Achieving An ASIL-C Safety Architecture

An integrated safety workflow can reduce costly iterations around fault simulation.


By Ann Keffer, Jyothy Melaedavattil Jaganathan, and Arun Gogineni

The ISO 26262 standard offers a structured framework for managing functional safety across the entire development lifecycle of automotive electronic systems—from specification and design to implementation, integration, verification, validation, and production release. It emphasizes the importance of meeting specific random hardware failure rate (RHFR) targets for each of the three automotive safety integrity levels (ASIL) and provides a comprehensive methodology for evaluating, mitigating, and validating random hardware failures. By addressing all development phases, ISO 26262 ensures a rigorous and systematic approach to functional safety.

Its impact on the automotive industry has been both beneficial and challenging. While it has led to safer, more reliable products, it has also increased development costs, created market entry barriers for smaller IP vendors, and reshaped relationships among Tier 1 and Tier 2 suppliers and OEMs. From an engineering perspective, designing ICs/SoCs for automotive applications now involves greater complexity, stricter safety architecture requirements, more intensive verification, cross-disciplinary coordination, extended development timelines, and extensive documentation for certification.

For ASIL-D, diagnostic coverage (DC) is often achieved through duplication techniques like CPU lock-step, which, while effective, significantly increases area and cost. In contrast, ASIL-C targets can be met with less area overhead using a variety of safety mechanisms. ASIL-C requires achieving at least 97% single point fault metric (SPFM) and 80% latent fault metric (LFM), as outlined in Table 1. Development processes must also be fully traceable—from architecture through implementation to test results. Ultimately, ASIL-C is about ensuring the chip is safe, and demonstrably so, through robust architecture, disciplined processes, and thorough validation.

Table 1. Hardware failure metrics (ISO 26262-5)

ASIL level   SPFM (%)   LFM (%)   PMHF (FIT)
ASIL-B       ≥ 90       ≥ 60      ≤ 100
ASIL-C       ≥ 97       ≥ 80      ≤ 10
ASIL-D       ≥ 99       ≥ 90      ≤ 1

Solution overview

Siemens provides an integrated set of functional safety (FuSa) tools to address challenges for each part of the safety workflow and for each engineering role.

  • Polarion and Jama: These tools facilitate the creation of work products necessary for ISO 26262 certification, ensuring all documentation and safety analysis are properly managed and integrated into the workflow.
  • Questa One VIQ Compliance Advisor (Compliance Advisor): This tool is used to create or import detailed failure mode effects and diagnostic analysis (FMEDA), which helps identify critical areas that need attention during the design and verification stages.
  • Questa One Safety Analyzer (Safety Analyzer): Invoked from the VIQ Compliance Advisor or in batch mode, this tool calculates early-stage ASIL metrics and generates optimized fault lists for fault campaigns, streamlining the certification process.
  • Questa One Sim FX (Questa FX): Questa FX is a powerful fault simulator that injects faults and simulates their effects to ensure designs meet the rigorous requirements outlined in the ISO 26262 standard.
  • FuSa Database: All data from the safety tools are stored in the FuSa database, ensuring consistency and integrity across the entire safety workflow. This central repository allows for efficient tracking and management of safety-related information throughout the chip development process.
  • Visualizer Debug: This advanced tool debugs multiple undetected or unobserved faults simultaneously rather than one at a time, improving metrics and saving engineering cost.

The Questa One safety workflow proceeds as follows:

  1. Initial Analysis: Use Safety Analyzer to perform what-if analysis and explore the base failure in time (FIT) rate and initial safety metrics.
  2. Architecture Optimization: Iterate with Safety Analyzer to refine the safety architecture and identify the optimal path to meet ASIL-C requirements.
  3. Fault List Generation: Generate targeted fault lists using Safety Analyzer for use in fault injection campaigns.
  4. Fault Injection and Simulation: Use Questa FX to inject faults and run simulations based on the optimized fault lists.
  5. Metric Validation: Feed the fault simulation results back into Safety Analyzer to compute validated safety metrics.
  6. ASIL-C Compliance Check: Confirm that the IP meets ASIL-C targets, including required diagnostic coverage and traceability from architecture to test results.

This flow ensures a disciplined, metrics-driven approach to achieving and validating ASIL-C safety levels.
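To make steps 1 and 2 of the workflow concrete, here is an added example (not Siemens tooling or output from the article) that computes SPFM and LFM from a small, constructed FMEDA using the ISO 26262-5 formulas, checks them against the Table 1 targets, and runs one what-if: swapping SRAM parity for ECC and adding startup BIST latent coverage. The element names, FIT values and coverage figures are all assumptions; PMHF is omitted because it also depends on exposure times.

```python
from dataclasses import dataclass, replace

# SPFM and LFM thresholds from Table 1 (ISO 26262-5), as fractions.
ASIL_TARGETS = {"ASIL-B": (0.90, 0.60), "ASIL-C": (0.97, 0.80), "ASIL-D": (0.99, 0.90)}


@dataclass(frozen=True)
class Element:
    name: str
    fit: float     # base failure rate in FIT (failures per 1e9 device-hours); constructed value
    safe: float    # fraction of faults that cannot violate the safety goal (safe faults)
    dc_spf: float  # diagnostic coverage vs. residual faults; 0.0 means no safety mechanism
    dc_lf: float   # diagnostic coverage vs. latent faults (e.g. startup LBIST/MBIST)


def fmeda_metrics(elements):
    """Return (SPFM, LFM) per ISO 26262-5:
       SPFM = 1 - sum(l_SPF + l_RF) / sum(l)
       LFM  = 1 - sum(l_MPF,latent) / sum(l - l_SPF - l_RF)
    A fault covered by a safety mechanism becomes a multiple-point fault; the share
    of those not detected by a latent-fault mechanism stays latent."""
    total = sum(e.fit for e in elements)
    spf_rf = 0.0   # single-point + residual failure rate
    latent = 0.0   # latent multiple-point failure rate
    for e in elements:
        relevant = e.fit * (1.0 - e.safe)           # faults able to violate the safety goal
        spf_rf += relevant * (1.0 - e.dc_spf)        # not caught by any safety mechanism
        latent += relevant * e.dc_spf * (1.0 - e.dc_lf)
    return 1.0 - spf_rf / total, 1.0 - latent / (total - spf_rf)


def meets(asil, spfm, lfm):
    """True when both metrics reach the target for the given ASIL."""
    t_spfm, t_lfm = ASIL_TARGETS[asil]
    return spfm >= t_spfm and lfm >= t_lfm


# Constructed baseline FMEDA: parity on SRAM/bus, software self-test on the CPU, no BIST.
BASELINE = [
    Element("cpu",   100.0, safe=0.5, dc_spf=0.90, dc_lf=0.0),
    Element("sram",  200.0, safe=0.4, dc_spf=0.90, dc_lf=0.0),
    Element("bus",    50.0, safe=0.5, dc_spf=0.90, dc_lf=0.0),
    Element("logic", 150.0, safe=0.6, dc_spf=0.95, dc_lf=0.0),
]


def what_if_ecc_and_bist(elements):
    """Architecture what-if: SRAM parity -> ECC (99% DC) and 90% latent coverage via startup BIST."""
    return [replace(e, dc_spf=0.99 if e.name == "sram" else e.dc_spf, dc_lf=0.9) for e in elements]


if __name__ == "__main__":
    for label, fmeda in (("baseline", BASELINE), ("ecc+bist", what_if_ecc_and_bist(BASELINE))):
        spfm, lfm = fmeda_metrics(fmeda)
        print(f"{label}: SPFM={spfm:.2%} LFM={lfm:.2%} ASIL-C={'PASS' if meets('ASIL-C', spfm, lfm) else 'FAIL'}")
```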

Summary

Achieving ASIL-C compliance can be particularly challenging for large, complex designs. However, various optimizations and methodologies can streamline this process. An integrated safety workflow—from lifecycle management to FMEDA and analysis to validation—offers significant efficiency gains. By leveraging Safety Analyzer, which performs structural analysis of RTL and GLS designs and delivers early, accurate safety metrics, teams can reduce costly iterations around fault simulation. Siemens EDA software provides a comprehensive FuSa solution that accelerates ISO 26262 certification by enabling engineers to work more efficiently and effectively.

To gain deeper insights (including a step-by-step case study with results) into how the Siemens Questa One FuSa flow will help your engineering team achieve ISO 26262 safety standard compliance through an integrated platform and safety-aware AI-powered verification engines, please read our new whitepaper, Siemens EDA FuSa flow for achieving an ASIL-C safety architecture.

Jyothy Melaedavattil Jaganathan is a lead functional safety product engineer at Siemens EDA.

Arun Gogineni is an IC functional safety architect at Siemens EDA.
