Making your ISO Flow Flawless Establishing Confidence in Verification Tools

Similar documents
Meeting the Challenges of Formal Verification

SWEN 256 Software Process & Project Management

ERAU the FAA Research CEH Tools Qualification

Enabling Model-Based Design for DO-254 Compliance with MathWorks and Mentor Graphics Tools

Functional safety for semiconductor IP

Digital Systems Design

Lies, Damned Lies and Hardware Verification. Mike Bartley, Test and Verification Solutions

AMS Verification for High Reliability and Safety Critical Applications by Martin Vlach, Mentor Graphics

Introduction to co-simulation. What is HW-SW co-simulation?

Getting to Work with OpenPiton. Princeton University. OpenPit

Policy-Based RTL Design

Low Power Design Methods: Design Flows and Kits

INF3430 Clock and Synchronization

The Need for Gate-Level CDC

The AMADEOS SysML Profile for Cyber-physical Systems-of-Systems

Automated Driving Systems with Model-Based Design for ISO 26262:2018 and SOTIF

Agenda. 9:30 Registration & Coffee Networking and Sponsor Table-tops Welcome and introduction

Introducing Functional Qualification

RESPONSIBILITY OF THE SEMICONDUCTOR DESIGN INFRASTRUCTURE

EECS150 - Digital Design Lecture 28 Course Wrap Up. Recap 1

STM RH-ASIC capability

VERIFICATION HORIZONS

Agenda. 9:30 Registration & Coffee Networking and Sponsor Table-tops Welcome and introduction

A Case Study - RF ASIC validation of a satellite transceiver

Pragmatic Strategies for Adopting Model-Based Design for Embedded Applications. The MathWorks, Inc.

Managing Cross-talk Noise

ASIC Computer-Aided Design Flow ELEC 5250/6250

FPGA Design Process Checklist

Model checking in the cloud VIGYAN SINGHAL OSKI TECHNOLOGY

VERIFICATION HORIZONS

Synthesis of Blind Adaptive Beamformer using NCMA for Smart Antenna

EECS 427 Lecture 21: Design for Test (DFT) Reminders

Chapter 1 Introduction

Project BONUS ESABALT

5G R&D at Huawei: An Insider Look

Software Life Cycle Models

Technology Transfers Opportunities, Process and Risk Mitigation. Radhika Srinivasan, Ph.D. IBM

M&S Requirements and VV&A: What s the Relationship?

Timing Issues in FPGA Synchronous Circuit Design

Stakeholder and process alignment in Navy installation technology transitions

EDA Challenges for Low Power Design. Anand Iyer, Cadence Design Systems

PRIMATECH WHITE PAPER COMPARISON OF FIRST AND SECOND EDITIONS OF HAZOP APPLICATION GUIDE, IEC 61882: A PROCESS SAFETY PERSPECTIVE

Distributed Systems Programming (F21DS1) Formal Methods for Distributed Systems

Overview of Design Methodology. A Few Points Before We Start 11/4/2012. All About Handling The Complexity. Lecture 1. Put things into perspective

Trends in Functional Verification: A 2014 Industry Study

Signal Integrity Management in an SoC Physical Design Flow

Modernised GNSS Receiver and Design Methodology

Improvements in Functional Safety of Automotive IP through ISO 26262:2018 Part 11

Validation Plan: Mitchell Hammock Road. Adaptive Traffic Signal Control System. Prepared by: City of Oviedo. Draft 1: June 2015

Developing 7nm IP for Safety Critical Automotive Applications. Brian Eplett, Adam Golda and Andrew Cole 12/14/2017

Digital Engineering (DE) and Computational Research and Engineering Acquisition Tools and Environments (CREATE)

Foundations Required for Novel Compute (FRANC) BAA Frequently Asked Questions (FAQ) Updated: October 24, 2017

Evaluating Functional Safety in Automotive Image Sensors

Managing Metastability with the Quartus II Software

Chapter 1 Introduction to VLSI Testing

William Milam Ford Motor Co

Course Outcome of M.Tech (VLSI Design)

