Fault Injection & Safety-Mechanism Verification
10 chapters
Learn how to turn a Diagnostic Coverage (DC) claim into demonstrated evidence by injecting faults and proving safety mechanisms detect and react within the Fault-Tolerant Time Interval (FTTI) across hardware, software, and system levels.
Learning Objectives
Justify DC claims with evidence
Trace each FMEDA Diagnostic Coverage value to a fault injection test that demonstrates the mechanism rather than asserting it.
Verify reaction within FTTI
Measure detection latency and fault reaction time, confirming the safe state is reached inside the Fault-Tolerant Time Interval.
Build a representative fault list
Derive injection cases from all FMEDA fault classes and review them so coverage is not systematically optimistic.
Choose the right technique
Match pin forcing, glitching, JTAG, EMFI, laser, RTL simulation, or HIL to the fault model, access, and budget at hand.
Chapters
Why Fault Injection
Fault injection converts an analytical Diagnostic Coverage (DC) claim in the FMEDA into demonstrated evidence for the safety case, proving mechanisms fire inside the Fault-Tolerant Time Interval (FTTI).
Fault Models
A fault model bridges physical failure mechanisms to the stimuli a test engineer can apply, spanning stuck-at, bridging, open, bit-flip/SEU, and the information-exchange fault classes of ISO 26262-6 Annex D.
Where in the Lifecycle
Fault injection appears on multiple right-side V-model nodes because the relevant faults, observation points, and claims differ at software unit, integration, hardware, and system levels.
Hardware Fault Injection
Physical techniques inject faults into real silicon and boards, ranging from safe non-invasive JTAG register writes to spatially precise but destructive laser and heavy-ion methods.
Software Fault Injection
Source-level and binary-level injection verifies software safety monitors cheaply and repeatably, exercising range checks, flow monitors, and exception handlers without specialised hardware.
Simulation & Model-Based FI
Simulation-based campaigns validate coverage before hardware exists, from RTL/gate-level fault simulation feeding ISO 26262-11 analysis to Model, Software, and Hardware-in-the-Loop saboteur techniques.
Campaign Planning
The fault list is derived from the FMEDA and architecture, then run as an exhaustive or statistically sampled campaign against a golden run with predefined observation points and pass/fail criteria.
Measuring Coverage
Every injected fault is classified into exactly one outcome; achieved DC is computed as detected / (detected + undetected), and sampled campaigns report a Wilson or Clopper-Pearson confidence bound on that ratio.
Tools & Standards
Four tool categories cover the V-model, results are packaged into formal work products, tools need ISO 26262-8 qualification, and ISO 26262-11 gives semiconductor-specific fault injection guidance.
Worked Example & Pitfalls
A complete ASIL D Electric Power Steering (EPS) torque watchdog example runs 500 stuck-at-high injections to 98.2% DC, exposing a timing non-conformance, plus five pitfalls that invalidate campaigns.
Diagrams & Visuals
Fault Model Explorer
Interactive map of stuck-at, bridging, open, SEU, and communication fault classes with automotive failure examples.
Fault Injection Across the V-Model
Where injection sits at software unit, software integration, hardware integration, and system levels with the relevant clauses.
Hardware, Software, and Simulation Comparison
Side-by-side view of injection environments by realism, cost, repeatability, and the evidence each produces.
Campaign Timeline and FTTI
Fault-at-T=0 timeline tracing detection latency and reaction time against the Fault-Tolerant Time Interval budget.
Fault Classification Decision Tree
Branching logic that sorts each injected fault into detected, silent, late, masked, false-alarm, or inconclusive.
Diagnostic Coverage Gauge
Achieved DC visualised against the claimed target with the statistical confidence lower bound for sampled runs.
ASIL D EPS Torque Watchdog: Stuck-at-High Injection
A dual-channel SENT torque sensor on an Infineon AURIX TC397 is injected with a stuck-at-high fault (0xFFFF) at ten program phases to verify the cross-channel plausibility monitor and 10 ms watchdog window against a 25 ms FTTI.
- FMEDA-EPS-HW-017 claims 97% DC for the plausibility monitor at ASIL D
- JTAG (Lauterbach TRACE32) overwrites the decoded channel A torque register, 500 injections total
- Observation spans the PLAUS_FAULT flag, relay coil, motor current, and DTC E0017
- Results: 487 detected, 9 FTTI-exceeded, 4 masked, achieved DC = 98.2%
- NCR-EPS-FI-003: interrupt preemption pushed 9 cases to 28 ms, fixed by raising task priority
- Re-test passed within 18 ms; assessor accepted FI-TR-EPS-017-v2 with 95% lower bound of 96.7%
Campaign Result Summary
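The classification tree, the DC ratio and the sampled-campaign confidence bound from the EPS example, as an added illustration that is not part of the course material: records are assumed to carry an observable-effect flag plus detection and safe-state times on the fault-at-T=0 timeline, and the campaign totals below are constructed to match the 487/9/4 split.

```python
from collections import Counter
from dataclasses import dataclass
from math import sqrt
from typing import Optional

@dataclass
class Injection:
    """One injection record; the fault is applied at T=0 ms (constructed fields)."""
    output_deviated: bool            # fault propagated to an observation point (motor current, relay)
    detect_ms: Optional[float]       # when PLAUS_FAULT was raised, None if never
    safe_state_ms: Optional[float]   # when the safe state (relay open) was reached, None if never

def classify(r: Injection, ftti_ms: float) -> str:
    """Sort a record into exactly one outcome, in decision-tree order."""
    if r.detect_ms is not None and r.detect_ms < 0:
        return "false_alarm"       # mechanism fired before any fault existed
    if r.detect_ms is None:
        return "silent" if r.output_deviated else "masked"
    if r.safe_state_ms is None:
        return "inconclusive"      # detected, but the reaction was never observed in the run window
    return "detected" if r.safe_state_ms <= ftti_ms else "late"

def wilson_lower(successes: int, n: int, z: float = 1.96) -> float:
    """95% Wilson score lower bound on the detection proportion."""
    p = successes / n
    centre = p + z * z / (2 * n)
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n))
    return (centre - half) / (1 + z * z / n)

def summarise(records, ftti_ms: float = 25.0) -> dict:
    """Counts per outcome, achieved DC, and its statistical lower bound."""
    counts = Counter(classify(r, ftti_ms) for r in records)
    detected = counts["detected"]
    undetected = counts["silent"] + counts["late"]   # dangerous outcomes; masked is excluded
    dc = detected / (detected + undetected)
    return {"counts": dict(counts), "dc": dc,
            "dc_lower95": wilson_lower(detected, detected + undetected)}

# Constructed records matching the EPS campaign totals: 487 detected, 9 late (28 ms), 4 masked
EPS_RUN = ([Injection(True, 3.0, 18.0)] * 487
           + [Injection(True, 6.0, 28.0)] * 9
           + [Injection(False, None, None)] * 4)

if __name__ == "__main__":
    print(summarise(EPS_RUN))   # dc ≈ 0.982, i.e. 487 / 496
```

A late detection counts against DC even though the monitor fired, which is why the nine 28 ms cases needed the NCR before the claim could stand.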
Prove Your Safety Mechanisms Actually Work
Work through fault models, injection techniques, campaign planning, and coverage measurement to build fault injection evidence an ISO 26262 assessor will accept.