Designing safe cars - meeting ISO-26262 functionas safety requirements

Designing Safe Automotive Chips
How to ensure your semiconductor design meets ISO-
26262 functional safety requirements
Amir Rahat
VP R&D, Optima Design Automation
1

Automotive Is A Pot Of Gold
...but it is guarded by a dragon
Pictures source: Flickr, pixabay, businesspundit.com
2Amir Rahat, Optima Design Automation Ltd
© All rights reserved
© Accellera Systems Initiative
10/19/2016

(1)SIA Factbook (2)MarketsandMarkets publication (3)IDC publication
$50 B
10.4%
10.4% of global semiconductor
sales in 2014(1)
8% CAGRSegment is expected to grow at four
times the pace of the overall market
with a CAGR of 8% through 2020(2)
$50 Billion by 2022(3)
3 10/19/2016
Amir Rahat, Optima Design Automation Ltd

Or, Look At It This Way
4
1.25 million
deaths in 2015
94% of
crashes
can be tied to a human choice or error
Sources: WHO, NHTSA© Accellera Systems Initiative
10/19/2016

One FIT equals one
failure per billion (109)
hours (once in about
114,155 years)
Safety is a
must-have
requirement
Targets measured in FIT
(usually much less than 100)
5 10/19/2016
...but it is guarded by a dragon
Pictures source: pixabay, flickr, freestockphotos

6
One FIT =
If an average car lasts 10 years, it means one failure,
in one car, out of every 10,000 cars
10/19/2016

ISO 26262 “Road vehicles — Functional safety”
Published 2011. New revision planned for 2018, draft to be published soon
How to Achieve Functional Safety?
• Why follow the ISO-26262 Standard?
– Required by OEM’s, hence Tier-1, etc., for all chips in a car
– Addresses the legal requirement for state of the art safety
– Accepted by other standard bodies as the basis for safety
– Endorsed by the community of practitioners
10/19/20167

ISO 26262 “Road vehicles — Functional safety”
Published 2011. New revision planned for 2018, draft to be published soon
How to Achieve Functional Safety?
Our focus today
Safety relates to several activities:
• Bug prevention – safety from designer errors (26262)
• By using proper design & validation methodologies
• Security – safety from malicious humans
• SAE J3061 “Recommended Practice Cybersecurity Guidebook
• Proper design – safety from unimaginative design
• “Safety of the intended Functionality” future ISO-PAS
• Fault resilience – safety from naturally-occurring faults (26262)
• By ensuring the product will be able to withstand nature
10/19/20168

The Two Types Of Naturally-Occurring
Faults
Pictures source: shutterstock (licensed), intechopen, jes.ecsdl.org
9 10/19/2016
Soft Error/Transient Fault
Bit flip Hard Error/Permanent Fault

Types Of Naturally-Occurring Faults
Soft Error/Transient Fault Bit flip
• Mechanism: cosmic radiation
flips a register logic value of
• Effect: The register stays flipped
until a new value is set
• Detection: requires redundancy
• Prevention of harm:
– Hardening, e.g. more
capacitance
– Redundancy: 2X, 3X, 9X
Hard Error/Permanent Fault
• Mechanism: unexpected damage
e.g. due to environment (heat,
vibrations, dust)
• Effect: the failure is permanent
• Detection: frequent self-testing
• Prevention of harm:
– Graceful degradation
– Redundancy: 2X, 3X, 9X
10 10/19/2016Amir Rahat, Optima Design Automation Ltd

Pictures source: CNN, EEtimes

In
Out
Err
In
Out
Error Corrected
Majority
Gate
Dual Error
In
Out
Error Corrected
Majority
Gate
Dual Error
TMR of imp. 1
TMR of imp. 2
TMR of imp. 3
• 2X = DMR = lockstep
• Single error detection
• No correction capability
• >2X the costs
• 3X = TMR
• Single error correction
• Dual error detection (if > single bit)
• >3X the costs
• 9X = TMR of TMR’s
• Compares 3 implementations
• Protects against design errors, too
• >9X the costs
ProtectionByRedundancy

• Run a test (SW or HW) intermittently
• Compare its results to the expected results
• If the test fails – enter and maintain the safe state
• Probability of error detection depends on:
• Time to detection (=time between intermittent test runs)
• Probability of detecting a fault (=test coverage)
• Measurement of test coverage is required
ProtectionByTest(HEonly)
10/19/2016

Safe Development Process: ISO-26262
Pictures source: ISO-26262
For Random
HW failures
Note: We are only discussing
the safety related parts of the
design, and ignoring other parts

5-6: Specification Of HW Safety
Requirements
Derived from the
technical safety
requirements
allocated to hardware
Include every hardware
requirement that relates
to functional safety
Control, detect and
signal internal or
external failures
Prevent faults from
being latent
Include requirements
beyond Safety
Mechanisms (tolerances
& invariants)
Time-based:
- Fault tolerant time interval
- Fault detection interval
- Fault handling time
Functional safety ensures the product functions as specified
despite HW failures & environmental damage
26262

