Automotive Is a Pot of Gold Guarded by a Dragon

One of the big themes of pretty much any conference on semiconductors these days is automotive, and DVCon Europe was no exception. For me the most memorable phrase of the day was from Amir Rahat of Optima, that automotive semiconductors are "a pot of gold guarded by a dragon." That dragon has a name, ISO 26262, the requirement that automotive semiconductors are reliable and safe.

Cadence ISO 26262 Tutorial

The first day of DVCon was tutorials, and one of those was by John Brennan and Viktor Preis of Cadence on ISO 26262, This Changes Everything. For verification of chips, automotive is disruptive. For liability reasons, it is necessary to be able to prove the safety aspects of the vehicle and ensure the integrity of the design and supply chain. But it is not just the risk of injury. One design error and you have a huge recall. Functional Safety (FuSa) ensures a much better overall design process. It is not just automotive: on the plane to and from Munich, there were cabin announcements that if any of us had a Samsung Galaxy Note 7 we were not to turn it on, even in airplane mode. That's not the marketing message you ever want to hear about one of your own products.

So why is it a pot of gold? Automotive was 10.4% of semiconductor sales in 2014. It is growing and is expected to continue to grow at 8% CAGR, four times the growth of the semiconductor industry as a whole. That will take it to $50B by 2022. Another way to look at the opportunity, in non-financial terms, is that automotive was responsible for 1.25 million deaths in 2015, and almost all crashes are caused by human error.

The dragon, as I said above, is reliability. This is measured in FITs (failures in time), which are faults per billion hours of operation. One FIT is once in 114,000 years. If a car lasts 10 years, that means one failure in one car in every 10,000 cars. Can you feel the dragon's heat?

To achieve functional safety, you must follow ISO 26262. It is required by OEMs, hence by tier-1s, hence by everyone. It addresses the legal requirements for state-of-the-art safety. And it is understood by the practitioners; there are training courses and so on.

Reliability is one aspect of safety, making sure things don't fail too often. But with the need to achieve a reliability of perhaps 10 FITs per vehicle using semiconductor processes with a reliability of perhaps 500 FITs, just addressing reliability is not going to close that gap. We live on a radioactive planet bombarded with cosmic rays, so high-energy neutrons are not something that we can completely protect against, either. So, in addition to making the chips as reliable as possible, we need to address functional safety, ensuring that when chips do have faults, we catch them.

There is a lot more to ISO 26262, such as documentation and tool certification standards. But the focus of the Cadence tutorial was on functional safety assessment. This is a process for evaluating a design for functional safety. It is partly a way of testing, and partly probabilistic. The challenge, in a single sentence, is to create a fault-tolerant design, since the underlying silicon is not going to get us there.

All problems are not created equal. Some, like say the speedometer failing, are not a whole lot more than an inconvenience. Some, like the ABS system failing, are life threatening. These concepts are formalized by automotive safety integrity levels (ASIL). The highest level is ASIL D, requiring the most stringent safety measures, with risk to life or of serious injury in the event of failure. The FIT rate is defined per those levels.

The implications of this for design and verification tools are that:

- Fault-tolerant designs are required to reduce FITs
- Positive (functional) testing is needed prior to safety testing
- Negative (functional safety) testing is divided into specific tests based on failure modes, and statistical tests to ensure design integrity
- Testing of transient faults (such as single-event effects from neutrons) is required

Faults are classified into a four-way box based on whether checking hardware notices the fault, and whether the fault propagates to the outputs (and so affects the vehicle):

- Not propagating and not detected: The system is safe but may have a problem if another fault occurs that interacts, known as a latent fault
- Not propagating but detected: System is safe
- Propagating but not detected: This is an unrecoverable failure. Red flag
- Propagating but also detected: System is in danger but can recover

Cadence had a weird experience in the last few years. We have had a fault simulator for years, but everyone uses scan for manufacturing test, and so fault grading of vectors is no longer required. No development had gone into it for years (it didn't support SystemVerilog, for example). But suddenly it started to sell. The reason was not that people suddenly wanted to grade test vectors, but that it was an imperfect tool for seeing how faults were handled in automotive designs. For example, if this flop got flipped, would it be detected or cause a failure? So in the past, fault simulation was used to grade the vectors. Now it was being used to grade the design.

Naturally, what we had on the shelf wasn't ideal for this. It needed better detected/undetected grading, use cases, and the ability to work with much of the design not at gate level. Plus, formal verification would be good to fold in where appropriate. Development has now resulted in the Incisive Functional Safety Simulator (IFSS).

IFSS takes in lists of faults, along with a design and other data, and classifies all the faults as to whether they are detected (and when). This is called a fault campaign. This approach allows the values estimated during the requirements phase to be validated against real values from the actual design (and potentially guides changes to the design to improve functional safety). That's a lot of data, but in the end it comes down to a summary captured in three numbers:

Optima ISO 26262 Tutorial

After talking about the vivid image of automotive being a pot of gold guarded by a dragon, Amir Rahat of Optima went on to talk about the importance of ISO 26262. He is actually on the standard committee. Since OEMs require certification, this ripples down the supply chain and everyone needs it, too.

Absolute safety is impossible to provide, of course. In the most extreme cases, nine-way duplication can be used, with three independent implementations being examined together, each implementation triply redundant. This is obviously very expensive and, in fact, is only used occasionally in aerospace.

Amir talked about handling faults that require addressing. He divided them into two classes: memory and logic. We have known for years how to address random memory faults by adding error correcting codes (ECC) of sufficient power for our needs. Logic can be addressed by redundancy if the cost is not prohibitive; otherwise selective hardening can be applied. Optima sells a high-speed soft-error safety tool for looking at these kinds of intermittent errors.

Summary

As a summary, it is hard to do better than Amir's summary slide:
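To make the four-way fault box and the fault-campaign idea from the Cadence tutorial concrete, here is an added example in Python (not Cadence's IFSS, Optima's tool, or any code from the tutorials). It flips each flop of a small constructed design once (a parity-checked command register, an unprotected speed register, and a 2-of-3 voted mode flop; all names and values are assumptions) and classifies every fault by whether it propagates to the outputs and whether the checker notices it.

```python
def parity(value: int) -> int:
    """Even parity of an integer's bits."""
    return bin(value).count("1") & 1

def golden_state() -> dict:
    """Constructed flop state: parity-protected cmd, unprotected speed, TMR mode."""
    cmd, speed = 0x5A, 0x3C                       # sample values (constructed)
    st = {f"cmd[{i}]": (cmd >> i) & 1 for i in range(8)}
    st["cmd.parity"] = parity(cmd)               # checker flop for cmd
    st.update({f"speed[{i}]": (speed >> i) & 1 for i in range(8)})
    st.update({"mode.a": 1, "mode.b": 1, "mode.c": 1})  # voted 2-of-3, no alarm
    return st

def word(st: dict, name: str, width: int) -> int:
    return sum(st[f"{name}[{i}]"] << i for i in range(width))

def evaluate(st: dict):
    """Combinational logic of the design: returns (outputs, checker_alarm)."""
    cmd, speed = word(st, "cmd", 8), word(st, "speed", 8)
    voted_mode = int(st["mode.a"] + st["mode.b"] + st["mode.c"] >= 2)
    alarm = parity(cmd) != st["cmd.parity"]      # only the cmd path is checked
    return (cmd, speed, voted_mode), alarm

CLASSES = {  # (propagates to outputs, detected by checker) -> box from the tutorial
    (False, False): "latent",
    (False, True): "safe",
    (True, False): "dangerous_undetected",   # the red-flag case
    (True, True): "dangerous_detected",
}

def run_campaign(st: dict) -> dict:
    """Flip each flop once (a single-event upset) and classify the outcome."""
    golden_out, _ = evaluate(st)
    results = {}
    for flop in st:
        faulty = dict(st)
        faulty[flop] ^= 1
        out, alarm = evaluate(faulty)
        results[flop] = CLASSES[(out != golden_out, alarm)]
    return results

def summarize(results: dict) -> dict:
    """Faults per box plus the share of propagating faults the checker caught."""
    counts = {c: 0 for c in CLASSES.values()}
    for c in results.values():
        counts[c] += 1
    dangerous = counts["dangerous_detected"] + counts["dangerous_undetected"]
    counts["diagnostic_coverage"] = counts["dangerous_detected"] / max(dangerous, 1)
    return counts
```

In this toy design the parity check makes command-register flips detected but not masked, the voter masks mode flips silently (latent), and the unprotected speed register produces the red-flag case; `diagnostic_coverage` is the fraction of propagating faults the checker caught, a simplified form of the coverage numbers a real campaign reports.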
