AM2634-Q1: Why is the safety mechanism "program sequence monitoring" optional and not primary?

Part Number: AM2634-Q1


Hi BU experts, 

As shown in the safety manual, the R5F-CPU1E program sequence monitoring is an optional safety mechanism. The customer wants to know why it is not primary. They also want to know the logic behind the terms 'primary', 'dominant', 'supplementary' and 'optional', i.e. what the DC is for each type and how a safety mechanism is assigned to one of these four types.

Regards, 

Will 

  • Hi BU experts, 

    any feedback? 

  • R5F-CPU1E is "optional" because this is a "high bar" for the system integrator to meet. Please refer to Table D.8 in ISO 26262-5:2018 (copy/pasted below) for reference. The typical coverage achievable is "medium", i.e. ≥ 90%, and it only provides coverage for certain types of faults. All of these are addressed by R5F.CPU1A (i.e., lock-step compare), which is listed as the "primary" safety mechanism to provide high DC (i.e., ≥ 99%) for the R5F CPU sub-system.

    Question:

    And they want to know the logic behind terms of 'primary', 'dominant', 'supplementary' and 'optional', i.e. what is the DC for each types and how you divide one safety mechanism into the above 4 types?

    Answer: Please refer to Table 5.1 in the AM2634-Q1 Functional Safety Manual. The rationale for "Primary", "dominant", "supplementary" and "optional" is outlined.

    • When an IP has a "primary" safety mechanism, it should be used, as it provides the majority of the DC.
    • If an IP doesn't have a "primary" safety mechanism, then the "dominant" and applicable "supplementary" safety mechanisms should be used, as they will provide the majority of the DC.
      • For IPs that have both a "primary" and a "dominant" safety mechanism, the system integrator may apply their judgement to invoke the "primary" safety mechanism and not the "dominant".
    • "Optional" safety mechanisms are the only ones that the system integrator has the flexibility to choose to implement based on their system-level HARA criteria.
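To make the "only covers certain types of faults" point in the answer above concrete, here is an added illustration (not code from the TI safety manual, the AM2634-Q1 SDK, or either poster) of what a software program sequence monitor does and does not catch. The checkpoint names, the toy control cycle, the injected faults and the redundant-compute compare that stands in for the hardware lock-step compare are all constructed for this example. The monitor records that a fixed sequence of checkpoints is reached, in order, once per cycle; a skipped or re-ordered step is flagged, while a corrupted data value that leaves the control flow intact passes unnoticed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Checkpoints of one control cycle. Names and order are constructed for
 * this example; they are not taken from the AM2634-Q1 safety manual. */
enum { CP_READ_INPUTS = 1, CP_COMPUTE = 2, CP_CHECK_LIMITS = 3, CP_WRITE_OUTPUTS = 4 };

static const uint8_t expected_seq[] = { CP_READ_INPUTS, CP_COMPUTE, CP_CHECK_LIMITS, CP_WRITE_OUTPUTS };
#define SEQ_LEN (sizeof expected_seq / sizeof expected_seq[0])

typedef struct {
    size_t next;      /* index into expected_seq of the checkpoint expected next */
    bool   violated;  /* sticky: set on the first skipped, repeated or unknown checkpoint */
} psm_t;

void psm_start(psm_t *m) { m->next = 0; m->violated = false; }

/* Called by the monitored code at each checkpoint. */
void psm_checkpoint(psm_t *m, uint8_t cp)
{
    if (m->violated) return;
    if (m->next >= SEQ_LEN || expected_seq[m->next] != cp) {
        m->violated = true;          /* out-of-order, repeated or unexpected step */
        return;
    }
    m->next++;
}

/* Called at the end of the cycle: every checkpoint must have been hit, in order. */
bool psm_end(psm_t *m)
{
    if (m->next != SEQ_LEN) m->violated = true;   /* cycle ended before the last step */
    return !m->violated;
}

/* Feed an observed checkpoint trace through the monitor; true if it is accepted. */
bool psm_check_trace(const uint8_t *trace, size_t n)
{
    psm_t m;
    psm_start(&m);
    for (size_t i = 0; i < n; i++) psm_checkpoint(&m, trace[i]);
    return psm_end(&m);
}

typedef struct { bool seq_ok; int output; } cycle_result_t;

/* A toy control cycle with two fault-injection switches (constructed):
 *  skip_limit_check - control-flow fault: the limit-check step is never executed
 *  corrupt_compute  - data fault: a bit flips in an intermediate value while
 *                     every checkpoint is still reached in the right order */
cycle_result_t run_cycle(int input, bool skip_limit_check, bool corrupt_compute)
{
    psm_t m;
    psm_start(&m);

    psm_checkpoint(&m, CP_READ_INPUTS);
    int x = input;

    psm_checkpoint(&m, CP_COMPUTE);
    int y = x * 2;
    if (corrupt_compute) y ^= 0x40;  /* injected data fault: control flow unchanged */

    if (!skip_limit_check) {
        psm_checkpoint(&m, CP_CHECK_LIMITS);
        if (y > 100) y = 100;
    }

    psm_checkpoint(&m, CP_WRITE_OUTPUTS);

    cycle_result_t r = { psm_end(&m), y };
    return r;
}

/* The same data fault as seen by a redundant-execution compare: compute twice,
 * inject the fault into one copy, and compare. This is a software stand-in for
 * a hardware lock-step compare, not a model of the R5F lock-step logic itself. */
bool compare_detects(int input, bool corrupt_one_copy)
{
    int a = input * 2;
    int b = input * 2;
    if (corrupt_one_copy) b ^= 0x40;
    return a != b;
}

int main(void)
{
    cycle_result_t ok   = run_cycle(10, false, false);
    cycle_result_t skip = run_cycle(10, true,  false);
    cycle_result_t data = run_cycle(10, false, true);
    printf("nominal:      seq_ok=%d output=%d\n", ok.seq_ok,   ok.output);
    printf("skipped step: seq_ok=%d output=%d\n", skip.seq_ok, skip.output);
    printf("data fault:   seq_ok=%d output=%d\n", data.seq_ok, data.output);
    printf("redundant compare sees the data fault: %d\n", compare_detects(10, true));
    return 0;
}
```

The skipped limit check is caught because the checkpoint trace no longer matches; the flipped bit in the computed value is not, because the trace is identical to the nominal one. That is the gap a sequence monitor leaves on its own and the reason a mechanism that compares the computation itself is the one carrying the high DC.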
  • Thanks for your answer, Bharat.