Can IP solutions trigger AS ? February DocID: DT-MAR002WHP10E _AS

Low Power System-On-Chip-Design Chapter 12: Physical Libraries

Cross-Service Collaboration Yields Management Efficiencies for Diminishing Resources

Changing the Approach to High Mask Costs

EC 1354-Principles of VLSI Design

Instrumentation and Control

Dr. Ralf Sommer. Munich, March 8th, 2006 COM BTS DAT DF AMF. Presenter Dept Titel presentation Date Page 1

From Antenna to Bits:

Debugging a Boundary-Scan I 2 C Script Test with the BusPro - I and I2C Exerciser Software: A Case Study

UNIT-III POWER ESTIMATION AND ANALYSIS

Topics for Project, Diploma, Bachelor s, and Master s Theses

Design of Mixed-Signal Microsystems in Nanometer CMOS

Software Quality Engineering: Testing, Quality Assurance, and Quantifiable Improvement

Architecting Systems of the Future, page 1

A Knowledge-Centric Approach for Complex Systems. Chris R. Powell 1/29/2015

Findings of the Artist2 Workshop Beyond Autosar

Scientific Certification

Industrial Applications and Challenges for Verifying Reactive Embedded Software. Tom Bienmüller, SC 2 Summer School, MPI Saarbrücken, August 2017

Lecture 1: Introduction to Digital System Design & Co-Design

Keysight Technologies Virtual Flight Testing of Radar System Performance Using SystemVue and STK

Development of a Manufacturability Assessment Methodology and Metric

Failure Mode and Effects Analysis of FPGA-Based Nuclear Power Plant Safety Systems

Interested candidates, please send your resumes to and indicate the job title in subject field.

LUCEDA PHOTONICS DELIVERS A SILICON PHOTONICS IC SOLUTION IN TANNER L-EDIT

Circuit Simulators: a Revolutionary E-Learning Platform

Electronics Putting Internet into Things. JP Morgan. 1 April 2015 Sam Weiss Chairman

Innovation for Defence Excellence and Security (IDEaS)

DIGITAL INTEGRATED CIRCUITS A DESIGN PERSPECTIVE 2 N D E D I T I O N

Stratix Filtering Reference Design

Fast Estimation and Mitigation of Substrate Noise in Early Design Stage for Large Mixed Signal SOCs Shi-Hao Chen, Hsiung-Kai Chen, Albert Li

Additive Manufacturing: A New Frontier for Simulation

Testing Digital Systems II

Online Monitoring for Automotive Sub-systems Using

Adaptable C5ISR Instrumentation

Extended Long Range (ELR) Central Applied Ballistics Role in the ELR community

Technology qualification management and verification

Fault Testing of Analog Circuits Using Combination of Oscillation Based Built-In Self- Test and Quiescent Power Supply Current Testing Method

Combination Products Verification, Validation & Human Factors Sept. 12, 2017

Virtual Prototyping - For Real Success

DNVGL-RP-A203 Edition June 2017

Bringing Technology to the Market Successfully

VLSI Design Verification and Test Delay Faults II CMPE 646

LeCroy UWBSpekChek WiMedia Compliance Test Suite User Guide. Introduction

Transcription:

Making your ISO 26262 Flow Flawless Establishing Confidence in Verification Tools Bryan Ramirez DVT Automotive Product Manager August 2015

What is Tool Confidence? Principle: If a tool supports any process governed by ISO 26262 (i.e., if the activities rely on a correct output from the tool), then the user must be able to rely on the correct functioning of the tool A malfunction could mean Introducing a bug into the product Failing to find a bug in the product This is a two part process 1. Provide information to determine level of confidence needed 2. Demonstrate qualification of a tool when applicable See ISO 26262-8, Section 11 2

Why Should You Care About Tool Confidence? ISO 26262 requires that you establish tool confidence and qualify as necessary IC development tool chains are complex with many different tools Many stages in design process Many ways to verify each step Tool qualification can be a large effort Safety critical flows already add significant overhead Needs to be planned for accordingly strategy, time and money Tool qualification doesn t ultimately add incremental value to your product Leverage tool vendors as much as possible to ease this effort Varying levels of expertise within the industry Mature organizations will be more efficient with this process 3

