
FMEDA-driven SoC design of safety-critical semiconductors – Cadence closing the gap between safety analysis and chip design

The growing complexity of electronics in modern cars is driving the automotive industry to adopt even more stringent processes throughout the supply chain. The lack of tools and methodologies to enforce a traceable safety lifecycle and exchange of safety-relevant information has created the need for an integrated design flow that addresses the requirements of the semiconductor industry and can be used across the supply chain.

This requires a new safety methodology, providing a seamless flow that closes the gap between safety analysis and typical chip design tasks such as safety verification and safety-aware implementation. Furthermore, as the development of safety-critical semiconductors and IPs is a complex and compute-intensive task, the automation of this process is crucial in increasing confidence in the safety methodology and improving productivity.

Enhanced Safety Methodology

From the perspective of safety methodology, commonly used safety analysis tools such as FMEDA are not integrated with IC design tools or flows. This means there is no formal way to describe the safety intent captured in the FMEDA and propagate it to the IC design flow so that it drives the safety tools accordingly (top-down methodology). Conversely, there is no formal way to back-annotate simulation-based data from a fault injection campaign into the FMEDA (bottom-up methodology) to replace estimated failure rates with more accurate values.

Figure 1: Cadence Midas Safety Platform to enable FMEDA-driven safety methodology

Some key enhancements are necessary to support a top-down and bottom-up safety methodology fully:

  • Tight integration between FMEDA and safety IC design flows
  • Formal description to specify the safety intent of the chip that all IC design tools support and can adhere to
  • Import of the chip design data to establish a formal connection between FMEDA and chip hierarchy
  • Back-annotation of simulation results into the FMEDA to improve the accuracy of estimated metrics

Cadence has introduced the new Midas Safety Platform to close these gaps. The Midas platform is seamlessly integrated with all Cadence IC design flows to enable an FMEDA-driven design, analysis, verification, and implementation of analog/mixed-signal and digital semiconductors and IPs. The integrated framework provides a workflow that guides the safety engineer through all the key steps, from FMEDA creation to safety analysis.

Supported Industry Standards

Despite the ISO 26262 standard, the lack of a standard, formal way to describe safety intent, including supported tool flows, has led to various in-house safety solutions built mainly on spreadsheets and scripts. However, standards bodies such as Accellera and IEEE have formed dedicated working groups to address these safety requirements and establish an adequate safety standard. The Midas platform, as the Cadence® Functional Safety Solution, provides a safety framework with various interfaces meant to work within an ecosystem of tools and flows (Figure 1).

The Midas platform is a modular and open solution that can be easily tailored to different applications and use cases while having solid foundations in existing standards for functional safety. This is primarily why the Midas platform integrates a safety analysis engine supporting the ISO 26262 (automotive) and IEC 61508 (industrial) standards.

The safety analysis engine can leverage estimated design information (e.g., area, number of flip flops or memory bits) provided by the user or use chip design data of Cadence IC design tools such as Genus (Synthesis), Innovus (Place & Route) or Xcelium (Fault simulation) to calculate the hardware safety metrics automatically.

In addition, Midas provides a dedicated engine for the Base Failure Rate (BFR) calculation according to the reliability model for integrated circuits defined in the IEC TR 62380 standard. The BFR can be calculated after entering information such as semiconductor process technology, custom mission profiles, and package information.

FMEDA Creation

Figure 2: FMEDA GUI and set-up.

Safety engineers can start with an “Architectural FMEDA,” an early-phase exploration of different safety architectures to identify the optimal set of safety mechanisms to achieve the safety goals.

To set up the FMEDA, it is necessary to define the parts and subparts representing the functional building blocks of the SoC to create the FMEDA hierarchy (Figure 2). It is also necessary to define one or more failure modes for each part and subpart and map a safety mechanism. If no chip data is available, the base failure rate can be equally distributed across all failure modes. Now the architectural FMEDA is set up, and the safety analysis engine can calculate the hardware safety metrics (SPFM, LFM, PMHF).

Once chip design data becomes available, a “Detailed FMEDA” can be performed. After importing the chip design into the Midas platform, the design hierarchy, including all design blocks, shows up as a hierarchical tree (Figure 2). Design instances can then be mapped to the FMEDA hierarchy by drag-and-drop. Chip design data such as design instances and numbers for area, gates, and flops are assigned automatically to all failure modes, and the BFR distribution can be adjusted accordingly. Finally, everything is prepared to set up the fault injection campaign in the Cadence Verisium Manager Safety.

After the safety verification is completed, the simulation results can be back-annotated to the Midas platform. As the failure distribution and diagnostic coverage values are now based on real design and simulation data, the recalculated HW safety metrics are much more accurate.
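The calculation described in the FMEDA steps above (equal distribution of the base failure rate, then back-annotation of measured coverage), as an added Python example; it is not Cadence or Midas code. The per-failure-mode model, the first-order PMHF, and all names and numbers are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class FailureMode:
    name: str
    safe_fraction: float   # share of faults that cannot violate the safety goal
    dc_residual: float     # diagnostic coverage of the mapped safety mechanism
    dc_latent: float       # coverage of latent multi-point faults
    fit: float = 0.0       # failure rate in FIT, set by distribute_bfr()

def distribute_bfr(modes, bfr_fit, weights=None):
    """Split the base failure rate equally (architectural FMEDA) or by
    design weights such as flop counts (detailed FMEDA)."""
    weights = weights or {m.name: 1.0 for m in modes}
    total = sum(weights[m.name] for m in modes)
    for m in modes:
        m.fit = bfr_fit * weights[m.name] / total

def back_annotate(modes, campaign):
    """Replace estimated coverage with the detected/injected ratio measured
    by a fault injection campaign: {name: (detected, injected)}."""
    for m in modes:
        if m.name in campaign:
            detected, injected = campaign[m.name]
            if injected <= 0 or not 0 <= detected <= injected:
                raise ValueError(f"bad campaign data for {m.name}")
            m.dc_residual = detected / injected

def metrics(modes):
    """Simplified ISO 26262-5 metrics; PMHF is first-order (residual only)."""
    lam = sum(m.fit for m in modes)
    rf = sum(m.fit * (1 - m.safe_fraction) * (1 - m.dc_residual) for m in modes)
    latent = sum(m.fit * (1 - m.safe_fraction) * m.dc_residual
                 * (1 - m.dc_latent) for m in modes)
    return {"SPFM": 1 - rf / lam, "LFM": 1 - latent / (lam - rf), "PMHF_FIT": rf}

def demo():
    # Constructed values: three failure modes, 90 FIT base failure rate.
    modes = [FailureMode("cpu_lockstep", 0.5, 0.99, 0.9),
             FailureMode("sram_ecc", 0.0, 0.99, 1.0),
             FailureMode("bus_parity", 0.5, 0.90, 0.8)]
    distribute_bfr(modes, 90.0)
    estimated = metrics(modes)
    # Constructed campaign result: 940 of 1000 injected faults detected.
    back_annotate(modes, {"cpu_lockstep": (940, 1000)})
    return estimated, metrics(modes)

if __name__ == "__main__":
    for label, m in zip(("estimated", "back-annotated"), demo()):
        print(label, {k: round(v, 4) for k, v in m.items()})
```

With these constructed inputs the measured coverage is lower than the estimate, so the back-annotated SPFM drops and the residual failure rate rises.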

Unified Safety Format

The Unified Safety Format (USF) is a set of commands to define and verify the functional safety intent in electronic design.

The functional safety intent includes the information required to model, specify, analyze, implement and verify safety-critical systems, semiconductors, and intellectual properties (IPs), enabling the portability of the same information across various commercial EDA tools.

USF facilitates the automation of the safety analysis and becomes the common framework to design, verify, and implement safety-critical systems. The safety analysis engine is also available via a command line interface, which makes the Midas platform fully scriptable and supports different levels of automation.

Leveraging USF, safety engineers can model the FMEDA and its effects on the behavior of a system (failure modes) by describing failure modes, including safety mechanisms and their physical implementation.

With USF, the FMEDA process can be fully captured, and the USF can also be modified and reused to automate FMEDA creation for other projects.

Figure 3 shows a simple example of USF commands describing an architectural FMEDA (design information is estimated at the failure mode level) and a detailed FMEDA (design information is gathered from a real design).

Figure 3: USF example – architectural and detailed FMEDA.

Midas Safety Platform

The Graphical User Interface of the Midas platform integrates various functional safety tasks:

  • Safety analysis authoring (design partitioning, failure modes definition, safety mechanism selection, and failure modes mapping);
  • Safety report generation and export of relative metrics (e.g., Single Point Faults Metric, Latent Faults Metric) and absolute metrics (e.g., Probabilistic Metric for Random Hardware Failures);
  • Safety configurations to create, save and restore different safety scenarios where one or more parameters can be changed (e.g., add or remove safety mechanism to analyze the effect on the diagnostic coverage);
  • Support custom attributes mapping to a safety object (e.g., parts, subparts, failure modes, and safety mechanisms).

Safety Verification Flow

The Midas platform leverages the central role of Cadence as an EDA vendor, providing a safety solution and safety cockpit to enable FMEDA-driven safety verification and safety-aware implementation.

The tight integration of the Midas platform with the Cadence Safety Verification flow represents a flexible verification solution, enabling the validation of assumptions made in the safety analysis phase.

The Verisium Manager Safety plays a critical role in the verification process. It provides a unified fault campaign management to automate and manage complex fault injection campaigns driving all safety engines such as Xcelium, Jasper Functional Safety Verification (FSV) App, Spectre® AMS Designer and Spectre.

The Verisium platform covers tasks such as fault campaign execution, test selection and ranking, fault classification, coverage, fault debugging, fault campaign reporting, and back-annotation of simulation results into the Midas platform.

After fault injection, the safety verification flow starts with fault analysis using the Jasper FSV App. By applying structural and formal fault analyses, the Jasper FSV App can identify untestable, unobservable, and equivalent faults that can be ignored in the subsequent fault simulation. This significantly reduces the fault list, accelerating the overall safety verification process. After fault analysis, the Xcelium Safety App simulates all remaining faults, leveraging the serial or concurrent fault simulation engines.

Further, the Midas platform also integrates with the Spectre Simulation Platform and Legato Reliability Solution, addressing analog and mixed-signal fault identification and simulation. Similar to the digital safety flow, the Midas platform can collect analog design information from the Spectre Simulator.

Safety-aware Implementation Flow

The Midas platform enables an FMEDA-driven safety-aware implementation, where the synthesis and Place & Route tools work in tandem.

USF allows the definition of safety mechanisms such as dual-core lockstep, safety islands, triple modular redundancy (TMR), logic isolation, and others. Once defined, the safety mechanism can be generated by the Genus Synthesis Solution. A USF file describing the implementation of the safety mechanisms can be saved and read by Innovus to drive the physical implementation accordingly.

Conclusion

The Midas Safety Platform is the first solution that truly enables an FMEDA-driven safety methodology for analog/mixed-signal and digital. The Midas platform is the unified cockpit across all Cadence safety flows, connecting FMEDA with SoC safety verification and safety-aware implementation. The solution leverages USF as the foundation to define the safety intent, enabling automated safety flows.


Sat. January 28th, 2023
