Advanced driver-assistance systems and autonomous drive technologies increase the complexity of automotive integrated circuits (ICs), making it harder to ensure that ICs are protected from random hardware faults. Safety mechanisms must be inserted to detect and control these unpredictable functional failures, and ISO 26262 requires that the effectiveness of every safety mechanism be proven.

Figure: Functional safety random fault workflow comparison.

Due to this increasing complexity, the traditional, manual, top-down safety analysis approach has become unmanageable and error-prone. Incorporating an automated, bottom-up safety analysis methodology reduces human error and eliminates time-wasting iterations in the random fault workflow.

The goal of safety analysis is to fully understand the susceptibility of the design to random hardware failures as well as the steps that must be taken to achieve the desired safety metrics, defined by the higher-level Automotive Safety Integrity Level (ASIL) target.

Several analytic techniques are deployed to determine design safety relative to the target safety metrics. Structural analysis is a proven method for calculating and validating the failures in time (FIT) estimate made during the creation of a Failure Modes, Effects, and Diagnostic Analysis (FMEDA). Cone of influence analysis, combined with structural analysis, gives visibility into the design structures that are already protected by existing safety mechanisms. Through structural and cone of influence analyses, the effectiveness of the safety mechanisms in catching random hardware faults is quantified and an estimated diagnostic coverage (DC) is obtained. Together, the FIT and DC estimates serve both as an FMEDA gap analysis and as a validation of the initial expert-driven analysis.

FMEDA gap analysis is an important checkpoint, as it provides feedback early in the design cycle — avoiding the costly discovery after completing safety verification that there is insufficient fault mitigation. In addition to gap analysis, structural analysis details the FIT contribution of each elementary design structure.

When structural analysis reveals gaps in safety coverage, the elementary FIT data highlights and prioritizes the design structures that require additional safety enhancement. Using this information, safety architects can explore enhancement options to achieve the desired safety target while taking power and area requirements into account. For example, a safety architect can estimate the impact of adding error correcting code (ECC) to a memory, review the overall improvement in diagnostic coverage, and determine whether the proposed set of safety mechanisms meets the safety target.
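The following Python script is an added worked example of the gap analysis and "what if" exploration described above; it is not Mentor's tool output or code. It models each elementary design structure with a base FIT and the DC of the mechanism guarding it, derives the ISO 26262-5 single-point fault metric (SPFM) and latent fault metric (LFM) with the simplified formulas SPFM = 1 - sum(residual FIT) / sum(FIT) and LFM = 1 - sum(latent FIT) / sum(FIT - residual FIT), ranks blocks by residual FIT to prioritize enhancement, and then re-evaluates the design after adding ECC to the memory. The block list, every FIT and DC value, and the ECC coverage figures are constructed assumptions for illustration.

```python
from dataclasses import dataclass, replace

# ISO 26262-5 minimum SPFM and LFM per ASIL (ASIL A has no numeric target).
ASIL_TARGETS = {"B": (0.90, 0.60), "C": (0.97, 0.80), "D": (0.99, 0.90)}


@dataclass(frozen=True)
class Block:
    """One elementary design structure as reported by structural analysis."""
    name: str
    fit: float        # base failure rate in FIT (failures per 1e9 hours)
    dc: float         # diagnostic coverage of the safety mechanism guarding it
    latent_dc: float  # coverage of the latent-fault test for that mechanism

    @property
    def residual_fit(self) -> float:
        # Faults the safety mechanism misses: the single-point/residual share.
        return self.fit * (1.0 - self.dc)

    @property
    def latent_fit(self) -> float:
        # Faults the mechanism controls but that are never detected or
        # perceived (simplified latent multi-point model, an assumption here).
        return self.fit * self.dc * (1.0 - self.latent_dc)


def hardware_metrics(blocks):
    """Return (SPFM, LFM) for a list of blocks."""
    total = sum(b.fit for b in blocks)
    residual = sum(b.residual_fit for b in blocks)
    latent = sum(b.latent_fit for b in blocks)
    spfm = 1.0 - residual / total
    multipoint = total - residual
    lfm = 1.0 - latent / multipoint if multipoint > 0 else 1.0
    return spfm, lfm


def meets_asil(blocks, asil):
    """True when both metrics reach the ASIL target."""
    spfm, lfm = hardware_metrics(blocks)
    spfm_min, lfm_min = ASIL_TARGETS[asil]
    return spfm >= spfm_min and lfm >= lfm_min


def gap_ranking(blocks):
    """Blocks ordered by residual FIT: where added safety pays off first."""
    return sorted(blocks, key=lambda b: b.residual_fit, reverse=True)


def add_ecc(block, dc=0.999, latent_dc=0.90):
    """Model adding SECDED ECC to a memory. The DC and latent-DC values are
    illustrative assumptions, not measured coverage."""
    return replace(block, dc=dc, latent_dc=latent_dc)


# Constructed FIT/DC table for a small SoC; all numbers are illustrative.
BASELINE = [
    Block("cpu_lockstep", fit=40.0, dc=0.99, latent_dc=0.95),  # dual-core compare
    Block("data_ram", fit=50.0, dc=0.0, latent_dc=0.0),        # unprotected
    Block("interconnect", fit=10.0, dc=0.99, latent_dc=0.95),  # end-to-end CRC
]

# Exploration step: protect the memory that tops the gap ranking with ECC.
WITH_ECC = [add_ecc(b) if b.name == "data_ram" else b for b in BASELINE]


if __name__ == "__main__":
    print("priority:", [b.name for b in gap_ranking(BASELINE)])
    for label, design in (("baseline", BASELINE), ("with ECC", WITH_ECC)):
        spfm, lfm = hardware_metrics(design)
        verdict = "met" if meets_asil(design, "D") else "NOT met"
        print(f"{label:9s} SPFM={spfm:.4f} LFM={lfm:.4f} ASIL D {verdict}")
```

With these numbers the baseline already satisfies the LFM target but fails SPFM badly (about 0.495) because the unprotected RAM dominates residual FIT; adding ECC lifts SPFM above 0.99 while LFM stays above 0.90, so the proposed mechanism set clears ASIL D before any fault injection is run.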

This exploration of options gives confidence that the proposed safety mechanisms will achieve the ASIL target once the random fault workflow has completed, avoiding iterations through the remaining two phases (safety insertion and safety verification). Lastly, structural analysis generates the fault list used during safety verification.

Once the fault list is generated, a series of fault optimization techniques reduces it to a minimal problem set. The first optimization identifies the logic contained within the safety-critical cone of influence, eliminating faults on logic that cannot affect the safety goals. Using the same structural analysis algorithms deployed during safety analysis, the fault list is further optimized with safety mechanism-aware analysis, trimming it to only those faults that a safety mechanism can observe and that therefore contribute directly to diagnostic coverage. Lastly, fault collapsing removes logically equivalent faults.
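The three optimizations above, applied to a constructed gate-level netlist, as an added Python example that is not Mentor's code. It builds the single stuck-at fault list for every net, keeps only faults inside the cone of influence of the safety-critical outputs, then keeps only faults inside the observation cone of the safety mechanism (faults a mechanism can never see are residual by construction and need no simulation), and finally collapses equivalent faults with the standard gate rules (input stuck-at-0 of an AND equals output stuck-at-0, and so on), refusing to collapse across a net with fanout because a stem fault is not equivalent to a single branch fault. The netlist, the output names, and the choice of which output the safety mechanism observes are all assumptions.

```python
from collections import defaultdict
from itertools import product

# Constructed netlist: net -> (gate type, input nets). Primary inputs are
# not keys. Each net has exactly one driver.
NETLIST = {
    "n1": ("AND", ["a", "b"]),
    "n2": ("NOR", ["c", "d"]),
    "n3": ("NOT", ["n1"]),
    "out": ("XOR", ["n3", "n2"]),   # safety-critical output
    "en": ("NAND", ["d", "e"]),     # safety-critical output
    "dbg": ("BUF", ["e"]),          # debug output, not safety related
}
SAFETY_OUTPUTS = ["out", "en"]
SM_OBSERVED = ["out"]   # e.g. a lockstep comparator watches 'out' only

# Stuck-at equivalences per gate: input stuck value -> output stuck value.
# XOR has none.
EQUIV = {"AND": {0: 0}, "OR": {1: 1}, "NAND": {0: 1}, "NOR": {1: 0},
         "NOT": {0: 1, 1: 0}, "BUF": {0: 0, 1: 1}}


def all_nets(netlist):
    nets = set(netlist)
    for _, ins in netlist.values():
        nets.update(ins)
    return nets


def cone_of_influence(netlist, sinks):
    """Backward reachability: every net that can affect any sink."""
    seen, stack = set(), list(sinks)
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        if n in netlist:
            stack.extend(netlist[n][1])
    return seen


def stuck_at_faults(nets):
    """One stuck-at-0 and one stuck-at-1 fault per net."""
    return {(n, v) for n, v in product(sorted(nets), (0, 1))}


def fanout(netlist):
    fo = defaultdict(int)
    for _, ins in netlist.values():
        for i in ins:
            fo[i] += 1
    return fo


def collapse(netlist, faults):
    """Union-find over equivalent faults; return one representative each.
    Fanout is counted over the whole netlist, which is conservative."""
    parent = {f: f for f in faults}

    def find(f):
        while parent[f] != f:
            parent[f] = parent[parent[f]]
            f = parent[f]
        return f

    fo = fanout(netlist)
    for out, (gtype, ins) in netlist.items():
        for i in ins:
            if fo[i] != 1:          # stem fault != branch fault: keep both
                continue
            for iv, ov in EQUIV.get(gtype, {}).items():
                if (i, iv) in parent and (out, ov) in parent:
                    parent[find((i, iv))] = find((out, ov))
    return {find(f) for f in faults}


def optimize_fault_list(netlist, safety_outputs, sm_observed):
    """Run the three optimizations and return every stage for reporting."""
    full = stuck_at_faults(all_nets(netlist))
    safety_coi = cone_of_influence(netlist, safety_outputs)
    in_coi = {f for f in full if f[0] in safety_coi}
    sm_coi = cone_of_influence(netlist, sm_observed)
    observable = {f for f in in_coi if f[0] in sm_coi}
    static_residual = in_coi - observable   # no mechanism can ever detect these
    return {"all": full, "in_coi": in_coi, "observable": observable,
            "static_residual": static_residual,
            "collapsed": collapse(netlist, observable)}


if __name__ == "__main__":
    stages = optimize_fault_list(NETLIST, SAFETY_OUTPUTS, SM_OBSERVED)
    for name in ("all", "in_coi", "observable", "collapsed"):
        print(f"{name:10s} {len(stages[name]):3d} faults")
    print("residual without simulation:", sorted(stages["static_residual"]))
```

On this netlist the list shrinks from 22 faults to 20 (the debug buffer leaves the cone), to 16 (faults on `e` and `en` can never reach the comparator and are booked as residual without simulation), to 11 after collapsing. Note that `d` feeds both the NOR and the NAND, so its faults are kept separate from the gate-output faults even though the NOR and NAND rules would otherwise apply.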

The outcome of safety exploration is a clear understanding of both the design enhancements required to meet safety goals and the scope of the fault campaign to prove design safety. Bottom-up safety analysis is important in reducing the number of iterations throughout the random fault workflow. In addition to validating expert-driven judgment, it provides critical guidance during design enhancement and fault verification. Automating the random fault workflow delivers a seamless and efficient approach to random fault mitigation and verification.

This article was contributed by Jacob Wiltgen, Functional Safety Solutions Manager, for Mentor, A Siemens Business.