

# Making Autonomous Cars Safer – One chip at a time

### Apurva Kalia: Vice President R&D Ann Keffer: Product Management Director

# cādence<sup>®</sup>



Automotive Market
Complex Challenges
ISO 26262 and Basic Safety
Functional Safety Methodology

cadence"

((()))







### **Automotive Semiconductor Growth**

Automotive semiconductor revenue by application



# **CONFERENCE AND EXHIBITION** OFCES Shaping the Automotive Industry

"Automotive Revolution – Perspective towards 2030" – a 2016 McKinsey Report identified 4 areas that deemed particularly important in shaping the auto industry thru 2030

| Vehicle<br>electrification                                                                                                      | Increased<br>Connectivity                                                | Growth of<br>Autonomous<br>Driving                                            | Shared Mobility<br>Services                                                                       |
|---------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------|-------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------|
| <ul> <li>Advances to solve</li> <li>High battery<br/>costs</li> <li>Proliferation of<br/>charging<br/>infrastructure</li> </ul> | Advances to<br>• 5G deployment<br>• Telematics<br>services<br>• V2I; V2V | ADAS deployment<br>• Cost effective<br>Level 3 and<br>Level 4 by<br>2020~2025 | <ul> <li>Proliferation of</li> <li>Ride sharing services</li> <li>Car sharing services</li> </ul> |



# **Autonomous** Driving

- Amount of electronics is growing fast
- (ADAS) based on complex SoCs to enable high-performance computing
- Safety critical ADAS applications have stringent requirements on
  - Functional Safety
  - Security
  - Reliability







### **Complex Challenges**



Source: BMW

### Need low-power, small footprint, high-performance SoCs

© Accellera Systems Initiative

### Making a Car Autonomous



**Passive Vision Rear View Camera** Vision Enhancement Auto Dimming Headlights **Blind Spot Detection** 360 View **Parking Assist** Lane Detection and Following Sign Recognition **Traffic Signal Recognition** Rain, Snow, /Fog Removal Pedestrian Tracking /Avoidance **Eve Focus Detection Driver Monitoring** Vehicle Detection/Avoidance

### **Complicated Convolutional Neural Networks**



Automated and Reliable Object Recognition using Convolutional Neural Networks

Need a high-performance, low-power hardware platform to combine and analyze point clouds and accurately identify objects

### **Automotive SoC Verification Challenges**

#### **Systematic Failure Verification**

**Concurrent SW Development** 

**Requirements Traceability** 

**Use Case Verification** 

**Performance Verification** 

**Security Verification** 

**Automotive Protocol Verification** 

**Mixed Signal Verification** 

**Functional Safety Verification** 

**Random Failure Verification** 

### **ADAS SoC**



### **Multiple verification and validation platforms**



### ISO 26262 and Failure Mode Effects and Diagnostic Analysis

## **Example tional Safety standards**

UNITED STATES



#### ISO 26262 defines

- Processes to follow
- Hardware/software performance to achieve
- Safety documentation to produce
- Software tools compliance process



# CONFERENCE AND EXHIBITION

"Absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical and/or electronic systems" (ISO 26262)



# ASIA Determination Example—ISO 26262

ED STATE

For illustration purposes only





FIT gets distributed from the item to each of the elements © Accellera Systems

Initiative







### **ASIL Hardware Metrics**

| ASIL | Failure Rate | SPFM         | LFM          |
|------|--------------|--------------|--------------|
| А    | < 1000 FIT   | Not relevant | Not Relevant |
| В    | < 100 FIT    | > 90%        | > 60%        |
| С    | < 100 FIT    | > 97%        | > 80%        |
| D    | < 10 FIT     | > 99%        | > 90%        |

- FIT Failure In Time (1 Failure / 10<sup>9</sup> hours)
  - PMHF Probalbilistic Metric for Random HW failures
- SPFM Single Point Fault Metric
- LFM Latent Fault Metric



# Functional Safety Life Cycle Main Tasks

• Silicon provider is asked to execute five main activates to implement a Functional Safety life cycle in light of the hardware random capability.

