Electronics Guide

Functional Safety Standards and Concepts

The functional safety flow is anchored in a small set of standards and the vocabulary they establish. Understanding these concepts is essential because every metric and activity in the flow derives from them.

• IEC 61508: The foundational standard for the functional safety of electrical, electronic, and programmable electronic safety-related systems. It defines the safety integrity level (SIL) on a scale from one to four and serves as the basis from which sector-specific standards are derived.
• ISO 26262: The automotive adaptation of IEC 61508, covering the safety lifecycle of road-vehicle electrical and electronic systems. It defines the Automotive Safety Integrity Level (ASIL), graded from A to D, with D representing the most stringent requirements.
• Hazard analysis and risk assessment: The process that assigns an integrity level based on the severity, exposure, and controllability of potential hazards, thereby setting the target rigor for the hardware that addresses them.
• Safety goals and requirements: Top-level objectives that flow down into technical safety requirements and ultimately into hardware safety requirements that the design must implement and the flow must verify.

These standards distinguish systematic faults, which stem from errors in specification or implementation, from random hardware faults, which arise from physical defects and environmental disturbances. Electronic design automation flows address systematic faults through disciplined process and verification, and random faults through the quantitative analyses described below.

The assigned integrity level sets numerical targets that the flow must meet. ISO 26262 specifies architectural-metric goals that tighten with each grade: ASIL B calls for a single-point fault metric of at least ninety percent and a latent-fault metric of at least sixty percent; ASIL C raises these to ninety-seven and eighty percent; and ASIL D, the most stringent grade, demands at least ninety-nine and ninety percent respectively. The probabilistic target follows the same pattern, with the highest grade allowing roughly an order of magnitude lower failure probability than the grades below it. Because the numbers leave little margin, the design must earn its diagnostic coverage rather than assume it, and the EDA flow exists to produce that evidence efficiently.

Failure Modes, Effects, and Diagnostic Analysis

Failure modes, effects, and diagnostic analysis (FMEDA) is the quantitative core of hardware functional safety. It systematically enumerates how each part of a design can fail and determines whether the safety mechanisms detect or control each failure.

• Failure-mode enumeration: Identifying the ways each element can fail, typically reduced to stuck-at and transient fault models at the gate level, and associating each with a portion of the element's failure rate.
• Base failure-rate estimation: Deriving raw failure rates from reliability handbooks or technology data, then distributing them across the gates and nets of the design in proportion to area or transistor count.
• Effect classification: Determining whether a given failure is safe, has the potential to violate a safety goal, or is detected by a safety mechanism, which sorts each fault into the categories the metrics require.
• Diagnostic-coverage attribution: Crediting each safety mechanism with the fraction of a failure mode it detects, supported by evidence from fault simulation rather than assumption alone.

Base failure rates are typically expressed in failures in time (FIT), where one FIT equals one failure per billion device-hours. Reliability handbooks such as IEC 62380, the Siemens norm SN 29500, and the historical MIL-HDBK-217 provide raw rates by component class, which the tool apportions across the netlist. Each apportioned failure is then sorted into a category the standard defines precisely: a safe fault that cannot violate a safety goal, a single-point fault that violates the goal with no mechanism to detect it, a residual fault that escapes an otherwise present mechanism, or a latent multiple-point fault that lies dormant until a second fault occurs. The diagnostic coverage credited to a mechanism is the fraction of a failure mode's rate it removes from the dangerous categories.

Modern tools automate much of this analysis by mapping the design netlist to failure modes, partitioning failure rates, and aggregating results across the safety-related and non-safety-related portions of the device. Spreadsheet-based FMEDA, once the norm, has given way to netlist-driven engines that keep the analysis synchronized with design changes and link credited coverage to the fault-campaign results that justify it. The output feeds directly into the hardware architectural metrics that gate the achievable integrity level.

Hardware Architectural Metrics

ISO 26262 requires that random hardware fault handling be demonstrated through specific quantitative metrics. These metrics summarize the FMEDA results and must meet defined thresholds for the target Automotive Safety Integrity Level.

• Single-point fault metric (SPFM): The fraction of the hardware failure rate that is not attributable to single-point or residual faults, reflecting how well the design avoids faults that alone can violate a safety goal.
• Latent-fault metric (LFM): The fraction of the failure rate that is not attributable to latent faults, those that escape detection and could combine with a later fault to cause a failure.
• Probabilistic metric for random hardware failures (PMHF): The average probability of a safety-goal violation per hour of operation, expressed in failures in time (FIT), where one FIT equals one failure per billion device-hours.
• Diagnostic coverage: The proportion of a failure mode's failure rate detected or controlled by a safety mechanism, which directly drives the single-point and latent-fault metrics.

