Building Ultra-Reliable Automotive Systems – Part 2

With increasing frequency, automotive manufacturers regularly inquire about using FPGAs in high-reliability systems.  In this continuation posting, I will highlight solutions that mitigate potential SRAM corruption issues.

Part one of this blog posting discussed the unique benefits of using AEC-Q100 qualified LatticeXP2 Non-Volatile FPGAs to eliminate issues that surround SRAM-based devices.  These include: hard failure of the boot memory, memory retention issues, deliberate tampering, memory erasure, and electrical noise.

Soft Error Detection
Soft errors occur when high-energy charged particles alter the stored charge in a memory cell in an electronic circuit.  The phenomenon first became an issue in DRAM, requiring error detection and correction for large memory systems in high-reliability applications.  As device geometries continue to shrink, the probability of soft errors in SRAM has become significant for some systems. Designers are using a variety of approaches to minimize the effects of soft errors on system behavior.  The phenomenon is applicable to all devices that include SRAM cells, including: Microprocessors, DSP processors, SRAM devices and FPGAs including Antifuse devices that include memory.

SRAM-based FPGAs store logic configuration data in SRAM cells. As the number and density of SRAM cells in an FPGA increase, the probability that a soft error will alter the programmed logical behavior of the system increases.  A number of varying approaches have been taken to address this issue, most of which involve Intellectual Property (IP) cores that the user instantiates into the logic of the design, using valuable resources and possibly affecting design performance.  The LatticeXP2 devices have a hardware implemented soft error detector that does not affect performance or heat dissipation of the devices.

The SED hardware in the LatticeXP2 devices consists of an access point to the FPGA SRAM configuration memory, SED controller circuitry, and a 32-bit register to store the CRC for the current bitstream (see Figure).  Enabling the SED capabilities does require the use of several I/O pins.  Subtracted from the overall pin count are 4 dedicated input pins as well as 4 dedicated output pins.  These pins are used to enable and start the SED checking as well as providing the status of the SED operation. 

During SED operation, the control circuits read the serial data stream data from the FPGA’s SRAM configuration memory and calculates a CRC.  The calculated CRC result is then compared with the expected CRC that is stored in the 32-bit register.  If the two CRC values do not match, there is corruption of the configuration memory and an external signal is set to a high value to indicate the error.  The user has several options for using the error signal: ignore the error, log the error using an external processor or reload the SRAM configuration from the original load device.

The SED checking inside the LatticeXP2 SED offers security against SRAM corruption that does not impact the performance or operation of the user logic.  FPGA designs implemented with the four items listed in part 1 of this posting can be considered ultra-reliable for startup and initialization.  Designs that incorporate the SED circuitry complete the protection for normal operation and enable complete ultra-reliable FPGA designs.

Building Ultra-Reliable Automotive Systems – Part 1

With increasing frequency, automotive manufacturers regularly inquire about using FPGAs in high-reliability systems.  There are several concerns that are raised during these discussions about corruption of the FPGA configuration used for initialization and SRAM corruption during operation.  In this entry, I will highlight several solutions to mitigate initialization configuration corruption using Lattice AEC-Q100 qualified devices.  Part 2 of this blog post will show solutions for dealing with potential SRAM corruption issues.

SRAM-based FPGAs download their configuration from an external source when the system powers up.  The boot source can be from a memory device such as a serial EEPROM or FLASH device.  Boot sources can also be an intelligent device like a microcontroller that can provide the correctly formatted bitstream.  All FPGAs have some type of CRC check of the initialization bitstream when the device starts.  If an error is found in the bitstream, then the FPGA will not start operating which prevents incorrect (and possibly dangerous) operation of the system.  Most FPGAs will then notify the system that the initialization failed and then start another initialization sequence that hopefully will be successful.

