EE Times-Asia

Driving reliable automotive system design with FPGAs

Posted: 03 Dec 2009

Keywords: reliable automotive, automotive system design, FPGA

The increased use of complex automotive electronics systems requires that they be designed for "ultra-reliability," because an automotive system failure could place vehicle passengers in a life-threatening situation. System designers are considering the use of FPGAs more frequently in these systems due to these devices' ability to integrate and perform complex functions.

However, there are two primary concerns regarding the use of FPGAs in automotive systems: the need to protect the valid FPGA configuration used for initialization, and the need to prevent SRAM corruption during device operation. Unless both concerns are fully addressed, FPGAs cannot be part of an ultra-reliable automotive system design.

Fortunately, current AEC-Q100 qualified FPGAs incorporate several advanced features that resolve these concerns. This article highlights several solutions that address both the initialization configuration and potential SRAM corruption issues.

FPGA configuration protection
Upon system power up, SRAM-based FPGAs download their configuration from an external source. The boot source can be memory devices such as serial EEPROM or flash. Boot sources can also be intelligent devices, such as a microcontroller, that can provide the correctly formatted and timed data bitstream.

All FPGAs have some type of cyclic redundancy check (CRC) for the initialization bitstream, which is tested at the end of startup to verify the integrity of the transfer. If an error is detected in the bitstream, the FPGA will not initialize. This check prevents incorrect (and possibly dangerous) operation of the system. Most FPGAs also set an external pin that notifies the system controller that the initialization has failed, prompting the controller to retry the initialization sequence.

There are several scenarios in which the initialization bitstream can be corrupted. These include:
• Hard failure of the boot memory;
• Memory retention issues;
• Deliberate tampering;
• Memory erasure;
• Electrical noise.

When designing ultra-reliable automotive systems using FPGAs, there are four fundamental steps that must be followed to properly address these scenarios.

Step one is to use a non-volatile SRAM FPGA that includes on-chip flash memory. This changes the boot device from an external component to a memory array that is internal to the FPGA. Moving the boot source onto the same die eliminates many of the common initialization failure modes. This type of integrated design also increases the initialization speed and allows the FPGA to be used in "instant-on" systems.

Figure 1: Shown is an example of an FPGA dual-boot system.

The second step is to add an external boot device that can serve as the automatic fallback device (Figure 1). A key feature of FPGAs is field reprogrammability. In automotive systems, this feature allows new programs to be downloaded (for example, at the automotive dealership) as an authorized field update to add features or to fix design errors.

However, it is possible that the data stream will be corrupted during both the transfer and the programming of the memory, and that the corrupted data stream will prevent correct FPGA initialization. To deal with update corruption, the design typically includes a "golden" factory copy of the initialization code in the external memory device. This duplicate allows the system to recover from any problems with the image stored in the internal memory array. By adding the secondary boot device, there is an assured factory backup or at least a "limp-home" mode operating image.

Figure 2: Shown is decryption of external boot or flash programming bit streams.

The third step is to secure the backup bitstream contained in the external memory device by using bitstream encryption to protect the boot image (Figure 2). Many of the automotive FPGA families support 128-bit AES bitstream encryption to prevent reverse engineering and unauthorized changes to the design. An encrypted image is stored in the external boot device; during initialization the image is decrypted and moved into the SRAM cells. The same encryption mechanism can also be used to download a new image into the internal flash memory.
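The three mechanisms just described (the CRC checked at the end of startup, the fallback from a corrupted internal image to the external "golden" copy, and the encrypted external image that is decrypted on load) combined into one added Go simulation of a boot controller. This is example code written for this article, not code from the article or from Lattice; the image layout (payload followed by a CRC-32 trailer), the use of AES-128 in CTR mode, the demo key and the sample images are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// Image layout (assumed for this example): payload || big-endian CRC-32,
// standing in for the CRC the FPGA checks at the end of startup.
func buildImage(payload []byte) []byte {
	img := make([]byte, len(payload)+4)
	copy(img, payload)
	binary.BigEndian.PutUint32(img[len(payload):], crc32.ChecksumIEEE(payload))
	return img
}

// verifyImage returns the payload when the trailer matches, else an error a
// real controller would raise on its "initialization failed" pin.
func verifyImage(img []byte) ([]byte, error) {
	if len(img) < 4 {
		return nil, errors.New("image too short for CRC trailer")
	}
	payload := img[:len(img)-4]
	if crc32.ChecksumIEEE(payload) != binary.BigEndian.Uint32(img[len(img)-4:]) {
		return nil, errors.New("CRC mismatch: bitstream corrupt")
	}
	return payload, nil
}

// EncryptImage builds the blob stored in the external boot device:
// random 16-byte IV || AES-128-CTR(key, img). CTR is an assumed mode; the
// article only says the parts support 128-bit AES.
func EncryptImage(key, img []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(img))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], img)
	return out, nil
}

// DecryptImage is the load-time inverse, using the key held in the FPGA's
// key register; the caller still CRC-checks the result before using it.
func DecryptImage(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aes.BlockSize {
		return nil, errors.New("blob too short to carry an IV")
	}
	img := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCTR(block, blob[:aes.BlockSize]).XORKeyStream(img, blob[aes.BlockSize:])
	return img, nil
}

// Boot models the dual-boot sequence: internal flash first; on CRC failure,
// decrypt and verify the external golden image; if both fail, stay unconfigured.
func Boot(internal, encGolden, key []byte) (source string, cfg []byte, err error) {
	if cfg, err = verifyImage(internal); err == nil {
		return "internal-flash", cfg, nil
	}
	if golden, derr := DecryptImage(key, encGolden); derr == nil {
		if cfg, err = verifyImage(golden); err == nil {
			return "external-golden", cfg, nil
		}
	}
	return "", nil, errors.New("no valid configuration: FPGA not initialized")
}

func main() {
	key := []byte("0123456789abcdef")                   // constructed demo key
	golden := buildImage([]byte("FACTORY-CONFIG-v1.0")) // constructed sample
	update := buildImage([]byte("DEALER-UPDATE-v1.1"))  // constructed sample
	encGolden, err := EncryptImage(key, golden)
	if err != nil {
		panic(err)
	}
	bad := append([]byte(nil), update...)
	bad[3] ^= 0x20 // simulate a bit flipped by a failed update or noise
	for _, internal := range [][]byte{update, bad} {
		src, cfg, err := Boot(internal, encGolden, key)
		fmt.Printf("source=%q config=%q err=%v\n", src, cfg, err)
	}
}
```

Two points worth noticing when running it. A wrong key or a flipped ciphertext byte does not cause decryption to fail; it yields a wrong image that only the CRC check catches. A CRC detects accidental corruption with high probability but is not a cryptographic authentication code, so where a device offers an authenticated encryption mode or a signature over the bitstream, that is the feature that gives real tamper evidence; the encryption alone provides confidentiality against reverse engineering.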

The fourth and final step is to "lock down" the FPGA to prevent unauthorized access to the stored configuration. Programmable registers internal to non-volatile FPGAs control access to the internal configuration memory. The possible combinations are:

• Unlocked;
• Key locked: presenting the 128-bit key through the programming interface allows the device to be unlocked;
• Permanently locked: the device is permanently locked.

To further complement the security of the device, a One Time Programmable (OTP) mode is available. Once the device is set in this mode, it is not possible to erase or reprogram the flash portion of the device.
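The three access settings plus the OTP mode, modelled as an added Go state machine for the configuration-memory lock register. This is example code, not Lattice's register interface; the state encoding, the method names, the constant-time key comparison and the demo key are assumptions for the example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// LockState mirrors the three access settings of the internal configuration
// memory. The numeric encoding is an assumption for this example.
type LockState int

const (
	Unlocked LockState = iota
	KeyLocked
	PermanentlyLocked
)

func (s LockState) String() string {
	return [...]string{"unlocked", "key-locked", "permanently-locked"}[s]
}

var (
	ErrLocked   = errors.New("configuration memory is locked")
	ErrOTP      = errors.New("device is one-time programmable: flash cannot be erased or reprogrammed")
	ErrBadKey   = errors.New("key rejected")
	ErrNoUnlock = errors.New("permanent lock cannot be removed")
)

// ConfigMemory models the lock register, the OTP setting and the flash
// array that holds the initialization configuration.
type ConfigMemory struct {
	state  LockState
	key    [16]byte // 128-bit key held on-die, never part of the image
	otp    bool
	flash  []byte
	failed int // rejected unlock attempts, worth reporting to the host
}

func NewConfigMemory(initial []byte, key [16]byte) *ConfigMemory {
	return &ConfigMemory{state: Unlocked, key: key, flash: append([]byte(nil), initial...)}
}

// Program writes a new configuration image into flash if access permits.
// The OTP setting is checked first: it overrides even an unlocked state.
func (m *ConfigMemory) Program(img []byte) error {
	switch {
	case m.otp:
		return ErrOTP
	case m.state != Unlocked:
		return ErrLocked
	}
	m.flash = append([]byte(nil), img...)
	return nil
}

// Read returns the stored configuration only while unlocked, which is what
// denies readback of the design through the programming interface.
func (m *ConfigMemory) Read() ([]byte, error) {
	if m.state != Unlocked {
		return nil, ErrLocked
	}
	return append([]byte(nil), m.flash...), nil
}

// Lock moves to key-locked or permanently-locked; a permanent lock sticks.
func (m *ConfigMemory) Lock(s LockState) error {
	if m.state == PermanentlyLocked {
		return ErrNoUnlock
	}
	if s == Unlocked {
		return errors.New("use Unlock to present the key")
	}
	m.state = s
	return nil
}

// Unlock presents the 128-bit key through the programming interface. The
// comparison is constant-time so response timing does not depend on the key.
func (m *ConfigMemory) Unlock(presented [16]byte) error {
	switch m.state {
	case PermanentlyLocked:
		return ErrNoUnlock
	case Unlocked:
		return nil
	}
	if subtle.ConstantTimeCompare(presented[:], m.key[:]) != 1 {
		m.failed++
		return ErrBadKey
	}
	m.state = Unlocked
	return nil
}

// SetOTP selects the one-time-programmable mode; there is no way back.
func (m *ConfigMemory) SetOTP()           { m.otp = true }
func (m *ConfigMemory) State() LockState  { return m.state }
func (m *ConfigMemory) FailedUnlocks() int { return m.failed }

func main() {
	var key, wrong [16]byte
	copy(key[:], "constructed-key!") // demo value, not a real key
	copy(wrong[:], "wrong-key-guess!")
	m := NewConfigMemory([]byte("FACTORY-CONFIG-v1.0"), key)
	_ = m.Lock(KeyLocked)
	fmt.Println("program while key-locked:", m.Program([]byte("v1.1")))
	fmt.Println("unlock with wrong key:", m.Unlock(wrong), "failed:", m.FailedUnlocks())
	fmt.Println("unlock with right key:", m.Unlock(key), "state:", m.State())
	fmt.Println("program while unlocked:", m.Program([]byte("v1.1")))
	m.SetOTP()
	fmt.Println("program after OTP:", m.Program([]byte("v1.2")))
	_ = m.Lock(PermanentlyLocked)
	fmt.Println("unlock permanent lock:", m.Unlock(key))
}
```

The order of checks in Program is the point of the model: OTP is evaluated before the lock state, so once it is set, presenting the correct key still cannot lead to an erase or reprogram, which is exactly the guarantee the article attributes to that mode.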

When choosing an automotive grade AEC-Q100 qualified non-volatile FPGA, it is important to review the manufacturer's non-volatile memory endurance and data retention specification to verify that the FPGA will retain its memory contents at both operation and storage temperatures for the life of the vehicle.

For example, the LatticeXP2 is a non-volatile AEC-Q100 qualified SRAM/flash FPGA available that satisfies all of these system requirements. The on-die flash of the LatticeXP2 allows extensive memory testing of the entire device, assuring that even with continuous operation at the maximum temperature, there will be no loss of memory content for a minimum of 10 years.

SRAM soft error detection
Soft errors are caused by the naturally occurring bombardment of charged alpha particles from packaging materials and neutrons from cosmic rays, which can alter the stored charge in a memory cell. The phenomenon first became an issue in DRAM, requiring error detection and correction for large memory systems in high-reliability applications. As device geometries continue to shrink, the probability of soft errors in SRAM has become significant for some systems.

The higher-performance FPGAs that are used in automotive applications store their logic configuration data in SRAM cells. As the number and density of SRAM cells in an FPGA increase, the probability that a soft error will alter the programmed logical behavior of the system also increases.

Various approaches have been taken to address this issue, most of which involve intellectual property (IP) cores that the user instantiates into the logic of the design. While this approach provides a solution, it also consumes valuable programmable resources and can possibly affect performance. However, these shortcomings can be avoided. LatticeXP2 FPGAs, for example, have a hardware-implemented soft error detector that does not affect system performance or heat dissipation of the devices.

The soft error detection (SED) hardware in these non-volatile FPGAs consists of an access point to the FPGA SRAM configuration memory, an SED controller circuit and a 32-bit register that stores the CRC of the current bitstream (Figure 3). Enabling the SED capability requires several I/O pins: four dedicated input pins and four dedicated output pins are subtracted from the overall pin count. These pins are used to enable and start the SED checking, and to report the status of the SED operation.

Figure 3: The SED hardware in these non-volatile FPGAs consists of an access point to the FPGA SRAM configuration memory, an SED controller circuit and a 32bit register to store the CRC for the current bitstream.

During SED operation, the control circuits read the serial data stream from the FPGA's SRAM configuration memory and calculate a CRC over it. The calculated CRC is then compared with the expected CRC stored in the 32-bit register. If the two values do not match, the configuration memory has been corrupted, and an external signal is driven high to indicate the error. The user then has several options for responding to the error signal: ignore the error; log the error using an external processor; or reload the SRAM configuration from the original boot device.
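The SED cycle just described (read the configuration SRAM, recompute the CRC, compare with the 32-bit register, raise the error pin, then ignore, log or reload) as an added Go model, including a simulated single-bit upset and the three response policies. This is example code, not Lattice's circuit; the struct layout, method names, pass counter and sample image are assumptions for the example.

```go
package main

import (
	"fmt"
	"hash/crc32"
)

// SED models the hardware soft-error detector: it walks the configuration
// SRAM, recomputes a CRC-32 and compares it with the register latched at
// configuration time. Structure is an illustration, not the vendor's design.
type SED struct {
	config   []byte // configuration SRAM contents
	expected uint32 // the 32-bit CRC register written at configuration
	errorPin bool   // external error signal, high on mismatch
	passes   int    // number of SED passes run so far
}

// Configure loads the SRAM from an already verified image and latches its CRC.
func Configure(image []byte) *SED {
	sram := append([]byte(nil), image...)
	return &SED{config: sram, expected: crc32.ChecksumIEEE(sram)}
}

// Check is one SED pass; it returns the new level of the error pin.
func (s *SED) Check() bool {
	s.passes++
	s.errorPin = crc32.ChecksumIEEE(s.config) != s.expected
	return s.errorPin
}

// Upset flips one configuration bit, the effect of an alpha particle or
// neutron strike on a single SRAM cell.
func (s *SED) Upset(byteIdx int, bit uint) {
	s.config[byteIdx] ^= 1 << bit
}

// Response is one of the three user options when the error pin goes high.
type Response int

const (
	Ignore Response = iota
	Log
	Reload
)

// Handle applies the chosen response. Reload restores the configuration
// from the boot device and clears the pin; Log records the event for an
// external processor; Ignore leaves the corrupted configuration running.
func (s *SED) Handle(r Response, bootImage []byte, log *[]string) {
	if !s.errorPin {
		return
	}
	switch r {
	case Log:
		*log = append(*log, fmt.Sprintf("SED pass %d: configuration CRC mismatch", s.passes))
	case Reload:
		*log = append(*log, fmt.Sprintf("SED pass %d: CRC mismatch, reloading from boot device", s.passes))
		s.config = append([]byte(nil), bootImage...)
		s.errorPin = false
	}
}

// Scrub runs n SED passes, applying policy whenever the pin is high, and
// returns how many passes flagged an error: with Ignore, every pass after an
// upset flags it; with Reload, only the first does.
func (s *SED) Scrub(n int, policy Response, bootImage []byte, log *[]string) int {
	flagged := 0
	for i := 0; i < n; i++ {
		if s.Check() {
			flagged++
			s.Handle(policy, bootImage, log)
		}
	}
	return flagged
}

func main() {
	image := []byte("CONSTRUCTED-CONFIGURATION-IMAGE") // constructed sample SRAM contents
	var log []string
	s := Configure(image)
	fmt.Println("clean pass flags error:", s.Check())
	s.Upset(7, 2) // single-event upset in one configuration cell
	fmt.Println("passes flagged with Ignore:", s.Scrub(3, Ignore, image, &log))
	fmt.Println("passes flagged with Reload:", s.Scrub(3, Reload, image, &log))
	fmt.Println("pin after reload:", s.Check())
	for _, l := range log {
		fmt.Println(l)
	}
}
```

The Scrub counts make the trade-off between the responses visible: with Ignore, the corrupted configuration keeps running and every subsequent pass reports it; with Reload, the pin clears after one pass, and the log line gives the external processor the event it needs to record.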

LatticeXP2 FPGAs are non-volatile, AEC-Q100 qualified SRAM/flash devices capable of satisfying all of these system requirements. The on-die flash of the LatticeXP2 allows unified system testing, assuring against memory loss or system failure for a minimum of 10 years. In addition, the dual-boot capabilities and hardware-implemented SED checking feature offer security against SRAM corruption without affecting the performance or operation of the user logic.

FPGA designs implemented with these four configuration protection techniques can be considered ultra-reliable for startup and initialization, including the ability to start with a valid configuration, allow secure updates, and prevent attempts to download, erase, or modify the initialization configuration. Additionally, designs that incorporate SED management logic add protection against changes in the operating configuration caused by charged particles.

Incorporating both startup and SED protection enables automotive designers to build complete high-reliability FPGA designs without worrying about deliberate configuration tampering or environmental corruption.

- Kerry Howell
Senior Product Marketing Engineer
Lattice Semiconductor Corp.
