FMEDA at chip level can be augmented with fault injection techniques to validate and measure the diagnostic coverage of safety mechanisms. medini supports the connection to fault injection tools via the IPD-XML interface so that any 3rd Party tool implementing the exchange format can participate in the workflow. As a prerequisite, an IP Design is required that must be imported and linked to failure modes and safety mechanisms as described in this section.
The outline of the workflow is as follows:
Create a chip architecture in SysML on which the FMEDA is executed. This level describes the chip design by blocks and connections as a high-level, simplified model. In the FMEDA, identify failure modes and associate safety mechanisms as you would normally do for a design, assigning estimated values for the diagnostic coverage (DC) of the safety mechanisms (SM).
Import a chip design via IPD-XML as described in Import of Chip Design Data (IP Design). This implementation model can be used for failure rate distributions (see Failure Rate Aggregation for Chip Design Analysis) as well as for fault injection described here.
Map the failure modes of the architecture to observation points in the IP design. All failure modes that shall be executed in a fault injection campaign need to be mapped to IP design instances (e.g. ports, signals).
Map the safety mechanisms to diagnostic points in the IP design where the SM will flag a detected fault.
Generate the fault injection campaign from the FMEDA based on the above mappings. This step will produce an extended IPD-XML with a section for fault injection (essentially failure modes, safety mechanism and their link to the instance hierarchy).
Execute the fault injection using a 3rd Party tool (e.g. Synopsys/Cadence/Optima tool suites) or your own custom solution that can process IPD-XML for fault injection. As a result of this step, an updated version of the same IPD-XML will be produced that contains the results of the fault injection runs.
Update the estimated DC values in the FMEDA with the values measured in the previous step.
The following subsections describe how to map failure modes and safety mechanisms (see Mapping failure modes and safety mechanisms to IP design models), how to export the fault injection data (see Exporting Fault Injection Campaign Data), and how to update the DC values with results of the fault injection (see Updating Diagnostic Coverage values from fault injection runs).
The essential part for fault injection is to tell medini how a failure mode of the chip design manifests in the implementation. ISO 26262-11 / ISO PAS 19451 uses the terminology of observation points, meaning the port or signal where the failure mode will be observed. That usually means an output signal or value that differs from the expected output value (i.e. the "good run" in the functional simulation).
In order to define the observation points for a failure mode, do the following:
Select the failure mode to be mapped in the FMEDA or Model Browser and open the properties view.
Go to the "Profile" tab and select the "Observation Points" field. Note: If you do not see a profile tab or this property, you have not loaded an IP Design model into the project. See Import of Chip Design Data (IP Design) for how to do this.
Double-clicking in the "Observation Points" field opens a selection dialog that allows you to select instances and/or ports of the imported design. Choose the relevant ports/signals where the failure mode can be observed.
Press OK to confirm the selection.
The same steps apply for permanent and transient failures. Note that these steps have to be repeated for all failure modes of concern that should be included in a fault injection run.
Similarly, the safety mechanisms must be mapped to diagnostic points. Diagnostic points describe the outputs where the safety mechanisms will flag the detection of a fault. This allows the fault injection engine to determine the percentage of injected faults that are actually detected, and hence the diagnostic coverage:
Open the safety mechanism collection/configuration editor, see Safety Mechanisms and Predefined Catalogs for more details.
Select the safety mechanism to be mapped and double-click into the "Diagnostic Points" column.
A selection dialog opens showing all potential target models. Check those ports (or instances) on which the safety mechanism will flag the detection of a fault.
Press OK to confirm the selection.
After defining both the observation and diagnostic points, you are ready to generate a fault injection campaign as described in the following section.
Once all relevant failure modes and safety mechanisms have been mapped according to Mapping failure modes and safety mechanisms to IP design models, the fault injection campaign data can be generated. The campaign is a configuration that allows automated execution of fault injection runs. The exchange format is the IPD-XML (Version 1.2) publicly available on the Ansys website.
In order to generate the fault injection data do the following:
Select an FMEDA worksheet in the Model Browser as the scope of the export.
In the context menu, select "Export -> IPD-XML Fault Injection Campaign..." to open the export wizard.
Choose a target file for generation. Use the option "Exclude latent failure modes" if you just want to export the single point fault mechanisms and not the diagnostic functions.
If you press "Next", a consistency check will be executed to point you to any issues in the mappings. The wizard will show warnings and errors, for example, if failure modes/safety mechanisms are not mapped. Check whether everything is as intended and continue with "Next", or go back and refine the mapping.
Pressing "Next" again runs the export and produces the output file.
Pass the generated file to any fault injection tool that supports the IPD-XML and execute the campaign.
Note: the export of Fault Injection Campaigns is limited to FMEDA worksheets without individual metrics enabled.
If a fault injection campaign has been successfully executed, you should receive an updated IPD-XML from the 3rd Party tool that contains the measured diagnostic coverage of residual faults and (optionally) latent faults. To load these values into the original FMEDA, do the following:
Select the FMEDA from which the fault injection campaign was originally exported.
Choose "Import -> Update DC from FI..." from the context menu to open the update wizard.
On the first page specify the IPD-XML file which contains the fault injection results. Check the values which shall be updated, i.e. single point/residual fault DC and/or latent fault DC (if included). If "Backup existing values" is checked, all previous DC values are copied into a separate column of the FMEDA, so that you can analyze the differences subsequently.
Confirm the update with "Next" and check the status that appears on the final page of the import wizard.
Note that the wizard will update all failure modes which are found in the IPD-XML (by internal unique ID), independent of whether they are still marked as "violating safety goal" or not.
Note further that the backup columns are not visible by default! To turn them on, go to the project settings and choose "Profiling -> Diagnostic Coverage". In the Profiling section for "DC Failure Entry" you can activate "Estimated SPF DC" and "Estimated LF DC". When you return to the worksheet, the values will be visible.