In a significant advancement for the automotive semiconductor industry, researchers at Robert Bosch GmbH have introduced a rigorous mathematical framework to address one of the most persistent challenges in functional safety: the inherent uncertainty in safety metric calculations. The newly published technical paper, authored by Antonino Armato, Christian Kehl, and Sebastian Fischer, presents a methodology for applying error propagation theory to Failure Modes, Effects, and Diagnostic Analysis (FMEDA). By moving beyond static, subjective estimations and toward a quantified, confidence-interval-based approach, the research aims to fundamentally change how Application-Specific Integrated Circuits (ASICs) are verified for compliance with the ISO 26262 international standard.
The Evolution of Functional Safety Verification
The automotive industry has undergone a radical transformation over the last decade, transitioning from mechanical-centric designs to software-defined vehicles. At the heart of this transition are ASICs—highly complex chips that manage everything from engine control units (ECUs) to advanced driver-assistance systems (ADAS) and autonomous driving stacks. As these systems take on more critical roles in vehicle operation, the reliability of the underlying hardware becomes a matter of life and death.
Functional safety, governed by the ISO 26262 standard, requires that hardware components meet specific safety targets. These targets are measured through metrics such as the Single Point Fault Metric (SPFM) and the Latent Fault Metric (LFM). Historically, calculating these metrics has been a labor-intensive process involving the FMEDA. Engineers must estimate the failure rate of various components, determine how those failures manifest (Failure Mode Distribution, or FMD), and assess the effectiveness of safety mechanisms in detecting those failures (Diagnostic Coverage, or DC).
However, the industry has long grappled with a "credibility gap" in these calculations. Because FMD and DC values are often based on historical data, expert judgment, or generic industry databases, they carry a level of uncertainty that is rarely quantified. The Bosch paper addresses this gap by treating these inputs not as absolute truths, but as variables with associated error margins.
Technical Breakdown: Error Propagation in FMEDA
The core innovation presented by Armato, Kehl, and Fischer is the application of error propagation theory to the standard FMEDA equations. Error propagation is a mathematical principle used to determine the uncertainty of a function based on the uncertainties of its individual variables. By applying this to SPFM and LFM calculations, the researchers have created a way to calculate the "maximum deviation" of a safety metric.
The paper introduces the concept of confidence intervals for safety metrics. Instead of stating that an ASIC has an SPFM of 99.2%, the Bosch methodology allows engineers to state that the SPFM is 99.2% with a 95% confidence interval of ±0.5%. This level of transparency is crucial for Tier 1 suppliers and Original Equipment Manufacturers (OEMs) who must prove to regulatory bodies that their systems are robust even under "worst-case" estimation scenarios.
Furthermore, the research introduces a novel tool called the Error Importance Identifier (EII). The EII acts as a diagnostic tool for the safety analysis itself. It identifies which specific input—whether it be the failure rate of a specific logic gate or the diagnostic coverage of a memory parity check—is contributing most to the overall uncertainty of the safety metric. This allows engineering teams to prioritize their verification efforts, focusing on refining the data points that have the highest impact on the chip’s safety profile.
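The arithmetic behind the confidence interval and the EII can be made concrete. The Python script below is an added illustration for this article and is not code from the Bosch paper, whose equations are not reproduced here. It assumes the simplified ISO 26262-5 form of SPFM in which every listed failure mode is covered by a safety mechanism (SPFM = 1 - sum of residual failure rates / total failure rate, with the residual rate of a mode being its element failure rate times its FMD share times (1 - DC)), propagates the FMD and DC uncertainties through a first-order Taylor expansion, reports both a worst-case deviation (all inputs erring unfavourably at once) and a root-sum-square deviation with a z = 1.96 interval, and ranks inputs by their share of the resulting variance as a stand-in for the EII. The failure-mode data, the names FailureMode, MODES, spfm_point, confidence_interval and error_importance, and the variance-share ranking are the example's own assumptions, not the paper's definitions.

```python
"""Added example: first-order error propagation over the ISO 26262
Single Point Fault Metric (SPFM) with an error-importance ranking.

Assumptions (not taken from the Bosch paper):
  * Simplified SPFM from ISO 26262-5: SPFM = 1 - sum(lambda_RF) / lambda_total,
    with lambda_RF_i = lambda_i * FMD_i * (1 - DC_i); every listed failure
    mode is covered by a safety mechanism (no unaddressed single-point faults).
  * Uncertainty is propagated with a first-order Taylor expansion; input errors
    are treated as one-sigma values and the 95% interval uses z = 1.96.
  * "Error importance" is each input's share of the total SPFM variance, an
    illustrative reading of an EII rather than the paper's definition.
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class FailureMode:
    name: str
    fit: float      # element failure rate in FIT (failures per 1e9 h)
    fmd: float      # share of the element's failures that take this mode [0, 1]
    dc: float       # diagnostic coverage of the safety mechanism [0, 1]
    fmd_err: float  # one-sigma uncertainty on fmd (absolute)
    dc_err: float   # one-sigma uncertainty on dc (absolute)


# Constructed sample data for a hypothetical ASIC block: 1000 FIT in total,
# of which three safety-related failure modes carry the residual risk.
TOTAL_FIT = 1000.0
MODES = [
    FailureMode("cpu_core_logic", 400.0, 0.60, 0.980, 0.05, 0.010),
    FailureMode("sram_parity",    300.0, 0.80, 0.995, 0.05, 0.002),
    FailureMode("adc_front_end",  100.0, 0.50, 0.960, 0.10, 0.020),
]


def residual_fit(m: FailureMode) -> float:
    """lambda_RF: failures of this mode that the safety mechanism misses."""
    return m.fit * m.fmd * (1.0 - m.dc)


def spfm_point(modes, total_fit=TOTAL_FIT) -> float:
    """Point estimate of SPFM from the nominal FMD and DC values."""
    return 1.0 - sum(residual_fit(m) for m in modes) / total_fit


def error_terms(modes, total_fit=TOTAL_FIT):
    """Per-input term |dSPFM/dx| * delta_x of the first-order expansion.

    dSPFM/dFMD_i = -lambda_i * (1 - DC_i) / lambda_total
    dSPFM/dDC_i  = +lambda_i * FMD_i / lambda_total
    Returns a list of (label, absolute contribution).
    """
    terms = []
    for m in modes:
        d_fmd = m.fit * (1.0 - m.dc) / total_fit
        d_dc = m.fit * m.fmd / total_fit
        terms.append((f"{m.name}.fmd", abs(d_fmd) * m.fmd_err))
        terms.append((f"{m.name}.dc", abs(d_dc) * m.dc_err))
    return terms


def worst_case_deviation(modes, total_fit=TOTAL_FIT) -> float:
    """Maximum deviation: every input errs in the unfavourable direction at once."""
    return sum(c for _, c in error_terms(modes, total_fit))


def rss_deviation(modes, total_fit=TOTAL_FIT) -> float:
    """One-sigma deviation for independent input errors (root sum square)."""
    return math.sqrt(sum(c * c for _, c in error_terms(modes, total_fit)))


def confidence_interval(modes, total_fit=TOTAL_FIT, z=1.96):
    """(low, high) SPFM bounds at the given z (1.96 -> ~95%), capped at 1.0."""
    centre = spfm_point(modes, total_fit)
    half = z * rss_deviation(modes, total_fit)
    return centre - half, min(1.0, centre + half)


def error_importance(modes, total_fit=TOTAL_FIT):
    """Rank inputs by their share of the SPFM variance (illustrative EII)."""
    terms = error_terms(modes, total_fit)
    total_var = sum(c * c for _, c in terms)
    return sorted(((label, c * c / total_var) for label, c in terms),
                  key=lambda t: t[1], reverse=True)


def asil_d_verdict(modes, total_fit=TOTAL_FIT, target=0.99):
    """Does SPFM clear the ASIL D target (>= 99%) on paper, and under worst case?"""
    point = spfm_point(modes, total_fit)
    worst = point - worst_case_deviation(modes, total_fit)
    return {"point_passes": point >= target, "worst_case_passes": worst >= target}


if __name__ == "__main__":
    print(f"SPFM point estimate : {spfm_point(MODES):.4%}")
    lo, hi = confidence_interval(MODES)
    print(f"95% interval        : [{lo:.4%}, {hi:.4%}]")
    print(f"worst-case lower    : {spfm_point(MODES) - worst_case_deviation(MODES):.4%}")
    print("error importance (share of SPFM variance):")
    for label, share in error_importance(MODES):
        print(f"  {label:<20} {share:6.1%}")
    print(asil_d_verdict(MODES))
```

With the constructed data the point estimate is 99.20%, which clears the ASIL D target, but the worst-case lower bound (about 98.72%) and the 95% interval (about 98.67% to 99.73%) both cross below 99%, which is exactly the "passes on paper, hidden risk underneath" situation the article describes. The ranking puts the CPU core's diagnostic coverage first with roughly 79% of the variance, so that single input is where a verification team would spend its effort to tighten the result.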
A Chronology of Functional Safety Standards
To understand the impact of the Bosch paper, one must look at the timeline of automotive safety standards and the increasing pressure on semiconductor verification:
- 2011: The Inception of ISO 26262. The first edition of the standard was released, establishing the Automotive Safety Integrity Level (ASIL) risk classification system. This created the initial demand for FMEDA in the automotive sector.
- 2018: ISO 26262 Second Edition. The standard was expanded to include specific guidelines for semiconductors (Part 11). This increased the complexity of ASIC verification, requiring more granular analysis of hardware faults.
- 2020–2024: The Rise of Autonomous Driving. As Level 2+ and Level 3 autonomous systems entered the market, the sheer volume of transistors in automotive chips exploded. Traditional manual FMEDA processes began to struggle with the scale of modern SoC (System on Chip) designs.
- 2025: Industry-Wide Push for Automation. EDA (Electronic Design Automation) tool providers began integrating more automated FMEDA features, but the underlying problem of "garbage in, garbage out" regarding input data remained.
- March 2026: The Bosch Breakthrough. The publication of "Quantifying Uncertainty in FMEDA Safety Metrics" provides the theoretical foundation needed to move from deterministic safety metrics to probabilistic, uncertainty-aware safety verification.
Supporting Data: The Cost of Uncertainty
The necessity for this research is highlighted by the increasing complexity of modern automotive electronics. A typical high-end vehicle in 2026 may contain over 3,000 semiconductor components. For an ASIL D system—the highest safety rating—the SPFM must be greater than or equal to 99%.
In a traditional FMEDA, if an engineer estimates the diagnostic coverage of a safety mechanism at 90% when it is actually 88% due to unforeseen architectural bottlenecks, the resulting SPFM might appear to meet the 99% threshold while actually falling short. This 2% discrepancy, while seemingly small, represents a doubling of the residual risk (from 1% to 2% of faults remaining undetected).

By implementing the Bosch error propagation approach, the researchers demonstrated that uncertainty in diagnostic coverage can lead to a variance in SPFM that exceeds the safety margins typically used in the industry. Their data suggests that without quantifying uncertainty, a chip that passes a safety audit on paper could still possess a significant "hidden" risk profile.
Official Responses and Industry Implications
While the paper originated within Robert Bosch GmbH, its implications have resonated across the broader semiconductor ecosystem. Although competitors rarely issue official corporate statements on academic papers, industry analysts and functional safety experts have noted the potential for this methodology to become a new best practice.
"The industry has relied on ‘expert judgment’ for too long," noted a senior safety consultant familiar with the research. "Bosch’s approach brings the rigor of classical physics and metrology into the world of digital safety. It forces engineers to be honest about what they don’t know."
Leading EDA tool providers, such as Synopsys, Cadence, and Siemens EDA, are expected to evaluate these findings for potential integration into their safety verification suites. If the EII and error propagation calculations can be automated, it would significantly reduce the time required for ASIL D certification, which currently can take months of manual labor and peer review.
Analysis of Broader Impacts
The shift toward quantified uncertainty in safety metrics has several far-reaching implications for the automotive and semiconductor sectors:
1. Enhanced Regulatory Compliance
As governments worldwide scrutinize autonomous driving technologies more closely, the "trust me" era of safety engineering is ending. Regulators are likely to demand more transparent verification artifacts. The ability to provide confidence intervals for safety metrics gives manufacturers a mathematically defensible position during safety audits and potential litigation.
2. Reduction in Over-Engineering
Conversely, quantifying uncertainty can also prevent over-engineering. Currently, many engineers use extremely conservative estimates to ensure they meet ISO 26262 targets, which can lead to unnecessary hardware redundancy, increased chip size, and higher costs. By knowing the exact range of uncertainty, designers can optimize their safety mechanisms more effectively, potentially reducing the cost of ASIL-compliant hardware.
3. Accelerated Time-to-Market
The Error Importance Identifier (EII) is perhaps the most practical contribution of the paper. By telling engineers exactly where to focus their data-gathering efforts, it eliminates the "scattergun" approach to verification. Instead of refining every failure mode, teams can focus on the 5% of failure modes that contribute to 90% of the uncertainty, dramatically streamlining the path to production.
4. Integration with Machine Learning
As machine learning (ML) begins to play a role in predicting failure rates and diagnostic coverage, the Bosch framework provides a necessary guardrail. Since ML models are themselves probabilistic, the error propagation approach offers a natural way to integrate AI-driven predictions into a formal safety framework without compromising the integrity of the ISO 26262 process.
Conclusion
The publication of "Quantifying Uncertainty in FMEDA Safety Metrics: An Error Propagation Approach for Enhanced ASIC Verification" marks a pivotal moment in the history of automotive functional safety. By acknowledging that uncertainty is an inherent part of the design process and providing the tools to measure it, Robert Bosch GmbH has provided a roadmap for more reliable, transparent, and efficient ASIC verification. As the industry moves toward 2030 and the widespread adoption of fully autonomous vehicles, the methodologies laid out by Armato, Kehl, and Fischer will likely serve as a cornerstone for the next generation of safe electronic systems. The transition from "estimated safety" to "quantified safety" is no longer a theoretical goal; it is now a mathematical reality.