The thresholds are concrete. For ASIL D, ISO 26262-5 sets the single-point fault metric at no less than ninety-nine percent and the latent-fault metric at no less than ninety percent, with the probabilistic metric below ten FIT, equivalent to a safety-goal-violation probability under ten to the minus eight per hour. ASIL C relaxes these to ninety-seven percent, eighty percent, and one hundred FIT, while ASIL B requires ninety percent, sixty percent, and one hundred FIT. IEC 61508 frames the same idea through the safe failure fraction, the proportion of failures that are either inherently safe or detected, combined with the hardware fault tolerance of the architecture.

Tools compute these metrics from the annotated netlist and the credited diagnostic coverage, allowing architects to explore where additional safety mechanisms most efficiently raise the metrics. Because a few percentage points of coverage can decide whether an architecture reaches ASIL D, this what-if exploration is a core part of the flow: it shows whether a target is met by adding error correction to a memory, by duplicating a control path, or by accepting a lower grade. The metrics provide the objective pass criteria for hardware safety sign-off.

Fault Campaigns and Fault Simulation

Claimed diagnostic coverage must be substantiated by evidence, and fault campaigns supply that evidence. A fault campaign injects faults into a model of the design and observes whether the safety mechanisms detect them within the required time.

• Fault-list generation and collapsing: Enumerating candidate fault sites, typically stuck-at and single-event-transient faults, and collapsing equivalent faults to reduce the simulation effort without loss of accuracy.
• Fault classification: Sorting each injected fault as detected, safe, or dangerous-undetected, based on whether it reaches an observable output and whether a safety mechanism flags it in time. The timing budget is the fault-tolerant time interval, the span from a fault's occurrence to a possible hazardous event if no mechanism intervenes; it is consumed by the fault-detection time interval and the fault-reaction time interval, so a mechanism that detects a fault too late is treated as ineffective.
• Statistical sampling: Simulating a representative random sample of the fault population to estimate coverage with a quantified confidence interval when exhaustive injection is impractical.
• Formal and structural pruning: Applying formal analysis to prove that certain faults are undetectable or cannot propagate, reducing the campaign size and improving the precision of the coverage estimate.

Hardware-accelerated simulation and emulation make large campaigns tractable for complex designs, where millions of fault sites would otherwise overwhelm software simulation. A campaign on a modern automotive system-on-chip may inject faults at tens of millions of sites; concurrent fault simulation, in which many faults propagate through a single timing-accurate run, and emulation on dedicated hardware reduce a months-long software task to days. The measured coverage replaces assumed values in the FMEDA, tightening the credibility of the architectural metrics. Where coverage falls short, the same data localizes the unprotected logic, guiding the insertion of additional safety mechanisms before the next campaign.

Safety Mechanisms and Safety-Aware Synthesis

Diagnostic coverage comes from safety mechanisms deliberately built into the design. Safety-aware synthesis inserts and verifies these structures while preserving the functional intent of the original description.

• Error-detection and correction codes: Parity, single-error-correcting and double-error-detecting codes, and stronger schemes that protect memories and data paths against bit corruption.
• Redundancy and lockstep: Duplicated logic with comparison, or triple modular redundancy with voting, including dual-core lockstep processors in which two cores execute identically and a checker flags divergence.
• Built-in self-test and monitors: Logic and memory self-test executed at startup or periodically, together with online monitors such as watchdogs, range checks, and control-flow checks that catch faults during operation.
• Safety-flag preservation: Synthesis constraints that prevent optimization from merging or removing redundant logic, so that duplicated and checking structures survive to the gate level intact.

The choice of mechanism trades coverage against area, power, and latency. Error-correcting codes are inexpensive for regular structures such as memories and buses, where a single-error-correcting, double-error-detecting code adds a handful of bits per word. Dual-core lockstep, by contrast, roughly doubles the area of the protected processor and adds the comparison logic, but it covers a broad class of faults that codes cannot reach; it underlies the safety islands of widely used automotive microcontroller families. Triple modular redundancy, with majority voting among three copies, tolerates a fault rather than merely detecting it, at triple the area, and is reserved for the most critical paths.

Because conventional logic synthesis aggressively eliminates apparent redundancy, safety-aware flows mark protected structures so that equivalence and redundancy are retained. The tools then confirm, through formal checks, that the inserted mechanisms remain functionally isolated from the logic they protect, since a fault that propagates from monitored logic into its own checker would defeat the protection.

