Presentation on theme: "Tool Qualification Symposium 2014; April"— Presentation transcript:
1 Tool Qualification Symposium 2014, April 9-10 2014, Validas AG, München, Germany
Qualification of a Tool Chain for FPGA Development for IEC and ISO26262
Dr. Giulio Corradi (Senior System Architect ISM, Xilinx GmbH / Xilinx Inc.)
Mrs. Sylvia Waldhausen (Project Leader, TÜV SÜD Rail GmbH)
4 WHAT IS XILINX ALL PROGRAMMABLE? Accelerating design creation and debug, and simplifying reuse
- Device families: Artix-7, Kintex-7, Virtex-7: a scalable array of logic, DSP and memory; analog, transceivers and clock systems; processors (FPGA, DSP and A/D on one All Programmable platform)
- Zynq-7000 All Programmable SoC: the processor is connected over AXI4 (data), AXI4-Stream and AXI4-Lite through an AXI interconnect block to the DDR3 memory controller, DMA, timer, interrupt controller, flash interface, TEMAC and plug-and-play IP
- ISE tool chain: XST, ngdbuild, map, par, trce, bitgen, Coregen, EDK, SysGen and 3rd-party tools; Vivado tool chain
5 Dual Core Fault Tolerant Xilinx FPGA and Functional Safety Challenges: enabling immunity to common mode failures at the silicon level
- Integrated BRAM ECC (a flipped bit is caught)
- Basic SEU detection
- Robust system test
- Dual core fault tolerant
- Configuration ECC
- Accurate FIT rate calculation
- XADC monitor
6 Zynq-7000 All Programmable SoCs: the world's first all programmable system on chip
- Processing System: ARM Cortex-A9 MPCore with NEON/FPU engine, 32/32 KB I/D caches, snoop control unit (SCU), 512 KB L2 cache, 256 KB on-chip memory, general interrupt controller, timer counters, DMA, ARM CoreSight multi-core and trace debug
- Memory: dynamic memory controller (DDR3, DDR2, LPDDR2) and static memory controller (Quad-SPI, NAND, NOR)
- I/O peripherals through the MIO / EMIO multiplexer: 2x GigE with DMA, 2x USB, 2x SDIO, 2x SPI, 2x I2C, 2x CAN, 2x UART, GPIO
- Programmable Logic: system gates, DSP, RAM, XADC, PCIe, multi-standard I/Os (3.3V and high-speed 1.8V), multi-gigabit transceivers
- PS/PL interfaces: AMBA switches, S_AXI_HP0 to S_AXI_HP3, S_AXI_ACP, M_AXI_GP0/1, S_AXI_GP0/1, configuration
7 WHY XILINX IN SAFETY APPLICATIONS
- Technical convenience: diversity is embedded naturally; safety functions often require ad-hoc design, which an FPGA offers; redundancy is easily implementable; safe upgradability in case of later modification via Design Preservation
- Product convenience: behaves like an ASIC but is a standard product, "proven in use"; can scale with the application; more than 15 years of published quarterly reliability reports; every chip is individually tested, always
- Robust technology reliability: enhanced Design For Reliability (DFR) achieving FIT < 15; neutron test
8 WHERE IN THE SAFETY LOOP: Sensor -> transmission -> Logic Solver (control unit: FPGA / Zynq) -> transmission -> Final Element -> Process
9 Xilinx Solves Functional Safety Challenges
- Reduce system cost and risk for functional safety designs: fewer components, lower risk of obsolescence; the Isolation Design and Isolation Verification flows (IDF/IVT) reduce the effort for subsequent certification of evolving implementations
- Reduce development and certification time and risk: the Safety Manual and qualified tools lower the barrier of entry and reduce the time and risk of assessor interaction and education
- Increase productivity: safe/non-safe integration, and updates to non-safe functions
- Proven compliance: IEC 61508, ISO 26262
10 Xilinx Deliverables for Functional Safety
- IEC 61508 SIL1 to SIL3 and ISO 26262 ASIL-A to ASIL-D: qualified safety data package
- Qualified tools (ISE 14.2) and methodology for safety designs with Xilinx FPGAs: Safety Manual, certificate and test report; V-model, QM and reliability data for the devices
- Isolation Design Flow and Isolation Verification Flow: integrate but separate safe and non-safe applications in one device; reduce the effort and risk of subsequent certifications
- SEU mitigation IP: provides detection and correction of configuration upsets
- Tools for FIT rate analysis: FIT rate calculator, essential and critical bit analysis (reduces the FIT rate that has to be considered for safety applications); power analysis tools
- Xilinx and its supply chain are committed to quality and quality management: ISO 9000 / QML / TL 9000 / TS 16949
11 IEC 61508 and the Safety Life Cycle
Overall safety lifecycle phases (IEC 61508-1): 1 Concept; 2 Overall scope definition; 3 Hazard and risk analysis; 4 Overall safety requirements; 5 Overall safety requirements allocation; overall planning: 6 Overall operation and maintenance planning, 7 Overall safety validation planning, 8 Overall installation and commissioning planning; 9 E/E/PE system safety requirements specification; realisation: 10 E/E/PE safety-related systems, 11 Other risk reduction measures (specification and realisation); 12 Overall installation and commissioning; 13 Overall safety validation; 14 Overall operation, maintenance and repair; 15 Overall modification and retrofit (back to the appropriate overall safety lifecycle phase); 16 Decommissioning or disposal
- Mitigation of risk to a defined tolerance
- The safety life cycle has 16 phases, roughly divided: phases 1-5 address analysis, phases 6-13 address realisation, phases 14-16 address operation
- Central to the standard is risk identification and mitigation: risk is a function of the frequency of the hazardous event and the severity of its consequence
- Zero risk can never be reached; safety must be considered from the beginning; non-tolerable risks must be reduced
- Xilinx plays here
13 REDUNDANCY SCHEMES: FPGA firmware / hardware interlock
Diagram: Input 1 and Input 2 feed the FPGA safety function, which drives Output 1 and Output 2 through a hardware interlock; a power sequencer monitors the I/O and core voltages and provides the reset and an "FPGA ready" signal; a hardware permissive gates the interlock.
- The power sequencer feeds the hardware interlock directly to block the FPGA outputs until power is stable
- The power sequencer feeds the FPGA to guarantee reliable reset operation during power-up and brown-outs
- The hardware permissive feeds the hardware interlock directly to block the FPGA outputs until permitted
- The hardware permissive feeds the FPGA to hold off the outputs while they are blocked by the hardware interlock
14 ANNEX E, Table E.2: ON-CHIP REDUNDANCY (IEC 61508-2 Annex E, ICs with on-chip redundancy). Diagram: one FPGA holding a safety function and a non-safety function with separation between them, plus a system monitor.
16 SAFETY STANDARDS: WHERE XILINX PLAYS
- Generic: IEC 61508 (HW/SW)
- Medical: IEC 60601
- Automotive: ISO 26262
- Home appliances: IEC 60730
- Power drive systems: IEC 61800
- Machinery: IEC 62061
- Nuclear: IEC 60987 (hardware), IEC 62138 (software, category B or C), IEC 60880 (software, category A)
- Railway: IEC 62425 / EN 50129 (railway systems), IEC 62279 / EN 50128 (software for railway signalling), EN 50126 (railway RAMS)
- Process industry: IEC 61511 (process)
- Space: ECSS Q60-02
- Avionics: DO-254
- Segment-specific norms, like those for medical, railways, machinery, etc., derive from IEC 61508. Some of these norms have more stringent requirements than IEC 61508, but all require IEC 61508 to be fulfilled.
- Automotive has its own standard, ISO 26262, which is also part of the Xilinx safety program; it covers hardware, software and model-based programming (with Matlab, for example).
- RTCA/DO-254, Design Assurance Guidance for Airborne Electronic Hardware, is a document providing guidance for the development of airborne electronic hardware. DO-254 is a means of compliance for the design of complex electronic hardware in airborne systems; complex electronic hardware includes devices like Field Programmable Gate Arrays (FPGAs), Programmable Logic Devices (PLDs) and Application Specific Integrated Circuits (ASICs). DO-254 is the counterpart to the well-established software standard RTCA DO-178B / EUROCAE ED-12B.
17 Quantitative assessment of the safety-related system
- Assess the failure rate: reliability modeling is needed to assess the failure rate or probability of failure on demand (PFD) of the safety-related element or elements in question. This can then be compared with the target set in Step 3. Inputs: UG116 (Xilinx reliability data), the FIT calculator spreadsheet (Xilinx tool), and common cause failures (CCF).
- Qualitative assessment against the SILs: assess the systematic failures (software, process, design). The various requirements for limiting systematic failures become more onerous as the SIL increases; they cover many of the life-cycle activities.
- ISE tool chain: qualified by Xilinx, no separate assessment needed
- IDF (Isolation Design Flow): qualified by Xilinx, no separate assessment needed
18 ASSESSMENT: ...the procedure requires methods (for reference only)
19 COMMON MODE CAUSES AND THEIR MITIGATION (reset and power sequencing)
- Configuration memory: SEM IP, readback
- Power supply: dual supply
- Reset and power sequencing: power sequencer
- Clock: duplicated clock
- I/O banks: different banks
20FIT RATE CALCULATOR EXAMPLE (LX9 – Ethernet Powerlink for Motor Control)
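The failure-rate side of slide 17 (FIT figures from UG116 and the FIT calculator, the PFD target, common cause failures) can be carried through numerically. The block below is an added example, not the Xilinx FIT calculator spreadsheet or any code from the presentation: it uses the simplified IEC 61508-6 Annex B formulas for a single channel (1oo1) and a redundant pair (1oo2) with a common-cause factor beta, the low-demand PFDavg bands of IEC 61508-1, and constructed inputs (a 100 FIT device figure, a 50% dangerous fraction, an annual proof test, beta = 2%) that are assumptions for illustration only.

```python
# Added example (not from the presentation or a Xilinx tool): reduce a device FIT figure
# to a dangerous-undetected failure rate and evaluate the simplified IEC 61508-6 PFDavg
# formulas for a single channel (1oo1) and a redundant pair (1oo2) with a common-cause
# factor beta. All numeric inputs below are constructed for illustration.

FIT_PER_HOUR = 1e-9  # 1 FIT = one failure per 10^9 device-hours

# Low-demand PFDavg bands from IEC 61508-1 (lower bound inclusive, upper bound exclusive)
SIL_PFD_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


def lambda_du(fit, dangerous_fraction=0.5, diagnostic_coverage=0.0):
    """Dangerous undetected failure rate (per hour) derived from a FIT figure.

    dangerous_fraction: share of all failures assumed dangerous (0.5 is an assumption,
    a common conservative split when no FMEDA is available).
    diagnostic_coverage: fraction of dangerous failures caught by on-line diagnostics
    (configuration scrubbing, a lock-step comparator, ...).
    """
    return fit * FIT_PER_HOUR * dangerous_fraction * (1.0 - diagnostic_coverage)


def pfd_1oo1(l_du, proof_test_hours):
    """Simplified single-channel formula: PFDavg ~ lambda_DU * T1 / 2."""
    return l_du * proof_test_hours / 2.0


def pfd_1oo2(l_du, proof_test_hours, beta):
    """Simplified 1oo2 formula: the independent double-failure term plus the
    common-cause term beta * lambda_DU * T1 / 2 (IEC 61508-6 Annex B style)."""
    x = l_du * proof_test_hours
    return x * x / 3.0 + beta * x / 2.0


def sil_band(pfd):
    """SIL whose low-demand PFDavg band contains pfd; 0 when above the SIL 1 band."""
    if pfd >= 1e-1:
        return 0
    for sil, (lo, hi) in SIL_PFD_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return 4  # below 1e-5 there is no band above SIL 4


def assess(fit, proof_test_hours=8760.0, beta=0.02, **kwargs):
    """Return PFDavg and SIL band for 1oo1 and 1oo2 built from the same device."""
    l_du = lambda_du(fit, **kwargs)
    single = pfd_1oo1(l_du, proof_test_hours)
    dual = pfd_1oo2(l_du, proof_test_hours, beta)
    ccf_term = beta * l_du * proof_test_hours / 2.0
    return {
        "lambda_du": l_du,
        "pfd_1oo1": single, "sil_1oo1": sil_band(single),
        "pfd_1oo2": dual, "sil_1oo2": sil_band(dual),
        "ccf_share_of_1oo2": ccf_term / dual,
    }


if __name__ == "__main__":
    # Constructed figure: 100 FIT device-level hardware failure rate, annual proof test.
    for key, val in assess(100.0).items():
        print(f"{key:>20}: {val:.3e}" if isinstance(val, float) else f"{key:>20}: {val}")
```

With these inputs the single channel lands in the SIL 3 band and the 1oo2 pair in the SIL 4 band, but about 98% of the 1oo2 figure is the common-cause term. That is the quantitative reason behind slide 19: for a redundant design the mitigations against common-mode causes (duplicated clock, dual supply, different I/O banks, configuration scrubbing) move the result far more than the raw device FIT does. The SIL band returned covers only the random-hardware part of the assessment; the qualitative requirements on systematic failures listed on the same slide are not a calculation.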
22 Firmware / Hardware Interlock: REDUNDANCY SCHEMES (repeat of slide 13)
27 IP Quality: Xilinx Verification Initiative (XVI)
- Xilinx Verification Initiative (XVI): standardization of logical and functional quality for IC design and IP development
- Open Verification Methodology: a methodology to improve design and verification efficiency, verification data portability, and tool and VIP interoperability; a class reference manual accompanied by an open-source SystemVerilog base class library implementation and a user guide
- Flow: static checks on the DUT, verification, validation, delivery verification, sign-off
28 Test Coverage at Multiple Levels (IP Quality, XVI, Open Verification Methodology)
- Transaction coverage: coverage definition on the user-controlled parameters, usually defined in the transaction class and controlled through sequences
- Error coverage: coverage definition on the pre-defined error injection scenarios
- Protocol coverage: AXI handshake coverage
- Flow coverage: covers features such as outstanding transactions, interleaving, write data before write address, etc.
30 WHAT IS IT? A two-part design flow to ensure functional separation: isolation (IDF) and isolation verification (IVT)
- Approved by the NSA (US National Security Agency)
- Approved by TÜV SÜD for IEC 61508 and ISO 26262
- Uses PlanAhead and floorplanning
31 How the Design Flow works
- IDF requires up-front floorplanning, usually done through PlanAhead, to identify and floorplan the isolated regions.
- IDF requires hierarchical bottom-up synthesis.
- To verify isolation, Xilinx provides the Isolation Verification Tool (IVT), which lets the user check isolation at two stages: against the UCF before implementation, and then against the final routed netlist (NCD). More details about IVT are provided in the following slides.
- Diagram: the standard flow on one side, independent verification assurance (IVT) on the other.
32 Design Preservation: managing the design
- Use previous implementation results to preserve QoR for unchanged blocks
- Imported partitions are copied and pasted; implemented partitions are placed and routed
- Initial run versus incremental run
Speaker note: this slide has an animation that copies over the blue, green and orange blocks, after which the red block is "implemented". Click once to import blue, again to import green, again to import orange, and again to implement red.
33 Final Results: view of the final isolated design in PlanAhead and FPGA Editor
Device utilization: Registers 18%, LUT 35%, SLICE 57%, I/O 23%, RAMB 59%, DSP48 55%, PLL 16%, BUFG 31%. Time to implement: 2 hrs. Unroutes, Timing Score.
In the PlanAhead view, notice that there are 7 different colored regions in the device. These 7 regions are the floorplanned, functionally and physically isolated regions of the design. The FPGA Editor view shows the routed design with the distinguishable isolated regions. Finally, a quick summary of the Spartan-6 LX150T utilization by the design is provided.
34 IDF Logical and Physical Ownership
Diagram: isolated regions A, B, C and D (reg_A.vhd, reg_B.vhd, reg_C.vhd, reg_D.vhd) separated by fences; the global logic (DCM, BUFG) lives in clock_gen.vhd under top_design.vhd. Logical ownership: top_design.vhd owns clock_gen.vhd and reg_A.vhd to reg_D.vhd.
- Each isolated region physically owns the components that are logically owned by its isolated function.
- Global logic is logically owned by the top level and not by an isolated function of its own. This requires that the global logic be physically owned by the isolated regions.
35 Isolated Design Flow: General Introduction
Diagram: isolated regions A to D (reg_A.vhd to reg_D.vhd) separated by a fence, with intra-region routes, inter-region routes across a shared fence edge, and the global logic route (clock tree).
- The Isolation Design Flow (IDF) allows multiple physically isolated and independent functions to be implemented within a single FPGA, utilizing a fence of unused device components between each function. Each isolated function is separated by this fence, generating isolated regions within the device. The flow uses early floorplanning, modular design, modular and bottom-up synthesis, and adherence to a set of rules and considerations to guarantee isolation between functions.
- On-chip communication between isolated functions is achieved through the use of trusted routing, which is handled automatically by the Xilinx tools. For two isolated regions to communicate with one another, they must share an edge separated by a fence.
- The Isolation Design Flow (IDF) is the software methodology that allows one module to be physically isolated from another.
- The methodology is backed by significant schematic analysis and software verification (IVT) to ensure the elimination of single points of failure.
36 IVT, UCF Mode: Package Pin Checks (3/31/2017)
- There must be at least one row or column of isolation between pin groups.
- The example package pin layout has three adjacency violations (note: three violations in two locations, not visible in the device view). Pins shown in the typical package layout: H20, P23, J21, R23, R24, in groups A and B.
- IVT looks for package pin-to-pin isolation violations and for I/O bank IOB-to-IOB isolation violations. The final bullet shows that adjacent package pins are not necessarily adjacent within a bank.
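What the UCF-mode package pin check on slide 36 has to do can be shown on a small constructed pinout. The code below is an added example, not Xilinx's IVT: it assumes JEDEC-style BGA row lettering (I, O, Q, S, X and Z skipped), treats diagonal neighbours as adjacent, and uses a constructed four-region pin assignment; the region names and pins are illustrative.

```python
# Added example (not Xilinx's IVT): a package-pin adjacency check in the spirit of the
# IVT UCF-mode rule that pins of different isolated regions must have at least one
# unused row or column between them. The pin assignment below is constructed.
import re
from itertools import combinations

# BGA row lettering per the JEDEC convention that skips I, O, Q, S, X and Z (assumed;
# confirm against the package pinout in the device data sheet).
ROW_LETTERS = "ABCDEFGHJKLMNPRTUVWY"
PIN_RE = re.compile(r"^([A-Z]+)(\d+)$")


def row_index(letters):
    """'A'..'Y' -> 0..19, then 'AA'..'AY' -> 20..39 and so on (bijective base-20)."""
    idx = 0
    for ch in letters:
        idx = idx * len(ROW_LETTERS) + ROW_LETTERS.index(ch) + 1
    return idx - 1


def pin_coords(pin):
    """Split a pin name like 'R23' into 0-based (row, column)."""
    m = PIN_RE.match(pin)
    if not m:
        raise ValueError(f"not a BGA pin name: {pin!r}")
    return row_index(m.group(1)), int(m.group(2)) - 1


def adjacent(pin_a, pin_b):
    """True when the two balls touch: rows and columns both differ by at most one, so
    diagonal neighbours count, and 'P' and 'R' are neighbours because 'Q' is skipped."""
    (ra, ca), (rb, cb) = pin_coords(pin_a), pin_coords(pin_b)
    return abs(ra - rb) <= 1 and abs(ca - cb) <= 1


def package_pin_violations(assignment):
    """assignment maps isolated-region name -> list of package pins it uses.
    Returns (region_a, pin_a, region_b, pin_b) for every cross-region adjacency."""
    found = []
    for (reg_a, pins_a), (reg_b, pins_b) in combinations(assignment.items(), 2):
        for pa in pins_a:
            for pb in pins_b:
                if adjacent(pa, pb):
                    found.append((reg_a, pa, reg_b, pb))
    return found


# Constructed assignment: three violations, each of a kind that is easy to miss by eye.
EXAMPLE_ASSIGNMENT = {
    "region_A": ["H20", "J21", "P23"],
    "region_B": ["R23", "T22"],   # P23/R23: adjacent rows, because Q is not a row
    "region_C": ["U21", "AA5"],   # T22/U21: diagonal neighbours
    "region_D": ["AB6"],          # AA5/AB6: two-letter rows
}

if __name__ == "__main__":
    for reg_a, pa, reg_b, pb in package_pin_violations(EXAMPLE_ASSIGNMENT):
        print(f"violation: {reg_a}:{pa} touches {reg_b}:{pb}")
```

This covers only the package level. As the slide notes, package pins that are adjacent are not necessarily adjacent IOBs inside a bank, so IVT's second check (IOB-to-IOB within the I/O bank) is a separate pass against the device's bank layout, which this example does not model; a pinout that passes here can still fail that check.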
39 LOCK-STEP CONCEPT
- In a lock-step architecture two processors, the master and the checker, execute the same code and are strictly synchronized.
- The master accesses system memory and drives all system outputs.
- The checker continuously executes the instructions fetched by the master processor.
- The outputs produced by the checker, both addresses and data, feed the compare logic (monitor).
- The compare logic checks the consistency of the master and checker data, address and control lines.
- Disagreement on the value of any pair of duplicated bus lines reveals a fault on either CPU, without giving the chance to identify the faulty CPU.
41 LOCK-STEP XILINX IMPLEMENTATION
The fault tolerance features included in MicroBlaze, enabled with C_FAULT_TOLERANT:
- Error detection for internal block RAMs
- Support for Error Detection and Correction (ECC) in LMB block RAMs: soft errors in block RAMs are detected and corrected (single-bit errors are corrected, double-bit errors are detected)
- Protected parts: instruction and data cache, MMU unified translation look-aside buffer, branch target cache, exception handling
- Scrubbing support: to ensure that bit errors do not accumulate in block RAMs, they must be periodically scrubbed; microblaze_scrub() is the function that checks memory integrity
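Why scrubbing is needed (slide 41) follows from how SEC-DED ECC behaves once upsets accumulate. The block below is an added example and not the MicroBlaze LMB ECC logic or microblaze_scrub(): it implements a SEC-DED Hamming code over 8-bit words (MicroBlaze uses wider words and its own parity layout), a small block-RAM model that corrects on every read, and a constructed sequence of single-event upsets; the scrub interval and upset positions are illustrative.

```python
# Added example (not MicroBlaze's ECC logic or microblaze_scrub()): a SEC-DED Hamming
# code over 8-bit words and a small block-RAM model showing why periodic scrubbing is
# needed. Every SEU event below is constructed; no real upset data is used.
DATA_BITS = 8
PARITY_BITS = 4                       # 2**4 >= 8 + 4 + 1
CODE_BITS = DATA_BITS + PARITY_BITS   # positions 1..12; index 0 holds the overall parity


def ecc_encode(data):
    """Return a 13-element bit list: Hamming parity at positions 1, 2, 4, 8, data at the
    other positions 3..12, and an overall parity bit at index 0 for double-error detection."""
    code = [0] * (CODE_BITS + 1)
    d = 0
    for pos in range(1, CODE_BITS + 1):
        if pos & (pos - 1):            # not a power of two -> data position
            code[pos] = (data >> d) & 1
            d += 1
    for p in range(PARITY_BITS):
        mask = 1 << p
        code[mask] = sum(code[pos] for pos in range(1, CODE_BITS + 1)
                         if pos & mask and pos != mask) & 1
    code[0] = sum(code[1:]) & 1
    return code


def ecc_decode(code):
    """Return (data, status): 'ok', 'corrected' (one bit fixed in place) or
    'uncorrectable' (two flips: detected, but the data must not be trusted)."""
    syndrome = 0
    for pos in range(1, CODE_BITS + 1):
        if code[pos]:
            syndrome ^= pos
    overall_odd = sum(code) & 1        # parity over all 13 bits is even for a clean word
    if syndrome == 0 and not overall_odd:
        status = "ok"
    elif overall_odd and syndrome <= CODE_BITS:
        code[syndrome] ^= 1            # syndrome 0 here means the overall parity bit itself
        status = "corrected"
    else:
        status = "uncorrectable"       # even parity with a syndrome: two flips (or more, aliased)
    data, d = 0, 0
    for pos in range(1, CODE_BITS + 1):
        if pos & (pos - 1):
            data |= code[pos] << d
            d += 1
    return data, status


class EccBlockRam:
    """Word-addressed memory that stores ECC code words and corrects on every read."""

    def __init__(self, words):
        self.cells = [ecc_encode(w) for w in words]

    def read(self, addr):
        return ecc_decode(self.cells[addr])   # corrects the stored word in place

    def flip(self, addr, bit):
        self.cells[addr][bit] ^= 1            # model one single-event upset

    def scrub(self):
        """Read (and thereby rewrite) every word so single-bit errors do not accumulate."""
        for addr in range(len(self.cells)):
            self.read(addr)


def simulate(seu_events, scrub_every=None, words=(0x11, 0x22, 0x33, 0x44)):
    """Apply SEU events (addr, bit) in order, scrubbing after every `scrub_every` events
    when given. Returns how many words are uncorrectable on a final read of all words."""
    ram = EccBlockRam(list(words))
    for n, (addr, bit) in enumerate(seu_events, start=1):
        ram.flip(addr, bit)
        if scrub_every and n % scrub_every == 0:
            ram.scrub()
    return sum(1 for addr in range(len(ram.cells)) if ram.read(addr)[1] == "uncorrectable")


# Constructed upset sequence: words 0 and 1 are each hit twice before anyone reads them.
SEU_EVENTS = [(0, 3), (1, 5), (0, 7), (2, 1), (1, 2)]

if __name__ == "__main__":
    print("uncorrectable without scrubbing:", simulate(SEU_EVENTS))
    print("uncorrectable with a scrub every 2 events:", simulate(SEU_EVENTS, scrub_every=2))
```

Without scrubbing, two single-bit upsets land in the same word before it is read and the word becomes detectable but uncorrectable; with a scrub pass after every two upsets, each word is read and rewritten while it still carries at most one bad bit. In a real design the scrub interval is chosen from the upset rate (the FIT figures of slide 17) so that a second hit on the same word within one interval is improbable, and an uncorrectable read should trigger the safety reaction rather than only increment a counter.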
45 APPLICATIONS: LOCK-STEP MOTOR CONTROL (Diego Quagreda, QDESYS, and Trevor Hardcastle, Xilinx)
46 The LX150T Design: 7 functionally and physically isolated functions
1. First MicroBlaze (primary): the existing MicroBlaze with local instruction and data memory.
2. Second MicroBlaze (secondary): a new MicroBlaze that is an exact copy of the first, with its own local instruction and data memory.
3. First MicroBlaze comparator: compares the outputs of the first and second MicroBlaze cycle for cycle; its error output is routed to an on-board LED connection; the comparator is added to the design.
4. Second MicroBlaze comparator (redundant to the first).
5. MicroBlaze peripherals: contains the existing AXI interconnect and all the basic and command-and-control AXI peripherals.
6. Avnet Motor FMC driver and 2 FOC cores: contains the FMC driver and the 2 FOCs for the Avnet motor control board (existing components grouped together).
7. NetMot board driver and 2 FOC cores.
47 Updated LX150T Design Block Diagram
- Areas highlighted in blue indicate each of the physically and functionally isolated functions. MicroBlaze 0 is the first MicroBlaze; MicroBlaze 1 is the second.
- The SLINK RCLK and SLINK RDATA components are not part of an isolated function, because they are global clocking components (IBUFGDS) and, in accordance with the Isolation Design Flow (IDF) rules and guidelines, cannot be part of an isolated function. This will be covered later in more detail in the included IDF overview.
- Notice that only the AXI interconnect outputs go to MicroBlaze 1; MicroBlaze 0 connects to both the inputs and the outputs.
- The MB0 reset only resets the first MicroBlaze system. This allows testing of breaking the lock-step between the two MicroBlazes.
- Notice that the comparator errors are routed to LEDs on the board, as previously discussed.
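The comparator behaviour described on slide 39 and the master-only reset test on slide 47 can be simulated cycle by cycle. The code below is an added example, not the MicroBlaze comparator from the LX150T design: it uses a constructed three-instruction accumulator machine with a private local memory per core, an optional single-bit fault injected into either core's accumulator, and a master-only reset; all of these are assumptions made for illustration.

```python
# Added example (not the MicroBlaze comparator from the LX150T design): a cycle-by-cycle
# lock-step pair with a bus comparator, plus the master-only reset used to provoke a
# lock-step break. The instruction set and program are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Core:
    """Toy accumulator machine with its own local memory (like MicroBlaze LMB RAM)."""
    name: str
    pc: int = 0
    acc: int = 0
    mem: dict = field(default_factory=dict)

    def reset(self):
        self.pc, self.acc = 0, 0

    def step(self, program):
        """Execute one instruction and return what appears on the bus this cycle:
        (address, data, control). Only the master's bus drives real outputs."""
        op, arg = program[self.pc % len(program)]
        self.pc += 1
        if op == "load":
            self.acc = self.mem.get(arg, 0)
            return (arg, self.acc, "rd")
        if op == "add":
            self.acc = (self.acc + arg) & 0xFFFFFFFF
            return (None, self.acc, "alu")
        if op == "store":
            self.mem[arg] = self.acc
            return (arg, self.acc, "wr")
        raise ValueError(f"unknown op {op!r}")


def run_lockstep(program, cycles, fault=None, master_reset_at=None):
    """Run master and checker in strict lock-step and compare their bus activity each cycle.

    fault: optional (cycle, core_index, bit) flipping one accumulator bit of core 0 (master)
    or core 1 (checker) just before that cycle executes.
    master_reset_at: optional cycle at which only the master is reset (the MB0 reset test).
    Returns (first_mismatch_cycle or None, list of master bus values). The comparator sees
    only the two bus values, so a mismatch says "fault" but not which core is faulty.
    """
    cores = (Core("master"), Core("checker"))
    master_bus = []
    for cyc in range(cycles):
        if fault is not None and fault[0] == cyc:
            cores[fault[1]].acc ^= 1 << fault[2]
        if master_reset_at == cyc:
            cores[0].reset()
        m_bus, c_bus = cores[0].step(program), cores[1].step(program)
        master_bus.append(m_bus)
        if m_bus != c_bus:              # comparator: any address/data/control disagreement
            return cyc, master_bus
    return None, master_bus


# Constructed program: keep incrementing a counter held at local address 0x10.
PROGRAM = [("load", 0x10), ("add", 1), ("store", 0x10)]

if __name__ == "__main__":
    print("clean run, error cycle:", run_lockstep(PROGRAM, 12)[0])
    print("flip in master at cycle 4:", run_lockstep(PROGRAM, 12, fault=(4, 0, 0))[0])
    print("flip in checker at cycle 4:", run_lockstep(PROGRAM, 12, fault=(4, 1, 0))[0])
    print("flip just before a load (masked):", run_lockstep(PROGRAM, 12, fault=(3, 1, 0))[0])
    print("master-only reset at cycle 4:", run_lockstep(PROGRAM, 12, master_reset_at=4)[0])
```

Three things follow from running it. A flip in the master and the same flip in the checker produce the same comparator output at the same cycle, so the monitor can only report that the pair disagrees, as slide 39 states. A flip in a register that is overwritten before it reaches the bus (here, just before a load) is never seen by the comparator at all, which is why the memories carry ECC and scrubbing of their own rather than relying on the comparator alone. And resetting only MB0 breaks lock-step within one cycle, which is what makes the MB0 reset a usable self-test of the comparator path.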
48 References
- XAPP1086: Developing Secure and Reliable Single FPGA Designs With Xilinx 7 Series FPGAs using Isolation Design Flow
- WP412: The Xilinx Isolation Design Flow for Fault-Tolerant Systems
- UG116: Xilinx quarterly device reliability report
- Dual-Core Lock-Step Motor Control via Isolation Design Flow (send to
49 References
- XAPP1085: 7-series Isolation Design Flow Lab using ISE Design Suite 14.4
- XAPP1104: Implementation of a Fail-Safe Design in the Spartan-6 Family
- XAPP1105: Single Chip Crypto Lab Using PR/ISO Flow
- XAPP1134: Developing Secure Designs Using the Virtex-5 Family
- XAPP1145: Developing Secure Designs with the Spartan-6 Family Using the Isolation Design Flow
50 Summary
- Integration in one device and redundancy by isolation are no contradiction
- Xilinx provides a TÜV-certified solution for functional safety according to IEC 61508 and ISO 26262 with the Isolation Design Flow
- Over 15 years of published quarterly reliability reports and the FIT rate calculator tool from Xilinx let you determine the reliability figures with confidence
Follow Xilinx on: facebook.com/XilinxInc, twitter.com/XilinxInc, youtube.com/XilinxInc