Page 1

Rethinking your approach to Safety Analysis

Dirk Hansen

Functional Safety Field Specialist

Page 2

Restricted © 2020 Mentor Graphics Corporation

Agenda

Functional Safety Introduction

Safety Analysis
— Failure rate calculation
— Initial safety assessment
— Safety architecture exploration

Analysis within larger FuSa workflow

Conclusion

Page 3

What is Functional Safety?
Driving down the risk of malfunctioning due to failures

Systematic Faults (E/E Safety - ISO 26262): Does my product operate correctly?
• Incomplete specs
• Design bugs
• Manufacturing defects

Random Faults (E/E Safety - ISO 26262): Does my product fail safely?
• EMI or electro-migration
• Permanent or transient

System Faults (SOTIF - ISO 21448): Does my system operate safely?
• Environmental
• External causes
• V2X

Malicious Faults (Cyber Security - ISO/SAE 21434): Is my product secure from hacking?
• Encryption vulnerabilities
• Denial of service
• Untrusted IC

The rest of this deck addresses the random-fault column: the analysis below quantifies how an IC fails under permanent and transient hardware faults, not whether it resists a deliberate attacker.

Page 4

Developing Safe ICs
Automotive ICs must operate correctly & fail safely

IC Development Workflows (figure: the ISO 26262 Safety Lifecycle alongside the ISO 26262 V-model, drawn as two tracks)

Operate correctly: System Specification, Architecture & Modeling, Functional Design, Circuit Design and Verification, Functional Verification, Physical Design and Verification, Fabrication

Fail safely: Safety Planning, Safety Analysis, Safety Insertion, Safety Verification, Compliance

Page 5

Safety Analysis: The Basics
Understanding the level of safety currently achieved and the enhancement required to meet safety targets

Goals
• Identify the optimal safety architecture that meets power, performance, and area targets
• Validate expert-driven estimation of safety metrics
• Fault metric data management
• Eliminate inaccurate results and late changes

(Figure: the Fail Safely track, with Safety Analysis made up of FIT Rate, FMEDA, and Safety Explore.)

Page 6

Safety Analysis: Failure Rate Calculation
Calculating Base Failure Rate (BFR) with SafetyScope™

BFR Computation
— User configurable profile
— Structural analysis
— IEC 62380 BFR model
— Hierarchical analysis and roll-up
— Die and package BFR

BFR Contribution
— BFR metrics and reporting
— Contribution reports & hot-spot analysis
— Systematically address safety architecture
— Uncovered nodes

(Figure: inputs to the IEC 62380 BFR model are the design structural analysis, package materials, package specification, target technology and mission profile.)

BFR Metrics Contribution Report (each instance's share of the total BFR, rolled up through the hierarchy; the biggest contributor is highlighted):

Instance Name    Perm%  Trans%
top               100    100
top.instA          10     15
top.instA.EP1      10     15
top.instB          90     85
top.instB.EP2      10     15
top.instB.EP3      10     15
top.instB.EP4      10     15
top.instB.EP5      60     45   (biggest contributor)

Page 7

Startpoints (SP), Endpoints (EP), and Cones
SafetyScope™ uses SPs, EPs, and cones as structural building blocks to calculate FIT, DC, and more

(Figure: a black box with inputs In_1, In_2, In_3 and outputs Out_1, Out_2, with the startpoints, cones and endpoints marked.)

Startpoints
• Outputs of black box
• State element outputs
• Primary inputs

Endpoints
• Inputs to black box
• State element inputs
• Primary outputs

Cones
• Gates between startpoints and endpoints
• Cones may intersect and overlap

Page 8

SafetyScope™ FIT Computation (λdie)
IEC 62380 is used to calculate Failure In Time (FIT)

(Figure: the LambdaFile, Temperature Profile and Mission Profile input files feed the IEC 62380 FIT equation inside the SafetyScope™ analysis; the computation itself is shown on the next slide.)

SafetyScope™ requires a series of input files defining
— Technology node
— Operating profile
— Temperature profile

SafetyScope™ uses the input files plus design analysis to calculate the FIT score

Page 9

SafetyScope™ FIT Rate Computation
Failure In Time (FIT) is calculated using the IEC 62380 model

(Figure: IEC 62380 FIT rate computation model, showing an endpoint EP with its cone and default transistor counts of 62, 6 and 2 for the cell types drawn in the figure.)

#Transistors(EP) = #Transistors(Cone) + #Transistors(Endpoint)

FIT is calculated on a per-endpoint (EP) basis, and the design FIT is the sum over endpoints:

FIT_Design = Σ FIT_Endpoints

• SafetyScope™ provides the #Transistors argument to the IEC 62380 FIT computation
• SafetyScope™ performs internal synthesis to get a gate representation
• Final FIT must be calculated on the synthesized design
• Overlapping transistors (cells shared by intersecting cones) are only counted once towards FIT
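The transistor bookkeeping on pages 7 to 9, as an added example (not the deck's code and not SafetyScope™): a constructed gate-level netlist, a cone trace from every endpoint back to its startpoints, a FIT per endpoint from cone plus endpoint transistors, shared cells counted once across overlapping cones, and the contribution ranking the BFR report on page 6 shows. The cell library, its transistor counts, the per-transistor failure rate and the even-split rule for shared cells are assumptions; the IEC 62380 equation is not reproduced because the deck names it without showing it.

```python
"""Structural FIT bookkeeping with startpoints, endpoints and cones.

Added example, not SafetyScope(TM) code. It performs the accounting the deck
describes: trace each endpoint's cone back to the startpoints, count the
transistors in cone + endpoint, derive a FIT per endpoint, count cells shared
by overlapping cones only once, and rank endpoints by contribution.
The netlist, the per-cell transistor counts, the per-transistor failure rate
and the even-split rule for shared cells are all constructed here; the
IEC 62380 equation is not reproduced (the deck names it but does not show
it), so FIT = transistors * lambda stands in for that model.
"""
from collections import defaultdict

# Constructed per-cell transistor counts (assumption; the deck's figure only
# shows defaults of 62, 6 and 2 without naming the cells they apply to).
TRANSISTORS = {"DFF": 24, "NAND2": 4, "NOR2": 4, "INV": 2, "XOR2": 12, "MUX2": 12}

# Assumed constant failure rate per transistor, in FIT (failures per 1e9 h).
LAMBDA_PER_TRANSISTOR = 1e-4


class Netlist:
    """Gate-level netlist: cell instances, their fan-in, primary I/O."""

    def __init__(self):
        self.cell_type = {}               # instance -> cell type
        self.fanin = defaultdict(list)    # instance -> nodes driving it
        self.primary_inputs = set()
        self.primary_outputs = {}         # port -> driving instance

    def add_cell(self, name, ctype, *inputs):
        self.cell_type[name] = ctype
        self.fanin[name] = list(inputs)

    def is_startpoint(self, node):
        # Startpoints: primary inputs and state element (DFF) outputs.
        return node in self.primary_inputs or self.cell_type.get(node) == "DFF"

    def endpoints(self):
        """Endpoint -> (its state element or None, nodes feeding it).

        Endpoints are state element inputs (a DFF's D pin) and primary outputs.
        """
        eps = {}
        for inst, ctype in self.cell_type.items():
            if ctype == "DFF":
                eps["EP:" + inst] = (inst, self.fanin[inst])
        for port, driver in self.primary_outputs.items():
            eps["EP:" + port] = (None, [driver])
        return eps

    def cone(self, sources):
        """Combinational cells between the given nodes and the startpoints."""
        seen, stack = set(), list(sources)
        while stack:
            node = stack.pop()
            if node in seen or self.is_startpoint(node):
                continue
            seen.add(node)
            stack.extend(self.fanin[node])
        return seen


def fit_report(net):
    """Per-endpoint transistor counts and FIT; overlapping cells counted once."""
    eps = {ep: (cell, net.cone(srcs)) for ep, (cell, srcs) in net.endpoints().items()}
    # Number of cones each combinational cell belongs to. A cell shared by k
    # cones contributes 1/k of its transistors to each (even split assumed),
    # so the sum over endpoints counts every transistor exactly once.
    owners = defaultdict(int)
    for _, cone in eps.values():
        for cell in cone:
            owners[cell] += 1
    report = {}
    for ep, (cell, cone) in eps.items():
        gross = sum(TRANSISTORS[net.cell_type[c]] for c in cone)
        alloc = sum(TRANSISTORS[net.cell_type[c]] / owners[c] for c in cone)
        if cell:                                  # the endpoint's own state element
            gross += TRANSISTORS[net.cell_type[cell]]
            alloc += TRANSISTORS[net.cell_type[cell]]
        report[ep] = {"gross_transistors": gross, "transistors": alloc,
                      "fit": alloc * LAMBDA_PER_TRANSISTOR}
    design_fit = sum(r["fit"] for r in report.values())   # FIT_Design = sum of FIT_EP
    for r in report.values():
        r["contribution_pct"] = 100.0 * r["fit"] / design_fit
    hot_spot = max(report, key=lambda ep: report[ep]["fit"])
    return {"endpoints": report, "fit_design": design_fit, "biggest_contributor": hot_spot}


def example_netlist():
    """Constructed design: two registers and one output sharing a NAND/INV pair."""
    net = Netlist()
    net.primary_inputs = {"a", "b", "sel"}
    net.add_cell("g1", "NAND2", "a", "b")
    net.add_cell("g2", "INV", "g1")
    net.add_cell("g3", "MUX2", "g2", "r1", "sel")
    net.add_cell("r1", "DFF", "g3")            # r1.D <- g3 (feedback through the mux)
    net.add_cell("g4", "XOR2", "g2", "r2")
    net.add_cell("g5", "NOR2", "g4", "sel")
    net.add_cell("r2", "DFF", "g5")            # r2.D <- g5
    net.primary_outputs = {"out": "g2"}
    return net


if __name__ == "__main__":
    rep = fit_report(example_netlist())
    for ep, r in rep["endpoints"].items():
        print(f"{ep:7s} gross={r['gross_transistors']:3d} counted={r['transistors']:5.1f} "
              f"FIT={r['fit']:.5f} share={r['contribution_pct']:5.1f}%")
    print(f"FIT_Design={rep['fit_design']:.5f} hot spot={rep['biggest_contributor']}")
```

The gross column is what a naive per-endpoint count gives (g1 and g2 appear in all three cones), the counted column is what survives once each shared cell is attributed a single time; only the second sums to the design FIT. The contribution percentages are the per-endpoint rows of a report like the one on page 6, with EP:r2 as the hot spot.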

Page 10

SafetyScope™ FIT Computation (λpackage)
IEC 62380 is used to calculate Failure In Time (FIT)

(Figure: the Mission Profile Phase, Package Material and Package Spec input files feed the IEC 62380 package FIT equation.)

Page 11

Diagnostic Coverage: Definition

• DC is the effectiveness of a safety mechanism at detecting a fault.
• DC is a percentage calculated from the structural building blocks: startpoints (SPs), endpoints (EPs), and cones.
• Mathematically, it is the ratio of the failures detected and/or controlled by a safety mechanism to the total failures in the element.

Page 12

Safety Analysis: FMEDA Validation
Proving FMEDA top-down estimations with SafetyScope™

• Perform diagnostic coverage gap analysis to identify "hot spots"
• Calculate diagnostic coverage on existing safety mechanisms

(Figure: doorbell packet processor block diagram with FIFO (ECC), DMA interface, routing, direct access routing, control & status, APB, packet processor and cache controller. SM's achievable diagnostic coverage: ECC 45%.)

Top Module  Sub-Module      Technology        Lambda Perm (FIT)  Lambda Tran (FIT)  DC Perm  DC Tran  Safety Mechanism(s)
dbr_top                                       5.31825            1.0799406          0.45     0.87
            dbr_fifo        CUST.STD.SRAM     0.002694           0.8651861          0.99     0.99     CUST_SM_MEM_ECC
            dbr_ctrl_stat   CUST.STD.STDCELL  0.0675991          0.0874085          -        -        -
            dbr_cache_ctrl  CUST.STD.STDCELL  0.0531754          0.0202821          -        -        -
            dbr_pkt_proc    CUST.STD.STDCELL  5.065515           0.102304           -        -        -
            dbr_dma_router  CUST.STD.STDCELL  0.131793           0.0070639          -        -        -
            dbr_dir_acc     CUST.STD.STDCELL  0.0600261          0.0572787          -        -        -

Page 13

Safety Exploration Workflow
Estimate achievable DC early on to guide and measure the effectiveness of proposed SMs

SM Estimated Diagnostic Coverage

DC Mechanism                DC Permanent  DC Transient  Resource Utilization  Description
Endpoint Parity             99            99            ↑                     Parity added to flip-flops
Endpoint/Cone Duplication   99            99            ↑↑                    Logic cone and EP replication
Endpoint/Cone Triplication  99            99            ↑↑↑                   Logic cone and EP replication
Endpoint ECC                99            99            ↑                     ECC for registers
Logic BIST                  99            0             ↑                     LBIST: run-time
Memory ECC                  99            99            ↑                     Memory ECC with control coverage

(Logic BIST is credited with no transient coverage because a periodic self-test only observes faults that still persist when the test runs.)

Exploration loop (flowchart): Review FIT contribution reports → Analyze and estimate DC → Meets safety target? No: propose SMs / RTL enhancement and repeat. Yes: done.

Page 14

Safety Analysis: Architecture Exploration
Establishing the optimal safety architecture with SafetyScope™

• Close fault coverage holes by proposing additional safety mechanisms and estimating DC
• Evaluate different safety architectures given power, performance, and area targets

(Figure: the same doorbell packet processor block diagram with the proposed SMs added: register parity on control & status, packet CRC generation and check around the packet path, and a lockstep cache controller. SM's achievable diagnostic coverage as SMs are added: ECC 45%, Reg Parity 70%, Lockstep 83%, Packet CRC 91%; the new SMs achieve safety.)

Top Module  Sub-Module      Technology        Lambda Perm (FIT)  Lambda Tran (FIT)  DC Perm  DC Tran  Safety Mechanism(s)
dbr_top                                       5.31825            1.0799406          0.45     0.87
            dbr_fifo        CUST.STD.SRAM     0.002694           0.8651861          0.99     0.99     CUST_SM_MEM_ECC
            dbr_ctrl_stat   CUST.STD.STDCELL  0.0675991          0.0874085          0.90     0.90     CUST_SM_REG_PAR
            dbr_cache_ctrl  CUST.STD.STDCELL  0.0531754          0.0202821          0.99     0.99     CUST_SM_INST_DUP
            dbr_pkt_proc    CUST.STD.STDCELL  5.065515           0.102304           0.78     0.78     CUST_SM_DP_CRC
            dbr_dma_router  CUST.STD.STDCELL  0.131793           0.0070639          0.81     0.81     CUST_SM_DP_CRC
            dbr_dir_acc     CUST.STD.STDCELL  0.0600261          0.0572787          -        -        -

(The dbr_top row repeats the values of the page 12 table as presented in the deck; the sub-module rows are the ones that changed.)
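The DC definition on page 11 and the before/after FMEDA tables on pages 12 and 14, as an added example (not the deck's code and not SafetyScope™): the sub-module rows are copied from the deck, the parent DC is rolled up by λ weighting (an assumption about how the tool aggregates; the dbr_top rows in the deck are the tool's own report and are not reproduced by this arithmetic), and the page 13 exploration loop is run until a constructed target is met. The SMs and their DC values are the ones the deck assigns on page 14; the target of 0.75 permanent / 0.90 transient and the rule of always covering the largest uncovered residual first are assumptions, and dbr_dir_acc stays uncovered as in the deck.

```python
"""FMEDA roll-up and safety-exploration loop over the deck's dbr_* table.

Added example, not SafetyScope(TM) code. It applies the deck's DC definition
(the share of an element's failure rate that a safety mechanism detects or
controls) to the per-module lambda and DC values copied from the slide-12 and
slide-14 tables, rolls them up by lambda weighting (an assumption about how the
tool aggregates; the dbr_top rows in the deck are the tool's own report), and
runs the exploration loop: review contributions, put an SM on the biggest
uncovered contributor, recompute, repeat until the target is met. The DC target
and the order in which SMs are tried are constructed; the SMs and their DC
values are the ones the deck assigns, and dbr_dir_acc stays uncovered as in the
deck.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Module:
    name: str
    lam_perm: float          # permanent-fault failure rate (FIT)
    lam_tran: float          # transient-fault failure rate (FIT)
    dc_perm: float = 0.0
    dc_tran: float = 0.0
    sm: str = "-"            # safety mechanism covering the module, "-" if none


# Sub-module rows of the deck's "before" FMEDA: only the FIFO has an SM (ECC).
BASELINE = [
    Module("dbr_fifo",       0.002694,  0.8651861, 0.99, 0.99, "CUST_SM_MEM_ECC"),
    Module("dbr_ctrl_stat",  0.0675991, 0.0874085),
    Module("dbr_cache_ctrl", 0.0531754, 0.0202821),
    Module("dbr_pkt_proc",   5.065515,  0.102304),
    Module("dbr_dma_router", 0.131793,  0.0070639),
    Module("dbr_dir_acc",    0.0600261, 0.0572787),
]

# SM and estimated (DC perm, DC tran) the deck assigns per module on slide 14.
PROPOSAL = {
    "dbr_ctrl_stat":  ("CUST_SM_REG_PAR",  0.90, 0.90),
    "dbr_cache_ctrl": ("CUST_SM_INST_DUP", 0.99, 0.99),
    "dbr_pkt_proc":   ("CUST_SM_DP_CRC",   0.78, 0.78),
    "dbr_dma_router": ("CUST_SM_DP_CRC",   0.81, 0.81),
    # dbr_dir_acc is left without an SM in the deck, so nothing is proposed.
}


def residual_fit(m):
    """Undetected failure rate of one module: lambda * (1 - DC), perm + tran."""
    return m.lam_perm * (1 - m.dc_perm) + m.lam_tran * (1 - m.dc_tran)


def rollup(modules):
    """Lambda-weighted DC and residual FIT of the parent, separately for
    permanent and transient faults (assumed aggregation rule)."""
    lam_p = sum(m.lam_perm for m in modules)
    lam_t = sum(m.lam_tran for m in modules)
    res_p = sum(m.lam_perm * (1 - m.dc_perm) for m in modules)
    res_t = sum(m.lam_tran * (1 - m.dc_tran) for m in modules)
    return {"dc_perm": 1 - res_p / lam_p, "dc_tran": 1 - res_t / lam_t,
            "residual_perm": res_p, "residual_tran": res_t}


def explore(modules, target_dc_perm, target_dc_tran, max_iter=10):
    """Exploration loop: recompute, stop when both targets are met, otherwise
    add the proposed SM on the uncovered module with the largest residual."""
    modules = list(modules)
    history = []
    for _ in range(max_iter):
        r = rollup(modules)
        met = r["dc_perm"] >= target_dc_perm and r["dc_tran"] >= target_dc_tran
        candidates = [m for m in modules if m.sm == "-" and m.name in PROPOSAL]
        if met or not candidates:
            history.append({**r, "proposed": None})
            break
        worst = max(candidates, key=residual_fit)          # the hot spot
        sm, dc_p, dc_t = PROPOSAL[worst.name]
        history.append({**r, "proposed": worst.name, "sm": sm})
        modules = [replace(m, dc_perm=dc_p, dc_tran=dc_t, sm=sm) if m is worst else m
                   for m in modules]
    return modules, history


if __name__ == "__main__":
    final, hist = explore(BASELINE, target_dc_perm=0.75, target_dc_tran=0.90)
    for i, h in enumerate(hist):
        step = f"add {h['sm']} on {h['proposed']}" if h["proposed"] else "targets met"
        print(f"iter {i}: DC perm={h['dc_perm']:.3f} tran={h['dc_tran']:.3f} -> {step}")
    for m in final:
        print(f"{m.name:15s} {m.sm:18s} residual FIT={residual_fit(m):.4f}")
```

Two things the run makes visible that the tables alone do not: the baseline rolls up to essentially 0% permanent DC because the only SM (the FIFO ECC) sits on the module with the smallest λ, while dbr_pkt_proc carries about 94% of the permanent failure rate, so it is the first hot spot the loop attacks; and after the four SMs the deck chose are in place the transient roll-up lands at about 91%, while the permanent one is capped near 78% by the 0.78 DC of the CRC on dbr_pkt_proc, which is where a further iteration would have to spend its area budget.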

Page 15

Safety Analysis: Diagnostic Coverage Analysis
Endpoint and end-to-end diagnostic coverage analysis

Endpoint Coverage Analysis
(Figure: three endpoints with D-port and Q-port parity calculation feeding an alarm; one cone is not covered by the parity (ATD-EPAR) safety mechanism.)
• Input DC (sourced from ISO 26262)

End-to-End Coverage Analysis
(Figure: a generation point produces {parity, data[7:0]} ([8:0]); the word passes through routing logic to a parity check and compare. The datapath and the endpoints are covered by parity; the routing logic is not covered by parity and is filtered out of the analysis.)
• Analyzes end-to-end SMs such as parity, CRC, ECC, etc.
• NoCs, packet interfaces, transport mechanisms
• Analyzes COIs (cones of influence) and DC between generation and check points
• Identifies and differentiates control vs. data path for DC
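The end-to-end parity picture above, as an added example (not the deck's code and not SafetyScope™): a generation point appends an even-parity bit to an 8-bit word, the words cross a transport stage, and a check point recomputes and compares. Faults are injected on the way to show the control-versus-data distinction the slide draws: a single flip anywhere in the 9-bit data path raises the alarm, a routing fault that delivers an intact word to the wrong destination does not, and a double flip escapes parity. The transport model, the payloads and the fault list are constructed; the parity scheme ({parity, data[7:0]}) is the one in the figure.

```python
"""End-to-end parity: what a generation/check pair covers and what it misses.

Added example, not SafetyScope(TM) code. It models the deck's end-to-end parity
picture: a generation point appends an even-parity bit to an 8-bit word
({parity, data[7:0]}), the words cross a transport stage, and a check point
recomputes the parity and compares. Faults injected on the way show the
control-vs-data distinction the deck draws: a single flip anywhere in the
9-bit data path raises the alarm, a fault in the routing control (a valid word
delivered intact to the wrong destination) does not, and a double flip escapes
parity. The transport model, payloads and fault list are constructed here.
"""


def parity_bit(data):
    """Even parity over data[7:0]."""
    return bin(data & 0xFF).count("1") & 1


def generate(data):
    """Generation point: 9-bit word {parity, data[7:0]}."""
    return (parity_bit(data) << 8) | (data & 0xFF)


def check(word):
    """Check point: recompute parity of data[7:0], compare with bit 8.
    Returns (ok, data)."""
    data = word & 0xFF
    return parity_bit(data) == ((word >> 8) & 1), data


def transport(words, dests, fault=None):
    """Deliver each word to its destination, optionally with one injected fault.

    fault = ("data", i, mask): XOR mask onto word i (data path, incl. parity bit)
    fault = ("control", i, dest): deliver word i to dest instead (control path)
    """
    delivered = {}
    for i, (w, d) in enumerate(zip(words, dests)):
        if fault is not None and fault[1] == i:
            if fault[0] == "data":
                w ^= fault[2]
            elif fault[0] == "control":
                d = fault[2]
        delivered.setdefault(d, []).append(w)
    return delivered


def run_campaign(payloads, dests, faults):
    """Inject each fault, run the check at every destination and classify it:
    detected (alarm), undetected (delivery changed, no alarm) or safe (no effect)."""
    words = [generate(p) for p in payloads]
    golden = transport(words, dests)
    results = {}
    for name, fault in faults.items():
        delivered = transport(words, dests, fault)
        alarm = any(not check(w)[0] for ws in delivered.values() for w in ws)
        changed = delivered != golden
        cls = "detected" if alarm else ("undetected" if changed else "safe")
        results[name] = {"alarm": alarm, "effect": changed, "class": cls}
    return results


def coverage(results):
    """DC of the campaign: detected / (detected + undetected), safe faults excluded."""
    det = sum(r["class"] == "detected" for r in results.values())
    und = sum(r["class"] == "undetected" for r in results.values())
    return det / (det + und) if det + und else 0.0


def single_bit_dc(payloads, dests):
    """Exhaustive single-bit data-path campaign over all 9 bits of every word."""
    faults = {f"w{i}_b{b}": ("data", i, 1 << b)
              for i in range(len(payloads)) for b in range(9)}
    return coverage(run_campaign(payloads, dests, faults))


# Constructed traffic: three words to three destinations.
PAYLOADS = [0x5A, 0xF0, 0x07]
DESTS = ["A", "B", "C"]
FAULTS = {
    "data_bit3_word0":    ("data", 0, 1 << 3),     # single data-bit flip
    "parity_bit_word1":   ("data", 1, 1 << 8),     # flip of the parity bit itself
    "double_flip_word0":  ("data", 0, 0b11),       # even number of flips
    "misroute_word1":     ("control", 1, "A"),     # routing/control-path fault
    "misroute_same_dest": ("control", 0, "A"),     # control fault with no effect
}

if __name__ == "__main__":
    for name, r in run_campaign(PAYLOADS, DESTS, FAULTS).items():
        print(f"{name:20s} alarm={r['alarm']!s:5s} effect={r['effect']!s:5s} {r['class']}")
    print("campaign DC:", coverage(run_campaign(PAYLOADS, DESTS, FAULTS)))
    print("single-bit data-path DC:", single_bit_dc(PAYLOADS, DESTS))
```

The exhaustive single-bit campaign comes out at 100%, which is the credit the slide gives the parity-covered datapath and endpoints. The misrouted word is the case the slide "filters out": the parity relation still holds at the wrong destination, so routing logic gets no coverage from an end-to-end parity mechanism and needs its own SM (address/ID in the checked field, or duplication). The double flip is the reason the deck lists CRC and ECC alongside parity for NoC and packet transport.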

Page 16

SafetyScope™ Impact on Safety Workflow
SafetyScope shifts safety development left to make smarter decisions earlier with fewer iterations

Typical Safety Workflow (flowchart): System Requirements → Functional Design → Functional Verification → Safety Insertion → Fault Campaign → Functional Verification after SM → Expert Judgement → Safety goals met? N: next iteration (Iter 1, Iter 2, Iter 3, Iteration N-1, Iter N Final); Y: Final Metric Reporting.

Each iteration (Iter #) is costly:
• Update requirements
• Perform impact analysis
• Add SMs
• Re-close DV
• Re-run fault campaign

The SafetyScope™ Advantage (automated, flowchart): System Requirements → Functional Design → Functional Verification → Safety Analysis → Safety Insertion → Fault Campaign → Functional Verification after SM → Final Metric Reporting.
• Exploration guides enhancement
• Exploration to systematically achieve safety goals
• Safety requirements and FMEDA validated

Page 17

First Time Right Safe IC with Mentor Safe IC
Safety Analysis is an early activity in the larger random fault workflow

(Figure: random fault workflow in three groups, with the arrow labels Safety Mechanism Guidance, Fault List, FMEDA/FMEA and Validated Metrics.)
Safety Analysis: FIT Rate Computation, Safety Exploration, Fault List Generation, DC Estimation
Design for Safety: Safety Mechanism Insertion, Safety Mechanism Verification
Safety Verification: Fault List Optimization, Fault Simulation, Fault Emulation

Page 18

CONCLUSION

Page 19

Meeting Functional Safety Requirements
Mentor + Siemens delivers the most complete ISO 26262 solution to accelerate the path to compliance

Eliminate systematic faults from development (use qualified tools; adopt requirements-driven development):
• Mentor Safe Tool Qualification: most extensive EDA tool qualification program
• Siemens + Mentor Requirements Mgmt: only requirements management solution with traceability to EDA

Tolerate random faults and fail safely (prove the design meets safety requirements; deliver ISO 26262 & IEC 61508 fault metrics; enhance designs to mitigate faults):
• Mentor Safety Analysis: automated metric computation and safety exploration to make smarter safety decisions earlier
• Mentor Safety Verification: most extensive fault injection platform to validate metrics across the entire SoC
• Mentor Design for Safety: only automated safety mechanism insertion to increase design safety and achieve ASIL targets faster

Safety Expertise: Mentor Consulting, extensive safety-critical experience and software to guide the adoption

Verification & DFT: Mentor EVP + Tessent BIST, industry-leading verification and DFT technologies

Page 20

Q&A

Page 21

www.mentor.com