Slide 1
Copyright © 2019 Arm TechCon, All rights reserved.
#ArmTechCon
Ann Keffer, Product Manager Functional Safety, Mentor, a Siemens Company
Mentor Safe IC – End-to-end Functional Safety Flow
Slide 2
Agenda
• Mentor Safe IC Overview
• Lifecycle Management
• Safety Analysis
• Design for Safety
• Safety Verification
• Summary
• Q&A
Random Failures: ISO 26262
Slide 3
Mentor Safe IC Overview
Slide 4
What is Functional Safety? Driving down risk of malfunctioning due to failures
• Systematic Faults: Does my product operate correctly? (incomplete specs, design bugs, manufacturing defects) - E/E Safety - ISO 26262
• Random Faults: Does my product fail safely? (EMI or electro-migration; permanent or transient) - E/E Safety - ISO 26262
• Malicious Faults: Is my product secure from hacking? (encryption vulnerabilities, denial of service, untrusted IC) - Cyber Security - ISO 21434
• System Faults: Does my system operate safely? (environmental, external, V2X) - SOTIF - ISO 21448
Slide 5
Developing Safe ICs: Automotive ICs must operate correctly & fail safely
IC Development Workflows (figure):
• Operate Correctly (ISO 26262 V-model): System Specification, Architecture & Modeling, Functional Design, Circuit Design and Verification, Functional Verification, Physical Design and Verification, Fabrication
• Fail Safely (ISO 26262 Safety Lifecycle): Safety Planning, Safety Analysis, Safety Insertion, Safety Verification, Compliance
Slide 6
Siemens Acquires Austemper Design Systems: Leading provider of ISO 26262 functional safety technology
1. Safety Analysis: Understanding the failure modes resulting from random HW faults to guide insertion of safety mechanisms
2. Design for Safety: Mitigating potential failures through the insertion of safety mechanisms that detect or correct failures
3. Safety Verification: Multi-domain fault injection providing evidence to achieve compliance
Slide 7
Mentor Safe IC: Most complete functional safety IC solution automating the path to compliance
• Lifecycle Management (Siemens Polarion, Questa Verification Management): Managing the complete functional safety lifecycle from planning to compliance
• Safety Analysis (SafetyScope™): Calculating FMEDA metrics to quantify risk and providing early safety architectural guidance
• Design for Safety (Safety Synthesis, Tessent BIST): Mitigating potential failures through the automatic insertion of safety mechanisms
• Safety Verification (KaleidoScope™, Questa Formal, Veloce Fault App, Tessent DefectSim): Providing evidence for compliance through high-performance, multi-domain fault injection
Flow attributes (figure): Performance, Productivity, Compliance
Slide 8
First Time Right Safe IC with Mentor Safe IC: Closed-loop functional safety flow for random hardware faults
• Safety Analysis (SafetyScope | Questa Safecheck): FIT Rate Computation, Safety Exploration, Fault List Generation, DC Estimation, FMEDA. Calculation & validation of FMEDA metrics and providing early safety architectural guidance
• Design for Safety (Safety Synthesis | Tessent BIST): Safety Mechanism Insertion, Runtime BIST Insertion. Creation of safe designs to mitigate the effects of random hardware faults
• Safety Verification (KaleidoScope | Veloce Fault App | Tessent DefectSim | Questa Safecheck): Formal Analysis, Fault Simulation, Fault Emulation. Proving design safeness that achieves target ASIL levels through fault campaigns
Slide 9
Lifecycle Management
Slide 10
Polarion & Questa Verification Management: Automatic requirement driven verification with full traceability through development flow
Traceability flow (figure):
• Enterprise Level Requirements Management: Higher Level Requirements, linked by a “Derived from” relationship to Verification Requirements
• Automatic Testplan Creation: Testplan items linked by a “Verified by” relationship to Assertions, Directives, Coverpoints and Directed Tests
• Questa® Testplan Tracker: the Testplan UCDB is merged (Questa® merge) with the Engine UCDBs from Questasim into a Results UCDB
• Questa® HTML/Text Reporting
Integrated Traceability
Slide 11
Safety Analysis
Slide 12
Safety Analysis: The Basics. Understanding current level of safety and enhancement required to meet safety targets
Goals
• Identifying the optimal safety architecture which meets power, performance, and area targets
• Expert driven estimation of safety metrics
• Fault metric data management
• Inaccurate results and late changes
Safety Analysis components (figure): FMEDA, FIT Rate, Safety Explore
Slide 13
Impact of Analysis Early in the Safety Workflow: Shift-left safety development to make smarter decisions earlier with fewer iterations
Typical Safety Workflow (figure): System Requirements → Functional Design → Functional Verification → Safety Insertion → Fault Campaign → Functional Verification after SM → Expert Judgement: Safety goals met? If N, iterate (Iter 1, Iter 2, Iter 3, …, Iteration N-1, Iter N) → Final Metric Reporting
Each iteration (Iter #): Update Requirements, Perform Impact Analysis, Add SMs, Re-close DV, Re-run fault campaign. Costly.
Optimized Workflow (figure): System Requirements → Functional Design → Functional Verification → Safety Analysis (automated: Safety Exploration, Optimized Fault List, FMEDA Validation) → Safety Insertion → Fault Campaign → Functional Verification after SM → Final Metric Reporting (Time Y)
Slide 14
Safety Analysis: Failure Rate Calculation. Calculating Base Failure Rate (BFR)
BFR Computation
• User configurable profile
• Structural analysis
• IEC 62380 BFR Model
• Hierarchical analysis and roll-up
• Die and package BFR
BFR Contribution
• BFR metrics and reporting
• Contribution reports & hot-spot analysis
• Systematically address safety architecture
Inputs (figure): IEC 62380 BFR Model, Design Structural Analysis, Package Materials, Package Specification, Target technology, Mission Profile
BFR Metrics Contribution Report (figure):
Instance Name    Perm%  Trans%
top              100    100
top.instA         10     15
top.instA.EP1     10     15
top.instB         90     85
top.instB.EP2     10     15
top.instB.EP3     10     15
top.instB.EP4     10     15
top.instB.EP5     60     45   (biggest contributor)
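The hierarchical roll-up and contribution report on this slide can be reproduced with a few lines of Python. The example below is added here and is not SafetyScope or any other Mentor code: the leaf FIT values are constructed (chosen so that the percentages come out close to the slide's table) and the instance names follow the slide; in a real flow the leaf rates would come from a BFR model such as IEC 62380 applied to the design structure, package, technology and mission profile.

```python
"""Hierarchical base failure rate (BFR) roll-up and contribution report.

Added example, not SafetyScope code. Leaf-level FIT values are constructed;
a real flow derives them from a BFR model (e.g. IEC 62380) plus the design
structure, package, target technology and mission profile.
"""
from collections import defaultdict

# Constructed leaf BFRs in FIT (failures per 1e9 device-hours):
# (permanent, transient) per hierarchical instance path.
LEAF_BFR = {
    "top.instA.EP1": (2.0, 3.0),
    "top.instB.EP2": (2.0, 3.0),
    "top.instB.EP3": (2.0, 3.0),
    "top.instB.EP4": (2.0, 3.0),
    "top.instB.EP5": (12.0, 8.0),
}


def roll_up(leaf_bfr):
    """Sum leaf FIT values into every ancestor instance (hierarchical roll-up)."""
    totals = defaultdict(lambda: [0.0, 0.0])
    for path, (perm, trans) in leaf_bfr.items():
        parts = path.split(".")
        # Credit the leaf and each ancestor, e.g. top, top.instB, top.instB.EP5
        for depth in range(1, len(parts) + 1):
            node = ".".join(parts[:depth])
            totals[node][0] += perm
            totals[node][1] += trans
    return {node: tuple(v) for node, v in totals.items()}


def contribution_report(leaf_bfr, root="top"):
    """Express each instance's BFR as a percentage of the root's BFR."""
    totals = roll_up(leaf_bfr)
    root_perm, root_trans = totals[root]
    return {
        node: (round(100.0 * perm / root_perm, 1), round(100.0 * trans / root_trans, 1))
        for node, (perm, trans) in totals.items()
    }


def biggest_contributor(leaf_bfr):
    """Hot-spot analysis: the leaf instance contributing most permanent-fault FIT."""
    totals = roll_up(leaf_bfr)
    leaves = {node: rate for node, rate in totals.items() if node in leaf_bfr}
    return max(leaves, key=lambda node: leaves[node][0])


if __name__ == "__main__":
    for node, (perm_pct, trans_pct) in sorted(contribution_report(LEAF_BFR).items()):
        print(f"{node:<16} {perm_pct:6.1f}% {trans_pct:6.1f}%")
    print("Biggest contributor:", biggest_contributor(LEAF_BFR))
```

With these constructed rates `top.instB` carries 90% of the permanent and 85% of the transient FIT, and `top.instB.EP5` is the hot spot, which is exactly the kind of finding that steers where safety mechanisms are worth their area.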
Slide 15
Safety Analysis: FMEDA Validation. Proving FMEDA top-down estimations
• Perform diagnostic coverage gap analysis to identify “hot spots”
• Calculate BFR & diagnostic coverage on existing safety mechanisms (structural analysis)
Example FMEDA (figure): CPU with blocks ICACHE, IMMU, DCACHE, DMMU, PMPIC, rf, ma, lsu, ctrl, sprs, fr; safety mechanism (Parity) on control registers only. SM’s achievable diagnostic coverage: 8% (N/A for unprotected blocks)
Slide 16
Safety Analysis: Architecture Exploration. Establishing the optimal safety architecture
• Close fault coverage holes by proposing additional safety mechanisms and estimating DC
• Evaluate different safety architectures given Power, Performance, and Area targets
Example FMEDA (figure): the same CPU blocks; the baseline with Parity only reaches 8% SM’s achievable diagnostic coverage, while candidate architectures adding Parity, Duplication and ECC across the blocks are shown at 70%, 83% and 91%. New SMs achieve higher coverage.
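To make the gap analysis of slide 15 and the architecture comparison of slide 16 concrete, here is an added Python example (not SafetyScope code) that scores candidate safety architectures for the slide's CPU blocks. The block FIT values and the diagnostic-coverage credit per mechanism type are constructed assumptions; the single-point fault metric formula and the ASIL targets are those of ISO 26262-5. The model deliberately simplifies: every fault in a block is treated as potentially single-point, so the residual rate after a mechanism is λ·(1 − DC), and safe-fault fractions and latent faults are not modelled.

```python
"""Diagnostic-coverage gap analysis and single-point fault metric (SPFM).

Added example, not SafetyScope code. Block failure rates and the DC credited
to each safety-mechanism type are constructed; SPFM = 1 - sum(lambda_SPF +
lambda_RF) / sum(lambda) and the ASIL targets follow ISO 26262-5.
Simplification: all faults in a block are potentially single-point, so the
residual rate is lambda * (1 - DC); no safe-fault fraction, no latent faults.
"""

# Constructed permanent-fault FIT per CPU block (block names from the slide's FMEDA).
BLOCK_FIT = {
    "ICACHE": 40.0, "DCACHE": 40.0, "IMMU": 8.0, "DMMU": 8.0,
    "rf": 12.0, "ctrl": 6.0, "lsu": 5.0, "ma": 5.0, "fr": 3.0, "sprs": 3.0,
}

# Constructed diagnostic-coverage credit per safety-mechanism type (assumption).
SM_DC = {"parity": 0.90, "duplication": 0.99, "ecc": 0.99}

# ISO 26262-5 single-point fault metric targets, ascending.
SPFM_TARGET = {"ASIL B": 0.90, "ASIL C": 0.97, "ASIL D": 0.99}


def residual_fit(block_fit, architecture):
    """Residual (undetected) FIT per block for a {block: sm_type} mapping."""
    residual = {}
    for block, fit in block_fit.items():
        dc = SM_DC.get(architecture.get(block), 0.0)  # no SM -> 0% coverage
        residual[block] = fit * (1.0 - dc)
    return residual


def spfm(block_fit, architecture):
    """Single-point fault metric: fraction of total FIT that is covered."""
    total = sum(block_fit.values())
    return 1.0 - sum(residual_fit(block_fit, architecture).values()) / total


def achieved_asil(block_fit, architecture):
    """Highest ASIL whose SPFM target is met, or None if below ASIL B."""
    metric = spfm(block_fit, architecture)
    best = None
    for asil, target in SPFM_TARGET.items():
        if metric >= target:
            best = asil
    return best


def hot_spots(block_fit, architecture, top_n=3):
    """Gap analysis: blocks contributing the most residual FIT, largest first."""
    residual = residual_fit(block_fit, architecture)
    return sorted(residual, key=residual.get, reverse=True)[:top_n]


# Baseline from the slide: parity on the control registers only.
BASELINE = {"ctrl": "parity"}

# Constructed candidate: ECC on caches, duplication on MMUs and register file,
# parity on the remaining blocks.
CANDIDATE = {
    "ICACHE": "ecc", "DCACHE": "ecc",
    "IMMU": "duplication", "DMMU": "duplication", "rf": "duplication",
    "ctrl": "parity", "lsu": "parity", "ma": "parity", "fr": "parity", "sprs": "parity",
}

if __name__ == "__main__":
    for name, arch in (("baseline", BASELINE), ("candidate", CANDIDATE)):
        print(f"{name}: SPFM={spfm(BLOCK_FIT, arch):.4f} "
              f"ASIL={achieved_asil(BLOCK_FIT, arch)} "
              f"hot spots={hot_spots(BLOCK_FIT, arch)}")
```

Run as written, the baseline scores an SPFM of about 4% with the two caches as the dominant hot spots, which is the picture slide 15 paints; the candidate reaches about 97.5%, enough for ASIL C but not ASIL D, and the hot-spot list shifts to the parity-only blocks (`ctrl`, `lsu`, `ma`), telling the architect where the next mechanism should go.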
Slide 17
Design For Safety
Slide 18
Safety Insertion: The Basics. Enhancing the design with safety mechanisms to protect against random HW faults
Challenges
• Achieving sufficient safeness
• Balancing safety, performance, cost, power
• Designers that know how to design for safety
• Converting legacy IP to be safe
• Enhancing 3rd party IP with safety
Safety Mechanism Insertion: Automatic fail safe & fail operational design hardening
• Redundancy: Duplication, ECC, CRC & Parity
• Run-time BIST / Run-time Diagnostics: Logic BIST, Memory BIST, Software Test Library
Slide 19
Safety Insertion: HW Safety Mechanisms. Micro-level Safety Insertion using Austemper RadioScope™
Features for Micro-Level SMs
• Insertion at the Flip-Flop level
• Support CDC
• Built-in diagnostic interface
• Supported Safety Mechanisms: FF Duplication, FF Triplication, FSM Protocol Monitor, FF Parity
Example (figure, Micro level): CPU blocks ICACHE, IMMU, DCACHE, DMMU, PMPIC, rf, ma, lsu, ctrl, sprs, fr with Duplication and Parity inserted
Slide 20
Safety Insertion: HW Safety Mechanisms. Macro-level Safety Insertion using Austemper Annealer™
Features for Macro-Level SMs
• Insertion at the Instance level
• Support CDC
• Support multi-cycle offset
• Built-in diagnostic interface
• Supported Safety Mechanisms: Instance Duplication, Instance Triplication, End2End Datapath, Memory Parity, Memory ECC
Example (figure, Micro and Macro level): CPU blocks ICACHE, IMMU, DCACHE, DMMU, PMPIC, rf, ma, lsu, ctrl, sprs, fr with ECC, Duplication and Parity inserted
Safety Mechanism Library: Automate ASIL Enhancements, Detection & Correction
Slide 21
Safety Insertion: Logic and Memory BIST. Tessent BIST - enabling system-controlled field test necessary for automotive and ISO 26262
BIST Insertion
• PPA efficient permanent fault identification
• Low Power Controllers
• Low Area Implementation
• Full In-System operation via MissionMode
• IEEE 1687 common test architecture, also used for manufacturing test
• Full diagnostics capability
Run-time BIST insertion (figure): MBIST, LBIST, MissionMode
Example (figure, Micro and Macro level plus run-time BIST): CPU blocks ICACHE, IMMU, DCACHE, DMMU, PMPIC, rf, ma, lsu, ctrl, sprs, fr with ECC, Duplication, Parity, Logic BIST and Memory BIST inserted, controlled by a MissionMode Controller
Slide 22
Safety Verification
Slide 23
Safety Verification: Introduction to Digital. Random HW fault injection to classify faults and generate safety metrics
Challenges
• Classifying all faults
• Exhaustive and efficient fault injection
• Fault injection setup to classify in the most efficient way possible
Fault Injection: High performance, multi-domain fault classification for fault metric validation
Domains (figure): Analog (Fault Simulation), Mixed-Signal (Fault Simulation), Digital (Fault Simulation, Fault Emulation, Fault FPGA)
Fault Classification State Space: 100K’s of nodes; Fault Campaign Progress
Slide 24
Safety Verification: Digital Fault Reduction. Optimize your fault campaign using Questa® Formal Safecheck and SafetyScope™
Objective: Reduce the scope of the fault campaign through automated node reduction capabilities
Fault state space (figure): Unclassified, Undetected, Detected, Safe (NA); Classified, To-do, Reduction; Fault Campaign Progress
Reduction techniques:
• Static Analysis: Safety-Critical, Safety Mechanism Aware
• Fault Collapsing: Shallow Node, Deep Node
• Fault Sampling: Likelihood weighted random sampling
Slide 25
Safety Verification: Formal Fault Analysis. Fault classification using Questa® Formal Safecheck
Objective: Use formal engines and classify faults as Safe, Unsafe, Detected, Undetected
Fault state space (figure): Unclassified, Undetected, Detected, Safe (NA); Classified, To-do, Reduction, Formal; Fault Campaign Progress
• Minimal Setup: No testbench required
• Robust & High Quality: Exhaustive classification; Single and Multi-Point Fault
• Fault Management: Fault classification, Unified fault Metrics, Platform Interoperability
Slide 26
Safety Verification: Digital Fault Simulation. Fault classification using KaleidoScope™
Objective: Inject faults in simulation and classify faults as Safe, Unsafe, Detected, Undetected
Fault state space (figure): Unclassified, Undetected, Detected, Safe (NA); Classified, To-do, Reduction, Formal, Simulation; Fault Campaign Progress
• High Performance: Concurrent & Distributed; Hybrid RTL and Gate Level; Intelligent Injection
• Optimized Simulation: Stimulus Grading; Simulation Costing
• Fault Management: Fault classification, Unified fault Metrics, Platform Interoperability
Slide 27
Safety Verification: Digital Fault Injection in Emulation. Fault classification using the Veloce® Fault App
Objective: Inject faults w/ hardware acceleration and classify faults as Safe, Unsafe, Detected, Undetected
Fault state space (figure): Unclassified, Undetected, Detected, Safe (NA); Classified, To-do, Reduction, Formal, Simulation, Emulation; Fault Campaign Progress
• High Performance: HW acceleration; Concurrent fault injection
• Full System: SoC level capacity; SoC level fault injection; SW safety mechanism support
• Fault Management: Fault classification, Unified fault Metrics, Platform Interoperability
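Slides 23 through 27 all rest on the same bookkeeping: inject one fault at a time, compare the safety-critical output against a golden run, and file the fault as Safe, Detected or Undetected. The following added Python example (not KaleidoScope, Veloce Fault App or Questa Safecheck code) runs that campaign on a constructed design model: an 8-bit register protected by an even-parity checker, followed by an unprotected output-enable stage and a non-safety-critical debug LED. The net names, stimulus and stuck-at fault model are all constructed for the example; real tools inject into RTL or gate-level nets in a simulator, emulator or formal engine, but the classification rules are the ones the slides describe.

```python
"""Toy fault-injection campaign: classify stuck-at faults on a parity-protected
register as Safe, Detected or Undetected.

Added example, not KaleidoScope/Veloce/Safecheck code. The design under test
is a constructed Python model; net names, stimulus and fault model are
assumptions made for this example.
"""

DATA_BITS = 8

# Constructed stimulus: values written to the register during the campaign.
STIMULUS = [0x00, 0x5A, 0xFF, 0x81, 0x3C]

# Nets a fault can be injected on; a stuck-at fault holds the net at 0 or 1.
NETS = [f"d{i}" for i in range(DATA_BITS)] + ["parity_bit", "alarm", "out_enable", "debug_led"]


def parity_of(value):
    """Even parity of the data word."""
    return bin(value & 0xFF).count("1") & 1


def dut_cycle(write_value, fault=None):
    """One cycle of the design. `fault` is (net, stuck_value) or None.

    Returns (data_out, alarm, debug_led); data_out is the safety-critical output.
    """
    def stuck(net, nominal):
        return fault[1] if fault and fault[0] == net else nominal

    # Register stage (parity-protected): data bits plus their even-parity bit.
    stored_bits = [stuck(f"d{i}", (write_value >> i) & 1) for i in range(DATA_BITS)]
    stored_parity = stuck("parity_bit", parity_of(write_value))
    stored = sum(bit << i for i, bit in enumerate(stored_bits))
    # Safety mechanism: recompute parity on the stored word, compare with the stored bit.
    alarm = stuck("alarm", int(parity_of(stored) != stored_parity))
    # Output stage after the checker (unprotected): gated by an enable net.
    data_out = stored if stuck("out_enable", 1) else 0
    debug_led = stuck("debug_led", data_out & 1)  # not safety-critical
    return data_out, alarm, debug_led


def classify(fault, stimulus=STIMULUS):
    """Campaign rules for a single injected fault:
    Safe       - the safety-critical output never diverges from the golden run
    Detected   - it diverges, and the safety mechanism raised the alarm
    Undetected - it diverges without an alarm (residual fault)
    """
    diverged = raised = False
    for value in stimulus:
        golden_out, _, _ = dut_cycle(value)
        out, alarm, _ = dut_cycle(value, fault)
        if out != golden_out:
            diverged = True
            if alarm:
                raised = True
    if not diverged:
        return "Safe"
    return "Detected" if raised else "Undetected"


def run_campaign(stimulus=STIMULUS):
    """Inject every stuck-at fault on every net; return {(net, value): class}."""
    return {(net, sa): classify((net, sa), stimulus) for net in NETS for sa in (0, 1)}


def summary(results):
    """Tally of the campaign, i.e. the 'Fault Campaign Progress' of the slides."""
    tally = {"Safe": 0, "Detected": 0, "Undetected": 0}
    for cls in results.values():
        tally[cls] += 1
    return tally


if __name__ == "__main__":
    results = run_campaign()
    for (net, sa), cls in results.items():
        print(f"{net:<11} stuck-at-{sa}: {cls}")
    print(summary(results))
```

Three things worth noticing in the output. All sixteen data-bit faults are Detected, because a single flipped bit always breaks even parity. The `out_enable` stuck-at-0 fault is Undetected: it corrupts the output downstream of the checker, which is the coverage hole a gap analysis would flag. And `alarm` stuck-at-0 comes out Safe, since on its own it never changes the safety-critical output; it is a latent fault that only matters in combination with a second fault, which is why slide 25 lists multi-point fault analysis separately from single-point classification.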
Slide 28
Summary
Slide 29
Meeting Functional Safety Requirements: Mentor + Siemens delivers the most complete ISO 26262 solution to accelerate path to compliance
• Mentor Consulting: Extensive safety critical experience and software to guide the adoption (Safety Expertise)
• Mentor Safe Tool Qualification: Most extensive EDA tool qualification program (Use qualified tools)
• Siemens + Mentor Requirements Management: Only requirements management solution w/ traceability to EDA (Adopt requirements driven development)
• Mentor Safety Analysis: Most accurate automated metric computation and safety exploration to make smarter safety decisions earlier (Deliver ISO26262 & IEC61508 fault metrics)
• Mentor Safety Verification: Most extensive fault injection platform to validate metrics across entire SOC for increased confidence (Prove design meets safety requirements)
• Mentor Design for Safety: Only automated safety mechanism insertion to increase design safety to achieve ASIL targets faster (Enhance designs to mitigate faults)
Eliminate Systematic Faults from development; Tolerate Random Faults and fail safely
AK Mentor Safe IC End-to-End Functional Safety Solution addressing ISO-26262 08 2019
Slide 30
Q&A
Slide 31
Trademark and copyright statement: The trademarks featured in this presentation are registered and/or unregistered trademarks of Mentor, a Siemens Corporation, in the EU and/or elsewhere. All rights reserved. All other marks featured may be trademarks of their respective owners.
Copyright © 2019
Thank You!
#ArmTechCon