Let's take our example design and look at how we can significantly improve reliability by using the redundancy techniques previously described. Figure 2 below shows the changes to the example system. In order to improve network reliability we added redundant Ethernet connections to the upstream node and the downstream node. The new redundant power subsystem helps recover from a failure in the main supply: power will switch over to a redundant supply if the main supply fails. The System Controller and Equipment Controller are now each implemented using a Dual Modular Redundancy (DMR) technique, as illustrated in the 'blow-up' of the Equipment Controller (the System Controller would use a similar technique). The controller functions are duplicated and compare logic is added to identify any outputs that do not 'agree'. When such an error is detected, the subsystem responsible for the error can be reset and diagnostics performed. This mitigates the chance of the error resulting in a system failure. Note that the dual implementations of the System Controller use a design diversity technique: one controller is implemented with an MCU and the other is implemented with an FPGA. This provides additional reliability since each implementation's error characteristics will be significantly different, and thus the chance of a common systematic error (for example, their response to noise, temperature, voltage or timing differences, or even implementation 'bugs') will be significantly reduced.
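The DMR scheme just described, as an added example that is not from the article or from Microsemi: two diversely written copies of one controller function, a compare stage that forces a safe output on any miscompare, and a known-answer self-test used by the diagnostics step to name the channel to reset. The controller function (a clamped proportional heater command), the constants and the fault-injection hook are assumptions for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the DMR pair in Figure 2: two diverse implementations
 * of one controller function (clamped proportional heater command, duty =
 * KP * (setpoint - temperature) held to 0..100), compare logic, and a
 * diagnostics step naming the channel to reset. All names are assumptions. */
#define KP        4
#define DUTY_SAFE 0    /* driven while the channels disagree */
#define RESET_A   1u   /* bits set in *reset_mask by dmr_step() */
#define RESET_B   2u
/* Example-only fault injection: XORed into channel B's result (0 = no fault). */
static uint8_t fault_mask_b = 0;

/* Channel A, written the way MCU firmware usually is: signed arithmetic. */
static uint8_t ctrl_a_mcu(int16_t setpoint, int16_t temp) {
    int32_t cmd = (int32_t)KP * ((int32_t)setpoint - temp);
    return (uint8_t)(cmd < 0 ? 0 : cmd > 100 ? 100 : cmd);
}

/* Channel B, a diverse formulation: unsigned saturating datapath, gain as a shift. */
static uint8_t ctrl_b_fpga(int16_t setpoint, int16_t temp) {
    uint16_t err = (temp >= setpoint) ? 0u : (uint16_t)(setpoint - temp);
    uint32_t cmd = (uint32_t)err << 2;                  /* KP == 4 */
    return (uint8_t)(cmd > 100u ? 100u : cmd) ^ fault_mask_b;
}

/* Built-in self-test run by diagnostics after a miscompare: replay a channel
 * against known-answer vectors and report whether it still agrees. */
static bool channel_bist(uint8_t (*fn)(int16_t, int16_t)) {
    static const struct { int16_t sp, t; uint8_t want; } kat[] = {
        {50, 50, 0}, {50, 40, 40}, {50, 10, 100}, {20, 60, 0} };
    for (size_t i = 0; i < sizeof kat / sizeof kat[0]; i++)
        if (fn(kat[i].sp, kat[i].t) != kat[i].want) return false;
    return true;
}

/* Compare logic: the actuator is driven only when both channels agree. On a
 * miscompare the output is forced to DUTY_SAFE and *reset_mask names the
 * channel(s) that fail BIST (0 if both pass, i.e. a transient disagreement). */
static uint8_t dmr_step(int16_t setpoint, int16_t temp, unsigned *reset_mask) {
    uint8_t a = ctrl_a_mcu(setpoint, temp), b = ctrl_b_fpga(setpoint, temp);
    *reset_mask = 0;
    if (a == b) return a;
    if (!channel_bist(ctrl_a_mcu))  *reset_mask |= RESET_A;
    if (!channel_bist(ctrl_b_fpga)) *reset_mask |= RESET_B;
    return DUTY_SAFE;
}
```

Setting `fault_mask_b` to a non-zero value before a step shows the compare stage catching the upset, holding the output at the safe value and flagging only channel B for reset.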
Using Microsemi SmartFusion2 SoC FPGAs
Figure 2. Example design with DMR and design diversity
When implementing the example design from Figure 2, it would be possible to use separate components for the FPGA implementation of the controller, the MCU implementation and the Compare Logic blocks. However, these extra components create new possibilities for errors and system failures. An approach that integrates all of these functions into a single device has advantages for the system designer, namely better MTBF due to the reduction in component count, better cost, and now the ability to drive functional safety into smaller systems. The Microsemi SmartFusion2 architecture, shown in Figure 3, has a hardened ARM Cortex™-M3 based Microcontroller Subsystem (MSS) and sufficient FPGA logic to integrate the entire Dual Equipment Controller in a single device, keeping the component count the same as our initial, non-redundant implementation. A SmartFusion2 device would be used for the Dual System Controller as well, where a single device could integrate the entire function. Additionally, SmartFusion2 has multiple SerDes channels (up to 16), so the Ethernet Switch could even be implemented in a single SmartFusion2 device using less signaling between the MAC and the physical layer than standard MAC/PHY interfaces. This would allow additional redundancy, error checking and advanced error recovery mechanisms to be included in the switch to create a more reliable design than those available in an ASSP.
Figure 3. SmartFusion2 architectural block diagram and key features
A SmartFusion2 design also benefits from other reliability advantages like zero FIT-rate configuration memory (due to its Flash memory implementation), SEU protected memories, SECDED support for external memory controllers and built-in self-test. SmartFusion2 devices don't require an external configuration device, so this reduces component count and thus improves reliability. Additionally, SmartFusion2 devices have very low static power consumption, a unique ultra low power Flash Freeze mode (that can be used to preserve the state of the FPGA while stopping dynamic operation) and a very low start-up current requirement (unlike SRAM based FPGA implementations, which have a large start-up current 'spike'). These low power features can result in smaller and less complex power supply requirements, further improving system reliability.
Protecting the system during remote reprogramming updates and upgrades requires a secure communications channel for the FPGA configuration data and MCU code. SmartFusion2 devices are programmed with a Differential Power Analysis (DPA) hardened bitstream protocol. Because of this, the built-in security features of the SmartFusion2 device can be used to ensure remotely sourced configuration bitstreams are protected from unauthorized observation and hacking.
Security is a new aspect of functional safety. From a security perspective, functional safety can broadly be defined as being secure in the knowledge that what you designed and built performs the intended functions to an acceptable FIT rate. This article has focused mainly on design; however, there is an equally important aspect to functional safety, and that is supply chain and manufacturing assurance. Supply chain assurance is a guarantee that the components you are buying are genuine. Manufacturing assurance is a guarantee that the system built is genuine. SmartFusion2 devices have unique features that can aid the systems designer in achieving these goals. Each device is shipped with an embedded X.509 digitally signed device certificate that contains the complete part number, date code and device version. The device certificate can be read during manufacturing and compared to the purchase order, verifying that a genuine Microsemi SoC FPGA has been placed on the PCB. During manufacturing programming of the device, a Certificate of Conformance can be generated that cryptographically verifies that the device was programmed with the intended bitstream. These two items can aid the systems designer in proving the authenticity of the system being built.
In the example system there may be additional security requirements to protect your design IP. For example, it may be important to protect the manufacturing flow and to include anti-tampering features. The single-chip nature of the SmartFusion2 implementation protects against attempts to reverse engineer the design. An AES key protects the programming bitstream and also controls the number of units that can be programmed. This protects the design against cloning and overbuilding by our manufacturing subcontractors. A zeroization feature, where the programmed design information can be quickly erased, can help create a very robust anti-tampering mechanism.
About the author
Tim Morin is Director Product Line Marketing, New Products, at Microsemi Corporation, SoC Products Group. Please visit www.microsemi.com for more details on SmartFusion2 SoC FPGAs.
If you found this article to be of interest, visit Programmable Logic Designline where – in addition to my Max's Cool Beans blogs – you will find the latest and greatest design, technology, product, and news articles with regard to programmable logic devices of every flavor and size (FPGAs, CPLDs, CSSPs, PSoCs...).