Rethinking your approach to Safety Analysis
Dirk Hansen
Functional Safety Field Specialist
Restricted © 2020 Mentor Graphics Corporation
Agenda
• Functional Safety Introduction
• Safety Analysis
  — Failure rate calculation
  — Initial safety assessment
  — Safety architecture exploration
• Analysis within larger FuSa workflow
• Conclusion
What is Functional Safety?
Driving down risk of malfunctioning due to failures

Systematic Faults: Does my product operate correctly? (E/E Safety - ISO 26262)
• Incomplete specs
• Design bugs
• Manufacturing defects

Random Faults: Does my product fail safely? (E/E Safety - ISO 26262)
• EMI or electro-migration
• Permanent or transient

System Faults: Does my system operate safely? (SOTIF – ISO 21448)
• Environmental
• External causes
• V2X

Malicious Faults: Is my product secure from hacking? (Cyber Security - ISO 21434)
• Encryption Vulnerabilities
• Denial of Service
• Untrusted IC
Developing Safe ICs
Automotive ICs must operate correctly & fail safely

IC Development Workflows (figure): two parallel tracks, "Operate Correctly" and "Fail Safely", framed by the ISO 26262 Safety Lifecycle and the ISO 26262 V-model
• Operate Correctly: System Specification, Architecture & Modeling, Functional Design, Circuit Design and Verification, Functional Verification, Physical Design and Verification, Fabrication
• Fail Safely: Safety Planning, Safety Analysis, Safety Insertion, Safety Verification, Compliance
Safety Analysis: The Basics
Understanding current safeness achieved and enhancement required to meet safety targets

Goals
• Identifying the optimal safety architecture which meets power, performance, and area targets
• Validate expert driven estimation of safety metrics
• Fault metric data management
• Eliminate inaccurate results and late changes

Safety Analysis (figure): FMEDA, FIT Rate and Safety Explore, on the "Fail Safely" track
Safety Analysis: Failure Rate Calculation
Calculating Base Failure Rate (BFR) with SafetyScope™

BFR Computation
— User configurable profile
— Structural analysis
— IEC 62380 BFR Model
— Hierarchical analysis and roll-up
— Die and package BFR

BFR Contribution
— BFR metrics and reporting
— Contribution reports & hot-spot analysis
— Systematically address safety architecture
— Uncovered nodes

Inputs to the BFR computation (figure): IEC 62380 BFR Model, Design Structural Analysis, Package Materials, Package Specification, Target technology, Mission Profile

BFR Metrics Contribution Report (figure): permanent and transient contribution per instance, rolled up through the hierarchy, with top.instB.EP5 flagged as the biggest contributor

Instance Name   Perm%  Trans%
top               100     100
top.instA          10      15
top.instA.EP1      10      15
top.instB          90      85
top.instB.EP2      10      15
top.instB.EP3      10      15
top.instB.EP4      10      15
top.instB.EP5      60      45
Startpoints (SP), Endpoints (EP), and Cones
SafetyScope™ uses SPs, EPs, and Cones as structural building blocks to calculate FIT, D.C, and more

Startpoints
• Outputs of black box
• State Element Outputs
• Primary Inputs

Endpoints
• Inputs to black box
• State Element Inputs
• Primary Outputs

Cones
• Gates between Startpoints and Endpoints
• Cones may intersect and overlap

(Figure: a netlist with primary inputs In_1, In_2, In_3, a Black Box, and primary outputs Out_1, Out_2)
SafetyScope™ FIT Computation (λdie)
IEC 62380 is used to calculate Failure In Time (FIT)

(Figure: the IEC 62380 FIT Equation takes the LambdaFile, Temperature Profile and Mission Profile input files plus the SafetyScope™ Analysis described on the next slide)

SafetyScope™ requires a series of input files defining
— Technology node
— Operating profile
— Temperature profile

SafetyScope™ uses input files plus design analysis to calculate FIT score
SafetyScope™ FIT Rate Computation
Failure in Time (FIT) is calculated using IEC 62380 model

IEC 62380 FIT Rate Computation Model
• SafetyScope™ provides #Transistors argument to FIT computation
• #Transistors for Endpoint (EP) = #Transistors_Endpoint + #Transistors_Cone
• FIT is calculated on a per endpoint (EP) basis
• FIT_Design = Σ FIT_Endpoints
• SafetyScope™ performs internal synthesis to get gate representation
• Final FIT must be calculated on synthesized design
• Overlapping transistors will only be counted once towards FIT

(Figure: an endpoint with its cone, annotated with default transistor counts of 62, 6 and 2 for the element types shown)
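The per-endpoint counting rule above, as an added example that is not SafetyScope™ or Mentor code: a constructed gate-level netlist (GATES, GATE_TRANSISTORS, STARTPOINTS, ENDPOINTS are all made up here) is walked backwards from each endpoint to its startpoints to find the cone, a shared gate is attributed to only one endpoint so that the sum over endpoints equals the design total, and the FIT is derived from a placeholder per-transistor rate rather than the IEC 62380 model.

```python
# Added example, not SafetyScope(TM) code: per-endpoint transistor counting with
# overlapping cones, following the slide's rule
#   #Transistors(EP) = #Transistors_Endpoint + #Transistors_Cone
#   FIT_Design = sum(FIT_Endpoints), overlapping transistors counted once.
from typing import Dict, List, Set, Tuple

# Constructed netlist. A gate maps to the nets it reads; a net is either a
# startpoint (primary input / flop Q output) or the output of another gate.
GATES: Dict[str, List[str]] = {
    "g1": ["in_1", "in_2"],
    "g2": ["g1", "in_3"],
    "g3": ["g1", "q_a"],      # g1 is shared by the cones of g2 and g3
}
GATE_TRANSISTORS: Dict[str, int] = {"g1": 6, "g2": 6, "g3": 8}   # constructed counts
STARTPOINTS: Set[str] = {"in_1", "in_2", "in_3", "q_a"}
# Endpoints: (net driving the endpoint, transistors of the endpoint element itself).
# ff_a / ff_b are flop D inputs, out_1 is a primary output with an output buffer.
ENDPOINTS: Dict[str, Tuple[str, int]] = {
    "ff_a": ("g2", 24),
    "ff_b": ("g3", 24),
    "out_1": ("g1", 4),
}
RATE_PER_TRANSISTOR_FIT = 1e-3   # placeholder; the real model is IEC 62380


def cone(net: str) -> Set[str]:
    """Gates between the startpoints and `net` (transitive fan-in, DFS)."""
    seen: Set[str] = set()
    stack = [net]
    while stack:
        n = stack.pop()
        if n in STARTPOINTS or n in seen:
            continue
        seen.add(n)
        stack.extend(GATES[n])
    return seen


def transistors_per_endpoint() -> Dict[str, int]:
    """Endpoint element + its cone gates; a gate already claimed by an earlier
    endpoint's cone is not counted again, so the per-EP counts sum to the design total."""
    claimed: Set[str] = set()
    counts: Dict[str, int] = {}
    for ep, (net, elem) in ENDPOINTS.items():
        new_gates = cone(net) - claimed
        claimed |= new_gates
        counts[ep] = elem + sum(GATE_TRANSISTORS[g] for g in new_gates)
    return counts


def design_transistors() -> int:
    """Independent check: union of all cones plus all endpoint elements."""
    gates = set().union(*(cone(net) for net, _ in ENDPOINTS.values()))
    return sum(GATE_TRANSISTORS[g] for g in gates) + sum(e for _, e in ENDPOINTS.values())


def overlap_transistors() -> int:
    """How many transistors a naive per-cone sum would double count."""
    naive = sum(elem + sum(GATE_TRANSISTORS[g] for g in cone(net))
                for net, elem in ENDPOINTS.values())
    return naive - design_transistors()


def fit(transistors: int) -> float:
    """FIT from a transistor count using the placeholder rate."""
    return transistors * RATE_PER_TRANSISTOR_FIT


def design_fit() -> float:
    """FIT_Design = sum of per-endpoint FIT."""
    return sum(fit(n) for n in transistors_per_endpoint().values())


if __name__ == "__main__":
    for ep, n in transistors_per_endpoint().items():
        print(f"{ep:6s} {n:3d} transistors  FIT={fit(n):.4f}")
    print("design:", design_transistors(), "transistors, overlap avoided:",
          overlap_transistors(), "FIT_Design =", round(design_fit(), 4))
```

Which endpoint a shared gate is attributed to changes the per-endpoint numbers (and therefore a contribution report) but not the design total; the attribution order here is simply the order of ENDPOINTS.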
SafetyScope™ FIT Computation (λpackage)
IEC 62380 is used to calculate Failure In Time (FIT)

(Figure: the IEC 62380 FIT Equation for the package takes the Mission Profile Phase, Package Material and Package Spec input files)
Diagnostic Coverage
Definition
• DC is the effectiveness of a safety mechanism to detect a fault.
• DC is a percentage calculated from the structural building blocks, startpoints (SPs), endpoints (EPs), and cones.
• Mathematically, it is the ratio of the failures detected and/or controlled by a safety mechanism to the total failures in the element.
Safety Analysis: FMEDA Validation
Proving FMEDA top-down estimations with SafetyScope™

• Calculate diagnostic coverage on existing safety mechanisms
• Perform diagnostic coverage gap analysis to identify "hot spots"

(Figure: Doorbell block diagram with FIFO, DMA Interface, Routing, Direct Access Routing, Control & Status, APB, Doorbell Packet Processor and Cache Controller; only the FIFO carries a safety mechanism, ECC, giving an SM achievable diagnostic coverage of 45%)

Top Module  Sub-Module      Technology        Lambda Perm  Lambda Tran  DC Perm  DC Tran  Safety Mechanism(s)
dbr_top                                       5.31825      1.0799406    0.45     0.87
            dbr_fifo        CUST.STD.SRAM     0.002694     0.8651861    0.99     0.99     CUST_SM_MEM_ECC
            dbr_ctrl_stat   CUST.STD.STDCELL  0.0675991    0.0874085    -        -        -
            dbr_cache_ctrl  CUST.STD.STDCELL  0.0531754    0.0202821    -        -        -
            dbr_pkt_proc    CUST.STD.STDCELL  5.065515     0.102304     -        -        -
            dbr_dma_router  CUST.STD.STDCELL  0.131793     0.0070639    -        -        -
            dbr_dir_acc     CUST.STD.STDCELL  0.0600261    0.0572787    -        -        -
Safety Exploration Workflow
Estimate achievable DC early on to guide and measure effectiveness of proposed SMs

Workflow (figure): Review FIT Contribution Reports → Meets Safety Target? → if No: Analyze and Estimate DC, Propose SMs, RTL Enhancement, then review again; if Yes: done

SM Estimated Diagnostic Coverage
DC Mechanism                Diagnostic Coverage   Resource     Description
                            Permanent  Transient  Utilization
Endpoint Parity             99         99         ↑            Parity added to Flip Flops
Endpoint/Cone Duplication   99         99         ↑↑           Logic Cone and EP Replication
Endpoint/Cone Triplication  99         99         ↑↑↑          Logic Cone and EP Replication
Endpoint ECC                99         99         ↑            ECC For Registers
Logic BIST                  99         0          ↑            LBIST : RunTime
Memory ECC                  99         99         ↑            Memory ECC with control coverage
Safety Analysis: Architecture Exploration
Establishing the optimal safety architecture with SafetyScope™

• Close fault coverage holes by proposing additional safety mechanisms and estimating DC
• Evaluate different safety architectures given Power, Performance, and Area targets

(Figure: the same Doorbell block diagram, now with Reg Parity on Control & Status, a Packet CRC generator and Packet CRC checker around the Doorbell Packet Processor and routing, and a Lockstep Cache Controller; the SM achievable diagnostic coverage rises from 45% with ECC alone through 70% and 83% to 91% as Reg Parity, Lockstep and Packet CRC are added, so the new SMs achieve safety)

Top Module  Sub-Module      Technology        Lambda Perm  Lambda Tran  DC Perm  DC Tran  Safety Mechanism(s)
dbr_top                                       5.31825      1.0799406    0.45     0.87
            dbr_fifo        CUST.STD.SRAM     0.002694     0.8651861    0.99     0.99     CUST_SM_MEM_ECC
            dbr_ctrl_stat   CUST.STD.STDCELL  0.0675991    0.0874085    0.90     0.90     CUST_SM_REG_PAR
            dbr_cache_ctrl  CUST.STD.STDCELL  0.0531754    0.0202821    0.99     0.99     CUST_SM_INST_DUP
            dbr_pkt_proc    CUST.STD.STDCELL  5.065515     0.102304     0.78     0.78     CUST_SM_DP_CRC
            dbr_dma_router  CUST.STD.STDCELL  0.131793     0.0070639    0.81     0.81     CUST_SM_DP_CRC
            dbr_dir_acc     CUST.STD.STDCELL  0.0600261    0.0572787    -        -        -
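The DC definition (ratio of detected to total failures), the FMEDA roll-up table and the exploration step of proposing an SM for a hot spot, carried through in one added example that is not SafetyScope™ or Mentor code. The rows, sub-module names, failure rates and DC values are constructed sample data, not the slide's numbers; the roll-up treats a top-level DC as the λ-weighted average of the sub-module DCs, which is the detected failure rate divided by the total failure rate.

```python
# Added example, not SafetyScope(TM) code: FMEDA-style roll-up, hot-spot ranking and
# what-if exploration on a constructed table of sub-module failure rates.
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Row:
    sub_module: str
    technology: str
    lambda_perm: float            # permanent failure rate, FIT
    lambda_tran: float            # transient failure rate, FIT
    dc_perm: Optional[float]      # None == no safety mechanism ("-" in the table)
    dc_tran: Optional[float]
    safety_mechanism: Optional[str]


# Constructed sample rows (names and values are made up for the example).
SAMPLE: List[Row] = [
    Row("fifo",       "SRAM",    0.01, 0.80, 0.99, 0.99, "MEM_ECC"),
    Row("ctrl_stat",  "STDCELL", 0.07, 0.09, None, None, None),
    Row("pkt_proc",   "STDCELL", 5.00, 0.10, None, None, None),
    Row("dma_router", "STDCELL", 0.12, 0.01, 0.81, 0.81, "DP_CRC"),
]


def rollup(rows: List[Row]) -> Dict[str, float]:
    """Top-module lambda is the sum of the rows; top-module DC is
    (sum of lambda_i * DC_i) / (sum of lambda_i), i.e. detected / total failures."""
    lam_p = sum(r.lambda_perm for r in rows)
    lam_t = sum(r.lambda_tran for r in rows)
    det_p = sum(r.lambda_perm * (r.dc_perm or 0.0) for r in rows)
    det_t = sum(r.lambda_tran * (r.dc_tran or 0.0) for r in rows)
    return {"lambda_perm": lam_p, "lambda_tran": lam_t,
            "dc_perm": det_p / lam_p, "dc_tran": det_t / lam_t}


def hot_spots(rows: List[Row], top_n: int = 2) -> List[str]:
    """DC gap analysis: sub-modules ranked by undetected permanent failure rate."""
    gaps = [(r.lambda_perm * (1.0 - (r.dc_perm or 0.0)), r.sub_module) for r in rows]
    return [name for _, name in sorted(gaps, reverse=True)[:top_n]]


def propose(rows: List[Row], sub_module: str, dc: float, mechanism: str) -> List[Row]:
    """Exploration step: assume an SM with estimated DC on one sub-module and
    return the updated table without touching the original."""
    return [replace(r, dc_perm=dc, dc_tran=dc, safety_mechanism=mechanism)
            if r.sub_module == sub_module else r for r in rows]


if __name__ == "__main__":
    before = rollup(SAMPLE)
    print("before:", {k: round(v, 4) for k, v in before.items()})
    print("hot spots:", hot_spots(SAMPLE))
    after = rollup(propose(SAMPLE, hot_spots(SAMPLE)[0], 0.78, "DP_CRC"))
    print("after :", {k: round(v, 4) for k, v in after.items()})
```

The ranking is by λ·(1 − DC), not by DC alone: a sub-module with no SM but a tiny failure rate contributes almost nothing to the top-level gap, while a large-λ block with no coverage dominates the permanent DC however good the other mechanisms are.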
Safety Analysis: Diagnostic Coverage Analysis
Endpoint and end-to-end diagnostic coverage analysis

Endpoint Coverage Analysis
• Input DC (sourced from ISO 26262)
• (Figure: a D port Parity Calculation and a Q port Parity Calculation around the endpoint flops are compared to raise an Alarm; a cone not covered by the Parity (ATD-EPAR) safety mechanism is marked)

End-to-End Coverage Analysis
• Analyzes end to end SMs such as parity, CRC, ECC, etc.
• NOCs, packet interfaces, transport mechanisms
• Analyzes COIs and DC between generation and check points
• Identifies and differentiates control vs. data path for DC
• (Figure, End to End Parity: at the generation point the bundle [8:0] is {parity, [7:0] data}; it passes through logic to a Parity Check; the datapath and endpoints covered by parity are marked, and routing logic not covered by parity is filtered out of the analysis)
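The end-to-end parity path above, as an added example that is not SafetyScope™ or Mentor code: a generation point builds the {parity, [7:0] data} bundle, a check point verifies it, and every single-bit stuck-at flip on the transported word is injected to measure what share of the fault list raises the alarm. A constructed, unprotected "control" signal routed outside the bundle is added to the fault list to show how an uncovered path pulls the element's DC below 100%, and a double-fault sweep shows the limit of parity as a mechanism.

```python
# Added example, not SafetyScope(TM) code: end-to-end even parity with exhaustive
# single-bit fault injection, computing DC = detected faults / total faults.
from typing import Dict, Iterator, Tuple

WORD_BITS = 8          # data[7:0]
BUNDLE_BITS = WORD_BITS + 1   # {parity, data[7:0]}


def parity(data: int) -> int:
    """Even parity of the data bits (XOR reduction)."""
    return bin(data & 0xFF).count("1") & 1


def generate(data: int) -> int:
    """Generation point: returns the 9-bit bundle {parity, data[7:0]}."""
    return (parity(data) << WORD_BITS) | (data & 0xFF)


def check(bundle: int) -> bool:
    """Check point: True means the alarm fires (stored parity != recomputed parity)."""
    data = bundle & 0xFF
    return ((bundle >> WORD_BITS) & 1) != parity(data)


def fault_list(control_bits: int) -> Iterator[Tuple[str, int]]:
    """Single-bit faults: each bit of the parity bundle, then each bit of a
    constructed control signal that is routed outside the bundle."""
    for b in range(BUNDLE_BITS):
        yield ("bundle", b)
    for b in range(control_bits):
        yield ("control", b)


def diagnostic_coverage(data: int, control_bits: int = 2) -> Dict[str, float]:
    """Inject every fault in the list on a transported word and count alarms."""
    bundle = generate(data)
    detected = total = 0
    for where, bit in fault_list(control_bits):
        total += 1
        if where == "bundle" and check(bundle ^ (1 << bit)):
            detected += 1
        # "control" faults never reach the parity checker: they are uncovered.
    return {"detected": detected, "total": total, "dc": detected / total}


def double_fault_escapes(data: int) -> int:
    """Number of two-bit flips inside the bundle that the check does not see."""
    bundle = generate(data)
    return sum(1 for i in range(BUNDLE_BITS) for j in range(i + 1, BUNDLE_BITS)
               if not check(bundle ^ (1 << i) ^ (1 << j)))


if __name__ == "__main__":
    print("datapath only:", diagnostic_coverage(0xA5, control_bits=0))
    print("with 2 uncovered control bits:", diagnostic_coverage(0xA5, control_bits=2))
    print("undetected double faults:", double_fault_escapes(0xA5), "of 36")
```

Separating the covered datapath from the uncovered control path is what the slide's "control vs. data path" distinction buys: the same parity mechanism reports 100% on the datapath it protects and a lower figure for the element as a whole, and the double-fault count is the reason the estimated DC for parity is quoted as 99 rather than 100.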
SafetyScope™ Impact on Safety Workflow
SafetyScope shifts left safety development to make smarter decisions earlier with fewer iterations

Typical Safety Workflow (figure): System Requirements → Functional Design → Functional Verification → Safety Insertion → Fault Campaign → Functional Verification after SM → Expert Judgement: Safety goals met? If N, iterate (Iter 1, Iter 2, Iter 3, ..., Iteration N-1, Iter N) until Y, then Final Metric Reporting
Each Iteration (Iter #)
• Update Requirements
• Perform Impact Analysis
• Add SMs
• Re-close DV
• Re-run fault campaign
Costly

The SafetyScope™ Advantage (figure): System Requirements → Functional Design → Functional Verification → Safety Analysis (automated; exploration guides enhancement and systematically achieves safety goals) → Safety Insertion → Fault Campaign → Functional Verification after SM → Final Metric Reporting, with Safety Requirements and FMEDA Validated
First Time Right Safe IC with Mentor Safe IC
Safety Analysis is an early activity in the larger random fault workflow

Random fault workflow (figure)
• Safety Analysis: FIT Rate Computation, Safety Exploration, Fault List Generation, DC Estimation; delivers FMEDA/FMEA, Safety Mechanism Guidance and a Fault List
• Design for Safety: Safety Mechanism Insertion, Safety Mechanism Verification
• Safety Verification: Fault List Optimization, Fault Simulation, Fault Emulation; delivers Validated Metrics
CONCLUSION

Meeting Functional Safety Requirements
Mentor + Siemens delivers the most complete ISO 26262 solution to accelerate path to compliance

Eliminate Systematic Faults from development
• Mentor Safe Tool Qualification: Most extensive EDA tool qualification program
• Siemens + Mentor Requirements Mgmt: Only requirements management solution w/ traceability to EDA
• Use qualified tools; adopt requirements driven development

Tolerate Random Faults and fail safely
• Mentor Safety Analysis: Automated metric computation and safety exploration to make smarter safety decisions earlier
• Mentor Safety Verification: Most extensive fault injection platform to validate metrics across entire SOC
• Mentor Design for Safety: Only automated safety mechanism insertion to increase design safety to achieve ASIL targets faster
• Prove design meets safety requirements; deliver ISO 26262 & IEC 61508 fault metrics; enhance designs to mitigate faults

Safety Expertise
• Mentor Consulting: Extensive safety critical experience and software to guide the adoption

Verification & DFT
• Mentor EVP + Tessent BIST: Industry leading verification and DFT technologies

Q&A
www.mentor.com