There are several scenarios that can cause the corruption of the initialization bitstream.  These include:

•     Hard failure of the boot memory
•     Memory retention issues
•     Deliberate tampering
•     Memory erasure
•     Electrical noise

There are four basic steps for using FPGAs when designing ultra-reliable systems, they are:

Step one is to move the primary boot device (contained in an external component) to a memory array that is internal to the FPGA.  This step eliminates many of the common initialization failure modes.  The integrated design also increases the initialization speed and allows the FPGA to be used in “Instant-On” systems.  The LatticeXP2 is the only non-volatile AEC-Q100 qualified SRAM/FLASH FPGA available.  Having on-die FLASH in devices like the XP2 allows extensive memory testing of the entire device at 125C.  This assures that even with continuous operation of the XP2 at the maximum temperature, there will be no losses in the FLASH memory content for a minimum of 10 years.

The second step for reliable systems is to add a redundant boot device.  This is accomplished by adding an external boot device that can be an automatic fallback device.  As the XP2 Flash Memory is field reprogrammable, it is possible for events to take place during an authorized download of new operating code during a dealer update.  By adding the secondary boot device, there is an assured backup or “limp home” operating image if necessary.  The typical use is to place a “golden” factory copy of the initialization code in the eternal memory device.  This allows the system to recover any problems with the image stored in the internal memory array.

Thirdly, secure the backup bitstream that is contained in the external memory device by using bitstream encryption to secure the boot image.  The XP2 and the LatticeECP2/M families support 128-bit AES bitstream encryption to prevent reverse engineering and unauthorized changes to the design.  An encrypted image is stored in the external boot device and during initialization; the image is unencrypted and moved into the SRAM cells.  This encryption mechanism can also be used to download a new image into the internal FLASH memory.

The last step is to “lock down” the FPGA to prevent unauthorized access to the stored configuration.   Several programmable registers internal to the XP2 control access to the configuration memory.  The possible combinations are:
    1. Unlocked
    2. Key Locked – Presenting the 128-bit key through the programming interface allows the device to be unlocked.
    3. Permanently Locked – The device is permanently locked.
To further complement the security of the device a One Time Programmable (OTP) mode is available. Once the device is set in this mode it is not possible to erase or re-program the Flash portion of the device.

FPGA designs implemented with these four steps can be considered Ultra-Reliable for startup and initialization with the ability to: start with a valid configuration, allow secure updates and prevent attempts to erase, download or modify the initialization configuration.

In the next entry, I will finish off this discussion with the monitoring and protection of the SRAM contents during operation.

Automotive Versions of Flash-based, Non-volatile FPGA Family

Lattice recently introduced AEC-Q100 qualified versions of its LatticeXP2 Instant-On FPGA family.  These are devices built using a process that includes SRAM Programmable Logic + FLASH Storage on a single-die.  Lattice has raised the capabilities of automotive FPGAs by offering new system-on-chip (SoC) features such as full-feature DSP blocks, pre-engineered source I/O blocks and its exclusive FlexiFLASH™ architecture.

The FlexiFLASH architecture integrates the configuration Flash on the same silicon die as the SRAM FPGA logic.  The non-volatile FlexiFLASH architecture enables Instant-On startup speed, FlashBAK capabilities as well as the additional benefits of fault tolerance and redundancy.  FlashBAK enables the contents of the Embedded Block RAM to be written back to the FLASH memory so that during subsequent device initializations, the EBR memory is loaded with the new values.

Automotive system designs are using a growing number of FPGA devices to add additional capabilities and flexibility.  The LA-XP2 provides designers the broadest offering for performance and features of any AEC-Q100 qualified FPGA.  The instant-on capability allows the LA-XP2 FPGA to be used for applications that cannot wait for a typical FPGAs to startup such as Engine Control Units, FlexRay and CAN interfaces, processor bus decoders, Power-on-Reset and low power designs using duty cycling.

Instant-On, Redundancy and FlashBAK, these are a few of the advanced features offered in the LA-XP2 that are enabling advanced automotive systems.

Fighting Microprocessor Obsolescence with FPGAs

This webcast will be a look at microprocessor obsolescence and how it affects customer’s products and how FPGAs provide the best replacement solution. The presentation will include several designs where customers have worked with Lattice Semiconductor to cost effectively recover from an End Of Life as well as protect themselves against future Microprocessor Obsolescence.

