Ian Clifford, EMEA Application Engineering Director
Cadence Design Systems Ltd.
NMI Workshop, April 2016
Mixed Signal Design Addressing Complexity & Safety Challenges
2 © 2016 Cadence Design Systems, Inc.
• 1998-12-11 18:45: Mars Climate Orbiter probe launched
• 1999-09-23 8:50: Orbiter fires main engine to descend into the precisely calculated Mars trajectory
• 9:04: Communication with spacecraft is lost
Incomplete verification has consequences…
Source: NASA/AP
What happened?
• Everything was “perfect” – only that Lockheed Martin’s software used “pounds” while NASA assumed “kilograms”, causing an error in the engine power calculation
• Only 4 months later, NASA’s Mars Polar Lander was lost in the landing phase – the likely cause was “a software error that incorrectly identified vibrations, caused by the deployment of stowed legs, as surface touchdown. This shut down the engines when the spacecraft was 40m above Mars’ surface.”
– Although it was known that leg deployment could create the false indication, the software's design instructions did not account for that eventuality…
– This issue wasn’t caught due to a problem with the sensor during ground tests
• Lessons learned?
– Sometimes the problem can’t be found in the details but only in the bigger picture
– Communication is key – verification planning might seem an unnecessary overhead, but even the discussion with peers is valuable
– The fact that you know what the spec means doesn’t necessarily mean that others will interpret it the same way
Source: NASA
SOFTWARE: malleable
MIXED SIGNAL: complexity
SMART PRODUCT: vulnerability
Automobiles are a system of systems
Source: Clemson Vehicular Electronics Laboratory
Airbag deployment
Adaptive front lighting
Adaptive cruise control
Head-up display
Parental controls
Engine control
Automatic braking
Night vision
Windshield wiper control
Electric power steering
Electronic throttle control
Electronic valve timing
Idle stop/start
Cylinder de-activation
Active vibration control
Blindspot detection
Remote keyless entry
Parking system
Antilock braking
Transmission control
Seat position control
OBDII
Driver alertness monitoring
Accident recorder
Instrument cluster
Auto-dimming mirror
Interior lighting
Active cabin noise suppression
Voice/data communications
Cabin environmental controls
Entertainment system
Battery management
Lane correction
Electronic toll collection
Digital turn signals
Navigation system
Security system
Active exhaust noise suppression
Active suspension
Hill-hold control
Regenerative braking
Tire pressure monitoring
Lane departure warning
Electronic stability control
Active yaw control
DSRC
Automotive: money and lives are at stake
“Automakers have recalled more U.S. vehicles in the first six months of this year than any year before.” – June 24, 2014
Verification is the #1 design challenge – and growing
[Chart: new design effort versus verification effort over time. Verification effort has grown 7x while new design effort has grown 4x; the difference between the two curves is the verification gap.]
System-level defects are the most troubling…
Architecturally complex defect: a structural flaw involving interactions among multiple components, often residing in different subsystems. These are the primary cause of operational problems and take 20x as many fixes to correct.

Defect class                      % of total app defects   % of total repair effort
Architecturally complex defects   8%                       52%
Code unit-level violations        92%                      48%

Source: Lii et al. (2012)
Let’s look at verification for functional safety: automotive (ISO 26262)
[Diagram: requirement-driven SoC verification feeding verification for functional safety (ASIL), built from the following elements]
• Traceability
• Specification linkage
• Change management
• Reproducible results
• Fault injection
• Fault simulation
• Multiple abstractions
• Safety reports
Medical devices are highly regulated: a failure here could mean life or death
• Government regulatory agencies: FDA (United States), EMA (Europe), PMDA (Japan), CFDA (China), CDSCO (India)
• Set of applicable standards: IEC 60601 (medical electronics) and IEC 62304 (software contained within) – 1 general standard, 10 collateral standards, 60 particular standards. Traceability is key to each.
• Examples of FDA-demanded verification methods (FDA: Design Control Guidance For Medical Device Manufacturers): package integrity tests, failure modes and effects analysis, thermal analysis, worst-case analysis
IoT: security verification is unfolding
Smart systems: layers upon layers of verification in today’s SoCs
• Mixed-signal
• Software
• Performance
• Clock
• Power
• Security and Safety
You must verify what is supposed TO happen and what should NOT happen
Incisive automotive functional safety verification: solution within the Cadence System Development Suite
• Reduces functional safety effort
– Eliminates testbench recoding
– Automates fault simulation execution
• Fault injection simulation
– Gate-level, Verilog, and VHDL
– Digital / mixed-signal simulation
– Verify with IEEE languages
– Fault types: stuck at 0/1, transient, single event upset
– Automated safety classification
• Safety requirements tracing
– Integrated regression throughout for compliance metrics
– Integrated permanent and transient fault simulation
– Helps reduce ISO 26262 effort by half
[Diagram: Incisive Functional Safety Simulator with vManager (fault collection, safety reporting) driving Incisive Enterprise Simulator fault engines in parallel, all linked to a Safety Verification Plan (vPlan); key: Cadence / User]
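The fault injection bullets above list stuck-at 0/1, transient and single-event-upset faults together with automated safety classification. The Python below is an added illustration of that idea, not code from Cadence or the Incisive tools: it runs a single-fault campaign over a constructed toy netlist (a duplicated 1-bit adder with a comparator as the safety mechanism) and classifies each fault as safe, detected or residual in ISO 26262 terms. The netlist, stimulus, class names and the diagnostic-coverage formula are my assumptions.

```python
# Constructed toy netlist (not from the slides): a 1-bit adder whose outputs
# x1 (sum) and a1 (carry) are duplicated (x2, a2) and compared; err = flag.
NETLIST = {  # node -> (gate, fan-in); primary inputs a, b are not listed
    "x1": ("xor", ("a", "b")), "a1": ("and", ("a", "b")),    # functional
    "x2": ("xor", ("a", "b")), "a2": ("and", ("a", "b")),    # duplicate
    "d1": ("xor", ("x1", "x2")), "d2": ("xor", ("a1", "a2")),
    "err": ("or", ("d1", "d2")),                             # safety mechanism
}
FUNC_OUT, SAFETY_OUT = ("x1", "a1"), "err"
OPS = {"and": lambda p, q: p & q, "or": lambda p, q: p | q, "xor": lambda p, q: p ^ q}
STIMULUS = [{"a": p, "b": q} for p in (0, 1) for q in (0, 1)]  # constructed vectors

def evaluate(inputs, fault=None, cycle=0):
    # fault = (node, kind, arg): 'sa' forces node to arg in every cycle,
    # 'seu' flips it only in the cycle numbered arg (single event upset).
    net, done = dict(inputs), set()
    def val(n):
        if n in done: return net[n]
        if n not in net:                       # derived node: evaluate fan-in
            gate, (p, q) = NETLIST[n]
            net[n] = OPS[gate](val(p), val(q))
        if fault and fault[0] == n:            # inject exactly once per node
            if fault[1] == "sa":
                net[n] = fault[2]
            elif fault[1] == "seu" and cycle == fault[2]:
                net[n] ^= 1
        done.add(n)
        return net[n]
    for n in NETLIST: val(n)
    return net

def classify(fault, stimulus):
    # ISO 26262-style class: 'safe' = outputs never deviate from the golden
    # run; 'detected' = every deviation raises err; 'residual' = one escapes.
    deviated = escaped = False
    for k, vec in enumerate(stimulus):
        gold, bad = evaluate(vec, None, k), evaluate(vec, fault, k)
        if any(gold[o] != bad[o] for o in FUNC_OUT):
            deviated, escaped = True, escaped or not bad[SAFETY_OUT]
    return "residual" if escaped else "detected" if deviated else "safe"

def campaign(stimulus):
    # Stuck-at 0/1 on every node plus one SEU per node per cycle; returns
    # {fault: class} and diagnostic coverage = detected / (detected + residual).
    sites = ["a", "b"] + list(NETLIST)
    faults = [(n, "sa", v) for n in sites for v in (0, 1)]
    faults += [(n, "seu", k) for n in sites for k in range(len(stimulus))]
    result = {f: classify(f, stimulus) for f in faults}
    dangerous = [c for c in result.values() if c != "safe"]
    return result, dangerous.count("detected") / max(len(dangerous), 1)
```

Faults on the shared primary inputs a and b come out residual: both copies see the same wrong value, which is exactly the common-cause failure that duplication alone cannot catch and that pulls diagnostic coverage down to 50% here.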
How about analog / mixed-signal?
Some things seem to change slowly
Crossing the verification chasm between analog and digital
You could: replace analog with Verilog/VHDL digital equivalents and apply metric-driven verification. This method keeps everything on a well-understood digital methodology, but all of the analog nature of the block is wiped out.
Or: replace analog with Verilog real-number models and apply metric-driven verification. This method characterizes the analog behavior better, but the impact of analog physical effects is lost and the effort to create the models is higher.
But what if you could: maintain the analog circuits and tests, but track them along with the digital metric-driven verification? Solution required…
Improve quality and turnaround time: metrics for the analog domain
• Metrics drive the process. “Begin with the end in mind.”
– Planning: what do you need to verify, and how
– Tracking to closure: metrics allow you to determine how progress is converging on those goals
– Execution and debugging
For digital, tracking means:
• Functional coverage (SV, e coverage)
• SVA, PSL dynamic assertions
• Test coverage (pass, fail)
• Code coverage (block, expression, toggle, statement, FSM, etc.)
• Formal static assertions
What do analog simulations track?
• Specification coverage
• PVTs (corners & Monte Carlo)
• Operating modes & interfaces
• Variation in input signals & loads, e.g. V, I, frequency ranges, ramps etc.
• Analog checks/assertions, e.g. vdd paths, high Z, SOA checks
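As an added illustration of two of the analog metrics listed above (specification coverage across PVT corners, and an SOA-style check), not Virtuoso ADE Verifier code: the specs, corners, regression results and waveform are constructed, and the coverage definition and the transient SOA rule are my assumptions.

```python
# Added example (not Cadence/Virtuoso code): a minimal analog verification
# plan tracked with metrics. Specs, corners, results and waveform are constructed.
PLAN = {  # spec parameter -> (min, max); None = unbounded on that side
    "gain_db": (40.0, None), "offset_mv": (-5.0, 5.0), "psrr_db": (60.0, None)}
CORNERS = [f"{p}_{v}V_{t}C" for p in ("ss", "tt", "ff")
           for v in (1.62, 1.8, 1.98) for t in (-40, 25, 125)]   # 27 PVT corners
RESULTS = {  # corner -> {spec: measured}; a missing key = measurement never run
    "tt_1.8V_25C":   {"gain_db": 46.1, "offset_mv": 0.8, "psrr_db": 71.0},
    "ss_1.62V_125C": {"gain_db": 39.2, "offset_mv": 3.1, "psrr_db": 63.5},
    "ff_1.98V_-40C": {"gain_db": 47.9, "offset_mv": -5.6},
}

def within(limits, value):
    lo, hi = limits
    return (lo is None or value >= lo) and (hi is None or value <= hi)

def closure(plan, corners, results):
    # Pass/fail per (spec, corner), the failing measurements, and spec
    # coverage = share of planned spec x corner points that have a result.
    rows, failures, covered = {}, [], 0
    for corner in corners:
        for spec, limits in plan.items():
            meas = results.get(corner, {}).get(spec)
            if meas is None:
                rows[(spec, corner)] = "not run"
                continue
            covered += 1
            rows[(spec, corner)] = "pass" if within(limits, meas) else "FAIL"
            if rows[(spec, corner)] == "FAIL":
                failures.append((spec, corner, meas))
    return rows, failures, covered / (len(plan) * len(corners))

def soa_check(samples, v_limit, t_limit):
    # Safe-operating-area assertion over (time, voltage) samples: an
    # excursion above v_limit is a violation only if it lasts >= t_limit.
    violations, start = [], None
    for t, v in samples:
        if abs(v) > v_limit:
            start = t if start is None else start
        elif start is not None:
            if t - start >= t_limit:
                violations.append((start, t))
            start = None
    if start is not None and samples[-1][0] - start >= t_limit:
        violations.append((start, samples[-1][0]))   # still over at end of sim
    return violations

WAVE = list(enumerate([1.8, 1.8, 2.1, 2.1, 1.8, 1.8, 2.2, 2.2, 2.2, 2.2]))  # (us, V)
```

With only three of 27 corners simulated, coverage is 8/81 even though most of the measured points pass; the two-sample glitch in WAVE is tolerated while the longer excursion is flagged.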
Analog Verification Planning
[Diagram: the Analog Verification Plan is built from experience from previous projects, requirements from other teams, existing tests and specification features/parameters, and is executed through Virtuoso ADE and SPICE scripts]
Tool flows: Incisive vManager – digital (MS) versus Virtuoso ADE Verifier – analog (MS)
Capabilities compared:
• Maps requirements to tests
• Runs tests and simulations
• Regression support / assertion assistant
• Tracks results
• Functional safety reporting
[Diagram: Incisive vManager top-level view over Cadence digital simulation and emulation in the System Development Suite (JasperGold technology, Palladium platform); Virtuoso ADE Verifier (V3 GUI, verification management) over Virtuoso ADE Assembler/Explorer and the Cadence analog and mixed-signal simulators, both linked to requirements management]
Virtuoso ADE Verifier: a new concept in analog verification
• A cockpit to drive plan-based verification for analog designs
• Top-down, requirements-driven analog verification flow
• Regression running capabilities enable more automated verification
• Requirements-based reports / pass/fail / summary table to track progress
• Link analog verification to requirements management and digital verification tools
• Support customers’ needs for requirements tracking (ISO 26262)
NASA drove changes in its system verification strategy
• NASA implemented a complex system of verification checks and cross-checks and applied them to all of its designers and suppliers – with a focus on identifying interface errors.
• The result: the most successful series of interplanetary spacecraft – NASA has an unprecedented 100% success rate for its Mars missions

Mission        Launch Date      Status                  Role
Mars Odyssey   April 2001       Still operational       Orbiter
Spirit         June 2003        100% mission success    Rover
Opportunity    June 2003        Still operational       Rover
MRO            August 2005      Still operational       Orbiter
Phoenix        August 2007      100% mission success    Lander
Curiosity      November 2011    Operational             Rover
MAVEN          November 2013    Operational             Orbiter
Welcome to Mars, Earthlings: view from Curiosity at Rocknest, Oct–Nov 2012
Image credit: NASA/JPL-Caltech/MSSS