fault is a hardware failure that leads directly to a safety goal violation without the involvement of any other faults. SPFM measures the percentage of these potentially dangerous faults that are either inherently safe by design or safely mitigated by your diagnostic safety mechanisms. A higher SPFM percentage indicates a safer, more resilient hardware architecture.

Latent Fault Metric (LFM)

Latent faults are sneaky. They are faults that do not violate a safety goal on their own but can become dangerous if a second fault occurs. For instance, if your primary safety mechanism fails silently, you have a latent fault. LFM measures the effectiveness of your diagnostics in detecting these hidden failures before a second, independent fault can combine with them to cause a critical system failure. Like SPFM, LFM is expressed as a percentage, and achieving the required ASIL target demands comprehensive diagnostic coverage.

The Role of FMEDA in PMHF Calculation

To calculate PMHF, SPFM, and LFM, safety engineers rely on a structured analytical technique known as FMEDA (Failure Modes, Effects, and Diagnostic Analysis). If you are familiar with a standard FMEA, you can think of FMEDA as its mathematically rigorous sibling.

A standard FMEA qualitatively identifies what might go wrong and the severity of the consequences. FMEDA takes this a massive step forward by assigning precise failure rates to every component and quantifying the ability of the system to detect those failures. It is the engine that drives hardware metrics calculation.

In an FMEDA, every single resistor, capacitor, microcontroller, and sensor in your safety-critical path is cataloged. Engineers assign a base failure rate to each component using established industry databases. Then, they break down how that component can fail (its failure modes), determine the effect of each failure mode on the safety goal, and apply safety mechanisms to see how many faults can be safely caught and mitigated.

Step-by-Step PMHF Calculation using FMEDA

Figure: Flowchart showing the logical progression of fault classification in an FMEDA.

Calculating PMHF is a methodical process. While the exact mathematical formulas can be complex and are detailed deeply within ISO 26262 Part 5, the conceptual workflow remains consistent across all automotive safety projects. Here is how you construct an FMEDA to arrive at your final metrics.

Step 1: Determine Base Failure Rates

The foundation of any FMEDA is the base failure rate of your hardware components. Engineers typically source these rates from recognized reliability handbooks, such as IEC 62380 or SN 29500. These handbooks provide FIT rates based on the component type, technology, operating temperature, and mission profile of the vehicle. A precise mission profile is critical, as a component mounted on the engine block will experience a vastly different thermal stress compared to one inside the climate-controlled cabin.

Step 2: Define Component Failure Modes and Distribution

A component rarely fails in only one way. A resistor might fail open, fail short, or experience a drift in resistance. During the FMEDA process, you must distribute the base failure rate across these different failure modes. For example, you might determine that 70 percent of a resistor's failures will be open circuits, while 30 percent will be short circuits. This distribution allows you to analyze the specific effect of each unique failure mode.

Step 3: Fault Classification

This is the heart of the FMEDA. Every failure mode must be traced to its effect on the system and classified into a specific fault category:

  • Safe Faults: Faults that have no potential to violate the safety goal, regardless of operational conditions.
  • Single-Point Faults: Faults that directly violate the safety goal without any safety mechanism to stop them.
  • Residual Faults: Faults that are covered by a safety mechanism, but the mechanism is not 100 percent effective. The portion of the fault that escapes detection is the residual fault.
  • Multiple-Point Faults: Faults that only cause a hazard when combined with another independent fault. These are further evaluated to see if they are perceived by the driver, detected by diagnostics, or remain latent.

Step 4: Assess Diagnostic Coverage (DC)

For faults that have the potential to be dangerous, you must evaluate the effectiveness of your safety mechanisms. Diagnostic Coverage (DC) is the percentage of the failure rate that your safety mechanism successfully detects and mitigates. If a microcontroller has a memory parity check, you must determine what percentage of memory corruption faults that check will catch. Higher diagnostic coverage reduces your residual and latent fault rates, directly improving your PMHF, SPFM, and LFM.

Step 5: Compute Final Hardware Metrics

Once every component is analyzed and classified, the FMEDA aggregates the data. SPFM is calculated by comparing the safe and detected faults against the total pool of potentially dangerous faults. LFM is calculated similarly for the latent fault pool. Finally, PMHF is computed by summing the residual fault rates together with a contribution from the latent fault rates accumulated over the expected lifetime of the vehicle.

Practical Example: Evaluating an EPS Microcontroller

Let us ground this theory in a practical automotive application. Consider an Electronic Power Steering (EPS) system. The safety goal is to prevent unintended self-steering of the vehicle, which is a highly critical ASIL D hazard.

In our FMEDA, we are analyzing the primary microcontroller of the EPS system. Let us assume the microcontroller has a base failure rate of 100 FIT. One of the failure modes is a failure of the internal clock, which we estimate accounts for 10 percent of the total failure rate (10 FIT).

If the internal clock fails, the microcontroller stops processing steering commands correctly, leading directly to an unintended steering event. If we have no safety mechanisms, this entire 10 FIT becomes a Single-Point Fault. Because ASIL D requires a very strict SPFM and an extremely low PMHF, this unmitigated 10 FIT alone might cause our entire system to fail the PMHF target.

To fix this, we introduce a safety mechanism: an external Watchdog Timer with its own independent clock. The watchdog continuously monitors the microcontroller. If the microcontroller clock fails, the watchdog detects the lack of activity within milliseconds and safely transitions the EPS system into a fail-safe state (e.g., smoothly disabling power assist to prevent sudden jerks).

We evaluate the Diagnostic Coverage of this watchdog for the clock failure mode at 99 percent. Now, out of our original 10 FIT failure rate, 9.9 FIT is safely detected and mitigated. Only 0.1 FIT remains as a Residual Fault. By implementing this safety mechanism, we have drastically improved our SPFM and significantly lowered our PMHF, bringing us much closer to our ASIL D compliance goals.
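The five FMEDA steps above, carried through on the EPS microcontroller of this section, as an added example that is not code from the ISO 26262 Academy article. Only the 100 FIT base rate, the 10 percent clock share and the 99 percent watchdog coverage come from the text; the "other modes" split, the watchdog's own 5 FIT, its 90 percent start-up self-test coverage, the 10,000 h lifetime and the first-order dual-point term are assumptions made for the example. SPFM and LFM follow the ISO 26262-5 definitions; PMHF is a simplified estimate, not the standard's full formula.

```python
# Added example (not the article's code). Numbers marked "constructed" are assumptions.
from dataclasses import dataclass
FIT = 1e-9  # one FIT is one failure per 1e9 operating hours

@dataclass
class Row:
    component: str
    mode: str
    base_fit: float         # Step 1: base failure rate from a handbook (FIT)
    share: float            # Step 2: fraction of base_fit in this failure mode
    effect: str             # Step 3: "safe", "direct" (violates the safety goal alone) or "mpf"
    dc: float = 0.0         # Step 4: coverage of the mechanism that stops the violation
    dc_latent: float = 0.0  # coverage of the diagnostics that reveal a latent fault

    def classify(self):
        """Split this row's FIT into safe / single-point / residual / MPF-detected / MPF-latent."""
        lam = self.base_fit * self.share
        if self.effect == "safe":
            return dict(safe=lam, spf=0.0, rf=0.0, mpf_det=0.0, mpf_lat=0.0)
        if self.effect == "direct" and self.dc == 0.0:  # no mechanism at all: single-point fault
            return dict(safe=0.0, spf=lam, rf=0.0, mpf_det=0.0, mpf_lat=0.0)
        if self.effect == "direct":
            rf, mpf = lam * (1 - self.dc), lam * self.dc  # escapes vs. caught by the mechanism
        else:                       # "mpf": only dangerous together with a second fault
            rf, mpf = 0.0, lam
        lat = mpf * (1 - self.dc_latent)  # caught/multiple-point faults that stay hidden
        return dict(safe=0.0, spf=0.0, rf=rf, mpf_det=mpf - lat, mpf_lat=lat)

def metrics(rows, lifetime_h=10_000.0):
    """Step 5: SPFM and LFM as ISO 26262-5 defines them; PMHF as a first-order estimate."""
    tot = dict(safe=0.0, spf=0.0, rf=0.0, mpf_det=0.0, mpf_lat=0.0)
    for r in rows:
        for k, v in r.classify().items():
            tot[k] += v
    total = sum(tot.values())
    spfm = 1 - (tot["spf"] + tot["rf"]) / total
    lfm = 1 - tot["mpf_lat"] / (total - tot["spf"] - tot["rf"])
    # Assumption: dual-point term = latent x detected x lifetime / 2, i.e. a latent fault
    # accumulating over the vehicle lifetime meets a second, detected fault (constructed lifetime).
    dual_fit = tot["mpf_lat"] * tot["mpf_det"] * FIT * lifetime_h / 2
    return dict(tot, spfm=spfm, lfm=lfm, pmhf_fit=tot["spf"] + tot["rf"] + dual_fit)

def eps_without_watchdog():  # the article's unmitigated case: the whole 10 FIT is single-point
    return metrics([Row("MCU", "internal clock", 100, 0.10, "direct"),
                    Row("MCU", "other modes (constructed: safe)", 100, 0.90, "safe")])

def eps_with_watchdog():  # 99% DC from the article; safe-state reaction means the caught part
    return metrics([Row("MCU", "internal clock", 100, 0.10, "direct", dc=0.99, dc_latent=1.0),
                    Row("MCU", "other modes (constructed: safe)", 100, 0.90, "safe"),
                    Row("Watchdog", "fails to trigger (constructed)", 5, 1.0, "mpf", dc_latent=0.90)])
```

Without the watchdog, SPFM is 90 percent and PMHF is 10 FIT, both short of the ASIL D targets in the table above; with it, 0.1 FIT remains as residual and the untested 10 percent of watchdog failures is what shows up in LFM.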

Common Pitfalls in PMHF and Hardware Metrics Calculation

Even experienced engineering teams can stumble when executing complex FMEDAs. Being aware of common pitfalls can save thousands of hours of rework.

One major mistake is overly optimistic Diagnostic Coverage. It is tempting to claim 99 percent DC for every software-based diagnostic, but ISO 26262 requires rigorous justification. If you claim high coverage, you must have the fault injection testing or architectural proof to back it up.

Another common error is ignoring the mission profile. Taking a base failure rate intended for a temperate, ground-fixed server and applying it to a sensor mounted near an exhaust manifold will result in a wildly inaccurate PMHF. Temperature cycling and vibration drastically accelerate hardware failure rates.

Finally, engineers often struggle with Latent Faults. It is easy to focus entirely on immediate, single-point failures. However, neglecting to test the safety mechanisms themselves (for instance, not checking if the watchdog timer is actually working upon vehicle startup) leaves massive latent fault vulnerabilities that will ruin your LFM calculations.

Key Takeaways for Hardware Metrics Calculation

Successfully navigating hardware metrics requires discipline, accurate data, and a deep understanding of your system architecture. Keep these strategic takeaways in mind:

  • Start Early: Do not wait until the hardware design is finished to start your FMEDA. Use preliminary calculations to guide component selection and safety mechanism design.
  • Document Assumptions: Every base failure rate, failure mode distribution, and diagnostic coverage claim must be thoroughly documented and justified in your safety case.
  • Focus on Residual Faults: Even a tiny residual fault rate on a highly complex component can bloat your PMHF. Target your most complex parts for the highest diagnostic coverage.
  • Iterate Constantly: FMEDA is a living document. As testing reveals new failure modes or as component choices change, your hardware metrics must be recalculated.

"Calculating PMHF is not a standalone mathematical chore; it is the quantitative proof that your safety architecture is resilient enough to protect human lives against the inevitability of hardware degradation."

Advancing Your Hardware Safety Expertise

Mastering the calculation of hardware metrics using the FMEDA technique is a defining skill for top-tier functional safety engineers. While the concepts of PMHF, SPFM, and LFM provide a clear framework, the true challenge lies in accurately modeling complex modern automotive architectures. Understanding the nuances of fault classification and diagnostic coverage justification separates adequate safety designs from world-class systems.

If you are ready to move beyond the fundamentals and master the intricate details of hardware metrics, we invite you to dive deeper with our specialized resources. Explore our comprehensive concept pages, test your knowledge with our free practice exams, or accelerate your career with our advanced Hardware Metrics courses on the ISO 26262 Academy platform. Equip yourself with the exact skills needed to build safer, fully compliant automotive technologies.

Abbreviations & Key Definitions

  • AEB - Automatic Emergency Braking, an advanced driver assistance system designed to prevent collisions
  • ASIL - Automotive Safety Integrity Level, a risk classification scheme defined by ISO 26262
  • DC - Diagnostic Coverage, the proportion of the hardware element failure rate that is detected or controlled by a safety mechanism
  • EPS - Electronic Power Steering, a system that uses an electric motor to assist the driver in steering the vehicle
  • FIT - Failures In Time, a unit of measure for failure rates, defined as one failure per one billion device hours
  • FMEDA - Failure Modes, Effects, and Diagnostic Analysis, a systematic analysis technique to determine causes of failures and calculate hardware metrics
  • FMEA - Failure Mode and Effects Analysis, a qualitative systematic method for evaluating potential system failures
  • HARA - Hazard Analysis and Risk Assessment, the process to identify and categorize hazardous events
  • LFM - Latent Fault Metric, a hardware architectural metric that assesses the effectiveness of safety mechanisms in covering latent faults
  • PMHF - Probabilistic Metric for Random Hardware Failures, the target metric representing the average probability of a safety goal violation per hour
  • SPFM - Single-Point Fault Metric, a hardware architectural metric that assesses the robustness of the design to single-point faults

Last updated: 26 February 2026
