Addressing the Challenges of Safety verification for LPDDR4. ✓Avoid traditional approach of starting functional safety after functional verification : Iterative and expensive development phase 1. Functional Safety Need to be Architected and not added later. 2. Safety Analysis must start prior to implementation. ‘Design for safety/verification’ 3. Reuse & Synergize : Nominal and Functional Safety Verification. ✓Fault optimization with formal and other techniques is necessary to overcome challenges with scaling simulation and analysis. ✓Integrated push button fault simulation flow is need of hour and saves verification engineers time. ✓Analog defect modelling and coverage can be performed based on IEEE P2427.

1. Qualifying a high performance Memory subsystem
for Functional Safety
Pankaj Singh
CDNLive Bangalore
August 29, 2019

2. 2 © 2019 Cadence Design Systems, Inc. All rights reserved.
Safety Verification Challenges
• Functional Safety (FuSa) sometimes starts late and may not be an integral part of the development
cycle.
• Verification environment/testcases development takes effort for FuSA
• Manual approach of Safety architecture/requirement analysis is iterative process and prone to error.
• Significant Scaling of Simulation and Analysis Is Required to Meet Regulatory Standards
• Fault Simulation tool flow needs to integrated/automated to run regression
• Gaps in Safety Verification of Analog design6
1
4
3
2
5

3. 3 © 2019 Cadence Design Systems, Inc. All rights reserved.
Reuse of Functional Testbench/Testcases for Functional Safety
Simulations
Early start of FuSa along with Systematic verification
Reuse of verification environment/parametrized testcasesReuse of verification environment/parametrized testcases
1
2
PVPL: Product Verification Plan
PVS: Product Verification Spec
FuSs: Functional Safety

4. 4 © 2019 Cadence Design Systems, Inc. All rights reserved.
LPDD4 FMEDA Details
• Initial focus was to target modules with higher FIT rate .
• Full Regression at Early stage gives good picture on Diagnostic Coverage.
• Limitations:
• No integration with design date for accuracy of details. The result update to FMEDA sheet is time
consuming and prone to manual error.
FMEDA: Failure Mode, Effects and Diagnostic Analysis
FIT: Failure in Time

5. 5 © 2019 Cadence Design Systems, Inc. All rights reserved.
vManager Safety Planner App – High Level FM’s
Generate Report
Filter Options
✓ Web enabled Safety Planner App can overcome limitation of manual error and also
improve accuracy due to design data input .
✓ Supports FMEDA Analysis/update to define the safety architecture (SM) and
safety requirements.
✓ Supports Verification of the FMEDA by means of fault injection and formal analysis
3

6. 6 © 2019 Cadence Design Systems, Inc. All rights reserved.
Significant Scaling of Simulation and Analysis Is Required to Meet
Regulatory Standards
Functional
Simulations
Fault Injection Simulations
SPFM LFM
ASIL B ≥ 90 % ≥ 60 %
ASIL C ≥ 97 % ≥ 80 %
ASIL D ≥ 99 % ≥ 90 %
TARGET
Jasper FSV fault analysis/optimization
FST step removes untestable faults
ASIL: Automotive Safety Integrity Level

7. 7 © 2019 Cadence Design Systems, Inc. All rights reserved.
FSV Structural Analysis Techniques
• Out-of-COI Analysis
• A fault node outside the Cone-of-Influence
(COI) has no physical connection to the
functional strobe(s)
• Fault is Untestable (Safe)!
• Activatable Analysis
• A SA0/1 fault injected on a node which
is constant 0/1 cannot be activated
• Fault is Unactivatable (Safe)!
• Propagatable Analysis
• A fault that is activated and in COI, but
cannot be observed on the functional strobe
• Fault is Unpropagatable (Safe)!
Strobe
OOCOI
Strobe
Barrier
Unprop
Unact
Const
Dangerous Fault
Safe Fault

8. 8 © 2019 Cadence Design Systems, Inc. All rights reserved.
Fault Analysis and Optimization
Functional Safety Verification Timeline
Optimized Fault list
• FSV Analysis Optimization:
✓ Cone-Of-Influence of
Outfunctional strobes
✓ Unactivatable due to constants
✓ Unactivatable due to design
✓ Unpropagatable to functional strobes
Controller:
Fault targets – 138K
total →
Optimized to 58,504
PHY:
Fault targets – 241K
total→
Optimized to 73,835
4
• Other Techniques based on
design knowledge/Analysis:
✓ Duplicated instances removal
✓ Bus reduction: If Some bits with
same fault type (SA0/SA1) are
covered, other bits could be waived
✓ Bist & Debug mode related
functionality
✓ Redundant Logic removal

