Paul McLellan
Breakfast Bytes

CDNDrive: Automotive Functional Safety

14 Jul 2017 • 3 minute read

At CDNLive in Munich, Cadence's Robert Schweiger gave a walkthrough of all the things that Cadence is doing in automotive. In yesterday's post, CDNDrive: Cadence Automotive IP Solutions, I gave an overview and wrote about the automotive IP solutions for memory controllers, Ethernet and neural network DSP. Today it is the EDA side of things, with a look at various aspects of functional safety. Can you count up to 26262?

Functional Safety

We don't need ISO 26262 to tell us that autonomous driving is safety critical. People are worried about driverless cars in the same way that they used to worry about...elevators.

It's true. When elevators were first introduced, people were scared of the very idea of them being automated. It took a strike in New York to change people's minds, and the elevator operators discovered they'd won the battle but lost the war. Here's Garry Kasparov, in an interview mainly about computer chess:

There was a time people didn’t trust elevators without operators. They thought it would be too dangerous. It took a major strike in the city of New York that was equal to a major disaster. You had to climb the Empire State Building with paralyzed elevators. 

The first area to address is the tool flows themselves. The documentation of several flows is assessed as compliant by TÜV SÜD to TCL 1. If you don't know what that means, then read my post What Is Tool Confidence Level 1? The Cadence Automotive Functional Safety Kits for design flows contain comprehensive TCL1 documentation, which customers can use for TCL1 predetermination of their specific use case or flow.

Another key component is the Modus Test Solution. In general, the Modus solution is used to generate the scan patterns for manufacturing test. But automotive requirements mean that SoCs need to be able to run self-test on the various blocks, at power-up for sure, but also as frequently as several times per second. The Modus solution can be used to construct appropriate scan chains and compress the self-test vectors.

Tensilica tools and IP are ASIL-B ready. Work is under way on a portfolio of automotive IP to get it ASIL-B ready by the end of the year (MIPI controller and PHY, LPDDR4 controller and PHY, PCIe, automotive Ethernet, and more).

Cadence has set up an ISO 9001 design center to support customers doing safety critical automotive designs.

Automotive Functional Safety Verification Solution

Safety verification is basically simple. A fault is inserted into the design, some verification is run, and the behavior of the system is classified into:

  • The fault was noticed, or had no effect, and the system corrected for it and behaved normally. Example: correcting a single bit error on a memory (known as detected safe)
  • The fault was noticed and the system dropped back into some safe mode. Example: the airbag was going to deploy accidentally so the airbag controller was shut down and a warning light displayed on the dashboard (known as detected dangerous)
  • The fault caused something bad to happen (known as undetected dangerous; this is obviously not good)

However, that basic structure hides a plethora of important details: coming up with the list of faults, running them efficiently, creating summary and detailed reports, reducing the huge amount of data to simple metrics such as FIT numbers. The above diagram shows how it all fits together, with the fault list, the fault results database, and more.
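To make the three buckets concrete, here is a toy fault-injection campaign as an added example; it is not Cadence's code and does not model any real flow. It assumes a constructed register model (names, values and protection schemes are invented for the illustration), enumerates every single-bit fault as the fault list, runs one "test" per fault, stores each outcome in a results dictionary standing in for the fault results database, and finally reduces the results to counts and a simplified residual FIT figure (base FIT of 100 is a constructed placeholder; the real derivation involves failure-rate data this post does not go into).

```python
"""Toy single-bit fault-injection campaign, bucketed into the three classes
the post lists: detected safe, detected dangerous, undetected dangerous."""
from collections import Counter

# --- Constructed register model (an assumption for this example) ---
# Three 8-bit registers with different protection. STATUS bits 6-7 are
# reserved and masked off on read, so faults there have no effect.
REGS = {
    "SPEED":  {"prot": "ecc"},                 # single-error-correcting code
    "TORQUE": {"prot": "parity"},              # detects, cannot correct
    "STATUS": {"prot": "none", "mask": 0x3F},  # unprotected, 6 live bits
}
GOLDEN = {"SPEED": 0x5A, "TORQUE": 0x33, "STATUS": 0x15}  # constructed values


def parity(value):
    """Even parity of an integer's bits."""
    return bin(value).count("1") & 1


def read_reg(name, stored, fault_bit):
    """Model one read after a single-bit flip at fault_bit.

    Returns (value_seen_by_logic, fault_detected). ECC corrects a single
    flip; parity only flags it (the stored parity bit is assumed intact);
    an unprotected register just delivers the corrupted, masked value.
    """
    faulty = stored ^ (1 << fault_bit)
    prot = REGS[name]["prot"]
    if prot == "ecc":
        return stored, True                       # corrected, behaviour unchanged
    if prot == "parity":
        return faulty, parity(faulty) != parity(stored)
    return faulty & REGS[name].get("mask", 0xFF), False


def classify(name, fault_bit):
    """Bucket one fault the way the post describes."""
    good = GOLDEN[name] & REGS[name].get("mask", 0xFF)
    seen, detected = read_reg(name, GOLDEN[name], fault_bit)
    if seen == good:
        return "detected safe"          # corrected, or no observable effect
    if detected:
        return "detected dangerous"     # wrong data, but the system knows and can go safe
    return "undetected dangerous"       # wrong data silently propagates


def run_campaign():
    """Fault list -> one run per fault -> results database (dict)."""
    fault_list = [(reg, bit) for reg in REGS for bit in range(8)]
    return {(reg, bit): classify(reg, bit) for reg, bit in fault_list}


def metrics(results, base_fit=100.0):
    """Reduce the results database to per-class counts and a simplified
    residual FIT: base FIT scaled by the undetected-dangerous fraction.
    base_fit is a constructed placeholder, not a real failure rate."""
    counts = Counter(results.values())
    total = sum(counts.values())
    residual_fit = base_fit * counts["undetected dangerous"] / total
    return counts, residual_fit


if __name__ == "__main__":
    res = run_campaign()
    for (reg, bit), outcome in sorted(res.items()):
        print(f"{reg}[{bit}]: {outcome}")
    counts, fit = metrics(res)
    print(dict(counts), f"residual FIT = {fit}")
```

Running it shows why the three buckets matter: the ECC register contributes only detected-safe faults, the parity register only detected-dangerous ones, and the six live bits of the unprotected register are the only faults that end up in the undetected-dangerous bucket and therefore in the residual FIT.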

For fault classification, there are two approaches. Functional Safety Simulation can be used for short tests and regressions. Palladium emulation can be used for full-chip and for software analysis. Increasingly, there are some formal approaches that can be used with the JasperGold Formal Platform. Although formal techniques are not always applicable, they are very strong when they are, because they prove safety outright, whereas with simulation you never know whether you forgot to simulate something important.