Frontier

The weblog of innovation at Lattice Semiconductor

Building Ultra-Reliable Automotive Systems – Part 2

Kerry Howell

With increasing frequency, automotive manufacturers inquire about using FPGAs in high-reliability systems. In this continuation post, I will highlight solutions that mitigate potential SRAM corruption issues.

Part one of this blog posting discussed the unique benefits of using AEC-Q100 qualified LatticeXP2 Non-Volatile FPGAs to eliminate issues that surround SRAM-based devices.  These include: hard failure of the boot memory, memory retention issues, deliberate tampering, memory erasure, and electrical noise.

Soft Error Detection
Soft errors occur when high-energy charged particles alter the stored charge in a memory cell in an electronic circuit. The phenomenon first became an issue in DRAM, requiring error detection and correction for large memory systems in high-reliability applications. As device geometries continue to shrink, the probability of soft errors in SRAM has become significant for some systems. Designers are using a variety of approaches to minimize the effects of soft errors on system behavior. The phenomenon applies to all devices that contain SRAM cells, including microprocessors, DSP processors, SRAM devices and FPGAs, including antifuse devices that include memory.

Figure: SED Circuitry in XP2

SRAM-based FPGAs store logic configuration data in SRAM cells. As the number and density of SRAM cells in an FPGA increase, the probability that a soft error will alter the programmed logical behavior of the system increases.  A number of varying approaches have been taken to address this issue, most of which involve Intellectual Property (IP) cores that the user instantiates into the logic of the design, using valuable resources and possibly affecting design performance.  The LatticeXP2 devices have a hardware implemented soft error detector that does not affect performance or heat dissipation of the devices.

The SED hardware in the LatticeXP2 devices consists of an access point to the FPGA SRAM configuration memory, SED controller circuitry, and a 32-bit register to store the CRC for the current bitstream (see Figure). Enabling the SED capabilities does require the use of several I/O pins: 4 dedicated input pins and 4 dedicated output pins are subtracted from the overall pin count. These pins are used to enable and start the SED checking and to provide the status of the SED operation.

During SED operation, the control circuits read the serial data stream from the FPGA’s SRAM configuration memory and calculate a CRC. The calculated CRC result is then compared with the expected CRC that is stored in the 32-bit register. If the two CRC values do not match, the configuration memory is corrupted and an external signal is set high to indicate the error. The user has several options for using the error signal: ignore the error, log the error using an external processor, or reload the SRAM configuration from the original load device.

The SED checking inside the LatticeXP2 offers security against SRAM corruption that does not impact the performance or operation of the user logic. FPGA designs implemented with the four items listed in part 1 of this posting can be considered ultra-reliable for startup and initialization. Designs that incorporate the SED circuitry complete the protection for normal operation and enable complete ultra-reliable FPGA designs.

October 21, 2008 in Author: Kerry Howell, Automotive

Building Ultra-Reliable Automotive Systems – Part 1

Kerry Howell

With increasing frequency, automotive manufacturers inquire about using FPGAs in high-reliability systems. Several concerns are raised during these discussions about corruption of the FPGA configuration used for initialization and SRAM corruption during operation. In this entry, I will highlight several solutions to mitigate initialization configuration corruption using Lattice AEC-Q100 qualified devices. Part 2 of this blog post will show solutions for dealing with potential SRAM corruption issues.

SRAM-based FPGAs download their configuration from an external source when the system powers up. The boot source can be a memory device such as a serial EEPROM or FLASH device. Boot sources can also be an intelligent device like a microcontroller that can provide the correctly formatted bitstream. All FPGAs have some type of CRC check of the initialization bitstream when the device starts. If an error is found in the bitstream, the FPGA will not start operating, which prevents incorrect (and possibly dangerous) operation of the system. Most FPGAs will then notify the system that the initialization failed and start another initialization sequence that hopefully will be successful.

There are several scenarios that can cause the corruption of the initialization bitstream.  These include:

  •     Hard failure of the boot memory
  •     Memory retention issues
  •     Deliberate tampering
  •     Memory erasure
  •     Electrical noise

There are four basic steps for using FPGAs when designing ultra-reliable systems:

Step one is to move the primary boot device (contained in an external component) to a memory array that is internal to the FPGA.  This step eliminates many of the common initialization failure modes.  The integrated design also increases the initialization speed and allows the FPGA to be used in “Instant-On” systems.  The LatticeXP2 is the only non-volatile AEC-Q100 qualified SRAM/FLASH FPGA available.  Having on-die FLASH in devices like the XP2 allows extensive memory testing of the entire device at 125C.  This assures that even with continuous operation of the XP2 at the maximum temperature, there will be no losses in the FLASH memory content for a minimum of 10 years.

The second step for reliable systems is to add a redundant boot device. This is accomplished by adding an external boot device that can be an automatic fallback device. As the XP2 Flash Memory is field reprogrammable, it is possible for events to take place during an authorized download of new operating code during a dealer update. By adding the secondary boot device, there is an assured backup or “limp home” operating image if necessary. The typical use is to place a “golden” factory copy of the initialization code in the external memory device. This allows the system to recover from any problems with the image stored in the internal memory array.

Figure: Dual Boot for Reliable Updates

Thirdly, secure the backup bitstream that is contained in the external memory device by using bitstream encryption. The XP2 and the LatticeECP2/M families support 128-bit AES bitstream encryption to prevent reverse engineering and unauthorized changes to the design. An encrypted image is stored in the external boot device; during initialization, the image is decrypted and moved into the SRAM cells. This encryption mechanism can also be used to download a new image into the internal FLASH memory.

The last step is to “lock down” the FPGA to prevent unauthorized access to the stored configuration.   Several programmable registers internal to the XP2 control access to the configuration memory.  The possible combinations are:
    1. Unlocked
    2. Key Locked – Presenting the 128-bit key through the programming interface allows the device to be unlocked.
    3. Permanently Locked – The device is permanently locked.
To further complement the security of the device, a One Time Programmable (OTP) mode is available. Once the device is set in this mode, it is not possible to erase or re-program the Flash portion of the device.

FPGA designs implemented with these four steps can be considered Ultra-Reliable for startup and initialization with the ability to: start with a valid configuration, allow secure updates and prevent attempts to erase, download or modify the initialization configuration.
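
The step-two fallback boot and the run-time SED check described in Part 2 (recompute the CRC over configuration SRAM, compare it with the stored 32-bit value, reload on mismatch) can be modeled together in C. This is an added example, not Lattice code or part of the original posts; the CRC-32 polynomial, the 64-byte image size and every type and function name are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <string.h>
#define CFG_BYTES 64   /* toy configuration size (constructed) */
enum { SRC_NONE, SRC_INTERNAL, SRC_GOLDEN };
typedef struct { uint8_t data[CFG_BYTES]; uint32_t crc; } image_t; /* stored image */
typedef struct { uint8_t sram[CFG_BYTES]; uint32_t crc_reg; } fpga_t;

/* Assumed CRC: reflected CRC-32 (0xEDB88320); the page gives no polynomial. */
static uint32_t crc32_calc(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Build a constructed sample image whose stored CRC matches its data. */
void make_image(image_t *img, uint8_t seed) {
    for (size_t i = 0; i < CFG_BYTES; i++) img->data[i] = (uint8_t)(seed + 3 * i);
    img->crc = crc32_calc(img->data, CFG_BYTES);
}

/* Copy an image into configuration SRAM only if its CRC verifies. */
static int load_image(fpga_t *f, const image_t *img) {
    if (crc32_calc(img->data, CFG_BYTES) != img->crc) return 0;
    memcpy(f->sram, img->data, CFG_BYTES);
    f->crc_reg = img->crc;   /* expected CRC kept for later SED passes */
    return 1;
}

/* Boot: internal flash image first, then the external golden copy. */
int boot(fpga_t *f, const image_t *internal, const image_t *golden) {
    if (load_image(f, internal)) return SRC_INTERNAL;
    return load_image(f, golden) ? SRC_GOLDEN : SRC_NONE;
}

/* SED pass: recompute the CRC over SRAM; 1 means the error signal is raised. */
int sed_error(const fpga_t *f) { return crc32_calc(f->sram, CFG_BYTES) != f->crc_reg; }

/* Policy "reload from the original load device": 0 clean, 1 repaired, -1 failed. */
int sed_scrub(fpga_t *f, const image_t *origin) {
    if (!sed_error(f)) return 0;
    return load_image(f, origin) ? 1 : -1;
}

int main(void) {
    image_t internal, golden; fpga_t f;
    make_image(&internal, 0x10); make_image(&golden, 0x80);
    internal.data[5] ^= 0x01;               /* corrupted internal image */
    int src = boot(&f, &internal, &golden); /* falls back to golden */
    f.sram[9] ^= 0x04;                      /* simulated soft error */
    return !(src == SRC_GOLDEN && sed_scrub(&f, &golden) == 1);
}
```

The program exits with status 0 when the corrupted internal image is rejected, the golden copy boots, and the injected single-bit SRAM error is detected and repaired.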

In the next entry, I will finish off this discussion with the monitoring and protection of the SRAM contents during operation.

August 28, 2008 in Author: Kerry Howell, Automotive

Low-Cost Automotive Power Management Solutions

Kerry Howell

Designing power management control systems in automotive applications has become quite complex due to the continuous changes in technology. While 5-volt devices are preferred by automotive engineers for the robustness of the I/Os, every new generation of devices requires a new, smaller operating voltage. On-board management of all the multiple voltage supplies becomes quite a challenge.

Figure: Automotive Power Management Solution

Devices that require their supply voltages to be applied in a very specific sequence to ensure correct operation further complicate this challenge. All too often a “traditional” power management solution is applied to these “turbo-charged” power management requirements, resulting in circuit board designs that are inefficient, costly and usually compromised by tradeoffs.

Looking for powerful, cost effective solutions, several automotive customers requested Lattice provide the popular power manager devices in an automotive temperature range. Lattice responded, and in February 2008 announced the release of the automotive temperature LA-ispPAC-POWER1014/A power manager devices. The Lattice POWR-1014/A are the only fully-programmable power managers offered in automotive temperature.

The POWER1014/A incorporates both in-system programmable logic and in-system programmable analog circuits to perform the special functions that are optimized for power supply control, sequencing and monitoring. The POWR-1014A has 10 analog inputs for voltage monitoring, and can control up to 14 outputs. A built-in reset generator is available for control of external microprocessors.

By using a programmable, mixed-signal power management device, automotive designers can standardize on this “power management PLD,” using the device across all the automobile's ECUs, resulting in reduced cost as well as increased reliability.

April 03, 2008 in Author: Kerry Howell, Automotive

Disposable Cars?

Kerry Howell

Recently another FPGA supplier announced their first family of AEC-Q100 automotive qualified devices. They received quite a bit of press due to their testing to automotive Grade-1, which equates to a temperature range of -40C to +135C Junction. According to the datasheet, these devices have a Maximum Tj of +150C. This sounds very attractive to automotive customers looking to use FPGA devices in under-the-hood applications.

I thought, “Wow, this is impressive”. My initial excitement was soon dashed when I looked through the datasheet and found their HTR (High Temperature Data Retention) results. This is the amount of time the internal Flash memory is not expected to have a failure due to flash cell leakage. Operating these devices at +70C provides an HTR value of +100 years; however, at +125C the HTR value drops to 6.2 years and at an under-the-hood temperature of +135C the value is 4.4 years (+150C = 2.2 years).

For some consumers an engine or brake system failure after 4.4 years of service may not be an issue, but for others it can be a life-threatening situation.

The Lattice FPGA temperature rating is Grade 2 (-40C to +125C Tj), and the HTR result for Lattice Flash-based devices is greater than 100 years at full temperature. This means almost no chance of an automotive system malfunction due to Flash memory retention issues. I know that I want any vehicle my family travels in to continue to operate even in high temperature conditions. Lattice FPGA devices provide me that peace of mind.

September 10, 2007 in Author: Kerry Howell, Automotive

Lattice Automotive (LA-) Devices Complete Media Interface

Kerry Howell

Recently I was sent a design that shows the value of Lattice AEC-Q100 automotive qualified CPLDs. This design was provided to Lattice by the system designer and is shown here with their permission.

Figure: Automotive Network Gateway

The design is for an Automotive Network Gateway. The system is a protocol converter that handles communication between the various automobile buses: MOST, FlexRay, Ethernet, CAN and LIN. The bulk of the processing is performed in the Freescale PowerPC processor, which has on-board network Media Access Controllers that directly interface with many of the external physical transceivers. The one device that does not directly connect is the SMSC MOST to MediaLB transceiver. The MediaLB interface is a 3- or 5-wire multi-drop bus that is similar in operation to I2C and I2S.

For this application, the designer found that some signal translation and manipulation was required between the SMSC device and the microprocessors.  After reviewing the available options, these functions were implemented in the Lattice Mach4064V.

This functionality could have been performed in discrete logic, but in addition to the MediaLB interface, the designer was able to incorporate other system functionality and glue logic required in the design into this one CPLD device.  The Mach4064V provides a fast, small footprint solution that is very inexpensive.  As Lattice is the only TS16949 certified CPLD supplier that offers a –40C to +125C ambient device that is fully AEC-Q100 qualified, this customer was able to easily meet their customer’s temperature requirements.

While Lattice offers automotive qualified crossover CPLDs in the LA-MachXO family and has high performance FPGAs on the roadmap, we can’t forget the small CPLDs that can easily solve many of the logic problems that automotive designers encounter every day.

July 06, 2007 in Author: Kerry Howell, Automotive

Automotive Multimedia Meets Consumer Products

Kerry Howell

Travel just about anywhere today and you see someone wearing headphones plugged into a ubiquitous portable consumer multimedia device. These small units have the ability to store large amounts of audio and video content; more recent devices include streaming multimedia combined into a cell phone. The one place you ‘hopefully’ won’t see these units in use is by the operator of a vehicle on public roads and highways or in conjunction with any form of transportation.

The inability to play multimedia files from portable media in automobiles is a frustration for drivers. There are some workarounds that allow them to be used, such as FM transmitters and cassette tape adapters, but these generally produce less than desirable results. Some factory radios now have auxiliary audio inputs for interfacing with a media player or the option for direct iPod connection. While the iPod connection usually allows control of the iPod from the auto multimedia system, it does exclude the other 50% of the non-Apple portable player market.

Automotive manufacturers are working on new systems to allow additional connections to portable consumer devices. Implementation of these connections is through one or more of the following: Bluetooth, SD/SDIO, WiMAX, USB and proprietary connections. Recently the MOST consortium announced that their automotive media bus is now available for incorporation into consumer devices. This may open the way for additional connection methodologies.

eConvergence

Automotive manufacturers are also building multimedia platforms with hard disk and DVD drives. These have been incorporated to allow additional functionality in the areas of Navigation mapping, audio and video content. Combined with a wireless interface, it is also possible to use a wireless network system to download multimedia content to the local hard drive for playback. As most new HDD and DVD drives are using Serial ATA, the automotive manufacturers must now incorporate S-ATA interfaces into their systems.

Lattice is working with automotive manufacturers to provide complete hardware and software solutions for vehicle electronics. From the automotive versions of the LA-MACH4000 CPLD families to the LatticeECP2M FPGA that has on-chip SERDES and can support S-ATA and PCI Express, Lattice is helping automotive customers meet their overall functionality goals at a lower system cost coupled with a faster time to market.

April 20, 2007 in Author: Kerry Howell, Automotive
