Mentor Safe IC - T&VS€¦ · Mission Profile Design Files Diagnostic Coverage Mechanism Coverage Contribution Report FMEDA FIT Rate & Diagnostic Coverage Fault Injection List FMEDA

Alex Grove

European Application Engineer

Bryan Ramirez

Strategic Marketing Manager

Automotive Functional Safety Professional

Sanjay Pillay

Functional Safety Technologist

Austemper Founder & CEO

November 2018

Mentor Safe ICISO 26262 & IEC 61508 Functional Safety

Restricted © 2018 Mentor Graphics Corporation

ISO 26262INTRODUCTION


ISO

26

26

2 &

IE

C 6

15

08

Systematic Faults

What is Functional Safety?Driving down risk of Electrical and Electronics malfunctioning due to failures

Random Faults Malicious Faults

• Incomplete Specs• Misinterpreted Specs• Bad RTL• HW/SW Interface Problems

Challenges• Process & requirements• IC complexity• Exhaustive & efficient

• EMI• Electro-migration• Permanent or transient• Latent

Challenges• Emerging requirement• Manual -> automation• Scale with IC complexity

• Encryption Vulnerabilities• Denial of Service• Untrusted IC• Hardware Trojan

Challenges• Exhaustive• Scalability

Mentor Safe IC for ISO 26262 : DVClub November 2018


Functional Safety Terms & Fault MetricsISO 26262 Part 5


ASIL B ASIL C ASIL D

FIT Rate (PMHF) <10-7h-1 <10-7h-1 <10-8h-1

Single-point Fault Metric (SPFM) ≥90% ≥97% ≥99%

Latent Fault Metric (LFM) ≥60% ≥80% ≥90%

Failure In Time (FIT) is a unit for expressing the expected failure rate of semiconductors and other electronic devices. • One FIT equals one failure per billion (109) hours (once in about 114,155 years)

Single-point/latent fault metric (SPFM/LFM) is a hardware architectural metric that reveals whether or not the coverage

by the safety mechanisms is sufficient to prevent risk from single point/latent faults in the hardware architecture.

Diagnostic coverage (DC) is a measure of effectiveness of the diagnostics implemented in the system. Mathematically,

it is the ratio of the failures detected and/or controlled by a safety mechanism to the total failures in the element.


MENTOR SAFE IC


Developing Safe ICsICs must operate correctly & fail safely for ISO 26262 functional safety


SystemSpecification

ArchitecturalDesign

Functional Design

Functional Verification

Circuit Design

Physical Design

Physical Verification

Fabrication

Requirements& Traceability

FMEDA

Safety Mechanisms

Fault Injection

SafetyPlanning

Compliance

IC D

eve

lop

me

nt

Pro

ce

ss

Opera

te C

orr

ect

ly

Fail

Safe

ly

Sa

fety

De

ve

lop

me

nt

Pro

ce

ss

SafetyVerification

SafetyAnalysis

DesignFor Safety

Lifecycle Management

Mentor Safe IC

Tool Q

ualif

ication

Systematic Faults Random HW Faults


• Safety Synthesis• Tessent BIST

• SafetyScopeTM

• KaleidoScopeTM

• Questa Formal• Veloce Fault App• Tessent DefectSim

• Siemens Polarion• Questa Verification

Management

Mentor Safe ICMost complete functional safety IC solution automating the path to compliance


Understanding risks associated with design faults through FMEDA

analysis

Mitigating potential failures through the insertion of safety

mechanisms

Managing the complete functional safety lifecycle from planning to

compliance

Providing evidence for compliance through multi-domain fault

injection

z

Performance

Compliance

Pro

du

cti

vit

y

Flo

wMentorSafe IC

Lifecycle Management

Safety Verification

Safety Analysis

Design for Safety


LIFECYCLE MANAGEMENT


Polarion - Functional Safety Lifecycle ManagementManaging the complexities of development within the framework of functional safety

Siemens Polarion ALMIncre

ase

d e

ffic

ien

cy &

re

du

ce

d r

isk

thro

ugh c

olla

bora

tion &

auto

mation

Requirements management & traceability

Change & configuration management

Safety Planning

Functional safety workflows & governance

Audit & review management

Cross-project collaboration & visibility



Polarion & Questa Verification ManagementAutomatic requirement driven verification with full traceability through development flow

Higher Level Requirements

Verification Requirements

“Derived from” relationship

“Verified by” relationship

Higher Level Requirements

Assertions, Directives,

Coverpoints

Higher Level RequirementsDirected Tests

Testplan

Enterprise Level

Requirements Management

Automatic TestplanCreation

Questa®

merge

Questasim

Questa®Testplan Tracker

Questa®HTML/Text Reporting

Testplan

UCDB

Engine

UCDBs

Results UCDB

Integrated Traceability



SAFETY ANALYSIS


AustemperTM SafetyScopeTM

Safety analysis solution


Mission Profile

Design Files

Diagnostic Coverage Mechanism

CoverageContribution Report

FMEDA FIT Rate& Diagnostic Coverage

Fault Injection List

FMEDA FIT Rate& Diagnostic Coverage

Computation

LifecycleManagement

LifecycleManagement

ICDevelopment

Designfor Safety

SafetyAnalysis

SafetyVerification


SafetyScope™ FIT ComputationIEC62380 is used to calculate Failure In Time (FIT)


IEC 62380 FIT EquationLambdaFile (input file)

Temperature Profile (input file)

Mission Profile (input file)

EP

Default # Transistors = 62



FITDesign = ∑ FITEndpoints

#Transistors for Endpoint (EP)=

#TransistorsCone + #TransistorsEndpoint

MissionProfilePhase (input file)

