AWS for Industries
TSMC certifies Siemens EDA tools on AWS for N2/N3 process node technology
The semiconductor industry continues to witness rapid technological advancements, requiring design workflows to evolve for better performance, efficiency, and scalability. A major milestone in this evolution is the Taiwan Semiconductor Manufacturing Company (TSMC) certification of Siemens electronic design automation (EDA) tools on the AWS Cloud, which brings profound benefits to semiconductor designers and engineers across the globe. This certification represents not only a stamp of approval from one of the most advanced semiconductor foundries in the world but also marks a shift toward cloud-enabled Siemens EDA workflows that deliver increased flexibility, performance, and innovation.
“AWS is pleased to work with Siemens EDA and TSMC on successfully certifying design solutions for TSMC’s advanced N2 and N3 process nodes for customers. This project enables customers to run EDA workloads, share data and collaborate with TSMC in a secure and trusted environment on AWS. The joint effort is testimony to the close collaboration and partnership between the three companies. TSMC advanced node certification is a significant milestone in the EDA on AWS journey.”
-Ravi Poddar, Principal Advisor Hi-Tech and Semiconductor Industry, Amazon Web Services.
This blog provides a technical overview of the secure, collaborative chamber on AWS that TSMC leverages to certify the N2/N3 process node technology using Siemens EDA tools. The initiative highlights the technical synergies between the involved parties and underscores the growing importance of cloud computing in the semiconductor industry.
Secure Cloud Chamber architecture for TSMC Certification Project
Figure 1: Secure cloud chamber architecture for TSMC certification project on AWS
Figure 1 depicts the overall secure cloud architecture deployed for this project using AWS industry solution Scale-Out Computing on AWS (SOCA). This custom architecture design was developed to meet specific project requirements from TSMC including a high performance compute (HPC) environment that is scalable to meet the infrastructure demands for the project as well as stringent security requirements to protect key assets and project IP. The architecture includes several AWS services and HPC components including the scheduler that orchestrates the jobs across various queues, the directory service (or LDAP) for user authorization and authentication, the license server to manage Siemens tool licenses, the autoscaling compute nodes, and the file systems. These components are encapsulated within the TSMC Open Innovation Platform (OIP) Virtual Design Environment (VDE). In addition to the VDE subnet, the secure file transfer subnet provides TSMC personnel access to the chamber to transfer the PDK (Process Design Kit) and other project files from on-premise servers. The DMZ (Demilitarized Zone) subnet provides the Siemens product engineers access to connect and work in the chamber through a virtual private network (VPN). Key data flows and functions supported by the chamber include:
- Secure File Transfer subnet for TSMC personnel to transfer the Process Design Kit (PDK), Graphic Design System (GDS), and other project files from the on-premise servers to Amazon S3 buckets on AWS.
- VDE chamber including the scheduler, the directory service (or LDAP), the license server, the autoscaling compute nodes and the file systems.
- DMZ subnet for the Siemens product engineers to connect and work in the chamber through VPN. This includes accessing the PDK and design data, running experiments using the Siemens EDA tools, and interactive sessions using NICE DCV Display servers.
- Automatic scanning to quarantine all files coming in and out of the chamber that are initially stored in a temporary bucket. Cybersecurity related checks are performed in the scan – such as malware detection, phishing and other forms of vulnerabilities. If the scan passes all security checks, the files go into the clean bucket for use within the chamber.
TSMC Security Requirements for Certification Project
TSMC key security objectives for the certification project on AWS includes: 1/ audit log and traceability, 2/ prevent unauthorized access, and 3/ data security, or more specifically, protecting the PDK. To achieve these objectives, we put together a set of security controls leveraging several AWS services and features. The key security services and controls implemented in the chamber include:
- Network Access Control (NACL): A feature part of Amazon VPC (Virtual Private Cloud), NACL is used to control and report traffic at IP and protocol level in a subnet within the virtual private cloud or VPC. In effect, the NACL works as a network firewall on AWS. By default, all inbound and outbound traffic is blocked by NACL except what is explicitly allow-listed by TSMC to access the secure chamber on AWS.
- Security Group: In addition to the NACL that acts as the network firewall, a security group serves as a virtual firewall for each instance to control inbound and outbound traffic on AWS.
- Virtual Private Cloud (VPC) Flow Logs: VPC flow logs capture information about the IP traffic going to and from network interfaces in the VPC. Flow log data publishes to Amazon CloudWatch logs for analytics. Flow logs monitor the traffic that is reaching the compute instances and also determines the direction of the traffic to and from the network interfaces. Flow log data is collected outside of the path of your network traffic and therefore does not affect your network throughput or latency.
- Observability and Monitoring: Amazon CloudWatch is used as an integrated, single-pane window for all monitoring to meet the logging and security objective. All logs generated in the project, including VPC flow logs, AWS CloudTrail, Amazon GuardDuty, Amazon S3 and application logs are all consolidated in Amazon CloudWatch with mechanisms to trigger alarms and workflows in case of suspicious activities. AWS EventBridge is used to keep track of all resources deployed in the chamber and any modifications to the resources is captured automatically with notification capability.
