Vehicle Fails to Stop — Brake System Fault Tree
A reference fault tree for a passenger vehicle failing to stop within the required distance due to brake system failure. Aligned to ISO 26262 ASIL-D and the type-approval requirements of ECE Regulation 13.
The scenario
A passenger vehicle in service braking is required to decelerate at the rate prescribed by ECE R13 / FMVSS 135. The top event of this fault tree is insufficient stopping performance leading to a collision the driver could otherwise have avoided. Braking is an ASIL-D function under ISO 26262 because the severity (S3, life-threatening injury), exposure (E4, present on essentially every drive) and controllability (C3, difficult or impossible to control) of a loss of braking combine to the highest classification. The consequence is a quantitative target as well as a qualitative one: the hardware must stay below the ASIL-D PMHF target of 10⁻⁸ failures per hour, and any residual failure must degrade to a state the driver can still control.
Top event and decomposition
The top OR gate captures three failure pathways, modelled as independent:
- Service brake hydraulic failure: master cylinder leak, line rupture, dual-circuit loss (modelled as the AND of two independent circuits, since either circuit alone retains residual braking).
- ABS/ESC intervention failure: wheel-speed sensor loss, hydraulic modulator stuck-closed, or an ECU fault that leaves the modulator unable to release a locking wheel.
- Secondary brake loss: electronic parking brake (EPB) actuator failure when commanded as emergency backup, or, on brake-by-wire variants, the driver's pedal demand not reaching the actuators.
Each branch decomposes to leaf failure modes with λ rates from SN 29500 / IEC 62380 component data (IEC 62380 has been withdrawn and its content folded into IEC 61709, so check which edition your rate source cites). The dual-circuit AND gate is critical: it's why a single hose burst is a degraded state rather than the top event. It only holds while the two circuits are genuinely independent, so shared elements such as the fluid reservoir, fluid contamination or a common supply must be carried as common-cause events in the dependent-failure analysis rather than assumed away.
Standards alignment
ISO 26262-9 Clause 8 requires that ASIL-D safety goals be supported by both inductive (FMEA) and deductive (FTA) analyses, and ISO 26262-5 sets the ASIL-D hardware targets those analyses feed: a single-point fault metric of at least 99 %, a latent-fault metric of at least 90 % and a PMHF below 10⁻⁸ per hour. In cut-set terms, every single-element minimal cut set is a single-point fault that needs either a safety mechanism or an explicit justification. ECE R13 imposes a separate type-approval requirement: a secondary braking system and a prescribed residual performance after a single failure in the service-brake transmission. This template's two-circuit AND structure on the hydraulic branch is the standard way of demonstrating both at once, provided the dependent-failure analysis (ISO 26262-9 Clause 7) shows the two circuits share no common-cause mode.
Use this template
Open the tree in FTA Studio (browser-only, no install), tune failure rates to your own component-test data, run MOCUS to find minimal cut sets (single-element cut sets are your single-point fault list), and verify the summed cut-set rate against the ASIL-D PMHF target of < 10⁻⁸ /h. Export to IEC JSON or printable PDF for your hardware safety case.
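As an added worked example (not FTA Studio's code and not the template's exported tree), the following Python implements the MOCUS expansion and the cut-set quantification that the decomposition and "Use this template" sections describe, on a tree with the same gate shape: OR at the top, AND across the two hydraulic circuits. The leaf names, the failure rates, the HYD_CCF common-cause leaf and the latent-exposure times are assumptions chosen for illustration; substitute your own λ data.

```python
"""MOCUS-style minimal cut set extraction and rare-event quantification for
the brake fault tree sketched on this page.  The gate shape follows the text
(OR at the top, AND across the two hydraulic circuits); leaf names, failure
rates and the common-cause leaf are illustrative assumptions, not data from
FTA Studio or any component database."""
from itertools import product

# Gate table: name -> (gate type, children).  Any child not listed here is a
# basic event (leaf).  ASSUMED structure built for this example.
GATES = {
    "TOP":   ("OR",  ["HYD", "ABS", "SEC"]),
    "HYD":   ("OR",  ["DUAL", "HYD_CCF"]),   # HYD_CCF: assumed common-cause leaf
    "DUAL":  ("AND", ["CIRC1", "CIRC2"]),    # both circuits must be lost
    "CIRC1": ("OR",  ["MC1_LEAK", "LINE1_RUPTURE"]),
    "CIRC2": ("OR",  ["MC2_LEAK", "LINE2_RUPTURE"]),
    "ABS":   ("OR",  ["WSS_LOSS", "MOD_STUCK", "ABS_ECU"]),
    "SEC":   ("OR",  ["EPB_ACT", "PEDAL_ROUTE"]),
}

# ASSUMED constant failure rates, failures per hour (placeholders only).
LAMBDA = {
    "MC1_LEAK": 2e-6, "LINE1_RUPTURE": 5e-6,
    "MC2_LEAK": 2e-6, "LINE2_RUPTURE": 5e-6,
    "HYD_CCF": 5e-10,
    "WSS_LOSS": 2e-9, "MOD_STUCK": 1e-9, "ABS_ECU": 1e-9,
    "EPB_ACT": 1e-9, "PEDAL_ROUTE": 5e-10,
}

ASIL_D_PMHF = 1e-8  # ISO 26262-5 target, failures per hour


def expand(event):
    """Top-down MOCUS expansion: return every cut set (frozenset of leaves)
    under `event`.  OR gates concatenate their children's cut sets; AND gates
    take the cross product and union each combination."""
    if event not in GATES:
        return [frozenset([event])]
    kind, children = GATES[event]
    child_sets = [expand(child) for child in children]
    if kind == "OR":
        return [cs for sets in child_sets for cs in sets]
    if kind == "AND":
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate type {kind!r}")


def minimal_cut_sets(top="TOP"):
    """Apply absorption: drop any cut set that strictly contains another."""
    sets = set(expand(top))
    return sorted(
        (cs for cs in sets if not any(other < cs for other in sets)),
        key=lambda cs: (len(cs), sorted(cs)),
    )


def cut_set_rate(cut_set, exposure_hours, rates=LAMBDA):
    """Rare-event contribution of one cut set to the top-event rate.
    A single-leaf set contributes its lambda directly.  A multi-leaf set
    contributes prod(lambda_i) * t^(n-1): the first failure must stay latent
    for `exposure_hours` before the remaining failures complete the set."""
    rate = 1.0
    for leaf in cut_set:
        rate *= rates[leaf]
    return rate * exposure_hours ** (len(cut_set) - 1)


def top_event_rate(cut_sets, exposure_hours, rates=LAMBDA):
    """Sum of cut set contributions (rare-event approximation)."""
    return sum(cut_set_rate(cs, exposure_hours, rates) for cs in cut_sets)


def ranked_contributions(cut_sets, exposure_hours, rates=LAMBDA):
    """Cut sets ordered by contribution, highest first, with each one's
    share of the top-event rate."""
    total = top_event_rate(cut_sets, exposure_hours, rates)
    rows = [(cut_set_rate(cs, exposure_hours, rates), cs) for cs in cut_sets]
    rows.sort(key=lambda r: -r[0])
    return [(sorted(cs), rate, rate / total) for rate, cs in rows]


def meets_asil_d(cut_sets, exposure_hours, target=ASIL_D_PMHF):
    """True when the estimated top-event rate is below the PMHF target."""
    return top_event_rate(cut_sets, exposure_hours) < target


if __name__ == "__main__":
    mcs = minimal_cut_sets()
    singles = [cs for cs in mcs if len(cs) == 1]
    print(f"{len(mcs)} minimal cut sets, {len(singles)} single-point faults")
    for hours in (10.0, 100.0):   # latent exposure of a first circuit loss
        rate = top_event_rate(mcs, hours)
        verdict = "PASS" if meets_asil_d(mcs, hours) else "FAIL"
        print(f"exposure {hours:>5.0f} h: {rate:.2e} /h -> {verdict}")
    for leaves, rate, share in ranked_contributions(mcs, 100.0)[:3]:
        print(f"  {share:5.1%}  {rate:.2e}  {' AND '.join(leaves)}")
```

With the assumed numbers the tree yields ten minimal cut sets, six of them single-point (the common-cause leaf among them), and the verdict flips from PASS to FAIL as the assumed latent exposure of a first circuit loss grows from 10 h to 100 h, because the AND gate's contribution scales with the time the first failure goes unnoticed. That is the practical point behind the dual-circuit structure: how quickly a single-circuit loss is detected and flagged to the driver is itself a safety parameter, and the common-cause leaf sits in the single-point list no matter how good the two circuits look individually.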