Book a demo

Cut patent&paper research from weeks to hours with PatSnap Eureka AI!

Try now

ASIL-D Chiplet SoC for ADAS — PatSnap Eureka

ASIL-D Chiplet SoC for ADAS — PatSnap Eureka
ASIL-D · ISO 26262 · Chiplet SoC

How to Design an ASIL-D Compliant Chiplet SoC for ADAS

Safety island architecture, dual-die redundancy, dynamically reconfigurable BIST, and PMIC cross-monitoring — the complete patent-backed blueprint for meeting ISO 26262's most demanding functional safety tier in automotive SoC design.

Explore ASIL-D Patent Intelligence Read the Architecture Guide
ASIL-D Fault Coverage Thresholds: Single-Point ≥99%, Latent ≥90%, Hardware Failure Rate <10⁻⁸/hour ISO 26262 ASIL-D mandates three quantitative thresholds that drive every architectural decision in a chiplet SoC for ADAS: single-point fault coverage ≥99%, latent fault coverage ≥90%, and hardware random failure rate <10⁻⁸/hour. Source: Beijing Huixi Intelligent Technology patent, 2024, via PatSnap Eureka. ISO 26262 ASIL-D Quantitative Thresholds 100% 80% 60% 40% 20% ≥99% Single-Point Fault Coverage ≥90% Latent Fault Coverage <10⁻⁸/hr HW Failure Rate Target Source: Beijing Huixi Intelligent Technology, 2024 · PatSnap Eureka
By PatSnap Intelligence Team · · 14 min read
Verified by PatSnap Eureka Data
≥99%
Single-point fault coverage required by ASIL-D
≥90%
Latent fault coverage mandated by ISO 26262
<10⁻⁸
Hardware random failure rate target (per hour)
60+
Relevant ASIL-D chiplet SoC patents in dataset
Core Architecture

Safety Island (SAIL) Architecture for ASIL-D SoC Design

The safety island (SAIL) architecture is the central organizing principle for ASIL-D chiplet SoC design in ADAS. As described in Qualcomm's 2025 patent, the processor-based system partitions the SoC into a main domain (MD) and a safety island domain (SD). The main domain handles the full ADAS compute pipeline — perception, sensor fusion, path planning — while the safety island contains a leaner hardware configuration that checkpoints vehicle information processed by both domains and monitors errors originating in either domain.

Upon detection of a safety-critical fault in the main domain, ASIL-D requires the SoC to transition the vehicle to a minimum risk condition — for example, a controlled safe stop. The safety island must operate independently enough to enforce this transition even if the main domain has fully crashed. This separation also enables ASIL decomposition: the main domain may carry ASIL-B or ASIL-C rated processing while the safety island achieves the residual ASIL-D requirement.

Fault propagation from the main SoC region to the isolated safety island must be managed carefully. NVIDIA's 2023 patent discloses a mechanism where the first SoC section starts a timer upon sending an error signal to the second section. If the fault data is not cleared within a prescribed interval, a timeout error is transmitted — preventing fault queue saturation from silently blocking safety responses. This is a subtle but critical compliance requirement for ASIL-D diagnostics. Learn more about IP analytics for automotive semiconductor R&D on the PatSnap platform.

Domain isolation must also be enforced at the hardware level — through memory protection units, bus firewalls, and separate clock trees — to prevent a fault in the main ADAS compute domain from corrupting the safety island's ability to respond. ISO 26262 mandates this independence as a prerequisite for ASIL decomposition claims.

MD + SD
Main Domain + Safety Island Domain — mandatory partition for ASIL-D
3 paths
Redundant error notification: CAN bus, Ethernet bus, and PMIC path
FTTI
Fault-tolerant time interval — state transfer must complete within ISO 26262 FTTI
HARA
Hazard Analysis and Risk Assessment drives ASIL level assignment per function
  • Independent fault management module in every SoC subsystem
  • Fault collection modules in CPU, arithmetic cores, clock/reset, memory, and interface controllers
  • Direct connection from fault collection modules to fault management module
  • Timer-based fault propagation timeout prevents silent queue saturation
  • Separate circuit regions for ASIL-D and ASIL-B domains
Chiplet Architecture

Die-to-Die Redundancy and Multi-SoC Fault Management

Chiplet-based multi-die architectures provide fail-operational behavior — not merely fail-safe — through physical redundancy across independent clock and power domains.

