Posted by Sai Karthik Madabhushi on January 21, 2020
It was a beautiful sunny day and traffic on the M40 was light, making it a wonderful drive to the Wirral. My wife was browsing on Spotify, I was busy changing lanes and a call came through. As my wife took the call, the display on my car flickered and then froze! I soon realised that every electrical system except the accelerator and the brakes had failed. At 70 mph on the motorway a cold sweat of fear and panic gripped me as I changed lanes cautiously and nursed the car another ten miles to the nearest service station. True story! Thankfully nothing untoward happened in the end. The car returned to normal after we did a “reboot” of the car’s operating system.
This incident highlights the need for exhaustive verification of complex automotive systems, including both hardware and software. Cars these days are packed with more computing power than some supercomputers had a few decades ago. On-board computers make decisions every single second: acceleration, braking, changing lanes and many more. These decisions often determine whether you make it to your destination or not. Until recently, exhaustive verification has been a stretch goal: teams do the best they can until tape-out, and some do better than others. That is not an option in a world of cars that drive themselves at the touch of a button, and that is why functional safety verification for automotive designs is one of the most talked-about subjects today.
Functional safety is defined by ISO 26262 as the absence of unreasonable risk due to hazards caused by malfunctioning behaviour of electrical and electronic systems. That means potentially dangerous conditions are detected, and preventative or corrective mechanisms are activated to stop or mitigate the hazardous event. For SoCs, this typically means we need to ensure security, functional safety, reliability and compliance as part of the design and verification process.
At Synopsys we have a unified solution that uses technologies such as simulation, formal, emulation and analog mixed-signal verification to confirm the quality of safety mechanisms according to the FMEA (Failure Mode Effect Analysis) plan.
The FMEA lists the ways in which the device can fail and analyses the effect of each failure. It also identifies the safety mechanism in place to handle each of these faults. The figure below gives a complete overview of the fault campaign flow, from FMEA definition through to diagnostic coverage calculation.
The objective of a fault campaign (fault classification) is to ensure that safety mechanisms always trigger in the presence of faulty behaviour. It measures the percentage of faults that can be detected by the safety mechanisms in place. The fault details for the device are derived from the FMEA. Conventionally, fault classification is done through fault simulation (Z01X), but it can also be done through formal verification.
The VC Formal FuSa App is part of the VC Formal platform and is designed to accelerate fault analysis. VC Formal takes a set of faults as input in the standard fault format (SFF), which is compatible with Z01X. It performs three key steps: structural observability, formal controllability and formal observability. Together these identify the safe faults in the design, which can be saved into a standard fault database as shown below:
Formal can also be used in conjunction with simulation. There will always be faults that simulation has a hard time conclusively classifying as observable or safe. Using the VC Formal FuSa App, you can verify whether instrumented faults propagate all the way to the observation points specified by the designer. If they do not propagate and are contained by the design, you can rest assured and mark them as safe; only formal verification can give you this degree of certainty. If the faults do propagate to observation points, you will have to manage them with a safety mechanism to ensure proper operation of the system.
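As an added example that is not code from this post, from Synopsys or from the VC Formal FuSa App, the Python script below runs a toy fault campaign of the kind described above: it injects every stuck-at fault from a fault list into a constructed two-bit datapath guarded by a parity safety mechanism, checks exhaustively whether each fault propagates to the functional outputs and whether the checker fires, classifies it as safe, detected or residual, and reports diagnostic coverage. The node names, the circuit and the coverage definition used are assumptions made for illustration.

```python
from itertools import product

# Constructed toy design (not a real Synopsys or customer netlist): a 2-bit
# datapath with one redundant gate (n_c is constant 0, so one of its stuck-at
# faults can never reach an output) and a parity safety mechanism that raises
# ALARM when the output parity disagrees with a parity predicted from the inputs.
DATAPATH_NODES = ("d0", "d1", "n_a", "n_b", "n_c", "out0", "out1")
STIMULI = list(product((0, 1), repeat=2))                      # exhaustive stimulus set
FAULT_LIST = [(n, v) for n in DATAPATH_NODES for v in (0, 1)]  # stuck-at-0/1 per node

def evaluate(d0, d1, fault=None):
    """Evaluate one stimulus; `fault` is (node, stuck_value) or None for the good design."""
    def drive(name, value):                 # inject the stuck-at fault on the named node
        return fault[1] if fault and fault[0] == name else value
    d0, d1 = drive("d0", d0), drive("d1", d1)   # stem faults are also seen by the predictor
    n_a = drive("n_a", d0 & d1)
    n_b = drive("n_b", d0 | d1)
    n_c = drive("n_c", d0 & (1 - d0))       # redundant logic: always 0 in the good design
    out0 = drive("out0", n_a | n_c)
    out1 = drive("out1", n_b)
    pred = d0 ^ d1                          # safety mechanism: parity predicted from inputs
    alarm = int((out0 ^ out1) != pred)      # parity checker flags a mismatch
    return (out0, out1), alarm

def classify(fault):
    """Compare good and faulty behaviour over every stimulus (brute-force exhaustiveness).
    safe     : the fault never changes a functional output
    detected : every stimulus on which it propagates also raises ALARM
    residual : it reaches a functional output on some stimulus without an ALARM"""
    propagates = silent = False
    for d0, d1 in STIMULI:
        good, _ = evaluate(d0, d1)
        bad, alarm = evaluate(d0, d1, fault)
        if bad != good:
            propagates = True
            silent = silent or not alarm
    if not propagates:
        return "safe"
    return "residual" if silent else "detected"

def run_campaign(faults=FAULT_LIST):
    """Classify every fault; diagnostic coverage here = detected / (detected + residual),
    i.e. the share of non-safe faults the safety mechanism catches."""
    counts = {"safe": 0, "detected": 0, "residual": 0}
    for fault in faults:
        counts[classify(fault)] += 1
    dangerous = counts["detected"] + counts["residual"]
    return counts, (counts["detected"] / dangerous if dangerous else 1.0)
```

The stuck-at faults on the input stems `d0` and `d1` come out as residual because the parity predictor sees the same corrupted value as the datapath, which is exactly the kind of fault a real campaign hands back to the safety mechanism designer. On a real design the "every stimulus" loop is what formal replaces with a proof, which is why a fault that never changes an output can be marked safe with certainty.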
From a methodology perspective, you can use VC Formal before or after running fault simulation with Z01X. Either way, the VC Formal FuSa App is essential for every functional safety flow. For more information, please reach out to your Synopsys contact.