Mentor Safe IC End-to-end Functional Safety Flow

1Copyright © 2019 Arm TechCon, All rights reserved.Copyright © 2019 Arm TechCon, All rights reserved.

#ArmTechCon

Product Manager Functional SafetyMentor, a Siemen’s CompanyAnn Keffer

Mentor Safe IC – End-to-end Functional Safety Flow

2Copyright © 2019 Arm TechCon, All rights reserved.

Agenda

• Mentor Safe IC Overview

• Lifecycle Management

• Safety Analysis

• Design for Safety

• Safety Verification

• Summary

• Q&A

Random Failures: ISO 26262


Mentor Safe IC Overview


Systematic FaultsDoes my product operate correctly?

Random FaultsDoes my product fail safely?

Malicious FaultsIs my product secure from hacking?

Systematic Faults•Incomplete specs•Design bugs•Manufacturing defects

Random Faults•EMI or electro-migration•Permanent or transient

Malicious Faults•Encryption Vulnerabilities•Denial of Service•Untrusted IC

What is Functional Safety?Driving down risk of malfunctioning due to failures

System FaultsDoes my system operate safely?

E/E Safety - ISO 26262 E/E Safety - ISO 26262 SOTIF – ISO 21448 Cyber Security - ISO 21434

System Faults•Environmental•External•V2X


Developing Safe ICsAutomotive ICs must operate correctly & fail safely

IC Development Workflows

Op

erat

e C

orr

ectl

y

Fail

Safe

ly

SystemSpecification

Architecture & Modeling

Circuit Design and Verification

Functional Verification

Fabrication

Physical Design and Verification

Functional Design

Safety Analysis

Safety Insertion

Safety Verification

Compliance

SafetyPlanning

ISO 26262 Safety Lifecycle

ISO 26262 V-model


Siemens Acquires Austemper Design SystemsLeading provider of ISO 26262 functional safety technology

1. Safety AnalysisUnderstanding the failure modes resulting from random HW faults to guide insertion

of safety mechanisms

2. Design for SafetyMitigating potential failures through the

insertion of safety mechanisms that detect or correct failures

3. Safety VerificationMulti-domain fault injection providing

evidence to achieve compliance


• Safety Synthesis• Tessent BIST

• SafetyScopeTM

• KaleidoScopeTM

• Questa Formal• Veloce Fault App• Tessent DefectSim

• Siemens Polarion• Questa Verification

Management

Mentor Safe ICMost complete functional safety IC solution automating the path to compliance

Calculating FMEDA metrics to quantify risk and providing early

safety architectural guidance

Mitigating potential failures through the automatic insertion

of safety mechanisms

Managing the complete functional safety lifecycle from planning to

compliance

Providing evidence for compliance through high-performance, multi-

domain fault injection

z

Performance

Compliance

Pro

du

cti

vit

y

Flo

wMentorSafe IC

Lifecycle Managem

ent

Safety Verificatio

n

Safety Analysis

Design for Safety


First Time Right Safe IC with Mentor Safe ICClosed-loop functional safety flow for random hardware faults

Design for Safety

Safety Synthesis |Tessent BIST

Safety MechanismInsertion

Runtime BIST Insertion

Safety AnalysisSafetyScope | Questa

Safecheck

FIT RateComputatio

n

SafetyExploratio

n

Fault ListGeneration

DCEstimation

Safety VerificationKaleidoScope | Veloce Fault App | Tessent DefectSim |

Questa Safecheck

FormalAnalysis

FaultSimulation

FaultEmulation

FMEDA

Calculation & validation of FMEDA metrics and providing

early safety architectural guidance

Creation of safe designs to mitigate the effects

random hardware faults

Proving design safeness that achieves target ASIL levels

through fault campaigns


LifeCycleManagement


Polarion & Questa Verification ManagementAutomatic requirement driven verification with full traceability through development flow

Higher Level Requirements

Verification Requirements

“Derived from” relationship

“Verified by” relationship

Higher Level Requirements

Assertions, Directives,

Coverpoints

Higher Level RequirementsDirected Tests

Testplan

Enterprise Level

Requirements Management

Automatic Testplan Creation

Questa®

merge

Questasim

Questa®Testplan Tracker

Questa®HTML/Text Reporting

Testplan UCDB

Engine UCDBs

Results UCDB

Integrated Traceability


Safety Analysis


Safety Analysis : The BasicsUnderstanding current level of safety and enhancement required to meet safety targets

Goals• Identifying the optimal safety architecture

which meets power, performance, and area targets

• Expert driven estimation of safety metrics• Fault metric data management• Inaccurate results and late changes

FMEDA

FITRate

SafetyExplore

Safety Analysis

Fail

Safe

ly


Impact of Analysis Early in the Safety WorkflowShift-left safety development to make smarter decisions earlier with less iterations

SystemRequirements

Functional Design


Safety InsertionFault

Campaign


after SM

Expert Judgement

Safety goals met?

