SPFM, LFM & PMHF Calculation Guide (ISO 26262 Hardware Metrics Explained)
Hello, automotive hardware safety engineers, FMEDA analysts, and functional safety professionals! If you develop safety-relevant automotive hardware – ECUs, sensor modules, actuator controllers, or semiconductor components – then you need to calculate the hardware architectural metrics defined in ISO 26262 Part 5: SPFM (Single Point Fault Metric), LFM (Latent Fault Metric), and PMHF (Probabilistic Metric for random Hardware Failures). These three metrics are the quantitative evidence that your hardware design achieves the required level of safety for the target ASIL.

In this comprehensive calculation guide at PiEmbSysTech, we will explain every concept you need – from the failure classification taxonomy, through the precise formulas, to a complete worked EPS (Electric Power Steering) FMEDA example with actual FIT numbers. Let us begin.
1. Why Hardware Metrics Exist – The Random Failure Problem
ISO 26262 distinguishes between systematic failures (design errors, process defects – addressed through rigorous development methods) and random hardware failures (component wear-out, parameter drift, transistor-level defects – which occur unpredictably even in perfectly designed hardware). The hardware architectural metrics – SPFM, LFM, and PMHF – provide quantitative evidence that the hardware design adequately handles random hardware failures through appropriate safety mechanisms (redundancy, monitoring, diagnostic coverage).
These metrics answer three fundamental questions: SPFM asks “what proportion of dangerous single failures are covered by safety mechanisms?”, LFM asks “what proportion of latent failures (hidden failures that could become dangerous later) are detected?”, and PMHF asks “what is the overall probability that a random hardware failure violates a safety goal?”
2. ASIL-Dependent Metric Target Values
| Metric | ASIL B | ASIL C | ASIL D |
|---|---|---|---|
| SPFM | ≥90% | ≥97% | ≥99% |
| LFM | ≥60% | ≥80% | ≥90% |
| PMHF | <100 FIT | <100 FIT | <10 FIT |
ASIL A has no explicit quantitative hardware metric targets – only qualitative requirements apply. ASIL B metrics are recommended (not mandatory). ASIL C and D metrics are required. These targets are evaluated at the item level (the complete system contributing to a safety goal), not at the individual component level.
3. The Failure Classification Taxonomy – Six Categories
Every failure mode of every hardware component must be classified into one of six categories, based on whether the failure can violate a safety goal and whether a safety mechanism detects it:
| Category | Symbol | Description | Contributes to |
|---|---|---|---|
| Safe Fault | λS | Does not contribute to violation of any safety goal (regardless of detection) | None (excluded from SPFM, LFM) |
| Single-Point Fault | λSPF | Can directly violate a safety goal; no safety mechanism exists | SPFM denominator, PMHF |
| Residual Fault | λRF | Can violate a safety goal; safety mechanism exists but does not cover this failure mode (undetected portion) | SPFM denominator, PMHF |
| Detected Multi-Point Fault | λMPF,D | Can violate a safety goal only in combination with another fault; detected by a safety mechanism | SPFM and LFM denominators only (counts as covered) |
| Perceived Multi-Point Fault | λMPF,P | Can violate a safety goal only in combination with another fault; perceived by the driver | SPFM and LFM denominators only (counts as covered) |
| Latent Multi-Point Fault | λMPF,L | Can violate a safety goal in combination; neither detected nor perceived — remains hidden | LFM denominator, PMHF |
The total failure rate of safety-related hardware is: λ = λS + λSPF + λRF + λMPF,D + λMPF,P + λMPF,L
4. Failure Rate Sources – Where Do FIT Numbers Come From?
The failure rates (in FIT – Failures In Time, where 1 FIT = 1 failure per 10⁹ hours) come from several standardized sources:
IEC TR 62380: Reliability data handbook widely used in European automotive. Provides failure rate prediction models based on component technology, package type, and environmental conditions.
SN 29500 (Siemens standard): Another commonly used European failure rate prediction standard. Provides component-level failure rate data for semiconductors, passive components, and electromechanical parts.
FIDES: French reliability methodology that accounts for manufacturing process quality, operational stress profiles, and environment conditions.
Semiconductor manufacturer data: Companies like Infineon, NXP, Texas Instruments, and Renesas provide FIT data and failure mode distributions for their safety-qualified products through safety manuals and SEooC documentation.
Field data: For proven-in-use components, actual field failure data can be used if statistically sufficient (typically requiring billions of device-hours of field experience).
5. Diagnostic Coverage (DC) – Low, Medium, High
Diagnostic Coverage is the fraction of a failure mode’s failure rate that is detected (or covered) by a safety mechanism. ISO 26262 Part 5 Table 14 defines three reference levels:
| DC Level | Coverage | Typical Safety Mechanisms |
|---|---|---|
| Low | 60% | Plausibility checks, range checks, voltage monitoring |
| Medium | 90% | Hardware redundancy with comparison, ECC on memory, CRC on communication |
| High | 99% | Lockstep CPU with comparator, dual-channel with cross-check, BIST with high coverage |
The DC value determines how a failure mode is classified: if a failure mode that could violate a safety goal has no safety mechanism, it is a single-point fault. If it has a safety mechanism with DC = 90%, then 90% of its failure rate becomes λMPF,D (detected multi-point) and 10% becomes λRF (residual fault).
6. The FMEDA Process – From Component to Metric
The FMEDA (Failure Mode, Effects, and Diagnostic Analysis) is the standard method for deriving hardware metrics. The process follows these steps:
Step 1: List every hardware component in the safety-relevant architecture.
Step 2: Determine the total failure rate (λ) for each component from failure rate databases.
Step 3: Identify all failure modes for each component and distribute λ across failure modes (failure mode distribution).
Step 4: For each failure mode, determine the effect: safe (no safety goal impact) or potentially unsafe (can contribute to safety goal violation).
Step 5: For each potentially unsafe failure mode, identify the safety mechanism and assign a DC value.
Step 6: Classify each failure mode into one of the six categories.
Step 7: Sum the failure rates in each category across all components.
Step 8: Calculate SPFM, LFM, and PMHF using the formulas.
7. SPFM Formula and Calculation
The Single Point Fault Metric (SPFM) measures the proportion of dangerous single-failure paths that are covered by safety mechanisms. A high SPFM means that very few dangerous failure modes can directly violate a safety goal without being detected.
SPFM = 1 − ( ΣλSPF + ΣλRF ) / ( ΣλSPF + ΣλRF + ΣλMPF,D + ΣλMPF,P + ΣλMPF,L )
Equivalently: SPFM = 1 − ( ΣλSPF + ΣλRF ) / Σλsafety-related, non-safe
The numerator of the subtracted fraction represents the “bad” failure rates – single-point faults and residual faults that can directly violate a safety goal. The denominator represents all non-safe, safety-related failure rates. Safe faults (λS) are excluded from both numerator and denominator.
8. LFM Formula and Calculation
The Latent Fault Metric (LFM) measures the proportion of multi-point faults that are detected or perceived, rather than remaining latent (hidden). A high LFM means that very few faults remain hidden in the system where they could combine with a second fault to violate a safety goal.
LFM = 1 − ΣλMPF,L / ( ΣλMPF,D + ΣλMPF,P + ΣλMPF,L )
The numerator of the subtracted fraction is the latent multi-point fault rate – the faults that remain hidden. The denominator is the total multi-point fault rate (detected + perceived + latent). Safe faults and single-point/residual faults are excluded from the LFM calculation.
9. PMHF Formula and Calculation
The PMHF (Probabilistic Metric for random Hardware Failures) is the estimated rate of safety goal violations due to random hardware failures. Unlike SPFM and LFM (which are dimensionless percentages), PMHF has units of failures per hour (or FIT).
The simplified PMHF formula (single-point and residual faults, plus a dual-point term) is:
PMHF ≈ ΣλSPF + ΣλRF + Σ(λMPF,L_i × λDPF_j × Tlifetime)
The first two terms represent the direct contribution of single-point and residual faults. The third term represents the contribution of dual-point faults – where a latent fault (λMPF,L) must coincide with a second independent fault (λDPF) during the vehicle lifetime (Tlifetime) to violate the safety goal. For dual-point faults with diagnostic test intervals shorter than the vehicle lifetime, the product uses the diagnostic test interval instead of Tlifetime.
In practice, for well-designed systems where SPFM is high (few single-point/residual faults), the PMHF is dominated by the single-point and residual fault contributions. The dual-point fault contribution is typically very small because the product of two small failure rates is extremely small.
10. Complete Worked Example – EPS System FMEDA
Let us calculate SPFM, LFM, and PMHF for a simplified EPS (Electric Power Steering) system with the following major components:
| Component | λ Total (FIT) | λS | λSPF | λRF | λMPF,D | λMPF,P | λMPF,L |
|---|---|---|---|---|---|---|---|
| Primary MCU (TC397) | 100 | 30 | 0 | 0.70 | 64.30 | 0 | 5.00 |
| Secondary MCU (TC375) | 60 | 20 | 0 | 0.40 | 36.60 | 0 | 3.00 |
| Torque Sensor (primary) | 50 | 10 | 0 | 0.40 | 37.60 | 0 | 2.00 |
| Torque Sensor (redundant) | 50 | 10 | 0 | 0.40 | 37.60 | 0 | 2.00 |
| Motor Driver (H-bridge) | 80 | 15 | 0 | 0.65 | 60.35 | 2.00 | 2.00 |
| Safety Relay (K1) | 15 | 3 | 0 | 0.12 | 5.88 | 0 | 6.00 |
| Power Supply / Passives | 45 | 12 | 0 | 0.33 | 28.67 | 0 | 4.00 |
| TOTALS | 400 | 100 | 0 | 3.00 | 271.00 | 2.00 | 24.00 |
SPFM Calculation:
SPFM = 1 − (λSPF + λRF) / (λSPF + λRF + λMPF,D + λMPF,P + λMPF,L)
SPFM = 1 − (0 + 3.00) / (0 + 3.00 + 271.00 + 2.00 + 24.00)
SPFM = 1 − 3.00 / 300.00 = 1 − 0.01 = 99.0%
Result: Meets ASIL D target (≥99%) ✓
LFM Calculation:
LFM = 1 − λMPF,L / (λMPF,D + λMPF,P + λMPF,L)
LFM = 1 − 24.00 / (271.00 + 2.00 + 24.00)
LFM = 1 − 24.00 / 297.00 = 1 − 0.0808 = 91.9%
Result: Meets ASIL D target (≥90%) ✓
PMHF Calculation (simplified):
PMHF ≈ λSPF + λRF = 0 + 3.00 = 3.00 FIT
(Dual-point contribution is negligible for this well-designed system.)
Result: Meets ASIL D target (<10 FIT) ✓
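The classification rule of section 5, FMEDA steps 4 to 8 of section 6, the three formulas of sections 7 to 9 and the EPS worked example above, carried through in Python as an added example (it is not the article's own code or an FMEDA tool). The formulas are implemented exactly as the article states them, with safe faults excluded from the denominators, and the component rows are copied from the table above. The `Rates` type, the `classify` helper with its `perceived` parameter, the exposure-time argument of the dual-point term and the rounding to four decimals before the target comparison are assumptions of this example.

```python
"""ISO 26262 hardware-metric calculator (added example, not the article's code)."""
from dataclasses import dataclass

# ASIL targets from section 2 (ASIL A has no quantitative targets).
ASIL_TARGETS = {
    "B": {"SPFM": 0.90, "LFM": 0.60, "PMHF_FIT": 100.0},
    "C": {"SPFM": 0.97, "LFM": 0.80, "PMHF_FIT": 100.0},
    "D": {"SPFM": 0.99, "LFM": 0.90, "PMHF_FIT": 10.0},
}


@dataclass
class Rates:  # failure rate of one element (FIT) split into the six categories
    s: float = 0.0      # lambda_S      safe
    spf: float = 0.0    # lambda_SPF    single-point
    rf: float = 0.0     # lambda_RF     residual
    mpf_d: float = 0.0  # lambda_MPF,D  detected multi-point
    mpf_p: float = 0.0  # lambda_MPF,P  perceived multi-point
    mpf_l: float = 0.0  # lambda_MPF,L  latent multi-point

    def as_tuple(self):
        return (self.s, self.spf, self.rf, self.mpf_d, self.mpf_p, self.mpf_l)

    def __add__(self, other):
        return Rates(*(a + b for a, b in zip(self.as_tuple(), other.as_tuple())))


def classify(lam, unsafe, single_point=True, dc=0.0, perceived=0.0):
    """FMEDA steps 4-6 for one failure mode with failure rate `lam` (FIT).

    unsafe=False       -> the whole rate is a safe fault.
    single_point=True  -> the fault alone can violate the goal: no mechanism (dc == 0)
                          gives a single-point fault; otherwise DC * lam is detected
                          (MPF,D) and the rest is residual (the DC = 90% split of section 5).
    single_point=False -> the fault only matters in combination: DC * lam is detected,
                          a `perceived` share (assumed) of the rest is noticed by the
                          driver and the remainder stays latent.
    """
    if not (0.0 <= dc <= 1.0 and 0.0 <= perceived <= 1.0):
        raise ValueError("dc and perceived must be fractions in [0, 1]")
    if not unsafe:
        return Rates(s=lam)
    detected = dc * lam
    rest = lam - detected
    if single_point:
        return Rates(spf=lam) if dc == 0.0 else Rates(rf=rest, mpf_d=detected)
    return Rates(mpf_d=detected, mpf_p=perceived * rest, mpf_l=(1.0 - perceived) * rest)


def spfm(t):
    """Section 7: 1 - (SPF + RF) / (all non-safe, safety-related rates)."""
    return 1.0 - (t.spf + t.rf) / (t.spf + t.rf + t.mpf_d + t.mpf_p + t.mpf_l)


def lfm(t):
    """Section 8: 1 - MPF,L / (MPF,D + MPF,P + MPF,L)."""
    return 1.0 - t.mpf_l / (t.mpf_d + t.mpf_p + t.mpf_l)


def pmhf_fit(t, dual_point_pairs=()):
    """Section 9: SPF + RF + sum(MPF,L_i * DPF_j * T).  Each pair is
    (lambda_MPF,L_i [FIT], lambda_DPF_j [FIT], exposure time [h]); FIT * FIT * h
    is scaled by 1e-9 so that the product is again a FIT value."""
    dual = sum(l_i * l_j * t_h * 1e-9 for l_i, l_j, t_h in dual_point_pairs)
    return t.spf + t.rf + dual


def evaluate(t, asil, dual_point_pairs=()):
    """Step 8 plus the section 2 target check for ASIL 'B', 'C' or 'D'.  Values are
    rounded to four decimals (two decimals of a percentage) before comparison so that
    a 99.0% built from floating-point sums is not rejected by rounding noise."""
    tgt = ASIL_TARGETS[asil]
    res = {"SPFM": spfm(t), "LFM": lfm(t), "PMHF_FIT": pmhf_fit(t, dual_point_pairs)}
    ok = {
        "SPFM": round(res["SPFM"], 4) >= tgt["SPFM"],
        "LFM": round(res["LFM"], 4) >= tgt["LFM"],
        "PMHF_FIT": round(res["PMHF_FIT"], 4) < tgt["PMHF_FIT"],
    }
    return res, ok


# Section 10 table (FIT): component, S, SPF, RF, MPF_D, MPF_P, MPF_L
EPS_FMEDA = [
    ("Primary MCU (TC397)",       30, 0, 0.70, 64.30, 0.00, 5.00),
    ("Secondary MCU (TC375)",     20, 0, 0.40, 36.60, 0.00, 3.00),
    ("Torque Sensor (primary)",   10, 0, 0.40, 37.60, 0.00, 2.00),
    ("Torque Sensor (redundant)", 10, 0, 0.40, 37.60, 0.00, 2.00),
    ("Motor Driver (H-bridge)",   15, 0, 0.65, 60.35, 2.00, 2.00),
    ("Safety Relay (K1)",          3, 0, 0.12,  5.88, 0.00, 6.00),
    ("Power Supply / Passives",   12, 0, 0.33, 28.67, 0.00, 4.00),
]


def eps_totals():
    """Step 7: sum each category across all components."""
    totals = Rates()
    for _, *cats in EPS_FMEDA:
        totals = totals + Rates(*cats)
    return totals


if __name__ == "__main__":
    res, ok = evaluate(eps_totals(), "D")
    for name in res:
        print(f"{name:9s} {res[name]:.4f}  {'PASS' if ok[name] else 'FAIL'}")
```

Running the script reproduces the three results above (SPFM 0.9900, LFM 0.9192, PMHF 3.0000 FIT, all PASS against ASIL D). A new failure mode is added by appending the `Rates` returned from `classify(...)` to the totals, so the DC split of section 5 is never done by hand.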
11. Interpreting Results – Pass, Fail, and What to Do
If all three metrics meet their ASIL targets, the hardware design passes the quantitative evaluation. If any metric fails, the design must be modified. The most common failure scenarios and their remedies are:
SPFM too low – add or improve safety mechanisms to detect currently undetected single-point failure modes (increase DC for the most significant contributors).
LFM too low – add periodic diagnostic tests (BIST, self-test routines) to detect currently latent multi-point faults.
PMHF too high – reduce the residual fault rate by improving the DC of existing safety mechanisms or by replacing high-failure-rate components with more reliable alternatives.
12. Hardware Metric Budget Allocation Between Elements
For systems with multiple elements (e.g., MCU + sensor + actuator driver + power supply), the system-level PMHF target must be allocated as a budget across elements. For example, an ASIL D system with a 10 FIT PMHF budget might allocate 3 FIT to the MCU, 2 FIT to the sensor, 3 FIT to the actuator driver, and 2 FIT to the power supply. Each element’s FMEDA must demonstrate that its residual failure contribution stays within its allocated budget. For SEooC elements (like safety MCUs), the semiconductor supplier provides its PMHF contribution in the safety manual, and the integrator allocates the remaining budget to the other system elements.
13. How to Improve Metrics That Don’t Meet Targets
To improve SPFM: Identify the largest contributors to λSPF + λRF and add or improve safety mechanisms for those failure modes. Even changing DC from “Low” (60%) to “Medium” (90%) on a few high-FIT components can dramatically improve SPFM.
To improve LFM: Identify the largest contributors to λMPF,L and implement periodic diagnostic tests. On-chip BIST (for MCUs), periodic ADC self-test, communication alive monitoring, and relay functional test routines convert latent faults to detected faults.
To improve PMHF: Reduce single-point and residual fault contributions. This may require architectural changes – adding redundant paths, upgrading safety mechanisms, or replacing high-FIT components with lower-FIT alternatives.
14. Using FTA for PMHF Calculation
While FMEDA is the most common method, Quantitative FTA can also be used to calculate PMHF. The FTA approach models the safety goal violation as the top event and calculates its probability using the failure rates of basic events (component failures) and the logical structure (AND/OR gates) of the fault tree. FTA is particularly valuable for complex architectures where the interaction between multiple failure paths is important, and for verifying the FMEDA results through an independent calculation method. For ASIL D systems, using both FMEDA and FTA provides the strongest evidence.
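The FTA route to PMHF described above, as an added example in Python (not the article's code). Basic events carry failure rates in FIT, gates combine the probability that each event occurs within the mission time T, and the top-event probability divided by T is the average violation rate, which is PMHF in FIT. The tree is a constructed EPS illustration: each residual fault rate from the section 10 table is a single-point path into the top event, and one AND gate pairs the latent relay K1 fault with a detected H-bridge fault whose shut-off is assumed to depend on that relay. The lifetime of 10,000 h and the assumption that the latent fault persists for the whole lifetime (no periodic relay test, matching the Tlifetime form of the section 9 formula) are also assumptions.

```python
"""PMHF from a quantitative fault tree (section 14), added example."""
import math

FIT = 1e-9  # one FIT is one failure per 1e9 hours


class Basic:
    """Basic event with constant failure rate: P(T) = 1 - exp(-lambda * T)."""
    def __init__(self, name, fit):
        self.name, self.fit = name, fit

    def prob(self, t_h):
        return 1.0 - math.exp(-self.fit * FIT * t_h)


class And:
    """All inputs must have failed (independent events): product of probabilities."""
    def __init__(self, *inputs):
        self.inputs = inputs

    def prob(self, t_h):
        return math.prod(g.prob(t_h) for g in self.inputs)


class Or:
    """Any failed input is enough: 1 - product of the survival probabilities."""
    def __init__(self, *inputs):
        self.inputs = inputs

    def prob(self, t_h):
        return 1.0 - math.prod(1.0 - g.prob(t_h) for g in self.inputs)


# Residual fault rates (FIT) copied from the section 10 table.
RESIDUALS = [("Primary MCU", 0.70), ("Secondary MCU", 0.40), ("Torque sensor 1", 0.40),
             ("Torque sensor 2", 0.40), ("H-bridge", 0.65), ("Relay K1", 0.12),
             ("Power supply", 0.33)]


def eps_dual_point_path():
    """Constructed dual-point path: latent relay fault AND a detected H-bridge fault."""
    return And(Basic("Relay K1 latent", 6.00), Basic("H-bridge fault, detected", 60.35))


def eps_tree():
    """Top event 'safety goal violated' = OR(all residual faults, dual-point path)."""
    single_point_paths = [Basic(f"{name} residual", fit) for name, fit in RESIDUALS]
    return Or(*single_point_paths, eps_dual_point_path())


def pmhf_fit(tree, t_lifetime_h):
    """Average rate of the top event over the lifetime, expressed in FIT."""
    return tree.prob(t_lifetime_h) / t_lifetime_h / FIT


if __name__ == "__main__":
    T = 10_000.0  # assumed vehicle operating lifetime in hours
    print(f"PMHF from FTA: {pmhf_fit(eps_tree(), T):.4f} FIT  (FMEDA: 3.00 FIT)")
    print(f"dual-point contribution alone: {pmhf_fit(eps_dual_point_path(), T):.5f} FIT")
```

The independent calculation lands within a few thousandths of a FIT of the FMEDA result, and it puts a number on the dual-point term that section 10 dismissed as negligible: a few milli-FIT against a 10 FIT ASIL D budget. A fault tree whose PMHF diverged from the FMEDA would point at a modelling disagreement worth resolving before the safety case is signed off.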
15. The EEC Method – Alternative to PMHF
ISO 26262 Part 5 provides an alternative to PMHF called EEC (Evaluation of Each Cause). Instead of calculating a single aggregate probability, EEC evaluates each individual failure cause separately against failure rate targets. Each single-point fault, each residual fault, and each dual-point fault combination is individually assessed. EEC can be useful when the system has a small number of dominant failure contributors, but for most automotive systems, PMHF is the more commonly used method.
16. Common Mistakes and How to Avoid Them
Mistake 1: Evaluating metrics per-component instead of per-safety-goal. SPFM, LFM, and PMHF must be evaluated at the item level for each safety goal. A component contributes to the system metrics, but “component SPFM” alone is not meaningful for ISO 26262 compliance.
Mistake 2: Claiming high DC without evidence. Diagnostic coverage values must be justified – not assumed. Each DC claim requires documented evidence (analysis, simulation, or test) of the safety mechanism’s effectiveness.
Mistake 3: Ignoring safe faults in the total failure rate accounting. Safe faults (λS) are correctly excluded from the SPFM and LFM calculations. Failing to identify safe faults inflates the denominator and artificially depresses the metrics.
Mistake 4: Using optimistic failure rates. Using failure rates that are too low produces artificially good metrics that do not reflect real-world reliability. Use credible sources and apply appropriate derating factors.
Mistake 5: Not accounting for failure modes of safety mechanisms. The safety mechanism hardware itself can fail. These failure modes must be included in the FMEDA – the safety mechanism’s failure typically appears as a latent multi-point fault.
Mistake 6: After ASIL decomposition, using decomposed ASIL metric targets. Hardware metrics use the original (pre-decomposition) ASIL targets. ASIL B(D) still requires 99% SPFM at the system level.
17. Frequently Asked Questions
Q1: What is a FIT?
FIT = Failures In Time = 1 failure per 10⁹ (one billion) device-hours. Equivalently, 1 FIT = 1 failure per 114,155 years. A component with 100 FIT has a 0.01% probability of failure per year.
Q2: Are SPFM, LFM, and PMHF required for ASIL A?
No. ASIL A has no explicit quantitative hardware metric targets. Only qualitative hardware development requirements apply. Hardware metrics become applicable (recommended) at ASIL B and required at ASIL C and D.
Q3: Can software failures contribute to PMHF?
No. PMHF is exclusively for random hardware failures. Software failures are systematic (not random) and are addressed through the Part 6 software development methods, not through probabilistic metrics. However, if a software safety mechanism is relied upon to detect hardware faults (contributing to DC), the software must be developed to the appropriate ASIL to be credible.
Q4: What is a typical failure rate for a modern automotive MCU?
Typical failure rates for automotive-grade MCUs range from 50 to 200 FIT depending on the device complexity, package type, and die size. Safety MCU suppliers provide specific FIT values and failure mode distributions in their safety manuals.
Q5: How does ASIL decomposition affect hardware metrics?
It does not change the metric targets. As explained in our ASIL Decomposition guide, the hardware metric targets remain at the original (pre-decomposition) ASIL. The metrics are evaluated for the complete system architecture.
18. Conclusion
The three hardware architectural metrics – SPFM, LFM, and PMHF – provide the quantitative backbone of ISO 26262 hardware safety evaluation. SPFM ensures that single-point failures are adequately covered by safety mechanisms. LFM ensures that latent faults (which could combine with future faults to create danger) are detected. PMHF ensures that the overall probability of a safety goal violation due to random hardware failures is acceptably low. Together with the qualitative FMEA/FTA analysis, these metrics form the complete hardware safety evidence for the safety case.
This article is part of our comprehensive ISO 26262 series at PiEmbSysTech. For Part 5 coverage, see Part 5 – Hardware Development. For ASIL fundamentals, see ASIL Levels Explained.
Stay safe. Stay quantitative. Keep engineering the future.
— The PiEmbSysTech Team