| Life Cycle            | Selection of ISO26262 Process Requirements and tailoring of the development process for the specific SoC ( <b>Safety Manger</b> ). |
|-----------------------|------------------------------------------------------------------------------------------------------------------------------------|
| Safety Concept        | Assumed Safety Requirements definition for the HW component for the Development of the SoC ( <b>Safety Architect</b> )             |
| Safety Analysis       | Safety Analysis: FMEA/FMEDA/DFA (Safety Engineer)                                                                                  |
| Metrics Computation   | Compute Hardware Architecture Metrics (SPFM, LFM), PMHF based on the defined Safety Concept (Safety Engineer)                      |
| Reviews/Confirmations | Perform applicable Verification Reviews, Confirmation Reviews, Safety Audit and Assessment ( <b>Auditor</b> )                      |

• Safety Manager is the person in charge to define and track the Functional Safety process, define the work products, define the template documentation and execute internal reviews

# **ISO26262**—Functional Safety Principles

### Systematic Failures

(e.g., software bug)

- Addressed by processes (planning, traceability, documentation, specs, ...)
- Strictness of processes are dependent on the ASIL level

### **Random Failures**

(e.g., component malfunction, noise injection)

- Considers permanent failure and transient effects
- Includes safety mechanisms design and integration to handle faults
- Demonstrated by calculations of Reliability/verification of failure rates
- Failure rates and diagnostic coverage requirement depend on ASIL



#### © Accellera Systems Initiative

#### 2018 DESIGN AND VERIFICATION CONFERENCE AND EXHIBITION UNITED STATES

## **Functional Safety Metrics**

- Target metrics values according to ASIL (Automotive Safety Integrity Level)
- Architectural Matrices (measured in %)
  - **SPFM**: Single Point Fault Metrics

The single point fault metric reveals whether or not the coverage by the safety mechanisms (i.e. the **DC**), to prevent risk from single point faults in the hardware architecture, is sufficient. Single point faults are faults in an element that leads directly to the violation of a safety goal  $\rightarrow$  SPFM high means that the set of Safety Mechanisms have high capacity to cover dangerous faults, resulting in high DC.

- LFM: Latent Fault Metrics

The latent fault metric reveals whether or not the coverage by the safety mechanisms, to prevent risk from latent faults in the hardware architecture, is sufficient. Latent faults are multiple-point faults whose presence are not detected by a safety mechanism. Latent faults become dangerous when a second faults appears and it will be not detected due to the latent fault previously occurred  $\rightarrow$  LFM high means that the set of Safety Mechanism have high capability to cover multiple faults (multiple = 2) scenario.



## **Functional Safety Metrics**

- Absolute Metrics
  - **PMHF**: Probabilistic Metric for (Random) Hardware Failures

Is the sum of the single point, residual and multipoint fault metrics. Is expressed in  $FITs \rightarrow PMHF$  low means a low probability that the SoC, including its safety mechanisms, fails without any detection. It is measured in FIT: 1FIT = probability that one failure occur in 10^9 hours. It represents the probability to violate the safety goal

#### 2018 DESIGN AND VERIFICATION CONFERENCE AND EXHIBITION UNITED STATES

## **Work Products and Documentations**

 List of the most relevant documents to be produced during a Functional Safety Development and to be used during an assessment

| Work Products                        | Content                                                                                                               | ISO26262 References              |
|--------------------------------------|-----------------------------------------------------------------------------------------------------------------------|----------------------------------|
|                                      | Company realted process quality standards, product life cyle, product responsibilities, tools qualificaiton, project  |                                  |
| Safety Plan                          | activities plan,                                                                                                      | ISO 26262-2:2018, 6.4.3.9        |
|                                      | Process to control that work products can be uniquely identified and reproduced in a controlled manner at any time,   |                                  |
| Configuration Management Plan        | e.g. bugs tracking and documentation                                                                                  | ISO 26262-8:2018                 |
| Change Management Plan               | Process to changes to safety-related work products throughout the safety lifecycle, impact analysis, revisioning,     | ISO 26262-8:2018                 |
|                                      | Design and safety mechanisms requirements compliant with technical safety report and system requirements              |                                  |
| Safety Requirements                  | (traceable)                                                                                                           | ISO 26262-5:2018, Clause 6       |
| Requirements traceability report     | Show the traceability backward ans forward of the requirements.                                                       | ISO 26262-5:2018 - 7.4.2.5       |
| HW Design Verification Plan          | Descripition of the techniques and masures to avoid systematic capability: the pass and fail criteria for the         | ISO 26262-11:2018, 5.1.9 - table |
|                                      | verification, the metrics; the verification environment; the tools used for verification; the regression strategy.    | 30                               |
|                                      |                                                                                                                       | ISO 26262-8:2018, Clause 9       |
|                                      |                                                                                                                       | ISO 26262-5:2018, 7.4.4 table3   |
| HW Design Verification Report        | Results of the verification measures (typcally metrics driven verification), derogation,                              | ISO 26262-8:2018, Clause 9       |
| Safety Analysis Report               | FMEA, FMEDA. Safety scope description, Base failure rate calculation, Fault models applied, Analysis assumptions,     |                                  |
|                                      | Analysis results , Fault injection strategy (how to execute the measures, which WL, sampling,, expert Judgment        | ISO 26262-9:2018, Clause 8       |
|                                      | evidences ,                                                                                                           | ISO 26262-11, 4.6                |
| Analysis of Dependent Failure report | DFA analysis, assumption, adopted measures and results                                                                | ISO 26262-9:2018, Clause 7       |
|                                      | Confirmation reviews of: saftey plan, safety analysis, software tool criteria evaluation report, completeness of the  |                                  |
| Confirmations Measure Reports        | safety case,                                                                                                          | ISO 26262-2:2018, Table 1        |
|                                      | Applied Safety Life Cycle, safety goal, safety scope, AoU description, fault models, Safety Mech. Description, Safety | ISO 26262-11, 4.5.4.9            |
| Safety Manual                        | results summary,                                                                                                      |                                  |

