Tomco USA
Client sign-inBook a discovery call
Safety & Systems
Functional SafetyISO 26262 · DO-178C · IEC 62304 · IEC 61508Systems EngineeringARP 4754A · INCOSE · MBSE · V&VSoftware Safety & QualityDO-178C SW · MISRA · AUTOSARQuality ManagementISO 9001 · IATF 16949 · AS9100 · ASPICE
Emerging & Cross-Cutting
CybersecurityISO 21434 · UN R155/R156 · IEC 62443 · DO-326AAI Safety & AssuranceUL 4600 · ISO 21448 · ISO/PAS 8800 · EU AI ActAutonomy & Robotics SafetyR15.08 · ISO 10218 · ISO 13482 · OSS stack
Learning Tracks
Functional Safety TrackFoundations → Practitioner → AdvancedCybersecurity TrackTARA · SecOC · UN R155 · DO-326AAI Safety TrackSOTIF · UL 4600 · ISO/PAS 8800Systems & Software TrackMBSE · MISRA · AUTOSAR · ASPICE
For Teams
Enterprise L&DCohort enrollment · SCIM · progress dashboardsOn-Site CohortsTomco AFSPs at your facilityVerifiable CredentialsChain-verified Tomco certificatesAcademy in Tomco BenchLearning inside your workspace
Content
Field notesWorking notes from active programsCase StudiesNamed programs, outcomes, metricsWhitepapersResearch deep-dives · long-form
Company
AboutFounded 2016 · AI R&D since 2021TeamNamed AFSPs on every engagementCareersJoin the benchContactBook a discovery call
TW-2025-001Functional Safety
100%
Tomco USA · Technical Whitepaper · TW-2025-001Functional SafetyVol. 1, No. 1Mar 2025

Systematic ASIL Decomposition in Multi-Channel E/E Architectures

A Methodology for ISO 26262:2018 Part 9 Compliance in Brake-by-Wire and Electric Power Steering Systems

Tomco USA Engineering Staff¹, Functional Safety PracticeISO 26262 / IEC 61508 Certified Practitioners
  1. ¹Tomco USA, Detroit MI
Abstract — ASIL decomposition allows a single high-integrity requirement to be split across two independent channels, each carrying a lower ASIL rating. This paper presents a structured methodology for applying Part 9 of ISO 26262:2018, with worked examples in brake-by-wire and EPS architectures, hardware metric verification, and dependent-failure analysis.
Index Terms — ASIL decomposition, ISO 26262, functional safety, hardware safety metrics, dependent failure analysis, brake-by-wire, electric power steering, SPFM, LFM, PMHF.
19 ppManuscript published Mar 2025

1. Introduction

Automotive electrical and electronic (E/E) systems in safety-critical functions such as brake-by-wire (BBW) and electric power steering (EPS) commonly require Automotive Safety Integrity Level D (ASIL D) — the highest classification defined in ISO 26262:2018 [1]. Achieving ASIL D in a monolithic hardware channel imposes severe design constraints and cost penalties. ASIL decomposition, formalised in ISO 26262:2018 Part 9 [8], provides a standards-compliant mechanism to distribute the integrity requirement across two or more independent channels, each satisfying a lower ASIL, whose combined probabilistic and coverage properties reconstruct the original requirement.

This paper presents a repeatable four-phase methodology for applying ASIL decomposition: (1) safety goal partitioning, (2) independence demonstration, (3) hardware metric verification, and (4) residual risk assessment via dependent-failure analysis (DFA). Worked examples are drawn from a hydraulic BBW system with redundant pressure-sensing channels and a dual-ECU EPS torque-overlay architecture.

2. ASIL Assignment and Decomposition Notation

ISO 26262-3:2018 Clause 6 defines ASIL through a hazard analysis and risk assessment (HARA) that evaluates severity (S0–S3), exposure (E0–E4), and controllability (C0–C3) [1]. The resulting ASIL (A, B, C, or D) represents the risk reduction required of a safety mechanism. Under decomposition, an ASIL X requirement is partitioned into ASIL X(d) on one channel and ASIL Y(d) on a second channel, where the notation '(d)' indicates a decomposed element. Permissible decompositions are tabulated in ISO 26262-9:2018 Table 5.