Qualcomm · 2025

Dual-Die ASIL Domain Circuit with D2D Interface

Each chiplet die hosts an independent instance of the ASIL domain circuit, independently processing automotive sensor signals from cameras, radar, lidar, and HD map inputs. A fault monitoring system continuously monitors the first chiplet die; when a fault is detected, a selector circuit automatically outputs the second chiplet die's signal to the vehicle motion control system. The first and second dies operate in independent clock and power domains — a requirement that cannot be met in a single-domain monolithic design.

Fail-operational, not merely fail-safe
Mercedes-Benz Group AG · 2024

Primary/Secondary SoC with UCIe Interconnect

A primary SoC posts task state information to a shared memory accessible by a secondary SoC. The secondary SoC keeps a subset of its computational components in a low-power state during normal operation. When the secondary SoC detects a trigger condition indicating a primary failure, it instantly powers up the dormant compute subset and takes over the task set. This patent explicitly references Universal Chiplet Interconnect Express (UCIe) as the interconnect standard, and the state-transfer mechanism must operate within the fault-tolerant time interval (FTTI) imposed by ISO 26262.

UCIe-referenced chiplet interconnect
Mercedes-Benz Group AG · 2026

Per-Runnable Safety Rating and Graceful Degradation

A central chiplet contains a sensor data input chiplet, a set of workload processing chiplets, and a shared memory with a scheduling program. Each runnable in the software structure — and each connection between runnables — carries an associated safety rating. Limited execution can be enforced at a granular per-runnable level based on the runtime ASIL context, enabling the system to degrade gracefully from full ADAS functionality to a safety-limited minimal risk mode without a full system reset.

Granular per-runnable ASIL enforcement
Qualcomm · 2026

Domain Isolation via Dedicated Communication Interface

Upon detecting an error in a first domain, the second domain is isolated and continues operating. The second domain then transmits notifications to an external controller via a dedicated first communication interface, bypassing the compromised first domain entirely. If domain isolation is not enforced at the hardware level through memory protection units, bus firewalls, and separate clock trees, a fault in the main ADAS compute domain can corrupt the safety island's ability to respond. See how PatSnap supports safety-critical IP strategies across regulated industries.

Hardware-enforced domain bypass
Patent Intelligence

Map the full ASIL-D chiplet SoC patent landscape

60+ relevant results across Qualcomm, NVIDIA, Mercedes-Benz, and Chinese semiconductor companies

Search ASIL-D Patents on Eureka
Data Insights

ASIL-D Chiplet SoC: Key Metrics and Patent Landscape

Quantitative thresholds, architectural distribution, and assignee activity derived from 60+ patent filings analyzed via PatSnap Eureka.

ASIL-D Fault Coverage Requirements vs. Lower ASIL Tiers

Single-point and latent fault coverage thresholds escalate sharply at ASIL-D, driving the safety island architecture requirement.

ASIL Fault Coverage Requirements: ASIL-A Single-Point 60%, ASIL-B 90%, ASIL-C 97%, ASIL-D ≥99%; Latent: ASIL-A 60%, ASIL-B 60%, ASIL-C 80%, ASIL-D ≥90% Comparison of single-point and latent fault coverage thresholds across ASIL tiers A through D, showing the step-change at ASIL-D that mandates dedicated safety island architecture. Source: ISO 26262 and Beijing Huixi Intelligent Technology patent 2024, via PatSnap Eureka. 100% 80% 60% 40% 20% 60% 90% 97% ≥99% 60% 60% 80% ≥90% ASIL-A ASIL-B ASIL-C ASIL-D Single-Point Coverage Latent Fault Coverage

ASIL-D Chiplet SoC Patent Activity by Assignee

Qualcomm leads with the broadest multi-jurisdictional portfolio; NVIDIA, Mercedes-Benz, and Chinese SoC firms round out the landscape.

