With the evolution of automobiles from purely mechanical machines into today's highly integrated drive-by-wire automotive electronics systems, design engineers now face added challenges. They must continually add complex electronics to each successive model year while still maintaining high standards for quality and reliability, all while meeting the stringent demands of low-cost, high-volume production.

Traditionally, these developers have relied on microcontrollers (MCUs), ASICs and bulky wiring harnesses to implement and control these systems and expand the capabilities of each automotive generation. Today, these technologies are reaching their limits, as well as creating reliability concerns as complexity grows exponentially. To solve these problems, many designers are turning to FPGAs as a flexible, low-cost solution for their next-generation automotive electronics designs.

Failures from space
The need for component reliability data is essential to ensure the proper function of the various systems in today's vehicles. While most elements of component reliability are well understood, there are some unique issues that should be factored into the selection process when selecting programmable logic devices such as FPGAs.

Specifically, technology decision makers must anticipate sources of failure that will impact programmable logic systems specifically. While the concept of bombardment of neutrons from space (cosmic rays) sounds a bit like something straight out of a Star Trek episode, neutron-induced errors are a dangerous reality for many types of electronic equipment.

Neutron-induced firm errors have progressed from being a nuisance to being a significant problem. For example, a neutron-induced upset to the configuration element of an SRAM-based (static-RAM-based) FPGA could result in loss of functionality. When this occurs, it may cause the host system to malfunction. Looking into the future, this problem will only worsen as future deep submicron manufacturing processes will continue to create substantial challenges for designers of FPGA-based automotive electronics.

The single-event upsets (SEUs) caused by neutrons inside integrated circuits can occur in any type of volatile memory cells. The aforementioned SRAM-based FPGAs use internal memory elements to hold the configuration state (or personality) of the FPGA. These memory elements pose a more serious reliability threat. When the contents are changed, it is called a "soft-error" because data, not functionality is affected. While the device can successfully be rewritten with correct data (EDAC (error detection and correction) or TMR (triple module redundancy) can be used for SRAM data and registers respectively), soft errors can lead to loss of data or "system exceptions."

When an SRAM-based FPGA configuration memory cell is corrupted, it is called a "firm error" because these errors are not easily detected or corrected and are not transient in nature. Once a firm error occurs in an FPGA, the device must be reloaded with its original configuration. In some cases, the power must first be recycled to clear the fault, and then, reconfigured.

The consequences of a neutron-induced SEU in one of these configuration cells could be severe. If a configuration bit upsets and changes state, it could change the entire functionality of the device, resulting in significant data corruption or the forwarding of spurious signals into other circuits in the system. In extreme cases, the undetected existence for a prolonged period of a firm error can become a "hard error" and cause the destruction of the device itself or the system containing the device (a neutron-induced firm error that misroutes a signal creating an internal short is one common example of this type of problem).

Significant safety implications
Neutron-induced errors have significant implications for mission-critical automotive applications that utilize an SRAM-based FPGA. Existing detection techniques, reliant on reading back FPGA configuration at regular intervals, do nothing to prevent the error within the system.

Additionally, the read-back circuits that enable detection of a corrupted configuration are themselves subject to SEUs or damage. Furthermore, the widespread deployment of susceptible FPGA technology could create the need for a new qualification system as part of the AEC-Q100 standard to supplement JEDEC standard 89 in checking the immunity of automotive systems to neutron-induced errors. Adding to the "costs" of neutron-induced errors, current schemes to detect and correct FPGA firm errors add extra complexity to the system design and increase board space and bill-of-materials cost.

Neutron-induced firm errors can contribute significantly to the overall system failure in time (FIT) rate. Difficult to detect and almost impossible to diagnose, soft and firm errors could create maintenance and service issues with the potential to escalate to larger warranty concerns. Of the three main FPGA technologies—antifuse, flash and SRAM, only antifuse and flash are immune to the effects of neutron-induced soft and firm errors.

An example: Automotive system with SRAM-based FPGAs
This example analyzes an in-the-cab ground-based system. Neutron flux densities were calculated for Denver, CO at an elevation of 5,000 feet using SpaceRad 4.5 (a widely used radiation effects prediction software program). Working from published radiation data on 0.22-micron SRAM-based FPGAs, the predicted upset rate of 1.05E-4 upsets per 1M-gate FPGA per day.

If a vendor deploys a 1M gate SRAM-based FPGA in an occupant sensor and airbag control module, multiply 1.054E-4 upsets per 1M gate device per day to model 4.38E-06 upsets per system per day, or 4,375 FITs. This means if the same vendor uses the 1M gate SRAM-based FPGA safety system in 500,000 vehicles, multiply the number of upsets (1.05E-4) by the number of vehicles/systems on the road to arrive at a total of 52.5 upsets per day (assuming constant operation of the vehicle) for the population.

This translates to an upset every 27.4 minutes. Even if a more modest 2 hours a day number is used for vehicle usage the number is still over 2 upsets a day. Because these are firm errors, they will persist until the SRAM FPGA is reloaded (normally by power cycling or forcing reconfiguration).

Soft errors are already of great concern in devices built in current semiconductor technologies. It is widely assumed that these will become a major issue as device sizes continue to shrink. These errors can often drastically reduce the system availability. Soft error avoidance is strongly required to maintain the system availability at an acceptable level.

What to do?
When selecting an FPGA, it is important to evaluate the total cost of ownership for each of the various programmable architectures and to identify suppliers with inherently reliable core technology, rather than those who just up-screen or re-qualify commercial products designed for less demanding applications.

For designers using SRAM-based FPGAs, it will become necessary to implement circuits to detect and correct configuration errors, adding to system cost and complexity. Alternately, radiation test data have shown that antifuse- and flash-based FPGAs are not subject to loss of configuration due to neutron-induced upsets. This makes them eminently suitable for all applications where reliability is a concern.

Now, imagine this slightly different opening scenario: You are driving 75 miles per hour down the highway in your new 2006-model listening to Steve Miller's Greatest Hits. Aware that the engine management system leverages a nonvolatile flash FPGA not one of its SRAM-based brethren, you crank up "The Joker" and settle in for a comfortable and trouble-free commute.

Read a recent How-To article on how testing can ensure auto electronics reliability against radiation effects such as cosmic rays.

Martin Mason is director, silicon product marketing for Actel Corporation.

Go to our Forums page and give us your opinion on the effect of cosmic rays on automotive electronics circuits and components.