Post on 09-Sep-2020
Alex Grove
European Application Engineer
Bryan Ramirez
Strategic Marketing Manager
Automotive Functional Safety Professional
Sanjay Pillay
Functional Safety Technologist
Austemper Founder & CEO
November 2018
Mentor Safe IC: ISO 26262 & IEC 61508 Functional Safety
Restricted © 2018 Mentor Graphics Corporation
INTRODUCTION: ISO 26262
What is Functional Safety? Driving down the risk of electrical and electronic systems malfunctioning due to failures (ISO 26262 & IEC 61508)

Systematic Faults
• Incomplete specs
• Misinterpreted specs
• Bad RTL
• HW/SW interface problems
Challenges: process & requirements; IC complexity; exhaustive & efficient

Random Faults
• EMI
• Electro-migration
• Permanent or transient
• Latent
Challenges: emerging requirement; manual -> automation; scale with IC complexity

Malicious Faults
• Encryption vulnerabilities
• Denial of service
• Untrusted IC
• Hardware Trojan
Challenges: exhaustive; scalability
Mentor Safe IC for ISO 26262 : DVClub November 2018
Functional Safety Terms & Fault Metrics (ISO 26262 Part 5)

Metric                              ASIL B        ASIL C        ASIL D
FIT Rate (PMHF)                     < 10^-7 h^-1  < 10^-7 h^-1  < 10^-8 h^-1
Single-point Fault Metric (SPFM)    ≥ 90%         ≥ 97%         ≥ 99%
Latent Fault Metric (LFM)           ≥ 60%         ≥ 80%         ≥ 90%

• Failure In Time (FIT) is a unit for expressing the expected failure rate of semiconductors and other electronic devices. One FIT equals one failure per billion (10^9) hours (once in about 114,155 years).
• The single-point/latent fault metric (SPFM/LFM) is a hardware architectural metric that reveals whether or not the coverage by the safety mechanisms is sufficient to prevent risk from single-point/latent faults in the hardware architecture.
• Diagnostic coverage (DC) is a measure of the effectiveness of the diagnostics implemented in the system. Mathematically, it is the ratio of the failures detected and/or controlled by a safety mechanism to the total failures in the element.
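As an added worked example (not from the Mentor/Siemens deck), the following Python computes SPFM, LFM and per-element diagnostic coverage from a small constructed failure-mode list and checks the result against the ASIL targets in the table above. The SPFM and LFM expressions are the ISO 26262-5 Annex C formulas; the PMHF comparison uses only the single-point/residual contribution, which is a simplification labelled as such in the code. All element names, FIT values and DC values are invented.

```python
# Added example, not part of the Mentor/Siemens deck: ISO 26262-5 hardware
# architectural metrics (SPFM, LFM) and diagnostic coverage from a constructed
# FMEDA-style failure-mode list, checked against the ASIL B/C/D targets.
from dataclasses import dataclass

FIT_HOURS = 1e9          # one FIT = one failure per 1e9 device-hours
HOURS_PER_YEAR = 8760.0


@dataclass
class FailureMode:
    element: str
    fit: float          # failure rate of this mode, in FIT (constructed value)
    safe: bool          # True: this mode can never violate the safety goal
    dc_rf: float        # DC of the mechanism that stops a direct violation (0 = none)
    dc_latent: float    # DC of the mechanism that reveals the fault before it lies latent


def partition(fm):
    """Split one failure mode's rate into the ISO 26262-5 Annex C buckets."""
    if fm.safe:
        return {"safe": fm.fit, "spf_rf": 0.0, "mpf_latent": 0.0, "mpf_detected": 0.0}
    # dc_rf == 0 means no mechanism: the whole rate is single-point (SPF);
    # otherwise the uncovered remainder is the residual fault rate (RF).
    spf_rf = fm.fit * (1.0 - fm.dc_rf)
    covered = fm.fit - spf_rf                    # cannot violate the goal on its own
    mpf_latent = covered * (1.0 - fm.dc_latent)  # covered, but never revealed -> latent
    return {"safe": 0.0, "spf_rf": spf_rf,
            "mpf_latent": mpf_latent, "mpf_detected": covered - mpf_latent}


def spfm(modes):
    """SPFM = 1 - sum(lambda_SPF + lambda_RF) / sum(lambda) over safety-related elements."""
    total = sum(fm.fit for fm in modes)
    return 1.0 - sum(partition(fm)["spf_rf"] for fm in modes) / total


def lfm(modes):
    """LFM = 1 - sum(lambda_MPF,latent) / sum(lambda - lambda_SPF - lambda_RF)."""
    parts = [partition(fm) for fm in modes]
    denom = sum(fm.fit for fm in modes) - sum(p["spf_rf"] for p in parts)
    return 1.0 - sum(p["mpf_latent"] for p in parts) / denom


def diagnostic_coverage(modes, element):
    """DC of one element: failures detected/controlled by a mechanism over all its failures."""
    own = [fm for fm in modes if fm.element == element]
    total = sum(fm.fit for fm in own)
    detected = sum(fm.fit - partition(fm)["spf_rf"] for fm in own if not fm.safe)
    return detected / total


def single_point_rate_per_hour(modes):
    """Single-point + residual failure rate in 1/h.  This is only a lower bound on
    PMHF (simplification): the full PMHF also counts dual-point faults and exposure."""
    return sum(partition(fm)["spf_rf"] for fm in modes) / FIT_HOURS


def mean_years_between_failures(fit):
    return FIT_HOURS / (fit * HOURS_PER_YEAR)   # 1 FIT -> about 114,155 years


# Targets from the ISO 26262 Part 5 table: (SPFM, LFM, PMHF in 1/h).
ASIL_TARGETS = {"B": (0.90, 0.60, 1e-7), "C": (0.97, 0.80, 1e-7), "D": (0.99, 0.90, 1e-8)}


def meets_asil(modes, asil):
    spfm_t, lfm_t, pmhf_t = ASIL_TARGETS[asil]
    return (spfm(modes) >= spfm_t and lfm(modes) >= lfm_t
            and single_point_rate_per_hour(modes) < pmhf_t)


# Constructed sample: a small CPU subsystem (all names and numbers invented).
SAMPLE = [
    FailureMode("cpu_alu",     fit=10.0, safe=False, dc_rf=0.99, dc_latent=0.90),  # lockstep core
    FailureMode("cpu_regfile", fit=5.0,  safe=False, dc_rf=0.90, dc_latent=0.90),  # ECC-protected
    FailureMode("debug_logic", fit=2.0,  safe=True,  dc_rf=0.0,  dc_latent=0.0),   # not in the safety path
    FailureMode("clock_div",   fit=1.0,  safe=False, dc_rf=0.0,  dc_latent=0.0),   # unprotected: pure SPF
]

if __name__ == "__main__":
    print(f"SPFM={spfm(SAMPLE):.3f} LFM={lfm(SAMPLE):.3f} "
          f"SPF+RF={single_point_rate_per_hour(SAMPLE):.2e}/h")
    for asil in "BCD":
        print(f"ASIL {asil}: {'meets' if meets_asil(SAMPLE, asil) else 'fails'}")
```

With the constructed numbers the unprotected clock divider alone costs about 5.5 points of SPFM, which is why the sample lands at ASIL B but not ASIL C: the metric is dominated by whichever safety-related element has no mechanism at all, not by the average coverage.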
MENTOR SAFE IC
Developing Safe ICs: ICs must operate correctly & fail safely for ISO 26262 functional safety
(Figure: the IC development process and the safety development process side by side, with the Mentor Safe IC pillars spanning both.)

IC Development Process (operate correctly; systematic faults):
System Specification -> Architectural Design -> Functional Design -> Functional Verification -> Circuit Design -> Physical Design -> Physical Verification -> Fabrication

Safety Development Process (fail safely; random HW faults):
Requirements & Traceability, FMEDA, Safety Mechanisms, Fault Injection, Safety Planning, Compliance

Mentor Safe IC pillars: Lifecycle Management, Safety Analysis, Design for Safety, Safety Verification, Tool Qualification

Products by pillar:
• Design for Safety: Safety Synthesis, Tessent BIST
• Safety Analysis: SafetyScope™
• Safety Verification: KaleidoScope™, Questa Formal, Veloce Fault App, Tessent DefectSim
• Lifecycle Management: Siemens Polarion, Questa Verification Management
Mentor Safe IC: Most complete functional safety IC solution automating the path to compliance
• Understanding risks associated with design faults through FMEDA analysis
• Mitigating potential failures through the insertion of safety mechanisms
• Managing the complete functional safety lifecycle from planning to compliance
• Providing evidence for compliance through multi-domain fault injection

(Figure: Mentor Safe IC flow with the pillars Lifecycle Management, Safety Verification, Safety Analysis and Design for Safety, positioned against performance, compliance and productivity.)
LIFECYCLE MANAGEMENT
Polarion - Functional Safety Lifecycle Management: Managing the complexities of development within the framework of functional safety
Siemens Polarion ALM: Increased efficiency & reduced risk through collaboration & automation
• Requirements management & traceability
• Change & configuration management
• Safety planning
• Functional safety workflows & governance
• Audit & review management
• Cross-project collaboration & visibility
Polarion & Questa Verification Management: Automatic requirement-driven verification with full traceability through the development flow
(Figure: requirement-driven verification flow.)
• Higher-level requirements -> verification requirements ("derived from" relationship)
• Verification requirements -> assertions, directives, coverpoints and directed tests ("verified by" relationship)
• Enterprise-level requirements management (Polarion) -> automatic testplan creation -> testplan
• Questa® Testplan Tracker and Questasim produce UCDBs; Questa® merge combines them into a results UCDB; Questa® HTML/text reporting
• Integrated traceability between requirements, testplan and results
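As an added example, not Polarion or Questa code, the following Python models the traceability chain the flow describes: higher-level requirements, verification requirements "derived from" them, the assertions, coverpoints and directed tests that "verify" each one, and per-run results merged the way coverage databases are merged (an item counts as covered once any run covers it). It then rolls coverage up to each higher-level requirement and lists the breaks in the chain. The requirement and test identifiers are invented.

```python
# Added example, not Polarion or Questa code: a minimal requirement-to-test
# traceability model with merged results, roll-up per requirement and gap report.
from collections import defaultdict


class Traceability:
    def __init__(self):
        self.requirements = set()              # higher-level requirements
        self.derived_from = defaultdict(set)   # verification req -> parent requirement(s)
        self.verified_by = defaultdict(set)    # verification req -> assertion/coverpoint/test names
        self.results = {}                      # item name -> True once any run passed/covered it

    def requirement(self, hlr):
        self.requirements.add(hlr)

    def derive(self, vreq, hlr):
        """Record that verification requirement `vreq` is derived from `hlr`."""
        self.requirements.add(hlr)
        self.derived_from[vreq].add(hlr)

    def verify(self, vreq, item):
        """Record that `vreq` is verified by assertion/coverpoint/test `item`."""
        self.verified_by[vreq].add(item)
        self.derived_from.setdefault(vreq, set())

    def merge(self, run):
        """Merge one run's results (item -> bool); covered status is sticky across runs,
        like merging several UCDBs into one results database."""
        for item, ok in run.items():
            self.results[item] = self.results.get(item, False) or bool(ok)

    def items_for(self, hlr):
        """All verification items that trace up to higher-level requirement `hlr`."""
        return {item for vreq, parents in self.derived_from.items() if hlr in parents
                for item in self.verified_by[vreq]}

    def rollup(self, hlr):
        """Fraction of `hlr`'s verification items that are covered (0.0 if none exist)."""
        items = self.items_for(hlr)
        if not items:
            return 0.0
        return sum(1 for it in items if self.results.get(it, False)) / len(items)

    def gaps(self):
        """Traceability breaks: requirements with no derived verification requirement,
        and verification requirements with no verifying item."""
        with_children = {p for parents in self.derived_from.values() for p in parents}
        orphan_reqs = sorted(self.requirements - with_children)
        empty_vreqs = sorted(v for v in self.derived_from if not self.verified_by[v])
        return orphan_reqs, empty_vreqs


def build_sample():
    """Constructed sample (all identifiers invented)."""
    t = Traceability()
    t.derive("VR-01.1", "SG-01")            # SG-01: no spurious actuator firing
    t.verify("VR-01.1", "assert_no_fire_without_cmd")
    t.verify("VR-01.1", "cov_cmd_sequence")
    t.derive("VR-01.2", "SG-01")
    t.verify("VR-01.2", "test_dual_channel_mismatch")
    t.derive("VR-02.1", "SG-02")            # derived, but nothing verifies it yet
    t.requirement("SG-03")                  # captured, but never refined
    # Two constructed regression runs, merged like two UCDBs.
    t.merge({"assert_no_fire_without_cmd": True, "cov_cmd_sequence": False})
    t.merge({"cov_cmd_sequence": True, "test_dual_channel_mismatch": False})
    return t


if __name__ == "__main__":
    t = build_sample()
    for hlr in sorted(t.requirements):
        print(f"{hlr}: {t.rollup(hlr):.0%} of verification items covered")
    print("gaps (unrefined requirements, unverified verification requirements):", t.gaps())
```

The gap report is the part an assessor cares about: a requirement that rolls up to 0% because nothing was ever linked to it looks the same as one whose tests all fail unless the two cases are separated, which is what `gaps()` does.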
SAFETY ANALYSIS
Austemper™ SafetyScope™: Safety analysis solution
(Figure: SafetyScope™ flow. Inputs: mission profile, design files, diagnostic coverage mechanism. SafetyScope computes the FMEDA FIT rate & diagnostic coverage and produces a coverage contribution report, the FMEDA FIT rate & diagnostic coverage, and a fault injection list. Results connect to Lifecycle Management, IC Development, Design for Safety and Safety Verification.)
SafetyScope™ FIT Computation: IEC 62380 is used to calculate Failure In Time (FIT)
IEC 62380 FIT equation inputs (all input files): Lambda file, temperature profile, mission profile, mission profile phase, package material, package spec.

FIT_Design = Σ FIT_Endpoints
#Transistors for endpoint (EP) = #Transistors_Cone + #Transistors_Endpoint
Default #Transistors per endpoint type (figure): 62, 6, 2
DESIGN FOR SAFETY
Austemper™ Safety Synthesis: Automatic safety mechanism insertion in RTL
(Figure: Safety Synthesis flow. Unsafe design + macro list -> automated and verifiable safety mechanism insertion -> safe design. Resilience check and equivalency check on the safe design; safety mechanism verification feeds Safety Verification. Links to IC Development and Safety Analysis.)
Austemper Safety Synthesis Advantage: Industry's only automated safety mechanism insertion solution
Feature                                      Annealer™                                   RadioScope™
Error Detection & Correction
  Hamming code based n-bit detect/m-bit correct   ✓                                      ✓
  Structures supported                       RAM, ROM, Reg Files, FIFOs, Stacks          Flip-Flop Banks
  User-defined structure selection           ✓                                           ✓
  Auto-grouping of structures                ✓ (one product)
  User selectable protection (Parity, EDC, ECC)   ✓                                      ✓
  Multi-pass w/ incremental safety insertion mode ✓                                      ✓
Fault Tolerance
  Redundancy                                 Macro/Module Level                          Localized Logic Cones
  Duplication/Triplication                   ✓                                           ✓
  Multi clock designs                        ✓                                           ✓
  Auto-identification                        Memories                                    State Machines
Protocol Checks
  Covered Items                              Interface parity/protocol, FIFO overflow/underrun   FSM valid states and transitions
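As an added example, not Austemper Annealer or RadioScope code, the following Python shows the three protection levels the table names (parity, EDC, ECC) and the duplication/triplication row at bit level: parity detects any odd number of flipped bits, a Hamming code with an added overall-parity bit (SEC-DED) corrects one flipped bit and detects two, duplication can only flag a mismatch, and triplication votes it out. The data word is constructed for the demonstration.

```python
# Added example, not Austemper code: parity, Hamming SEC-DED, duplication and
# triplication as bit-level Python, on a constructed 8-bit register value.


def parity_bit(bits):
    """Even parity over a list of 0/1 bits."""
    return sum(bits) % 2


def parity_ok(bits_with_parity):
    """True when the word (data + parity bit) still has even parity."""
    return sum(bits_with_parity) % 2 == 0


def hamming_encode(data):
    """SEC-DED encode: parity bits at positions 1, 2, 4, 8, ..., data elsewhere,
    plus one overall parity bit appended at the end."""
    m = len(data)
    r = 0
    while (1 << r) < m + r + 1:          # smallest r with 2^r >= m + r + 1
        r += 1
    n = m + r
    code = [0] * (n + 1)                  # 1-indexed; code[0] unused
    d = iter(data)
    for i in range(1, n + 1):
        if i & (i - 1):                   # not a power of two: data position
            code[i] = next(d)
    for p in range(r):
        pos = 1 << p                      # parity bit p covers positions with bit p set
        code[pos] = sum(code[i] for i in range(1, n + 1) if i & pos) % 2
    overall = sum(code[1:]) % 2
    return code[1:] + [overall]


def hamming_decode(word):
    """Return (data, status) with status 'ok', 'corrected' or 'uncorrectable'."""
    overall_ok = sum(word) % 2 == 0
    code = [0] + list(word[:-1])
    n = len(code) - 1
    syndrome = 0
    for i in range(1, n + 1):
        if code[i]:
            syndrome ^= i                 # XOR of the positions holding a 1
    if syndrome == 0 and overall_ok:
        status = "ok"
    elif not overall_ok:
        # odd number of flips: a single error at `syndrome` (or in the overall bit)
        if syndrome:
            code[syndrome] ^= 1
        status = "corrected"
    else:
        status = "uncorrectable"          # even number of flips: two-bit error detected
    data = [code[i] for i in range(1, n + 1) if i & (i - 1)]
    return data, status


def dual_compare(a, b):
    """Duplication: True when both copies agree; a mismatch cannot say which copy is right."""
    return a == b


def tmr_vote(a, b, c):
    """Triplication: per-bit majority vote, plus whether any copy disagreed."""
    voted = [int(x + y + z >= 2) for x, y, z in zip(a, b, c)]
    return voted, not (a == b == c)


DATA = [1, 0, 1, 1, 0, 0, 1, 0]          # constructed 8-bit register value

if __name__ == "__main__":
    cw = hamming_encode(DATA)             # 8 data + 4 Hamming + 1 overall = 13 bits
    one = cw[:]; one[5] ^= 1
    print(hamming_decode(one))            # single flip: corrected
    two = cw[:]; two[2] ^= 1; two[8] ^= 1
    print(hamming_decode(two))            # double flip: uncorrectable, but detected
    print(tmr_vote([1, 0, 1], [1, 0, 1], [0, 0, 1]))
```

The distinction that matters for the diagnostic-coverage claim is the "uncorrectable" branch: a plain Hamming code without the overall parity bit would silently mis-correct a double-bit error into a third wrong word, which is why the SEC-DED variant is the usual choice for safety-related memories and register files.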
Tessent BIST & MissionMode: System-controlled diagnostic testing for detection of permanent faults
(Figure: MBIST & LBIST engines under a MissionMode controller, run at Key Off, Key On or Online.)

BIST
• Efficient fault detection mechanism for permanent faults
• Long detection interval
• Complements Safety Synthesis: latent faults, secondary checking
SAFETY VERIFICATION
Digital IC Fault Injection tools: SafetyScope™, Questa SafeCheck, KaleidoScope™, Veloce Fault App, KaleidoScope™ HSE & VPS
Digital IC Safety Verification: Successive refinement to optimize the fault injection campaign and maximize results
Safety Analysis
• Fault list generation
• Initial fault list pruning

Formal Analysis
• Formally optimized & prioritized fault list to improve efficiency downstream
• Exhaustively prove stimulus dependent results

Simulation
• High performance, concurrent fault simulation
• Smart fault campaign management

Emulation
• Accelerate fault injection of large, complex SoCs or long testcases
• Only approach to understand how SW safety mechanisms react to HW faults

FPGA Prototyping
• Accelerate fault injection on FPGA prototypes
• Test fault injection within system context
Austemper KaleidoScope™: Concurrent fault simulation
(Figure: KaleidoScope™ flow. Inputs: safe design, RTL sims, fault list. KaleidoScope runs managed, high-performance safety verification and reports safety alarms; results feed Safety Analysis, which credits diagnostic coverage.)

Fault classification:
• Alarm Triggered -> Safe Fault (credit diagnostic coverage)
• Error Masked -> Safe Fault
• Alarm Not Triggered -> Unsafe Fault
• Not Resolved -> KaleidoScope HSE, further analysis…
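As an added example, not KaleidoScope code, the following Python classifies each injected fault of a campaign into the outcome buckets of the flow above (alarm triggered, error masked, alarm not triggered, not resolved), credits diagnostic coverage from the result, and lists the unresolved faults to hand to the next refinement stage. The result lines are constructed for the example, and the fields they carry (alarm, propagated, resolved) are an assumption about what a campaign result contains, not the tool's real format.

```python
# Added example, not KaleidoScope code: classify constructed fault-campaign
# results into the slide's buckets and credit diagnostic coverage.

# Constructed campaign results; the column layout is an assumption, not a real tool format.
SAMPLE_RESULTS = """\
# fault_id location                model alarm propagated resolved
F001 cpu.alu.adder[3]              SA0   1     1          1
F002 cpu.alu.adder[7]              SA1   0     0          1
F003 cpu.regfile.r5[0]             SA0   0     1          1
F004 cpu.ctrl.fsm.state[1]         SA1   0     0          0
F005 cpu.regfile.r9[12]            SA1   1     0          1
F006 cpu.ctrl.decode.op[2]         SA0   0     1          1
"""

BUCKETS = ("alarm_triggered", "error_masked", "alarm_not_triggered", "not_resolved")


def parse_results(text):
    """Parse whitespace-separated result lines; '#' lines are comments."""
    faults = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fid, loc, model, alarm, prop, resolved = line.split()
        faults.append({"id": fid, "location": loc, "model": model,
                       "alarm": alarm == "1", "propagated": prop == "1",
                       "resolved": resolved == "1"})
    return faults


def classify(fault):
    """Map one result onto the slide's outcome buckets."""
    if not fault["resolved"]:
        return "not_resolved"             # hand over to HSE / further analysis
    if fault["alarm"]:
        return "alarm_triggered"          # safe fault: the safety mechanism caught it
    if not fault["propagated"]:
        return "error_masked"             # safe fault: never reached an observation point
    return "alarm_not_triggered"          # unsafe fault: corrupted output and no alarm


def campaign_summary(text):
    """Bucket counts, credited DC and the list of faults to forward for resolution."""
    counts = {k: 0 for k in BUCKETS}
    forward = []
    for f in parse_results(text):
        bucket = classify(f)
        counts[bucket] += 1
        if bucket == "not_resolved":
            forward.append(f["id"])
    detected = counts["alarm_triggered"]
    undetected = counts["alarm_not_triggered"]
    unresolved = counts["not_resolved"]
    # DC credited over the dangerous (non-masked) faults that were resolved ...
    dc = detected / (detected + undetected) if detected + undetected else 0.0
    # ... and a pessimistic figure that treats every unresolved fault as undetected.
    worst = detected + undetected + unresolved
    dc_pessimistic = detected / worst if worst else 0.0
    return {"counts": counts, "dc": dc, "dc_pessimistic": dc_pessimistic,
            "forward_to_hse": forward}


if __name__ == "__main__":
    s = campaign_summary(SAMPLE_RESULTS)
    print(s["counts"])
    print(f"DC credited: {s['dc']:.0%}  (pessimistic: {s['dc_pessimistic']:.0%})")
    print("forward to HSE:", s["forward_to_hse"])
```

Carrying both DC figures is deliberate: the gap between them is exactly the value of resolving the leftover faults with the hybrid extension, and it tells you whether the unresolved set is worth the extra runs before the metric is claimed.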
Austemper KaleidoScope™ HSE: Hybrid Simulation Extension for guaranteed fault resolution
(Figure: KaleidoScope™ HSE flow. Inputs: RTL design files, netlist design files, test case. Automatic fault embedding of the injected fault, then execution on the engine of choice: simulator (Questa), mixed-signal (Questa ADMS), emulation (Veloce) or FPGA (VPS). Results feed Safety Analysis and IC Development.)

KaleidoScope™ HSE: Fault injection to resolve any fault
• Alarm Triggered -> Safe Fault (credit diagnostic coverage)
• Error Masked -> Safe Fault
• Alarm Not Triggered -> Loss of diagnostic coverage
CONCLUSION
Top Functional Safety IC Challenges: How Mentor + Siemens can accelerate your path to compliance
CHALLENGE -> HOW MENTOR CAN HELP
• Use qualified tools to ensure a safe development tool chain -> Mentor Safe Tool Qualification: most extensive EDA tool qualification program
• Establish a safety culture and practices -> Mentor Consulting and Siemens Polarion: extensive safety-critical experience and software to guide the adoption
• Adopt requirements-driven development -> Siemens + Mentor Requirements Management: only requirements management solution w/ traceability to EDA
• Deliver ISO 26262 & IEC 61508 fault metrics -> Mentor Safety Analysis: most accurate automated metric computation and safety exploration
• Enhance designs to mitigate effects of random hardware faults -> Mentor Design for Safety: only automated safety mechanism insertion to increase design safety
• Prove designs are sufficiently safe from random hardware faults -> Mentor Safety Verification: most extensive fault injection platform to validate metrics
Q&A
Mentor Safe - Tool Qualification: ISO 26262 report certification that streamlines the compliance process
◼ Mentor Safe
— Certified qualification reports for the Mentor tool portfolio
— Broadest portfolio of qualified tools
— https://www.mentor.com/solutions/automotive/subsystems-technology/functional-safety-iso26262
◼ TUEV-Saar ISO 26262
Qualified tools:
• Questa Sim & Verification Management
• Questa CDC & Formal
• Questa Visualizer
• Analog / Mixed-Signal Simulation
• Veloce StratoOS
• Calypto
• Tessent
• Calibre
www.mentor.com