ASIL-D Chiplet SoC Patent Assignees: Qualcomm (most prolific, US/JP/KR/CN), NVIDIA (safety island fault propagation), Mercedes-Benz (UCIe multi-SoC), Beijing Huixi (domestic ASIL-D), Tier-1 Suppliers (VALEO, VEONEER, TTTech, Infineon) Distribution of ASIL-D compliant chiplet SoC patent activity across key assignees in the ADAS domain, based on PatSnap Eureka analysis of 60+ relevant filings. Qualcomm is the most prolific single assignee with active patents in US, JP, KR, and CN jurisdictions. Qualcomm US·JP·KR·CN NVIDIA US·CN·JP Mercedes-Benz US·KR·CN Beijing Huixi CN Tier-1 Suppliers VALEO·VEONEER·TTTech·Infineon Source: PatSnap Eureka · 60+ ASIL-D chiplet SoC patents analyzed

Dynamically Reconfigurable BIST: Test Phase Distribution

ASIL-D diagnostic coverage requires BIST across all three phases — PON, POFF, and runtime — with maximum parallelism to avoid ADAS latency violations.

BIST Test Phases for ASIL-D: Power-On (PON), Power-Off (POFF), Runtime — all three required for ≥90% latent fault coverage Dynamically reconfigurable BIST must cover power-on, power-off, and runtime phases simultaneously. Maximum parallelism across phases is critical to avoid violating ADAS latency budgets while still achieving ASIL-D latent fault coverage targets. Source: Qualcomm BIST patent portfolio 2023–2024, via PatSnap Eureka. PON Power-On Self-Test Boot phase RUNTIME In-Field Self-Test Max parallelism required Latency-aware POFF Power-Off Self-Test Shutdown phase All three phases required for ASIL-D ≥90% latent fault coverage Source: Qualcomm BIST patents JP/KR/CN 2023–2024 · PatSnap Eureka

PMIC Cross-Monitoring Architecture: Eliminating Power Chain SPFs

Mutual cross-monitoring between MD PMIC and SD PMIC eliminates single points of failure in the power monitoring chain without external circuits.

PMIC Cross-Monitoring: MD PMIC monitors SD PMIC rail, SD PMIC monitors MD PMIC rail — no external monitoring circuits required, eliminating single points of failure In Qualcomm's 2025 PMIC power monitoring patent, the main domain PMIC and safety domain PMIC mutually monitor each other's power rails without any external monitoring circuits. This eliminates single points of failure in the power monitoring chain itself, a critical ASIL-D requirement. Source: Qualcomm 无外部监测电路的PMIC电源监测, 2025, via PatSnap Eureka. Main Domain (MD) MD PMIC Monitors SD rail → ADAS/IVI compute Safety Domain (SD) SD PMIC ← Monitors MD rail Safety Island (SAIL) MD monitors SD rail SD monitors MD rail No External Circuits Source: Qualcomm PMIC patent CN 2025 · PatSnap Eureka Eliminates single points of failure in power monitoring chain

Explore the full ASIL-D patent dataset with AI-powered claim analysis on PatSnap Eureka

Analyze ASIL-D Patent Claims Now
Safety Verification

BIST Strategy, Power Monitoring, and Runtime Safety Verification

Achieving ASIL-D diagnostic coverage demands fault detection across power-on, power-off, and runtime phases — with independent power rails and triple-path error notification.

Safety Mechanism Coverage Phase ASIL Target Key Patent Key Requirement
Dynamically Reconfigurable BIST PON + POFF + Runtime ASIL-D Qualcomm JP/KR 2023–2024 Maximum parallelism; per-subsystem coverage level; must not violate ADAS latency budgets
PMIC Cross-Monitoring (MD ↔ SD) Runtime (continuous) ASIL-D Qualcomm CN 2025 No external monitoring circuits; mutual rail monitoring eliminates power chain SPF
Triple-Path Error Notification Runtime (fault event) ASIL-D Qualcomm SoC Safety Monitoring 2025 CAN bus + Ethernet bus + PMIC path — three independent channels to downstream ECU
Fault Propagation Timeout Timer Runtime (fault event) ASIL-D NVIDIA CN 2023 Timer started on error signal; timeout triggers external system notification if not cleared
Mixed Safety System Opportunistic BIST State-transition ASIL-D Qualcomm CN 2025 Tests executed when ECU transitions to non-primary state; accumulates latent fault coverage over time
Hypervisor ASIL Partition Protection Runtime (continuous) ASIL-D VALEO 2024 Hardware-enforced memory access restriction isolates Linux/QM OS from ASIL application partition
🔒
Unlock the Full Safety Mechanism Comparison
See lockstep MCU supervision, safety state trigger circuits, ASIL decomposition strategies, and per-assignee IP coverage mapped to each mechanism.
Lockstep MCU supervision ASIL decomposition table Safety state trigger + more
Explore Full Analysis on Eureka →

Need to benchmark your ASIL-D safety architecture against active patents?