- Access Control: Amazon Identity and Access Management (IAM) is used to prevent unauthorized access. VPN is used to secure user permission from the end device, and multi-factor authentication acts as an additional layer of security to prevent unauthorized users from accessing these accounts, Open LDAP directory service that manages users with their respective credentials and privileges. Security groups and web application firewall (WAF) are used to implement network and application access controls at the IP, port, and protocol level.
- Data Protection: To prevent PDK leakage, we use permission and encryption controls at the storage level, including Amazon S3 and Elastic File Storage (EFS). In addition to the standard AWS network and security controls, we implemented an automatic scanning mechanism to quarantine all files coming in and out of the chamber that first goes into a temporary bucket, and then after all security checks are performed, goes into the clean bucket for use within the chamber.
Testing and results
The goal of the project was to take seven of TSMC’s sign-off Siemens EDA production flows and verify their results by comparing against TSMC’s golden values on sets of select testcases from TSMC’s 2 nanometer and 3 nanometer accuracy test suites. Test data and golden results were securely uploaded to the cloud test environment, and made accessible to technical stakeholders inside Siemens.
Methodology
The objective of the accuracy tests was to compare two identical runs – same version of the tool, same rules – with the only difference between the two runs being that one occurred inside TSMC’s secure on-premises chamber and the other occurred inside the secure AWS environment. The golden results were transferred as part of the test package including testcase data, setup files, design rules and so forth. Comparison of the two rules resulted in a report file which was reviewed by TSMC.
Test strategies varied. In some cases, tests were conducted on large numbers of test patterns or small cells, and in other cases tests were run on complete full-chip designs. In the case of full chip runs, the host machines were configured inside the AWS cloud environment to run in distributed mode, with communication between a primary host and multiple remote hosts. In cases of individual test patterns or cells, thousands of individual jobs were submitted to the compute environment. As part of the runs, we compared with TSMC’s golden values and automatically produced test reports which we made available back to TSMC.
We tested accuracy by comparing cloud results with the on-premises run, and also tested parallelism to ensure accuracy with parallel jobs running across multiple cloud hosts. The team ran multiple diverse testcases covering simulations across transient, AC, DC, RF, and aging analysis, as well as multi-simulations using Monte Carlo methods.
Results
For the Calibre nmDRC, SmartFill, nmLVS, PERC, xACT and mPower tests, we conducted a single run for the full chip with distributed processing. For the individual test cells, we ran multiple tests in parallel across multiple hosts. The results of these tests gave consistent and identical results on cloud and on-premises.
SolidoTM SPICE and AFS, part of SolidoTM Simulation Suite, were tested for accuracy and scalability on various circuits in TSMC N2 process technology. Test cases included standard cell, analog and IO circuits that ranged from small to large capacity designs. Single simulation analyses included AC, DC, transient, phase noise and aging for selective designs as specified by TSMC. Their accuracy metrics included bandwidth, phase margin, DC gain, frequency, power, current, phase noise, delay, slew, leakage as appropriate to each design. Multi-simulations for monte-carlo transient were also done on single and multiple machines for standard cells, with slews and cell delays being the accuracy metrics. All results showed consistent and identical results on cloud and on-premises.
“Siemens EDA is pleased this 3-way collaboration showed that AWS cloud meets TSMC’s stringent security requirements for protection of foundry and customer data – giving the fabless semiconductor ecosystem confidence to use the AWS cloud for their most sensitive workloads. This was also an excellent demonstration that the AWS cloud can be leveraged for high accuracy additional surge capacity to run the industry leading Calibre nmPlatform and Solido/AFS workloads.”
– Michael White, Senior Director, Calibre Physical Verification.
Conclusion
The collaborative project between TSMC, Siemens EDA, and AWS demonstrates parity between the results from cloud environments versus on-premises setups, but with the added benefits of scalability, flexibility, and cost-effectiveness. The successful certification of Siemens EDA’s signoff flows on AWS provides high confidence in the cloud’s capabilities, paving the way for broader adoption in the semiconductor industry.
The journey of this project underscores the importance of collaboration and innovation in meeting the ever-growing computational demands of the semiconductor industry. As cloud computing continues to evolve, it promises to play a pivotal role in shaping the future of semiconductor design and manufacturing.
“Our recent collaboration with AWS and Siemens marks a major advancement in semiconductor design workflows in Cloud, enabling next-generation chip design using TSMC’s most advanced process technologies, while providing designers with enhanced efficiency and flexibility. We will continue to work closely with our EDA and Cloud partners to lower the barriers to semiconductor design, helping designers worldwide quickly launch their chip innovations.”
– Dan Kochpatcharin, Head of the Ecosystem and Alliance Management Division at TSMC