N

SystemRequirements

Functional Design


SafetyAnalysis

SafetyInsertion

FaultCampaign


after SM

Final Metric Reporting

Safety Exploration

Optimized Fault List

FMEDA Validation

Typical Safety

Workflow

Iter 1

Automated

Each Iteration (Iter #)• Update Requirements• Perform Impact Analysis• Add SMs• Re-close DV• Re-run fault campaign

Costly

?

?

?

Iter2

Iter3

Iteration N-1

IterN

Final Metric Reporting

Time Y

Optimized Workflow


BFR

Safety Analysis: Failure Rate CalculationCalculating Base Failure Rate (BFR)

Safety Analysis

Fail

Safe

ly

BFR Computation• User configurable profile• Structural analysis• IEC 62380 BFR Model• Hierarchical analysis and roll-up• Die and package BFR

BFR Contribution• BFR metrics and reporting• Contribution reports & hot-spot

analysis• Systematically address safety

architecture

IEC 62380 BFR Model

Design Structural Analysis

Package Materials

Package Specification

Target technology

Mission Profile

Instance Name Perm% Trans%

top 100 100

top.instA 10 15

top.instA.EP1 10 15

top.instB 90 85

top.instB.EP2 10 15

top.instB.EP3 10 15

top.instB.EP4 10 15

top.instB.EP5 60 45

BFR Metrics Contribution Reports

Biggest Contributor


BFR

FMEDA

Safety Analysis: FMEDA ValidationProving FMEDA tops down estimations

Safety Analysis

Fail

Safe

ly

• Perform diagnostic coverage gap analysis to identify “hot spots”• Calculate BFR & diagnostic coverage on existing safety mechanisms Structural analysis

SM’s Achievable Diagnostic Coverage

8%N/A

Example FMEDA

Safety Mechanism on control registers only

ICACHE

CPU

IMMU

DCACHE

DMMU

PMPIC rf ma lsu

ctrlsprs fr

Parity


BFR

FMEDA

Exploration

Safety Analysis: Architecture Exploration Establishing the optimal safety architecture

Safety Analysis

Fail

Safe

ly

SM’s Achievable Diagnostic Coverage

8%Parity

Parity

Duplication

ECC

• Close fault coverage holes by proposing additional safety mechanisms and estimating DC• Evaluate different safety architectures given Power, Performance, and Area targets

70%

83%

91%

New SMs achieve higher coverage

ICACHE

CPU

IMMU

DCACHE

DMMU

PMPIC

ECCECC

rf ma lsu

ctrlsprs fr

DuplicationDuplication

Parity

Parity Parity

Duplication

Example

FMEDA


Design For Safety


Safety Insertion

Safety Insertion : The BasicsEnhancing the design with safety mechanisms to protect against random HW faults

Fail

Safe

ly

Challenges• Achieving sufficient safeness• Balancing safety, performance, cost, power• Designers that know how to design for safety• Converting legacy IP to be safe• Enhancing 3rd party IP with safety

Safety Mechanism InsertionAutomatic fail safe & fail operational

design hardening

Run-time

Diagnostics

LogicBIST

MemoryBIST

SoftwareTest Library

Duplication

ECC

CRC &Parity

Redundancy

Run-time BIST


Safety Insertion : HW Safety MechanismsMicro -level Safety Insertion using Austemper RadioScope™

Safety Insertion

Fail

Safe

ly

Features for Micro-Level SMs• Insertion at the Flip-Flop level• Support CDC• Built-in diagnostic interface• Supported Safety Mechanisms

• FF Duplication• FF Triplication• FSM Protocol Monitor• FF Parity

Micro

ICACHE

CPU

IMMU

DCACHE

DMMU

PMPIC rf ma lsu

ctrlsprs fr


Parity

Parity Parity


Safety Insertion : HW Safety MechanismsMacro-level Safety Insertion using Austemper Annealer™

Safety Insertion

Fail

Safe

ly

Features For Macro-Level SMs• Insertion at the Instance level• Support CDC• Support multi-cycle offset• Built-in diagnostic interface• Supported Safety Mechanisms

• Instance Duplication• Instance Triplication• End2End Datapath• Memory Parity• Memory ECC

Micro

MacroICACHE

CPU

IMMU

DCACHE

DMMU

PMPIC

ECCECC

rf ma lsu

ctrlsprs fr


Parity

Parity

Duplication

Safety Mechanism Library

Automate ASIL Enhancements

Detection & Correction

Parity


Safety Insertion : Logic and Memory BIST Tessent BIST - enabling system-controlled field test necessary for automotive and ISO 26262