PatSnap Eureka's AI maps claim scope across 60+ ASIL-D chiplet SoC filings in seconds.

Run Patent Claim Analysis
Software & System Level

ASIL Decomposition, Lockstep Monitoring, and Software Partitioning

ASIL-D compliance extends beyond hardware to software execution environments, lockstep CPU architecture, and system-level ASIL level determination via HARA methodology.

🔀

ASIL-B SoC + ASIL-D MCU Decomposition

An ASIL-B SoC handles perception, and an ASIL-D MCU applies safety mechanisms to the SoC's obstacle recognition output, together satisfying overall ASIL-D requirements for emergency steering functions — without adding a new ECU, reducing BOM cost. This approach is validated in production-oriented patents from Chongqing Changan Automobile (2025) and Magneti Marelli (2015). The supervisory MCU adjacent to the ADAS SoC in a chiplet system must also be independently ASIL-D qualified, as confirmed by Infineon's safety state trigger patent (2025).

🔒

Hypervisor-Based ASIL Partition Protection

VALEO's 2024 ECU architecture employs a hypervisor to partition memory resources into an OS partition (running Linux and QM applications) and a separate ASIL partition. The ASIL partition is protected from access by the OS partition, and an inter-partition communication manager handles cross-partition messaging. This enables integration of non-safety-critical compute on the same hardware platform as ASIL-D ADAS functions without compromising the ASIL partition's integrity — a key goal of merged ADAS/IVI SoC designs. See PatSnap's approach to safety-critical IP analysis across regulated domains.

🔒
Unlock Lockstep & HARA Deep-Dives
Access lockstep CPU architecture details, HARA methodology mapping, and TTTech's safety monitor for under-development ADAS software.
Lockstep architecture HARA S/E/C mapping TTTech safety monitor
Access Full Analysis on Eureka →
Innovation Landscape

Key Players in ASIL-D Chiplet SoC for ADAS

Four primary clusters of innovation dominate the 60+ patent dataset, spanning chip companies and Tier-1 automotive suppliers.

Most Prolific Assignee · US, JP, KR, CN

Qualcomm

The most prolific single assignee in this domain, with active patents covering safety island architecture, PMIC cross-monitoring, dynamically reconfigurable BIST, SoC error propagation via dual bus and PMIC paths, domain isolation, and hybrid safety system testing. Patents span US, JP, KR, and CN jurisdictions. Qualcomm's portfolio collectively defines a comprehensive ASIL-D SoC IP position. Explore PatSnap Analytics to map Qualcomm's full automotive safety IP landscape.

Safety island · BIST · PMIC · Domain isolation
Safety Island Fault Propagation · US, CN, JP

NVIDIA Corporation

Contributes critical architectural patents on fault propagation to isolated safety regions and end-to-end ASIL-D autonomous driving platform design. NVIDIA's fault-propagation protocol — including the timeout timer mechanism for fault queue saturation prevention — is a foundational reference for safety island designs. NVIDIA's autonomous vehicle platform patents are tracked by NHTSA as part of AV safety framework analysis.

Fault propagation protocol · Timeout timer
Multi-SoC UCIe Architecture · US, KR, CN

Mercedes-Benz Group AG

Drives innovation in multi-SoC and chiplet-level redundancy, with UCIe-referenced interconnect architectures for vehicle computing. The primary/secondary SoC state-transfer patent and the per-runnable safety rating scheduling patent represent a systems integration approach to ASIL-D compliance. Mercedes-Benz's approach aligns with UNECE WP.29 cybersecurity and software update regulations for automated driving systems.

UCIe interconnect · Per-runnable ASIL · State transfer
Chinese Domestic SoC Ecosystem · CN

Beijing Huixi + Tier-1 Suppliers

Beijing Huixi Intelligent Technology (北京辉羲智能科技) provides the most detailed published specification of ASIL-D quantitative fault coverage targets for a domestic chiplet SoC design. Tier-1 suppliers including VALEO, VEONEER, TTTech Automotive, and Infineon round out the landscape with ECU-level software partitioning, lockstep monitoring, and safety state trigger patents that complement SoC-level architecture patents. Explore how automotive OEMs use PatSnap for competitive IP intelligence.

