white paper

How formal reduces fault analysis for ISO 26262

Generate ISO 26262 safety metrics.


The ISO 26262 standard defines straightforward metrics for evaluating the “safeness” of a design by defining safety goals, safety mechanisms, and fault metrics. However, determining those metrics is difficult. With simulation it is never known whether the design has been simulated long enough or with enough input; formal verification, by contrast, conclusively determines whether a fault is safe or not, so the failure rates derived from formal analysis are more than an arbitrary number determined by fault simulation.

Formal analysis tools that apply sequential logic equivalence checking (SLEC) techniques are an ideal solution for fault pruning, fault analysis, and determining diagnostic coverage. This paper discusses how to use formal verification for static and transient fault analysis to generate ISO 26262 safety metrics, first describing fault pruning and then the more sophisticated fault injection using SLEC.

Limitations of fault simulation

Systematic failure analysis can find simple faults, such as stuck-ats, but random hardware failure analysis, which poses a much harder challenge, is usually tackled through a process of fault analysis, including fault injection.

Traditionally, safety analysis is handled by a fault simulator. Fault simulators use existing tests and regressions and randomly inject faults during simulation to determine if the injected fault impacts safety critical outputs.

There are many possible methods. For example, using a simulation waveform dump from a golden run, a fault simulator injects faults and compares the results against the expected waveform to see whether the fault is eventually masked or violates a safety requirement (e.g., by corrupting a safety-critical signal).

Verification engineers use this fault information to calculate failure rate metrics (defined in the ISO 26262 standard) or diagnostic coverage, which is the proportion of the failure rate detectable or controlled by a safety mechanism. Or they use it to conduct function injection tests, which determine the effectiveness, correctness and timing of a safety mechanism.
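The fault campaign described above (inject a fault, compare against the golden result, decide whether the fault is masked or reaches a safety-critical output, and whether the safety mechanism catches it) can be shown end to end on a toy design. The following is an added example, not code from the white paper or from any tool vendor: a constructed gate-level netlist of a 2-bit adder protected by a parity-prediction safety mechanism, a stuck-at fault list on every gate output, and a classifier that derives a diagnostic-coverage figure. The netlist, the four-class fault taxonomy (safe / detected / residual / sm_only), the "simulation" vector set and the uniform failure-rate weighting are all assumptions made for the example. It also demonstrates the paper's point about simulation: the same classifier is run once over every input combination (what a formal tool establishes conclusively) and once over a small test set, and the two disagree.

```python
# Added example (not from the white paper): a stuck-at fault campaign on a
# constructed gate-level netlist, showing how faults are classified against
# safety-critical outputs and a safety mechanism, and how a limited test set
# (simulation-style) misclassifies a fault that an exhaustive (formal-style)
# analysis catches. All nets, vectors and numbers here are constructed.
from itertools import product

# 2-bit ripple adder (s1 s0 = a + b, carry-out cout) with a parity-prediction
# safety mechanism: pp predicts the parity of the sum bits from the inputs and
# the shared carry net c0, po observes the sum bits, and alarm = pp XOR po.
# Gates are listed in topological order: (output net, op, (input nets)).
NETLIST = [
    ("s0",    "xor", ("a0", "b0")),
    ("c0",    "and", ("a0", "b0")),
    ("t1",    "xor", ("a1", "b1")),
    ("s1",    "xor", ("t1", "c0")),
    ("c1a",   "and", ("a1", "b1")),
    ("c1b",   "and", ("t1", "c0")),
    ("cout",  "or",  ("c1a", "c1b")),
    ("pa",    "xor", ("a0", "b0")),   # predictor: independent copy of a0^b0
    ("pb",    "xor", ("a1", "b1")),   # predictor: independent copy of a1^b1
    ("pc",    "xor", ("pa", "pb")),
    ("pp",    "xor", ("pc", "c0")),   # predicted parity reuses c0 (shared logic)
    ("po",    "xor", ("s0", "s1")),   # observed parity of the sum bits
    ("alarm", "xor", ("pp", "po")),   # 1 = safety mechanism flags a mismatch
]
PRIMARY_INPUTS = ("a0", "a1", "b0", "b1")
SAFETY_OUTPUTS = ("s0", "s1", "cout")   # outputs a safety goal depends on
ALARM = "alarm"
OPS = {"and": lambda x, y: x & y, "or": lambda x, y: x | y, "xor": lambda x, y: x ^ y}


def evaluate(inputs, fault=None):
    """Evaluate the netlist; fault=(net, value) forces a stuck-at on that net."""
    nets = dict(inputs)
    for out, op, (x, y) in NETLIST:
        nets[out] = OPS[op](nets[x], nets[y])
        if fault is not None and fault[0] == out:
            nets[out] = fault[1]          # downstream gates see the stuck value
    return nets


def fault_list():
    """Stuck-at-0 and stuck-at-1 on every gate output net."""
    return [(out, value) for out, _, _ in NETLIST for value in (0, 1)]


def all_vectors():
    """Every input combination: for a small combinational block this is the
    exhaustive analysis a formal tool establishes conclusively."""
    return [dict(zip(PRIMARY_INPUTS, bits))
            for bits in product((0, 1), repeat=len(PRIMARY_INPUTS))]


# Constructed 'simulation' test set: four vectors that never drive a0=b0=1,
# so the carry net c0 is never exercised.
SIM_VECTORS = [dict(a0=0, b0=0, a1=a1, b1=b1) for a1 in (0, 1) for b1 in (0, 1)]


def classify(fault, vectors):
    """Compare faulty against golden results over the given vectors.
    safe:     never changes a safety-critical output or the alarm
    detected: changes a safety-critical output only when the alarm is raised
    residual: changes a safety-critical output at least once without an alarm
    sm_only:  changes only the alarm (a fault inside the safety mechanism)
    """
    affects_output = undetected = alarm_only = False
    for vec in vectors:
        golden, faulty = evaluate(vec), evaluate(vec, fault)
        if any(golden[o] != faulty[o] for o in SAFETY_OUTPUTS):
            affects_output = True
            if not faulty[ALARM]:
                undetected = True
        elif golden[ALARM] != faulty[ALARM]:
            alarm_only = True
    if affects_output:
        return "residual" if undetected else "detected"
    return "sm_only" if alarm_only else "safe"


def run_campaign(vectors):
    """Classify every fault and compute diagnostic coverage as the share of
    faults reaching a safety-critical output that the mechanism detects
    (each fault weighted equally, i.e. a uniform failure-rate assumption)."""
    results = {f: classify(f, vectors) for f in fault_list()}
    counts = {c: sum(1 for r in results.values() if r == c)
              for c in ("safe", "detected", "residual", "sm_only")}
    dc = counts["detected"] / (counts["detected"] + counts["residual"])
    return results, counts, dc


if __name__ == "__main__":
    for name, vectors in (("exhaustive", all_vectors()), ("4-vector sim", SIM_VECTORS)):
        _, counts, dc = run_campaign(vectors)
        print(f"{name:13s} {counts}  diagnostic coverage = {dc:.3f}")
    # c0 stuck-at-0 never activates in the limited set, so simulation calls it
    # 'safe' while exhaustive analysis shows it is residual.
    print("c0 stuck-at-0:", classify(("c0", 0), SIM_VECTORS), "(sim) vs",
          classify(("c0", 0), all_vectors()), "(exhaustive)")
```

Two things the toy campaign makes visible that the paragraph alone does not. First, where the residual faults come from: the carry net c0 is shared between the functional path and the parity predictor, so a fault on it corrupts both consistently and the alarm stays silent, and cout is not covered by the parity at all; diagnostic coverage is only as good as the set of outputs the mechanism actually observes. Second, the limited vector set never activates c0 stuck-at-0, reports it as safe, and yields a higher coverage figure (5 of 11) than the exhaustive run (6 of 14), which is the "never known if the design has been given enough input" problem the paper attributes to fault simulation. Enumerating all inputs is only possible for a block this small; for real sequential designs that role is taken by the formal engines the paper describes.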
