Reducing subjectivity and errors when performing functional safety analysis.
SoCs targeting automotive applications are required to meet certain safety and quality standards as described in ISO 26262. A quantitative approach to safety analysis involves performing Failure Mode Effects and Diagnostic Analysis (FMEDA). FMEDA is a systematic quantitative analysis technique to obtain subsystem/product level failure rates, failure modes and diagnostic capabilities of systematic faults. Among the things FMEDA considers for each component of a design are the failure modes of that component and the effect of each failure mode on the product functionality; the relative weight of those failure modes is measured by the Failure Mode Distribution (FMD).
The FMD is normally entered into the FMEDA as an estimated value. This is acceptable for ASIL A/B, but ISO 26262 requires a quantified analysis for traceability, especially for ASIL C/D.
The Failure Mode Distribution (FMD) is the percentage of area relative to a block in a design that could cause a failure.
When several failure modes exist in a hardware subpart, it is necessary to determine how much each of them contributes to that distribution. There are many ways to fill in the FMD data in an FMEDA. Some are qualitative approaches, such as:
Whichever approach is used, the failure modes of a hardware subpart must eventually add up to 100% of the contribution. The same distribution needs to be done for the failure modes within every hardware subpart.
The qualitative results have limitations, including:
While qualitative analysis is still acceptable to safety assessors in an ASIL-B scenario, the confidence level in its results is not high.
An automated approach addresses the limitations of the qualitative approach. A tool can automatically take actual design data through a static structural analysis and do a quantitative analysis of the Failure Mode Distribution. The key here is to identify the right logic cells that fit into the Failure Mode cone.
The idea is to specify an observation point, i.e. the output impacted by each failure mode. The logic is then back-traced through its interconnections all the way to the inputs, passing through timing stop points such as flops, ports, and hierarchy boundaries rather than stopping at them. The result of this back-tracing is the Cone of Influence (COI) for that failure mode. Once the cone is identified, so are the cells within it, and the sum of the areas of those cells is the area of the cone. Comparing the areas of the cones of the different failure modes then yields the FMD for that hardware subpart.
Fig. 1: Cone of Influence examples.
This approach offers the following advantages when compared to a manual non-tool-based flow to ascertain the Cone of Influence (COI):
The accuracy of the FMD can influence the overall SPFM / LFM metrics and thus the ASIL rating, especially where the margins for ASIL-C/D are small. A quantitative result with evidence of the analysis is mandatory for ASIL-C/D scenarios.
Synopsys TestMAX FuSa uses a static analysis approach to accurately calculate the FMD for a design or portion of a design.
For the FMD analysis, the user specifies the observation point(s) specific to a failure mode. The tool back-traces the logic to carve out a Cone of Influence (COI) all the way to the design’s inputs, transcending the timing stop points like flops, ports, and any sub-hierarchies (if present). The areas of all the cells within a COI are added up to form the area contribution for that failure mode. This is then relatively distributed across the various failure modes.
Fig. 2: Using static analysis and observability calculation to propagate backward from an observation point.
After the analysis is done, the FMD is reported as the COI for the observation points of each failure mode, for both transient and permanent errors. TestMAX FuSa can report a gate-based or an area-based COI metric.
For the gate-based approach, the gate count is used to compute the COI metrics. This can be applied to RTL designs, and can also be used when the area information is missing in a netlist design.
The area-based approach uses the cell area to compute the COI metrics. This is possible for netlist designs where the area information is available in the Liberty file (.lib).
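The following is an added example of the back-tracing and relative-distribution calculation described above, written for this article and not code from TestMAX FuSa; it assumes a constructed toy netlist in which each cell records its area and its driver cells, and shows both the gate-based and the area-based COI metric.

```python
from collections import deque

# Constructed toy netlist (not a real design): cell -> (area in um^2, driver cells).
# Primary inputs have no drivers and zero area. Flops (dff*) are ordinary nodes:
# the back-trace deliberately passes through them instead of stopping there.
NETLIST = {
    "in_a": (0.0, []), "in_b": (0.0, []), "in_c": (0.0, []),
    "and1": (1.2, ["in_a", "in_b"]),
    "dff1": (4.5, ["and1"]),
    "inv1": (0.6, ["in_c"]),
    "or1": (1.4, ["dff1", "inv1"]),
    "dff2": (4.5, ["or1"]),
    "xor1": (2.0, ["in_c", "dff1"]),
}
# Constructed failure modes of one hardware subpart, each mapped to the
# observation point (output) that it corrupts.
FAILURE_MODES = {"data_output_corrupted": ["dff2"], "status_flag_corrupted": ["xor1"]}

def cone_of_influence(netlist, observation_point):
    """Back-trace from an observation point to the primary inputs; returns the set
    of cells in the cone. The visited set also stops traversal on feedback loops."""
    cone, todo = set(), deque([observation_point])
    while todo:
        cell = todo.popleft()
        if cell not in cone:
            cone.add(cell)
            todo.extend(netlist[cell][1])
    return cone

def cone_metric(netlist, cone, metric):
    """Cone size as gate count (RTL, or netlist without .lib area) or cell area."""
    if metric == "gate":
        return sum(1 for c in cone if netlist[c][1])  # primary inputs are not gates
    if metric == "area":
        return sum(netlist[c][0] for c in cone)
    raise ValueError(f"unknown metric {metric!r}")

def failure_mode_distribution(netlist, failure_modes, metric="area"):
    """FMD in percent: each failure mode's cone metric relative to the sum over all
    failure modes. A cell shared by several cones contributes to each of them."""
    per_mode = {}
    for name, points in failure_modes.items():
        cone = set().union(*(cone_of_influence(netlist, p) for p in points))
        per_mode[name] = cone_metric(netlist, cone, metric)
    total = sum(per_mode.values())
    if total == 0:
        raise ValueError("no logic found in any failure mode cone")
    return {name: 100.0 * v / total for name, v in per_mode.items()}
```

With this netlist the gate-based metric gives 62.5% / 37.5% and the area-based metric about 61.3% / 38.7%, which illustrates why the two metrics can rank the same cones differently when cell areas vary.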
Fig. 3: TestMAX FuSa reports Gate or Area based COI metric.
To summarize, an automated tool-based approach to obtaining the FMD with Synopsys TestMAX FuSa saves time, reduces subjectivity, reduces errors, and provides data reports for traceability.