Safety Insertion

Fail

Safe

ly

MBIST

LBIST

MissionMode

Run-time BIST insertion

BIST Insertion• PPA efficient permanent fault

identification• Low Power Controllers• Low Area Implementation• Full In-System operation via

MissionMode• IEEE 1687 common test

architecture, also used for manufacturing test

• Full diagnostics capability

Micro

Macro

ICACHE

CPU

IMMU

DCACHE

DMMU

PMPIC

ECCECC

rf ma lsu

ctrlsprs fr


Parity

Parity Parity

Duplication Logic BISTLogic BIST

Memory BIST Memory BIST

Logic BIST

Logic BIST

MissionMode

Controller


Safety Verification


Safety Verification

Safety Verification : Introduction to DigitalRandom HW fault injection to classify faults and generate safety metrics

Fail

Safe

ly

Challenges• Classifying all faults

• Exhaustive and efficient fault injection

• Fault injection setup to classify in the most efficient way possible.

Fault InjectionHigh performance, multi-domain fault classification for

fault metric validation

Analog

Mixed-Signal

Digital

Fault Emulation

Fault Simulation

FaultFPGA

Fault Simulation

Fault Simulation

Fault Classification State Space

Fault Campaign Progress

100K’s nodes


Safety Verification : Digital Fault ReductionOptimize your fault campaign using Questa® Formal Safecheck and SafetyScope™

Safety Verification

Fail

Safe

ly

Reduction

Objective

Reduce the scope of the fault campaign through automated node reduction capabilities

Unclassified Undetected Detected Safe (NA)

Classified

To-do

Reduction


Static AnalysisSafety-Critical

Safety Mechanism Aware

Fault CollapsingShallow Node

Deep Node

Fault SamplingLikelihood weighted random

sampling

Reduction

Fault State Space


Safety Verification : Formal Fault AnalysisFault classification using Questa® Formal Safecheck

Objective

Use formal engines and classify faults as Safe, Unsafe, Detected, Undetected

Formal

Unclassified

Undetected

Detected

Safe (NA)

Classified

To-do

Reduction


Minimal SetupNo testbench required

Robust & High QualityExhaustive classification

Single and Multi-Point Fault

Fault ManagementFault classification

Unified fault Metrics

Platform Interoperability

Fault State SpaceSafety Verification

Fail

Safe

ly

Reduction


Safety Verification : Digital Fault SimulationFault classification using KaleidoScope™

Objective

Inject faults in simulation and classify faults as Safe, Unsafe, Detected, Undetected Unclassified

Undetected

Detected

Safe (NA)

Classified

To-do

Reduction


High PerformanceConcurrent & Distributed

Hybrid RTL and Gate Level

Intelligent Injection

Optimized SimulationStimulus Grading

Simulation Costing




Fault State Space

Simulation

Safety Verification

Fail

Safe

ly

Reduction

Formal


Safety Verification : Digital Fault Injection in EmulationFault classification using the Veloce® Fault App

Objective

Inject faults w/ hardware acceleration and classify faults as Safe, Unsafe, Detected, Undetected Unclassified

Undetected

Detected

Safe (NA)

Classified

To-do

Reduction


High PerformanceHW acceleration

Concurrent fault injection

Full SystemSoC level capacity

SoC level fault injection

SW safety mechanism support




Fault State Space

Emulation

Simulation

Safety Verification

Fail

Safe

ly

Reduction

Formal


Summary


Mentor Consulting

Extensive safety critical experience and software to guide the adoption

Meeting Functional Safety RequirementsMentor + Siemens delivers the most complete ISO 26262 solution to accelerate path to compliance

Mentor SafeTool Qualification

Most extensive EDA toolqualification program

Siemens + Mentor Requirements Management

Only requirements management solution w/ traceability to EDA

Use qualified tools Safety ExpertiseAdopt requirements driven development

Mentor Safety Analysis

Most accurate automated metric computation and safety exploration to make smarter safety decisions earlier

Mentor Safety Verification

Most extensive fault injection platform to validate metrics across entire SOC for

increased confidence

Mentor Design for Safety

Only automated safety mechanism insertion to increase design safety to

achieve ASIL targets faster

Prove design meets safety requirements

Deliver ISO26262 & IEC61508 fault metrics

Enhance designs to mitigate faults

Eliminate Systematic Faultsfrom development

Tolerate Random Faults and fail safely

AK Mentor Safe IC End-to-End Functional Safety Solution addressing ISO-26262 08 2019


Q&A


Trademark and copyright statementThe trademarks featured in this presentation are registered and/or unregistered trademarks of Mentor, a Siemen’s Corporation in the EU and/or elsewhere. All rights reserved. All other marks featured may be trademarks of their respective owners.

Copyright © 2019

Thank You!

#ArmTechCon

Documents

Mentor Safe IC End-to-end Functional Safety Flow