Assure diagnostic coverage from RTL to gate level during analysis for functional safety

By Ann Keffer, Arun Gogineni, Terry Lyons, and Vedant Garg | Posted: January 27, 2022
Topics/Categories: EDA Topics, EDA - IC Implementation, Verification

Generating accurate ASIL metrics early in the functional safety lifecycle reduces time-to-certification for ISO 26262.

Until recently, functional safety requirements were the responsibility of Tier 1 system manufacturers and OEM car manufacturers. With the introduction of autonomous car features that rely on electronics, that responsibility now also falls on semiconductor developers, as defined by the ISO 26262 safety standard for road vehicles.

Proving automotive safety integrity level (ASIL) targets, as defined by ISO 26262, can be a costly task. Addressing systematic faults, mitigating random faults, and combining safety data and work products to demonstrate a product has achieved functional safety can add months to the development life cycle. Time-to-market pressure forces developers to seek out methodologies and technologies that optimize the safety workflow and accelerate time-to-certification.

To help users deliver on these requirements, Austemper, a part of Siemens Digital Industries Software, has developed a suite of functional safety development tools that provide accurate ASIL metrics early in the safety lifecycle, reducing that time to achieve certification.

Rapid safety testing shortens ISO 26262 certification

Safety-analysis technology enables users to rapidly test IC designs in automotive applications and other markets where functional safety and high reliability are essential for standards compliance.

Austemper SafetyScope performs safety analysis of the design at the register transfer level (RTL) and on the gate level netlist. It reports the metrics required for a failure mode effects and diagnostic analysis (FMEDA): failures in time (FIT), diagnostic coverage (DC), the single point fault metric (SPFM), the latent fault metric (LFM), and others.

Most verification engineers start functional tests when they receive RTL from the design team; this is also true for functional safety testing. To understand if they are reaching their safety targets early, companies can run safety analysis on RTL blocks as soon as they are available. Getting as much safety testing done as possible on RTL optimizes the entire safety workflow, lowering project cost and accelerating time-to-certification.

Furthermore, ISO 26262 requires the metrics at the gate level to pass audits and achieve certification. The RTL-to-gate level netlist flow must therefore show that the metrics obtained at RTL still hold on the gate level netlist.

Austemper SafetyScope RTL-to-gate level netlist flow

An RTL-to-gate level netlist safety analysis flow that proves the equivalence of the safety mechanisms at RTL and in the netlist also has these time-saving attributes:

  • Safety mechanism files that do not have to be recreated for each run;
  • No manual mapping of safety mechanisms from RTL-to-gate level netlist;
  • Automatic creation of the equivalency map file; and
  • Automated set up.

The process of proving metrics, from the RTL to the gate level netlist, is completed by following these steps (also illustrated in Figure 1):

  1. Run safety analysis on RTL code.
    • Input:
      1. RTL design
      2. Technology files
    • Output:
      1. Metrics: FIT, DC, SPFM, LFM, P/T
      2. Cover.node files (nodes that are covered by safety mechanisms)
  2. Run safety analysis on the gate level netlist.
    • Input:
      1. Gate level netlist design
      2. Technology files
      3. Cover.node files (from step 1)
      4. Synthesis library
      5. Equivalency mapping file (created automatically)
    • Output:
      1. Metrics: FIT, DC, SPFM, LFM, P/T
  3. Compare the diagnostic coverage reported at RTL with that reported on the gate level netlist.
Figure 1: RTL-to-gate level netlist flow (Siemens EDA)
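As an added illustration of the FMEDA metrics named above (FIT, DC, SPFM, LFM) and of the final compare step of the flow, the following Python rolls a set of per-block failure modes up into those metrics using the ISO 26262-5 definitions, runs the calculation once on RTL estimates and once on gate-level figures, and checks that the gate-level DC stays within the tolerance the RTL analysis was expected to predict. This is not SafetyScope code: the block names, FIT values and coverage figures are constructed and are not the Ethernet MAC results of Table 1, and treating the 5% variance as an absolute difference in DC (percentage points) is an assumption. The ASIL thresholds are the minimum SPFM/LFM values from ISO 26262-5.

```python
"""FMEDA metric roll-up and RTL-vs-gate-level DC comparison.

Added illustration, not Austemper SafetyScope code. Block names, FIT values and
coverage figures below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class FailureMode:
    block: str
    fit: float             # failure rate of this mode in FIT (failures per 1e9 hours)
    safety_related: bool   # False = "safe fault": cannot violate the safety goal
    dc: float              # diagnostic coverage of the safety mechanism, 0.0..1.0
    dc_latent: float       # share of covered faults also caught by latent-fault tests


def fmeda_metrics(modes: Iterable[FailureMode]) -> dict:
    """Roll failure modes up into the ISO 26262-5 hardware architectural metrics.

    lambda_RF   = safety-related failure rate that escapes the safety mechanism
    lambda_MPFL = covered failure rate that no latent-fault test would reveal
    SPFM = 1 - lambda_RF / lambda_total
    LFM  = 1 - lambda_MPFL / (lambda_total - lambda_RF)
    DC   = covered safety-related failure rate / safety-related failure rate
    """
    total = residual = detected = latent = safety_total = 0.0
    for m in modes:
        total += m.fit
        if not m.safety_related:
            continue                          # safe faults only enlarge the denominators
        safety_total += m.fit
        residual += m.fit * (1.0 - m.dc)      # single-point (dc == 0) or residual fault
        covered = m.fit * m.dc
        detected += covered
        latent += covered * (1.0 - m.dc_latent)
    if total == 0.0:
        raise ValueError("no failure modes supplied")
    return {
        "fit": total,
        "dc": detected / safety_total if safety_total else 1.0,
        "spfm": 1.0 - residual / total,
        "lfm": 1.0 - latent / (total - residual),
    }


# Minimum (SPFM, LFM) per ISO 26262-5; ASIL A sets no quantitative target.
ASIL_TARGETS = {"B": (0.90, 0.60), "C": (0.97, 0.80), "D": (0.99, 0.90)}


def meets_asil(metrics: dict, asil: str) -> bool:
    spfm_min, lfm_min = ASIL_TARGETS[asil]
    return metrics["spfm"] >= spfm_min and metrics["lfm"] >= lfm_min


def compare_dc(rtl: dict, gate: dict, tolerance: float = 0.05) -> dict:
    """Step 3 of the flow: gate-level DC must stay within `tolerance` (absolute,
    i.e. percentage points, an assumption here) of the RTL estimate."""
    delta = rtl["dc"] - gate["dc"]
    return {"rtl_dc": rtl["dc"], "gate_dc": gate["dc"], "delta": delta,
            "within_tolerance": abs(delta) <= tolerance}


# Constructed sample: an Ethernet-MAC-like block list. RTL FIT values come from a
# pre-synthesis area estimate; the gate-level ones from the synthesized cell count.
RTL_MODES = [
    FailureMode("tx_fifo", 10.0, True, 0.99, 0.9),    # ECC-protected storage
    FailureMode("rx_fifo", 10.0, True, 0.99, 0.9),
    FailureMode("crc_gen", 4.0, True, 0.90, 0.5),      # duplicated checker
    FailureMode("mii_ctrl", 6.0, True, 0.60, 0.5),     # partial parity only
    FailureMode("config_regs", 2.0, False, 0.0, 0.0),  # safe faults
]
GATE_MODES = [
    FailureMode("tx_fifo", 11.0, True, 0.98, 0.9),
    FailureMode("rx_fifo", 11.0, True, 0.98, 0.9),
    FailureMode("crc_gen", 4.5, True, 0.88, 0.5),
    FailureMode("mii_ctrl", 6.5, True, 0.58, 0.5),
    FailureMode("config_regs", 2.5, False, 0.0, 0.0),
]


if __name__ == "__main__":
    rtl, gate = fmeda_metrics(RTL_MODES), fmeda_metrics(GATE_MODES)
    for name, m in (("RTL", rtl), ("gate", gate)):
        print(f"{name:5s} FIT={m['fit']:.2f} DC={m['dc']:.3%} "
              f"SPFM={m['spfm']:.3%} LFM={m['lfm']:.3%} ASIL B={meets_asil(m, 'B')}")
    print(compare_dc(rtl, gate))
```

The constructed numbers are chosen to show a caveat a practitioner will want: DC drops by only about 1.2 percentage points from RTL to gate level, comfortably inside the 5% tolerance, yet the higher gate-level FIT pushes SPFM from about 90.6% to about 89.5%, below the ASIL B floor. The DC comparison confirms that the RTL analysis predicted the netlist; whether the ASIL target is still met has to be re-checked against the gate-level SPFM and LFM themselves.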

Table 1 shows the results of this RTL-to-gate level netlist flow that were generated for an open-source Ethernet MAC design.

Putting safe autonomous vehicles on the road

The Austemper RTL-to-gate-level safety analysis approach enables companies to efficiently reach the optimal safety architecture in the analysis phase of their safety workflows, saving valuable engineering time and effort. Companies can successfully and rapidly meet stringent automotive safety requirements, with automotive IC design teams experiencing a reduction of functional safety testing cycles from what was commonly one year down to just a few months.

This strategy also offers benefits beyond a single project. The automatic insertion of safety mechanisms enables users to create standardized flows for on-chip safety mechanism insertion, resulting in code reusability and ease-of-use. With the RTL-to-gate level netlist flow, companies reuse the analysis work completed at RTL at the gate level, removing the error-prone manual re-mapping of safety mechanisms and following an accelerated path to ASIL certification.

As demonstrated on real-world IC designs, the automated Austemper SafetyScope RTL-to-gate level safety analysis flow has shown diagnostic coverage varying by less than 5% between RTL and the gate level netlist, meeting the safety needs of those projects. Automotive IC design teams can be highly confident their development project will meet ASIL D certification, the highest automotive safety integrity level, which gives the strongest assurance that safety goals have been achieved to prevent life-threatening or serious injury.

As driver-assistance technology innovators develop cutting-edge designs that accelerate the future of autonomous driving, Siemens offers the expertise and advanced technology necessary to bring even the most ambitious IC designs to life. Austemper SafetyScope is part of the Siemens Digital Industries Software Xcelerator portfolio, which helps companies of all sizes create and leverage the digital twins that provide them with new insights, opportunities, and levels of automation to drive innovation.
