The process of creating separate design artifacts in different tools for specific purposes can be time-consuming and error-prone.
By Daniel Zhang and Claudius Jordan
Functional safety analysis is a crucial step in the development of safety-critical systems. It ensures that the system-under-development meets its defined safety requirements and functions safely under both nominal and fault conditions. In the event of a failure, the system must respond appropriately to mitigate the risk of safety hazards that could potentially endanger human health, human life, property, or the environment.
With safety-critical systems becoming increasingly complex, functional safety analysis has become a tedious, time-consuming, and expensive process. Safety analysis reports are often written in a natural language, which makes them imprecise and ambiguous, leading to varying interpretations among engineers and increasing the chance of human error.
This article proposes a workflow that seamlessly integrates system design and schematic capture, modeling and pre-layout functional simulation, and post-layout verification. Adding automated functional safety analysis to this workflow lets engineers realize even greater efficiencies.
To ensure functional safety, design engineers must identify potential failure modes within their designs and account for their causes and effects. One effective method for achieving this is Failure Modes, Effects, and Diagnostics Analysis (FMEDA), developed by the United States military in the 1940s.
Given the time and effort needed for traditional FMEDAs, they are typically performed after a design is completed, rather than being integrated into the design process. This often results in design flaws being identified late in the design process, where they are more expensive to fix, causing time-consuming rework and delays.
Tools that formalize and automate the functional safety process, such as Modelwise’s solution Paitron, can address many of these challenges. Manual methods are replaced with an automated approach that allows accurate and efficient computation of FMEDAs. In Paitron, the evaluation of failure is executed using circuit simulators and automated reasoning, significantly reducing the time and effort needed for comprehensive safety analysis. Consequently, this analysis can be performed early in the design process and repeated as needed during any design iteration.
In this workflow, the circuit simulator (Siemens HyperLynx AMS) is directly integrated with the schematic capture tool (Siemens Xpedition Designer), allowing simulation models to be assigned directly to symbols in the PCB schematic. This means that a single design is used for schematic capture, export to PCB layout, as well as modeling and simulation. Eliminating the need for duplicate schematics leads to reduced downtime in the engineering cycle and fewer opportunities for mistakes.

Fig. 1: Integration of schematic capture and circuit simulation.
HyperLynx AMS is compatible with various model formats, including SPICE, VHDL-AMS, Verilog-AMS, IBIS, S-Parameter, and C code functions. Thanks to compatibility with a large variety of model formats, a wide range of technologies and disciplines can be modeled and simulated, including analog electronics, digital electronics, mechanical systems, thermal systems, and more. Multidisciplinary systems (e.g., electromechanical, electromagnetic, thermal analysis) can be easily represented, and component models written by different vendors or in different formats can coexist in one design.
Additionally, a PCB board layout can be imported for parasitic extraction and post-layout analysis. Correctly accounting for board-level parasitic inductances, capacitances, and resistances in simulation requires an accurate model of board traces and their collective behavior. 3D electromagnetic field solvers are used to identify board parasitics and populate them into the SPICE netlist for simulation.
Designing PCBs involves various tools for different design stages, starting from early functional schematics to physical board assembly. This process of creating separate design artifacts in different tools for specific purposes can be time-consuming and error-prone, as it requires transferring information between tools and maintaining consistency. Compatibility issues may arise, and convenient processes for translation, import, and export may not be available.
Integration of PCB design capture with circuit simulation enables a single schematic to be used and streamlines the workflow. Additionally, coupling the circuit simulation with the functional safety tool brings automated functional safety analysis into the same workflow, which further improves efficiency.
An important benefit of interfacing schematic capture with functional safety analysis is that bills of materials (BOMs) can be generated by extracting component property information directly from the schematic database. This enables the functional safety tool to automatically map the components to the categories of the failure rate and modes databases, an otherwise tedious and time-consuming task for engineers.
The unified schematic design workflow facilitates component database maintenance and ensures consistency for all downstream tasks. For instance, voltage and current ratings can be directly incorporated in the functional safety analysis. This added value and efficiency is unique to this workflow.
The workflow is demonstrated by a functional safety analysis of a (simple) voltage monitor circuit. The circuit schematic is shown in the Xpedition Designer environment in Figure 2. Each symbol in the schematic is assigned a SPICE or VHDL-AMS model from the HyperLynx AMS standard library, enabling the simulation of circuit behavior. To verify nominal performance, a simulation is conducted with the input voltage Vin ramping slowly from 0 V to 20 V over time.

Fig. 2: Voltage monitor schematic in Xpedition Designer.
Figure 3 displays the simulation results in the Waveform Analyzer. Within the Waveform Analyzer, detailed measurements and post-processing of waveforms can be performed. These results indicate that in a properly functioning circuit, the “valid” input ranges from about 6.8 V to 13.4 V. If Vin lies outside this range, the voltage monitor “trips.”

Fig. 3: Simulation results for nominal performance.
The voltage range is determined by the resistance values of the voltage divider R3, R4, and R5. Consider a failure mode in which resistor R4 experiences an increase in resistance. In real-world circuits, it is common for carbon composition resistors, for example, to drift by 5–20% or more over years. A circuit analysis reveals that the voltage monitor will deliver a “valid” output for a wider-than-expected window of input voltages due to increased voltage drop across R4. In other words, the monitor becomes less effective in detecting overvoltage and undervoltage conditions. This is considered dangerous behavior as it eventually leads to a safety goal violation.
The increase of resistance is only one out of four failure modes to be analyzed for a simple component like a resistor. Likewise, for each other component in the circuit, a set of failure modes needs to be investigated. Even for a relatively small circuit like the voltage monitor, performing an FMEDA by hand is time-consuming.
The FMEDA is performed by interfacing the HyperLynx AMS simulation with Paitron. Variables and their domains are specified to describe the system’s behavior. In the voltage monitor example, one input variable, Vin, and one output variable, Vout, are defined.
A domain is assigned to each variable. In the voltage monitor example, the domain for Vin consists of three qualitative values: undervoltage, valid, and overvoltage. Vout is expected to be either “tripped” (0 V) or “valid” (1 V) and hence, two qualitative values are distinguished. The model variables and domains are summarized in Table 1.
| Variable | Type | Partition | Value |
|---|---|---|---|
| Vin | Input | [0.1, 6.7) | undervoltage |
| | | [6.8, 13.4] | valid |
| | | [13.5, 20) | overvoltage |
| Vout | Output | (-inf, 0.5] | tripped |
| | | (0.5, inf) | valid |
Table 1: Defined model variables and domains.
With the variables and domains defined, the system behavior can then be formalized into “system effects.” For instance, overall system requirements may define normal operating ranges and conditions, and the system effects could include violations of these requirements. Component datasheets may indicate overstress thresholds or undesired set-up conditions. In addition, Paitron allows the addition of “deviation effects.” Those effects represent system behavior where the output differs from its expected value when the design parameters deviate from their nominal values.
In Paitron, effects are formalized using constraint expressions. An added benefit of formalizing the effects is ensuring an objective, traceable formulation, preventing ambiguity. Some exemplary effects are listed in Table 2.
| Effect | Description |
|---|---|
| Monitor stuck valid | Vout is always HIGH |
| Monitor stuck tripped | Vout is always LOW |
| Missing overvoltage | Vout is HIGH for some overvolted input and LOW for others |
| Missing undervoltage | Vout is HIGH for some undervolted input and LOW for others |
| Tripped valid | Vout is LOW for some valid input voltages and HIGH for others |
Table 2: Exemplary system effects.
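The following added example (not code from the article, Paitron or HyperLynx AMS) shows how the qualitative FMEDA loop behind Tables 1 and 2 can be automated for the R4 drift case discussed above: every resistor failure mode is injected into a small behavioral model of the monitor, Vin is swept over the Table 1 domains, and the Table 2 constraints (plus a deviation effect per domain, as described above) are evaluated on the resulting qualitative map. The window-comparator topology, the 2.5 V reference and the resistor values are assumptions, chosen so that the nominal window reproduces the 6.8 V to 13.4 V range from the article.

```python
VREF = 2.5                                             # comparator reference (assumed)
NOMINAL = {"R3": 33.9e3, "R4": 9.9e3, "R5": 10e3}      # constructed values, ohms
# Table 1 input domains, sampled in 0.1 V steps (integer tenths avoid float drift)
DOMAINS = {"undervoltage": range(1, 67), "valid": range(68, 135),
           "overvoltage": range(135, 200)}
EXPECTED = {"undervoltage": {"tripped"}, "valid": {"valid"}, "overvoltage": {"tripped"}}
# Four resistor failure modes, expressed as scaling factors on the nominal value
FAILURE_MODES = {"open": 1e12, "short": 1e-6, "drift +20%": 1.2, "drift -20%": 0.8}

def vout(vin, r):
    """Window comparator on divider R3-R4-R5: 1 V when valid, 0 V when tripped."""
    rtot = r["R3"] + r["R4"] + r["R5"]
    v_a = vin * (r["R4"] + r["R5"]) / rtot   # tap between R3 and R4, undervoltage sense
    v_b = vin * r["R5"] / rtot               # tap between R4 and R5, overvoltage sense
    return 0.0 if (v_a < VREF or v_b > VREF) else 1.0

def qualitative(r):
    """Map each Vin domain to the set of Vout domain values observed in it."""
    return {d: {"valid" if vout(i / 10, r) > 0.5 else "tripped" for i in ids}
            for d, ids in DOMAINS.items()}

def effects(r):
    """Evaluate the Table 2 constraints plus a deviation effect for each domain."""
    q = qualitative(r)
    outs = set().union(*q.values())
    found = set()
    if outs == {"valid"}:
        found.add("Monitor stuck valid")
    if outs == {"tripped"}:
        found.add("Monitor stuck tripped")
    for d, name in (("overvoltage", "Missing overvoltage"),
                    ("undervoltage", "Missing undervoltage"), ("valid", "Tripped valid")):
        if len(q[d]) == 2:                   # HIGH for some inputs, LOW for others
            found.add(name)
    found |= {f"Deviation in {d}" for d in q if q[d] != EXPECTED[d]}
    return found

def fmeda():
    """Inject every failure mode of every resistor and collect the resulting effects."""
    rows = {}
    for comp in NOMINAL:
        for mode, factor in FAILURE_MODES.items():
            faulted = dict(NOMINAL, **{comp: NOMINAL[comp] * factor})
            rows[(comp, mode)] = effects(faulted)
    return rows

if __name__ == "__main__":
    for (comp, mode), eff in fmeda().items():
        print(f"{comp} {mode:11} -> {sorted(eff) or ['no effect']}")
```

With these values the nominal circuit violates no effect, a 20% increase of R4 widens the window on both sides (missing undervoltage and missing overvoltage), and a shorted R4 leaves the monitor stuck tripped.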
To compute the quantitative safety metrics, the failure rate and failure mode distributions for each component need to be known. This data may be obtained from field or manufacturer data or industry databases. In addition, custom failure modes, rates, and distributions can be included in the analysis, as well as component ratings, operating conditions, and mission profiles. In this example, the industry standards SN 29500 and IEC 61709 are used as the failure rate and mode sources.
With the analysis set up, the automated FMEDA is performed in which Paitron determines the resulting effects for each failure mode. Once the analysis is complete, a detailed safety report is generated containing the safety metrics according to the selected standard. Figure 4 shows the analysis summary with the main safety key performance indicators (KPI) according to IEC 61508, such as safe failure fraction, safety function failure rate, mean time between failure, and probability of failure per hour.

Fig. 4: Safety report generated from FMEDA results.
In most design projects, PCB layouts involve significantly more than just a voltage monitor. Usually, a PCB comprises several pages of schematics organized into functional blocks.
The following example presents a PCB system composed of five blocks (rectifier, controller, 2x DCDC, and voltage monitor), as illustrated in Figure 5, each exhibiting a complexity level comparable to or greater than that of the voltage monitor.

Fig. 5: Top-level view on the PCB system consisting of five blocks.
Following a divide-and-conquer approach, a detailed analysis of each block is conducted according to the following workflow: (1) preparing the Xpedition design, setting up the HyperLynx AMS simulation, (2) exporting the BOM from Xpedition, (3) creating a Paitron project, (4) specifying variables, domains, and effects, (5) selecting the sources for failure rate and mode, and (6) running the automated analysis.
In Table 3, the computed safety KPIs for the individual blocks are listed. With the architecture provided, these individual KPIs can be aggregated into system-level KPIs.
This structured approach streamlines the analysis process and allows engineers to consider how block interactions impact the overall system performance and reliability. The integration of schematic capture, circuit simulation, and FMEDA reduces the analysis time from months of dedicated manual effort to hours, while achieving finer-grained analysis. In total, the analysis of the exemplary five-block PCB took two working days. Simply put, the larger and more complex the system is, the higher the gain.
| Block | Dangerous Undetected (λDU) | Dangerous Detected (λDD) | Dangerous Faults (λD) | Safety-Related Faults (λSR) | Safe Failure Fraction |
|---|---|---|---|---|---|
| Controller | 1.008E-7 | 4.53222E-8 | 1.461E-7 | 1.461E-7 | 0.3102 |
| DCDC-12V | 3.875E-8 | 0 | 3.875E-8 | 3.875E-8 | 0 |
| DCDC-5V | 3.875E-8 | 0 | 3.875E-8 | 3.875E-8 | 0 |
| Rectifier | 3.826E-8 | 0 | 3.826E-8 | 3.826E-8 | 0 |
| Voltage monitor | 4.62E-9 | 0 | 4.62E-9 | 1.056E-8 | 0.5625 |
Table 3: Key performance indicators from FMEDA of a complex multiple-block design.
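As an added example (not from the article or Paitron), the Table 3 rows can be cross-checked against the IEC 61508 definitions and then aggregated into system-level KPIs as the text above describes: λD = λDU + λDD, and the safe failure fraction is SFF = (λS + λDD) / λSR = 1 - λDU / λSR. The aggregation assumes the five blocks are in series, so that any dangerous fault of a block is dangerous for the system and rates simply add; that architecture is an assumption, not stated on the page.

```python
# Table 3 as printed: block -> (lambda_DU, lambda_DD, lambda_D, lambda_SR, SFF)
TABLE_3 = {
    "Controller":      (1.008e-7, 4.53222e-8, 1.461e-7, 1.461e-7, 0.3102),
    "DCDC-12V":        (3.875e-8, 0.0,        3.875e-8, 3.875e-8, 0.0),
    "DCDC-5V":         (3.875e-8, 0.0,        3.875e-8, 3.875e-8, 0.0),
    "Rectifier":       (3.826e-8, 0.0,        3.826e-8, 3.826e-8, 0.0),
    "Voltage monitor": (4.62e-9,  0.0,        4.62e-9,  1.056e-8, 0.5625),
}

def sff(l_du, l_sr):
    """IEC 61508 safe failure fraction: (lambda_S + lambda_DD) / lambda_SR = 1 - lambda_DU / lambda_SR."""
    return 1.0 - l_du / l_sr if l_sr else 0.0

def check_block(row, tol=5e-4):
    """True when the printed lambda_D and SFF agree with the other columns (rounding tolerance)."""
    l_du, l_dd, l_d, l_sr, sff_printed = row
    return abs(l_du + l_dd - l_d) <= tol * l_d and abs(sff(l_du, l_sr) - sff_printed) <= tol

def aggregate(table):
    """Series aggregation (ASSUMPTION): block failure rates add up at system level."""
    l_du = sum(r[0] for r in table.values())
    l_dd = sum(r[1] for r in table.values())
    l_sr = sum(r[3] for r in table.values())
    return {"lambda_DU": l_du, "lambda_DD": l_dd, "lambda_D": l_du + l_dd,
            "lambda_SR": l_sr, "SFF": sff(l_du, l_sr)}

if __name__ == "__main__":
    for name, row in TABLE_3.items():
        print(f"{name:16} consistent: {check_block(row)}")
    print(aggregate(TABLE_3))
```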
FMEDA itself is a cumbersome and time-consuming task. A common side effect is that it takes time and focus away from system design and, because of limited accuracy and insight, results in overengineered designs. Automating FMEDA helps users shift their focus back to design optimization.
One user found that several redundant blocks initially deemed essential for meeting their safety KPIs were unnecessary. They identified that a simplified 1oo1 (one-out-of-one) safety architecture could replace their 1oo3 architecture while maintaining the required safety KPIs. As a result, they could reduce the complexity of their system and, more importantly, achieve significant cost savings on hardware components.
In another case, an aerospace OEM identified single points of failure in their designs at an early design stage. Without this analysis, they would have remained undiscovered until at least a year later, during the design freeze review. The automation enabled them to perform the analysis during design time, meaning issues were identified well before they could impact the project timeline.
These case studies showcase the impact of applying the integrated workflow described in this article. They highlight how systematic analysis can lead to smarter design decisions that enhance both safety and efficiency, ultimately driving higher performance within complex systems.
Experience the integrated workflow via a guided demonstration here. To learn more about this proposed workflow, download our new white paper, Integration of Xpedition, HyperLynx AMS and Modelwise Paitron for automated functional safety analysis, here.
Claudius Jordan is a senior engineer at Modelwise GmbH. He holds a Master of Science in Mechatronics and Information Technology from the Technical University of Munich. He works on advancing functional safety analyses in hardware engineering.