|                   | C Rar       | Failure                                                      | Mode   | e           | Safe  | e Fra | ction    |         |          | Diag     | g. Co | ov.      | HW S     | Safety   | у Ме<br>`\ | echanisn      | n     |               |
|-------------------|-------------|--------------------------------------------------------------|--------|-------------|-------|-------|----------|---------|----------|----------|-------|----------|----------|----------|------------|---------------|-------|---------------|
|                   | / IP        | Subpart                                                      | Failu  | ıre Ra<br>∖ | ite   | Fa    | ilure    | Mode    | e Dist   | tributi  | on    |          |          |          |            |               |       |               |
|                   |             | SETTINGS                                                     |        |             | SPFMp |       | 59,9     | 97%     |          | SPFMt    |       | 52,7     | 6%       |          |            |               |       |               |
| FIT/gates         | 1,20E-05    | NAND2                                                        | 1      |             | LFM   |       | not cal  | oulated |          |          |       |          |          |          |            |               |       |               |
| FI//gates         | 1,64E-03    | FLIP FLOP                                                    | 8      |             |       |       |          |         |          |          |       |          |          |          |            |               |       |               |
|                   |             |                                                              |        |             |       | F     | PERMANEN |         |          |          |       | TRANSIEN |          | 2.1.4    |            |               |       |               |
| PART              | SUBPAFT     | Fall are Mode                                                | #Gates | #Flops      | Λp ,  | Sp %  | λpd      | λps     | Apd %    | ٨t       | St %  | λtd      | ts       | Atd %    | DCp        | SMp           | DCt   | SMit          |
|                   | BUS_ITF     | a fault in the AHB interface                                 | 836    | 23          | 0,010 | 0,26  | 0,007447 | 0,00262 | 100,00%  | 0,039099 | 40%   | 0,023459 | 0,015639 | 100,00%  | 30%        | E2E           | 30%   | E2E           |
|                   | DECODEF     | Incorrect instruction Flow caused by                         | 326    | 9           | 0,004 | 0,01  | 0,003885 | 0,00004 | 100,00%  | 0,015298 | 15%   | 0,013003 | 0,002295 | 100,00%  | 60%        | CTRL FLOW, WD | 60%   | CTRL FLOW, WD |
|                   | VIC         | Un-intended execution/not executed                           | 1/1    | 4           | 0.002 | 0.26  | 0.001256 | 0.00044 | 100.00%  | 0.006793 | 40%   | 0.004076 | 0.002717 | 100.00%  | 60%        |               | 60%   |               |
|                   | VIQ         | interrupt request                                            | 141    | 4           | 0,002 | 0,20  | 0,001230 | 0,00044 | 100,0078 | 0,000793 | 40 /8 | 0,004070 | 0,002717 | 100,00 % | 0078       |               | 00 /8 |               |
|                   |             | fault in the register bank shadow                            |        |             | 0,010 | 0,01  | 0,017041 | 0,00010 | 20,13%   | 0,000700 | 15%   | 0,050252 | 0,010156 | 10,010(  | 60%        | PARITY        | 60%   | PARITY        |
|                   |             | ncorrect Instruction Result caused                           |        |             | 0,009 | 0,01  | 0,008998 | 0,00009 | 10,15%   | 0,035685 | 15%   | 0,030332 | 0,005353 | 10,14%   | 90%        |               | 90%   | 1             |
|                   | $\Lambda$ / | ncorrect Instruction Result caused                           |        |             | 0.002 | 0.01  | 0.002220 | 0.00002 | 2 51%    | 0.008508 | 15%   | 0.007232 | 0.001276 | 2 12%    | 90%        | HW REDUNDANT  | 90%   | HW REDUNDANT  |