Join me Wednesday, June 25th, 2008 11:00 AM (GMT -07:00) PDT for the webcast and ask me questions at the conclusion. To join, click here or cut and paste the following link: http://latticesemi.webapp.intevista.com/event/1jzf4qhxn1

Advance Features Enable Lowest-Power CPLD

Lattice just introduced the ispMACH 4000ZE family of CPLD devices in densities ranging from 32 to 256 macrocells.  These offer the lowest standby power of any of the zero-power CPLDs.  One of the main features for reducing the power consumption is Power Guard, which provide an easy way to lower the operating power of the CPLD by disconnecting the logic array from external input signal changes.  Any logic that changes state consumes power, removing the external stimulus activity from the logic array when it is not needed suspends internal logic activity that results in a power savings. 

There are 2 to 16 Power Guard blocks within the CPLDs depending on the density of the device.  The Power Guard control consists of logic between the I/O pin and the input buffer.  The gating logic known as the Block Input Enable (BIE) signal is controlled by an output from one of the internal macrocells in the logic array.  The Power Guard feature is enabled or disabled on a pin-by-pin basis.

Features such as Power Guard contained in this new family of zero-power CPLDs are enabling additional integration within portable and battery powered applications that require ultra low power consumption.

Microcontroller Obsolescence Solution

There are very few customers that enjoy receiving the statement: “Dear customer, the microcontroller in which you invested years of development time and money and planned to have in production for another 10 years is going End-Of-Life!” There have been several popular microcontrollers and microprocessors that have gone EOL over the last few years as semiconductor suppliers consolidate and prune their product portfolios.

Customers have the choice of performing a last-time purchase or re-designing the product. Last time purchases are problematic in the areas of up-front cash outlays and forecast quantities. As far as redesign, a simple board layout change to support a different part is easy, but software compatibility is the major hurdle when moving to a different microcontroller family. Most companies have a large investment in their target software; changing to a new architecture typically requires a complex and costly software port as well as verification.

Lattice to the Rescue
Lattice recently helped a customer in just this situation. The customer had a microcontroller in continuous production for more than 15 years. Not wanting to tie up capital in a last-time buy, the customer looked for other alternatives.

The customer required the replacement to be exactly the same fit and function as the original microcontroller. In addition, external and internal timing, processor functionality and even the same binary program had to run with no modifications. This compatibility included embedded software timing loops in the legacy processor code.

The final hardware solution is a small mezzanine board that contains an instant-on LatticeXP2 FPGA, an ADC device and clock generator. A PLCC connection allows direct interfacing with the manufacturer’s PCB and provides a pin-for-pin replacement for the original microcontroller. As the LatticeXP2 contains on-chip FLASH memory to configure the logic on startup, there is no need for an external boot memory which reduced the board device count and allowed for a smaller final solution.

The software solution used a third-party Intellectual Property (IP) core from Digital Core Design. DCD is a Lattice IP partner that offers a number of microcontroller and peripheral IP solutions. DCD modified an existing microcontroller core to match the exact execution and peripheral set found on the obsolete device.

The pin compatible solution allowed the customer design team to focus their efforts on validating the IP core instead of performing a full hardware and software design and validation. The solution enabled by Lattice and DCD ultimately saved the customer time and money by not having to perform a total system re-design.

Conclusion
Microcontroller and Microprocessor obsolescence will continue, but fortunately there are easy solutions to the problem using FPGAs coupled with microcontroller IP. The Instant-On LatticeXP2 FPGA provides a secure and small footprint solution that also meet customer’s very long life requirements. Microcontroller IP from partners like DCD allows a very quick and cost effective solution to replace existing microcontrollers while retaining exact software compatible with the original design.

Low-Cost Automotive Power Management Solutions

Designing power management control systems in automotive applications has become quite complex due to the continuous changes in technology. While 5-volt devices are preferred by automotive engineers for the robustness of the I/Os, every new generation of devices require a new, smaller operating voltage. On-board management of all the multiple voltage supplies becomes quite a challenge.

Devices that require their supply voltages to be applied in a very specific sequence to insure correct operation further complicate this challenge. All too often a “traditional” power management solution is applied to these “turbo-charged” power management requirements, resulting in circuit board designs that are inefficient, costly and usually compromised by tradeoffs.

