Safety Alchemy: Transforming ISO26262 Compliance Into a Competitive Advantage
Adam Sherer, Cadence Product Management Group Director
ISO-26262 Practitioners Workshop, MIRA, Nuneaton, UK, March 11, 2015
© 2015 Cadence Design Systems, Inc. All rights reserved.
Slide 2: Agenda
• Automotive electronics and verification
• ISO 26262 tests our mettle
• Refining our verification processes
• But wait, there’s more
• Call to action
Slide 3: Automotive electronics driven by applications
• Dependable designs work properly and fail predictably
  – Safety is the freedom from unacceptable risk of physical injury or damage due to unplanned or undesired events
• Compliance required from system down to ICs
• Dependable transmission, brakes, steering, ADAS, navigation
• Dependable general and application-specific ICs
[Figure: application drivers: Autonomous driving; Energy efficiency / E-mobility; Intra-/inter-vehicle and Cloud communications]
Slide 4: Verification Measures System Dependability
• Directed test: specific sequence of signal input
  – Best for connectivity verification and corner cases
  – Typically Verilog/VHDL behavioral, C/C++, data files
• Assertion based: properties verify behavior
  – Best for automating design checks and protocol verification
  – Typically SystemVerilog but also PSL and OVL (Verilog) code
• Constrained random: coverage driven verification
  – Best for comprehensive IP verification including configurations
  – Requires object oriented programming knowledge
  – Typically SystemVerilog or e code using a base class library (UVM)
• Mixed-signal: analog and digital using the methods above
  – Transistor models only support connectivity and limited functionality
  – Verilog/VHDL AMS models support functional verification
  – Digital Mixed Signal (SystemVerilog) supports coverage driven verification
[Figure axis label: Increasing Functional Awareness]
Slide 5: Example FPGA/ASIC Verification Process (flow diagram; source: CDNLive Sept 2014, marked Allegro Confidential Information)
[Figure: flow diagram. Legend categories: Objects, Tools, Processes, Data, Logical, Command. Elements shown: Requirements, Specification, vPlan / vPlan(s), Verification Planning (vPlanner), Model Creation, Analog Behavioral Model Creation, Testbench & Design Creation, Schematic Design, Analog Capture / Layout, Simulation, Simulation RNM, Digital & Analog Sim, MS Sim, In-house + 3rd party IP, Enterprise System; tools named: Incisive, Virtuoso DFII, vManager, amsDmv, SMG]
Slide 6: Agenda (repeated as section divider)
Slide 7: ISO 26262 standard documents functional safety
Builds on dependability established with functional verification
1. Safety culture
   – Requirements tracing from system to component
   – Prevents problems from arising
2. Quality measurement
   – Functional verification at all levels of abstraction and for all system elements
   – Safety verification measures response of systems to undesired/unplanned events
3. Documentation
   – Document confidence that tools did not inject or fail to detect problems (TCL, tool confidence level)
   – Document complete compliance (Safety Manual) per product (semi or ECU)
[Figure: ISO 26262 / 61508 / 16949 over Requirements, Functional Verification, Safety Verification, TCL and Safety Manual, numbered 1 to 3 to match the list]
Slide 8: Safety verification has been labor intensive
[Figure: the ISO 26262 / Requirements / Functional Verification / Safety Verification / TCL / Safety Manual diagram again, with the SDS Suite and ADE Suite labelled "Advanced Verification"]
Manual effort on the safety side:
• Excel spreadsheets
• Observation and manual documentation
• Safety engineer research
• Rewriting verification environment to fit traditional tool flow
• Custom scripts to extract safety data
SDS = Cadence System Development Suite™ or similar; ADE = Cadence Virtuoso Analog Design Environment™ or similar
Slide 9: Agenda (repeated as section divider)
Slide 10: What is Metric Driven Verification (MDV)
• A codified verification methodology utilizing metrics, versus estimates, to define release criteria and thus verification signoff
• Key enablers of MDV for silicon & systems suppliers
  – Empowers management with clear visibility to progress, gaps, owners and issues
  – Is a proven and scalable verification process, an industry standard
  – Drives quality improvements, as ‘you can only improve what you can clearly measure’
  – Returns greater productivity and resource utilization
[Figure: metric sources: Bug Data, Verification Data, Source Code Data, Project Data]
Slide 11: Schedule Predictability: Plan to Closure Process
Structural coverage only:
• 1M gate design, 30,000 lines of Verilog code
• 2000 register bits, 2^2000 verification states
• Functional closure impossible, but structural closure is possible
• Metrics: RTL code coverage, toggle coverage, FSM coverage, expression coverage
With MDV:
• 1M gate design
• 10 key features, 10 sub-functions per feature, 100 functional plan elements
• Functional closure possible
• Metrics: functional coverage, use case coverage, plan coverage, specification coverage
Slide 12: Case Study: MDV Value Calculation / ROI
Deployment costs (training, licenses, computers, people): $650,000. ROI: 6x
Slide 13: Allegro Success With MDV for Mixed-Signal (Allegro Confidential Information)
Results (costs and efficiency):
• More effort for the digital team, but guaranteed success and faster TTM
• Some headcount adjustment is required
• Analog designers now appreciate the value of RNM and MDV
• Effective communication throughout the project life cycle
• Reduced duplication of effort across the different teams
• Eliminated connectivity/interconnect bug escapes
• Found more bugs earlier in the design cycle, reduced costs
• Significantly faster system level simulations
Slide 14: Safety Requirements Tracing
• Incisive vManager supports safety requirements tracing
  – vManager is flexible planning technology enabling management by features, requirements, and/or technical functions
  – Tracing and tracking is provided with external requirements management tools
• Used in production by several US and European automotive IC suppliers
• For more information: webinar from 2012; Freescale paper, CDNLive 2013
Capabilities listed: Test Management; vPlan Traceability; Flexible Metric Linking (many to many); Change Management; Specification Linkage; Closed Loop Feedback
[Figure: Design Specification and Any Requirements Management Tool linked to Incisive vManager]
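The plan-to-closure idea of slides 10 and 11 and the requirements tracing of slide 14 fit in one small model. The following is an added example written for this page, not Cadence code and not vManager's data model: a hypothetical vPlan tree (features, sub-functions, coverage metrics) whose leaves trace to requirement IDs many-to-many, a plan-coverage roll-up, and a closure report that flags an untraced requirement as a gap. All names and numbers are constructed.

```python
"""Added example (not from the Cadence deck and not vManager's data model):
a small vPlan with requirement tracing and a plan-coverage roll-up.

Hypothetical structure: a plan element is a feature or sub-function; leaf
elements hold coverage metrics (bins covered / total) and trace to zero or
more requirement IDs (many-to-many linking).  Plan coverage is the ratio of
covered bins rolled up over the tree; a requirement is closed only when every
element tracing to it meets the target, and an untraced requirement is a gap.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Metric:
    name: str
    covered: int   # bins hit so far
    total: int     # bins defined


@dataclass
class PlanElement:
    name: str
    metrics: List[Metric] = field(default_factory=list)
    requirements: List[str] = field(default_factory=list)   # traced requirement IDs
    children: List["PlanElement"] = field(default_factory=list)


def bins(el: PlanElement) -> Tuple[int, int]:
    """Roll up (covered, total) bins over an element and all of its children."""
    covered = sum(m.covered for m in el.metrics)
    total = sum(m.total for m in el.metrics)
    for child in el.children:
        c, t = bins(child)
        covered, total = covered + c, total + t
    return covered, total


def plan_coverage(el: PlanElement) -> float:
    """Fraction of bins covered under this element (0.0 when it has no bins)."""
    covered, total = bins(el)
    return covered / total if total else 0.0


def trace_matrix(root: PlanElement) -> Dict[str, List[PlanElement]]:
    """Requirement ID -> plan elements tracing to it (the traceability matrix)."""
    matrix: Dict[str, List[PlanElement]] = {}

    def walk(el: PlanElement) -> None:
        for req in el.requirements:
            matrix.setdefault(req, []).append(el)
        for child in el.children:
            walk(child)

    walk(root)
    return matrix


def closure_report(root: PlanElement, requirements: List[str],
                   target: float = 1.0) -> Dict[str, str]:
    """Per requirement: 'untraced' (no plan element covers it), 'open'
    (traced, but some linked element is below target) or 'closed'."""
    matrix = trace_matrix(root)
    report: Dict[str, str] = {}
    for req in requirements:
        elements = matrix.get(req)
        if not elements:
            report[req] = "untraced"
        elif min(plan_coverage(e) for e in elements) >= target:
            report[req] = "closed"
        else:
            report[req] = "open"
    return report


def build_sample_plan() -> PlanElement:
    """Constructed sample plan: two features with two sub-functions each."""
    lockstep = PlanElement("Lockstep compare", children=[
        PlanElement("Mismatch flagged", [Metric("cov_mismatch", 4, 4)], ["SR-001"]),
        PlanElement("Mismatch latency", [Metric("cov_latency", 2, 4)], ["SR-001", "SR-002"]),
    ])
    ecc = PlanElement("Memory ECC", children=[
        PlanElement("Single-bit correct", [Metric("cov_sbe", 8, 8)], ["SR-003"]),
        PlanElement("Double-bit detect", [Metric("cov_dbe", 8, 8)], ["SR-003"]),
    ])
    return PlanElement("Safety vPlan", children=[lockstep, ecc])


SAMPLE_REQUIREMENTS = ["SR-001", "SR-002", "SR-003", "SR-004"]   # SR-004 traces nowhere


if __name__ == "__main__":
    plan = build_sample_plan()
    print(f"plan coverage: {plan_coverage(plan):.1%}")
    for req, status in closure_report(plan, SAMPLE_REQUIREMENTS).items():
        print(req, status)
```

The closure rule is deliberately strict: a requirement linked to two plan elements stays open while either is below target, which is what makes a many-to-many link useful for signoff rather than just for documentation.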
Slide 15: Functional Safety Verification Flow Requirements
• Automate fault simulation execution
  – Eliminate testbench refactoring
• Safety requirements tracing
  – Integrate regression throughout for compliance metrics
  – Integrate permanent and transient fault simulation
• High performance/capacity
  – Gate-level, Verilog, and VHDL
  – Digital / mixed-signal simulation
  – Verify with IEEE languages
[Figure: blocks labelled Verification Plan, Safety Verification Plan, Fault Injector, Simulation Engine, Fault Engine (several, in parallel), Fault collection, Metric Driven Verification, Safety Reporting]
Slide 16: Establishing a Safety Verification Plan
• Identify safety-critical from non-critical systems
  – May not be simply hierarchical
• Identify safety systems
  – May require careful examination of gate-level netlist
• Create triple lists of fault injection points, strobe (detection) points, and safety output
[Figure: MCU1 and MCU2 with a Lockstep Comparator, plus Logic, Analog and Error Correction (ECC) blocks; the figure marks the Fault Injection Points, the Fault Strobe Point and the Safety System Output]
Slide 17: Identification of fault program
• Brute force: all fault types on all fault insertion points
  – Becomes computationally impossible after 10^6 gates
• Constrained random: sampling within the safety critical area
  – Combines randomized fault injection with coverage analysis
• Formal guided: reduce fault list without simulation
  – Operates on a subset of the overall design and does not support analog
[Figure: Generate Fault List (input: Strobe Points and Safety Systems), then Choose Verification Approach (Brute Force, Constrained Random, Formal Guided), then Analyze Simulation Results]
Slide 18: Reporting Semantics Enable Safety Analysis
• Each fault run reports a combination of type and condition
• “Dangerous Detected” faults are detected ON_TIME, DELAYED, or PREMATURE
• All others are dangerous unless they can be classified via further study
  – Did the fault fail to propagate due to logic masking (not dangerous)?
  – Did the fault fail to propagate due to lack of controllability (not dangerous)?
  – Did the fault fail to propagate due to incorrect stimulus (potentially dangerous)?
Fault detection conditions (rows: Good Machine value at the strobe; columns: Bad Machine value):
          bad=0   bad=1   bad=X   bad=Z
  good=0    U       D       P       P
  good=1    D       U       P       P
  good=X    U       U       U       U
  good=Z    U       U       U       U
Key: D = Detected, P = Potentially Detected, U = Undetected
Fault simulation finish types (when the fault run finished):
• ON_TIME: at the same time as the good run
• DELAYED: after the good run
• PREMATURE: before the good run
• TIMEOUT: when the specified timeout was reached
• STOPPED: due to the simulator stopping the run
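The detection matrix and finish types above are small enough to encode directly, and doing so makes the "dangerous unless further study" rule checkable over a batch of runs. The following is an added example written for this page, not part of the deck and not Cadence's reporting format: the matrix is transcribed as data (rows are the good machine value, columns the bad machine value), a fault run is summarised by its two strobe values and finish type, and the three follow-up questions from the slide are modelled as an optional analyst annotation. The fault labels and runs are constructed.

```python
"""Added example (not from the Cadence deck): slide 18's fault detection
matrix and finish types as data, plus a classifier for fault runs.

Assumptions: a fault run is summarised by the 4-state value seen at the
strobe point in the good and bad machines and by how the run finished.
Anything that is not "dangerous detected" is kept as dangerous until the
analyst's further-study annotation (if any) reclassifies it.
"""
from collections import Counter
from enum import Enum
from typing import Dict, Iterable, NamedTuple, Optional

# Transcribed from the slide: DETECTION[good][bad]
DETECTION: Dict[str, Dict[str, str]] = {
    "0": {"0": "U", "1": "D", "X": "P", "Z": "P"},
    "1": {"0": "D", "1": "U", "X": "P", "Z": "P"},
    "X": {"0": "U", "1": "U", "X": "U", "Z": "U"},
    "Z": {"0": "U", "1": "U", "X": "U", "Z": "U"},
}


class Finish(Enum):
    ON_TIME = "finished at the same time as the good run"
    DELAYED = "finished after the good run"
    PREMATURE = "finished before the good run"
    TIMEOUT = "specified timeout was reached"
    STOPPED = "simulator stopped the run"


# Finish types under which a detected fault counts as "dangerous detected"
DETECTED_FINISHES = {Finish.ON_TIME, Finish.DELAYED, Finish.PREMATURE}


class FaultRun(NamedTuple):
    fault: str                      # constructed label, e.g. "SA0@core2.acc[7]"
    good: str                       # strobe value in the good machine
    bad: str                        # strobe value in the bad (faulted) machine
    finish: Finish
    study: Optional[str] = None     # "logic_masked", "uncontrollable", "bad_stimulus" or None


def detection_condition(good: str, bad: str) -> str:
    """Look up D/P/U for one strobe comparison (KeyError outside 0/1/X/Z)."""
    return DETECTION[good][bad]


def classify(run: FaultRun) -> str:
    """Slide 18's rule: detected on time, delayed or premature -> 'dangerous detected';
    everything else stays dangerous until further study classifies it."""
    if detection_condition(run.good, run.bad) == "D" and run.finish in DETECTED_FINISHES:
        return "dangerous detected"
    if run.study == "logic_masked":
        return "not dangerous (logic masking)"
    if run.study == "uncontrollable":
        return "not dangerous (not controllable)"
    if run.study == "bad_stimulus":
        return "potentially dangerous (incorrect stimulus)"
    return "dangerous (further study needed)"


def summarise(runs: Iterable[FaultRun]) -> Dict[str, int]:
    """Count runs per class: the table a safety report starts from."""
    return dict(Counter(classify(r) for r in runs))


SAMPLE_RUNS = [   # constructed fault runs
    FaultRun("SA0@core2.acc[0]", "1", "0", Finish.ON_TIME),
    FaultRun("SA1@core2.acc[7]", "0", "1", Finish.DELAYED),
    FaultRun("SEU@core2.acc[2]", "0", "X", Finish.DELAYED),          # P: bad machine went X
    FaultRun("SA0@core2.acc[7]", "0", "0", Finish.TIMEOUT, "logic_masked"),
    FaultRun("SET@cmp.in[3]", "X", "1", Finish.ON_TIME),             # good machine X: undetected
    FaultRun("SA1@core2.acc[5]", "1", "0", Finish.STOPPED),          # D, but the run was stopped
    FaultRun("SA0@core2.acc[1]", "1", "1", Finish.TIMEOUT, "bad_stimulus"),
]

if __name__ == "__main__":
    for run in SAMPLE_RUNS:
        print(f"{run.fault:18} {detection_condition(run.good, run.bad)} "
              f"{run.finish.name:9} -> {classify(run)}")
    print(summarise(SAMPLE_RUNS))
```

Note the two runs that are detected by value but still not "dangerous detected": one because the good machine was X at the strobe (nothing to compare against), one because the simulator stopped the run, which the slide lists separately from the three timing-qualified finishes.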
Slide 19: Functional Safety Solution Details
• Multiple fault types for 26262
  – Single event upset (SEU)
  – Stuck at 0 or 1 (SA0/SA1)
  – Single event transient (SET)
• Simulates unaltered DUT
  – Fault identification during elaboration
  – Faults injected during simulation
  – Supports Verilog/VHDL for gates/RTL
  – Faults can propagate through mixed-signal, low-power, assertions, etc.
• Automates safety verification
  – Efficiently executes fault simulations in modern regression environments
  – Highlights potentially detected and undetected fault runs for further debug
• Verification environment reuse
  – Supports SystemVerilog/UVM, SystemC, e
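To make the triple list of slide 16 (injection points, strobe point, safety output) and the fault types of slide 19 concrete, here is an added toy model written for this page; it is not Cadence's fault simulator and not code from the deck. The lockstep MCU pair is two 8-bit accumulators fed the same stimulus, the strobe point is the comparator between them, the safety output is a sticky error flag, and SA0/SA1, SEU and SET faults are injected at run time into bits of the second core's register without altering the model. The run is then classified against the good (fault-free) run using the finish types of slide 18. The core behaviour, stimulus and fault list are all constructed.

```python
"""Added example (a toy model, not Cadence's fault simulator): the lockstep
MCU pair of slide 16 as a cycle-based Python model, with the three lists a
safety verification plan needs: fault injection points (bits of core 2's
accumulator register), the strobe point (the lockstep comparator) and the
safety output (a sticky error flag).  Stuck-at-0/1, single event upset
(SEU) and single event transient (SET) faults are injected at run time on
an unaltered model, and the run is classified the way slide 18 does by
comparing against the good (fault-free) run.

Assumptions: each core is an 8-bit accumulator, acc = (acc + input) mod 256,
and the comparator checks both cores every cycle.  All names and the
stimulus are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MASK = 0xFF   # 8-bit accumulator width


@dataclass(frozen=True)
class Fault:
    kind: str    # "SA0", "SA1", "SEU" or "SET"
    bit: int     # injection point: bit index in core 2's accumulator
    cycle: int   # cycle at which the fault is first applied


def simulate(inputs: List[int], fault: Optional[Fault] = None) -> Tuple[List[int], List[int], bool]:
    """Run both cores over the stimulus.  Returns (core1 trace, core2 trace as
    seen by the comparator, error flag).  Core 1 is never faulted."""
    acc1 = acc2 = 0
    trace1: List[int] = []
    trace2: List[int] = []
    error = False                        # safety output: sticky comparator mismatch
    for cyc, x in enumerate(inputs):
        acc1 = (acc1 + x) & MASK
        acc2 = (acc2 + x) & MASK
        if fault is not None and cyc >= fault.cycle:
            if fault.kind == "SA0":      # register bit permanently held at 0
                acc2 &= ~(1 << fault.bit) & MASK
            elif fault.kind == "SA1":    # register bit permanently held at 1
                acc2 |= 1 << fault.bit
        if fault is not None and cyc == fault.cycle and fault.kind == "SEU":
            acc2 ^= 1 << fault.bit       # state upset: stays until overwritten by arithmetic
        cmp_in2 = acc2
        if fault is not None and cyc == fault.cycle and fault.kind == "SET":
            cmp_in2 ^= 1 << fault.bit    # one-cycle glitch on the comparator input only
        trace1.append(acc1)
        trace2.append(cmp_in2)
        if acc1 != cmp_in2:              # strobe point: lockstep comparator
            error = True
    return trace1, trace2, error


def classify_fault(inputs: List[int], fault: Fault) -> Dict[str, object]:
    """Compare the faulted run with the good run and report the first cycle at
    which the strobe differs, plus the finish type in slide 18's terms.
    PREMATURE cannot occur here because nothing differs before injection."""
    good, _, _ = simulate(inputs)
    _, bad, error = simulate(inputs, fault)
    detect_cycle = next((c for c, (g, b) in enumerate(zip(good, bad)) if g != b), None)
    if detect_cycle is None:
        finish = "TIMEOUT"               # ran out of stimulus without a mismatch
    elif detect_cycle == fault.cycle:
        finish = "ON_TIME"
    else:
        finish = "DELAYED"
    return {"detected": error, "detect_cycle": detect_cycle, "finish": finish}


STIMULUS = [3, 5, 8, 16, 32, 64, 1, 2]   # constructed; good trace: 3,8,16,32,64,128,129,131

SAMPLE_FAULTS = [
    Fault("SA1", 0, 0),   # bit 0 is already 1 in cycle 0, so the fault shows one cycle late
    Fault("SA0", 7, 0),   # bit 7 stays 0 until cycle 5: logic masking delays detection
    Fault("SEU", 2, 3),   # flips state; seen immediately
    Fault("SET", 0, 2),   # glitch seen immediately, but core state stays correct
]

if __name__ == "__main__":
    for f in SAMPLE_FAULTS:
        print(f, classify_fault(STIMULUS, f))
    # With a short stimulus the SA0 on bit 7 is never observed: undetected, not
    # necessarily dangerous, and exactly the case slide 18 sends to further study.
    print(Fault("SA0", 7, 0), classify_fault([1, 2, 3], Fault("SA0", 7, 0)))
```

The SA0 case is the one worth studying: the same fault is DELAYED with the longer stimulus and TIMEOUT with the short one, so whether it lands in "dangerous detected" or "further study" depends on the stimulus, not on the fault, which is why slide 18 separates logic masking from incorrect stimulus.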
Slide 20: Agenda (repeated as section divider)
Slide 21: Functional Safety and DFT are Related
• Safety is not wholly a subset of DFT
  – Transient faults typically are not part of manufacturing-oriented DFT
• Safety implementation is sometimes supplanted by BIST
  – LBIST and MBIST provide in-device safety checks
  – Cost is area and performance
• ATPG methods generate more faults than safety needs
  – Comprehensive nature can fault all device inputs
  – ATPG engines are fast for stuck-at faults
• Bottom line: both safety and DFT are required
Slide 22: System Level Design Fault Considerations
• Defined by untimed transaction-based design
  – Targeted to hardware/software co-design
  – May include algorithmic models for analog
• Enables early analysis of safety systems
  – Analyze failure reporting response time
  – Identify safety-critical systems
• Challenge: new fault models
  – Abstract data types do not have simple bit-faults
  – Ex. enum: how do you fault “orange”?
  – Ex. struct: do you fault individual data fields?
Slide 23: Agenda (repeated as section divider)
Slide 24: Call to Action
• Seek higher quality verification
  – Functional quality is a business advantage
• Implement safety verification
  – Automated process can save millions per year
• Look to the future
  – Safety and dependable design will be pervasive
  – Skills developed for automotive will go beyond safety critical markets
  – Industry collaboration on automation and higher abstraction
Slide 25: Automotive Systems Engineering Automation
• Enhance core technology: quality, performance, integration
• Innovate technology and methodology: application focused
• Connect design chain: technology, standards, collaboration