

#### Integration Verification of Safety Components in Automotive Chip Modules

Holger Busch

Infineon Technologies AG





1

2

3

4

5

6

- Introduction
- Formal-Property-Checking Approach
- Structural Analyses
- Automatic Integration Checks
- Experience

#### Summary

Questions





1

3

4

5

6

Introduction



Structural Analyses

Automatic Integration Checks

Experience

Summary

Questions





#### Introduction

- Safety requirements: prevent failure modes by random faults
  - Error detection: raise error flag
  - Alarm reaction: drive system into safe state
- HW and/or SW safety mechanisms
  - Redundancy + comparison
  - Read-back + comparison
  - Configurable alarm reaction
- Safety verification objective
  - Evidence that safety mechanism yields diagnostic coverage
     Automotive Safety Integrity Level D: detect 99% of all single point faults





### Introduction (1)

- Safety verification approaches
  - Fault simulation: specialized tool
  - Functional simulation: forcing signal to inverted or constant value
  - Formal-Property-Checking: formal fault injection by signal cutting + fault assumption





## Introduction (2)

- HW-safety mechanism for registers (SFF – Safety-Flip-Flop)
  - Highly configurable safety library components
- Integration in DP (Design Part)
  - Replacement of previously unprotected registers by library components and wiring of test and alarm signals
  - Insertion of safety controller and connection to Safety-Management Unit







1

Introduction

Formal-Property-Checking Approach 2 3 **Structural Analyses** 4 **Automatic Integration Checks** 5 Experience 6 Summary Questions





### Formal-Property-Checking Approach

- Instrument model: cut signals
- Provide pre-defined formal safety properties:
  - Error implies alarm
  - No error implies no alarm
  - Test activation causes alarm as expected
- Enhance functional properties:
  - Functional deviation implies alarm







# Formal-Property-Checking Approach (1)

- Benefit:
  - Exhaustive coverage of all potential faults
- Bottleneck:
  - Module complexity
  - Debugging of proof failures
    - Design familiarity
    - Tool expertise
- Experience:
  - Library components correct
  - Bugs by wrong integration: structural root cause

#### **Debugging:**

Tracing through deep instance-hierarchy







# Formal-Property-Checking Approach (2)

- New Approach:
  - 1. Exhaustive formal verification of library components in parameterizable test-architecture using actual configurations
  - Structural integration checks of library components in modules
     ➢No formal proofs required





1

3

Introduction



#### Structural Analyses

4 Automatic Integration Checks
5 Experience
6 Summary
7 Questions





#### Structural Analyses

• Clock and reset domains

| A B                         |       | С        | D   |        | E            | F         | G            |
|-----------------------------|-------|----------|-----|--------|--------------|-----------|--------------|
| no                          | clk   | par_clkL | sel |        | en           | clk0_diff | uctrl_clk_en |
| 0clocks_0/clk_gate_2/cl     | k_o   | 1        |     | clk_ga | ate_en_i(0)  | 0         | -1           |
| 1clocks_0/clk_gate_1/cl     | k_o   | 2        |     | (s_spl | o_dft_ctrl_i | 2         | -1           |
| 2 sx_clocks_clks_max_sp     | ob_i  | -1       |     |        |              | 2         | -1           |
|                             |       |          |     |        |              |           |              |
| A B                         |       | С        | D   | Е      |              |           |              |
| no                          | rst   | par_rstL | sel | en     |              |           |              |
| 0 sx_reset_application_rese | t_n_i | -1       |     |        |              |           |              |
| 1 sx_reset_system_reset_n   | i     | -1       |     |        |              |           |              |





### Structural Analyses (1)

- Safety registers
  - Protection method
  - Data width
  - Testability
  - Alarm connectivity



| А  | В         | С      | D    | F     | Н               |
|----|-----------|--------|------|-------|-----------------|
| no | signal    | wrp_no | type | width | sfr_bf          |
| 5  | _oven5_s  | 6      | DED  | 1     | OVCENABLE.OVEN5 |
| 6  | ble_god_s | 6      | DED  | 1     | OVCENABLE.GOD   |
| 7  | 0_edav_s  | 7      | DED  | 1     | PRDCFG0.EDAV    |

| А  | В          | С           | D      | Е      | F       | G       | Н     | I       | J       | U  | V   | Х   |
|----|------------|-------------|--------|--------|---------|---------|-------|---------|---------|----|-----|-----|
| no | wrp        | par_comp    | clk_no | rst_no | ctrl_fo | ctrl_fi | ar_fo | pmeth_g | sff_ste | dw | rcw | pdw |
| 6  |            | int_ubs_sfr |        | 0      | 3       | 3       | 5     | 2       | true    | 7  | 4   | 7   |
| 71 | et_prdcfg0 | int_ubs_sfr | 0      | 0      | 3       | 3       | 5     | 2       | true    | 32 | 6   | 32  |





