
What Is Automotive Tool Confidence Level 1?

ISO 26262 is the functional safety standard for automotive, as you probably already know. It is hard to attend any event concerned with semiconductors without hearing about automotive. The automotive market has been memorably described as a pot of gold guarded by a dragon, and that dragon is ISO 26262.

For obvious reasons, vehicles need to be safe. In fact, they need to fail less than the underlying semiconductors. This requires a multi-faceted approach to safety, involving everything from semiconductor process, through design and testing, to the design tool environment. In general, material produced at one level to demonstrate compliance is used at the next higher level, all the way up to the vehicle as a whole. One aspect of the standard is that the tools used to generate the design need to be documented.

Cadence has been working for some time with an internationally accredited testing and conformity company called TÜV SÜD. As you might guess from the umlauts, it is headquartered in Germany. Surprisingly, it was founded back in 1866, inspecting industrial steam boilers.

In October, Cadence announced that it had delivered Tool Confidence Level 1 (TCL1) documentation compliant with ISO 26262. This covers the analog/mixed-signal tool chain, and the digital front-end design and verification flows. There is an ongoing evaluation of the digital implementation and signoff flow, and that is expected to be complete by the end of the year. Once this is done, more than 30 Cadence EDA tools will contribute to an ISO 26262-compliant development life cycle.

That sounds good in a press release, but what does it actually mean? As I already said, the ISO 26262 standard has a number of different aspects to it. You can get some idea of the complexity from ISO's own overview above.

The OEM (car manufacturer) has final responsibility, but compliance efforts ripple down the supply chain to the Tier 1s, the groups designing the semiconductors, and to Cadence as a supplier of the EDA tools being used. That ends up in part 8, inside the red oval above. This defines "confidence", "qualification", and "proven in use."

Cadence's approach is TCL1 predetermination. This is flow-based compliance, based on which tools may be used in the flow, but it easily accommodates customers' unique flows and environments. The Cadence Automotive Functional Safety Kits comprise:

- Safety manual: Describes a typical tool-chain sub-flow and recommended good development processes and procedures
- Tool classification analysis (TCA): Assessment of tool confidence level for multiple use cases, failure modes, and effect analysis, and expected behavior of the tool under anomalous conditions
- Technical report: TÜV SÜD has evaluated the functional safety kits and confirmed that they support the ISO 26262 standard

Tools are divided into two classes. A bug in a verification tool, such as an RTL simulator, cannot introduce an error that was not already present in the source RTL. However, a bug in a tool that transforms the design, such as RTL synthesis, can introduce problems even if the input RTL is correct. So the two classes are tools that may fail to detect an error, and tools that may introduce an error. These are red and blue in the example digital design and verification flow shown below.

Cadence is not the ASIC supplier. The tool qualification approach is to ensure that the tools used by the ASIC supplier are documented with Cadence and customer material to satisfy the ISO 26262 requirements.

For each tool, it is necessary to:

- assess the probability that a tool failure could leave an undetected critical flaw in the work product,
- evaluate the measures to prevent the tool from producing erroneous output or to detect errors,
- determine the level of confidence that tool malfunctions will not cause violations of the technical safety requirements, and
- document both Cadence and customer tool classification results in the Software Tool Criteria Evaluation Report.

It is worth emphasizing that TCL is exclusively a measure of the ability to detect tool errors. It only covers cases where a good input is provided and unexpected output is created, not cases where bad input is correctly handled.

Basically, Cadence has done this work so that each of our customers does not have to do the work separately, which is obviously not very efficient. By doing this, Cadence is saving its customers time and resources. Customers can make adaptations depending on the actual flows and tools they are using (which might include internally developed tools or tools from other suppliers). Users are required by ISO 26262 to submit a Software Tool Criteria Evaluation Report, and the Cadence Automotive Functional Safety Kits become part of that submission.
