The second wave in automotive ISO 26262 analysis: Page 2 of 6

February 03, 2020 //By Jamil Mazzawi and David Kelf
ISO 26262 analysis
It has become well known that the analysis required for the Automotive ISO 26262 Functional Safety Standard involves lengthy and laborious fault analysis, performed using outdated fault simulation designed for manufacturing test quality grading.

Fault simulation bottleneck

Fault simulation is a technique that was invented approximately three decades ago for the purpose of ensuring manufacturing test quality. The idea is simple. Firstly a simulation is run of a clean design using some test vectors derived specifically for this purpose, and the output recorded. A fault (either stuck-at-1 or stuck-at-0) would be inserted on a specific design node and the simulation run again. This would be repeated for every node in the design. If the output was unaffected by a fault, the tests may need improvement since the fault was not detected.

Of course the execution time of this process, which in its raw form would be equivalent to the number of faults * the size of the simulation, was enormous. Even after optimizations the simulation time would be measured in weeks or even months.

Testing for automotive faults is not dissimilar to manufacturing test, in that faults must be injected and the device reaction to them measured. As such, it was inevitable that fault simulation would be the initial tool of choice for ISO 26262 characterization. However, there are important differences that made the older technology inappropriate.

Fig. 1: Fault simulation process.

For example manufacturing tests were scan-path based which meant that a test would only be required to execute from one flip-flop, through logic, to another flip-flop. On the other hand, safety tests have to trigger a fault and measure its impact through multiple clocked flip-flop stages before reaching a Safety Mechanism or an output, thereby making the testing process much longer and more temporal in nature. The type of faults to be measured cannot easily be approximated to a simple stuck at 1 or 0 as in the manufacturing world, which means the simulator has to work with new fault models, such as transient faults, bridging faults, etc.

Fig. 2: Faults and safety mechanisms

Inevitably, automotive semiconductor companies will try to meet the ISO 26262 requirements with a minimum of fault simulation. Some companies will run simulations on small blocks and show how the measurements obtained could be translated up to the broader system level. Others would perform statistical analysis on the results to show that the probability of a safe device is reasonable. Given the size and competitiveness of this market, it is inevitable that improved fault analysis methods would be introduced.

Design category: 

Vous êtes certain ?

Si vous désactivez les cookies, vous ne pouvez plus naviguer sur le site.

Vous allez être rediriger vers Google.