Qualifying a high performance Memory subsystem
for Functional Safety
Pankaj Singh
CDNLive Bangalore
August 29, 2019
2 © 2019 Cadence Design Systems, Inc. All rights reserved.
Safety Verification Challenges
• Functional Safety (FuSa) sometimes starts late and may not be an integral part of the development cycle.
• Verification environment/testcase development takes effort for FuSa.
• The manual approach to safety architecture/requirement analysis is an iterative process and prone to error.
• Significant scaling of simulation and analysis is required to meet regulatory standards.
• The fault simulation tool flow needs to be integrated/automated to run regressions.
• Gaps in safety verification of analog design.
Reuse of Functional Testbench/Testcases for Functional Safety Simulations
• Early start of FuSa along with systematic verification
• Reuse of verification environment/parametrized testcases
PVPL: Product Verification Plan
PVS: Product Verification Spec
FuSa: Functional Safety
LPDDR4 FMEDA Details
• Initial focus was to target modules with a higher FIT rate.
• Full regression at an early stage gives a good picture of diagnostic coverage.
• Limitations:
  • No integration with design data for accuracy of details. Updating the results into the FMEDA sheet is time consuming and prone to manual error.
FMEDA: Failure Mode, Effects and Diagnostic Analysis
FIT: Failure in Time
vManager Safety Planner App – High Level FM’s
[Screenshot of the Safety Planner App: Generate Report, Filter Options]
✓ The web-enabled Safety Planner App can overcome the limitation of manual error and also improve accuracy due to design data input.
✓ Supports FMEDA analysis/update to define the safety architecture (safety mechanisms, SM) and safety requirements.
✓ Supports verification of the FMEDA by means of fault injection and formal analysis.
Significant Scaling of Simulation and Analysis Is Required to Meet Regulatory Standards
[Diagram: functional simulations, fault injection simulations, Jasper FSV fault analysis/optimization; the FST step removes untestable faults]

Target metrics per ASIL:
            SPFM      LFM
  ASIL B    ≥ 90 %    ≥ 60 %
  ASIL C    ≥ 97 %    ≥ 80 %
  ASIL D    ≥ 99 %    ≥ 90 %

ASIL: Automotive Safety Integrity Level
SPFM: Single-Point Fault Metric
LFM: Latent Fault Metric
FSV Structural Analysis Techniques
• Out-of-COI Analysis
  • A fault node outside the Cone-of-Influence (COI) has no physical connection to the functional strobe(s)
  • Fault is Untestable (Safe)!
• Activatable Analysis
  • A SA0/1 fault injected on a node which is constant 0/1 cannot be activated
  • Fault is Unactivatable (Safe)!
• Propagatable Analysis
  • A fault that is activated and in COI, but cannot be observed on the functional strobe
  • Fault is Unpropagatable (Safe)!
[Diagram: strobes with out-of-COI (OOCOI) nodes, a barrier, unpropagatable (Unprop), unactivatable (Unact) and constant (Const) nodes; dangerous faults vs. safe faults]
Fault Analysis and Optimization
[Functional Safety Verification Timeline: optimized fault list]
• FSV Analysis Optimization:
  ✓ Out of cone-of-influence of functional strobes
  ✓ Unactivatable due to constants
  ✓ Unactivatable due to design
  ✓ Unpropagatable to functional strobes
• Controller: fault targets – 138K total → optimized to 58,504
• PHY: fault targets – 241K total → optimized to 73,835
• Other techniques based on design knowledge/analysis:
  ✓ Duplicated instances removal
  ✓ Bus reduction: if some bits with the same fault type (SA0/SA1) are covered, the other bits can be waived
  ✓ BIST & debug mode related functionality
  ✓ Redundant logic removal
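To make the three structural analyses concrete, here is an added Python illustration (not the deck's code and not Jasper FSV's algorithm) that prunes the SA0/SA1 fault list of a constructed toy netlist into out-of-COI, unactivatable, unpropagatable and needs-simulation buckets. The netlist, the gate set and the "controlling constant on another input" barrier rule are assumptions made for the example.

```python
"""Structural fault-list pruning in the spirit of the FSV analyses on the slide.
Constructed example; the netlist and the barrier rule are assumptions."""
from collections import deque

# Constructed toy netlist (not from the deck): node -> (gate, inputs).
# Gate types: INPUT, CONST0, CONST1, AND, OR, NOT, XOR, BUF.
NETLIST = {
    "a":    ("INPUT",  []),
    "b":    ("INPUT",  []),
    "c":    ("INPUT",  []),
    "tie0": ("CONST0", []),
    "n1":   ("AND", ["a", "b"]),
    "n2":   ("AND", ["c", "tie0"]),  # tie0 is a controlling 0, so n2 is constant 0
    "n3":   ("OR",  ["n1", "n2"]),
    "dbg":  ("XOR", ["a", "c"]),     # debug-only logic, observed by no strobe
    "out":  ("BUF", ["n3"]),
}
STROBES = {"out"}                    # functional strobe(s)


def cone_of_influence(netlist, strobes):
    """Backward structural traversal from the strobes (Out-of-COI analysis)."""
    seen, work = set(), deque(strobes)
    while work:
        n = work.popleft()
        if n not in seen:
            seen.add(n)
            work.extend(netlist[n][1])
    return seen


def _eval_gate(gate, ins):
    """Evaluate one gate on 0/1/None inputs; None means 'not a constant'."""
    if gate == "CONST0": return 0
    if gate == "CONST1": return 1
    if gate == "INPUT":  return None
    if gate == "BUF":    return ins[0]
    if gate == "NOT":    return None if ins[0] is None else 1 - ins[0]
    if gate == "AND":    return 0 if 0 in ins else (1 if all(x == 1 for x in ins) else None)
    if gate == "OR":     return 1 if 1 in ins else (0 if all(x == 0 for x in ins) else None)
    if gate == "XOR":    return None if None in ins else ins[0] ^ ins[1]
    raise ValueError(gate)


def constant_nodes(netlist):
    """Three-valued constant propagation to a fixed point (Activatable analysis)."""
    const, changed = {}, True
    while changed:
        changed = False
        for n, (gate, ins) in netlist.items():
            if n not in const:
                v = _eval_gate(gate, [const.get(i) for i in ins])
                if v is not None:
                    const[n], changed = v, True
    return const


def _blocked(gate, ins, from_node, const):
    """Barrier rule: a *different* input of the gate holds a controlling constant
    (0 for AND, 1 for OR), so a change on from_node never reaches the output."""
    ctrl = {"AND": 0, "OR": 1}.get(gate)
    return ctrl is not None and any(i != from_node and const.get(i) == ctrl for i in ins)


def can_reach_strobe(netlist, node, strobes, const, fanout):
    """Forward search through non-barrier gates (structural Propagatable analysis)."""
    seen, work = {node}, deque([node])
    while work:
        n = work.popleft()
        if n in strobes:
            return True
        for s in fanout[n]:
            gate, ins = netlist[s]
            if s not in seen and not _blocked(gate, ins, n, const):
                seen.add(s)
                work.append(s)
    return False


def prune_fault_list(netlist, strobes):
    """Classify every SA0/SA1 fault; only 'needs_simulation' faults go to the campaign."""
    coi, const = cone_of_influence(netlist, strobes), constant_nodes(netlist)
    fanout = {n: [] for n in netlist}
    for n, (_, ins) in netlist.items():
        for i in ins:
            fanout[i].append(n)
    result = {}
    for node in netlist:
        for fault, stuck in (("SA0", 0), ("SA1", 1)):
            if node not in coi:
                status = "untestable_out_of_coi"       # safe: no path to any strobe
            elif const.get(node) == stuck:
                status = "unactivatable"               # safe: node already holds the stuck value
            elif not can_reach_strobe(netlist, node, strobes, const, fanout):
                status = "unpropagatable"              # safe: every path hits a barrier
            else:
                status = "needs_simulation"            # potentially dangerous: simulate it
            result[(node, fault)] = status
    return result


def summary(result):
    """Bucket counts, i.e. the 'optimized fault list' numbers of the slide."""
    counts = {}
    for status in result.values():
        counts[status] = counts.get(status, 0) + 1
    return counts
```

Note that `tie0:SA1` is kept for simulation although `tie0` is a constant: the stuck value differs from the constant, and the barrier at `n2` does not apply because `tie0` is itself the controlling input.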
LPDDR4 Statistical Fault Regression Flow
[Flow diagram: testbench (SystemVerilog, ‘e’, SystemC, etc.) and design (Verilog, VHDL, SVD) → elaboration (instrumenting) → good machine simulation, producing the good machine data and fault set → fault machine simulations (1…N), driven by the fault list/control file and the fault commands and control → fault campaign data → fault campaign results (detected, undetected, partially detected) → fault report generation (total detected, undetected, etc.)]
[Statistical fault simulation over DDR testcases T1…Tn with representative faults: FMEDA estimates → fault simulation → analysis & actions → safety verification report]
• #1 Compile and elaborate
  • Specify the target area for fault injection
• #2 Execute a good simulation
  • Specify strobe information to generate the good machine data
• #3 Execute N fault runs
  • N is the number of nodes in the fault list
• #4 Generate a report from the fault campaign
  • Merge all fault runs in a single, cumulative report
Tools: vManager™ Safety Client (mdv/AGILE/18.03.001), Xcelium™ Simulator (xcelium/AGILE/18.03.001)
Working Effort – Burning of NC & DU Faults
• NC does not mean SAFE!
  • If the functionality is not active, the fault would not impact the functional output (F-O)
  • A fault on the target must be propagated to the functional output as much as possible
• DU does not mean DANGEROUS!
  • Fault simulation time == good simulation time
  • A timeout threshold that is too large lets runs count up to the threshold
  • Use the duration of the good sim + 20% margin
[Flow: NC → develop a test to cover the function; DU → set a proper checker; DD → recorded. Loop while DC < 99 %: analyse faults → develop tests and enable the proper checker function → run regression & collect the DD list → update the waiver list according to the fault reduction rule. Safety verification = functional coverage + code coverage + diagnostic coverage. Record the DD list to reduce the number of fault simulation runs.]
DD: Dangerous Detected
DU: Dangerous Undetected
NC: No Convergence
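Step #4 of the regression flow (merging N fault runs into one cumulative report) and the NC/DU/DD handling on the slide above, as an added Python example that is not the deck's code or the Xcelium/vManager report format. The per-run record layout, the status rules (checker fired → DD; functional output diverged but uncaught → DU; never diverged → NC) and the sample campaign are assumptions drawn from the slide text.

```python
"""Merge per-fault run results into one cumulative campaign report and judge
diagnostic coverage (DC) against the target. Constructed example; the record
layout and status rules are assumptions, not a tool's actual format."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FaultRun:
    fault: str            # fault target, e.g. "u_ctrl/n3:SA1" (constructed name)
    sim_time_ns: float    # simulated time the fault run consumed
    fo_mismatch: bool     # functional output ever diverged from the good machine
    checker_fired: bool   # a safety-mechanism checker flagged the fault


def timeout_threshold(good_sim_time_ns, margin=0.20):
    """Slide rule: stop a fault run at the good-simulation duration + 20% margin,
    so uncaught faults do not burn simulation time counting up to a huge timeout."""
    return good_sim_time_ns * (1.0 + margin)


def classify(run):
    """DD: a checker detected it.  DU: it reached the functional output but no
    checker caught it (action: set a proper checker).  NC: the faulty machine
    never diverged, i.e. the test did not exercise that function (action:
    develop a test).  NC is not evidence that the fault is safe."""
    if run.checker_fired:
        return "DD"
    if run.fo_mismatch:
        return "DU"
    return "NC"


def merge_report(runs, good_sim_time_ns, target_dc_pct=99.0):
    """Cumulative report over all fault runs. DC counts only faults proven
    dangerous (DD + DU); NC faults are excluded as 'unknown', never as 'safe'.
    target_dc_pct defaults to the 'DC < 99 %' loop condition on the slide."""
    threshold = timeout_threshold(good_sim_time_ns)
    lists = {"DD": [], "DU": [], "NC": []}
    du_hit_timeout = 0
    for run in runs:
        status = classify(run)
        lists[status].append(run.fault)
        if status == "DU" and run.sim_time_ns >= threshold:
            du_hit_timeout += 1     # ran the full duration uncaught: checker gap
    dangerous = len(lists["DD"]) + len(lists["DU"])
    dc_pct = round(100.0 * len(lists["DD"]) / dangerous, 2) if dangerous else 0.0
    return {
        "counts": {k: len(v) for k, v in lists.items()},
        "dc_pct": dc_pct,
        "meets_target": dc_pct >= target_dc_pct,
        "du_hit_timeout": du_hit_timeout,
        # DD faults are recorded so the next regression can skip them;
        # NC and DU faults form the rerun list once tests/checkers are fixed.
        "dd_list": sorted(lists["DD"]),
        "rerun_list": sorted(lists["NC"] + lists["DU"]),
    }


# Constructed sample campaign: a 1000 ns good simulation and six fault runs.
GOOD_SIM_NS = 1000.0
SAMPLE_RUNS = [
    FaultRun("u_ctrl/n1:SA0",    120.0, True,  True),
    FaultRun("u_ctrl/n1:SA1",    450.0, True,  True),
    FaultRun("u_ctrl/n3:SA1",   1200.0, True,  False),  # stopped at threshold, uncaught
    FaultRun("u_phy/dq3:SA0",   1000.0, False, False),  # never diverged: test gap
    FaultRun("u_phy/dq3:SA1",    980.0, True,  False),
    FaultRun("u_ctrl/tie0:SA1",  300.0, True,  True),
]

if __name__ == "__main__":
    print(merge_report(SAMPLE_RUNS, GOOD_SIM_NS))
```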
Sample Fault Grade Report
Safety Verification of Analog Modules
• Analog fault injection for LPDDR4: not done (gap).
[Flow per IEEE P2427, Reference [1]: netlist and test → simulate the test on the original circuit → enumerate the defect & fault list and weights → simulate the test on the defective/faulty circuits (netlist1, netlist2 … netlistm) → report coverage. The three deliverables specified by the standard: coverage summary, defect/fault status, pass/fail results.]
P2427: Standard for Analog Defect Modelling & Coverage. P2427 specifies analog defects and coverage.
Analog Defect Modelling
Defects Commonly Observed in Silicon and Targeted by Manufacturing Tests:

  Category           Location         Degree                 Root causes
  DC short           Same layer       Low resistance         Dust
                                      High resistance        Stringer
                     Between layers   Low resistance         Missing oxide
  DC open            Resistive        High resistance        Partial contact
                     Complete         Infinite resistance    Missing contact; missing geometry
  AC coupling        Same layer       >2X design value       OPC distortion
                     Between layers   >2X design value       Oxide thinning
  Leakage            PN junction                             ESD; dust
                     Gate oxide                              Local weakness in thin oxide layer
  Stuck-on                                                   Undercut gate; ESD
  Stuck-off                                                  Thick oxide
  Extreme variation                   > specified DF_PDK     Mouse bite; blob
                                      (Deviation Factor) to
                                      specification or
                                      process corner

The standard does not mandate a particular defect model to be used, but it does mandate the model description to be part of the coverage report.
[MOS transistor defect diagram: dg_short, gs_short, ds_short, d_open, g_open]
[Flow: defect identification → defect simulation → coverage analysis]
Legato™ platform environment developed in alignment with IEEE P2427. Reference [2]
Example: Op-Amp From ITC’17 Benchmarks
• OPAMP benchmark inputs:
  – Schematic netlists (no layouts)
  – Process files: typical, SS, SF, FS, FF
  – Specifications, with limits, only for 3.3 volt operation at 27C
• 77 hard defects (after collapsing)
  – 43 shorts: 3 per MOS transistor, 1 per diode, C, R (JFET)
  – 34 opens: 2 per MOS transistor, 1 per diode, C, R (JFET)
• Defect models. Short: 200 Ω. Open: 1 GΩ

Coverage Report:
  Defect  Defect  Detected   Undetectable  Undetected  Detectable    Weighting  Corner(s)
  type    model   defects #  defects #     defects #   coverage (%)  algorithm
  Short   200 Ω   34         0             9           81            None       Fast/Slow
  Open    1 GΩ    17         0             17          50            None       Fast/Slow
  Test conditions: Input: 1 MHz 0.5 V sine, 1.65 V bias, via 10 k

Note: Soft and parametric defect injection is not supported yet in the official release.
Reference [2]
LPDDR4 Safety Verification Summary
✓ Avoid the traditional approach of starting functional safety after functional verification: an iterative and expensive development phase.
✓ Functional safety needs to be architected and not added later.
✓ Safety analysis must start prior to implementation: ‘design for safety/verification’.
✓ Reuse & synergize: nominal and functional safety verification.
✓ Fault optimization with formal and other techniques is necessary to overcome the challenges of scaling simulation and analysis.
✓ An integrated push-button fault simulation flow is the need of the hour and saves verification engineers' time.
✓ Analog defect modelling and coverage can be performed based on IEEE P2427.
[Flow diagram: IP requirements, customer requirements and application assumptions → FuSa concept → FMEA/FMEDA (architecture → product → design; failure modes; ASIL requirements; failure mode → safety mechanism; DC (ASIL)) → design update (safety mechanisms) → functional verification (systematic), with PVPL (product verification plan: verifiability, verification assignment, verification domain) and PVS (product verification spec: verification strategy) → safety (random) verification, formal/dynamic: qualitative verification (fault injection) of safety mechanisms, functional verification (systematic) closure, statistical (fault injection) verification, analysis → safety metric verification report. Supporting tracks: safety analysis / fault optimization, analog design, fault campaign management.]
Safety-Compliance IP: Requirement for Automotive Application
[Diagram: ISO 26262 ASIL-D/C compliant IP blocks]
Functional Safety Is Critical to the Success of Autonomous Vehicles Being Designed Today
Acknowledgements
DDR IP Safety Team
– Mingyang Zhu
– YJ Patil
– James Yang
– Siva Prasad
– Pranesh M
– Tony Vu
– Tobing Soebroto
Guidance on Automotive Safety Standards/tools/flow
– Mangesh Pande: Safety Verification tools/flow
– Pradeep Bagavathiappan: Jasper
– Amit Bajaj: P2427
– Brian Taylor: ISO26262
Helping Me Tell Our Story
– Thomas Wong
References
1. Vladimir Zivkovic (Cadence), Jeff Rearick (AMD). Using IEEE P2427 to measure the coverage of analog tests. European Test Symposium (ETS), May 2019, Baden-Baden, Germany.
2. Walter Hartong, Jianhe Guo. Legato™ Reliability Solution ADE/Spectre Fault Simulation. Cadence Customer Presentation.
3. Stefano Lorenzini, Mangesh Pande, Joerg Mueller. Functional Safety Workshop.
Thank you
© 2019 Cadence Design Systems, Inc. All rights reserved worldwide. Cadence, the Cadence logo, and the other Cadence marks found at www.cadence.com/go/trademarks are trademarks or registered trademarks of Cadence Design Systems, Inc. All other trademarks are the property of their respective owners.