| CPU               | ALJ         | by a fault in the adder                                      | 7465   | 206         | 0,002 | 0,01  | 0,002223 | 0,00002 | 2,5170   | 0,000300 | 1570  | 0,007232 | 0,001270 | 2,4270   | 3078       | RANGE CHK     | 3078  | RANGE CHK     |
|                   |             | by a fault in the divider                                    |        |             | 0,002 | 0,01  | 0,001256 | 0,00035 | 1,42%    | 0,006779 | 15%   | 0,005763 | 0,001017 | 1,93%    | 90%        |               | 90%   | 1             |
|                   |             | Corrupt data or value caused by a fault in the register bank |        |             | 0,030 | 0,01  | 0,029329 | 0,00030 | 33,09%   | 0,115579 | 15%   | 0,098242 | 0,017337 | 32,85%   | 95%        | STL           | 0%    | - 1           |
|                   | $\sim$      | Incorrect Instruction Flow caused by                         |        |             | 0.020 | 0.01  | 0.028084 | 0.00020 | 32 70%   | 0 115570 | 15%   | 0.008242 | 0.017337 | 32 85%   | 40%        |               | 40%   |               |
|                   |             | a fault the pipeline controller                              |        |             | 0,023 | 0,01  | 0,020304 | 0,00029 | 32,7078  | 0,113379 | 1070  | 0,030242 | 0,017557 | 02,0070  | 4070       | OTAL LEOW, WD | 4070  |               |
|                   |             | a fault the branch logic (Wrong                              |        |             | 0,001 | 0,01  | 0,001025 | 0,00001 | 5,35%    | 0,003422 | 15%   | 0,002908 | 0,015639 | 0,04574  | 25%        | STL, WD       | 15%   | WD            |
|                   | FETCH       | Branch Prediction)                                           | 1606   | 44          |       |       |          |         |          |          |       |          |          |          |            |               |       |               |
|                   |             | a fault the fetch logic                                      |        |             | 0,018 | 0,01  | 0,018115 | 0,00018 | 94,65%   | 0,071387 | 15%   | 0,060679 | 0,015639 | 0,95426  | 19%        | STL           | 0%    | -             |
|                   |             |                                                              |        |             |       |       |          |         |          |          |       |          |          |          |            |               |       |               |
| $\mathbf{X}$      |             |                                                              |        |             |       |       |          |         |          |          |       |          |          |          |            |               |       |               |
| $\mathbf{\nabla}$ |             | _                                                            |        |             |       |       |          |         |          |          |       |          |          |          |            |               |       |               |
|                   |             |                                                              |        |             |       |       |          |         |          |          |       |          |          |          |            |               |       |               |
| BUS               |             |                                                              |        |             |       |       |          |         |          |          |       |          |          |          |            |               |       |               |
|                   |             |                                                              | 10374  | 286         |       |       | 0.120364 | 0.00452 |          |          |       | 0.403188 | 0.104706 |          |            |               |       |               |

