Verifying a design for functional safety requirements for an IP or SoC per ISO 26262 is a complex process that can't be encapsulated in one tool. Process complexity depends on whether the Tier 1 or OEM is targeting safety level ASIL-A, B, C or D, where ASIL-D applies to anything truly safety-critical such as airbag controls or automatic braking and steering. A concern for any IP maker or SoC integrator is the implication of safety element out of context (SEooC) testing, which may impose additional requirements from higher levels in the integration chain. You also need to know that the tools used in your flow meet the appropriate tool confidence levels (TCL) to align with the target ASIL.
Figure 1: Synopsys Unified Functional Safety Verification Solution
Demonstrating and documenting compliance to the next level of integrators is what ISO 26262 compliance is all about, and why you need safety managers, processes, culture and systematic methods to generate supporting documentation for your integrator consumers. That documentation includes FMEA reports, which determine and justify where failures might occur so that safety mechanisms can be planned to mitigate those failures, and FMEDA reports, which demonstrate through simulated modeling of failures that those mechanisms deliver as expected. Integrators also want to see tool safety manuals and certifications. All of this is needed in support of the audits each member of the chain will run on its suppliers and that its consumers will run on it.
Anyone building IP or SoCs for modern automotive markets must invest significant resources and infrastructure to meet these needs. One way Synopsys aims to simplify and accelerate the task is by offering a unified functional safety verification solution. This includes more than I had expected, starting with a unified umbrella for fault campaign management. The tool that supports this step is the VC Functional Safety Manager, which triggered part of my surprise in that it starts with FMEA analysis. That step has historically been left to design teams to handle, since the questions it asks hover on the edge between design know-how/intent and design structure. You obviously can't automate all of this away, but it can be simplified through the ability to import baseline architectural information from spreadsheets, to specify failure modes and safety mechanisms, and to map all of this to a detailed FMEDA.
The manager provides preliminary coverage estimates, derived from estimated safety mechanism coverage per fault mode and initial ISO 26262 metrics, so you can guide design improvements (for example adding or changing safety mechanisms). Design details for these estimates are extracted from existing RTL/netlist data for the design.
The manager will also execute the fault campaign: generating tool setup, running the fault simulations, updating the ISO 26262 metrics and iterating as needed. Finally, the manager will export the FMEA and FMEDA documentation, per component and for the SoC as appropriate, in a form that can be handed off to assessors and consumers at the next level of integration.
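The ISO 26262 metrics the manager estimates and then refines from the fault campaign are, at the hardware-architecture level, the single-point fault metric (SPFM) and the latent fault metric (LFM), both computed from the FMEDA. The following is an added worked example, not Synopsys code and not taken from any real FMEDA: it computes SPFM and LFM with the ISO 26262-5 formulas from a constructed FMEDA table, checks them against the ISO 26262-5 targets per ASIL, ranks the elements whose residual faults most depress SPFM, and shows how strengthening two safety mechanisms moves the supported ASIL. The element names, FIT rates and coverage figures are constructed, and the example assumes (as a simplification) that every safety-related fault would violate the safety goal if its mechanism did not exist.

```python
"""
Added worked example (not Synopsys code): computing the ISO 26262-5
hardware architectural metrics SPFM and LFM from an FMEDA table, and
using them to rank which safety mechanisms to strengthen first.
The FMEDA rows are constructed sample data for a hypothetical subsystem.
Simplifying assumption: every safety-related fault would violate the
safety goal if its safety mechanism did not exist.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class FmedaRow:
    element: str
    fit: float             # base failure rate in FIT (failures per 1e9 hours)
    safety_related: float  # fraction of fit that can affect the safety goal
    dc_residual: float     # diagnostic coverage vs. single-point/residual faults
    dc_latent: float       # diagnostic coverage vs. latent multi-point faults

    @property
    def lam_sr(self) -> float:
        """Safety-related failure rate of this element."""
        return self.fit * self.safety_related

    @property
    def lam_rf(self) -> float:
        """Residual faults: safety-related faults the mechanism misses."""
        return self.lam_sr * (1.0 - self.dc_residual)

    @property
    def lam_mpf_latent(self) -> float:
        """Multi-point faults the latent-fault mechanism does not detect."""
        return (self.lam_sr - self.lam_rf) * (1.0 - self.dc_latent)


# ISO 26262-5 minimum SPFM and LFM per ASIL. ASIL A has no quantitative
# target, so it is the fallback when the ASIL B targets are not met.
TARGETS = {"D": (0.99, 0.90), "C": (0.97, 0.80), "B": (0.90, 0.60)}


def spfm(rows):
    """Single-point fault metric: 1 - sum(residual) / sum(safety-related)."""
    sr = [r for r in rows if r.safety_related > 0]
    return 1.0 - sum(r.lam_rf for r in sr) / sum(r.lam_sr for r in sr)


def lfm(rows):
    """Latent fault metric: 1 - sum(latent MPF) / sum(safety-related - residual)."""
    sr = [r for r in rows if r.safety_related > 0]
    denom = sum(r.lam_sr - r.lam_rf for r in sr)
    return 1.0 - sum(r.lam_mpf_latent for r in sr) / denom


def supported_asil(rows) -> str:
    """Highest ASIL whose SPFM and LFM targets the FMEDA meets."""
    s, l_ = spfm(rows), lfm(rows)
    for asil in ("D", "C", "B"):
        spfm_min, lfm_min = TARGETS[asil]
        if s >= spfm_min and l_ >= lfm_min:
            return asil
    return "A"


def worst_residual_contributors(rows, n=2):
    """Elements whose residual-fault rate most depresses SPFM."""
    ranked = sorted(rows, key=lambda r: r.lam_rf, reverse=True)
    return [r.element for r in ranked[:n]]


def improve_mechanism(rows, element, dc_residual, dc_latent):
    """Return a new FMEDA with a stronger safety mechanism on one element."""
    return [replace(r, dc_residual=dc_residual, dc_latent=dc_latent)
            if r.element == element else r for r in rows]


# Constructed FMEDA rows; names and rates are hypothetical.
SAMPLE_FMEDA = [
    FmedaRow("cpu_core",   100.0, 1.0, 0.99, 0.90),   # lockstep + periodic self-test
    FmedaRow("sram_ecc",    50.0, 1.0, 0.99, 0.90),   # ECC with scrub/monitor
    FmedaRow("bus_fabric",  20.0, 1.0, 0.90, 0.60),   # parity only
    FmedaRow("pll",         20.0, 0.5, 0.60, 0.00),   # coarse clock monitor, no latent check
    FmedaRow("debug_port",  10.0, 0.0, 0.00, 0.00),   # not safety-related
]

if __name__ == "__main__":
    print(f"SPFM={spfm(SAMPLE_FMEDA):.4f} LFM={lfm(SAMPLE_FMEDA):.4f} "
          f"-> ASIL {supported_asil(SAMPLE_FMEDA)}")
    print("fix first:", worst_residual_contributors(SAMPLE_FMEDA))
    better = improve_mechanism(SAMPLE_FMEDA, "bus_fabric", 0.99, 0.90)
    better = improve_mechanism(better, "pll", 0.95, 0.60)
    print(f"after: SPFM={spfm(better):.4f} LFM={lfm(better):.4f} "
          f"-> ASIL {supported_asil(better)}")
```

With the sample rows the baseline reaches SPFM of about 95.8% and LFM of about 83.7%, which satisfies the ASIL B targets but misses the 97% SPFM needed for ASIL C; the ranking points at the PLL monitor and the bus fabric parity as the mechanisms to improve, and after those two changes the same table supports ASIL C. In a real flow the diagnostic coverage values are not hand-entered estimates but come back from the fault campaign, which is exactly the iteration the text describes.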
A lot of tools run under the manager. These include TestMAX FuSa (functional safety), a fast static analysis (interestingly, based on SpyGlass) that calculates early single-point fault metrics and provides information on how to improve these grades. For analog circuitry, TestMAX Custom Fault analyzes analog/AMS designs for functional safety and coverage. For digital circuitry, the Z01X fault simulator runs concurrent fault simulations in support of the fault campaign, and the VC Formal app complements this by classifying faults according to controllability and observability, reducing simulation cycles (why check a fault if you can't observe its consequences?). ZeBu emulation enables longer run-time analyses. Certitude can also be used to test process robustness against systematic faults, a nice way to add certainty to the completeness of the analysis.
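To make the controllability/observability point concrete, here is an added example that is not Synopsys code and does not reproduce what VC Formal does: a purely structural pruning of a stuck-at fault list over a small constructed gate-level netlist. A fault on a net with no structural path to an observation point can never be seen by the testbench, and a stuck-at value equal to a constant the net already carries can never be activated, so both can be dropped from the simulation list before a single cycle is spent. The netlist, gate types and observation point are all constructed for the example.

```python
"""
Added example (not Synopsys code and not VC Formal): structural pruning of
a stuck-at fault list before fault simulation, in the spirit of classifying
faults by observability and controllability. A fault on a net with no
structural path to an observation point can never be observed, and a
stuck-at value equal to a constant the net already carries can never be
activated, so neither deserves simulation cycles. The netlist is constructed.
"""
from collections import defaultdict

# Constructed gate-level netlist: (output_net, gate_type, input_nets).
# a, b, c, en are primary inputs; const0 is tied low.
NETLIST = [
    ("n1",  "AND", ["a", "b"]),
    ("n2",  "OR",  ["n1", "c"]),
    ("n3",  "AND", ["n2", "const0"]),  # always 0: gated by the tie-off
    ("n4",  "OR",  ["n3", "en"]),
    ("out", "XOR", ["n2", "n4"]),
    ("dbg", "NOT", ["n1"]),            # feeds no observation point
]
OBSERVE = {"out"}        # safety-relevant outputs checked by the testbench
CONSTANTS = {"const0": 0}


def eval_gate(gtype, vals):
    """Three-valued gate evaluation; None means unknown."""
    if gtype == "AND":
        return 0 if 0 in vals else (1 if all(v == 1 for v in vals) else None)
    if gtype == "OR":
        return 1 if 1 in vals else (0 if all(v == 0 for v in vals) else None)
    if gtype == "NOT":
        return None if vals[0] is None else 1 - vals[0]
    if gtype == "XOR":
        return None if None in vals else vals[0] ^ vals[1]
    raise ValueError(f"unknown gate {gtype}")


def constant_nets(netlist, constants):
    """Propagate tie-offs through controlling values to find constant nets."""
    known = dict(constants)
    changed = True
    while changed:
        changed = False
        for out, gtype, ins in netlist:
            if out in known:
                continue
            v = eval_gate(gtype, [known.get(i) for i in ins])
            if v is not None:
                known[out] = v
                changed = True
    return known


def observable_nets(netlist, observe):
    """Nets in the fan-in cone of some observation point."""
    fanin = {out: ins for out, _, ins in netlist}
    obs, stack = set(), list(observe)
    while stack:
        net = stack.pop()
        if net in obs:
            continue
        obs.add(net)
        stack.extend(fanin.get(net, []))
    return obs


def classify_faults(netlist, observe, constants):
    """Map each (net, stuck_at) fault to 'unobservable', 'uncontrollable' or 'simulate'."""
    nets = {n for out, _, ins in netlist for n in [out, *ins]}
    obs = observable_nets(netlist, observe)
    const = constant_nets(netlist, constants)
    result = {}
    for net in sorted(nets):
        for sa in (0, 1):
            if net not in obs:
                result[(net, sa)] = "unobservable"
            elif const.get(net) == sa:
                result[(net, sa)] = "uncontrollable"
            else:
                result[(net, sa)] = "simulate"
    return result


def summary(classified):
    """Count faults per classification."""
    counts = defaultdict(int)
    for status in classified.values():
        counts[status] += 1
    return dict(counts)


if __name__ == "__main__":
    faults = classify_faults(NETLIST, OBSERVE, CONSTANTS)
    for (net, sa), status in faults.items():
        print(f"{net}/SA{sa}: {status}")
    print(summary(faults))
```

Of the 22 stuck-at faults on this netlist, the two on the unobserved debug net and the two stuck-at-0 faults on nets that are already constant 0 are dropped, leaving 18 to simulate. This is deliberately an over-approximation: a fault inside the observable cone may still be functionally masked, which a formal tool can prove from the actual logic and sequential behaviour; that is why the text describes the formal app as a complement that trims the simulator's workload rather than a replacement for the fault campaign.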
Amid all the significant overhead in instrumenting and demonstrating compliance, especially to the expectations for autonomous and semi-autonomous vehicles (ASIL-D), I can definitely see value in this level of integration, automation and pushbutton generation of audit deliverables. Integrators have fewer things to worry about in their own compliance activities. You can learn more about the Synopsys safety verification flow HERE.