# Meeting Functional Safety Requirements Efficiently Via Electronic Design Tools and Techniques

By Philippe Roche, STMicroelectronics, Adam Sherer and Ann Keffer, Cadence

In an intelligent electronic system, unexpected errors can lead to unplanned, unexpected behavior. This can be a potentially dangerous proposition for an automotive manufacturer, as well as a costly occurrence for consumer product developers. Compliance to the latest safety standards can be a laborious, time-consuming process. Fortunately, there are now technologies available that can automate the process of meeting functional safety requirements. This paper examines the Cadence® functional safety solutions, showing how these technologies and tools can help engineers efficiently and effectively create safe, reliable products.

#### Contents

| Contents                                               |
|--------------------------------------------------------|
| Introduction1                                          |
| Why Is Functional Safety Important?2                   |
| What Does Functional Safety Require?2                  |
| Key Safety Standards: IEC 61508 and ISO 262622         |
| What Safety Must Address Today3                        |
| Safety Requirements on the Horizon                     |
| Long Term View of Safety3                              |
| Tools and Technologies that Address Functional Safety4 |
| Summary5                                               |
| References5                                            |
| For Further Information6                               |

#### Introduction

Intelligent electronics are everywhere, from smartphones to automobiles, airplanes, trains, power plants, pacemakers, and even refrigerators. This intelligence fuels powerful products with simple interfaces built on top of sophisticated electronics. However, as design complexity grows, the risk that unexpected errors will lead to unplanned, unexpected behavior also grows. While the risk of personal injury for errors in automotive designs may be obvious, we cannot overlook the risk of financial loss and the damaged image a car manufacturer may experience when an alpha particle causes an unexpected error in a key electronic component, thereby causing a life-threatening incident.

Compliance to safety standards takes considerable effort, from staying up-todate on the latest standard modifications to managing data in various formats and refactoring the verification environment to fit the traditional tool flow. While forgoing safety is clearly not an option, there are technologies available now that automate the process of meeting functional safety requirements, making the process more efficient and effective than before. Efficiency and effectiveness is required in this environment of increasing system complexity.

This paper will discuss design and verification tools that can provide the assurance that systems on chip (SoCs) are functionally safe at the IC and system levels. While functional safety is pertinent to an array of application areas, we will focus our discussion on the automotive space. Automotive applications, guided by a clear set of standards, provide a good illustration of the concerns and requirements around functional safety.

## Why Is Functional Safety Important?

Functional safety refers to the concept that an overall system will remain dependable and function as intended even in the event of an unplanned or unexpected occurrence. Moreover, the system is assured to avoid unacceptable risk of physical injury or damage. For SoCs, especially as we move deeper into the submicrons, susceptibility to errors becomes greater. For example, phenomena that we cannot see—from radiation sources to large magnetic fields and internal wear (common cause failure)—can be highly disruptive to advanced-node SoCs. Imagine the repercussions if the most significant bit flips (single event upset (SEU) in a chip that controls the transmission of the car you're driving down the highway, causing your vehicle to drop into a different gear.

It's not just lives at risk—it could be as simple as a company's damaged brand image. On a more positive note, having a higher degree of safety can differentiate your product, as well as consumers' perceptions of it. As basic design requirements go, dependable design is becoming as critical a criterion as meeting power, performance, and area (PPA) specifications.

#### What Does Functional Safety Require?

The design of safety systems requires redundancy and checkers:

- Redundancy provides multiple processing paths to limit the risk that any one error will upset the system. The
  tradeoff is that redundant systems consume IC area that could otherwise be used for additional functionality, as
  well as increase cost.
- Checkers monitor the systems and trigger error response and recovery features when necessary. While checkers don't consume too much area, they may provide only partial recovery.

Safety engineers must implement requirements tracing from the system to components, and ensure their development flow aligns with the tool confidence level (TCL). Quality measurement involves functional verification at all levels of abstraction and for all system elements, as well as safety verification, which measures response of systems to undesired/unplanned events. Finally, it is important to record and report functional safety measures in order have a verified system.

To achieve safety verification from a process standpoint, safety engineers should able to take their functional verification environment and essentially replay pieces of it while injecting errors (faults) into their system. Redundant logic can "vote" on the correct data to eliminate errors, maintaining continuous operation. Checkers monitor for erroneous data within specified time periods and apply error corrections. As an example, consider the pressure sensors for power windows of cars. When operating correctly, pressure sensors prevent power windows from closing on the fingers of a curious child who is playing with the window's up/down switch. Imagine what might happen if the checker on these sensors samples every five seconds versus every quarter of a second!