A Typical Semiconductor Flow Chip Development Flow Capture Requirements Create Design Concept Create RTL Design Synthesize Design Insert Test Structures Perform Place & Route Manufacture ASIC Program FPGA Evaluate HW Verification and Validation 4

A Typical Semiconductor Flow Chip Development Flow Capture Requirements Create Design Concept Create RTL Design Synthesize Design Insert Test Structures Perform Place & Route Manufacture ASIC Program FPGA Evaluate HW Requirements Tracing Modeling Simulation Simulation Simulation Manufacture Testing Test Harness Requirements Validation Analysis & Reviews Formal Methods Formal Methods Static Timing Analysis Lab Equipment Emulation & Prototyping Verification and Validation Analysis & Reviews 5

A Modern Verification Suite Virtual FPGA Different approaches all linked with a common infrastructure n The methods, combinations, and feature sets are endless n Each flow is unique n Unified IC Flow Tool Confidence Requirements Management Fault Injection Management & Analysis Stimulus Enterprise Verification Platform Stimulus based (dynamic) n Formal methods (static) n Emulation n Prototyping n Automotive Functional Safety Verification So Many Challenges, So Many Tool Choices Visualizer Debug Verification Infrastructure Vista Virtual Prototype Questa Formal Questa Simulation Veloce Emulation 6 Reliability Analysis FPGA Prototype

Determining Tool Confidence Level See ISO 26262-8, Section 11 Tool Error Detection TD1 TD2 TD3 TI1 TCL1 TI2 TCL1 TCL2 TCL3 Tool Impact Tool Confidence Level 7

Determining Tool Confidence Level: Tool Impact Tool Impact (TI): the possibility that a malfunction of a particular software tool can introduce or fail to detect errors in a safety-related item or element being developed Tool Error Detection No Yes TD1 TD2 TD3 TI1 TCL1 TI2 TCL1 TCL2 TCL3 Tool Impact: Can the software tool malfunction such that it introduces or fails to detect errors of safety requirements? Tool Confidence Level 8

Determining Tool Confidence Level: Tool Error Detection Tool error Detection (TD): confidence in measures that prevent the software tool from malfunctioning and producing corresponding erroneous output, or in measures that detect that the software tool has malfunctioned and has produced corresponding erroneous output Tool Error Detection: Degree of confidence that the software tool s malfunction and its corresponding erroneous output will be prevented or detected? High Medium Low / None No Yes TD1 TD2 TD3 TI1 TCL1 TI2 TCL1 TCL2 TCL3 Tool Impact: Can the software tool malfunction such that it introduces or fails to detect errors of safety requirements? Tool Confidence Level 9

Determining Tool Confidence Level: Tool Confidence Level TCL1 No further tool qualification activities needed TCL2 / 3 Formalized tool qualification required TCL can be improved by enhancing development process Tool Error Detection: Degree of confidence that the software tool s malfunction and its corresponding erroneous output will be prevented or detected? High Medium Low / None No Yes TD1 TD2 TD3 TI1 TCL1 TI2 TCL1 TCL2 TCL3 Tool Impact: Can the software tool malfunction such that it introduces or fails to detect errors of safety requirements? No Qual Needed Qual Required Tool Confidence Level: Level of confidence that the software tool malfunctions will not lead to the violation of safety requirements. 10

Determining Tool Confidence Level Tool Error Detection: Degree of confidence that the software tool s malfunction and its corresponding erroneous output will be prevented or detected? High Medium Low / None No Yes TD1 TD2 TD3 TI1 TCL1 TI2 TCL1 TCL2 TCL3 Tool Impact: Can the software tool malfunction such that it introduces or fails to detects errors of safety requirements? No Qual Needed Qual Required Tool Confidence Level: Level of confidence that the software tool malfunctions will not lead to the violation of safety requirements. 11

