FPGAs are increasingly being used for safety-critical applications, and designers have to achieve product design goals while also meeting required safety standards. The RTCA/DO-254 airborne electronics design assurance standard defines a process that must be followed for FPGA and ASIC designs for in-flight systems.
|
|
(Click graphic to zoom by 1.8x)
|
Since the safety stakes are high for DO-254 compliance, an assured design process with the ability to reproduce every step and consistently yield the same result is important (see sidebar), but the default operation for commercial synthesis tools does not meet the stringent requirements of DO-254. This is causing many companies to re-evaluate their design methodologies and tools – and ask which tools best support the needs of DO-254. Sanjay and Michelle address the challenges of DO-254 and the synthesis process, including considerations for design optimization vs. assurance, Single Event Upset (SEU) protection, redundancy control, and late design changes, and examine default tool operation versus what is required for DO-254 compliance.
Challenge: DO-254 compliance
Synthesis is at the heart of all modern design flows and increases designer productivity by automatically converting high-level design description to gate-level designs. One important consideration is design optimization. Another consideration is that default synthesis operation does not offer the SEU protection, redundancy control, or late design change capabilities required in FPGA synthesis tools for DO-254 compliance.
Design optimization vs. assurance
Default synthesis tool operation performs various optimizations like resource sharing, boundary optimization, and retiming to reduce area and improve timing. These transformations make the DO-254 design assurance process cumbersome as the original HDL and optimized synthesis netlist become difficult to compare.
Since optimizations performed during synthesis transform the design, it is important to ensure that design safety is not compromised in pursuit of better performance. FPGA synthesis tool users must focus on design assurance even if it could mean possibly sacrificing some design performance. Users must understand the tool’s operation and select the appropriate options to disable all synthesis optimizations that would make the synthesis results difficult to verify. An example of such an optimization is RAM inferencing, which makes comparing HDL and synthesized netlist difficult.
Finite State Machine (FSM) synthesis for SEU protection
Default synthesis operation prunes unreachable states to generate only the valid states and transitions. However, for optimized state machines, an SEU due to radiation effects can pose a safety risk. Since DO-254 applies to avionics, if radiation changes one of the state bits and the system enters an invalid or undefined state, then it cannot automatically recover from this error condition.
In a safety-critical system, the state machine should recover to a valid state at the next clock cycle after a single event upset. Therefore, state machine behavior for all 2n possible state values (n = state vector length) should be specified. The DO-254 appropriate FPGA synthesis tool should provide the capability to create state machines that are so safe as to preserve even unreachable states (Figure 1). Another important synthesis tool capability is to actually create fault-tolerant state machines, which prevent single-bit errors from having any effect on the design. Applications where fault avoidance is needed and overhead of parity bits can be tolerated should utilize a synthesis tool that supports this additional safety mechanism. In general, designers should ensure they understand the operation and options of their FPGA synthesis tool to support state machine capabilities in their designs.
Figure 1: The DO-254 appropriate FPGA synthesis tool should provide the capability to create state machines that are so safe as to preserve even unreachable states.
Redundancy control for single-point failure avoidance
Redundant circuitry directly conflicts with the goal of reducing design size and meeting timing performance in avionics and other designs. Hence, by default, FPGA synthesis tools focus on finding and optimizing away redundancy in the design. They do not automatically consider whether redundancy was intentionally designed in for safety. Unfortunately, this default behavior runs directly contrary to the needs of DO-254 compliance.
To ensure safer operation, designers need to use the DO-254 appropriate synthesis tool to support insertion and preservation of redundancy. One such technique to insert redundancy is called Triple Modular Redundancy (TMR). TMR replaces one signal, register, or module with three (Figure 2). The outputs of all three circuits are compared against one another, and the majority vote is assumed correct. This takes up significantly more area but provides fail-safe operation in real time. DO-254 appropriate FPGA synthesis tools support this technique.
Figure 2: With Triple Module Redundancy (TMR), the outputs of all three circuits are compared against one another, and the majority vote is assumed correct.
Managing late design changes
For late design changes in a project striving for DO-254 compliance, it may be desirable to update only local parts of the design where the fix is needed. To address this, a design team may adopt an incremental design flow where the main design blocks are partitioned up front by the designers. But a second, more user-friendly variant is automatic incremental synthesis. In this case, design blocks are not partitioned up front, but instead the FPGA synthesis tool can limit the impact of a design change to only locally affected logic.
DO-254 FPGA synthesis tools: Forging ahead
DO-254 compliance is a challenge that many aerospace hardware vendors now face. The ability to establish certifiable and productive design flows is critical to meet that challenge. Since synthesis is at the heart of design flows, an FPGA synthesis tool that goes beyond the usual design optimization goals and specifically focuses on safety-related aspects is important to the success of a DO-254 compliant project. Some key capabilities of FPGA synthesis tools that designers should utilize include state machine synthesis for SEU protection, redundancy control, and support for late-stage design changes. CS
Mentor Graphics
408-451-5640
www.mentor.com