
XILINX CONFIDENTIAL. Dr. Giulio Corradi (Senior System Architect ISM – Xilinx GmbH – Xilinx Inc.) Mrs. Sylvia Waldhausen (Project Leader TÜV SÜD Rail GmbH)


Presentation transcript:

1 Qualification of a Tool Chain for FPGA Development for IEC and ISO26262. Dr. Giulio Corradi (Senior System Architect ISM – Xilinx GmbH – Xilinx Inc.), Mrs. Sylvia Waldhausen (Project Leader TÜV SÜD Rail GmbH). Tool Qualification Symposium 2014, April; Validas AG, München, Germany

2 Disclaimer
© Copyright 2011 Xilinx, Inc. All rights reserved. Xilinx, the Xilinx logo, and other designated brands included herein are trademarks of Xilinx in the United States and other countries. All other trademarks are the property of their respective owners. This file contains confidential and proprietary information of Xilinx, Inc. and is protected under U.S. and international copyright and other intellectual property laws.
DISCLAIMER: This disclaimer is not a license and does not grant any rights to the materials distributed herewith. Except as otherwise provided in a valid license issued to you by Xilinx, and to the maximum extent permitted by applicable law: (1) THESE MATERIALS ARE MADE AVAILABLE "AS IS" AND WITH ALL FAULTS, WITHOUT ANY REPRESENTATION, WARRANTY, ASSURANCE OR GUARANTEE REGARDING THE ACCURACY, SUCCESS, OUTCOME, OR PERFORMANCE OF THE MATERIALS AND EXPRESSLY EXCLUDE ALL WARRANTIES AND CONDITIONS, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, OR FITNESS FOR ANY PARTICULAR PURPOSE; and (2) Xilinx shall not be liable (whether in contract or tort, including negligence, or under any other theory of liability) for any loss or damage of any kind or nature related to, arising under or in connection with these materials, including for any direct, or any indirect, special, incidental, or consequential loss or damage (including loss of data, profits, goodwill, or any type of loss or damage suffered as a result of any action brought by a third party) even if such damage or loss was reasonably foreseeable or Xilinx had been advised of the possibility of the same.
CRITICAL APPLICATIONS: Xilinx products are not designed or intended to be fail-safe, or for use in any application requiring fail-safe performance, such as life-support or safety devices or systems, Class III medical devices, nuclear facilities, applications related to the deployment of airbags, or any other applications that could lead to death, personal injury, or severe property or environmental damage (individually and collectively, "Critical Applications"). Customer assumes the sole risk and liability of any use of Xilinx products in Critical Applications, subject only to applicable laws and regulations governing limitations on product liability. THIS COPYRIGHT NOTICE AND DISCLAIMER MUST BE RETAINED AS PART OF THIS DOCUMENT AT ALL TIMES.

3 Xilinx Technology Evolution (figure): Programmable Logic Devices enable programmable logic; All Programmable Devices enable programmable systems integration

4 WHAT IS XILINX ALL PROGRAMMABLE? Accelerating design creation and debug, and simplifying reuse
(figure) Device families Artix-7, Kintex-7, Virtex-7: a scalable array of logic, DSP, memory, analog, transceivers and clock systems
(figure) ISE tool chain: XST, ngdbuild, map, par, trce, bitgen, Coregen, EDK, SysGen, 3rd-party tools; Vivado tool chain
(figure) Plug & Play IP over AXI4 (AXI4 data, AXI4-Lite, AXI4 Streaming): processor, AXI interconnect blocks, AXI DDR3 memory controller, DMA, timer, interrupt controller, flash interface, TEMAC

5 Xilinx FPGA and Functional Safety Challenges: enabling immunity to common mode failures at the silicon level
(figure, "Bit flipped!") Basic SEU detection; integrated BRAM ECC; robust system test; accurate FIT rate calculation; configuration ECC; dual core; fault-tolerant XADC monitor

6 Zynq-7000 All Programmable SoCs: the world's first All Programmable system on chip
(block diagram) Processing System: two Cortex-A9 MPCore cores, each with NEON/FPU engine and 32/32 KB I/D caches; Snoop Control Unit (SCU); 512 KB L2 cache; 256 KB on-chip memory; general interrupt controller; DMA; timer counters; configuration; ARM CoreSight multi-core & trace debug; static memory controller (Quad-SPI, NAND, NOR); dynamic memory controller (DDR3, DDR2, LPDDR2); 2x GigE, 2x USB and 2x SDIO with DMA; 2x SPI, 2x I2C, 2x CAN, 2x UART, GPIO; I/O MUX (MIO); AMBA switches
(block diagram) Programmable Logic: system gates, DSP, RAM, XADC, PCIe, multi-standard I/Os (3.3V & high-speed 1.8V), multi-gigabit transceivers
(block diagram) PS-PL interfaces: M_AXI_GP0/1, S_AXI_GP0/1, S_AXI_HP0, S_AXI_HP1, S_AXI_HP2, S_AXI_HP3, S_AXI_ACP, EMIO

7 WHY XILINX IN SAFETY APPLICATIONS
Technical convenience
–Diversity is embedded naturally
–Safety functions often require ad-hoc design, which FPGAs offer
–Redundancy is easily implementable
–Safe upgradability in case of later modification via Design Preservation
Product convenience
–Behaves like an ASIC but is a standard product proven in use
–Can scale with the application
–More than 15 years of published quarterly reliability reports
–Every chip is individually tested, always
Robust technology reliability
–Enhanced Design For Reliability (DFR) achieving FIT < 15
–Neutron test

8 WHERE IN SAFETY LOOP (figure): Sensor → transmission → Control Unit / Logic Solver (FPGA, or FPGA / Zynq) → transmission → Final Element → Process

9 Xilinx Solves Functional Safety Challenges
Reduce system cost and risk for functional safety designs
–Fewer components, lower risk of obsolescence
–Design Isolation and Verification flows (IDF/IVT) reduce the effort for subsequent certification of evolving implementations
Reduce development and certification time and risk
–Safety Manual and qualified tools lower the barrier to entry
–Reduces time and risk for assessor interaction and education
Increase productivity
–Safe/non-safe integration and updates to non-safe functions
Proven compliance: IEC61508, ISO26262

10 Xilinx Deliverables for Functional Safety (IEC 61508 SIL1 to SIL3; ISO 26262 ASIL-A to ASIL-D)
Qualified safety data package
–Qualified tools (ISE 14.2) and methodology for safety designs with Xilinx FPGA
–Safety Manual, certificate and test report; V-Model, QM and reliability data for devices
Isolation Design Flow and Isolation Verification Flow
–Integrate but separate safe and non-safe applications in one device
–Reduce effort and risk of subsequent certifications
SEU mitigation IP
–Provides detection and correction of configuration upsets
Tools for FIT rate analysis
–FIT Rate calculator, Essential and Critical Bit analysis: reduce the FIT rate to be considered for safety applications
–Power analysis tools
Xilinx and supply chain committed to quality and quality management
–ISO9000/QML/TL9000/TS16494

11 IEC61508 and the Safety Life Cycle
Mitigation of risk to a defined tolerance
The safety life cycle has 16 phases, roughly divided as follows:
–Phases 1-5 address analysis
–Phases 6-13 address realization
–Phases 14-16 address operation
Central to the standard is risk identification and mitigation
–Risk is a function of the frequency of the hazardous event and the severity of its consequence
–Zero risk can never be reached
–Safety must be considered from the beginning
–Non-tolerable risks must be reduced
(lifecycle figure) 1 Concept; 2 Overall scope definition; 3 Hazard & risk analysis; 4 Overall safety requirements; 5 Overall safety requirements allocation; Overall planning: 6 Overall operation & maintenance planning, 7 Overall safety validation planning, 8 Overall installation & commissioning planning; Realization: 9 E/E/PE system safety requirements specification, 10 E/E/PE safety-related systems realization, 11 Other risk reduction measures specification and realisation; 12 Overall installation & commissioning; 13 Overall safety validation; 14 Overall operation, maintenance and repair; 15 Overall modification & retrofit; 16 Decommissioning or disposal; "Back to appropriate overall safety lifecycle phase"; annotation "Xilinx plays here"

12 REDUNDANCY SCHEMES

13 REDUNDANCY SCHEMES
(figure) Blocks: Power Sequencer (I/O & core voltages); FPGA with Safety Function (Input1, Input2, Output 1, Output 2, Reset, FPGA Ready); Hardware Permissive; Firmware / Hardware Interlock
–Power Sequencer feeds the Hardware Interlock directly to block FPGA outputs until power is stable
–Power Sequencer feeds the FPGA to guarantee reliable reset operation during power-up and brown-outs
–Hardware Permissive feeds the Hardware Interlock directly to block FPGA outputs until permitted
–Hardware Permissive feeds the FPGA to hold off outputs while blocked by the Hardware Interlock

14 ON CHIP REDUNDANCY (figure): System Monitor; FPGA containing a Safety Function and a Non-Safety Function with Separation between them (Annex E – Table E2)

15 Test Coverage and Characterization

16 SAFETY STANDARDS – WHERE XILINX PLAYS
(figure, standards arranged by scope: HW/SW, HW, SW, System, Process)
–IEC61508 generic
–IEC60601 medical
–ISO26262 automotive
–IEC60730 home appliances
–IEC61800 power drive systems
–IEC62061 machinery
–IEC60987 nuclear
–IEC62138 nuclear, software category B or C
–IEC60880 nuclear, software category A
–IEC62425 railway systems
–IEC62279 SW railway signalling
–EN50128 SW railway signalling
–EN50129 railway systems
–EN50126 railway RAMS
–IEC61511 process industry
–ECSS-Q spatial
–DO-254 avionics

17 Quantitative assessment of the safety-related system
Assess the failure rate
–Reliability modeling is needed to assess the failure rate or probability of failure on demand (PFD) of the safety-related element or elements in question. This can then be compared with the target set in Step 3.
–Inputs: UG116 (Xilinx Reliability Data); FIT Calculator Spreadsheet (Xilinx tool); Common Cause Failures (CCF)
Qualitative assessment against the SILs
Assess the systematic failures (software, process, design)
–The various requirements for limiting systematic failures are more onerous as the SIL increases. These cover many of the life-cycle activities.
–ISE Toolchain: Xilinx qualified, no need of assessment
–IDF Isolation Design Flow: Xilinx qualified, no need of assessment

18 ASSESSMENT ...the procedure requires methods (for reference only)

19 COMMON MODE CAUSES (FPGA)
Common mode causes: configuration memory; power supply; reset & power sequencing; clock; I/O banks
Mitigations: SEM IP; readback; dual supply; power sequencer; duplicated clock; different banks

20 FIT RATE CALCULATOR EXAMPLE (LX9 – Ethernet Powerlink for Motor Control)


23 FPGA DEVELOPMENT LIFECYCLE – IEC61508 (V-model figure)
Validated FPGA development process (left branch): E/E/PES safety requirements specification → E/E/PES architecture → FPGA safety requirements specification → FPGA architecture → Module design → FPGA design behavioural modelling → Code generation → Synthesis, placement and routing
Verification process (right branch): module testing; post layout simulation; module integration testing; verification of complete FPGA; validation testing
(arrows labelled "Output" and "Test" link each development step to its verification step)

24 LEVELS OF CRITICALITY (taken from IEC61508 Part 4)

25 FPGA design flow overview

26 HW-COSIM completes the IEC61508 V model (adds double verification: (a) Xilinx libraries and (b) chip execution)
(flow figure) Design creation (schematic editor, RTL coding, IP blocks, RTL + timing constraints) → Design synthesis (logical / physical synthesis, timing constraints, power estimation) → Design implementation (I/O assignment, floorplanning, place & route) → Device programming (bitstream generation, programming, screening). Design verification runs alongside: functional simulation (RTL simulation, gate-level simulation, with back-annotation), equivalence checking, static timing analysis, power analysis, debug / in-circuit verification.
Technology libraries (Lib) and chip: Prob_failure_Library * Prob_failure_Chip_Hwcosim < Prob_failure_Library

27 IP QUALITY – XILINX VERIFICATION INITIATIVE (XVI)
(figure) DUT: static checks → verification → sign-off → validation → delivery verification
Xilinx Verification Initiative (XVI): standardization for logical and functional quality for IC design and IP development
Open Verification Methodology: a methodology to improve design and verification efficiency, verification data portability, and tool and VIP interoperability; a class reference manual accompanied by an open-source SystemVerilog base class library implementation and a User Guide.

28 IP QUALITY – XVI: test coverage at multiple levels (Open Verification Methodology)
–Transaction coverage: coverage definition on the user-controlled parameters, usually defined in the transaction class and controlled through sequences
–Error coverage: coverage definition on the pre-defined error injection scenarios
–Protocol coverage: AXI handshake coverage
–Flow coverage: covers various features such as outstanding transactions, interleaving, write data before write address, etc.

29 IDF (Isolation Design Flow)

30 WHAT IS IT?
A two-part design flow to ensure functional separation
–ISOLATION
–ISOLATION VERIFICATION
Approved by NSA (US National Security Agency)
Approved by TÜV SÜD
–For IEC61508
–And ISO26262
Uses PlanAhead and floorplanning

31 How the Design Flow works (figure): STANDARD FLOW → INDEPENDENT VERIFICATION → ASSURANCE

32 Design Preservation ...manage the design
Use previous implementation results to preserve QoR for unchanged blocks
–Imported Partitions are copied and pasted
–Implemented Partitions are placed and routed
(figure: Initial Run / Incremental Run)

33 Final Results – View of Final Isolated Design in PlanAhead and FPGA Editor
Device utilization: Registers 18%; LUT 35%; SLICE 57%; I/O 23%; RAMB 59%; DSP48 55%; PLL 16%; BUFG 31%
Time to implement: 2 hrs; Unroutes: 0; Timing score: 0
(screenshots: PlanAhead, FPGA Editor)

34 IDF Logical and Physical Ownership
(figure) Logical ownership: top_design.vhd contains clock_gen.vhd and reg_A.vhd, reg_B.vhd, reg_C.vhd, reg_D.vhd
(figure) Physical ownership: Isolated Region A (reg_A.vhd), Isolated Region B (reg_B.vhd), Isolated Region C (reg_C.vhd), Isolated Region D (reg_D.vhd), separated by FENCE areas; DCM and BUFG for the clock

35 Isolated Design Flow General Introduction
Isolation Design Flow (IDF) is the software methodology that allows for physically isolating one module from another.
–Methodology backed by significant schematic analysis and software verification (IVT) to ensure elimination of single points of failure

36 IVT – UCF Mode Package Pin Checks
Must have at least one row or column isolation between pin groups
(figure: typical package layout with pins J21, H20, R23, P23, R24 in groups A and B) Package pin layout has three adjacency violations
Note: three violations in two locations, not visible in device view
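To make the "at least one row or column isolation" rule concrete, here is an added Python check that is not Xilinx's IVT and not taken from the slides. It assumes the common JEDEC BGA row-letter convention (I, O, Q, S, X and Z skipped, so rows P and R are neighbours), treats two pins of different isolation groups as a violation when they touch, including diagonally, and uses constructed pin groups as sample data.

```python
"""Package-pin adjacency check in the spirit of the IVT UCF-mode pin checks.
Added example, not Xilinx IVT code: the row-letter convention, the adjacency
interpretation and the SAMPLE pin groups are assumptions / constructed data."""
import re
from itertools import combinations
from typing import Dict, List, Tuple

# Assumption: BGA rows use the JEDEC letter sequence that skips I, O, Q, S, X, Z
# and continues with AA, AB, ... after Y. Hence P and R are adjacent rows.
ROW_LETTERS = "ABCDEFGHJKLMNPRTUVWY"
PIN_RE = re.compile(r"^([A-HJ-NPRT-WY]{1,2})(\d+)$")


def row_index(letters: str) -> int:
    """'A'->0 ... 'Y'->19, 'AA'->20, 'AB'->21, ... (consecutive physical rows)."""
    n = len(ROW_LETTERS)
    if len(letters) == 1:
        return ROW_LETTERS.index(letters)
    return n + n * ROW_LETTERS.index(letters[0]) + ROW_LETTERS.index(letters[1])


def parse_pin(pin: str) -> Tuple[int, int]:
    """Turn a package pin name such as 'J21' into (row index, column number)."""
    m = PIN_RE.match(pin.upper())
    if not m:
        raise ValueError(f"not a BGA pin name: {pin!r}")
    return row_index(m.group(1)), int(m.group(2))


def adjacency_violations(groups: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Return (pin_a, group_a, pin_b, group_b) for every pair of pins from
    different isolation groups that touch (adjacent row/column or diagonal),
    i.e. with no free row or column between them."""
    placed = [(pin, grp, *parse_pin(pin)) for grp, pins in groups.items() for pin in pins]
    found = []
    for (pa, ga, ra, ca), (pb, gb, rb, cb) in combinations(placed, 2):
        if ga != gb and max(abs(ra - rb), abs(ca - cb)) <= 1:
            found.append((pa, ga, pb, gb))
    return found


def violation_locations(violations) -> int:
    """Count clusters of touching violating pins (union-find), so several
    violations around one spot count as a single location."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for pa, _, pb, _ in violations:
        parent[find(pa)] = find(pb)
    return len({find(p) for p in list(parent)})


# Constructed sample: two isolation groups; F5/F7 keep one free column (OK),
# the other pins reproduce "three violations in two locations".
SAMPLE = {"A": ["J21", "P23", "F5"], "B": ["H20", "R23", "R24", "F7"]}
```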

37 LOCK-STEP Diversity

38 DIVERSITY (figure): PL + PS; PL + MicroBlaze + PS; PL + PS + MicroBlaze lock-step

39 LOCK-STEP CONCEPT
In a lock-step architecture two processors, the master and the checker, execute the same code in strict synchronization. The master accesses the system memory and drives all system outputs. The checker continuously executes the instructions fetched by the master processor. The outputs produced by the checker, both addresses and data, feed the compare logic (monitor). The compare logic checks the consistency of the master and checker data, address and control lines. Disagreement on the value of any pair of duplicated bus lines reveals a fault on either CPU without giving the chance to identify the faulty CPU.
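The master/checker comparison above as an added Python model, not Xilinx or MicroBlaze code: a constructed two-instruction CPU, a constructed program and a hypothetical single-bit fault injector show that the monitor flags the cycle of a mismatch, reports the same thing whichever core is faulty, and that the master's (possibly corrupted) value still reaches the system bus, which is why the monitor output must gate the outputs.

```python
"""Lock-step master/checker model. Added illustration, not Xilinx code: the
CPU, the program and the bit-flip fault injection are all constructed here."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

BusCycle = Tuple[int, int, str]  # (address, data, control) as seen by the monitor
Instr = Tuple[str, int, int]     # (op, address, immediate)


@dataclass
class Core:
    """Two-instruction CPU: LOAD puts an immediate in the accumulator, STORE
    writes it. `fault` is a hypothetical corruption of the data lines."""
    name: str
    fault: Optional[Callable[[int, int], int]] = None  # (cycle, data) -> data
    acc: int = 0

    def step(self, cycle: int, instr: Instr) -> BusCycle:
        op, addr, imm = instr
        if op == "LOAD":
            self.acc, data, ctrl = imm, imm, "RD"
        else:  # STORE
            data, ctrl = self.acc, "WR"
        if self.fault is not None:
            data = self.fault(cycle, data)
        return (addr, data, ctrl)


@dataclass
class LockStep:
    """Master drives the system bus; the checker's bus lines are only compared."""
    master: Core
    checker: Core
    system_bus: List[BusCycle] = field(default_factory=list)
    errors: List[Tuple[int, BusCycle, BusCycle]] = field(default_factory=list)

    def run(self, program: List[Instr]) -> List[Tuple[int, BusCycle, BusCycle]]:
        for cycle, instr in enumerate(program):
            m = self.master.step(cycle, instr)
            c = self.checker.step(cycle, instr)  # same instruction, same cycle
            self.system_bus.append(m)
            if m != c:  # compare logic: any address/data/control line differs
                self.errors.append((cycle, m, c))
        return self.errors


# Constructed program: load a value, store it, load another, store it.
PROGRAM: List[Instr] = [("LOAD", 0x10, 0x5A), ("STORE", 0x20, 0),
                        ("LOAD", 0x10, 0x3C), ("STORE", 0x24, 0)]


def flip_bit3_on_cycle3(cycle: int, data: int) -> int:
    """Constructed single-event upset: data bit 3 flips during cycle 3."""
    return data ^ 0x08 if cycle == 3 else data


def simulate(master_fault=None, checker_fault=None) -> LockStep:
    """Run PROGRAM with optional (constructed) fault injection on either core."""
    ls = LockStep(Core("master", master_fault), Core("checker", checker_fault))
    ls.run(PROGRAM)
    return ls


def monitor_verdict(ls: LockStep) -> str:
    """What the monitor can report: a mismatch and its cycle, never which core."""
    return "OK" if not ls.errors else f"MISMATCH at cycle {ls.errors[0][0]}"
```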

40 Lockstep MicroBlaze Block Diagram

41 LOCK-STEP XILINX IMPLEMENTATION
The fault tolerance features included in MicroBlaze:
–Enabled with C_FAULT_TOLERANT
–Error detection for internal block RAMs
–Support for Error Detection and Correction (ECC) in LMB block RAMs
–All soft errors in block RAMs are detected and corrected
Protected parts
–Instruction and Data Cache
–MMU Unified Translation Look-Aside Buffer
–Branch Target Cache
–Exception Handling
Scrubbing support
–To ensure that bit errors are not accumulated in block RAMs, they must be periodically scrubbed
–microblaze_scrub() is the function to check memory integrity

42 LOCK-STEP APPLICATIONS

43 Lockstep MicroBlaze Block Diagram

44 Current Floorplan

45 LOCK-STEP MOTOR CONTROL APPLICATIONS – Diego Quagreda (QDESYS) + Trevor Hardcastle (Xilinx)

46 The LX150T Design: 7 functionally and physically isolated functions
1. First MicroBlaze (Primary): existing MicroBlaze with local instruction and data memory
2. Second MicroBlaze (Secondary): new MicroBlaze that is an exact copy of the first, with its own local instruction and data memory
3. First MicroBlaze Comparator: compares outputs of the first and second MicroBlazes cycle for cycle; error output is routed to an on-board LED connection; comparator is added to the design
4. Second MicroBlaze Comparator (redundant to the first): compares outputs of the first and second MicroBlazes cycle for cycle; error output is routed to an on-board LED connection; comparator is added to the design
5. MicroBlaze Peripherals: contains the existing AXI interconnect and all the basic and Command and Control AXI peripherals
6. Avnet Motor FMC Driver and 2 FOC Cores: contains the FMC driver and 2 FOCs for the Avnet Motor Control Board; existing components grouped together
7. NetMot Board Driver and 2 FOC Cores: contains the FMC driver and 2 FOCs for the Avnet Motor Control Board; existing components grouped together

47 Updated LX150T Design Block Diagram

48 References
XAPP1086 – Developing Secure and Reliable Single FPGA Designs With Xilinx 7 Series FPGAs using Isolation Design Flow
–http://www.xilinx.com/support/documentation/application_notes/xapp1086-secure-single-fpga-using-7s-idf.pdf
WP412 – The Xilinx Isolation Design Flow for Fault-Tolerant Systems
–http://www.xilinx.com/support/documentation/white_papers/wp412_IDF_for_Fault_Tolerant_Sys.pdf
UG116 – Xilinx quarterly device reliability report
–http://www.xilinx.com/support/documentation/user_guides/ug116.pdf
Dual-Core Lock-Step Motor Control via Isolation Design Flow
–(send to

49 References
XAPP1085 – 7-series Isolation Design Flow Lab using ISE Design Suite 14.4
–http://www.xilinx.com/support/documentation/application_notes/xapp1085-7s-isolation-design-flow-ise-14-4.pdf
XAPP1104 – Implementation of a Fail-Safe Design in the Spartan-6 Family
–http://www.xilinx.com/support/documentation/application_notes/xapp1104_S6FailSafe_Design.pdf
XAPP1105 – Single Chip Crypto Lab Using PR/ISO Flow
–http://www.xilinx.com/support/documentation/application_notes/xapp1105_V5SCC_PRISO.pdf
XAPP1134 – Developing Secure Designs Using the Virtex-5 Family
XAPP1145 – Developing Secure Designs with the Spartan-6 Family Using the Isolation Design Flow
–http://www.xilinx.com/support/documentation/application_notes/xapp1145_S6Secure_Designs.pdf

50 Summary
Integration in one device and redundancy by isolation is no contradiction
Xilinx provides a TÜV-certified solution for Functional Safety according to IEC and ISO with the Isolation Design Flow
Over 15 years of published quarterly reliability reports and the FIT rate calculator tool from Xilinx let you determine the reliability safely
Follow Xilinx on: facebook.com/XilinxInc, twitter.com/XilinxInc, youtube.com/XilinxInc

