Functional Safety Solutions for Automotive: FMEDA automation and predictable ISO 26262 compliance

  • Slides: 24

Slide 1: Functional Safety Solutions for Automotive: FMEDA automation and predictable ISO 26262 compliance
Vladislav Palfy, vladislav.palfy@onespin.com

Slide 2-3: IC Integrity

Functionally correct, safe, secure, and trusted SoCs/ASICs/FPGAs.

Diagram: SoC/ASIC/FPGA verification flow (Design, Integration, Implementation) with the three IC Integrity pillars: Functional Correctness, Trust and Security, Safety.

OneSpin provides certified IC Integrity Verification Solutions to develop functionally correct, safe, secure, and trusted integrated circuits.

© 2019 OneSpin Solutions

Slide 4: Introduction to Functional Safety

The objective of functional safety: freedom from unacceptable risk of physical injury or of damage to the health of people, either directly or indirectly.

Functional safety risks
  • Systematic failures
    o Design faults
    o Tool faults
  • Random failures
    o Permanent faults
    o Transient faults

Risk drivers
  • Continuous increase in flow and tool complexity
  • Continuous increase in functionality
  • Increasing density of the design process node
  • Decreasing energy levels

Risk management through functional safety standards
  • Minimize systematic failures
  • Safeguard against random failures

Slide 5: High-Level Safety Flow

Diagram of two parallel flows (the legend marks the steps covered by OneSpin):

Minimize systematic failures
  • Functional Requirements
  • HW Specification
  • Design Implementation
  • Functional Verification
  • Quantification of Verification

Safeguard against random failures
  • Safety Requirements/Goals
  • HW Safety Specification
  • HW Safety Analysis
  • Safety Mechanism Implementation
  • Verification of the Safety Mechanism
  • Diagnostic Coverage Determination
  • Evaluation of Hardware Metrics

Slide 6: OneSpin FMEDA Methodology Overview

ISO 26262 compliant flow (ISO 26262 work products in regards to random hardware failures):
  Safety Goals -> HW Safety Analysis -> Diagnostic Coverage Determination -> Evaluation of Hardware Metrics

Slide 7: Top Down and Bottom Up Safety Analysis

Example chain (deductive top-down analysis reads downward, inductive bottom-up analysis reads upward):
  Safety Goal: No unintended inflation of airbag, ASIL C/D
  Failure Mode: Wrong value from CPU
  Failure: 4+4=4
  Fault: Stuck-At 0 on bit reg[2]

Slide 8-10: Hardware Safety Analysis: Failure Mode Contribution Analysis (FCA) App

Flow position: Safety Goals -> HW Safety Analysis -> Diagnostic Coverage Determination -> Evaluation of Hardware Metrics

The Safety Engineer analyzes the failure modes causing safety goal violations (Safety Goal -> Failure Mode -> Fault, mapped onto the Hardware Design). But which failure mode can be caused by which fault? And which Safety Mechanisms are in place?

The FCA App runs a structural HW safety analysis by linking failures to faults (failure mode distribution). This is a deductive (top down) analysis validated by an automated inductive coherency check.

  • Automated failure mode distribution reduces engineering effort.
  • Precise fault allocation minimizes/eliminates fault simulation.

Slide 11: FCA Example: FIFO with ECC Protection

Diagram: FIFO built from encode, data FFs, decode and control blocks; signals clk/rst, read, write, data, rd_data, rd_error, rd_corrected, full, empty.

FCA results with diagnostic coverage estimation:

  Sub part         Area / Failure Mode Distribution   State Count   Fault Count   Diagnostic Coverage
  storage          151.2                              72            1024          100%
  control          32.3                               8             434           0%
  clk/rst-tree     0.7                                0             28            0%
  active-encode    4.4                                0             52            ?%
  active-decode    9.55                               0             126           ?%
  passive-decode   10.73                              0             130           ?%

Slide 12: Hardware Safety Analysis Overview

ISO 26262 compliant flow (ISO 26262 work products in regards to random hardware failures):
  Safety Goals -> HW Safety Analysis -> Diagnostic Coverage Determination -> Evaluation of Hardware Metrics

Automated design analysis is a key factor for efficient analysis of random hardware failures.

Slide 13-15: Diagnostic Coverage Determination: Fault Propagation and Detection Analysis (FPA/FDA) Apps

Flow position: Safety Goals -> HW Safety Analysis -> Diagnostic Coverage Determination -> Evaluation of Hardware Metrics

How many faults are covered by safety mechanisms? How many of the faults in the safety-related hardware element cannot violate the safety goal (Safe Fault Fraction)?

  • Expert judgment of diagnostic coverage leverages precise FCA fault allocation.
  • When expert judgment cannot be applied, the FDA App determines the diagnostic coverage, or fault simulation is applied.
  • The FPA App automates safe fault extraction based on assumptions of use.

  • Safe fault extraction eliminates manual fault analysis.
  • Automated diagnostic coverage determination does not require a testbench and can replace fault simulation.

Slide 16: Fault Detection Analysis App Flow: Diagnostic coverage without simulation

Diagram: RTL / Netlist, Fault List and Input Constraints feed the FDA App; faults are injected into the design (encode, FFs, decode, control) and into the safety mechanisms (SMs); outcomes are judged at Observation Points and Diagnostic Points; the output is the FDA Fault Classification Report/DB.

Fault classification:
  • Detected (multipoint): fault can propagate to at least one observation point and the alarm is asserted
  • Non-detected (residual): fault can propagate to at least one observation point and the alarm is NOT asserted
  • Non-propagated (safe or latent): fault does not propagate to observation points
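The three classification rules on this slide, applied to a small constructed circuit as an added example (this is not OneSpin's FDA App and not code from the deck). The circuit is an assumed 4-bit register whose stored parity bit is re-checked at read time, which plays the role of the safety mechanism; the node names d*, p, q*, alarm, the stuck-at fault model and the unchecked output stage q* are all assumptions. Where the app would use formal analysis to decide whether a fault can reach an observation point, this example simply evaluates every input value.

```python
"""Stuck-at fault classification for a parity-protected register.

Added example, not OneSpin's FDA App. A fault is 'detected' if it can reach the
observation point (rd_data) with the alarm asserted, 'residual' if it can reach
rd_data without the alarm, and 'non-propagated' if it never reaches rd_data.
Circuit, node names and fault list are constructed for illustration.
"""
WIDTH = 4
# Fault sites (assumed): storage bits d*, stored parity bit p, the output
# stage q* that the checker does not cover, and the alarm net of the SM itself.
NODES = ([f"d{i}" for i in range(WIDTH)] + ["p"] +
         [f"q{i}" for i in range(WIDTH)] + ["alarm"])


def parity(bits):
    return sum(bits) % 2


def circuit(data_in, fault=None):
    """Evaluate one write/read of the register.
    `fault` is (node, stuck_value) or None. Returns (rd_data, alarm)."""
    node, val = fault if fault else (None, None)

    def sa(name, value):  # apply the stuck-at fault if it sits on this node
        return val if name == node else value

    in_bits = [(data_in >> i) & 1 for i in range(WIDTH)]
    stored = [sa(f"d{i}", b) for i, b in enumerate(in_bits)]   # data FFs
    stored_p = sa("p", parity(in_bits))                          # parity FF (encode)
    alarm = sa("alarm", int(parity(stored) != stored_p))         # checker (decode) -> diagnostic point
    out = [sa(f"q{i}", b) for i, b in enumerate(stored)]         # output stage, not covered by the SM
    rd_data = sum(b << i for i, b in enumerate(out))             # observation point
    return rd_data, alarm


def classify(fault):
    """Apply the slide's three rules to one fault over all input values."""
    propagated = False
    alarm_on_every_propagation = True
    for v in range(1 << WIDTH):
        golden, _ = circuit(v)
        rd_data, alarm = circuit(v, fault)
        if rd_data != golden:        # fault reached the observation point
            propagated = True
            if not alarm:
                alarm_on_every_propagation = False
    if not propagated:
        return "non-propagated"      # safe, or latent when the fault sits in the SM
    return "detected" if alarm_on_every_propagation else "residual"


def fault_list():
    return [(n, s) for n in NODES for s in (0, 1)]


def classify_all():
    return {f: classify(f) for f in fault_list()}


def diagnostic_coverage(results):
    """Counts per class and the share of propagating faults the SM flags."""
    counts = {c: sum(1 for r in results.values() if r == c)
              for c in ("detected", "residual", "non-propagated")}
    propagating = counts["detected"] + counts["residual"]
    return counts, (counts["detected"] / propagating if propagating else 1.0)


if __name__ == "__main__":
    results = classify_all()
    for (node, stuck), cls in results.items():
        print(f"{node:>5} stuck-at-{stuck}: {cls}")
    counts, dc = diagnostic_coverage(results)
    print(counts, f"DC = {dc:.0%}")
```

Faults on the storage bits are caught by the parity check and come out detected; faults on the stored parity bit or on the alarm net never alter rd_data and are non-propagated (the alarm-net faults are the latent kind, since they disable the mechanism itself); faults on the uncovered output stage corrupt rd_data silently and are residual, which is exactly the class that hurts the diagnostic coverage figure.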

Slide 17: FDA Example: FIFO with ECC Protection

Diagram: the same FIFO as on slide 11 (encode, data FFs, decode, control; signals clk/rst, read, write, data, rd_data, rd_error, rd_corrected, full, empty).

Measuring diagnostic coverage for each sub-part:

  Sub part         Area / Failure Mode Distribution   State Count   Fault Count   Diagnostic Coverage
  mem-data         151.2                              72            1024          100%
  control          32.3                               8             434           0%
  clk/rst-tree     0.7                                0             28            0%
  active-encode    4.4                                0             52            100%
  active-decode    9.55                               0             126           75%
  passive-decode   10.73                              0             130           24%

Slide 18: OneSpin FMEDA Methodology Overview

ISO 26262 compliant flow (ISO 26262 work products in regards to random hardware failures):
  Safety Goals -> HW Safety Analysis -> Diagnostic Coverage Determination -> Evaluation of Hardware Metrics

Automated design analysis is a key factor for efficient analysis of random hardware failures.

Slide 19-21: Evaluation of Hardware Metrics: Hardware Metric Computation (HMC) App

Flow position: Safety Goals -> HW Safety Analysis -> Diagnostic Coverage Determination -> Evaluation of Hardware Metrics

Which metrics must be produced to achieve ISO 26262 compliance?
  • Single-Point Fault Metric (SPFM): reflects the robustness of the component with respect to safety goal violation by individual faults
  • Latent Fault Metric (LFM): reflects the robustness of the component with respect to safety goal violation by multiple-point faults (faults in safety mechanism and function)
  • Probabilistic Metric for Random Hardware Failures (PMHF): residual risk of the safety architecture, measured in Failures in Time (FIT)

The HMC App enables full-chip, multi-user, early estimation of the hardware metrics and of compliance as soon as data from FCA and the Diagnostic Coverage Determination becomes available. No expert-level ISO 26262 knowledge is required, and it avoids spreadsheet madness.

Slide 22: Hardware Metric Calculation Example

Web technology enables a different use model.
  • Calculates hardware metrics: SPFM, LFM, PMHF
  • Supports layering: Estimation layer, FCA layer
  • Client/Server architecture: multi-user, single DB
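How SPFM and LFM fall out of a failure-mode distribution plus per-sub-part diagnostic coverage, as an added example (not the HMC App and not code from the deck). The sub-part names, relative areas and residual-fault diagnostic coverage values are taken from the FIFO-with-ECC table; the element's total failure rate TOTAL_FIT, the safe-fault fractions and the latent-fault coverage values are constructed assumptions, since the deck does not give them. The formulas are the SPFM and LFM definitions of ISO 26262-5, and the ASIL thresholds are the SPFM/LFM targets from that part of the standard.

```python
"""SPFM and LFM from a failure-mode distribution and diagnostic coverage.

Added example, not OneSpin's HMC App. Areas and residual-fault DC come from
the deck's FIFO-with-ECC table; TOTAL_FIT, safe_frac and dc_lat are assumed
values for illustration. SPFM = 1 - sum(lambda_SPF + lambda_RF) / sum(lambda);
LFM = 1 - sum(lambda_MPF,latent) / sum(lambda - lambda_SPF - lambda_RF).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SubPart:
    name: str
    area: float       # relative area; drives the failure-mode distribution
    dc_rf: float      # diagnostic coverage w.r.t. residual faults (0..1), from the table
    safe_frac: float  # fraction of faults that cannot violate the safety goal (assumed)
    dc_lat: float     # diagnostic coverage w.r.t. latent multi-point faults (assumed)


TOTAL_FIT = 50.0  # assumed base failure rate of the whole FIFO element, in FIT

# Areas and residual-fault DC from the deck's table; the last two columns are assumptions.
FIFO_SUBPARTS = [
    SubPart("mem-data",       151.20, 1.00, 0.00, 0.90),
    SubPart("control",         32.30, 0.00, 0.30, 0.00),
    SubPart("clk/rst-tree",     0.70, 0.00, 0.00, 0.00),
    SubPart("active-encode",    4.40, 1.00, 0.00, 0.90),
    SubPart("active-decode",    9.55, 0.75, 0.10, 0.90),
    SubPart("passive-decode",  10.73, 0.24, 0.50, 0.50),
]

# ISO 26262-5 targets: (minimum SPFM, minimum LFM) per ASIL.
ASIL_TARGETS = {"B": (0.90, 0.60), "C": (0.97, 0.80), "D": (0.99, 0.90)}


def distribute_fit(parts, total_fit):
    """Failure-mode distribution: split the element's FIT by relative area."""
    total_area = sum(p.area for p in parts)
    return {p.name: total_fit * p.area / total_area for p in parts}


def compute_metrics(parts, total_fit):
    lam = distribute_fit(parts, total_fit)
    sum_lam = sum(lam.values())
    sum_spf_rf = 0.0   # single-point + residual failure rate
    sum_mpf_lat = 0.0  # latent multi-point failure rate
    for p in parts:
        not_safe = lam[p.name] * (1.0 - p.safe_frac)
        # Not-safe faults the safety mechanism misses violate the goal directly;
        # a sub-part with no mechanism (dc_rf = 0) contributes all of them.
        residual = not_safe * (1.0 - p.dc_rf)
        # Faults the mechanism does cover are multi-point faults; the share not
        # revealed by latent-fault detection stays latent.
        latent = (not_safe - residual) * (1.0 - p.dc_lat)
        sum_spf_rf += residual
        sum_mpf_lat += latent
    spfm = 1.0 - sum_spf_rf / sum_lam
    lfm = 1.0 - sum_mpf_lat / (sum_lam - sum_spf_rf)
    return {"SPFM": spfm, "LFM": lfm,
            "spf_rf_fit": sum_spf_rf, "mpf_latent_fit": sum_mpf_lat}


def asil_target_met(metrics, asil):
    spfm_min, lfm_min = ASIL_TARGETS[asil]
    return metrics["SPFM"] >= spfm_min and metrics["LFM"] >= lfm_min


if __name__ == "__main__":
    m = compute_metrics(FIFO_SUBPARTS, TOTAL_FIT)
    print(f"SPFM = {m['SPFM']:.4f}  LFM = {m['LFM']:.4f}  "
          f"SPF+RF = {m['spf_rf_fit']:.3f} FIT  latent MPF = {m['mpf_latent_fit']:.3f} FIT")
    for asil in ("B", "C", "D"):
        print(f"ASIL {asil} SPFM/LFM targets met: {asil_target_met(m, asil)}")
```

With these assumed inputs the control sub-part, which carries about 15% of the failure rate with 0% diagnostic coverage, alone pulls SPFM below the ASIL B threshold even though LFM is comfortable; that is the kind of early, per-sub-part view the estimation layer is meant to give before fault simulation results exist.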

Slide 23: OneSpin FMEDA Methodology Summary

ISO 26262 compliant flow (ISO 26262 work products in regards to random hardware failures):
  Safety Goals -> FMEDA (HW Safety Analysis -> Diagnostic Coverage Determination -> Evaluation of Hardware Metrics)

Automated FMEDA flow for predictable ISO 26262 compliance
  • Reduce fault simulation
  • Reduce/eliminate manual analysis
  • Implement a repeatable, reusable and robust flow

Slide 24: Thank You!