A SM can cover more the one FMs

One FM can be covered by multiple SMs

© Accellera Systems Initiative



## **FMEDA Analysis**

- User defines the FMEDA Hierarchy starting from design requirements
- Part and Subpart are not one by one with the physical implementation



FMEDA Hierarchy

Design Hierarchy: from requirements

| CO | re         | _      |               |                  |
|----|------------|--------|---------------|------------------|
|    | bus_if     | dec_hi | dec_lo        | vic_int vic_ctrl |
|    | alu        |        |               | fsm pipe         |
|    |            |        |               | fatah unit       |
|    | branch_fsr | n      | branch_buffer |                  |



## **FMEDA Analysis**

 User provides textual description of the FMs (for every subpart) figured-out during the failure functional analysis
 FM definition: comes from a cause-effect user

| ID | PART | SUBPART | Failure Mode                                                                            |
|----|------|---------|-----------------------------------------------------------------------------------------|
| 1  |      | BUS_ITF | Wrong Data Transaction caused by a fault in the AHB interface                           |
| 2  |      | DECODER | Incorrect Instruction Flow caused by a fault the decode logic                           |
| 3  | ſ    | VIC     | Un-intended execution/not executed interrupt                                            |
| 4  |      |         | Corrupt data or value caused by a fault in the register bank shadow                     |
| 5  |      |         | Incorrect Instruction Result caused by a fault in the multiplier                        |
| 6  | CPU  | ΔΗΗ     | Incorrect Instruction Result caused by a fault in the adder                             |
| 7  |      |         | Incorrect Instruction Result caused by a fault in the divider                           |
| 8  |      |         | Corrupt data or value caused by a fault in the register bank                            |
| 9  |      |         | Incorrect Instruction Flow caused by a fault the pipeline controller                    |
| 10 | L    | FETCH   | Heterrect Instruction Flow caused by a fault the branch logic (Wrong Branch Prediction) |
| 11 |      |         | Incorrect Instruction Flow caused by a fault the fetch logic                            |

**FM definition**: comes from a cause-effect user analysis starting from specs or RTL



FM4: "Corrupt data or value caused by a fault in the register bank shadow"

#### e.g. The ALU function has six different way to fail





## **FMEDA Validation**

• **FM mapping** is performed by the user associating FMs (defined into the FMEDA) to Design Instances (hierarchical full path name)

#### CPU core bus if vic int vic ctrl dec hi dec lo alu reg\_banks \_FM10 add reg\_bank fsm\_pipe reg shadow mul fetch\_unit branch buffer branch fsm

#### MODULES **DES INFO** #flops Not Stuctural #gates bus if 810 21 295 dec 12 vic int 70 2 vic ctrl 50 6 20 reg shadow 1650 add 1100 40 mul 1200 60 div 1500 80 60 reg bank 2240 fsm pipe 2320 73 branch fsm 98 4 branch buffer 1420 35 tot 12753 413

#### Design Hierarchy: instances full path names



### **FMEDA** Validation

- Before executing the fault injection campaigns an FMEDA Plan shall be finalized
- The FMEDA validation is executed on a FM basis, meaning that a specific fault campaign is executed for every FM.
- The user supplies, still on a FM basis, observation points and detection points according to the verification requirements supplied by the safety engineer





- When the SoC complexity grows a modular approach is required to initiate an FMEDA and execute its validation
- An FMEDA team based approach should be also supported to allow splitting the job among different teams, enabling an IP-based methodology
- IP could be provided from 3<sup>rd</sup> party IP provider and will come with it's own FMEDA



### Functional Safety Methodology





| Requirements Traceability        |
|----------------------------------|
| Verification and Safety Planning |



## **Build a Holistic Solution**

- Integrate Safety Mechanisms to reduce the FIT
- Positive testing (functional verification)
  - Verify proper functionality prior to safety verification
- Negative testing (assess diagnostic capability):
  - Targeted tests to confirm failure mode assumptions
  - -Statistical tests to ensure design function integrity
  - Transient faults testing to provide evidence safety mechanisms integrity

# Build Chips for Safe Autonomous Automobiles

| Current Need | <ul> <li>A dedicated functional safety verification methodology and process for these safety-critical IPs and SoCs</li> <li>Safety analysis in semiconductor such as fault injection, fault metrics, base failure rate estimation, interfaces within distributed developments, handling of Hardware Intellectual Property (IP)</li> </ul> |
|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|              |                                                                                                                                                                                                                                                                                                                                           |
| Methodology  | <ul> <li>Holistic methodology which combines analytical methodologies such as FMEDA with<br/>dynamic fault simulation and formal analysis based methodologies to significantly<br/>reduce the safety verification effort and achieve faster product certification</li> </ul>                                                              |
|              |                                                                                                                                                                                                                                                                                                                                           |
| Metrics      | <ul> <li>ISO26262 recommends single point fault metric (SPFM) and Latent Fault Metric (LFM) for the component (IP and SoCs)</li> <li>Will be measured for each of the identified Safety Goals associated with the safety critical modules within the IPs and/or SoCs.</li> </ul>                                                          |
|              |                                                                                                                                                                                                                                                                                                                                           |

### **Safety Verification Challenges and More**

#### **Failure Mode Definition**

CONFERENCE /

Safety Mechanism Design

Fault Campaign Planning

**Safety Requirement Traceability** 

Fault Set (+Optimization) Execution

**Verification Environment Re-use** 

**Multiple Engines Support** 

Link to FMEDA (Metrics Calculation)