10/19/2016
Classification of Faults in safety-related HW
16
Can it do any harm?
It is a Safe Fault
(SF, λS)
Is it
detected
?
Is there
a
relevant
SM?
Is it
perceived
by the
driver?
It is a Detected
Fault(λMPF,D)
It is a Single-point
Fault (SPF, λSPF)
Is it
detected
by the
SM?
Is it
perceived
by the
driver?
It is a Residual
Fault (RF, λRF)
It is a Latent Fault
(MPF,L λMPF,L) It is a Perceived
Fault (λMPF,P)
λ = λSPF + λRF + λMPF,D + λMPF,P + λMPF,L + λS
Never By itself
Only with other faults
No
No
No
Yes
Yes
Yes
No
No
Yes
Yes
(SM = Safety
mechanism)
Failure rate (λ) is the frequency with
which an engineered system or
component fails, expressed
in failures per unit of time. (Wikipedia)

Q: How to tell how well we cope with random hardware failures?
5-8: HW Architectural Metrics
– SPFM – Single-point fault metric: 1 - (λSPF + λRF) / λ
• ≥90% for ASIL B, ≥97% for ASIL C, ≥99% for ASIL D
– LFM – Latent-fault metric: 1 - λMPF,L / (λ - λSPF - λRF)
• ≥60% for ASIL B, ≥80% for ASIL C, ≥90% for ASIL D
10/19/201617
A: Using two metrics:
Computed with Diagnostic coverage or estimated

10/19/201618
Can it do any harm?
It is a Safe Fault
(SF, λS)
Is it
detected
?
Is there
a
relevant
SM?
Is it
perceived
by the
driver?
It is a Detected
Fault(λMPF,D)
Fault (SPF, λSPF)
Is it
detected
by the
SM?
Is it
perceived
by the
driver?
It is a Residual
Fault (RF, λRF)
Fault (λMPF,P)
Never By itself
No
No
No
Yes
Yes
Yes
No
No
Yes
Yes
(SM = Safety
mechanism)
SPFM – Single-point fault metric: 1 - (λSPF + λRF) / λ
≥90% for ASIL B, ≥97% for ASIL C, ≥99% for ASIL D 26262

10/19/2016
19
Can it do any harm?
It is a Safe Fault
(SF, λS)
Is it
detected
?
Is there
a
relevant
SM?
Is it
perceived
by the
driver?
It is a Detected
Fault(λMPF,D)
Fault (SPF, λSPF)
Is it
detected
by the
SM?
Is it
perceived
by the
driver?
It is a Residual
Fault (RF, λRF)
Fault (λMPF,P)
Never By itself
No
No
No
Yes
Yes
Yes
No
No
Yes
Yes
(SM = Safety
mechanism)
LFM – Latent-fault metric: 1 - λMPF,L / (λ - λSPF - λRF)
≥60% for ASIL B, ≥80% for ASIL C, ≥90% for ASIL D 26262

5-9: Violations Due To Random HW Failures
Is it
under
the
target?
For every safety goal:
Sum the probabilities of all
faults that can violate it
Safe
Unsafe, must
be fixed
10/19/2016
NoYes
10-8 per hour: ASIL-D
10-7 per hour: ASIL-C/B
26262
20

Automating The 26262 Requirements
• Manage the specification of Safety Requirements
• Automatically scan all the possible faults
• Classify each fault to the correct category
– Allocate the probabilities of the possible outcomes
• Automatically calculate:
– SPFM – Single-point fault metric
– LFM – Latent-fault metric
• Automatically check the probabilities of all goals
21
26262
26262
26262
26262
10/19/2016

Risk Mitigation Options
• Redundancy is the simplest & most expensive option
– Addresses both soft and hard errors
– Costs 2X for problem detection, 3X for problem correction
• Memory banks can be protected by ECC
– Error detection and correction codes
– Standard, off-the-shelf solutions for all tradeoff points
• Soft errors can be mitigated by flop hardening
– Increasing capacitance to lower susceptibility
– Can even implement a single-flop TMR
– Selective hardening: selecting specific flops to harden
• Hard errors can be detected with SW or HW tests
– Disruptive tests (based on Manufacturing tests) are easy
– Functional tests are harder but do not require reboots
10/19/201622Amir Rahat, Optima Design Automation Ltd

How Does Selective Hardening Work?
Flop name Sensitivity
User Decision
on flop type
Hardened
Silicon cost
Hardened
Power Cost
Hardened
Flop FIT
Derated FIT
Contribution
rx_eq0/frame_end_bytes[0] 100% 4 61 16 0.000001 0.000001
meta[0].meta_sync_single0/out 80% 3 27 7 0.023 0.0184
rx_stats_fifo0/fifo0/ctrl0/wr_gray_meta[2] 55% 3 27 7 0.023 0.01265
rx_stats_fifo0/fifo0/ctrl0/wr_gray_reg[0] 20% 2 23 6 0.19 0.038
rx_eq0/xgxs_rxd_barrel[7] 10% 1 20 5 0.23 0.023
rx_eq0/crc32_d8[12] 0% 1 20 5 0.23 0
Total 21392 5525 6.111366
10/19/201623
Provided by the
simulation
Decided by the
designer
Based on flop
selection & vendor
datasheet
Calculated
Only works with accurate, reliable sensitivity results!
Now, do the tradeoff