## Key Safety Standards: IEC 61508 and ISO 26262

The foundation functional safety standard is IEC 61508, which addresses the assessment and reduction of risk that unexpected errors will lead to unplanned behavior. It defines assessment methods for requirements tracing, functional safety, and TCL, culminating in an audited safety integrity level (SIL, ASIL for automotive). A variety of industrial standards are derived from IEC 61508, including the automotive safety standard, ISO 26262.



Figure 1: Elements of ISO 26262 from a verification perspective

All of these standards have one thing in common—the massive amount of data collection and analysis needed to achieve the safety integrity level. Massive amounts of data can mean tens of person-years in the development cycle for a product line, translating into millions of dollars in added development expense. With an increasing number of OEMs and tier 1 integrators requiring an audited ASIL certificate, the challenge is to find immediate solutions that can evolve as products grow in complexity.

## What Safety Must Address Today

Requirements tracing, functional safety assessment, and TCL for digital designs are the core requirements that must be met today. The design and test teams start by identifying potential safety issues, along with the checking and error correction systems that can detect those faults. Safety requirements are captured in a safety plan that augments the functional verification plan. These metric-driven verification plans monitor sets of metadata through both the functional and safety verification flows. For the functional flow, the metadata includes well-known coverage, test completion, and other metrics using conventional verification flows. While the functional safety flow adds a new technology for fault injection and detection, it must integrate seamlessly with the conventional flows for two critical reasons—efficiency and tool confidence. Safety verification is a complex task so engineering teams must reuse environments already created in the conventional flow. Along these lines, achieving a TCL1 for the flow is dependent on using both a well-known flow and redundant tooling. By fitting the fault injection and requirements tracing within the conventional flow, a TCL1 assessment for the flow is justified.

As simulation provides a means for functional verification of systems, fault injection allows for functional safety assessment by simulating the behavior of the system under various error conditions by momentarily or permanently changing the values seen in a given simulation. Fault models include manufacturing-time stuck-at-0 and stuck-at-1 faults, as well as SEU faults and transient faults that can occur while the ICs are functioning in the system. Fault simulation helps safety verification engineers cover a wide range of possible system malfunctions.

While the TCL assessment is important, the efficiency of fitting in the conventional functional verification flow is equally important. Part of the safety assessment requires fault analysis at the gate level, which can be achieved with a fault injection using a well-proven gate-level simulator. However, temporal faults can require longer simulations with more of the SoC context. This context can include both analog circuits and software, implying the need for mixed-signal and hardware-based verification. Moreover, the gate-level simulation can be exceedingly long, so safety engineers must develop the safety verification at higher levels of abstraction, develop the RTL for the immediate need, and then replay the verification at the gate level as needed for an ISO 26262 audit in the automotive space. Therefore, the fault injection technology and requirements tracing must work well with conventional verification flows.

#### Safety Requirements on the Horizon

While digital functional safety simulation is the critical starting point, it is not sufficient to demonstrate safety only in the complex SoCs being deployed in vehicles. Systems throughout the vehicle, such as the powertrain and chassis systems, require Automotive Safety Integrity Level D (ASIL D) certification and involve digital, analog, design for test (DFT), AUTOSAR-based software components, and design and verification IP.

Functional safety solutions will include analog/mixed-signal verification that matches safety verification for digital, as well as requirements tracing, fault injection, and metrics collection. Doing so will allow both internally developed and commercially accessed design IP and verification IP to be assessed in the complete system. As these systems become increasingly large and dependent on software, hardware-based verification systems will be needed to run enough cycles to inject faults in the running system and measure the combined digital, analog, and software system response.

#### Long Term View of Safety

In the full view, the safety of the vehicle depends on more than the individual ICs. It depends on the interaction of those ICs in the electronic control unit (ECU). This implies that level analysis is needed to develop fault models for board-level signal and power integrity on the traces between the ICs. It also implies that safety monitoring should be designed at higher levels of abstraction, suggesting the need for fault analysis in the earliest phase of design where the modeling is abstracted using algorithmic and untimed design models. These systems then will be traced through implementation and final verification, completing the system view of functional safety.

# Tools and Technologies that Address Functional Safety

Cadence has been in the fault simulation business for more than 25 years. It is now expanding to provide an end-to-end functional safety solution, based on its proven functional verification platform, that reduces the automotive ISO 26262 certification effort by over 50%. The solution accomplishes this efficiency gain by automating what is otherwise a time-consuming manual verification process of fault injection and result analysis for IP, SoC, and system designs. For safety requirements tracing, the solution integrates permanent and transient fault simulation.