Safety-Aware Place-and-Route and Physical Implementation

Physical implementation can inadvertently undermine safety if redundant elements share a common physical weakness. Safety-aware place-and-route enforces separation so that a single physical event cannot defeat redundancy.

• Physical separation of redundancy: Spacing duplicated or lockstep logic and their interconnect so that a localized defect, particle strike, or thermal event cannot corrupt both copies simultaneously.
• Common-cause-failure mitigation: Diversifying placement and routing of redundant channels to reduce the probability that one root cause affects multiple channels, addressing dependent-failure concerns the standards require.
• Isolation of safety and non-safety domains: Maintaining boundaries between safety-related and non-safety-related logic, including freedom from interference for shared resources and power domains.
• Test-structure insertion: Placing scan chains, built-in self-test controllers, and observation points to maximize the controllability and observability that fault campaigns and in-field diagnostics depend upon.

These constraints integrate with the timing-driven and congestion-driven objectives of ordinary place-and-route, so the tools must balance safety separation against area and performance. Verification then confirms that the implemented layout still satisfies the separation rules and that extracted parasitics do not invalidate the safety analysis.

Verification, Traceability, and Diagnostic Coverage Closure

Functional safety demands that every requirement be verified and that the evidence be traceable end to end. Verification in a safety flow therefore couples functional correctness with explicit closure of the safety metrics.

• Requirements traceability: Linking each hardware safety requirement to the design element that implements it and to the test or analysis that verifies it, producing an auditable matrix from goals to evidence.
• Coverage closure: Demonstrating that functional and fault coverage targets are met, and that the achieved diagnostic coverage in the campaign supports the claimed architectural metrics.
• Formal property verification: Proving safety-relevant properties, such as the correct behavior of comparators and the absence of unintended interference paths, where simulation cannot guarantee exhaustiveness.
• Independence and review: Conducting verification with the degree of independence the integrity level requires, and recording reviews and confirmation measures as part of the safety case.

The assembled evidence forms the hardware portion of the safety case, the structured argument that the design meets its safety goals. Consistency between the FMEDA assumptions, the measured coverage, and the implemented mechanisms is the central obligation of safety closure.

Tool Qualification and Confidence

If a tool can introduce or fail to detect an error in a safety-related design, the standards require justified confidence in that tool. Tool qualification provides the argument that the flow itself does not undermine safety.

• Tool classification: Determining a tool confidence level (TCL) from two factors. Tool impact captures whether a malfunction could introduce or fail to detect an error in the safety-related output, and tool error detection captures the likelihood that such an error would be prevented or caught downstream. A tool that cannot affect the output, or whose errors are reliably caught, reaches the lowest confidence level and needs no further qualification; otherwise the combination sets the required rigor.
• Qualification methods: Establishing confidence by one or more of the methods the standard names: increased confidence from prior use, evaluation of the tool development process, validation of the tool against its requirements, or development of the tool in accordance with a safety standard, chosen according to the classification.
• Tool-qualification kits: Vendor-supplied packages of test suites, safety manuals, and documentation that demonstrate a tool detects or avoids the error modes relevant to its use case.
• Error-detection measures: Independent checks within the flow, such as equivalence checking between stages, that catch tool-induced errors and thereby lower the confidence burden on any single tool.

By qualifying the synthesis, place-and-route, simulation, and analysis tools, or by demonstrating downstream checks that would catch their errors, the flow closes the final gap in the safety argument. The result is a development environment whose outputs can be trusted in the safety case alongside the design evidence itself.

Summary

Functional safety electronic design automation flows transform the abstract requirements of ISO 26262 and IEC 61508 into concrete, quantified engineering activities. Through failure modes, effects, and diagnostic analysis, fault campaigns, safety-aware synthesis and place-and-route, traceable verification, and qualified tools, these flows produce the evidence that random and systematic hardware faults are controlled to the level the application demands. The discipline they impose, in which every safety goal traces to an implemented mechanism and a measured coverage figure, is what allows integrated circuits to be entrusted with functions on which human safety depends.

Related Topics

• Automotive Electronics Design Tools - ISO 26262 compliance checking and functional safety analysis for vehicle systems.
• Reliability Analysis Software - Failure-mode analysis and fault-tree methods underlying FMEDA.
• Verification and Validation Tools - Formal verification and coverage analysis that close the safety case.
• Test and Testability Software - Fault simulation, ATPG, and built-in self-test that supply diagnostic coverage.
• Place and Route Automation - Physical implementation where redundancy separation and isolation are enforced.
• Logic Synthesis Tools - Synthesis whose optimizations safety-aware flows constrain to preserve redundancy.
• Electronic Design Automation and CAD Tools - The broader category of EDA and CAD software.