Package Material (input file)

Package Spec (input file)


DESIGN FOR SAFETY


AustemperTM Safety SynthesisAutomatic safety mechanism insertion in RTL

Unsafe Design

Resilience Check

Safe Design

Equivalency Check

Macro List

Automated and Verifiable Safety

MechanismInsertion


ICDevelopment

SafetyAnalysis

SafetyVerification

ICDevelopment

ICDevelopment

Safety Mechanism Verification

Safety Mechanism Verification


Austemper Safety Synthesis AdvantageIndustry’s only automated safety mechanism insertion solution

Features AnnealerTM RadioScopeTM

Error Detection & Correction

Hamming code based n-bit detect/m-bit correct✓ ✓

Structures supported RAM, ROM, Reg Files, FIFOs, Stacks Flip-Flop Banks

User-defined structure selection✓ ✓

Auto-grouping of structures ✓

User selectable protection (Parity, EDC, ECC)✓ ✓

Multi-pass w/ incremental safety insertion mode✓ ✓

Fault Tolerance

Redundancy Macro/Module Level Localized Logic Cones

Duplication/Triplication✓ ✓

Multi clock designs✓ ✓

Auto-identification Memories State Machines

Protocol Checks

Covered Items Interface parity/protocol, FIFO overflow/underrun FSM valid states and transitions



Tessent BIST & MissionModeSystem-controlled diagnostic testing for detection of permanent faults


MBIST & LBIST

engines

MissonMode

Controller

Key Off

Online

Key On TessentBIST & MissionMode

BIST

Efficient fault detection mechanismPermanent faults

Long detection interval

Complements Safety Synthesis

Latent faultsSecondary checking


SAFETY VERIFICATION


SafetyScopeTM

QuestaSafeCheck

KaleidoScopeTM

Veloce Fault App

KaleidoScopeTM

HSE & VPS

Dig

ita

l IC

Fa

ult

In

jec

tio

n

Digital IC Safety VerificationSuccessive refinement to optimize fault injection campaign and maximize results


Safety

Analysis

Formal

Analysis

Simulation

• Fault list generation

• Initial fault list pruning

Emulation

FPGA

Prototyping

• Formally optimized & prioritized fault list to improve efficiency downstream

• Exhaustively prove stimulus dependent results

• High performance, concurrent fault simulation

• Smart fault campaign management

• Accelerate fault injection of large, complex SOCs or long testcases

• Only approach to understand how SW safety mechanisms react to HW faults

• Accelerate fault injection on FPGA prototypes

• Test fault injection within system context


Austemper KaleidoScopeTM

Concurrent fault simulation


SafeDesign

Managed, high performance safety

verification

RTLSims

SafetyAlarms

FaultList

Credit DiagnosticCoverage

Designfor Safety

SafetyAnalysis

ICDevelopment

SafetyAnalysis

Alarm Triggered

Error Masked

Not Resolved

SafetyVerification

SafetyAnalysis

SafetyAnalysis

SafeFault

KscopeHSE

Further analysis…

AlarmNot

Triggered

UnsafeFault

SafetyAnalysis


Austemper KaleidoScopeTM HSEHybrid Simulation Extension for guaranteed fault resolution


RTLDesign

Files

NetlistDesign

Files

Credit DiagnosticCoverageIC

Development

Alarm Triggered

ErrorMasked

AlarmNot

Triggered

SafetyAnalysis

SafetyAnalysis

SafeFault

Loss ofDiagnosticCoverage

SafetyAnalysis

ICDevelopment

KaleidoScopeTM HSEFault injection to resolve any fault

AutomaticFault Embedding

SimulatorQuesta

Mixed-SignalQuesta ADMS

EmulationVeloce

FPGAVPS

InjectedFault

TestCase

ICDevelopment

SafetyVerification


CONCLUSION


Top Functional Safety IC ChallengesHow Mentor + Siemens can accelerate your path to compliance


Use qualified tools to ensure a safe development tool chain

Establish a safety culture and practices

Adopt requirements driven development

Deliver ISO26262 & IEC61508 fault metrics

Enhance designs to mitigate affects of random hardware faults

Prove designs are sufficiently safe from random hardware faults

Mentor Safe Tool QualificationMost extensive EDA tool qualification program

Mentor Consulting and Siemens PolarionExtensive safety critical experience and software to guide the adoption

Siemens + Mentor Requirements ManagementOnly requirements management solution w/ traceability to EDA

Mentor Safety AnalysisMost accurate automated metric computation and safety exploration

Mentor Design for SafetyOnly automated safety mechanism insertion to increase design safety

Mentor Safety VerificationMost extensive fault injection platform to validate metrics

CHALLENGE HOW MENTOR CAN HELP


Q&A


Mentor Safe - Tool QualificationISO 26262 report certification that streamlines the compliance process

◼ Mentor Safe— Certified qualification reports for the Mentor tool portfolio— Broadest portfolio of qualified tools— https://www.mentor.com/solutions/automotive/subsystem

s-technology/functional-safety-iso26262

◼ TUEV-Saar ISO 26262


• Questa Sim & Verification Management• Questa CDC & Formal• Questa Visualizer• Analog / Mixed-Signal Simulation• Veloce StratoOS• Calypto• Tessent• Calibre

https://www.mentor.com/solutions/automotive/subsystems-technology/functional-safety-iso26262

Restricted © 2018 Mentor Graphics Corporationwww.mentor.com

Documents

Mentor Safe IC - T&VS€¦ · Mission Profile Design Files Diagnostic Coverage Mechanism Coverage Contribution Report FMEDA FIT Rate & Diagnostic Coverage Fault Injection List FMEDA