Disregard Safety and Security at Your Own Peril!
The gold standards for mitigating safety issues call for including safe operation handling systems in FPGA and SoC designs, which must be fully verified for functional correctness and fault tolerance.
Disregard safety and security at your own peril, chip design verification engineers!
Safety and security represent new frontiers in design and verification, adding complexity into chip development, while driving significant change in workflows. They also require a mindset change in how to approach system architectures because mitigating these threats needs to be designed in from the outset. Failure to heed the warning could result in dangerous operational errors caused by environmental effects or deliberate malicious intent with catastrophic results.
Mil/Aero DO-254 and automotive ISO 26262 are the gold standards for addressing safety risks. These standards require the addition of safe operation handling systems into field programmable gate array (FPGA) and system-on-chip (SoC) designs, and those systems must be fully verified for functional correctness and fault tolerance. Protections like these are expensive to build and need specialized capabilities to validate.
Reducing Vulnerability to Attacks
A range of security features is now in play in modern electronic systems to reduce their vulnerability to malicious attack or to a failure that endangers lives. The absence of security holes is hard to ensure, whether the task is leveraging protected regions in processor memory for trusted virtual machines such as Arm’s TrustZone; testing for access to encrypted keys or critical registers via unexpected paths in a design; or even checking for Trojan horse-type malware inserted during the development process.
The electronic design automation (EDA) industry is responding with new tools and techniques that add safety and security capabilities to design and verification methodologies. The alternative, creating tests by hand, would be time consuming and error prone, hardly meeting the required standard for many applications.
The new Accellera Portable Test and Stimulus Standard (PSS), designed to provide powerful abstract verification testbenches, can be used to automate a safety and security flow. It can provide a machine-readable mechanism for describing requirements and safety and security goals, generating rigorous tests, and producing reliable coverage metrics at an effective level of abstraction.
PSS allows verification scenario descriptions to be specified at a high abstraction level, synthesizing tests to be applied across the FPGA or SoC and generating synchronized processor code and transactions that operate together to reproduce the scenario in question. In addition to generating pre-defined “apps” that may be easily configured for different FPGA or SoC architectures, designers can create the required scenarios for a broad range of verification functions. This capability allows tests to be created automatically that thoroughly verify all facets of a multicore processor installation or a functional register transfer level (RTL) block of code with minimal effort, for both simulation and emulation applications.
Portable Stimulus tools enable a specification model that can generate functional safety requirements-based tests and perform security analysis. They allow the specification of abstract scenarios that are then executed to generate a broad range of tests that target all associated code. For instance, specifying a TrustZone-style protected region and then generating every possible test to break into it can be simplified if the engineer can start with the spec of the trusted region. In this manner, tests can be synthesized to automatically check for vulnerabilities of kinds an engineer might not have imagined.
ISO 26262 Applicability
The Portable Stimulus standard offers new techniques applicable to ISO 26262, the specification for how safety goals are evaluated in an automotive device development process, and highlights the effectiveness of PSS for systematic functional safety requirements. Based on the well-known “V-model,” PSS can be used to describe safety requirements, changing how the implementation of requirements is verified and how the effectiveness of this process is measured.
ISO 26262 provides a clear depiction of specifications where precise verification scenarios can be extracted by a Portable Stimulus software tool. Some of the tools can generate comprehensive test sets and coverage models based on the specification that can be correlated to the modeled scenarios for a closed-loop test system closely mirroring the ISO 26262 recommended procedure.
The ISO 26262 Automotive Safety Standard specifies two central verification processes for hardware design. The Systematic Development Process ensures that requirements for the hardware design are specified correctly and have been fully considered for safety. It also ensures that the implementation of these requirements has been fully and rigorously verified. The random-failure process ensures that the device keeps operating correctly even if internal components are affected by environmental or other effects.
The ISO 26262 Systematic Development Process describes a rigorous mechanism for detailing the requirements that must be met. It starts with system-level concepts, then safety requirements specification, system design, and finally hardware and software product development. The ISO 26262 standard provides little guidance on how these goals might be broken into requirements. It requires a rationale for each requirement, along with evidence that the assumptions made were handled appropriately, that any attributes related to the requirement type were defined, and that the requirement is implementable and fully testable.
PSS can be applied to the systematic verification process, where ISO 26262 safety goals can be broken into functional safety requirements. By describing such a specification and using it to automatically produce tests, together with coverage metrics that can be directly evaluated against the specification elements, PSS has the potential to produce a closed-loop, automated process to evaluate ISO 26262 requirements.
Portable Stimulus models can be displayed as graphs. A Portable Stimulus tool reads this description and, by walking the graph with randomized choices among the actions, produces a test set. This process involves test synthesis, system-level constrained random solving, test scheduling and other process elements. Test sets may then be deployed into different testbenches, depending on the verification phase for which they were intended.
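As an added illustration, not code from this article, from the PSS standard, or from Breker's Trek, the Python toy below models the mechanism described in this paragraph together with the TrustZone-style protected-region example given earlier: an abstract scenario graph is walked with constrained-random choices to synthesize a test set, and coverage is then reported back against the requirement each coverage bin provides evidence for, which is the closed loop the ISO 26262 discussion asks for. The requirement identifiers, address map, action names and the reference model of the protection rule are all constructed for the example and are not PSS syntax.

```python
"""Toy scenario-graph test synthesizer in the spirit of Portable Stimulus.
Written for this illustration; not PSS syntax and not any vendor's tool."""
import random

# Constructed requirement identifiers (hypothetical, not from any standard).
REQUIREMENTS = {
    "REQ-SEC-1": "non-secure world is denied access to the trusted region",
    "REQ-SEC-2": "secure world is granted access to the trusted region",
    "REQ-SEC-3": "any world is granted access outside the trusted region",
    "REQ-SAF-1": "a denied access raises a fault that the handler clears",
}
TRUSTED_BASE, TRUSTED_SIZE = 0x1000_0000, 0x1000  # constructed address map

# Scenario graph: node -> legal successors. One walk from "configure_region"
# to "done" is one abstract scenario; parameters are solved at each node.
GRAPH = {
    "configure_region": ["access"],
    "access": ["check"],
    "check": ["fault_handler", "done"],
    "fault_handler": ["done"],
    "done": [],
}

def in_trusted(addr):
    return TRUSTED_BASE <= addr < TRUSTED_BASE + TRUSTED_SIZE

class ProtectionModel:
    """Reference model of the access-control rule the generated tests check."""
    def __init__(self):
        self.fault_pending = False

    def access(self, world, addr):
        allowed = world == "secure" or not in_trusted(addr)
        if not allowed:
            self.fault_pending = True
        return allowed

    def clear_fault(self):
        self.fault_pending = False

def solve_access(rng):
    """Constrained-random solve for the 'access' node. Half of the draws are
    steered into the trusted region so the protected corner is always hit."""
    world = rng.choice(["secure", "nonsecure"])
    op = rng.choice(["read", "write"])
    if rng.random() < 0.5:
        addr = TRUSTED_BASE + rng.randrange(0, TRUSTED_SIZE, 4)
    else:
        addr = rng.randrange(0, TRUSTED_BASE, 4)
    return {"world": world, "op": op, "addr": addr}

def synthesize_test(rng):
    """Walk the graph once; return a list of (action, params, expected) steps."""
    model, node, steps, allowed = ProtectionModel(), "configure_region", [], None
    while node != "done":
        if node == "access":
            params = solve_access(rng)
            allowed = model.access(params["world"], params["addr"])
            steps.append(("access", params, {"expect_allowed": allowed}))
        elif node == "check":
            steps.append(("check", {}, {"expect_fault": not allowed}))
        elif node == "fault_handler":
            model.clear_fault()
            steps.append(("fault_handler", {}, {"expect_fault_cleared": True}))
        else:
            steps.append((node, {}, {}))
        succ = GRAPH[node]
        if node == "check":  # the handler branch is only legal after a fault
            succ = ["fault_handler"] if model.fault_pending else ["done"]
        node = rng.choice(succ)
    steps.append(("done", {}, {}))
    return steps

def bin_requirement(world, inside):
    """Map an access coverage bin to the requirement it provides evidence for."""
    if not inside:
        return "REQ-SEC-3"
    return "REQ-SEC-1" if world == "nonsecure" else "REQ-SEC-2"

# Bins each requirement needs: (world) x (inside/outside) x (read/write).
BINS_PER_REQ = {"REQ-SEC-1": 2, "REQ-SEC-2": 2, "REQ-SEC-3": 4, "REQ-SAF-1": 1}

def coverage(tests):
    """Closed loop: fraction of each requirement's bins hit by the test set."""
    hit = {req: set() for req in REQUIREMENTS}
    for steps in tests:
        for action, p, _ in steps:
            if action == "access":
                inside = in_trusted(p["addr"])
                hit[bin_requirement(p["world"], inside)].add((p["world"], inside, p["op"]))
            elif action == "fault_handler":
                hit["REQ-SAF-1"].add("handler_ran")
    return {req: len(hit[req]) / BINS_PER_REQ[req] for req in REQUIREMENTS}

def synthesize_suite(seed=7, count=200):
    """Seeded so the synthesized suite is reproducible for regression."""
    rng = random.Random(seed)
    return [synthesize_test(rng) for _ in range(count)]

if __name__ == "__main__":
    suite = synthesize_suite()
    for req, frac in coverage(suite).items():
        print(f"{req}: {frac:.0%}  ({REQUIREMENTS[req]})")
```

Each synthesized test carries its expected result, so the same step list can be turned into processor code for simulation or emulation and checked against the design rather than against this toy model; the coverage report is the part that closes the loop, because a requirement whose bins stay unhit shows up directly as a gap in the evidence.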
Correctly applied, PSS can automate a large part of the verification flow and the required coverage feedback. Breker Verification Systems, for example, offers a complete Portable Stimulus verification solution called Trek for an ISO 26262 or Mil/Aero DO-254 deployment flow across all verification phases (Figure 1).
With the emerging Portable Stimulus standard, FPGA and SoC designers need not worry about disregarding safety and security. Implementing a verification flow targeting safety and security risks can provide an effective solution for meeting the rigorous Mil/Aero DO-254 and ISO 26262 requirements and goals.
Dave Kelf is chief marketing executive at Breker Verification Systems, the leading provider of Portable Stimulus. Most recently, he served as vice president of worldwide marketing solutions at formal verification provider OneSpin Solutions. Kelf holds a Bachelor of Science degree in Electronic Computer Systems from the University of Salford and a Master of Science degree in Microelectronics from Brunel University, both in the U.K., and an MBA from Boston University.