25 - 26 September, 2019

Radisson Blu Bengaluru

Bangalore, India

Event Details

MP Associates, Inc.
THURSDAY September 26, 11:30am - 1:00pm | Arabica
EVENT TYPE: REGULAR SESSION
SESSION 2
Design & Functional Safety
Chair:
Pankaj Singh - Cadence Design Systems, Inc.
While the tools and methodology for ISO 26262 functional safety verification of digital designs have matured, the overall effort remains complex and time consuming, especially at the higher ASIL levels. The traditional approach relies on simulation-based safety verification.
Formal tools can be used not only for systematic faults but also for random hardware fault verification. The presentations in this session propose a hybrid approach that combines simulation and formal analysis to reach the desired functional safety verification goals efficiently. Besides safety verification, the session also covers the challenges involved in designing a response tracking system, which is needed in SoCs where complex IP interactions require protocol conversion.

2.1 High Frequency Response Tracking System Micro-Architecture
In order to meet higher performance targets and to keep track of ordering, every data transfer protocol used in an SoC has its own rules and features, and the implementation of these features differs extensively among protocols. There is thus a need to develop bridges that convert from one protocol to another. To reformat responses in the way required by the requester, such a bridge has to store some attributes of the incoming transaction; hence the design needs a response tracker for this purpose. This paper discusses the complexities involved in the high-frequency design of such a tracker.
 Speaker: Sateesh Vadlamuri - Intel Corp.
 Authors: Sateesh Vadlamuri - Intel Corp.
Gopalakrishnan Sridhar - Intel Corp.
2.2 Formal Assisted Fault Campaign for ISO26262 Certification
With the ever-increasing number of electrical and electronic (E/E) components in modern automobiles, safety is becoming a key requirement. Part 5 of ISO 26262 specifies the requirements for product development at the hardware level for automotive applications. The necessary activities and processes for product development at the hardware level include:
- the hardware implementation of the technical safety concept;
- the analysis of potential hardware faults and their effects; and
- the coordination with software development.
This paper essentially deals with "the analysis of potential hardware faults and their effects". Diagnostic coverage is the quantitative measure of the effectiveness of a safety mechanism, defined as the proportion of faults observed or diagnosed by the safety mechanism. In the conventional approach to fault analysis, faults are injected into the design and observed at observation or diagnostic points using fault simulation until the diagnostic coverage required by the target ASIL is reached. This approach suffers from the difficulty of identifying or generating test patterns that excite the injected faults and propagate them to the diagnostic points, leading to lower diagnostic coverage. At the start of the simulation cycle progress is generally linear, but simulation tests soon hit a limit where results diminish until a plateau is reached and the gains become negligible with the passage of time. Safety engineers then spend days or sometimes weeks manually analyzing the design and writing test patterns for the faults that remain untested, either because they are not controlled or because they are not detected. This paper proposes a hybrid formal approach to target the faults left out by simulation, or to take up faults upfront before simulation, and so aid in achieving the desired diagnostic coverage.

Formal functional safety analysis, or FuSa as we call it, essentially performs the following analysis:
1) Structural observability. All faults that lie outside the logic cone, or cone of influence (COI), of the union of the observation points can never be detected at the observation points. They can safely be marked untestable and hence excluded from the simulation bucket.
2) Formal observability. Can a fault cause the faulty design to behave differently from the good design? If so, the fault is observable and hence not safe. If not, the fault is not observable and can be marked untestable.
The result of the above analysis can be fed back to the simulation environment. Formal analysis:
1) helps boost diagnostic coverage to attain the assigned ASIL requirements;
2) reduces manual effort, saving many man-hours;
3) helps meet time to market (TTM) with the appropriate ISO certification.
Fault analysis is generally done on subsystem- or SoC-level designs, and the number of faults targeted is of the order of a few hundred thousand to millions. Formal conventionally does not scale well to such large problems. This paper also proposes a methodology with which one can avoid hitting formal capacity limitations and achieve a high ROI on formal verification effort. Since the problem at hand is safety analysis, blackboxing or stubbing out portions of the design to handle capacity is not recommended, as it can result in false positives. Specific techniques are needed to simplify the problem statement for functional safety applications. The following are the proposed methodologies:
1) intelligent blackboxing;
2) fault universe reduction;
3) design reduction.
Intelligent blackboxing is a proposed methodology in which complex design elements are stubbed out under safe assumptions.

In the fault universe reduction approach, the following methodology could reduce the number of faults targeted together:
1) Reduction based on fault location type. A fault location type can be a port, register, wire or array. One could choose to target these fault types individually instead of all of them together.
2) Reduction based on fault location. Another way to reduce the targeted fault universe is to analyze the current diagnostic coverage and select blocks based on one, or a combination, of the following recommendations:
a. blocks having the least diagnostic coverage;
b. blocks that are the most safety critical;
c. blocks close to the observation points.
The design reduction proposal aims at reducing the design state space by adding new observation points, harvesting the low-hanging fruit early while spending more time on the hard problems.

Related Work: Formal Verification of Safety Mechanisms
The purpose of a safety mechanism in the design is to detect untoward behaviour due to faults of any type. The effectiveness of a safety mechanism is assessed by its diagnostic coverage, and the effort to close diagnostic coverage is directly proportional to the amount of logic under the safety mechanism. Using simulation, determining which faults are safe and which are dangerous with respect to the safety mechanism is a long pole in terms of effort and time. Leveraging formal verification, we tried a safety mechanism that is the basis of many IPs and data paths. By employing formal in safety applications, we got excellent results. Formal gave deterministic results to mark faults as safe or dangerous. We tried it on IPs with a million faults and, after intelligent blackboxing, observed that formal deterministically classified 67% of the faults as safe, thus saving our effort many times over. Employing formal methods helped us channel manual effort in the direction where the ROI was maximum.

Summary
A formal assisted fault campaign with the correct methodology can help achieve the desired diagnostic coverage with less manual effort, saving numerous man-hours.
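The two observability analyses described in this abstract, as an added example that is not the paper's code or any Synopsys tool's API: structural pruning by cone of influence, followed by a good-versus-faulty comparison at the observation points for the faults that survive. The gate-level netlist, the stuck-at-0/1 fault model, the single observation point `out`, and the use of exhaustive input enumeration as a stand-in for a formal engine are all assumptions of this example; the netlist is constructed so that one net (`dbg`) is outside the COI and one piece of redundant logic (`a AND NOT a`) carries a fault that is inside the COI yet provably unobservable.

```python
"""Structural and formal observability of stuck-at faults on a tiny netlist.

Added illustration: the netlist, the stuck-at fault model and the exhaustive
enumeration used in place of a formal engine are assumptions of this example,
not the paper's methodology or any tool's API.
"""
from itertools import product

# Constructed gate-level netlist: net -> (gate, input nets).
# Primary inputs have no entry; evaluation is recursive, so order is irrelevant.
NETLIST = {
    "n1": ("AND", ["a", "b"]),
    "n2": ("OR", ["c", "d"]),
    "n3": ("XOR", ["n1", "n2"]),
    "na_inv": ("NOT", ["a"]),
    "n5": ("AND", ["a", "na_inv"]),   # a AND NOT a: constant 0 (redundant logic)
    "out": ("OR", ["n3", "n5"]),       # the only observation point
    "dbg": ("AND", ["c", "d"]),        # drives nothing observed: outside the COI
}
PRIMARY_INPUTS = ["a", "b", "c", "d"]
OBSERVATION_POINTS = ["out"]

GATES = {
    "AND": lambda ins: int(all(ins)),
    "OR": lambda ins: int(any(ins)),
    "XOR": lambda ins: sum(ins) % 2,
    "NOT": lambda ins: 1 - ins[0],
}


def cone_of_influence(netlist, observation_points):
    """Transitive fan-in of the union of the observation points (backward DFS)."""
    coi, stack = set(), list(observation_points)
    while stack:
        net = stack.pop()
        if net in coi:
            continue
        coi.add(net)
        if net in netlist:                 # primary inputs have no drivers
            stack.extend(netlist[net][1])
    return coi


def evaluate(netlist, inputs, fault=None):
    """Evaluate every net for one input vector; fault=(net, stuck_value)
    overrides that net wherever it is read (stuck-at model)."""
    values = dict(inputs)

    def val(net):
        if fault is not None and net == fault[0]:
            return fault[1]
        if net not in values:
            gate, ins = netlist[net]
            values[net] = GATES[gate]([val(i) for i in ins])
        return values[net]

    return {net: val(net) for net in netlist}


def fault_universe(netlist, primary_inputs):
    """Stuck-at-0 and stuck-at-1 on every port and internal wire."""
    return [(net, sv) for net in list(primary_inputs) + list(netlist) for sv in (0, 1)]


def classify_faults(netlist, primary_inputs, observation_points):
    """Step 1: faults outside the COI are structurally unobservable.
    Step 2: for the rest, ask whether ANY input vector makes the faulty design
    differ from the good design at an observation point. Exhaustive enumeration
    is complete for this combinational toy; a real flow hands these to formal."""
    coi = cone_of_influence(netlist, observation_points)
    vectors = [dict(zip(primary_inputs, bits))
               for bits in product((0, 1), repeat=len(primary_inputs))]
    golden = [evaluate(netlist, v) for v in vectors]
    verdict = {}
    for fault in fault_universe(netlist, primary_inputs):
        if fault[0] not in coi:
            verdict[fault] = "structurally_unobservable"
            continue
        differs = any(
            evaluate(netlist, v, fault)[op] != good[op]
            for v, good in zip(vectors, golden) for op in observation_points)
        verdict[fault] = "observable" if differs else "formally_unobservable"
    return verdict


def summarize(verdict):
    """Counts per class; only 'observable' faults go back to the simulation bucket."""
    counts = {}
    for cls in verdict.values():
        counts[cls] = counts.get(cls, 0) + 1
    return counts


if __name__ == "__main__":
    result = classify_faults(NETLIST, PRIMARY_INPUTS, OBSERVATION_POINTS)
    for fault, cls in sorted(result.items()):
        print(f"{fault[0]:>7} stuck-at-{fault[1]}: {cls}")
    print(summarize(result))
```

Of the 22 faults, the two on `dbg` never enter the simulation bucket because no path leads to `out`, and the stuck-at-0 faults on `n5` and `na_inv` are dropped only by the second step: they sit inside the COI, yet no input vector can distinguish the faulty design from the good one. Everything else is handed to simulation (or to a formal engine in the real flow) to show that the safety mechanism detects it.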
 Speaker: Nitin Ahuja - Synopsys India Pvt. Ltd.
 Authors: Nitin Ahuja - Synopsys India Pvt. Ltd.
Sandeep Jana - Synopsys India Pvt. Ltd.
Mayank Agarwal - NXP Semiconductors
2.3 Assisting Fault Injection Simulations for Functional Safety Signoff using Formal
With formal verification now part of routine design verification practice, it is essential to draw more value from it beyond exercising assertions and bug hunting. One such area is functional safety verification. This paper discusses the formal techniques that can be used to assist fault injection simulations for functional safety signoff.
 Speaker: Pulicharla Ravindrareddy - Analog Devices, Inc.
 Author: Pulicharla Ravindrareddy - Analog Devices, Inc.