( ESNUG 572 Item 1 ) -------------------------------------------- [05/30/17]

Subject: Jim Hogan on how Safety Critical Verification is Next Big Thing

When a safety critical chip is in the field, it must be "fail-safe", meaning it can recover in real-time from an operating condition failure; such as a single memory bit flip due to electromagnetic interference.

From: [ Jim Hogan of Vista Ventures LLC ]

Hi, John,

Since DAC'17 is only 3 weeks away, I thought I'd expand on my past DeepChip
series related to verification [Formal, COVE, Emulation], and on my comment
last year about safety critical chips -- by doing a very detailed look at
what I call "Safety Critical Verification (SCV)" -- as I believe it will be
a driving force in verification methods moving forward.

        ----    ----    ----    ----    ----    ----    ----

IT'S ALL ABOUT COMPLIANCE

Safety critical verification is compliance-driven.  It has neutral outside
UN-like sanctioning bodies that govern this compliance -- with very strict
and very specific regulations for each industry.
Although safety critical chip design appears to be a different animal when
you look at it across different industries, one way to think of it is:

  "A system whose failure or malfunction may result in personal injury,
   severe damage to equipment or property, or environmental harm."

The traditional place where safety critical chip design is done has
historically been for chips in nuclear power station instrumentation,
defense hardware, medical -- and even in industrial settings where a
malfunctioning factory robot could hurt workers.  And it also now
includes chips for cars, planes, and trains.  

An engineer working in any of these safety critical spaces needs to 
understand the requirements that will be enforced.

        ----    ----    ----    ----    ----    ----    ----

TO GET RELIABILITY

Safety critical devices must be extremely reliable.  It is worth reviewing
the principles of reliability metrics for a device where the serviceable
life is measured in decades.  If you sample a high number of electronic
devices and look at the length of time in operation before they fail, you
end up with a "bathtub" curve, with its central point referred to as the
mean time before failure (MTBF).

With safety critical design, you must ensure your chip is compliant during
its entire useful life -- the bottom of the bathtub -- and then, when it goes
into its "wear-out" phase, the chip fails gracefully (safely).

The two common safety critical verification methods, fault simulation and
formal fault injection, improve reliability during the engineering phase.
Additionally, during the manufacturing phase chip houses sometimes perform
device "burn-in" for 10 to 20 hours, plus extensive yield binning, to catch
those ICs which fail during initial operation, the "infancy period".
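As an added illustration (this is not code from Jim's letter or from any vendor), the script below builds a constructed population of device failure times, measures the empirical hazard rate per time window (the shape this traces is the bathtub curve), computes the sample MTBF, and shows how a 20-hour burn-in screens out most infancy failures. The population mix, the phase boundaries and the window edges are assumptions chosen for the illustration.

```python
"""Empirical hazard rate ("bathtub curve"), MTBF and burn-in screening
from a sample of device failure times.

Added example, not from the ESNUG item.  The failure-time population is
constructed (seeded pseudo-random) and the phase boundaries are assumed."""
import random

HOURS_INFANCY = 50.0        # assumed end of the "infancy period"
HOURS_WEAR_OUT = 70000.0    # assumed start of the wear-out phase


def sample_failure_times(n=2000, seed=7):
    """Constructed population: 5% infant failures, 80% random failures
    spread over the useful life, 15% wear-out failures clustered late."""
    rng = random.Random(seed)
    times = []
    for _ in range(n):
        u = rng.random()
        if u < 0.05:
            t = rng.expovariate(1 / 10.0)        # infancy: mean 10 h
        elif u < 0.85:
            t = rng.expovariate(1 / 50000.0)     # useful life: mean 50,000 h
        else:
            t = rng.gauss(80000.0, 3000.0)       # wear-out: around 80,000 h
        times.append(max(t, 0.0))
    return times


def mtbf(times):
    """Mean time before failure of the sampled population, in hours."""
    return sum(times) / len(times)


def hazard_rate(times, t0, t1):
    """Failures per surviving unit per hour over the window [t0, t1).
    Evaluated window by window along the time axis, this is the quantity
    whose plot is the bathtub curve."""
    at_risk = sum(1 for t in times if t >= t0)
    failed = sum(1 for t in times if t0 <= t < t1)
    return failed / at_risk / (t1 - t0) if at_risk else 0.0


def bathtub(times, edges):
    """Hazard rate for each consecutive window defined by `edges`."""
    return [(edges[i], edges[i + 1], hazard_rate(times, edges[i], edges[i + 1]))
            for i in range(len(edges) - 1)]


def burn_in(times, hours):
    """Screen out units that fail during a burn-in of `hours`.
    Returns the survivors' remaining lifetimes and the fraction screened."""
    survivors = [t - hours for t in times if t >= hours]
    return survivors, 1.0 - len(survivors) / len(times)


if __name__ == "__main__":
    population = sample_failure_times()
    edges = [0.0, HOURS_INFANCY, 5000.0, 20000.0, HOURS_WEAR_OUT, 90000.0, 250000.0]
    print(f"MTBF of sample: {mtbf(population):.0f} h")
    for t0, t1, h in bathtub(population, edges):
        print(f"  [{t0:>9.0f}, {t1:>9.0f}) h  hazard = {h:.2e} /h")
    survivors, screened = burn_in(population, 20.0)
    print(f"20 h burn-in screened {screened:.1%} of units; "
          f"remaining infancy hazard = {hazard_rate(survivors, 0.0, HOURS_INFANCY):.2e} /h")
```

The three hazard-rate regimes the letter describes show up directly in the printed windows: high in the first window, low and flat through the useful life, rising again past the assumed wear-out boundary. The burn-in step is the manufacturing-phase screening the letter mentions; it removes units whose failure falls inside the burn-in window, so the hazard seen by the customer in the first 50 hours drops sharply.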

There are also applications which require high reliability that may not be
safety critical, such as chips for satellites, or base stations for mobile
phones, which are placed in locations that can be difficult, and expensive,
to get to for repair if they're broken.  Additionally, some safety critical
chips are also quite hard to access, such as heart pacemakers.

Consumer electronic devices have a much shorter serviceable life than, say,
a nuclear reactor might.  Even so, these consumer devices must be reliable
during their serviceable life.
 
    - Television is a good example of this (50,000+ hours)
    - Cars (10 years or 200,000 miles).  
    - Laptops (4 years)
    - phones as well (2-3 years)

... or any other device with a microprocessor in it. 


WHY SHOULD I CARE?

Some of you may think "well, I don't do safety critical designs right now",
but in the not-too-distant future, you will be.  It will be yet another spec
you will design against -- like power, area, clock frequency, latency, etc.
... which will make your chip verification much more painful.  Some of you
won't be doing safety critical; instead you'll be doing high reliability,
which is pretty much the same thing.

Safety standard practices are all about having a rigorous process for chip
design and chip verification.

        ----    ----    ----    ----    ----    ----    ----
 
THE INTERNATIONAL ELECTRONICS CONSORTIUM (IEC)

The International Electronics Consortium (IEC) is the world organization
which creates most of the individual regulations that ensure safety critical
standards are met.  Coming up with these regulations is a difficult,
complex, expensive, time-consuming, and slow moving business.  One upside
is these regs tend not to change for decades, making it a positive for chip
houses that once they meet the regs, they tend to stay met for a long time
afterwards.  The IEC's overarching safety standard is IEC 61508.  Some
specific standards are:

    - ISO 26262 for automotive devices 

    - IEC 61513 for nuclear power instrumentation

Interestingly, the US DO-254 reliability standard for aeronautical devices
is not based on IEC 61508.

Different countries enforce standards differently.  For example, in the US:

    - The FTA enforces the DO-254 standard for aircraft 

    - The DMV enforces the automotive regulation ISO 26262 -- on a
      state-by-state basis.

        ----    ----    ----    ----    ----    ----    ----

AUTOMOTIVE & ISO 26262

While all these applications are important, I will focus the rest of this
post on ISO 26262 and automotive chips.

Car manufacturers must differentiate -- it's the only way they can win in
such a competitive world market.  For chip designers, it's a fast changing
space with lots of moving parts.

Many car components such as: brakes, engine management, suspension, and 
steering each have integrated micro-controllers.  Additionally, there are
electronic systems which control the way the car is driven, like:

    - Self-parking 

    - Adaptive cruise control which speeds up and slows down the
      car if it sees another car ahead

    - Systems for automatically braking the car when it encounters
      an obstruction

    - Airbag controllers that sense a crash and inflate the airbags

And even fully autonomous self-driving cars aren't far off in the future.

Fundamentally, all electronics in an automobile are governed by the same
regulation: ISO 26262.  This includes electronic systems that may not
directly impact safety -- for example navigation and audio systems (such
as Toyota Entune, BMW iDrive, NissanConnect...).

        ----    ----    ----    ----    ----    ----    ----

RANKINGS FROM ASIL "A" TO ASIL "D"

Safety critical devices are classified according to an Automotive Safety
Integrity Level (ASIL).  ASIL has a range, running from "A", for devices 
that aren't particularly dangerous, to "D", where it's extremely important
that the device itself operates correctly, such as the brakes or an airbag.  

For an ASIL D, the single point fault coverage metric is 99 percent.  For 
the remaining 1%, the engineers must prove that it won't cause a problem.

These coverage tests must be run at the gate-level.  Although engineers also
run RTL level tests to ensure that their mechanisms are working properly,
the final report is based on the final, gate-level version of the chip.
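To make the 99 percent figure concrete, here is an added example (mine, not from Jim's letter or from any ISO 26262 tool) that applies the single-point fault metric (SPFM) and latent fault metric (LFM) formulas of ISO 26262-5 to a constructed fault-injection campaign result: every injected fault has been classified as safe, detected, residual, single-point or latent, and each class carries its share of the element's failure rate in FIT. The element names and FIT values are invented for the illustration, and the per-ASIL targets other than the 99% SPFM for ASIL D quoted above are my reading of the standard, not something the letter states.

```python
"""ISO 26262 hardware architectural metrics from a fault-injection campaign.

Added example, not part of the ESNUG item.  Formulas follow ISO 26262-5:
  SPFM = 1 - sum(lambda_SPF + lambda_RF) / sum(lambda)
  LFM  = 1 - sum(lambda_MPF,latent) / sum(lambda - lambda_SPF - lambda_RF)
The fault records, element names and FIT values are constructed; only the
ASIL D SPFM target of 99% comes from the text, the other targets are assumed."""
from dataclasses import dataclass
from enum import Enum


class FaultClass(Enum):
    SAFE = "safe"              # cannot violate the safety goal
    DETECTED = "detected"      # a safety mechanism (ECC, lockstep, parity...) catches it
    RESIDUAL = "residual"      # a mechanism exists for the element but misses this fault
    SINGLE_POINT = "spf"       # the element has no safety mechanism at all
    LATENT = "latent"          # multi-point fault that no mechanism or test reveals


@dataclass(frozen=True)
class FaultRecord:
    element: str          # gate-level block the faults were injected into
    fit: float            # failure-rate share assigned to this class, in FIT (1e-9 / h)
    cls: FaultClass


# Constructed campaign result for a hypothetical ASIL D CPU/memory subsystem.
CAMPAIGN = [
    FaultRecord("sram_data_array",     400.0, FaultClass.DETECTED),      # ECC flags it
    FaultRecord("sram_addr_decoder",    50.0, FaultClass.DETECTED),
    FaultRecord("cpu_core",            300.0, FaultClass.DETECTED),      # lockstep compare
    FaultRecord("cpu_core",              5.0, FaultClass.RESIDUAL),      # escapes the compare window
    FaultRecord("debug_port",          100.0, FaultClass.SAFE),          # never reaches a safety output
    FaultRecord("reset_synchronizer",    3.0, FaultClass.SINGLE_POINT),  # nothing monitors it
    FaultRecord("ecc_checker",          30.0, FaultClass.LATENT),        # the checker itself is unmonitored
    FaultRecord("watchdog_timer",       50.0, FaultClass.DETECTED),
    FaultRecord("io_config_regs",       42.0, FaultClass.DETECTED),
    FaultRecord("bus_parity",           20.0, FaultClass.DETECTED),
]

# (SPFM, LFM) targets per ASIL.  Assumed from ISO 26262-5 except the ASIL D SPFM.
TARGETS = {"B": (0.90, 0.60), "C": (0.97, 0.80), "D": (0.99, 0.90)}

VIOLATING = (FaultClass.SINGLE_POINT, FaultClass.RESIDUAL)


def total_fit(records):
    return sum(r.fit for r in records)


def spfm(records):
    """Fraction of the failure rate that cannot directly violate the safety goal."""
    violating = sum(r.fit for r in records if r.cls in VIOLATING)
    return 1.0 - violating / total_fit(records)


def lfm(records):
    """Fraction of the non-violating failure rate that is not latent."""
    latent = sum(r.fit for r in records if r.cls is FaultClass.LATENT)
    not_violating = sum(r.fit for r in records if r.cls not in VIOLATING)
    return 1.0 - latent / not_violating


def assess(records, asil):
    """Return (spfm, lfm, meets_both_targets) for the requested ASIL."""
    s, l = spfm(records), lfm(records)
    s_target, l_target = TARGETS[asil]
    return s, l, (s >= s_target and l >= l_target)


def uncovered_faults(records):
    """The residual and single-point faults making up the remaining share of
    SPFM: the ones engineers still have to prove cannot cause a problem,
    largest failure-rate share first."""
    return sorted((r for r in records if r.cls in VIOLATING),
                  key=lambda r: r.fit, reverse=True)


if __name__ == "__main__":
    s, l, ok = assess(CAMPAIGN, "D")
    print(f"SPFM = {s:.2%}  LFM = {l:.2%}  ASIL D targets met: {ok}")
    for r in uncovered_faults(CAMPAIGN):
        print(f"  uncovered: {r.element:20s} {r.fit:6.1f} FIT ({r.cls.value})")
```

Note that safe faults stay in the SPFM denominator, so a block that can never reach a safety-relevant output still counts toward the total failure rate; that is why the 99 percent is stated against the whole element, not only against the faults a mechanism was designed to catch. Adding a few FIT of uncovered single-point faults to this campaign is enough to drop it below the ASIL D target while still clearing ASIL C, which is the situation the remaining-1-percent argument has to address.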

Any talk of automotive chip design always involves ISO 26262 and its
specific ASIL ranking...

    - Jim Hogan
      Vista Ventures LLC, OneSpin BoD            Los Gatos, CA

        ----    ----    ----    ----    ----    ----    ----

Related Articles

    Jim Hogan on how Safety Critical Verification is Next Big Thing
    Jim Hogan on ISO 26262 certification and systematic verification
    Jim Hogan on using Formal along with random fault verification
    Jim Hogan rates all the EDA vendors on Safety Critical IC design

Copyright 1991-2025 John Cooley.  All Rights Reserved.