An Integrated Failure and Threat Mode and Effect Analysis (FTMEA) Framework with Quantified Cross-Domain Correlation Factors for Automotive Semiconductors

Imagine you are building a high-tech, self-driving car. To make sure this car is safe, you have two different teams of experts working on it:

The Safety Team: Their job is to make sure the car doesn't break down on its own. They worry about things like a wire fraying, a sensor getting dusty, or a computer chip overheating. They use a checklist called FMEA (Failure Mode and Effects Analysis) to ask, "What if this part breaks?"
The Security Team: Their job is to make sure hackers can't take over the car. They worry about someone hacking the Wi-Fi, sending fake commands, or stealing data. They use a different checklist called TARA (Threat Analysis and Risk Assessment) to ask, "What if a bad guy attacks this?"

The Problem: Two Teams, One Car, No Conversation

In the past, these two teams worked in separate silos. The Safety Team checked for broken wires, and the Security Team checked for hackers. They rarely talked to each other.

Here is the danger: What if a hacker pretends to be a broken wire? Or what if a safety feature (like an automatic brake) accidentally creates a backdoor for a hacker?

If the teams don't talk, they might miss these "cross-domain" risks. They might think a risk is low because the Safety Team says "it's hard to break," while the Security Team says "it's hard to hack," but they don't realize that combining a specific hack with a specific hardware glitch creates a disaster.

The Solution: The "FTMEA" Framework

This paper introduces a new method called FTMEA (Integrated Failure and Threat Mode and Effect Analysis). Think of it as a universal translator that forces the Safety and Security teams to speak the same language and look at the car as one single, connected system.

Here is how it works, using simple analogies:

1. The "Correlation Factor" (The Overlap Map)

Imagine you have a Venn diagram.

Circle A is "Things that break on their own."
Circle B is "Things a hacker can break."

Usually, people just look at the circles separately. This paper introduces a Cross-Domain Correlation Factor (CDCF). This is like a heat map that shows exactly where the circles overlap.

Low Overlap (0%): A hacker can't easily cause a hardware wire to snap.
High Overlap (100%): A hacker sending a specific signal can trick a safety sensor into thinking it's broken.

The authors don't just guess this overlap; they use math and computer simulations (looking at the "blueprints" of the chip) to calculate a precise number for how much these two worlds influence each other.

2. The "Super Score" (The New Risk Calculator)

Traditionally, teams calculate a Risk Priority Number (RPN). It's like a school grade for risk:

Severity: How bad is the crash? (1 to 10)
Occurrence: How likely is it to happen? (1 to 10)
Detection: How likely are we to catch it before it happens? (1 to 10)
RPN = Severity × Occurrence × Detection

The Problem: If the Safety Team says "Occurrence is low" and the Security Team says "Detection is high," the RPN looks safe. But they missed the fact that a hacker could make the occurrence high.

The Fix: The FTMEA framework adds a multiplier to the Occurrence and Detection scores based on the "Heat Map" (the CDCF).

If a security measure accidentally makes a safety sensor harder to detect a fault, the "Detection" score goes down (worse).
If a security lock makes it harder for a hacker to cause a glitch, the "Occurrence" score goes down (better).

This creates a New, Honest Score that reflects the reality of a connected world.

3. The Real-World Test: The "Configuration Register"

To prove this works, the authors tested it on a specific part of a car chip called a Configuration Register.

What it does: It holds the settings for the car's sensors (like how sensitive the brakes are).
The Risk: If a hacker changes these settings, the car might think it's driving at 10 mph when it's actually doing 100 mph.
The Result: Using their new method, they found that a specific security lock (a "key" to prevent changes) actually helped the safety team detect errors faster. Because of this, they realized they didn't need to build extra safety sensors. They saved money and time because they understood how the security lock helped the safety system.

Why This Matters

Before this paper, companies were like two people trying to build a house: one was checking the roof for rain, and the other was checking the locks for burglars. They didn't realize that a burglar could use a rain leak to climb in.

This new framework:

Connects the dots: It shows exactly how a cyberattack can cause a physical crash, and vice versa.
Saves money: It stops teams from building unnecessary safety features because they realize a security feature already covers that risk.
Makes cars safer: It ensures that the "Safety" and "Security" teams are working together to stop the real threats, not just the ones they can see from their own isolated viewpoints.

In short, it's about realizing that in a modern car, a broken wire and a hacked computer are often the same problem, and we need a single, smart way to solve them both.

Here is a detailed technical summary of the paper "An Integrated Failure and Threat Mode and Effect Analysis (FTMEA) Framework with Quantified Cross-Domain Correlation Factors for Automotive Semiconductors."

1. Problem Statement

The automotive industry faces a critical challenge in managing the convergence of Functional Safety (FuSa) and Cybersecurity.

The Silo Problem: Traditionally, FuSa (governed by ISO 26262) and Cybersecurity (governed by ISO/SAE 21434) are analyzed in isolation using distinct methodologies (e.g., FMEA for safety, TARA for security).
The Gap: This separation fails to capture synergistic vulnerabilities where a cyberattack compromises safety, or a safety mechanism inadvertently creates a security vulnerability.
Limitations of Existing Methods: Current co-analysis approaches (e.g., FMVEA, FVMEARA) are largely qualitative, relying on expert judgment without rigorous mathematical quantification. They lack a traceable, reproducible mechanism to model the bidirectional influence between failure modes and threat modes, leading to suboptimal risk prioritization and overlooked cross-domain hazards.

