Adam Sherer, Cadence Product Management Group Director ISO-26262 Practitioners Workshop MIRA, Nuneaton, UK March 11, 2015 Safety Alchemy: Transforming ISO26262 Compliance Into a Competitive Advantage


Page 2: Agenda
© 2015 Cadence Design Systems, Inc. All rights reserved.

• Automotive electronics and verification
• ISO 26262 tests our mettle
• Refining our verification processes
• But wait, there’s more
• Call to action

Page 3: Automotive electronics driven by applications

• Dependable designs work properly and fail predictably
  – Safety is the freedom from unacceptable risk of physical injury or damage due to unplanned or undesired events
• Compliance required from system down to ICs
• Dependable transmission, brakes, steering, ADAS, navigation
• Dependable general and application-specific ICs

Application areas shown in the slide graphic: Autonomous driving; Energy efficiency / E-mobility; Intra-/inter-vehicle and cloud communications

Page 4: Verification Measures System Dependability (graphic label: Increasing Functional Awareness)

• Directed test – specific sequence of signal input
  – Best for connectivity verification and corner cases
  – Typically Verilog/VHDL behavioral, C/C++, data files
• Assertion based – properties verify behavior
  – Best for automating design checks and protocol verification
  – Typically SystemVerilog, but also PSL and OVL (Verilog) code
• Constrained random – coverage driven verification
  – Best for comprehensive IP verification including configurations
  – Requires object-oriented programming knowledge
  – Typically SystemVerilog or e code using a base class library (UVM)
• Mixed-signal – analog and digital using the methods above
  – Transistor models only support connectivity and limited functionality
  – Verilog/VHDL AMS models support functional verification
  – Digital Mixed-Signal (SystemVerilog) supports coverage driven verification

Page 5: Example FPGA/ASIC Verification Process (flow diagram; Allegro confidential information; source: CDNLive Sept 2014)

Only the diagram labels survive extraction. Legend: Objects, Tools, Processes, Data, Logical, Command. Stages named: Requirements; Specification; Verification Planning (vPlan, vPlan(s)); Model Creation / Analog Behavioral Model Creation; Schematic Design; Analog Capture / Layout; Testbench & Design Creation (In-house + 3rd party IP); Simulation; Simulation RNM; Digital & Analog Sim; Enterprise System. Tools named: Incisive, Virtuoso DFII, vPlanner, vManager, MS Sim, amsDmv, SMG.

Page 6: Agenda (repeat of page 2)

Page 7: ISO 26262 / 61508 / 16949

The ISO 26262 standard documents functional safety. It builds on the dependability established with functional verification.

1. Safety culture
   – Requirements tracing from system to component
   – Prevents problems from arising
2. Quality measurement
   – Functional verification at all levels of abstraction and for all system elements
   – Safety verification measures the response of systems to undesired/unplanned events
3. Documentation
   – Document confidence that tools did not inject or fail to detect problems (Tool Confidence Level, TCL)
   – Document complete compliance (Safety Manual) per product (semi or ECU)

Slide graphic labels: Functional Verification; Safety Verification; Requirements; TCL; Safety Manual (numbered 1, 2, 3 to match the items above).

Page 8: Safety verification has been labor intensive

• Excel spreadsheets
• Observation and manual documentation
• Safety engineer research
• Rewriting the verification environment to fit the traditional tool flow
• Custom scripts to extract safety data

Slide graphic labels: ISO 26262; Functional Verification; Safety Verification; Requirements; TCL; Safety Manual; Advanced Verification; SDS Suite; ADE Suite.
SDS = Cadence System Development Suite™ or similar; ADE = Cadence Virtuoso Analog Design Environment™ or similar

Page 9: Agenda (repeat of page 2)

Page 10: What is Metric Driven Verification (MDV)?

• A codified verification methodology utilizing metrics, versus estimates, to define release criteria and thus verification signoff
• Key enablers of MDV for silicon and systems suppliers
  – Empowers management with clear visibility to progress, gaps, owners and issues
  – Is a proven and scalable verification process, an industry standard
  – Drives quality improvements, as ‘you can only improve what you can clearly measure’
  – Returns greater productivity and resource utilization

Metric sources shown in the slide graphic: Bug Data, Verification Data, Source Code Data, Project Data

Page 11: Schedule Predictability: Plan to Closure Process

Structural Coverage only (1M gate design):
• 30,000 lines of Verilog code
• 2000 register bits
• 22000 verification states
• Functional closure impossible … but structural closure is possible
• Metrics: RTL code coverage, toggle coverage, FSM coverage, expression coverage

With MDV (1M gate design):
• 10 key features
• 10 sub-functions per feature
• 100 functional plan elements
• Functional closure possible
• Metrics: functional coverage, use case coverage, plan coverage, specification coverage

Page 12: Case Study: MDV Value Calculation / ROI

Deployment costs (training, licenses, computers, people): $650,000
ROI: 6x

Page 13: Allegro Success With MDV for Mixed-Signal (Allegro confidential information)

• More effort for the digital team, but guaranteed success and faster TTM
• Some headcount adjustment is required
• Analog designers now appreciate the value of RNM and MDV
• Effective communication throughout the project life cycle
• Reduced duplication of effort across the different teams
• Eliminated connectivity/interconnect bug escapes
• Found more bugs earlier in the design cycle, reduced costs
• Significantly faster system level simulations

Categories on the slide: Costs, Efficiency, Results

Page 14: Safety Requirements Tracing

✓ Test Management
✓ vPlan Traceability
✓ Flexible Metric Linking (many to many)
✓ Change Management
✓ Specification Linkage
✓ Closed Loop Feedback

• Incisive vManager supports safety requirements tracing
  – vManager is flexible planning technology enabling management by features, requirements, and/or technical functions
  – Tracing and tracking is provided with external requirements management tools
• Used in production by several US and European automotive IC suppliers
• For more information
  – webinar from 2012
  – Freescale paper, CDNLive 2013

Slide graphic labels: Any Requirements Management Tool; Incisive vManager; Design Specification
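The tracing the slide lists (many-to-many metric linking, specification linkage, closed-loop feedback) reduces to a small data model that a team can script against its own regression results. The following is an added example, not vManager code or any Cadence API: the requirement ids, plan element names, test names and results are constructed sample data, and `trace_report` is a hypothetical helper that reports which requirements are closed and which links in the loop are missing.

```python
from collections import defaultdict

# Constructed sample data (not from any real project).
# Safety requirements at system level.
REQUIREMENTS = {
    "SR-01": "Lockstep comparator flags any core mismatch within 2 cycles",
    "SR-02": "ECC corrects single-bit errors in data RAM",
    "SR-03": "Brake request is never dropped on a bus error",
    "SR-04": "Watchdog resets the MCU on a missed heartbeat",
}

# vPlan elements at component level, each with the regression tests that
# supply its metric. An empty list is a planned element with no test yet.
PLAN = {
    "vplan.lockstep.mismatch": ["t_lockstep_bitflip", "t_lockstep_stuck"],
    "vplan.ecc.single_bit": ["t_ecc_sbe"],
    "vplan.ecc.double_bit": ["t_ecc_dbe"],
    "vplan.bus.brake_retry": [],
    "vplan.clock.glitch": ["t_clk_glitch"],
}

# Many-to-many links: one requirement may need several plan elements, and one
# plan element may serve several requirements.
LINKS = [
    ("SR-01", "vplan.lockstep.mismatch"),
    ("SR-02", "vplan.ecc.single_bit"),
    ("SR-02", "vplan.ecc.double_bit"),
    ("SR-03", "vplan.bus.brake_retry"),
    ("SR-03", "vplan.ecc.single_bit"),
]

# Latest regression: test name -> (passed, functional coverage in percent).
RESULTS = {
    "t_lockstep_bitflip": (True, 100.0),
    "t_lockstep_stuck": (True, 100.0),
    "t_ecc_sbe": (True, 100.0),
    "t_ecc_dbe": (False, 60.0),
}


def trace_report(requirements, plan, links, results):
    """Return (per-requirement status, gaps) for closed-loop review.

    A requirement is closed only when every linked plan element has at least
    one test, every such test ran and passed, and its coverage is complete.
    """
    req_to_plan = defaultdict(list)
    plan_to_req = defaultdict(list)
    for req, elem in links:
        req_to_plan[req].append(elem)
        plan_to_req[elem].append(req)

    status = {}
    for req in requirements:
        elems = req_to_plan.get(req, [])
        tests = [t for e in elems for t in plan.get(e, [])]
        outcomes = [results.get(t) for t in tests]
        closed = (
            bool(elems)
            and all(plan.get(e) for e in elems)
            and all(o is not None and o[0] and o[1] >= 100.0 for o in outcomes)
        )
        status[req] = {
            "plan_elements": elems,
            "tests": tests,
            "closed": closed,
            "min_coverage": min((o[1] for o in outcomes if o), default=0.0),
        }

    # The gaps are what change management has to feed back to the plan
    # owners: requirements nobody verifies, plan elements nobody asked for,
    # plan elements without tests, and tests that never ran.
    gaps = {
        "untraced_requirements": [r for r in requirements if r not in req_to_plan],
        "orphan_plan_elements": [e for e in plan if e not in plan_to_req],
        "plan_elements_without_tests": [e for e, t in plan.items() if not t],
        "tests_not_run": [t for ts in plan.values() for t in ts if t not in results],
    }
    return status, gaps


if __name__ == "__main__":
    status, gaps = trace_report(REQUIREMENTS, PLAN, LINKS, RESULTS)
    for req, s in status.items():
        print(req, "closed" if s["closed"] else "open", f"min coverage {s['min_coverage']:.0f}%")
    for kind, items in gaps.items():
        print(kind, items)
```

With the sample data only SR-01 closes; SR-02 is held open by a failing test, SR-03 by a plan element with no test, and SR-04 is never linked at all, which is exactly the kind of gap a spreadsheet-driven process tends to miss.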

Page 15: Functional Safety Verification Flow Requirements

• Automate fault simulation execution
  – Eliminate testbench refactoring
• Safety requirements tracing
  – Integrate regression throughout for compliance metrics
  – Integrate permanent and transient fault simulation
• High performance/capacity
  – Gate-level, Verilog, and VHDL
  – Digital / mixed-signal simulation
  – Verify with IEEE languages

Slide graphic labels: Verification Plan; Safety Verification Plan; Fault Injector; Metric Driven Verification; Fault collection; Safety Reporting; Simulation Engine; Fault Engine, Fault Engine, …

Page 16: Establishing a Safety Verification Plan

• Identify safety-critical from non-critical systems
  – May not be simply hierarchical
• Identify safety systems
  – May require careful examination of the gate-level netlist
• Create triple lists of fault injection points, strobe (detection) points, and safety outputs

Slide graphic labels: MCU1; MCU2; Logic; Analog; Lockstep Comparator; Error Correction (ECC); Fault Injection Points; Fault Strobe Point; Safety System Output

Page 17: Identification of fault program

• Brute force – all fault types on all fault insertion points
  – Becomes computationally impossible after 10^6 gates
• Constrained random – sampling within the safety critical area
  – Combines randomized fault injection with coverage analysis
• Formal guided – reduce the fault list without simulation
  – Operates on a subset of the overall design and does not support analog

Flow shown in the slide graphic: Generate Fault List → Strobe Points and Safety Systems → Choose Verification Approach (Brute Force / Constrained Random / Formal Guided) → Analyze Simulation Results

Page 18: Reporting Semantics Enable Safety Analysis

• Each fault run reports a combination of type and condition
• “Dangerous Detected” faults are detected ON_TIME, DELAYED, or PREMATURE
• All others are dangerous unless they can be classified via further study
  – Did the fault fail to propagate due to logic masking (not dangerous)?
  – Did the fault fail to propagate due to lack of controllability (not dangerous)?
  – Did the fault fail to propagate due to incorrect stimulus (potentially dangerous)?

Fault Detection Conditions (rows: good machine value at the strobe point; columns: bad machine value)

                 Bad:  0   1   X   Z
  Good machine 0       U   D   P   P
  Good machine 1       D   U   P   P
  Good machine X       U   U   U   U
  Good machine Z       U   U   U   U

Key: D = Detected, P = Potentially Detected, U = Undetected

Fault Simulation Finish Types (type – fault run finished…)
  ON_TIME   – at the same time as the good run
  DELAYED   – after the good run
  PREMATURE – before the good run
  TIMEOUT   – when the specified timeout was reached
  STOPPED   – due to the simulator stopping the run
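Applying the detection matrix and finish types above to a regression of fault runs is the step a safety engineer otherwise does by hand in spreadsheets (page 8). The following is an added example, not the Cadence fault simulator's own code or reporting format: `FaultRun`, `classify` and `summarize` are hypothetical helpers, and the fault ids, strobe values and finish times are constructed sample data. It also carries the slide's follow-up study categories (logic masking, lack of controllability, incorrect stimulus) into the final verdict, and treats a run whose strobe value differed but which timed out or was stopped as still unclassified, since only ON_TIME, DELAYED and PREMATURE count as "Dangerous Detected".

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Detection condition at the strobe point: rows are the good-machine value,
# columns the bad (faulty) machine value, both in the order 0, 1, X, Z.
# D = detected, P = potentially detected, U = undetected.
_DETECTION = {
    "0": {"0": "U", "1": "D", "X": "P", "Z": "P"},
    "1": {"0": "D", "1": "U", "X": "P", "Z": "P"},
    "X": {"0": "U", "1": "U", "X": "U", "Z": "U"},
    "Z": {"0": "U", "1": "U", "X": "U", "Z": "U"},
}

# Outcome of the engineer's follow-up study for runs that were not detected.
_STUDY = {
    "logic_masking": "not_dangerous",
    "no_controllability": "not_dangerous",
    "incorrect_stimulus": "potentially_dangerous",
}


@dataclass
class FaultRun:
    fault_id: str                 # injection point + fault type (constructed ids)
    good_strobe: str              # value at the strobe point in the good run
    bad_strobe: str               # value at the same point in the fault run
    good_end: int                 # simulation time at which the good run finished
    bad_end: Optional[int]        # fault run finish time; None if it never finished
    timeout: int                  # timeout configured for the fault run
    stopped: bool = False         # simulator stopped the run before it finished
    study: Optional[str] = None   # key of _STUDY once a reviewer has looked at it


def detection_condition(good: str, bad: str) -> str:
    """Look up D/P/U for a (good machine, bad machine) strobe value pair."""
    return _DETECTION[good.upper()][bad.upper()]


def finish_type(run: FaultRun) -> str:
    """Map a run's finish time against the good run and its timeout."""
    if run.stopped:
        return "STOPPED"
    if run.bad_end is None or run.bad_end >= run.timeout:
        return "TIMEOUT"
    if run.bad_end == run.good_end:
        return "ON_TIME"
    return "DELAYED" if run.bad_end > run.good_end else "PREMATURE"


def classify(run: FaultRun) -> dict:
    """Combine condition, finish type and any study result into one verdict."""
    cond = detection_condition(run.good_strobe, run.bad_strobe)
    fin = finish_type(run)
    if cond == "D" and fin in ("ON_TIME", "DELAYED", "PREMATURE"):
        verdict = "dangerous_detected"
    elif run.study in _STUDY:
        verdict = _STUDY[run.study]
    else:
        # Every other run stays dangerous until a reviewer reclassifies it.
        verdict = "dangerous_unclassified"
    return {"fault": run.fault_id, "condition": cond, "finish": fin, "verdict": verdict}


def summarize(runs) -> Counter:
    """Count verdicts across a regression of fault runs."""
    return Counter(classify(r)["verdict"] for r in runs)


# Constructed sample regression (no real design data).
SAMPLE_RUNS = [
    FaultRun("u_core1.alu.q[3]:SA0", "1", "0", 500, 500, 1000),   # D, ON_TIME
    FaultRun("u_core1.alu.q[3]:SA1", "0", "1", 500, 520, 1000),   # D, DELAYED
    FaultRun("u_ecc.syn[0]:SEU", "0", "X", 500, 500, 1000),       # P, needs debug
    FaultRun("u_dbg.unused[7]:SA0", "1", "1", 500, 500, 1000, study="logic_masking"),
    FaultRun("u_bus.req:SET", "0", "0", 500, 500, 1000, study="incorrect_stimulus"),
    FaultRun("u_core2.pc[0]:SA1", "1", "0", 500, None, 1000),     # D but TIMEOUT
]

if __name__ == "__main__":
    for r in SAMPLE_RUNS:
        print(classify(r))
    print(dict(summarize(SAMPLE_RUNS)))
```

The last sample run is the case worth noticing: its strobe value differs from the good machine, so the condition is D, but because the run hit its timeout it is not counted as "Dangerous Detected" and lands in the unclassified bucket for the same further study as the P and U runs.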

Page 19: Functional Safety Solution Details

Multiple fault types for 26262
• Single event upset (SEU)
• Stuck at 0 or 1 (SA0/SA1)
• Single event transient (SET)

Simulates the unaltered DUT
• Fault identification during elaboration
• Faults injected during simulation
• Supports Verilog/VHDL for gates/RTL
• Faults can propagate through mixed-signal, low-power, assertions, etc.

Automates safety verification
• Efficiently executes fault simulations in modern regression environments
• Highlights potentially detected and undetected fault runs for further debug

Verification environment reuse
• Supports SystemVerilog/UVM, SystemC, e

Page 20: Agenda (repeat of page 2)

Page 21: Functional Safety and DFT are Related

• Safety is not wholly a subset of DFT
  – Transient faults typically are not part of manufacturing-oriented DFT
• Safety implementation is sometimes supplanted by BIST
  – LBIST and MBIST provide in-device safety checks
  – Cost is area and performance
• ATPG methods generate more faults than safety needs
  – Their comprehensive nature can fault all device inputs
  – ATPG engines are fast for stuck-at faults
• Bottom line – both safety and DFT are required

Page 22: System Level Design Fault Considerations

• Defined by untimed transaction-based design
  – Targeted to hardware/software co-design
  – May include algorithmic models for analog
• Enables early analysis of safety systems
  – Analyze failure reporting response time
  – Identify safety-critical systems
• Challenges: new fault models
  – Abstract data types do not have simple bit-faults
  – Ex. enum – how do you fault “orange”?
  – Ex. struct – do you fault individual data fields?

Page 23: Agenda (repeat of page 2)

Page 24: Call to Action

• Seek higher quality verification
  – Functional quality is a business advantage
• Implement safety verification
  – An automated process can save millions per year
• Look to the future
  – Safety and dependable design will be pervasive
  – Skills developed for automotive will go beyond safety critical markets
  – Industry collaboration on automation and higher abstraction

Page 25: Automotive Systems Engineering Automation

• Enhance core technology – quality, performance, integration
• Innovate technology and methodology – application focused
• Connect design chain – technology, standards, collaboration