9. 9 © 2019 Cadence Design Systems, Inc. All rights reserved.
Testbenh
(SystemVerilog, ‘e’,
SystemC, etc)
Fault List/Control
File
Fault Machine
Simulation
Elaboration
(Instrumenting)
Fault Campaign
Data
Fault Campaign Resutls
(Detected, undetected,
partially detected)
Fault report
generation (Total
detected,
undetected, etc.)
Good Machine data
and fault set
Design
(Verilog, VHDL,
SVD)
Good Machine
Simulation
Fault Machine
SimulationFault Machine
Simulation (1…N)
Fault commands
and control
LPDDR4 Statistical Fault Regression Flow
Stastical
Fault
simulation
DDRTestCases
T
1
T
n
Representative
Faults
FMEDAEstimates
FaultSimulation
ANALYSIS&Actions
Safety
Verification
Report
• #1 Compile and elaborate
• Specify the target area for fault
injection
• #2 Execute a good simulation
• Specify strobe information to generate
the good machine data
• #3 Execute N fault runs
• N is number of nodes in the fault list
• #4 Generate a report from the fault
campaign
• Merge all fault runs in a single,
cumulative report
5
vManager Safety Client (mdv/AGILE/18.03.001)
Xcelium Simulator (xcelium/AGILE/18.03.001)
™
™

10. 10 © 2019 Cadence Design Systems, Inc. All rights reserved.
Working Effort – Burning of NC &DU Faults
• NC does not mean SAFE !
• If functionality is not active, fault would not impact F-O
• Fault on target must be propagated to functional output as much as possible
• DU does not mean DANGEROUS !
• Fault simulation time == Good simulation time
• Timeout threshold is too large to count up over threshold
• Duration of good sim + 20% margin
NC
DU
Develop test to
cover function DU
Set Proper Checker
DD
Set Proper Checker
Analysis fault
Develop test and
enable proper
checker function
Run regression
& collect DD list
Update waiver
list according to
fault reduce rule
DC < 99 %
Safety verification
Functional coverage + Code coverage +
Diagnostic coverage
Record DD list to reduce fault
simulation run number
DD: Dangerous Detected
DU: Dangerous Undetected
NC: No Convergence

11. 11 © 2019 Cadence Design Systems, Inc. All rights reserved.
Sample Fault Grade Report

12. 12 © 2019 Cadence Design Systems, Inc. All rights reserved.
Safety Verification of Analog Modules
• Analog Fault injection for LPDDR4: Not done.
netlist
test
Defect /
Fault list
Coverage
summary
Defect / Fault
status
Pass/Fail
results These are the three
deliverables specified
by the standard
Simulate test on original
circuit
Enumerate defect & fault list
and weights
Simulate test on
defective/faulty circuits
Report coverage
netlist2
netlistm
netlist1
P2427: Standard for Analog Defect Modelling & Coverage
P2427 specifies Analog defects and coverage
Gap
6
Reference[1]

13. 13 © 2019 Cadence Design Systems, Inc. All rights reserved.
Category Location Degree Root causes
DC short
Same layer
Low resistance Dust
High resistance Stringer
Between
layers
Low resistance Missing oxide
DC open Resistive High resistance Partial contact
Complete Infinite resistance Missing contact
Missing geometry
AC coupling Same layer >2X design value OPC distortion
Between
layers
>2X design value Oxide thinning
Leakage PN junction ESD
Dust
Gate oxide Local weakness in
thin oxide layer
Stuck-on Undercut gate
ESD
Stuck-off Thick oxide
Extreme
variation
> Specified
DF_PDK (Deviation
Factor) to
specification or
process corner
Mouse bite
Blob
The standard does not mandate a particular
defect model to be used, but it does mandate the
model description to be part of coverage report
Defects Commonly Observed in Silicon
and Targeted by Manufacturing Tests
dg_short
gs_short
ds_short
d_open
g_open
Defect
Identification
Defect
Identification
Defect
Defect
Identification
Defect
Simulation
Coverage
Defect
Identification
Defect
Simulation
Coverage
Analysis
Defect
Simulation
Coverage
Analysis
Legato™ platform Environment developed in alignment with IEEE P2427
Reference[2]
Analog Defect Modelling