**Tool Confidence Level (TCL)** 

© Accellera Systems Initiative

### ADAS SoC Example







### **Safety Verification Methodology**

2018 DESIGN AND VERIFICATION





### **Safety Verification Solution**



2018

DESIGN AND VERIFICA

- Unified functional + safety verification flow and engines
- Integrated fault campaign management across formal, simulation, and emulation
- Common fault results database unifies diagnostic coverage
- Proven requirements traceability, enabling FMEDA integration



### Example Design and FMEDA



# **Safety Mechanisms in Ethernet IP**





### **GEM Block – FMEDA Analysis**

| Block or<br>Subblock | λ [FIT] | Failure Mode                                                   | FM<br>Distribution | Effect Description of FM                                                                                                                           | SM Implemented                     |
|----------------------|---------|----------------------------------------------------------------|--------------------|----------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|
| TSU                  | 0.0719  | Fault in TSU compare<br>pulse                                  | 0.9%               | TSU compare interrupt is incorrect                                                                                                                 | Compare logic is duplicated        |
| TSU                  | 0.0719  | Fault in TSU seconds<br>increment pulse                        | 0.9%               | The TSU seconds interrupt is<br>incorrect                                                                                                          | Interrupt logic is duplicated      |
| TSU                  | 0.0719  | Fault in generation of the TSU strobe pulse to the registers   | 0.9%               | The timer value may not be captured or captured incorrectly                                                                                        | Strobe Pulse Logic is duplicated   |
| TSU                  | 0.0719  | Fault in TSU timer output value                                | 97.3%              | TX/RX timestamp is corrupted, output<br>TSU timer value to local system will<br>be invalid, Timer value read back in<br>registers is also invalid. | Timer logic is duplicated          |
| Registers            | 0.3013  | Fault in static<br>configuration outputs from<br>the registers | 95%                | Unpredictable behavior of IP                                                                                                                       | Parity generation<br>and detection |

### **Ethernet IP – GEM Block**



© Accellera Systems Initiative

2018

DESIGN AND VERIFICATION"

CONFERENCE AND EXHIBITION



| Block or<br>Subblock | λ [FIT] | Failure Mode                                                 | FM Distribution | DC Number Estimated | DC Number<br>Achieved |
|----------------------|---------|--------------------------------------------------------------|-----------------|---------------------|-----------------------|
| TSU                  | 0.0719  | Fault in TSU compare pulse                                   | 0.9%            | 95%                 | 96%                   |
| TSU                  | 0.0719  | Fault in TSU seconds increment pulse                         | 0.9%            | 95%                 | 98%                   |
| TSU                  | 0.0719  | Fault in generation of the TSU strobe pulse to the registers | 0.9%            | 95%                 | 78%                   |
| TSU                  | 0.0719  | Fault in TSU timer output value                              | 97.3%           | 95%                 | 100%                  |
| Registers            | 0.3013  | Fault in static configuration outputs from the registers     | 95%             | 90%                 | 92.5%                 |











## **GEM Block Diagram – SM View**



### **EXAMPLE EM Block Diagram – Fault Campaign view**



FO and CO Strobe List

## **ISO26262 Compliant Fault Classification**

2018 DESIGN AND VERIFICATION

CONFERENCE AND EXHIBITION



formal analysis to justify the expert judgment

### **Demo Setup and Run the VNC**

PRE

RUN

Live Run

**Description** 5 Failure modes for the demo showcasing the solution and automation capabilities

- fm\_tsu\_comp\_pulse Fault in TSU comp pulse show cases the ranking capability and undetected faults as SM is not implemented
- fm\_tsu\_tmr\_op\_val Fault in TSU timer Output value show cases the ranking capability and detected faults as SM is implemented
- fm\_tsu\_sec\_incr Fault in TSU seconds increment pulse run campaign for the module TSU