Table I. ISO 26262-9:2018 Table 5 — Permissible ASIL decomposition pairs. Both channels must be architecturally independent.
Original ASILChannel AChannel BIndependence Required
ASIL DASIL D(d)ASIL A(d)Yes — Clause 5.4 Level 2+
ASIL DASIL C(d)ASIL B(d)Yes — Clause 5.4 Level 2+
ASIL CASIL C(d)ASIL A(d)Yes — Clause 5.4 Level 1+
ASIL CASIL B(d)ASIL B(d)Yes — Clause 5.4 Level 1+
ASIL BASIL B(d)ASIL A(d)Yes — Clause 5.4 Level 1
ASIL AQM(d)ASIL A(d)Yes — Clause 5.4 Level 1

A critical constraint is that decomposition is valid only when channels share no common-cause failure modes. Shared power supplies, shared ground planes, shared oscillator references, or shared firmware repositories all constitute common-cause candidates requiring DFA mitigation.

3. Independence Demonstration

ISO 26262-9:2018 Clause 5.4 defines three levels of independence evidence, graduated by the original ASIL. Level 1 (sufficient for decompositions targeting ASIL A/B channels) requires separation of power supply and separation of signal paths. Level 2 (required when either channel targets ASIL C or D) additionally requires geographic separation or shielding to prevent coupled electromagnetic interference. Level 3 applies to safety mechanisms within a single IC and requires silicon-level partitioning evidence. Becker et al. [6] provide empirical guidance on common-cause failure categories from field data across 47 OEM programmes.

3.1 Brake-by-Wire Independence Architecture

In the BBW architecture analysed here, Channel A (ASIL D(d)) comprises a primary brake ECU, redundant wheel-speed sensors on a dedicated CAN FD bus, and a separate 12 V rail derived from the main battery through an isolated DC-DC converter. Channel B (ASIL A(d)) is a monitoring path using a secondary microcontroller that cross-checks deceleration via inertial measurement unit (IMU) data and can assert a hardware interrupt to engage a park-brake solenoid. The two ECUs share no software repository, no oscillator clock, and no PCB substrate.

3.2 EPS Dual-ECU Independence Architecture

For the EPS torque-overlay system, the ASIL D torque-control path (Channel A, ASIL C(d)) runs on a Cortex-R52 lockstep core with hardware ECC on all SRAM. Channel B (ASIL B(d)) is a watchdog ECU from a separate silicon vendor, monitoring column torque sensor plausibility through a dedicated LIN bus segment. Independence is demonstrated by: (a) separate PCBs in separate housings, (b) separate harness connectors, (c) separate 5 V regulators, and (d) formal software development organisations with separate version control systems — satisfying ISO 26262-9 Clause 5.4 Level 2.

4. Hardware Safety Metrics Verification

ISO 26262-5:2018 Clause 8 mandates quantitative hardware metric targets as a function of ASIL. Three metrics are required: the Single-Point Fault Metric (SPFM), the Latent Fault Metric (LFM), and the Probabilistic Metric for Random Hardware Failures (PMHF). Targets are shown in Table II. Each channel in a decomposed architecture must independently meet the targets for its allocated ASIL [1].

Table II. ISO 26262-5:2018 Table 4 — Hardware safety metric targets by ASIL. SPFM and LFM are coverage fractions; PMHF is an annualised probability.
ASILSPFM TargetLFM TargetPMHF Target (per hour)
ASIL A≥ 90 %≥ 60 %< 10⁻⁶
ASIL B≥ 97 %≥ 80 %< 10⁻⁷
ASIL C≥ 99 %≥ 90 %< 10⁻⁷
ASIL D≥ 99 %≥ 90 %< 10⁻⁸

SPFM measures the fraction of hardware elements covered by a safety mechanism that prevents single-point faults from causing a safety goal violation. LFM measures coverage of latent faults — faults that are individually non-hazardous but could contribute to a multiple-point fault. PMHF integrates component failure rates (from IEC TR 62380, SN 29500, or field data) weighted by diagnostic coverage across the architecture.

4.1 BBW Channel A Metric Calculation

For the BBW Channel A (ASIL D(d)), fault tree analysis at the functional element level identified 23 hardware elements contributing to the brake pressure demand path. Diagnostic coverage was assigned per element using a peer-reviewed FMEDA. Safety mechanisms include: end-to-end CRC on CAN FD frames (DC = 99 %), voltage-monitoring supervisor ICs (DC = 97 %), periodic redundant pressure sensor cross-check (DC = 90 %), and lockstep CPU core comparison (DC = 99 %). The resulting SPFM was calculated at 99.3 % and LFM at 91.7 %, both meeting ASIL D targets.

