Automotive electronics is a huge business opportunity for semiconductor makers, but even a small error or malfunction can cause physical damage, injury, or death. Cadence today (Oct. 22, 2014) is announcing a new automotive solution that will help automate safety verification, while reducing the effort required for ISO 26262 safety compliance by up to 50 percent.
The new solution expands the Cadence Incisive functional verification platform with new fault injection and safety verification technologies. Its primary components are the new Incisive Functional Safety Simulator and a Functional Safety Analysis capability for the Incisive vManager solution. The simulator represents a major step forward for fault simulation, a technology that goes back to the early days of EDA in the 1980s but has not seen widespread industry use or major innovations during the past 15 years.
The term “functional safety” is defined in the ISO 26262 standard as “absence of unreasonable risk due to hazards caused by malfunctioning behavior of EE [electrical or electronic] systems.” The standard covers functional safety aspects of the entire development process, including requirements specification and traceability, design, implementation, integration, verification, validation, and configuration. It provides an automotive safety lifecycle, a risk-based approach to determining integrity levels, requirements for validation and confirmation, a tool confidence level (TCL), and requirements for relationships with suppliers.
According to Adam Sherer, product management group director at Cadence, automotive functional safety is part of a larger movement towards “dependability” in electronic design. “Today, everyone is doing power aware design, and we think dependable design is the next big thing,” he said. While the concept may extend to other application areas in the future, Cadence is starting with automotive, a market in which electronic components must continue functioning safely even when they are temporarily impaired.
A Slipped Bit Matters
Until recently, Sherer noted, companies that developed ICs for automobiles would simply make sure that the chip passed manufacturing test. Today, however, advanced process nodes and device complexity increase the likelihood of a failure during the long lifespan of the device. Failures can be due to factors beyond the control of manufacturers, such as radiation, electromagnetic fields, or common mode failures that can cause transient bit errors.
Think missing a bit is not a big problem? A car’s five-speed transmission needs only three bits of data to encode the gear position, Sherer noted. If you’re on the highway in fifth gear and the most significant bit slips, you don’t want the transmission to suddenly drop into first gear. Functional safety verification can determine whether the transmission system will detect the single bit error and recover while it’s functioning.
Meanwhile, fault simulation is a technology that injects potential faults into a gate-level netlist to determine whether manufacturing test would detect those faults if they occurred. Because testers can observe signals only at the pins of a device under test, they may miss a malfunction deep inside the silicon whose effect never propagates to an output. Functional safety adds a second requirement: the safety mechanisms that respond to functional errors are triggered by checkers within the design, so detection must also work on internal signals. With fault simulation, you force a net to a stuck-at-0 or stuck-at-1 value deep inside the chip, re-run the test patterns, and see whether any observed output differs from the fault-free design. In this way, fault simulation tests your tests: it measures how many of the potential faults your test set would actually catch.
When automatic test pattern generation (ATPG) came along in the late 1990s, interest in fault simulation waned and digital designers put the technology “on the shelf,” Sherer said. Custom and analog designers couldn’t use ATPG, so there continued to be some use of fault simulation in the custom/analog area, and some automotive users continued to depend on fault grading for their testing.
New Life for Fault Simulation
With growing electronic complexity and the need to comply with ISO 26262, designers of automotive SoCs are getting interested in fault simulation once again. Cadence has long had a digital fault simulation product called Verifault-XL, but like other “traditional” fault simulation products, it has some limitations. It works at the gate level only and simulates stuck-at faults to identify potential manufacturing defects. “It just doesn’t have the ability to run the SoC functional tests, when you bring the system up with digital, analog, and software running,” Sherer said.
The new Incisive Functional Safety Simulator is also a fault simulator. However, it works with both gate-level and RTL designs and will run everything that Incisive runs. “We can now run a full SystemVerilog testbench and propagate digital faults through mixed-signal circuits without any change to the design under test,” Sherer said. “As a result, the user can always assure the ISO 26262 auditor that all of the safety verification was done on the actual design.”
Fault types that are interesting from a functional safety standpoint, Sherer said, include single-event transient and single-event upset faults. While the new simulator supports them, these kinds of faults “give traditional fault simulation a lot of trouble.” If a fault takes several hundred clocks to propagate from the point of injection to a detectable output, he noted, “traditional fault simulation memory blows up.”
Further, the new simulator runs within the Incisive Enterprise Simulator compiled-code engine, boosting runtime performance up to 10X compared to Verifault-XL, which is interpreted.
Safety requirements tracing is a big part of the ISO 26262 specification, and that’s where Incisive vManager comes in. Introduced in February 2014, vManager is a verification planning and management environment built on a client-server architecture. It lets users create test plans, launch jobs, view results, analyze metrics and coverage, track progress, and submit reports. It can work with any requirements management tool to provide tracking and tracing.
The ability of safety mechanisms to detect faults is the critical measure for ISO 26262 compliance. The Functional Safety Analysis capability in vManager lets the safety engineer automatically generate a safety verification regression from the fault dictionary created by the simulator, and lets vManager track the millions of detected, potentially detected, and undetected faults that were injected into the simulation.
The new Cadence functional safety solution is built around the design flow shown in the accompanying figure. The flow enables safety requirements tracing with an integrated verification plan (vPlan) that is used throughout, provides both permanent and transient fault simulation through the Functional Safety Simulator, and automates safety reporting. The result is the traceable audit trail needed across the system design chain from IC supplier to OEM.
Automotive suppliers today are familiar with ISO 26262 and functional safety requirements. The only question is how these requirements will be met. While some companies are spending millions of dollars on manual efforts, Cadence proposes an automated flow with next-generation fault injection and automated reporting and traceability. It’s a good first step in the new quest for dependable design.