Looking for powerful, cost effective solutions, several automotive customers requested Lattice provide the popular power manager devices in an automotive temperature range. Lattice responded, and in February 2008 announced the release of the automotive temperature LA-ispPAC-POWER1014/A power manager devices. The Lattice POWR-1014/A are the only fully-programmable power managers offered in automotive temperature.

The POWER1014/A incorporates both in-system programmable logic and in-system programmable analog circuits to perform the special functions that are optimized for power supply control, sequencing and monitoring. The POWR-1014A has 10 analog inputs for voltage monitoring, and can control up to 14 outputs. A built-in reset generator is available for control of external microprocessors.

By using a programmable, mixed signal power management device. Automotive designers can standardize on this “power management PLD,” using the device across all the automobile's ECUs, resulting in reduced cost as well as increased reliability.

FPGA Video Interfacing Fundamentals - Revisited

I first presented information on FPGA Video Interfacing Fundamentals in February of 2006. I am excited by the opportunity to revisit this topic and add additional details and design examples.  These excerpts from the webcast provides the best overview of the topics I will discuss:

"The use of image and video processing in electronic equipment continues to grow. This page lists several of the common market trends that are driving video growth. New applications, increasing customer expectations as well as declining display prices help to fuel this growth. New standards require support such as SMPTE, MediaLB and Display Port; which need easily implemented and cost effective solutions.

The implementation of low cost imagers and cameras has exploded in the areas of automotive and surveillance systems. Lastly, many systems are moving from a single display to supporting multiple displays.

I will go over the 3 main components of a typical system: video imagers, LCD panels, and video controller systems."

Join me Wednesday, March 26, 2008 11:00 AM (GMT -07:00) PDT for the webcast and ask me questions at the conclusion. To join, click here or cut and paste the following link:

http://www.latticesemi.com/corporate/webcasts/fpgavideointerfacingfunda.cfm

LatticeXP2 FPGA flexiFLASH and FlashBAK

The flexiFLASH architecture found in the LatticeXP2 FPGA relates to the on-die FLASH memory and contains the following features; Instant-on configuration, small footprint, single chip, FlashBAK technology and serial TAG memory.

One of the main features of this architecture is called FlashBAK.  FlashBAK allows EBR (Embedded Block RAM) data to be written and stored in the configuration Flash memory.  Flash to EBR transfer occurs as part of the device startup or by user command, and an EBR to FLASH transfer will occur upon user command.  The ability to store information such as CPU instructions, error codes, coefficients, system calibrations, graphical system configuration and startup data provides the benefit of having the information instantly available the next time the system starts.  Additionally, keeping the EBR data on-die also secures the designs operating data.

The FlashBAK feature allows system designs with greater flexibility, smaller foot print and better security then other FPGA solutions.

Disposable Cars?

Recently another FPGA supplier announced their first family of AEC-Q100 automotive qualified devices.  They received quite a bit of press due to their testing to automotive Grade-1 that equates to a temperature range of -40C to +135C Junction.  According to the datasheet these devices have a Maximum Tj of +150C.  This sounds very attractive to automotive customers looking to use FPGA devices in under the hood applications.

I thought, “Wow, this is impressive”.  My initial excitement was soon dashed when I looked through the datasheet and found their HTR (High Temperature Data Retention) results.  This is the amount of time the internal Flash memory is not expected to have a failure due to flash cell leakage.   Operating these devices at +70C provides an HTR value of +100 years, however at +125C the HTR value drops to 6.2 years and at under the hood temperature of +135C the value is 4.4 years (+150C = 2.2 years).

For some consumers an engine or brake system failure after 4.4 years of service may not be an issue, but for others it can be a life-threatening situation.

The Lattice FPGA temperature ratings are (Grade 2, -40C to +125C Tj) and the HTR results for Lattice Flash based devices is greater than 100 years at full temperature.  This means almost no chance of an automotive system malfunction due to Flash memory retention issues.  I know that I want any vehicle my family travels in to continue to operate even in high temperature conditions.  Lattice FPGA devices provide me that peace of mind.