Global Sources
EE Times-India
 
EE Times-India > EDA/IP
 
 
EDA/IP  

FPGAs for reliable automotive system design

Posted: 11 Feb 2009     Print Version  Bookmark and Share

Keywords:automotive electronics  FPGAs  SRAM 

The increased use of complex automotive electronics systems requires that they be designed for "ultra-reliability," because the failure of an automotive system could place the vehicle's passengers in a life-threatening situation. System designers are considering the use of Field Programmable Gate Arrays (FPGAs) more frequently in these systems, due to the FPGA's ability to integrate and perform complex functions.

However, there are two primary concerns regarding the use of FPGAs in automotive systems: The need to protect the valid FPGA configuration used for initialisation, and prevention of SRAM corruption during device operation. Unless these concerns are fully addressed, FPGAs cannot be part of an ultra-reliable automotive system design.

Fortunately, current AEC-Q100 qualified FPGAs incorporate several advanced features that resolve these concerns. This article will highlight several solutions that address both the initialisation configuration and potential SRAM corruption issues.

FPGA configuration protection
Upon system power up, SRAM-based FPGAs download their configuration from an external source. The boot source can be memory devices such as serial EEPROM or flash. Boot sources can also be intelligent devices, such as a microcontroller, that can provide the correctly formatted and timed data bitstream.

All FPGAs have some type of cyclic redundancy check (CRC) for the initialisation bitstream, which is tested at the end of start-up to verify the integrity of the transfer. If an error is detected in the bitstream, the FPGA will not initialise. This routine prevents incorrect (and possibly dangerous) operation of the system. Most FPGAs will set an external pin that notifies the system controller that the initialisation has failed, prompting another initialisation sequence that, hopefully, will be successful.

There are several scenarios in which the initialisation bitstream can be corrupted. These include:

- Hard failure of the boot memory
- Memory retention issues
- Deliberate tampering
- Memory erasure
- Electrical noise

When designing ultra-reliable automotive systems using FPGAs, there are four fundamental steps that must be followed to properly address these scenarios.

Step one is to use a non-volatile SRAM FPGA that includes on-chip flash memory. This changes the boot device from an external component to a memory array that is internal to the FPGA. Moving the boot source onto the same die eliminates many of the common initialisation failure modes. This type of integrated design also increases the initialisation speed and allows the FPGA to be used in "instant-on" systems.

image name

Figure 1: An example of an FPGA dual-boot system.

Second step is to add an external boot device that can be the automatic fallback device (see figure above). A key feature of FPGAs is field reprogrammability. In automotive systems this feature allows new programs to be downloaded (for example, at the automotive dealership) as an authorised field update to add additional features or to fix design errors.

However, it is possible that the data stream will be corrupted during both the transfer and the programming of the memory, and that the corrupted data stream will prevent correct FPGA initialisation. To deal with update corruption, the design typically includes a "golden" factory copy of the initialisation code in the external memory device. This duplicate allows the system to recover from any problems with the image stored in the internal memory array. By adding the secondary boot device, there is an assured factory backup, or at least a "limp-home" mode operating image.

image name

Figure 2: Decryption of external boot or flash programming bit streams.

Third step is to secure the backup bitstream that is contained in the external memory device by using bitstream encryption to secure the boot image (see figure above). Many of the automotive FPGA families support 128bit AES bitstream encryption to prevent reverse engineering and unauthorised changes to the design. An encrypted image is stored in the external boot device and during initialisation the image is unencrypted and moved into the SRAM cells. This same encryption mechanism can also be used to download a new image into the internal flash memory.

The fourth and final step is to "lock down" the FPGA to prevent unauthorised access to the stored configuration. Programmable registers internal to non-volatile FPGAs control access to the internal configuration memory. The possible combinations are:

- Unlocked
- Key locked—Presenting the 128bit key through the programming interface allows the device to be unlocked
- Permanently locked—The device is permanently locked.

To further complement the security of the device, a One Time Programmable (OTP) mode is available. Once the device is set in this mode it is not possible to erase or reprogram the flash portion of the device.

1 • 2 Next Page Last Page



Comment on "FPGAs for reliable automotive system..."
Comments:  
*  You can enter [0] more charecters.
*Verify code:
 
 
Webinars

Seminars

Visit Asia Webinars to learn about the latest in technology and get practical design tips.

 

Go to top             Connect on Facebook      Follow us on Twitter      Follow us on Orkut

 
Back to Top