- Ultra-fast fault analysis, reducing months of simulation to days
- High degree of accuracy, allowing for improved ASIL rating
- High degree of automation making solution easy to use
One of the most complex fault types noted in ISO 26262, that must be eliminated in an automotive device, are transient faults or soft errors. Soft errors are temporary state changes in flip-flops or memories that last for a short time. If these occur at just the wrong time in the device operation process, they have the potential to disrupt normal device operation and cause a hazard.
By their nature, the safe occurrence of a transient fault condition is hard to verify, as the timing of the condition is vital to its effect. However, the remedies for these soft errors allow for a reasonable verification process, providing a high level of simulation performance is available. Traditionally this has been missing from most design flows.
Soft Errors in flip-flops are usually remedied by using Dual or Triple Modular Redundancy (DMR/TMR), that is, the flip-flop is duplicated or triplicated and the output of the two or three flops compared. If one of the flops is different from the other(s), an error has occurred. This “hardening” of the flop can be applied to every flip-flop in the design, resulting in a 70% increase in silicon usage, assuming DMR.
A DMR Hardened Flip-Flop using a C-element
Depending on the logic of the design, it is not necessary to harden many flops as a temporary fault in them will be masked by the rest of the design logic, or will not cause an unsafe condition. The AVF, or Architectural Vulnerability Factor, of a flip-flop provides measure of the probability of an error on the flop making it to a safety goal output. Only flops with a high AVF need to be hardened to achieve a high ASIL rating, and often this may be 5% or fewer of all the flops, with a considerable saving in power consumption and silicon area versus hardening all the flops in the design.
To measure AVF requires fault simulation, but traditional fault simulators will take many 1000s of hours to provide an accurate measure across the device. This is where Optima-SE™ plays a key role.
Device Hardening and Verification Process
Leveraging Optima’s Fault Injection Engine (Optima-FIE™) technology, the calculation of the AVF may be accelerated to just a few hours by Optima-SE. Optima-SE starts by measuring the Failure-In-Time (FIT) rate by running an exhaustive simulation of the device while injecting faults, one by one, on every flip-flop. This produces an AVFfor each flop. Hardening is then applied to every flop with an AVF greater than 20%, and the fault simulation re-run. This process is repeated while adjusting the hardening application, until the required FIT rate is achieved. The overall FIT rate should be reduced to a factor great than 99% for the device to be considered safe to the ASIL-D level.
Optima-SE Inputs/Outputs and User Interface
Optima-SE provides all the calculations to produce the AVF reports and the FMEDA parameters to calculate the ASIL-D rating. It also provides certification audit information. Its’ debug environment reveals critical flip-flop coverage detail to allow engineers to easily hone in on issues.
The use of Optima-SE transforms complex fault simulation processes that may take many months and lead to indeterminate results, and instead allow this task to be performed in just a few days, automating information output to complete an ISO 26262 audit easily and reliably.
Memory bit flips is also a major issue in automotive devices. Memory reliability is often handled using Error Correcting Codes (ECC), where the memory words are encoded before writing, and then decoded. Coding systems such as Hamming Codes allow single bit changes to be switched back to their correct values, and dual bit changes to at least be recognized as a fault.
The ECC safety handling circuit must also be tested using fault simulation where faults are injected on each memory bit and the simulation run to ensure the faults are correctly handled. Similarly to the flip-flop case, these soft errors must also be eliminated to a level greater than 99%.