DVCLUB Europe | Automotive Safety and ISO26262

Verification for Automotive AMS ICs

Conference:DVCLUB Europe | Automotive Safety and ISO26262
Speaker:Dirk Hansen, Mentor A Siemens Business, Functional Safety Professional
Abstract:Automotive market analysis predicts double digit annual growth in ICs development over the next decade. Throughout this period, the size and complexity of ICs will continue to grow exponentially, driven by demand for advanced driver-assistance and autonomous drive systems. Design and verification methodologies must evolve to meet demanding product development schedules while simultaneously demonstrating the achievement of functional safety. ISO26262, the state of the art standard ensuring development of functionally safe products, details two types of faults which must be addressed:

  • Systematic Faults: Ensuring the design operates correctly
  • Random Faults: Ensuring the design fails safely in the presence of unpredictable faults

While systematic faults incur their own unique challenges, redefining the methodology and approach to random fault safety analysis can significantly reduce the safety lifecycle execution time and eliminate iterations. The graphic below defines the key steps within an automotive safety lifecycle.

In the past, expert driven judgement was the primary means of completing safety analysis, which includes defining all the failure modes in the design. As IC’s have grown, the ability for experts to comprehend all the failure modes is no longer feasible. Unfortunately, these errors aren’t identified until after the design is modified with safety mechanisms, functional coverage is re-closed, and an expensive fault campaign has completed.

New tools and activities within the Safety Analysis phase are required to eliminate this uncertainty from the safety lifecycle. Specifically, engineers must be able to accurately define how a device will fail and the design modifications required to protect against random hardware faults. These additional activities can be summarized into an initial safety assessment followed by safety exploration.

Using bottoms-up structural analysis techniques, engineers can quickly perform gap analysis on the existing safety architecture and determine the design modifications required to meet the target safety goals. This upfront guidance eliminates schedule uncertainty by providing a systematic approach to a single iteration safety lifecycle.

The first step within Safety Analysis is performing the initial safety assessment. Using structural analysis techniques, the design is evaluated for safety holes and compared against tops down expert driven judgement. This form of gap analysis validates the accuracy of expert estimated safety metrics such as failure in time (FIT), single point fault metric (SPFM), latent fault metric (LFM), and probabilistic metric for hardware failure (PMHF). This bottoms up approach analyzes both instance based and multi-cycle safety mechanisms and will calculate both the FIT and achievable diagnostic coverage of existing safety mechanisms. In addition, it provides valuable guidance into the safety holes in the design and their contribution to the overall FIT rate. With this information, the user is now armed with the knowledge required to evaluate modifications to the safety architecture and move to the safety exploration step.

In safety exploration, additions or modifications to the safety architecture are proposed and the achievable diagnostic coverage and impact to area are calculated. This step is expected to be iterative as it allows the user to experiment with different safety implementations, understand the achievable safety metrics and calculate the impact to power, performance, and area (PPA). Once the optimal safety architecture is identified, design engineers begin the process of hardening the design by implementing the proposed safety mechanisms.

3 Key Points:

  •  More accurate FIT and Diagnostic Coverage is possible when augmenting expert judgement with automated design analysis
  • Design analysis to calculate achievable safety metrics and safety architecture is critical to avoid iterations through the safety lifecycle
  •  Safety analysis ensures safety implementation isn’t under or overdesigned, providing an optimal implementation which meets safety targets with minimal power and area impact
Speaker Biography
  • Master microelectronics engineering technical university of Berlin
  • Career: sales engineer at Siemens
  • Hardware design engineer at Siemens
  • Application engineer at Mentor Graphics
  • Functional safety professional at Mentor Graphics


DVCLUB Europe is made possible through the generosity of our sponsors.