### Structural Analyses (2)

- Alarm reductors
  - Protection method
  - Alarm connectivity



| А  | В            | С           | D       | Е     | F     |  |
|----|--------------|-------------|---------|-------|-------|--|
| no | ar           | par_comp    | ctrl_fo | ar_fo | pmeth |  |
| 4  | r_sfr/sffar1 | int_ubs_sfr | 2       | -1    | 2     |  |
| 5  | r_sfr/sffar2 | int_ubs_sfr | 3       | -1    | 2     |  |





### Structural Analyses (3)

- Controller
  - Test support
  - Domains
  - Clock relations
  - Test connectivity
  - Alarm connectivity
  - Interface to SMU



| А  | В        |        | С      |        | D      | Е        |    | F     | G      | Н         |        | M       |
|----|----------|--------|--------|--------|--------|----------|----|-------|--------|-----------|--------|---------|
| no | u        | ctrl p | ar_co  | mp c   | lk_no  | rst_no   | pm | eth_g | ste_g  | top_g     | clks_  | diff_g  |
| 0  | st_sff_u | ctrl p | wr_uc  | W      | 0      | 0        |    | 2     | true   | true      |        | 8'h0    |
| Α  | В        | (      | С      | D      | Е      | F        |    | G     | 1      |           | J      | K       |
| no | ctrl     | par_   | comp o | clk_no | rst_no | o uctrl_ | no | dom_n | o clk_ | _diff f_p | ometh_ | g ste_g |
| 1  | dom_ctrl | sff_u  | ictrl  | 0      | ) (    | C        | 0  |       | 1      | 0         |        | 2 true  |
| 2  | dom_ctrl | sff_u  | ıctrl  | 0      | ) ·    | 1        | 0  |       | 2      | 0         |        | 2 true  |





# Structural Analyses(4)

- Connectivity of library components
  - Clock domains
  - Reset domains
  - Test control
  - Alarms
- Data connectivity
  - Localization of registers specified to be protected
- ➢ Base technology
  - Efficient functions for transitive fan-in determination







1

2

3

Introduction

- Formal-Property-Checking Approach
  - Structural Analyses

Automatic Integration Checks
Experience
Summary
Questions





### Automatic Integration Checks

- "Just" evaluation of extracted structural data
- Compatibility of configuration parameters of connected components
  - Protection
  - Self-testability
  - Domain-controllers
  - Synchronization
- Connectivity
  - Clock and reset inputs
  - Test enabling
  - Alarms in domains and global





# Automatic Integration Checks (1)

- Automatic integration verification flow
  - Collection of RTL libraries
  - Design compilation
  - Location of library components
  - Extraction SFF-data
- Result tables
  - Extraction data
  - Check results •
- Report Generation •







1

2

3

4

5

6

Introduction

- Formal-Property-Checking Approach
  - Structural Analyses
  - Automatic Integration Checks

#### Experience

#### Summary

Questions





#### Experience

- More than 100 module instances of MC product automatically verified
- Automatic compilation works for almost all modules
  - Manual set-up adjustment in few very specific cases
- Automatic integration checks in few seconds to minutes
- Integration bugs caused by manual wiring or configuration
- In case of findings:
  - No debugging required: Result tables with direct references to extraction data
  - Easy correction
  - No additional findings by formal-property checks





1

2

3

4

5

6

Introduction

- Formal-Property-Checking Approach
- Structural Analyses
- Automatic Integration Checks
- Experience

#### Summary

Questions





### Summary

- New integration verification flow:
  - 1. Exhaustive formal library verification-for reduced test-architectures
  - 2. Fast automatic structural integration verification for modules
  - 3. Representative limited checks by sub-system or SoC-simulation
- Benefits
  - Efficiency
  - Ease-of-use
    - No expert knowledge for set-up, execution, root-cause analysis
  - Comprehensiveness
  - Uniformity
  - Substantial efforts saved





1

2

3

4

5

6

Introduction

- Formal-Property-Checking Approach
- Structural Analyses
- Automatic Integration Checks
- Experience

#### Summary

Questions





#### Thank You!

Questions ?