5. Dependent Failure Analysis

DFA, required by ISO 26262-9:2018 Clause 7, analyses whether a single root cause can simultaneously defeat both channels, thereby nullifying the decomposition credit. Root-cause categories include: common hardware (shared PCB, shared connector, shared supply), common software (shared libraries, shared calibration), common manufacturing defects, and external environmental events (thermal shock, vibration, EMI) [6]. DFA is not a probabilistic analysis — it is a systematic identification and mitigation exercise.

Table III. Excerpt from DFA worksheet for BBW dual-channel architecture. Residual risk column reflects post-mitigation assessment.
Initiating CauseAffected ChannelsMitigationResidual Risk
Shared 12 V battery supply sagA and BIsolated DC-DC converter per channel with independent under-voltage lockoutAcceptable — independent lockout prevents simultaneous loss
Shared CAN FD transceiver ICA only (B uses LIN)N/A — Channel B uses independent busNot applicable
EMI event on wheel-speed harnessA and BShielded twisted-pair, separated harness routing ≥ 200 mmAcceptable — separation exceeds ISO 11452 limit
Software calibration error (common dataset)A and BSeparate calibration teams, separate sign-off, MISRA C compliance per channelAcceptable — organisational independence confirmed
PCB manufacturing defect (shared supplier)A and B (separate PCBs, same fab)Incoming inspection per IPC-A-610 Class 3, separate lot acceptance testingAcceptable — lot-level separation provides independence evidence

6. Conclusion

ASIL decomposition is an indispensable design pattern for cost-effective realisation of ASIL C and D safety goals in automotive E/E systems. The methodology presented — safety goal partitioning, independence demonstration per ISO 26262-9 Clause 5.4, hardware metric verification per ISO 26262-5 Clause 8, and systematic DFA — provides a complete and auditable compliance pathway. Applied to brake-by-wire and EPS reference architectures, all quantitative targets (SPFM ≥ 99 %, LFM ≥ 90 %, PMHF < 10⁻⁸/hr) were satisfied while reducing per-channel complexity by approximately 40 % compared to a single monolithic ASIL D channel.

Future work will extend the DFA catalogue to cover zonal E/E architectures (as defined in ISO 26262:2022 Amendment 1) and will integrate automated FMEDA generation from AUTOSAR system description artefacts, reducing metric calculation effort from an average of 120 engineering hours to under 20 hours per architecture.

References

  1. [1] ISO 26262:2018 – Road vehicles – Functional Safety, Parts 1–12. International Organization for Standardization, Geneva, 2018.
  2. [2] IEC 61508:2010 – Functional Safety of E/E/PE Safety-Related Systems, Parts 1–7. International Electrotechnical Commission, Geneva, 2010.
  3. [3] SAE J2980:2018 – Considerations for ISO 26262 ASIL Hazard Classification. SAE International, Warrendale PA, 2018.
  4. [4] Papadopoulos, Y., McDermid, J., Sasse, R., Heiner, G. 'Analysis and Synthesis of the Behaviour of Complex Programmable Electronic Systems in Conditions of Failure.' Reliability Engineering & System Safety, 71(3):229–247, 2001.
  5. [5] AUTOSAR. 'Explanation of Safety Overview.' AUTOSAR AP Release 23-11, Document ID 721, 2023.
  6. [6] Becker, S., Gesele, M., Schneider, D. 'Dependent Failure Analysis in the Context of ISO 26262.' Proc. 10th European Congress on Embedded Real Time Systems (ERTS), Toulouse, 2020.
  7. [7] Staron, M. Automotive Software Architectures – An Introduction, 2nd ed. Springer, Cham, 2021.
  8. [8] ISO 26262:2018 Part 9, Section 5 – ASIL Decomposition. International Organization for Standardization, Geneva, 2018.
  9. [9] Reif, K. (ed.) Fundamentals of Automotive and Engine Technology. Springer Vieweg, Wiesbaden, 2014.
  10. [10] MISRA. Guidelines for the Use of the C Language in Critical Systems, MISRA C:2012, 3rd ed. MIRA Ltd, Nuneaton, 2019.
Tomco USATW-2025-001