ASIL-D quantitative spec · ECU-level safety
Competitive Intelligence

Track ASIL-D chiplet SoC filings across all jurisdictions in real time

PatSnap Eureka monitors new patent publications from Qualcomm, NVIDIA, Mercedes-Benz, and Chinese SoC companies automatically.

Set Up Patent Monitoring on Eureka
Frequently asked questions

ASIL-D Chiplet SoC for ADAS — key questions answered

Still have questions about ASIL-D chiplet SoC design? Let PatSnap Eureka answer them with patent-backed intelligence.

Ask PatSnap Eureka Your ASIL-D Question
PatSnap Eureka

Design ASIL-D Compliant Chiplet SoCs Faster with Patent Intelligence

Join 18,000+ innovators already using PatSnap Eureka to accelerate their R&D — from safety island architecture to BIST strategy and PMIC design.

References

  1. 一种满足ISO26262标准最高汽车安全完整性等级的片上系统芯片 — 北京辉羲智能科技有限公司, 2024
  2. 采用安全岛架构以用于失效安全操作的基于处理器的系统 — 高通股份有限公司 (Qualcomm), 2025
  3. 汽车故障检测系统和方法 — 高通股份有限公司 (Qualcomm), 2025
  4. 无外部监测电路的电源管理集成电路(PMIC)电源监测 — 高通股份有限公司 (Qualcomm), 2025
  5. 片上系统的安全监测 — 高通股份有限公司 (Qualcomm), 2025
  6. Dynamically Reconfigurable In-Field Self-Test Capability for Automotive Systems — Qualcomm, 2024 (JP)
  7. Dynamically reconfigurable in-field self-test capability for automotive systems — Qualcomm, 2023 (KR)
  8. Dynamically re-configurable in-field self-test capability for automotive systems — Qualcomm, 2023 (KR)
  9. Domain Isolation in Automotive Automated Driving Systems — Qualcomm, 2026 (KR)
  10. 测试混合安全系统 — 高通股份有限公司 (Qualcomm), 2025
  11. 将故障传送至片上系统的隔离安全区 — 辉达公司 (NVIDIA), 2023
  12. Systems and methods for safe and reliable autonomous vehicles — NVIDIA Corporation, 2023 (US)
  13. Multiple system-on-chip arrangement for vehicle computing systems — Mercedes-Benz Group AG, 2024 (US)
  14. Adaptation of runnable performance level based on safety rating — Mercedes-Benz Group AG, 2026 (KR)
  15. ASIL-B compatible automotive safety function via high-diagnostic QM-compatible IC — Magneti Marelli, 2015
  16. 辅助驾驶方法、装置、控制器和车辆 — 重庆长安汽车股份有限公司 (Chongqing Changan Automobile), 2025
  17. 安全状态触发器 — Infineon Technologies AG, 2025
  18. 自动驾驶车辆的ASIL等级信息确定方法、装置及电子设备 — Apollo Intelligent Technology, 2025
  19. Vehicle Safety Electronic Control System — VEONEER, 2019
  20. 高级驾驶员辅助系统的安全监测器 — TTTech Automotive, 2024
  21. ISO 26262: Road vehicles — Functional safety — International Organization for Standardization
  22. NHTSA: Automated Vehicles for Safety — National Highway Traffic Safety Administration
  23. UNECE WP.29: Automated/Autonomous and Connected Vehicles — United Nations Economic Commission for Europe
  24. Infineon Technologies AG — Automotive Safety ICs and ASIL-D Solutions

All data and statistics on this page are sourced from the references above and from PatSnap's proprietary innovation intelligence platform.

Ask PatSnap Eureka
Ask PatSnap Eureka
AI innovation intelligence · always on
Ask anything about ASIL-D chiplet SoC design for ADAS.
PatSnap Eureka searches patents and research to answer instantly.
Try asking
Powered by PatSnap Eureka

© 2026 PatSnap. All rights reserved. Legal | Privacy Policy | Do Not Sell or Share My Personal Information | Modern Slavery Act Transparency Statement