24
Protecting The Design From Faults
Memory or
Logic?
Pick appropriate
ECC
Redundancy
OK?
OK to
implement
Pick a redundancy
mechanism
SE or HE?
(can do both)
Focus on registers Focus on all nodes
Need SE selective
hardening
Harden all flops
Pick the right DFT
technique
Create a
functional test
Need HE coverage
metric
Is full hardening
OK?
Disruptive test
OK?
Memory Logic
Too expensiveOK
SE
HE
Unsafe
OKOK
expensive
OK to implement,
but expensive
OK to implement,
but expensive
OK to implement,
but disruptive
10/19/2016

25
What do
you need?
How accurate
should it be?
Guess the
impact (no
way to check)
Guard-band
the results to
account for
errors
Identify ways
to improve
coverage
Guard-band
the results to
account for
errors
Identify ways
to improve
coverage
Simulation*-Based Analysis
Accurately
calculate the
resulting risks
Collect
accurate
coverage data
How accurate
should it be?
Use “expert
opinion” to
select flops to
harden
Partially
simulate and
select flops to
harden
Exhaustively
simulate to
select flops to
harden
Partially
simulate and
get an
indication
Exhaustively
simulate to
measure
coverage
HE Coverage metric
Very
accurate
Sortof
Notvery
Sort of
Very
accurate
* (including Emulation)
SE Selective hardening
Must run 1M flops, 200 errors per flop
(= 200M simulations) in machine-weeks
10/19/2016

Report results
26
Using Fault Simulations
Design (RTL or Gate Level) in a HDL (Verilog or VHDL)
Test environment (test-bench, SW or input values)
Comparator
SE Sensitivity Monitor:
Did the fault impact a safety goal?
Faulty Machine Simulator Good Machine Simulator
HE Coverage Monitor:
Was the fault detected?
SE: Which flop flips and when?
HE: Which node breaks and how?
Fault details
Report results
10/19/2016

27
Using Fault Simulations
Design (RTL or Gate Level) in a HDL (Verilog or VHDL)
Test environment (test-bench, SW or input values)
Comparator
SE Sensitivity Monitor:
Did the fault impact a safety goal?
Faulty Machine Simulator Good Machine Simulator
HE Coverage Monitor:
Was the fault detected?
Fault details
Report results Report results
10/19/2016
Repeat for all
relevant faults

Automating The Full Flow
• Manage the design protection from faults
– Coordinate across all levels of hierarchy & IPs
– Decide the right answer for every design type
• Run and manage millions of faults
– Orders of magnitude faster than regular simulation
• Support all fault models
– Soft-errors
– Multiple models of hard-errors
• Integrate with the 26262-requirements automation
10/19/2016

Alternatives to Simulation
• HW-Based Fault Injection: harassing the fabricated chip
– Heavy ion radiation, electromagnetic interferences, power
supply disturbances, laser fault injections, pin-level probes,
sockets
– Not applicable for HE, so cannot provide a HE coverage metric
– Not applicable for SE Selective hardening
• SW-Based Fault Injection: modifying the software
– Simulate register and memory faults, dropped or replicated
network packets, erroneous error conditions and flags, mis-
timings, replays, faulty disk reads
– Very difficult to apply to HE, so no HE coverage metrics
– Not applicable for SE Selective hardening
10/19/2016

• Optima developed an EDA solution for Soft Errors
– Based on an ultra-fast Fault simulator
• Supports all the automation requirements mentioned
• Runs 200M simulations in machine-weeks - 100% confidence
• Manages the overall design flow
– Follows the optimal safety methodology
– Creates an exhaustive campaign
– Runs it and generates reports
– Enables selective hardening with easy tradeoff what-ifs
– Generates all the 26262 metrics
• The only comprehensive soft-error safety tool available
• Hard Error support to be released soon
Optima’s Soft Error Safety Tool
10/19/2016

Bottom Line: The Work Flow
• To best balance safety and costs, follow this flow:
Specify the HW Safety Requirements
At all design revisions & abstraction levels:
Classify the Faults in the safety-related HW
Compute the HW Architectural Metrics
Optimize the tradeoff between FIT, area and power
10/19/2016

32
To make money
To create Automotive chips
To ensure safety
To follow ISO-26262
To address random HW faults
To get good diagnostic coverage
Low cost protection from faults
High-accuracy analysis
Summary
You Need
You Need
You Need
You Need
You Need
You Need
10/19/2016

Questions?
amir@optima-da.com
10/19/2016
33

Designing safe cars - meeting ISO-26262 functionas safety requirements

Recommended

Recommended

More Related Content

What's hot

What's hot (15)

Similar to Designing safe cars - meeting ISO-26262 functionas safety requirements

Similar to Designing safe cars - meeting ISO-26262 functionas safety requirements (20)

Recently uploaded

Recently uploaded (20)

Designing safe cars - meeting ISO-26262 functionas safety requirements