A Safety Verification Methodology For Automotive Semiconductors

The traditional safety analysis approach based on spreadsheets cannot scale to handle modern SoC complexity.


By Alessandra Nardi (Synopsys), Teo Cupaiuolo (Synopsys), and Liu Min (SGS-TÜV Saar)

Functional safety has been a long-standing requirement for many electronics applications, including implanted medical devices, space-borne systems, and nuclear power plants. The widespread use of advanced driver assistance systems (ADAS) and the advent of self-driving vehicles have added automotive chips to the list of safety-critical designs. Functional safety is required throughout the entire supply chain, from semiconductor design houses and electronic design automation (EDA) tool providers to automobile manufacturers.

Functional safety engineers analysing complex semiconductors must identify the thousands of ways in which a design might fail, known as failure modes (FMs), and the root cause of each. Doing this manually for a complex design is extremely time-consuming, and the traditional spreadsheet-based approach is error-prone and unproductive when measured against the requirements of the relevant standards.

Two safety standards apply: IEC 61508, the generic functional safety standard for electrical/electronic/programmable electronic systems, and ISO 26262, its automotive adaptation for electrical and/or electronic systems installed in road vehicles. The safety lifecycle defined in ISO 26262 requires numerous processes and methods to reach the targets for systematic safety capability, and it recommends state-of-the-art, certified EDA technologies for requirements engineering, architectural modelling, verification, and implementation.

For system-on-chip (SoC) automotive designs targeting ISO 26262 certification, a certified functional safety assessor must be involved in the safety planning stage. The assessor provides guidance on the overall methodology adopted for Failure Modes, Effects and Diagnostic Analysis (FMEDA) and on the tools used during the development cycle. At a minimum, advanced FMEDA analysis tools should enable:

  • Safety methodology leveraging certified tools to provide scalability to the SoC level
  • Simultaneous contributions from multiple engineers working toward the same safety goals over a common database across the chip development cycle
  • The ability to incrementally track FMEDA across the entire design flow
  • Importing safety requirements from project and requirement management tools

The key role of these processes within the functional safety lifecycle is definition of the safety analysis goals followed by verification of the system architecture. Developers must provide evidence that the design executes safety-related functions in accordance with the target ASIL (Automotive Safety Integrity Level). Furthermore, the safety analysis must investigate possible causes of systematic and random hardware failures as well as the effects of these failures on functionality.

It is critical to verify that the safety mechanisms detect random hardware faults as they occur during the hardware lifecycle and bring the system to a safe state when a fault occurs. Part of this verification is the calculation of diagnostic coverage (DC): the fraction of a failure mode's failure rate that a safety mechanism detects or controls. The key hardware architectural metrics are SPFM (Single Point Fault Metric) and LFM (Latent Fault Metric). The failure modes and mechanisms that feed them are identified qualitatively by Failure Mode and Effect Analysis (FMEA) and design FMEA (D-FMEA); the metrics themselves are computed quantitatively by FMEDA.

Figure 1 highlights the types of faults that may occur during the semiconductor lifecycle and the associated key safety analysis metrics. Systematic failures are addressed by the qualitative D-FMEA, which investigates their causes. Random failures are addressed by both qualitative FMEA and quantitative FMEDA, performed incrementally and refined over the functional safety development lifecycle as design information becomes available.

Fig. 1: Systematic and random failures with the corresponding safety analysis.

As shown in figure 2, at the beginning of the functional safety lifecycle the qualitative analysis of random failures is based on identifying the ways in which the design could fail. In this phase, only the block diagram is available. Based on it, the functional safety expert partitions the design into a safety hierarchy of parts, sub-parts, and FMs according to its functional description.

As the functional safety lifecycle progresses and the RTL design becomes available, the functional safety expert performs an early FMEDA estimation (quantitative analysis) based on an estimate of the design area. From that area, an initial Base Failure Rate (the rate at which the hardware element fails, typically expressed in FIT, failures per 10^9 hours) is calculated using the corresponding reliability standards (SN 29500, IEC 62380, MIL-HDBK-217) or the company's own database built from operating experience. In this phase the Failure Mode Distribution (FMD), the fraction of a part's failure rate attributed to each of its failure modes, is also established, concentrating the analysis on the most important parts of the circuit.

By the last phase of the functional safety lifecycle, design information is stable, and a gate level netlist is available. At this stage, the functional safety expert iterates the quantitative analysis (signoff) done on the final design, thereby achieving a higher accuracy in terms of base area and Base Failure Rate calculations. Partitioning of the design and definition of failure mode are based on the final design hierarchy.

Fig. 2: Qualitative and quantitative analysis.

In summary, the functional safety expert performs three phases of analysis, each of which constitutes the analysis of the specific failure mode and its “connection” with the corresponding design component (root cause of the failure). The process of connection and calculation of probabilistic values, based essentially on area occupation and technology type, is traditionally manual and complex, and based on a variety of heuristics.
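The arithmetic behind the "connection and calculation of probabilistic values" described above can be made concrete. The following Python is an added example and is not Synopsys VC FSM code or the authors' method: it scales a base failure rate from part area, splits it across failure modes by FMD, applies per-mechanism diagnostic coverage, and computes the SPFM and LFM metrics using the ISO 26262-5 definitions (SPFM = 1 - Σ(λ_SPF + λ_RF)/Σλ; LFM = 1 - Σλ_MPF,L/Σ(λ - λ_SPF - λ_RF)). The parts, areas, FIT/mm² figure and coverage values are all constructed for illustration and do not come from any handbook or real design.

```python
"""Worked FMEDA arithmetic: area-scaled base failure rate per part, failure mode
distribution (FMD), diagnostic coverage per safety mechanism, and the ISO 26262-5
hardware architectural metrics SPFM and LFM.
Added example, not Synopsys VC FSM code; every part, area, FIT/mm2 figure and
coverage value below is constructed for illustration."""
from dataclasses import dataclass
from typing import List

# SPFM / LFM targets from ISO 26262-5 (ASIL A has no required target).
ASIL_TARGETS = {"B": (0.90, 0.60), "C": (0.97, 0.80), "D": (0.99, 0.90)}


@dataclass
class FailureMode:
    name: str
    fmd: float            # failure mode distribution: share of the part's base failure rate
    safe: bool = False    # True if this failure mode cannot violate the safety goal
    dc_spf: float = 0.0   # coverage of the mechanism preventing single-point/residual faults
    dc_lf: float = 0.0    # coverage of the mechanism preventing latent (multiple-point) faults


@dataclass
class Part:
    name: str
    area_mm2: float
    failure_modes: List[FailureMode]


def base_failure_rate_fit(area_mm2: float, fit_per_mm2: float) -> float:
    """Base failure rate in FIT (failures per 1e9 device-hours), scaled from area.
    fit_per_mm2 stands in for the technology-specific figure a reliability
    handbook (SN 29500, IEC 62380, ...) or in-house field data would provide."""
    return area_mm2 * fit_per_mm2


def fmeda(parts: List[Part], fit_per_mm2: float) -> dict:
    """Sum the failure rate classes over all failure modes and compute SPFM and LFM."""
    total = spf_rf = mpf_latent = mpf_detected = safe = 0.0
    for part in parts:
        lam_part = base_failure_rate_fit(part.area_mm2, fit_per_mm2)
        if abs(sum(fm.fmd for fm in part.failure_modes) - 1.0) > 1e-9:
            raise ValueError(f"{part.name}: FMD values must sum to 1")
        for fm in part.failure_modes:
            lam = lam_part * fm.fmd
            total += lam
            if fm.safe:
                safe += lam
                continue
            # Uncovered share: a single-point fault when dc_spf is 0, otherwise a residual fault.
            spf_rf += lam * (1.0 - fm.dc_spf)
            # Covered share becomes a multiple-point fault; it stays latent unless a
            # second mechanism (e.g. a periodic self-test) detects it.
            covered = lam * fm.dc_spf
            mpf_latent += covered * (1.0 - fm.dc_lf)
            mpf_detected += covered * fm.dc_lf
    spfm = 1.0 - spf_rf / total
    lfm = 1.0 - mpf_latent / (total - spf_rf)
    return {"total_fit": total, "spf_rf_fit": spf_rf, "mpf_latent_fit": mpf_latent,
            "mpf_detected_fit": mpf_detected, "safe_fit": safe, "spfm": spfm, "lfm": lfm}


def meets_asil(result: dict, asil: str) -> bool:
    """True if both metrics reach the ISO 26262-5 target for the given ASIL."""
    spfm_target, lfm_target = ASIL_TARGETS[asil]
    return result["spfm"] >= spfm_target and result["lfm"] >= lfm_target


# Constructed safety hierarchy: a lockstep CPU core and an ECC-protected SRAM.
EXAMPLE_PARTS = [
    Part("cpu_core", area_mm2=2.0, failure_modes=[
        FailureMode("wrong_computation", fmd=0.8, dc_spf=0.99, dc_lf=0.90),  # lockstep compare, LBIST
        FailureMode("debug_logic", fmd=0.2, safe=True),                       # no safety-goal impact
    ]),
    Part("sram", area_mm2=1.0, failure_modes=[
        FailureMode("data_corruption", fmd=0.9, dc_spf=0.99, dc_lf=0.80),     # ECC, ECC self-test
        FailureMode("address_decoder", fmd=0.1),                              # no mechanism: single-point
    ]),
]
FIT_PER_MM2 = 10.0  # constructed technology figure, not from any handbook

if __name__ == "__main__":
    r = fmeda(EXAMPLE_PARTS, FIT_PER_MM2)
    print(f"total {r['total_fit']:.2f} FIT, SPFM {r['spfm']:.2%}, LFM {r['lfm']:.2%}")
    for asil in ASIL_TARGETS:
        print(f"ASIL {asil}: {'met' if meets_asil(r, asil) else 'not met'}")
```

On this constructed input the 1 FIT of unprotected address decoder logic costs more SPFM than all the covered CPU and SRAM logic combined, which is why the hierarchy and the per-failure-mode connection to a mechanism matter more than the raw area figures. The same function runs unchanged in the signoff phase once estimated areas are replaced with ones extracted from the gate-level netlist.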

Support from EDA tools in automating these mapping operations is crucial to reduce manual effort and keep errors from being overlooked. Further, seamless compatibility of the functional safety analysis flow with the chip design flow is critical for a shorter time to certification. Lastly, functional safety engineers also require a persistent FMEDA database that provides traceability analysis, access management, auditing, and revision control.

Synopsys VC Functional Safety Manager (FSM) automates functional safety (FuSa) management, displacing the traditional manual approach of spreadsheets or in-house FMEDA analysis solutions that are not integrated with the functional safety verification flow. VC FSM acts as an FMEDA analysis cockpit for driving the entire semiconductor design development for functional safety, encompassing the design exploration and analysis, verification, and implementation phases.

Synopsys VC FSM helps functional safety experts and engineers in five key areas:

  • It is TCL 1 certified by Exida, the world’s leading US-based product certification company in compliance with ISO 26262-8 Section 11, as required by ISO 26262 for verification and implementation tools.
  • It communicates with the major requirement management systems to import the requirements specifications for FMEDA, as required by ISO 26262
  • It is highly scalable with the increasing SoC design complexity, as required for modern automotive designs with high complexity
  • It provides complete automation of the FuSa lifecycle by enabling the exchange of information with verification and implementation technologies, as shown in figure 3
  • This FMEDA analysis technology is also tailored to enable faster ISO 26262 certification and time-to-market in partnership with SGS-TÜV Saar, a world leading testing, inspection and certification company

Fig. 3: Synopsys VC Functional Safety Manager and the unified FuSa verification flow.

Increasing electrification of automobiles and advancements in autonomous driving to reduce emissions and risk are leading to greater complexity of automotive designs. This mandates the FuSa verification methodology to adopt FMEDA automation across the entire design development flow including design verification. The traditional safety analysis approach based on spreadsheets cannot scale to handle modern SoC complexity, including thousands of failure modes.

The usage of Synopsys VC Functional Safety Manager for seamlessly driving the design development during FMEDA analysis and exploration, followed by verification and implementation technologies spanning the whole functional safety lifecycle, helps to simplify the achievement of ISO 26262 certification without any significant increase in turnaround time. A white paper is available with more details.

Teo Cupaiuolo is a staff applications engineer at Synopsys.

Liu Min is a functional safety project manager at SGS-TÜV Saar GmbH.