14. 14 © 2019 Cadence Design Systems, Inc. All rights reserved.
– Schematic netlists (no layouts)
– Process files: typical, SS, SF,
FS, FF
– Specifications, with limits, only
for 3.3 volt operation at 27C
OPAMP• 77 Hard defects (after collapsing)
– 43 shorts : 3 per MOS transistor, 1 per diode,
C, R (JFET)
– 34 opens: 2 per MOS transistor, 1 per diode,
C, R (JFET)
• Defect Models. Short: 200 Ω. Open: 1 GΩ
Defect
type
Defect
Model
Detected
defects #
Undetectab
le Defects #
Undetected
Defects #
Detectable
Coverage (%)
Weightin
g
algorithm
Corner(
s)
Test
conditions
Short 200 Ω 34 0 9 81 None Fast/Slo
w
Input: 1 MHz
0.5V sine, 1.65 V
bias, via 10 kOpen 1 GΩ 17 0 17 50 none Fast/Slo
w
Coverage Report
Note: Soft and parametric defect injection is not supported yet in the official release
Reference[2]
Example: Op-Amp From ITC’17 Benchmarks

15. 15 © 2019 Cadence Design Systems, Inc. All rights reserved.
LPPDDR4 Safety Verification Summary
✓ Avoid traditional approach of starting functional safety after functional
verification : Iterative and expensive development phase
✓ Functional Safety Need to be Architected and not added later.
✓ Safety Analysis must start prior to implementation. ‘Design for safety/verification’
✓ Reuse & Synergize : Nominal and Functional Safety Verification.
✓ Fault optimization with formal and other techniques is necessary to overcome
challenges with scaling simulation and analysis.
✓ Integrated push button fault simulation flow is need of hour and saves verification
engineers time.
✓ Analog defect modelling and coverage can be performed based on IEEE P2427.
IP
REQ
Customer REQ
App Assumption
FuSA
Concept
FMEA FMEDA
Functional Verification (Systematic)
Digital
P
V
P
L
P
V
S
Design
Update
(Safety
Mech)
✓Architecture→
✓Product→
✓Design
✓FailureModes
✓ASIL REQ
✓FailureMode
→ Safety
Mechanism
✓DC(ASIL)
✓PVPL:Product
Verif. Plan
✓Verifiability
✓Verification
Assignment.
✓Verification
Domain
✓PVS: Product
Verif. Spec
✓Verif Strategy
Safety (Random) Verification: Formal/Dynamic
✓Qualitative
Verification
(Fault
injection) of
Safety
Mechanism
✓Functional
Verification
(Systematic)
Closure
Safety
Metric
Verification
Report
✓Statistical
(Fault
injection)
Verification
✓Analysis
SAFETY ANALYSIS/ Fault Optimization
Analog
DESIGN
Fault
Campaign
Mgmt
1
2
3
46
5

16. 16 © 2019 Cadence Design Systems, Inc. All rights reserved.
Safety-Compliance IP : Requirement for Automotive Application
ASIL-D/C
ASIL-D/C
ASIL-D/C
®
ISO 26262
Functional Safety Is Critical to the Success of Autonomous Vehicles Being Designed Today

17. 17 © 2019 Cadence Design Systems, Inc. All rights reserved.
Acknowledgements
DDR IP Safety Team
– Mingyang Zhu
– YJ Patil
– James Yang
– Siva Prasad
– Pranesh M
– Tony Vu
– Tobing Soebroto
Guidance on Automotive Safety
Standards/tools/flow
– Mangesh Pande-Safety Verification
tools/flow
– Pradeep Bagavathiappan –Jasper
– Amit Bajaj: P2427
– Brian Taylor: ISO26262
Helping Me Tell Our Story
– Thomas Wong

18. 18 © 2019 Cadence Design Systems, Inc. All rights reserved.
References
1. Using IEEE P2427 to measure the coverage of analog tests. European Test Symposium (ETS) May 2019, Baden Baden,
Germany, Vladimir Zivkovic (Cadence), Jeff Rearick(AMD)
2. Legato™ Reliability Solution ADE/Spectre Fault Simulation. Cadence Customer Presentation. Walter Hartong , Jianhe Guo
3. Functional Safety Workshop. Stefano Lorenzini, Mangesh Pande, Joerg Mueller
Thank you

19. © 2019 Cadence Design Systems, Inc. All rights reserved worldwide. Cadence, the Cadence logo, and the other Cadence marks found at www.cadence.com/go/trademarks are trademarks or registered trademarks of
Cadence Design Systems, Inc. All other trademarks are the property of their respective owners.