Figure 2: A functional safety verification flow

Fulfilling the traceability, safety verification, and TCL requirements of ISO 26262, Cadence's functional safety solution includes fault injection though simulation with the Xcelium™ Safety Solution, functional safety regression, fault list optimization and test ranking with the vManager™ Safety client, and broad structural fault testability, activatability, and relation analysis.

The Xcelium Safety solution offers seamless reuse of functional and mixed-signal verification environments to accelerate the time to develop safety verification. The simulator provides 50X the runtime performance compared to the interpreted Incisive Verifault-XL engine traditionally used in functional safety simulation. With the Xcelium Safety solution, users benefit from fault identification during elaboration and the ability to reuse their SystemVerilog, Universal Verification Methodology (UVM), and e functional verification environments unchanged. The solution simulates the unaltered design under test (DUT); faults are injected during simulation and can propagate through SystemC®, analog transistor or behavioral models, and assertions. The simulator also supports multiple fault types, including SEU, stuck-at-0/stuck-at-1, and single event transient.

The functional safety analysis capability in the vManager Safety Client automatically generates a safety verifination regression from the fault dictionary created by the simulator. The vManager Safety client can track millions of detected, potentially detected, and undetected faults introduced into simulation to verify the safety systems in a design. The capability also highlights potential and undetected fault runs for further debugging.

The JasperGold® Safety and Security App provides formal propagatability and activatability analysis for the Xcelium Safety solution. Adding this application to the flow orchestrates and measures fault analysis and adds formal propagatability analysis to assist and improve fault qualification.

These technologies are available in the Cadence System Development Suite. The vManager Safety client has been used in production by several US and European automotive IC suppliers. In fact, the first ISO 26262-certified chip used the Cadence solution with a requirements management tool. Cadence is continuing to expand its functional safety solution to encompass more hardware, software, and IP components.



Figure 3: Leveraging metric-driven verification to provide a comprehensive functional safety regression analysis

#### Summary

As discussed in this paper, meeting functional safety in automotive designs is only the beginning. Safety require—ments touch a multitude of application areas, from medical devices to industrial automation to military systems and much more. Complying with safety specifications can be laborious and time-consuming. However, electronic design tools, technologies, and methodologies—such as those offered by Cadence—can automate the process. By doing so, these tools and techniques can make it faster and more efficient for SoC designers to ensure that their chips will function as intended once inside the end products, even in the face of errors or other unplanned or unexpected circumstances.

#### References

- 1. P. Roche, G.Gasiot, "SEE on advanced CMOS BULK, FinFET and UTTB SOI technologies", short course, Nuclear Space Radiation Effects Conferences, NSREC/RADECS conferences, Paris, July 2014
- 2. P.Roche, "Changing the radiation paradigm with sub-28nm CMOS technologies", tutorial, International Reliability Physics Symposium, IRPS, Hawaii, April 2014
- 3. P. Roche, "Technology Downscaling Worsening Radiation Effects", Invited talk, SEMATECH Reliability Council, Dresden, Germany, July 2013
- 4. P. Roche, J.L. Autran, G. Gasiot, D. Munteanu, "Technology Downscaling Worsening Radiation Effects in Bulk: SOI to the Rescue", Invited talk, IEDM conference, Washington DC, USA, December, December 2013
- 5. P. Roche, J.L. Autran, G. Gasiot, D. Munteanu, "Addendum to the Anthology of the Development of Radiation Transport Tools as Applied to Single Event Effects", Invited contribution, IEEE Transactions on Nuclear Science, Special Issue, December 2013.
- 6. P. Roche, Gilles Gasiot, Sylvain Clerc, Jean-Marc Daveau, Cyril Bottoni, Maximilien Glorieux, Vincent Huard, Laurent Dugoujon, "A 65nm CMOS Platform for Space Applications: Qualification Test Results on Rad-Hard Microprocessors", submitted to IEEE Transactions on Nuclear Science, December 2013

#### **Further Information**

Learn more about Cadence's functional safety solution at <a href="http://www.cadence.com/cadence/newsroom/features/">http://www.cadence.com/cadence/newsroom/features/</a> Pages/fusa.aspx

Learn more about the Cadence System Development Suite at <a href="http://www.cadence.com/solutions/system\_to\_silicon\_verification/pages/default.aspx">http://www.cadence.com/solutions/system\_to\_silicon\_verification/pages/default.aspx</a>

Learn more about the Incisive verification platform at

http://www.cadence.com/products/fv/enterprise\_simulator/pages/default.aspx

Learn more about vManager solution at

http://www.cadence.com/products/fv/vmanager/pages/default.aspx

