Cadence Breakfast Bytes blog
Paul McLellan
ETS2020: Functional Safety

8 Jun 2020 • 6 minute read

One of the keynotes for the European Test Symposium 2020 (ETS2020) was by Cadence's Alessandra Nardi. As you might guess from her name, she's Italian. But I think that's about as European as her presentation got since, instead of coming from Tallinn (pop quiz: of what European country is that the capital?), it came from her home in California. Her keynote was titled Safety-Critical Applications: An EDA Perspective.

Alessandra started off by bemoaning how EDA is so little known. She attended the Grace Hopper Conference on Women in Computing, which has 15,000 attendees. There was just one talk on EDA and it was very introductory. Most attendees had no idea what EDA is. For more about the Grace Hopper conference, see my post Grace Hopper Celebration of Women in Computing. I didn't write much of the post since I'm not a "woman in computing". But I recruited a Cadence director who attended, and the daughter of a friend of mine who was an undergraduate in computer science at Berkeley (now works for Lyft).

Another place where EDA gets little respect is in functional safety, where EDA is a "supporting process". ISO 26262 has a really small chapter on supporting processes, and EDA is just one part of that.

If you look at the application space, engineers work on abstractions without knowing the details of how software is executed on the platform. On the right of the diagram, EDA lets you build complex systems without knowing all the manufacturing processes or the physics. It would be great to get the excitement from applications into EDA.

Trends in EDA

EDA does a remarkable job, in many ways, using computational software to achieve silicon optimization. That requires many aspects, but some key ones are:

  • Performance and capacity: Sheer numbers, since something like power grid analysis has all the nodes connecting billions of transistors. But we need to run on a reasonable machine without a ridiculous memory footprint.
  • Accuracy: It goes without saying that this is obviously important
  • Ease of use: In particular, not requiring designers at high levels to have deep knowledge at low levels, most obviously letting computer scientists write SystemVerilog and get results without requiring deep knowledge of transistors.
  • Robustness and repeatability: No crashing in the middle of long runs, and the same input will give the same output again.

There are several major industry trends at present:

  • Silicon optimization
  • System optimization
  • Deep learning and data science (in both EDA and applications)
  • Distributed cloud computing
  • 5G and edge-computing (ultra-low latency, giving possibility to run on edge or in cloud)
  • Cyber-physical systems (integration of computation, networking, and physical processes)

But the big trend for this topic is the increasing pervasiveness of safety-critical systems, where system failure could result in loss of life, harm, or major physical damage. The most high-profile example is autonomous vehicle technology, but the longest-standing is avionics. However, this also covers drones, medical electronics, and robotics. Increased computational power and high-speed communication are shifting more functions from the human to the electrical/electronic systems (sense + process + actuate).

Dimensions of Safety-Critical Applications

There are a number of dimensions of safety-critical applications. At the top level, these can be grouped as dependability and security, as shown in the diagram. At the next level down, there are:

  • Reliability: quality over time, meaning no failure from manufacture for a defined lifetime
  • Safety: the absence of catastrophic consequences, or better phrased as a reduction of catastrophic consequences (to avoid "The Safest Train Is One that Never Leaves the Station")
  • Integrity: the absence of improper system alterations
  • Availability: readiness for service (an elevator refusing to leave a floor for safety reasons is safe but not available)
  • Confidentiality: the absence of unauthorized disclosures of information

EDA and Safety

Alessandra said she would focus on EDA and safety for the rest of the keynote. To show how long people have been concerned about these issues, she quoted Dionysius Lardner, writing about Babbage's Calculating Engine in the 1834 Edinburgh Review:

The most certain and effectual check upon errors which arise in the process of computation, is to cause the same computations to be made by separate and independent computers; and this check is rendered still more decisive if they make their computations by different methods.

Failures are divided into two groups, systematic and random. Systematic means that the problem will always occur under the same circumstances, so it is a problem created when the system was created. This is addressed by process: making sure every requirement is verified, and so on. Random failures are what the rest of the keynote covered, the type of failure that needs deeper analysis. This sort of analysis also has some benefit for systematic faults.

Safety goals are classified by ASIL levels (ASIL stands for Automotive Safety Integrity Level) ranging from A to D. These consider failures and look at severity (how bad the consequences might be), exposure (how likely it is), and controllability (whether you can do anything about it). ASIL levels consider three sub-metrics: SPFM (single-point fault metric), which looks at the probability of a fault; LFM (latent fault metric), which looks at the probability of multiple faults where some are obscured by others; and PMHF (probabilistic metric for random hardware failure), which rolls everything up into a FIT number (failures in time), the number of failures expected in a billion hours of operation. The table shows how these metrics match up to ASIL levels (A means no safety issue, such as the radio, and D means things like the brakes).

Functional Safety and Design

Functional safety requires a holistic approach, with stringent traceability requirements through the design flow. On the right of the diagram is the so-called V-diagram. Going down the left-hand side starts from requirements and ends up at detailed implementation. Going back up the right-hand side provides verification at each level, with the tests building on each other in the same way as the requirements drove implementation decisions.

Another key part of functional safety and EDA is using fault simulation to get a metric. A fault campaign is put together with a lot of faults, the simulations are run, and a count is kept of how many of the faults were correctly handled. In this sense, "fault" doesn't only mean the kind of "stuck-at" fault used in test coverage. It can be a software error, a sensor error, a single event upset, a memory glitch, and so on. These are all things that might go wrong, and it is important both to reduce their likelihood and to ensure that when a problem does occur it is handled correctly.

In fact, I can't do much better than use the topic of a blog post I wrote a couple of years ago about another presentation by Alessandra: Make Sure Your Car Doesn't Break Too Often...When It Does, Make Sure You Catch It.

Accellera

There is an Accellera working group on functional safety, which Alessandra is involved with. There are over 20 companies participating. The goal is to create a standard to capture and propagate the functional safety intent throughout the flow (as in the diagram above). This is intended for all safety-critical applications, software and hardware, industrial, A&D. And, of course, automotive.

Summary

And with that, Alessandra wrapped up:

There needs to be a strong connection between EDA and the application that it enables. From my personal perspective, I’ve enjoyed working with functional safety and this sort of collaboration is the breeding ground for innovation.

If you were registered for the conference, you can see a replay of her keynote until mid-June.

Pop quiz: Tallinn is the capital of Estonia. That's one of the three Baltic countries (although often they are referred to as the Baltic States) to the west of Russia, the other two being Latvia (capital Riga) and Lithuania (capital Vilnius).