2. Methodology: The FTMEA Framework

The authors propose the Integrated Failure and Threat Mode and Effect Analysis (FTMEA) framework, which systematically co-analyzes FuSa and cybersecurity through a structured, quantitative process.

A. Core Concept: Cross-Domain Correlation Factors (CDCFs)

The cornerstone of the framework is the introduction of CDCFs, which quantify the interdependencies between:

Functional Safety Failure Modes (FMs).
Cybersecurity Threat Modes (TMs).
Their respective countermeasures (Prevention and Detection).

Derivation of CDCFs:
CDCFs are not arbitrary; they are derived via a three-pronged approach:

Structured Expert Elicitation: Leveraging domain knowledge.
Static Structural Analysis: Using metrics like Cone of Influence (COI) and Controllability/Observability (derived from gate-level netlists using techniques like SCOAP).
- Example: If a security lock mechanism reduces the controllability of a register from an attack vector, it positively impacts safety by reducing fault propagation.
Empirical Validation: Validating derived values against data from fault/attack injection campaigns.

The CDCF values range from -1 (negative impact) to 1 (positive impact), representing the degree to which a measure in one domain influences the other.

B. Modified Risk Priority Number (RPN) Calculation

The framework enhances the traditional RPN ( $RPN = O \times S \times D$ ) by integrating CDCFs into the Occurrence (O) and Detection (D) ratings.

Mathematical Formulation:
The corrected Occurrence ( $O_{corr}$ ) and Detection ( $D_{corr}$ ) are calculated by adjusting the baseline values based on the sum of correlation factors ( $C_{ij}$ ) from relevant countermeasures:
$O_{corr} = \text{floor}(O - \sum C_{ij}) \quad \text{and} \quad D_{corr} = \text{floor}(D - \sum C_{ij})$
(Values are clamped between 1 and 10 to maintain the standard FMEA ordinal scale.)
Rescaling: A systematic rescaling procedure maps the continuous calculated values back to the discrete 1–10 FMEA scale, ensuring the results remain compatible with existing industry workflows while eliminating the ambiguity of arbitrary truncation.

C. Operational Workflow

Initiate: Define system boundaries and critical functions.
Identify: List FMs and TMs and their common adverse effects.
Derive CDCFs: Calculate correlation factors using structural analysis and expert input.
Calculate: Compute the modified RPN using the enhanced $O_{corr}$ and $D_{corr}$ .
Prioritize: Rank risks and develop integrated mitigation strategies.

3. Key Contributions

Quantified CDCFs: The paper introduces a rigorous, mathematically defined method to quantify cross-domain correlations, moving beyond qualitative "expert judgment" to verifiable numerical values based on structural metrics (e.g., gate counts, logic overlap).
Mathematically Robust RPN Enhancement: A new calculation method that integrates CDCFs into Occurrence and Detection, featuring a transparent rescaling mechanism to the 1–10 scale.
Operationalized Methodology: Clear definitions and steps for integrating FuSa and security throughout the analysis lifecycle.
Empirical Validation: The framework is tested against a baseline FMEA/TARA using a real-world case study, providing explicit mapping tables and quantitative justification for the derived values.

4. Case Study Results

The framework was applied to an Automotive Application Specific Integrated Circuit (ASIC) configuration register, a critical component storing calibration parameters.

Scenario: The register is susceptible to "Unintended write operations" (Safety FM) and "Unauthorized modification" (Security TM).
Analysis:
- A security countermeasure (Register Lock) was analyzed for its impact on safety.
- Structural Analysis: Using SCOAP, the authors quantified how the lock mechanism reduces the controllability of the register from an attack vector, thereby also reducing the probability of random fault propagation.
- CDCF Derivation: The lock mechanism was assigned a positive CDCF value because it simultaneously prevents the threat and reduces the occurrence of the safety failure.
Outcome:
- Revised RPN: The modified RPN for specific failure modes (FM2, FM3) decreased significantly due to the synergistic benefit of the security measure on safety detection/occurrence.
- Resource Optimization: The analysis revealed that certain risks were overestimated in traditional siloed analyses. The integrated view allowed the team to reduce unnecessary mitigation efforts on risks that were already effectively covered by cross-domain countermeasures.
- Quantitative Evidence: The shift in RPN was directly traceable to the structural analysis metrics, validating the framework's ability to model real-world interactions.

5. Significance and Impact

Unified Risk Assessment: Provides a single, traceable methodology for assessing risks that span both safety and security domains, overcoming the fragmentation of current practices.
Optimized Design: Enables engineers to identify "win-win" countermeasures that satisfy both safety and security requirements, reducing development costs and complexity.
Standard Alignment: Facilitates compliance with both ISO 26262 and ISO/SAE 21434 by providing a structured way to handle their interactions, addressing a known gap in current standards.
Future-Proofing: The framework supports distributed development across disciplines by offering a common quantitative language for risk, essential for complex, autonomous vehicle systems.

Limitations & Future Work:
The authors acknowledge that deriving accurate CDCFs requires significant resources (expert time, structural analysis tools, and injection campaigns). Future work aims to apply the method to more complex use cases, compare structural analysis results with dynamic simulations, and explore the use of AI/ML to automate the derivation of correlation factors.