### Making Autonomous Cars Safe

Joern Stohmann, Frederico Ferlini






# Agenda

- Automotive Market
- Complex Challenges
- ISO 26262 and Basic Safety
- Functional Safety Methodology





© Accellera Systems Initiative

#### The Automotive Market







#### Automotive Semiconductor Growth

Automotive semiconductor revenue by application





2017 DESIGN AND VERIFICATION CONFERENCE AND EXHIBITION EUROPE

### Forces Shaping the Automotive Industry

"Automotive Revolution – Perspective towards 2030", a 2016 McKinsey report, identified 4 areas deemed particularly important in shaping the auto industry through 2030:

| Vehicle electrification | Increased Connectivity | Growth of Autonomous Driving | Shared Mobility Services |
|---|---|---|---|
| Advances to solve:<br>• High battery costs<br>• Proliferation of charging infrastructure | Advances to:<br>• 5G deployment<br>• Telematics services<br>• V2I; V2V | ADAS deployment:<br>• Cost effective Level 3 and Level 4 by 2020~2025 | Proliferation of:<br>• Ride sharing services<br>• Car sharing services |



#### Autonomous Driving

- Amount of electronics is growing fast
- Advanced driver assistance systems (ADAS) based on complex SoCs to enable high-performance computing
- Safety critical ADAS applications have stringent requirements on
  - Functional Safety
  - Security
  - Reliability

Figure: levels of driving automation as defined in standard J3016

### Automotive Opportunities and Focus Areas






# Complex Challenges









Source: Volvo


Source: BMW



#### Need low-power, small footprint, high-performance SoCs


#### Making a Car Autonomous






# **Complicated Convolutional Neural Networks**



- Lidar point cloud: ~10-70 MB/sec
- Digital camera: ~20-40 MB/sec

Automated and Reliable Object Recognition using CNN

Need a high-performance, low-power hardware platform to combine and analyze point clouds and accurately identify objects





### Automotive SoC Verification Challenges






#### ISO 26262 and Safety Basics







#### **Functional Safety standards**



#### ISO 26262 defines

- Processes to follow
- Hardware/software performance to achieve
- Safety documentation to produce
- Software tools compliance process







# Functional Safety definition—ISO 26262

"Absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical and/or electronic systems" (ISO 26262)





### ASIL determination example—ISO 26262

For illustration purposes only



## ISO 26262—Design and safety flow





The FIT budget is distributed from the item down to each of its elements




#### **ASIL Hardware Metrics**

| ASIL | Failure Rate | SPFM         | LFM          |
|------|--------------|--------------|--------------|
| A    | < 1000 FIT   | Not relevant | Not relevant |
| B    | < 100 FIT    | > 90%        | > 60%        |
| C    | < 100 FIT    | > 97%        | > 80%        |
| D    | < 10 FIT     | > 99%        | > 90%        |

- FIT: Failure In Time (1 failure / 10<sup>9</sup> hours)
- SPFM: Single Point Fault Metric
- LFM: Latent Fault Metric





#### ISO 26262—Functional Safety principles

#### **Systematic Failures**

(e.g., software bug)

- Addressed by processes (planning, traceability, documentation, specs, ...)
- Strictness of the processes depends on the ASIL level

#### **Random Failures**

(e.g., component malfunction, noise injection)

- Considers permanent failure and transient effects
- Includes safety mechanisms design and integration to handle faults
- Demonstrated by reliability calculations and verification of failure rates
- Failure rates and diagnostic coverage requirement depend on ASIL





ISO 26262 covers random and systematic errors



#### Functional Safety Methodology







### **Build a Holistic Solution**





- Integrate Safety Mechanisms to reduce the FIT
  - Positive testing (functional verification)
    - Verify proper functionality prior to safety verification
  - Negative testing (assess diagnostic capability):
    - Targeted tests to confirm failure mode assumptions
    - Statistical tests to ensure design function integrity
    - Transient fault testing to provide evidence of safety mechanism integrity





#### **Build Chips for Safe Autonomous Automobiles**

| Current Need | • A dedicated functional safety verification methodology and process for these safety-critical IPs and SoCs<br>• Safety analysis in semiconductor such as fault injection, fault metrics, base failure rate estimation, interfaces within distributed developments, handling of Hardware Intellectual Property (IP) |
|--------------|---|
| Methodology  | • Holistic methodology which combines analytical methodologies such as FMEDA with dynamic fault simulation and formal analysis based methodologies to significantly reduce the safety verification effort and achieve faster product certification |
| Metrics      | • ISO 26262 recommends the single point fault metric (SPFM) and latent fault metric (LFM) for the component (IP and SoCs)<br>• Will be measured for each of the identified safety goals associated with the safety critical modules within the IPs and/or SoCs. |




# Safety Verification Challenges and More

- Failure Mode Definition
- Safety Mechanism Design
- Fault Campaign Planning
- Safety Requirement Traceability
- Fault Set (+Optimization) Execution
- Verification Environment Re-use
- Multiple Engines Support
- Link to FMEDA (Metrics Calculation)




# **Tool Confidence Level (TCL)**




#### FMEDA – capture and analyse safety goals

Screenshot of an FMEDA spreadsheet for a CPU-class IP (parts: BUS ITF, DECODER, VIC, register bank, ALU, FETCH). Columns: failure mode, #gates, #flops, permanent and transient failure rates with their failure mode distribution, and the diagnostic coverage and safety mechanism for permanent (DCp, SMp) and transient (DCt, SMt) faults. Safety mechanisms listed include E2E, CTRL FLOW, WD, INT MONITOR, PARITY, HW REDUNDANT, RANGE CHK and STL; the sheet reports SPFMp 59.97%, SPFMt 52.76% and LFM not calculated.



#### A SM can cover more than one FM

#### One FM can be covered by multiple SMs




#### **Typical Functional Safety Workflow**




### Safety Verification Solution Vision




- Unified functional + safety verification flow and engines
- Integrated fault campaign management across formal, simulation, and emulation
- Common fault results database unifies diagnostic coverage
- Proven requirements traceability, enabling FMEDA integration



#### Safety Mechanisms in Ethernet IP






#### GEM Block – FMEDA Analysis

| Block or<br>Subblock | λ [FIT] | Failure Mode                                                 | FM<br>Distribution | Effect Description of FM                                                                                                                           | SM Implemented                   |
|----------------------|---------|--------------------------------------------------------------|--------------------|----------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------|
| TSU                  | 0.0719  | Fault in TSU compare pulse                                   | 0.9%               | TSU compare interrupt is incorrect                                                                                                                 | Compare logic is duplicated      |
| TSU                  | 0.0719  | Fault in TSU seconds<br>increment pulse                      | 0.9%               | The TSU seconds interrupt is incorrect                                                                                                             | Interrupt logic is duplicated    |
| TSU                  | 0.0719  | Fault in generation of the TSU strobe pulse to the registers | 0.9%               | The timer value may not be captured or captured incorrectly                                                                                        | Strobe Pulse Logic is duplicated |
| TSU                  | 0.0719  | Fault in TSU timer output<br>value                           | 97.3%              | TX/RX timestamp is corrupted, output<br>TSU timer value to local system will be<br>invalid, Timer value read back in registers<br>is also invalid. | Timer logic is<br>duplicated     |
| Registers            | 0.3013  | Fault in static configuration outputs from the registers     | 95%                | Unpredictable behavior of IP                                                                                                                       | Parity generation and detection  |




#### Ethernet IP – GEM Block




#### GEM Block – FMEDA Verification

| Block or<br>Subblock | λ [FIT] | Failure Mode                                                 | FM Distribution | DC Number Estimated | DC Number<br>Achieved |
|----------------------|---------|--------------------------------------------------------------|-----------------|---------------------|-----------------------|
| TSU                  | 0.0719  | Fault in TSU compare pulse                                   | 0.9%            | 95%                 | 96%                   |
| TSU                  | 0.0719  | Fault in TSU seconds increment pulse                         | 0.9%            | 95%                 | 98%                   |
| TSU                  | 0.0719  | Fault in generation of the TSU strobe pulse to the registers | 0.9%            | 95%                 | 78%                   |
| TSU                  | 0.0719  | Fault in TSU timer output value                              | 97.3%           | 95%                 | 100%                  |
| Registers            | 0.3013  | Fault in static configuration outputs from the registers     | 95%             | 90%                 | 92.5%                 |












# Fault Injection Campaign – Example



- DUT: 2 memories
  - FS Requirement: ASIL-D
    - E.g. HW arch. metrics: SPFM >= 99%, LFM >= 90%
- MEM1
  - Bit-Width: 32 bit
  - FS Analysis: use 8 bit CRC (CRC-8)
- MEM2
  - Bit-Width: 8 bit
  - FS Analysis: use 4 bit CRC (CRC-4)
- Reuse functional verification environment
  - Contains multiple tests
- Goal: "Calculate DC values for MEM1, MEM2 required for HW architectural metrics calculation."
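The fault injection example above (two memories protected by CRC-8 and CRC-4, goal: DC values feeding the SPFM/LFM targets of the ASIL hardware metrics table) as an added, runnable Python model; this is not Cadence's tooling or the page's own code. It injects stuck-at faults on every stored data and CRC bit over a constructed test list, classifies each fault SD/SU/DD/DU the way an annotated fault list does, and derives DC and SPFM from the counts. Assumptions: a uniform failure rate per fault site, the polynomials 0x07 and 0x03 (the page names only widths), zero-init bit-serial CRCs, and no faults inside the checker itself, so LFM is not computed.

```python
"""Toy fault-injection campaign over CRC-protected memories (added example).

MEM1: 32-bit data + CRC-8 safety mechanism; MEM2: 8-bit data + CRC-4.
Each stuck-at fault is classified ISO 26262 style as Safe/Dangerous x
Detected/Undetected (SD, SU, DD, DU); DC and SPFM follow from the counts.
Assumption: every fault site carries the same failure rate, so fault
counts stand in for lambda sums.
"""
from collections import Counter

# (width, polynomial): assumed for the example, the page names only widths
CRC8 = (8, 0x07)
CRC4 = (4, 0x03)

# Constructed stimuli standing in for the reused functional tests
TESTS32 = [0x00000000, 0xFFFFFFFF, 0xA5A5A5A5, 0x5A5A5A5A, 0xDEADBEEF]
TESTS8 = [0x00, 0xFF, 0xA5, 0x5A, 0x3C]


def crc(data, data_bits, width, poly):
    """Bit-serial MSB-first CRC, zero init, no final XOR."""
    reg, mask = 0, (1 << width) - 1
    for i in range(data_bits - 1, -1, -1):
        top = ((reg >> (width - 1)) & 1) ^ ((data >> i) & 1)
        reg = (reg << 1) & mask
        if top:
            reg ^= poly
    return reg


def read_with_fault(golden, data_bits, width, poly, fault):
    """Read one stored word with a stuck-at fault applied.

    fault = (bit_index, stuck_value). Indices below data_bits hit the data
    bits, the rest hit the stored CRC. Returns (data_seen, alarm).
    """
    data, stored = golden, crc(golden, data_bits, width, poly)
    idx, val = fault
    if idx < data_bits:
        data = (data & ~(1 << idx)) | (val << idx)
    else:
        j = idx - data_bits
        stored = (stored & ~(1 << j)) | (val << j)
    alarm = crc(data, data_bits, width, poly) != stored  # checker strobe
    return data, alarm


def run_campaign(data_bits, width, poly, tests):
    """Classify every stuck-at-0/1 fault on the stored bits over all tests."""
    classes = {}
    for idx in range(data_bits + width):
        for val in (0, 1):
            dangerous = detected = False
            for golden in tests:
                seen, alarm = read_with_fault(golden, data_bits, width, poly, (idx, val))
                dangerous |= seen != golden   # functional strobe corrupted
                detected |= alarm             # safety mechanism fired
            classes[(idx, val)] = ("D" if dangerous else "S") + ("D" if detected else "U")
    return classes


def metrics(classes):
    """DC = DD / (DD + DU); SPFM = 1 - residual (DU) faults / all faults."""
    c = Counter(classes.values())
    dangerous = c["DD"] + c["DU"]
    return {
        "DC": c["DD"] / dangerous if dangerous else 1.0,
        "SPFM": 1 - c["DU"] / len(classes),
        "SD": c["SD"], "SU": c["SU"], "DD": c["DD"], "DU": c["DU"],
    }


def meets_asil_d_spfm(m):
    """Page's ASIL-D architectural target: SPFM >= 99% (LFM not modelled)."""
    return m["SPFM"] >= 0.99


if __name__ == "__main__":
    for name, bits, (width, poly), tests in (("MEM1", 32, CRC8, TESTS32),
                                             ("MEM2", 8, CRC4, TESTS8)):
        m = metrics(run_campaign(bits, width, poly, tests))
        print(name, m, "ASIL-D SPFM ok" if meets_asil_d_spfm(m) else "SPFM below target")
```

Faults on CRC bits never corrupt the functional data, so they land in SD (alarm raised in some test) or SU (never exercised by the test list); widening the test list is what moves SU faults into a decided class, which is the campaign-planning point the page makes about reusing many functional tests.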




### Mapping FMEDA to Fault Injection Campaign






# Fault Campaign Executor - Interface



#### Inputs: FMEDA

- Fault List
  - Definition of the faults to be injected
- Strobe List
  - Definition of the observation points

#### Inputs: Safety Verification Engineer

- Test List
  - Tests to be used during the campaign
- Campaign Configuration
  - Define the campaign parameters

#### **Outputs: Safety Client**

- Annotated Fault List
  - Fault classification is back annotated
- Reports
  - Various kind according to the use case




# Fault Campaign Executor – Execution Flow




#### Fault Campaign Executor – GUI Example

Screenshot: vManager fault campaign view listing runs with duration, status (passed/failed), fault classification (DU, SD) and the injected fault node (nodes inside mem1_i.crc_chk_i), with a waveform window opened for a selected fault run.
|                                                                 | 9                     | 104                             | 😡 passed                 |                | SD                   | Design Bro  | vser                                    | × 0                        | Baseline ▼= 0<br>r-Baseline <del>▼</del> = 0        | Baseline = 0                               |                                                                              |
|                                                                 | 10                    | 104                             | passed                   |                | SD                   | SAO Scope:  | All Available Data<br>stroke            | ▼ 300 (Q) 194 Name         | o. ⊂ Cursor o                                       |                                            |                                                                              |
|                                                                 | 11                    | 104                             | passed                   |                | SD                   |             | ) test<br>                              |                            | <pre>4ta_out[31:0] 'h xxxxxxx 4err_detected x</pre> |                                            |                                                                              |
|                                                                 | 12                    | 100                             | O nassed                 |                | SD                   | SAL         | aut_inst                                |                            | <pre>4data_out[7:0] 'h xx 4err_detected x</pre>     | 00 (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) | 4 }) [B3 ] ]] ] 32] ] 30]]))] (]] [R9 ]]] []] []] []] []] []] []] []] []] [] |




# Fault Campaign Executor – Reporting



#### Comprehensive report generation

- Campaign Execution Statistics
- Fault Classification Hierarchical View
- Test execution order
- Fault annotation list

| Classification       | Code | Faults | [%]    | Faults | [%]    |
|----------------------|------|--------|--------|--------|--------|
| UNKNOWN              | [UK] | 0      | 0.0%   | 0      | 0.0%   |
| UNTESTABLE           | [UT] | 258    | 9.8%   | 258    | 11.6%  |
| SAFE UNDETECTED      | [SU] | 160    | 6.1%   | 121    | 5.4%   |
| SAFE DETECTED        | [SD] | 1388   | 52.9%  | 1090   | 48.9%  |
| DANGEROUS DETECTED   | [DD] | 520    | 19.8%  | 458    | 20.6%  |
| DANGEROUS UNDETECTED | [DU] | 300    | 11.4%  | 300    | 13.5%  |
| total                |      | 2626   |        | 2227   |        |

The computed metrics are back-annotated to the FMEDA




#### FMEDA – estimated and simulated values

Estimated values:

| Part | Sub-part | Safety related | Failure mode | Failure Rate (FIT) | Safe Faults [%] | Safety Mechanism | DC – Residual or Single Point Fault [%] | RES/SPF Failure Rate | DC – Latent [%] | Latent MP Failure Rate |
|------|----------|----------------|--------------|--------------------|-----------------|------------------|-----------------------------------------|----------------------|-----------------|------------------------|
| DUT  | MEM1     | SR             | permanent    | 4.0                | 0%              | SMEM1            | 99%                                     | 0.040                | 90%             | 0.396                  |
|      | MEM2     | SR             | permanent    | 1.0                | 0%              | SMEM2            | 99%                                     | 0.010                | 90%             | 0.099                  |
|      |          |                |              |                    |                 |                  | Total                                   | 0.050                |                 | 0.495                  |
|      |          |                |              |                    |                 |                  | SPFM (Calc)                             | 99.0%                | LFM (Calc)      | 90.0%                  |
|      |          |                |              |                    |                 |                  | SPFM (Target)                           | >= 99%               | LFM (Target)    | >= 90%                 |

Simulated values (from fault simulation):

| Part | Sub-part | Safety related | Failure mode | Failure Rate (FIT) | Safe Faults [%] | Safety Mechanism | DC – Residual or Single Point Fault [%] | RES/SPF Failure Rate | DC – Latent [%] | Latent MP Failure Rate |
|------|----------|----------------|--------------|--------------------|-----------------|------------------|-----------------------------------------|----------------------|-----------------|------------------------|
| DUT  | MEM1     | SR             | permanent    | 4.0                | 10.0%           | SMEM1            | 88.3%                                   | 0.421                | 94.1%           | 0.188                  |
|      | MEM2     | SR             | permanent    | 1.0                | 8.7%            | SMEM2            | 100.0%                                  | 0.000                | 93.2%           | 0.062                  |
|      |          |                |              |                    |                 |                  | Total                                   | 0.421                |                 | 0.250                  |
|      |          |                |              |                    |                 |                  | SPFM (Calc)                             | 91.6%                | LFM (Calc)      | 94.5%                  |
|      |          |                |              |                    |                 |                  | SPFM (Target)                           | >= 99%               | LFM (Target)    | >= 90%                 |
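As an added example, not part of the slides or of any Cadence tool, the following Python recomputes both FMEDA blocks above from each sub-part's failure rate, safe-fault share and diagnostic coverages and checks the result against the SPFM/LFM targets. The formulas are inferred from the table's own numbers (they reproduce every value shown), so they are an assumption about how the sheet was built, not a documented method.

```python
# Added example (not from the slides): recompute the FMEDA hardware metrics.
# Formulas are inferred from the table above (assumption, not a documented method):
#   lambda_RF   = FIT * (1 - safe) * (1 - DC_rf)
#   lambda_MPF,L = (FIT * (1 - safe) - lambda_RF) * (1 - DC_latent)
#   SPFM = 1 - sum(lambda_RF) / sum(FIT)
#   LFM  = 1 - sum(lambda_MPF,L) / (sum(FIT) - sum(lambda_RF))
from dataclasses import dataclass


@dataclass
class SubPart:
    name: str
    fit: float      # failure rate in FIT (failures per 1e9 hours)
    safe: float     # share of safe faults, 0..1
    dc_rf: float    # diagnostic coverage vs. residual / single-point faults
    dc_lat: float   # diagnostic coverage vs. latent multi-point faults

    def residual_rate(self) -> float:
        # Dangerous faults the safety mechanism does not catch.
        return self.fit * (1 - self.safe) * (1 - self.dc_rf)

    def latent_rate(self) -> float:
        # Dangerous faults caught as RF but never revealed by latent-fault tests.
        return (self.fit * (1 - self.safe) - self.residual_rate()) * (1 - self.dc_lat)


def fmeda_metrics(parts):
    total = sum(p.fit for p in parts)
    rf = sum(p.residual_rate() for p in parts)
    lat = sum(p.latent_rate() for p in parts)
    return {"rf": rf, "latent": lat, "spfm": 1 - rf / total, "lfm": 1 - lat / (total - rf)}


def meets_targets(metrics, spfm_target=0.99, lfm_target=0.90):
    # Targets as stated in the table: SPFM >= 99%, LFM >= 90%.
    return metrics["spfm"] >= spfm_target and metrics["lfm"] >= lfm_target


# Values copied from the two FMEDA blocks on the slide.
ESTIMATED = [SubPart("MEM1", 4.0, 0.0, 0.99, 0.90), SubPart("MEM2", 1.0, 0.0, 0.99, 0.90)]
SIMULATED = [SubPart("MEM1", 4.0, 0.10, 0.883, 0.941), SubPart("MEM2", 1.0, 0.087, 1.0, 0.932)]

if __name__ == "__main__":
    for label, parts in (("estimated", ESTIMATED), ("simulated", SIMULATED)):
        m = fmeda_metrics(parts)
        print(f"{label}: SPFM={m['spfm']:.1%} LFM={m['lfm']:.1%} targets met={meets_targets(m)}")
```

The estimated sheet meets both targets, while the simulated diagnostic coverage of SMEM1 drops SPFM to 91.6%, below the 99% target, which is exactly the gap the fault campaign is meant to expose.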






## Summary

- Autonomous cars are coming, and 'Mind-Off' driving is expected to be real by the mid-2020s
- ADAS SoCs are very large, complicated designs
- ISO 26262 is the automotive standard that defines the processes to follow, the required performance level for hardware and software, and the compliance process
- A systematic analysis technique such as the FMEDA is essential for meeting ISO 26262 metrics
- Safety verification provides quantitative data useful in verifying that ASIL metrics have been met



#### Questions



