Safety-Related Timing: FTTI, FDTI & FHTI
10 chapters
Treat time as a first-class safety property and learn how the ISO 26262 fault-handling intervals decide whether a fault is detected and controlled before a hazardous event, with a worked 100 ms brake-by-wire budget.
How You Learn
Video and text stay in sync. As you scroll through the chapter, the video jumps to the matching explanation automatically.
Learning Objectives
Distinguish the Intervals
Separate FTTI, FDTI, FRTI, and FHTI correctly and state which is fixed by hazard analysis and which is set by the safety mechanism.
Build a Timing Budget
Allocate detection and reaction budgets against an FTTI, hold an explicit margin, and check FDTI + FRTI < FTTI with confidence.
Specify DTI Requirements
Write diagnostic test interval requirements that bound detection latency and support latent fault coverage targets.
Design Safe-State Reactions
Lay out the reaction path, choose between full safe state and emergency operation, and keep degraded modes inside the deadline.
Chapters
Time Is a Safety Property
Detection that arrives after the hazard is worthless, so ISO 26262 treats the deadline by which a fault must be handled as a safety property in its own right.
FTTI, FHTI, FDTI
Precise ISO 26262-1:2018 vocabulary for each interval, with a labeled fault-to-safe-state timeline and the confusions that lead to under-specified requirements.
Diagnostic Test Interval
How the period of a diagnostic test bounds the worst-case detection latency (a fault that appears just after one pass waits for the next), and how the Diagnostic Test Interval (DTI) ties into latent fault coverage.
The Timing Budget
Building a defensible timing budget around FHTI = FDTI + FRTI < FTTI, worked through a brake-by-wire pressure-control function with explicit millisecond allocations.
Safe-State Transition
Anatomy of the Fault Reaction Time Interval (FRTI), the definition of a safe state, and how emergency operation and degraded modes extend the available reaction options.
Multi-Point Detection
How latent multi-point faults carry different timing constraints from single-point faults, and how the Latent Fault Metric drives diagnostic test rates.
Worked Timing Diagram
An annotated timeline placing fault occurrence, diagnostic tick, detection, reaction, and safe state in sequence, with event-by-event commentary that keeps everything inside FTTI.
Allocating Timing to HW/SW
Splitting detection budget to hardware monitors and reaction budget to software, accounting for interrupt latency, scheduling jitter, and worst-case execution time at the interface.
Verifying Timing
Producing evidence that worst-case detection and reaction times hold, using fault injection, worst-case execution time analysis, and system-level timing tools for the safety case.
Pitfalls
The recurring mistakes in safety-related timing, from confusing the intervals to leaving zero margin, paired with a review checklist a practitioner can apply directly.
Diagrams & Visuals
Fault-to-Safe-State Timeline
Labeled axis showing fault occurrence, detection at FDTI, safe state at FHTI, and the hazard deadline at FTTI, with the reserved margin called out.
Safe-State Transition Sequence
State view of the reaction path from fault signal through software handler to actuator settling in the defined safe state.
Reaction State Machine
Transitions between nominal operation, fault detected, emergency operation, and full safe state across the FRTI window.
Degraded Mode and Emergency Operation
How limp-home and emergency operation extend reaction options when a full safe state cannot be reached inside FTTI.
HW/SW Timing Allocation
Architecture split assigning short detection budget to hardware monitors and reaction budget to scheduled software tasks across the interface.
Fault Injection Verification
Injection points and measured detection-to-reaction latency used to confirm worst-case timing against the budget.
Brake-by-Wire Pressure Control Timing Budget
A pressure-control function with an FTTI of 100 ms is worked end to end, allocating detection and reaction so the handling time lands comfortably under the deadline with margin to spare.
- FTTI of 100 ms from hazard analysis, reduced to an 80 ms working budget using a 0.8 factor
- Diagnostic runs on a 10 ms period; a fault that appears just after one pass completes waits a full period for the next, so worst-case FDTI is 10 ms plus 1 ms execution, giving 11 ms
- FRTI of 31 ms covers interrupt latency, task switch, command, and actuator settling
- FHTI = FDTI + FRTI = 11 ms + 31 ms = 42 ms total handling time
- 42 ms sits below the 80 ms working budget and well under the 100 ms FTTI
- 38 ms of margin against the working budget (58 ms against the FTTI itself) absorbs jitter and worst-case stacking
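As an added example that is not part of the course material, the budget above and the fault-injection check from the Verifying Timing chapter expressed in Python. The brake-by-wire figures (100 ms FTTI, 0.8 factor, 10 ms diagnostic period, 1 ms execution, 31 ms FRTI) are the page's own; the split of the 31 ms FRTI into components, the jitter parameter and the sweep step are assumptions chosen for illustration.

```python
"""Timing-budget check and diagnostic phase-sweep fault injection.

Added example, not course material. The brake-by-wire figures (FTTI 100 ms,
0.8 working factor, 10 ms diagnostic period, 1 ms execution, 31 ms FRTI) are
the page's; the FRTI split, the jitter term and the sweep step are assumptions.
"""
import math
from dataclasses import dataclass, field


@dataclass
class TimingBudget:
    ftti_ms: float                 # from hazard analysis; fixed, not negotiable
    working_factor: float          # share of FTTI the design is allowed to spend
    dti_period_ms: float           # Diagnostic Test Interval: period of the check
    diag_wcet_ms: float            # worst-case execution time of one diagnostic pass
    diag_jitter_ms: float = 0.0    # assumed release jitter of the diagnostic task
    frti_components_ms: dict = field(default_factory=dict)  # reaction-path pieces

    @property
    def working_budget_ms(self) -> float:
        return self.ftti_ms * self.working_factor

    @property
    def fdti_ms(self) -> float:
        # Worst case: the fault appears just after a pass has finished, so it waits
        # a whole period (plus any release jitter) and then the pass itself.
        return self.dti_period_ms + self.diag_jitter_ms + self.diag_wcet_ms

    @property
    def frti_ms(self) -> float:
        return sum(self.frti_components_ms.values())

    @property
    def fhti_ms(self) -> float:
        return self.fdti_ms + self.frti_ms

    def check(self) -> dict:
        """FHTI = FDTI + FRTI must fit the working budget, not merely the FTTI."""
        return {
            "fdti_ms": self.fdti_ms,
            "frti_ms": self.frti_ms,
            "fhti_ms": self.fhti_ms,
            "working_budget_ms": self.working_budget_ms,
            "margin_vs_working_ms": self.working_budget_ms - self.fhti_ms,
            "margin_vs_ftti_ms": self.ftti_ms - self.fhti_ms,
            "ok": self.fhti_ms < self.working_budget_ms,
        }


def brake_by_wire_budget(jitter_ms: float = 0.0) -> TimingBudget:
    """The page's 100 ms brake-by-wire case. The FRTI split below is an assumed
    breakdown of the page's 31 ms total, not figures from the course."""
    return TimingBudget(
        ftti_ms=100.0,
        working_factor=0.8,
        dti_period_ms=10.0,
        diag_wcet_ms=1.0,
        diag_jitter_ms=jitter_ms,
        frti_components_ms={
            "interrupt_latency": 1.0,
            "task_switch": 2.0,
            "safe_state_command": 8.0,
            "actuator_settling": 20.0,
        },
    )


def sweep_injection(period_ms: float, wcet_ms: float, step_ms: float = 0.25) -> tuple:
    """Inject a fault at every phase offset inside one diagnostic period and
    return (min, max) detection latency. Model: a pass is released at k*period,
    runs for wcet, and only catches faults already present at its release.
    A discrete sweep can only approach the analytic worst case period + wcet;
    the analytic bound goes into the safety case, the measurements confirm it."""
    latencies = []
    for i in range(int(round(period_ms / step_ms))):
        t_fault = i * step_ms
        t_release = math.ceil(t_fault / period_ms) * period_ms  # next pass release
        latencies.append(t_release + wcet_ms - t_fault)
    return min(latencies), max(latencies)


if __name__ == "__main__":
    budget = brake_by_wire_budget()
    for key, value in budget.check().items():
        print(f"{key:>22}: {value}")
    lo, hi = sweep_injection(budget.dti_period_ms, budget.diag_wcet_ms)
    print(f"measured detection latency {lo} .. {hi} ms (analytic bound {budget.fdti_ms} ms)")
    # Stacking 3 ms of release jitter on the diagnostic still fits: FHTI 45 ms < 80 ms.
    print("ok with 3 ms jitter:", brake_by_wire_budget(jitter_ms=3.0).check()["ok"])
```

Two points the numbers make that the bullets do not: the sweep's largest observed latency stays one step short of the 11 ms analytic bound, which is why the bound itself (not the best measurement) belongs in the safety case; and a diagnostic with enough jitter can keep FHTI under the 100 ms FTTI while still failing the 80 ms working budget, which is exactly the condition the margin is there to catch.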
Master Safety-Related Timing
Work through every fault-handling interval, build a defensible budget, and verify it for the safety case.