The Challenges of Defining the TCL How do you define High, Medium and Low tool detection confidence? No quantitative means are provided (by the document) The TCL determination process can be quite subjective! The details as to how this should be done are left as an exercise for the tool user The approach defined by the tool user must then be reviewed and accepted by the end product customer s Safety Manager Most tool users: 1. Really don t want to have to figure this out 2. May not have confidence in their analysis/approach 12

A Practical Approach to Establishing Confidence Levels Since no specific methods are provided by ISO 26262 to quantitatively determine confidence levels, why not use an approach well known to the safety community? Failure Modes and Effects Analysis = FMEA FMEA is an inductive reasoning approach involving single point of failure analysis that has been a core task of Safety Engineering since the 1950 s It involves identifying failure modes (of components and systems), along with their causes and effects The failure modes and their resulting effects on the rest of the system are recorded in a specific FMEA worksheet This same analytical approach can be applied to Tool Confidence! 13

Tool FMEA to Establish TD Level A tool Failure Mode is any situation where a faulty tool output could result in a created/missed design bug in the end product A team of tool experts can evaluate the tool to determine what these possible situations might be For each Failure Mode identified, internal or external means may be available to either detect or prevent a resulting design bug Internal means may involve tool development processes, tool use limitations, or tool self-check situations External means may involve message reviews or downstream design flow activities Individual failure modes are captured and analyzed for How severe the potential failure is (severity) How often does it occur (occurrence) How it can be detected (detection) This quantitative approach applies a numerical rating of 1-10 and these numbers are multiplied together to create the Risk Priority Number (RPN) Industry guidance provides High, Medium and Low ranges for RPN 14

ISO 26262 Tool Qualification Methods TCL3 TCL2 TCL1 Methods ASIL A ASIL B ASIL C ASIL D ASIL A ASIL B ASIL C ASIL D 1a 1b 1c 1d Increased confidence from use in accordance with 11.4.7 Evaluation of the tool in accordance with 11.4.8 Validation of the software tool in accordance with 11.4.9 ++ ++ + + ++ ++ ++ + ++ ++ + + ++ ++ ++ + + + ++ ++ + + + ++ Development in accordance with a + + ++ ++ + + + ++ safety standard a No qualification needed 15 ++ = highly recommend for the identified ASIL + = recommend for the identified ASIL a No safety standard is fully applicable to the development of software tools. Instead, a relevant subset of requirements of the safety standard can be selected. EXAMPLE Development of the software tool in accordance with ISO 26262, IEC 61508, or RTCA DO-178. ASIL = Automotive Safety Integrity Level A = Lowest level D = Highest level

Tool Qualification Strategies 16 Increased Confidence from Use (1a) This requires extensive use with the same (or very similar) version, constraints, uses cases, environment, etc. Any tool issues should be documented, monitored, and appropriately worked around if needed Evaluation of Tool Development Process (1b) The tools must be developed to comply with an appropriate standard (e.g., Automotive SPICE, CMMI, ISO 15504) Process should be evaluated and proper application of the assessed development process shall be demonstrated Validation of Software Tool (1c) Verifying the tool performs as expected against its requirements Typically done by testing functional and non-functional aspects Development in Accordance with a Standard (1d) The tool itself is developed in such a way as to be compliant to the relevant aspects of a safety standard (e.g. ISO 26262, IEC 61508 or RTCA DO-178) NOTE: This is very rare Note that a combination of 1b and 1c is the most common approach by far for ASIL C & D

Establishing Tool Confidence Levels ISO 26262 requires a Software Tool Criteria Evaluation Report for each tool or tool chain used This report must include 1. Description of the tool 2. Planned usage of the tool 1. Version, configuration, and environment of the tool 2. How its used in the flow (with specific use cases) 3. The maximum ASIL of the project it will be used on 3. An evaluation of TI, TD, and ultimately the TCL classification 17

Documenting the Tool Confidence Analysis Regardless of whether qualification is needed, the Tool Confidence analysis process needs to be captured and presented for review within the Safety program The type of information includes: Description of the tool Intended purpose Tool identification and version Tool operational environment Inputs and outputs Tool configuration Tool restrictions Tool use cases Environmental or functional constraints Level of Safety of design (that tool is being used on) Tool errata Tool impact Tool detection Tool confidence level (which may involve a FMEA analysis as described) Tool qualification approach (if needed) Mentor Graphics can provide tool users with a documentation kit to facilitate this process 18

