Vinod Khera
Attain Functional Safety with the Midas Safety Platform

31 Jan 2022 • 7 minute read

 
The rapid increase in innovations such as ADAS, lidar, radar, and automation has led to the proliferation of electronics and semiconductors in cars, and with the shift to hybrid/electric vehicles (EVs) their share is expected to exceed 75% of the total cost of an internal combustion engine (ICE) car. As complexity grows with each advanced feature, so does the risk of unexpected behavior, and safety requirements keep evolving and becoming more stringent in response. These requirements are defined and mandated in safety standards such as ISO 26262.

Future safety systems will depend heavily on reliable semiconductors. Despite advances in design environments and in semiconductor verification, more than 80% of field failures today are attributed to the analog or mixed-signal portion of products. Safety verification (simulation or formal) is a much more accurate way to determine the diagnostic coverage (DC) and calculate the hardware safety metrics, but it is deployed late in the SoC design process. Safety cannot be an afterthought; it must be addressed early and at every stage of SoC development in safety-critical verticals. Because incorporating functional safety is cumbersome and time consuming, design engineers are looking for highly automated, integrated functional safety solutions that help them achieve ISO 26262 certification faster.

“Simulating random faults in functional safety verification is a big challenge in industrial applications. Modeling the diverse nature of safety mechanisms adds significant complexity and requires reliable and flexible simulation tools. In providing flow automation, turnaround time optimization, and quality of results, the new Cadence Safety Solution extends the existing Cadence Verification Suite and helps us achieve faster IEC 61508 certification.”

- Franck Roche, Architecture, Technical support, Application and tools Director, Microcontroller Division, STMicroelectronics

As a leader in safe and intelligent system design, Cadence has enabled customers to design systems that not only meet their desired constraints and budgets (PPA/TAT) but also comply with the required safety standards, such as ISO 26262 and IEC 61508, for safety-critical applications in automotive, industrial, aerospace, and healthcare. Safety is freedom from unacceptable risk; functional safety is the narrower property that the system behaves acceptably even in the presence of faults. Using fireproof material is safety, while installing a fire protection system is functional safety.

The Cadence Safety Solution consists of the Midas Safety Platform tightly integrated with Cadence IC design flows, covering both analog and digital verification planning, analysis, and tracking. Cadence's vManager Safety Manager and Legato Reliability Solution manage and execute the fault campaigns, including fault classification and control of all verification engines. The Cadence Safety Solution allows customers to perform Failure Mode Effect and Diagnostic Analysis (FMEDA)-driven analog and digital verification of safety-critical semiconductors for advanced automotive, industrial, and aerospace applications.

Functional Safety and its Requirements 

Functional safety is a paramount requirement for safety-critical applications. Functional safety standards aim to identify and mitigate the risk of faults in the type of system they address (aerospace, automotive, industrial, medical, etc.) so as to avoid physical injury or damage. As per ISO 26262, "functional safety" is the absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical/electronic (E/E) systems, where the malfunction may stem from systematic or random faults. This dry contractual definition can be read as a chain of implications: a malfunction (of an E/E component) leads to a hazard (an unintended situation), which carries a risk (of damage), which dictates the required risk reduction (relative to the acceptable level of risk). Based on the severity, exposure, and controllability of such hazards, four Automotive Safety Integrity Levels (ASIL A, B, C, and D) are defined, with D the most stringent; the hardware architectural metric targets rise with the level, up to a single-point fault metric of 99% for ASIL D.

To comply with functional safety standards, it is preferred to start safety practices from the architecture phase. In the functional safety lifecycle and development, the concept phase is owned by the car manufacturer and defines the systems needed to implement a function at the vehicle level. 

The ASIL is determined at this level and the safety goals and the functional safety requirements are defined from it. When the system-level product development phase begins, for each functional safety requirement, the technical safety requirements are derived with respect to the hardware/software components of the safety-related function.

Essentially, the safety goals start at the vehicle level and are mapped and refined during the development chain until the hardware failure metrics are defined and allocated to the various hardware subsystems. 

Safety mechanisms are the technical measures on a chip that detect and mitigate faults, or make the design tolerate or control them, so that the intended functionality is maintained. They are typically placed in a safety island with its own power and clock domain, so that a fault in the monitored logic cannot also disable the mechanism that is supposed to catch it.

Functional safety analysis is used to evaluate the safety level achieved by the product (e.g., an IP, an SoC). It comprises quantitative evaluations, such as FMEDA and timing analysis, and qualitative assessments, such as dependent failure analysis (DFA). FMEDA is a structured approach to define the failure modes, failure rate, and diagnostic capabilities of a hardware component. Based on the component functionality, the FMEDA hierarchy is structured in parts, subparts, elementary subparts (depending on the detail level), and failure modes. Each failure mode is categorized as to whether it affects the safety goal or not. For each failure mode defined and affecting safety goals, the basic inputs needed are: 

  • Failure rate (FR): The rate at which the component experiences faults, usually expressed in FIT (failures per 10^9 device-hours) 
  • Safety mechanism (SM): Whether there is a safety mechanism that can detect the failure mode 
  • Diagnostic coverage (DC): The fraction of the failure rate that the safety mechanism actually detects 

FMEDA can be used during the concept phase to analyze the hardware safety metrics. An architectural FMEDA can be used to create the technical safety concept of the SoC, providing early estimates of the safety of the design at the SoC level. Not only is this an ISO 26262 requirement, it also confirms that the safety measures built into a design are adequate to reach the desired ASIL. If they are not, the safety architecture can still be modified cheaply, because it is early in the design cycle. 
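To make the three inputs above concrete, here is a small FMEDA calculation in Python. It is an added illustration written for this page, not Midas Safety Platform code: the part hierarchy, failure-mode names, and FIT values are constructed for the example, and only the single-point fault metric (SPFM) is computed, using the ISO 26262-5 definition SPFM = 1 - (sum of single-point and residual failure rates) / (sum of safety-related failure rates). A failure mode with no safety mechanism contributes its whole failure rate as a single-point fault; one with a mechanism contributes the residual FR x (1 - DC). The what-if helper shows the early-architecture use case from the text: add a mechanism, recompute, and see which ASIL target the design now meets.

```python
"""FMEDA bookkeeping and single-point fault metric (SPFM) for a constructed
SoC hierarchy. Added illustration, not Cadence/Midas code."""
from __future__ import annotations

import copy
from dataclasses import dataclass, field
from typing import Optional

# SPFM targets from ISO 26262-5 (ASIL A has no quantitative SPFM target).
SPFM_TARGET = {"B": 0.90, "C": 0.97, "D": 0.99}


@dataclass
class FailureMode:
    name: str
    fit: float                        # failure rate in FIT (failures per 1e9 device-hours)
    safety_related: bool              # does it violate a safety goal if left undetected?
    safety_mechanism: Optional[str] = None
    diagnostic_coverage: float = 0.0  # fraction of this FR the SM detects (0..1)

    def __post_init__(self) -> None:
        # Reject inputs that would silently inflate the metric.
        if self.fit < 0:
            raise ValueError(f"{self.name}: negative failure rate")
        if not 0.0 <= self.diagnostic_coverage <= 1.0:
            raise ValueError(f"{self.name}: DC must be in [0, 1]")
        if self.safety_mechanism is None and self.diagnostic_coverage:
            raise ValueError(f"{self.name}: DC claimed without a safety mechanism")

    def unmitigated_fit(self) -> float:
        """Share of the failure rate that still violates the safety goal.

        No SM              -> whole FR is a single-point fault (lambda_SPF)
        SM with DC < 1     -> residual fault lambda_RF = FR * (1 - DC)
        Not safety related -> contributes nothing (safe fault)
        """
        if not self.safety_related:
            return 0.0
        if self.safety_mechanism is None:
            return self.fit
        return self.fit * (1.0 - self.diagnostic_coverage)


@dataclass
class Part:
    name: str
    failure_modes: list[FailureMode] = field(default_factory=list)


def spfm(parts: list[Part]) -> float:
    """SPFM = 1 - sum(lambda_SPF + lambda_RF) / sum(lambda of safety-related FMs)."""
    modes = [fm for p in parts for fm in p.failure_modes if fm.safety_related]
    total = sum(fm.fit for fm in modes)
    if total == 0.0:
        return 1.0  # nothing safety-related: metric is vacuously met
    return 1.0 - sum(fm.unmitigated_fit() for fm in modes) / total


def highest_asil_met(metric: float) -> Optional[str]:
    """Highest ASIL whose SPFM target the metric satisfies, or None."""
    met = [asil for asil, target in SPFM_TARGET.items() if metric >= target]
    return max(met) if met else None  # "D" > "C" > "B" lexically


def with_mechanism(parts, part_name, fm_name, mechanism, dc):
    """Copy of the hierarchy with an SM added to one failure mode (what-if analysis)."""
    new_parts = copy.deepcopy(parts)
    for p in new_parts:
        if p.name == part_name:
            for fm in p.failure_modes:
                if fm.name == fm_name:
                    fm.safety_mechanism, fm.diagnostic_coverage = mechanism, dc
                    return new_parts
    raise KeyError(f"{part_name}/{fm_name} not found")


# Constructed sample hierarchy (illustrative FIT values, not measured data).
SAMPLE_DESIGN = [
    Part("cpu_core", [
        FailureMode("datapath stuck-at", 10.0, True, "lockstep compare", 0.99),
        FailureMode("control decode error", 5.0, True),   # no SM: single-point fault
    ]),
    Part("sram", [
        FailureMode("bit flip", 20.0, True, "SECDED ECC", 0.99),
    ]),
    Part("debug_trace", [
        FailureMode("trace buffer overrun", 8.0, False),  # safe fault, no safety-goal impact
    ]),
]

if __name__ == "__main__":
    base = spfm(SAMPLE_DESIGN)
    print(f"baseline SPFM = {base:.4f}, meets ASIL {highest_asil_met(base)}")
    fixed = spfm(with_mechanism(SAMPLE_DESIGN, "cpu_core",
                                "control decode error", "decode parity", 0.90))
    print(f"with decode parity SPFM = {fixed:.4f}, meets ASIL {highest_asil_met(fixed)}")
```

On the constructed numbers, the one uncovered failure mode (5 FIT out of 35 FIT safety-related) dominates: the baseline SPFM is about 84.9%, short of even ASIL B, while a modest 90% DC mechanism on that mode lifts it to about 97.7%, which meets ASIL C but not D. This is the lever the architectural FMEDA gives you before RTL exists: coverage on the largest uncovered failure rate matters far more than pushing an already-covered mode from 99% to 99.9%. The latent-fault metric and PMHF need additional dual-point-fault classification and are not computed here.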

Based on the predicted failure rates, the risk of violating a safety goal can be quantified early in the design cycle and an appropriate safety architecture defined. Completing a design to functional safety standards while adhering to schedule constraints remains a challenging task. 

Midas Safety Platform 

The FMEDA-driven safety design and verification methodology from Cadence allows customers to ensure their automotive semiconductors meet rigorous safety standards while accelerating the ISO 26262 certification process. It uses defect-oriented tests to measure and maximize detection coverage. Because all Cadence flows are tightly connected to the Midas Safety Platform, a comprehensive FMEDA-based methodology runs from the architecture phase through IC implementation, accelerating safety design, verification, and implementation. 

The Midas Safety Platform helps set up an FMEDA-based safety analysis and guides the engineer through the key steps of the FMEDA process: configuration, analysis, validation, and results. The design hierarchy can be imported directly when the SoC design is available, and early-phase functional safety can be explored when native chip design data does not yet exist. One key advantage of the Midas Safety Platform over other commercially available FMEDA tools is its direct access to the IC design database of the Cadence IC design flows. IC design data such as gate, flop, or transistor counts, area, and the design hierarchy can be imported into the Midas Safety Platform for a more accurate and detailed safety analysis. To set up a safety verification plan in the Midas Safety Platform, the observation points, detection points, and test lists must be defined for every failure mode. The FMEDA-driven digital and analog/mixed-signal safety analysis and verification flows using the Midas Safety Platform are shown in the figure below. 

Conclusion 

The race to self-driving cars, and the corresponding growth in electronics content and complexity, has increased the pressure on semiconductor companies and tool providers to guarantee functional safety. Cadence's FMEDA-driven Midas Safety Platform allows customers to perform an early architectural FMEDA as well as: 

  • Incorporating analog and digital data, design parts, failure mode descriptions, and safety mechanisms 
  • Driving the fault campaign scope for both flows during safety verification 
  • Providing key information to configure the fault injection campaign in vManager Safety 
  • Automatically generating a detailed FMEDA report, including the hardware architectural metrics 

Learn More 

  • Cadence Functional Safety Solution 
  • Cadence Introduces Comprehensive Safety Solution for Faster Certification of Automotive and Industrial Designs 
  • “Holistic FMEDA-Driven Safety Design and Verification for Analog, Digital, and Mixed-Signal Design,” Cadence white paper, 2021 
  • “Automotive Functional Safety Using LBIST and Other Detection Methods,” Cadence white paper, 2019 
  • Schaldenbrand, Art, Walter Hartong, Amit Bajaj, Hany Elhak, and Vladimir Zivkovic, “Improving Test Coverage and Eliminating Test Escapes Using Analog Defect Analysis”, Cadence white paper, 2019 

 


CDNS - RequestDemo

Have a question? Need more information?

Contact Us

© 2025 Cadence Design Systems, Inc. All Rights Reserved.

  • Terms of Use
  • Privacy
  • Cookie Policy
  • US Trademarks
  • Do Not Sell or Share My Personal Information