1. Introduction

ISO 26262, titled “Road vehicles – Functional safety,” is an international standard for the functional safety of electrical and electronic systems in road vehicles. First published in 2011 and revised in 2018, ISO 26262 adapts the broader IEC 61508 standard for automotive applications. The standard sets specific random hardware failure rate targets for each automotive safety integrity level (ASIL) and provides a comprehensive framework for assessing, mitigating, and validating random hardware failures throughout the lifecycle of automotive electronic and electrical system development. Because it covers every phase of that lifecycle, ISO 26262 gives a thorough approach to the functional safety of automotive electronic systems.

ISO 26262 addresses both systematic and random faults to ensure the safety of automotive systems. Systematic faults are predictable and repeatable issues caused by bugs in the design, development, or manufacturing processes. Random faults are unpredictable and occur because of variability in hardware components over time. Siemens EDA provides a complete set of tools that applies to both systematic and random faults; however, this paper focuses on the tools, tool flows, and methodologies for mitigating random faults to ensure ISO 26262 ASIL compliance. It is targeted at developers of automotive ICs/SoCs who need an optimized tool flow to automate their safety workflow and achieve a successful ISO 26262 certification.

This paper details the Siemens functional safety (FuSa) tools — categorized as safety analysis or safety validation tools — that mitigate random faults. The Siemens safety analysis tools include Questa™ One VIQ Compliance Advisor and Questa One Safety Analyzer, which support ISO 26262 compliance by providing early-stage ASIL metrics, optimized fault lists, and comprehensive failure mode effects and diagnostic analysis (FMEDA). Questa One Sim Fault Acceleration (also known as Questa One Sim FX) is a high-performance fault simulator that efficiently closes fault campaigns to validate the safety level of ICs/SoCs. All these tools are interconnected through a common FuSa database, facilitating a cohesive safety workflow. Integration with the Siemens Polarion and Jama lifecycle management tools ensures efficient tracking and management of the safety-related information required for certification.

Challenges

The impact of ISO 26262 on the automotive industry has been positive as well as challenging. Product quality has improved, with products becoming safer and more reliable, but the standard has also increased costs, raised market barriers for smaller IP vendors, and forced new relationships between Tier 1 and Tier 2 suppliers and OEMs, to name a few effects. From the engineering point of view, developing ICs/SoCs for the automotive market has introduced new technical challenges, including increased design complexity, safety architectural constraints, rigorous verification expectations, cross-disciplinary alignment, longer development cycles, and additional documentation for design certification.

ASIL-D diagnostic coverage (DC) is achieved by duplication, such as lock-step for CPUs, but it is costly because it doubles the footprint (area). ASIL-C, for example, can be reached with a lower area impact using a variety of safety mechanisms (SM). It must reach a 97% single point fault metric (SPFM) and an 80% latent fault metric (LFM), and its probabilistic metric for hardware failures (PMHF) must be less than 10, as shown in Table 1. The development processes must also be traceable from architecture to implementation to test results. ASIL-C is about ensuring the chip is safe and being able to prove it with a solid architecture, disciplined processes, and thorough validation.
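To make the SPFM and LFM targets above concrete, here is a small worked computation of both metrics from an FMEDA-style element table. This is an added example, not code from the paper or output of any Siemens tool; the element names, failure rates, safety-related fractions, and diagnostic coverage values are constructed for illustration, and the 97% / 80% thresholds are the ASIL-C targets the paper states. The formulas are the hardware architectural metric definitions from ISO 26262-5 (Annex C). PMHF is deliberately not computed here, since it depends on exposure times and dual-point fault treatment that a single element table does not capture.

```python
"""Worked SPFM/LFM computation from a constructed FMEDA-style element table.

ISO 26262-5 (Annex C) hardware architectural metrics:
  SPFM = 1 - sum(lambda_SPF + lambda_RF) / sum(lambda)
  LFM  = 1 - sum(lambda_MPF,latent) / sum(lambda - lambda_SPF - lambda_RF)
"""
from dataclasses import dataclass

# ASIL-C targets as stated in the paper (Table 1).
ASIL_C_SPFM = 0.97
ASIL_C_LFM = 0.80


@dataclass(frozen=True)
class Element:
    name: str
    fit: float          # base failure rate of the element, in FIT (1e-9 / h)
    sr_fraction: float  # share of faults that could violate a safety goal (rest are safe faults)
    dc_residual: float  # diagnostic coverage of the SM against single-point faults (0.0 = no SM)
    dc_latent: float    # coverage against latent faults, e.g. periodic self-test of the SM itself

    @property
    def lam_spf_rf(self) -> float:
        """Single-point faults (no SM) plus residual faults (SM misses them)."""
        return self.fit * self.sr_fraction * (1.0 - self.dc_residual)

    @property
    def lam_mpf(self) -> float:
        """Faults the SM covers become multi-point faults: they need the SM to fail too."""
        return self.fit * self.sr_fraction * self.dc_residual

    @property
    def lam_mpf_latent(self) -> float:
        """Multi-point faults neither detected nor perceived within the detection interval."""
        return self.lam_mpf * (1.0 - self.dc_latent)


def spfm(elements) -> float:
    """Single point fault metric over all safety-related hardware elements."""
    total = sum(e.fit for e in elements)
    return 1.0 - sum(e.lam_spf_rf for e in elements) / total


def lfm(elements) -> float:
    """Latent fault metric; the denominator excludes single-point and residual faults."""
    denom = sum(e.fit - e.lam_spf_rf for e in elements)
    return 1.0 - sum(e.lam_mpf_latent for e in elements) / denom


def meets_asil_c(elements) -> bool:
    """True when both architectural metrics reach the ASIL-C targets quoted above."""
    return spfm(elements) >= ASIL_C_SPFM and lfm(elements) >= ASIL_C_LFM


# Constructed sample SoC (hypothetical values, not from any real design).
EXAMPLE_SOC = [
    Element("cpu_core", 100.0, 1.0, 0.99, 0.90),  # lock-step compare, LBIST covers the comparator
    Element("sram",     200.0, 1.0, 0.99, 0.90),  # ECC, MBIST covers the ECC logic
    Element("bus",       50.0, 0.8, 0.95, 0.80),  # parity; 20% of its faults are safe faults
    Element("pll",        4.0, 1.0, 0.00, 0.00),  # no safety mechanism: every fault is single-point
    Element("debug",     30.0, 0.0, 0.00, 0.00),  # not safety-related: counts only in total lambda
]

if __name__ == "__main__":
    for e in EXAMPLE_SOC:
        print(f"{e.name:9s} SPF/RF={e.lam_spf_rf:6.2f} FIT  MPF,latent={e.lam_mpf_latent:6.2f} FIT")
    print(f"SPFM={spfm(EXAMPLE_SOC):.4f}  LFM={lfm(EXAMPLE_SOC):.4f}  "
          f"ASIL-C metrics met: {meets_asil_c(EXAMPLE_SOC)}")
```

The interesting lever is the unprotected PLL: raising its base failure rate from 4 FIT to 20 FIT in this table pushes SPFM from about 97.7% down to 93.75%, below the ASIL-C target, while LFM is unaffected. That is exactly the kind of element-level sensitivity an FMEDA exposes early, before a fault campaign is run.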