2018

RENCE AND EXHIBITION

DESIGN AND VERIFIC

- fm\_tsu\_tmr\_op\_val Fault in generation of the TSU strobe pulse to the registers run campaign for the module TSU
- fm\_tsu\_tmr\_op\_val\_samp Fault in generation of the TSU strobe pulse to the registers run campaign for the module TSU

| Block or<br>Subblock | λ [FIT] | Failure Mode                                                 | FM<br>Distribution | Effect Description of FM                                                                                                                  | SM Implemented                  |
|----------------------|---------|--------------------------------------------------------------|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------|
| TSU                  | 0.0719  | Fault in TSU compare pulse                                   | 0.9%               | TSU compare interrupt is incorrect                                                                                                        | Incomplete                      |
| TSU                  | 0.0719  | Fault in TSU seconds increment pulse                         | 0.9%               | The TSU seconds interrupt is incorrect                                                                                                    | Incomplete                      |
| TSU                  | 0.0719  | Fault in generation of the TSU strobe pulse to the registers | 0.9%               | The timer value may not be captured or captured incorrectly                                                                               | Incomplete                      |
| TSU                  | 0.0719  | Fault in TSU timer output value                              | 97.3%              | TX/RX timestamp is corrupted, output TSU timer value to local system will be invalid, Timer value read back in registers is also invalid. | Timer is duplicated             |
| Registers            | 0.3013  | Fault in static configuration outputs from the registers     | 95%                | Unpredictable behavior of IP                                                                                                              | Parity generation and detection |

# Fault Campaign Executor - Interface



### Inputs: FMEDA info

- Fault List
  - Definition of the faults to be injected
- Strobe List
  - Definition of the observation points

### **Inputs: FS Verification Engineer**

- Test List
  - Tests to be used during the campaign
- Campaign Configuration:
  - Define the campaign parameters

### **Outputs:**

- Annotated Fault List
  - Fault classification is back annotated
- Reports
  - Various kind according to the use case

### Fault Campaign Executor - Interface



- Test selection
  - Execute the user defined list of tests

### Good Simulation

- Fault instrumentation
- Generate strobe data for each selected test

### Fault Simulation Setup

 Prepare fault simulation including static and dynamic (formal) fault set optimization

### Fault Simulation Execution

- Simulate each fault with the selected tests

| Campaign Execution: Statist                                                           |                                                                                     | aign Rer                                                                           | orts - Abstract                    |
|---------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------|------------------------------------------------------------------------------------|------------------------------------|
| Report Generation Date:<br>Tool Version<br>FAULT_CAMPAIGN_NAME<br>FAULT_CAMPAIGN_TYPE | : 2018/02/06 12:49:11<br>: XFS<br>: fs_gem_demo_tmr_op<br>: permanent.              | val                                                                                | Safe Faults by Formal              |
| FS_TC_CALC                                                                            | : pessimistic (PD fat                                                               | ults considered U faults)                                                          |                                    |
| Fault analyzed                                                                        | faults                                                                              | prime faults                                                                       |                                    |
| nr faults<br>nr faults untestable<br>nr faults testable                               | [F]:       964 [100.03         [UT]:       336 [34.93         [T]:       628 [65.13 | \$]       964 [100.0%]         \$]       336 [34.9%]         \$]       628 [65.1%] |                                    |
| Faultsim Execution Statisti                                                           | cs                                                                                  |                                                                                    |                                    |
| sampling factor<br>(100% means no sampling)                                           | : 100%                                                                              |                                                                                    |                                    |
| nr faults selected for <u>faultsi</u>                                                 | m: 628                                                                              | 21                                                                                 |                                    |
| nr faults tono<br>nr faults processed<br>nr faultsim runs                             | : 628 [100.0]<br>: 1661                                                             | o]<br>}]                                                                           |                                    |
| nr faultsim runs / fault                                                              | : 2.64                                                                              |                                                                                    |                                    |
| Sampling options                                                                      |                                                                                     |                                                                                    | Possibly need to improve work load |
| Sampled Fault Type<br>Sampling Seed                                                   | : SA0+SA1<br>:                                                                      |                                                                                    |                                    |
| Sampling Percentage                                                                   | : 100                                                                               |                                                                                    |                                    |
| Sampled Number<br>Sampling Scope                                                      | :<br>: testable                                                                     |                                                                                    |                                    |
| Fault Classification (dual                                                            | strobe)                                                                             |                                                                                    | Detected Faults                    |
| nr faults UNKNOWN<br>nr faults UNDETECTED                                             | [UK]: 36 [ 3.7<br>[U]: 0 [ 0.0                                                      | \$]       36 [ 3.7%]         \$]       0 [ 0.0%]                                   |                                    |
| nr faults DETECTED                                                                    | [D]: 592 [ 61.4                                                                     | \$] 592 [ 01.48]                                                                   | Test Coverage = (D/(D+U))          |
| <br>Toggle Coverage %                                                                 | : 41.53012642255185                                                                 |                                                                                    |                                    |
| Test Coverage                                                                         |                                                                                     |                                                                                    |                                    |
| Coverage                                                                              | : 1.0                                                                               |                                                                                    | Fault Coverage = (D/(D+U+UT))      |
| Fault Coverage                                                                        | : 0.63793105                                                                        |                                                                                    |                                    |