What Does a Validation Approach Entail? n Documentation of the Tool Confidence Analysis (as described previously) PLUS n A documented Tool Qualification Plan n Tool requirements n A tool test suite n Mapped to the requirements being tested These requirements should be tied to those specific failures left undetected through internal/external means A way to run the tests and capture results n Functional and non-functional requirements that need to be verified So the tool user can run the validation suite in the project environment A tool qualification summary Documenting the process and results 19

Mentor Functional Safety Verification Requirements Management Fault Injection Virtual Prototyping CyberSecurity Simulation FPGA Prototyping Formal Emulation 20

Tool Confidence Example: A Requirements Management Tool Requirements management software is used to trace functional and safety requirements from definition through implementation with correlation to results The tool use is as follows: Requirements are entered into the tool via the user or imported through other requirement tools The tool traces requirements through implementation and correlates results back to requirements The tool outputs metrics regarding the completeness of each requirements It s Tool Impact is TI1 The tool does not create design code and cannot create an error in the design The tool does not verify the design and thus cannot fail to detect a design error Its Tool Error Detect is TD1 Based on the FMEA analysis And the documented use in the Safety Manual The RPN number falls into the LOW range The Tool Confidence Level is determined to be TCL1 Tool Impact Tool Detection 21 TCL1: No qualification necessary.

Tool Confidence Example: A Simulator Simulation is to verify RTL and gate-level models of the design during development The tool use is as follows: Stimulus is created (i.e., test cases that verify the requirements) The tool executes the test cases on the design model The tool outputs the behavior of the model to the test cases (and compares to expected responses) It s Tool Impact is TI2 The tool does not create design code and cannot create an error in the design, BUT The tool does verify the design, and can potentially fail to detect a design error Its Tool Error Detect is TD1 Based on the FMEA analysis And the documented use in the Safety Manual The RPN number falls into the LOW range The Tool Confidence Level is determined to be TCL1 Tool Impact Tool Detection 22 TCL1: No qualification necessary.

Tool Confidence Example: A Formal Methods Application A clock domain crossing tool that uses formal methods to identify clock-domain crossing issues that could cause design metastability The tool use is as follows: Cross clock domains are identified and formally checked for correctness against asynchronous domain crossing models It s Tool Impact is TI2 The tool does not create design code and cannot create an error in the design, BUT The tool does verify the design, and can potentially fail to detect a design error Its Tool Error Detect is TD1 Based on the FMEA analysis And the documented use in the Safety Manual The RPN number falls into the LOW range The Tool Confidence Level is determined to be TCL1 Tool Impact Tool Detection 23 TCL1: No qualification necessary.

Summary Tools are a vital part of a safety program and confidence in them must be established Different tools have different functions and therefore different potential impacts on the design If a tool malfunction may result in a design bug (being created or missed in verification) this must be examined further Internal and external means may be available to prevent or detect design bugs Hazard analysis (FMEA/RPN) can add a familiar and structured quantitative aspect to this notwell-defined process TCL1 is your friend If sufficient means for detection/prevention aren t available, then Tool Qualification is necessary Several options exist for Tool Qualification Tool vendors can assist tool users with this process 24

Mentor Graphics and ISO 26262 Fault Injection Requirements Management Virtual Prototyping Mentor is a leading supplier of both automotive software and EDA tools Mentor s industry leading tools are being used by top automotive semiconductor suppliers Mentor is investing in ISO 26262 with several ISO 26262 experts on staff CyberSecurity Simulation Mentor is assisting companies with ISO 26262 tool confidence needs FPGA Prototyping Formal Mentor is formalizing Tool Qualification kits and enhancing tools/flows to further facilitate our customers ISO 26262 processes Emulation 25

2024 © hobbydocbox.com Privacy Policy | Terms of Service | Feedback