| 2040                        | Campa                  | lian Rep                                         | orts - Abstract               |
|-----------------------------|------------------------|--------------------------------------------------|-------------------------------|
| Campaign Execution: Sta     | tistics and Data       | · <b>3</b> · · · · · · · · · · · · · · · · · · · |                               |
| Report Generation Date:     | : 2018/02/07 05:50:09  |                                                  |                               |
| Tool Version                | : XFS                  |                                                  |                               |
| FAULT_CAMPAIGN_NAME         | : fs_gem_demo_tmr_op_v | al_ser_net                                       |                               |
| FAULT CAMPAIGN TYPE         | : permanent            |                                                  |                               |
| FS_TC_CALC                  | : pessimistic (PD faul | ts considered U faults)                          |                               |
| Fault analyzed              | faults                 | prime faults                                     |                               |
| ng faults                   | [F] : 16170 [100.0%]   | 9499 [100.0%]                                    |                               |
| ng faults untestable        | [UT] : 1049 [ 6.5%]    | 551 [ 5.8%]                                      | Sampled Fault Processed       |
| ng faults testable          | [T] : 15121 [ 93.5%]   | 8948 [ 94.2%]                                    |                               |
| Faultzim Execution Stat     | istics                 |                                                  |                               |
| sampling factor             | : 5%                   |                                                  |                               |
| (100% means no sampling)    |                        |                                                  |                               |
| nr faults selected for faul | tsim : 8948            |                                                  |                               |
| nr faults todo              | : 8501 [ 95.0%]        |                                                  |                               |
| nr faults processed         | : 447 [ 4.0%]          |                                                  |                               |
| nr faultsim runs            | : 1062                 |                                                  |                               |
| ng faultsim runs / fault    | : 2.38                 |                                                  |                               |
| Sampling options            |                        |                                                  |                               |
| Sampled Fault Type          | : sa0+sa1              |                                                  |                               |
| Sampling Seed               | :                      |                                                  |                               |
| Sampling Percentage         | : 5                    |                                                  |                               |
| Sampled Number              | :                      |                                                  |                               |
| Sampling Scope              | : testable_prime       |                                                  |                               |
| Fault Classification (d     | ual strobe)            |                                                  |                               |
| ng faults UNKNOWN           | [UK]: 197 [ 1.2%]      | 197 [ 2.1 <del>8</del> ]                         |                               |
| nr faults UNDETECTED        | [U]: 0 [ 0.0%]         | 0 [ 0.0%]                                        |                               |
| RE faults DETECTED          | [D]: 250 [ 1.5%]       | 250 [ 2.6%]                                      |                               |
| Work Load Qualification     |                        |                                                  | Test Coverage = (D/(D+U))     |
| Toggle Coverage %           | : 15.051711726986445   |                                                  |                               |
| Test Coverage               |                        |                                                  |                               |
| Test Coverage               | : 1.0                  |                                                  |                               |
| Fault Coverage              | : 0.19245574           |                                                  | Fault Coverage = (D/(D+U+UT)) |









- Autonomous cars are coming and 'Mind-Off' driving is expected to be real by the mid 2020s
- ISO 26262 is the automotive standard that defines the processes to follow, the performance level for hardware and software performance and the compliance process
- A systematic analysis technique such as the FMEDA is essential for meeting ISO 26262 metrics
- The complexity of ADAS SoCs requires a new holistic approach to functional verification and functional safety
  - Functional safety and functional verification are complementary problems
- A multi-engine automated solution is required to meet ASIL certification goals in a timely manner.



### Questions

# cādence®

www.cadence.com/automotive



# **DVCon Slide Guidelines**

- Use Arial or Helvetica font for slide text
- Use Courier-new or Courier font for code
- First-order bullets should be 24 to 28 point
  - Second-order bullets should be 24 to 26 point
    - Third-order bullets should be 22 to 24 point
    - Code should be at least 18 point
- Your presentation will be shown in a very large room
  - These font guidelines will help ensure everyone can read you slides!





### **Code and Notes**



Informational boxes should be 18pt Arial-bold, or larger (using a background color is optional)