SlideShare a Scribd company logo

Safety Critical Applications of FPGAs

R
Rufino Olay III

This document discusses safety critical applications and functional safety standards. It provides an overview of IEC 61508 functional safety requirements and safety integrity levels. Examples are given of Microsemi FPGA deployments in flight control systems and laser safety curtains. Design techniques for safety such as redundancy, diversity, and secure manufacturing processes are covered. Certifications for quality management and device reliability are also summarized.

1 of 29
Download to read offline
Power Matters. © 2012 Microsemi Corporation. Power Matters. Safety Critical Applications Rufino Olay Microsemi Industrial Business Manager June 26, 2012
Power Matters. 2© 2012 Microsemi Corporation.  Introduction to functional safety  Different safety standards  Design techniques  Deployment examples  Further resources Agenda
Power Matters. 3© 2012 Microsemi Corporation. History of Microsemi FPGAs in safety critical applications Tactical MissilesCommercial Avionics Military Avionics Military Ground VehiclesMedical Equipment Space Systems
Power Matters. 4© 2012 Microsemi Corporation. Increasing safety critical design focus  Safety-Critical Systems • Avionics • Medical • Industrial automation • Power plants • Railmotive • Gas/Oil industry • More...  S-C System Characteristics: • Reliability • Availability • Secure operation • System integrity • Data integrity • System recovery • Maintainability Market Drivers: Industrial manufacturers upgrading products to include more electronics for higher dependability involving reliability, safety, availability, and security  Device selection considerations • Prior deployment in safety critical application • Length of time device has been in the market • Number of devices shipped over current product lifetime • Accessibility to reliability data
Power Matters. 5© 2012 Microsemi Corporation. Industrial Application Examples Configurable Safety Modules Safety Laser Scanners Safety Light CurtainsSafety Drives & Motors, Motor Control Safety PLCs Other Examples from IEC website:  Emergency shut-down systems  Fire and gas systems  Turbine control  Gas burner management  Crane automatic safe-load indicators  Guard interlocking and emergency stopping systems for machinery  Medical devices  Dynamic positioning • Control of a ship's movement when in proximity to an offshore installation  Railway signaling systems (including moving block train signaling)  Variable speed motor drives used to restrict speed as a means of protection  Remote monitoring, operation or programming of a network- enabled process plant *Images copyright of owners
Power Matters. 6© 2012 Microsemi Corporation. Numerous Functional Safety Standards Functional Safety Standards for Different Markets  IEC 61508: Functional safety in industrial equipment  DO-178B/DO-254: Functional safety in avionics  IEC 6060: Functional safety in medical equipment  EN 50128/9: Railway application - software for railway control & protection  ISO 26262: Functional safety in road vehicles
Power Matters. 7© 2012 Microsemi Corporation.  All systems will have a possibility of failure in time • It is impossible for a system with absolute zero failure rate  Each application has a failure rate level • Goal is to significantly increase the time between any failures • Example in a US Nuclear power plant goal is failure in 110,000 years* – Many exceed this to 1 failure in 1M years with target of 1 failure in 10M years  Tolerable failure rates/levels vary per application • Depends on potential for direct or indirect physical injury  Safety Integrity Levels (SILs) are categories to quantify levels of risks Functional Safety Overview *Source: http://www.world-nuclear.org/info/inf06.html
Power Matters. 8© 2012 Microsemi Corporation.  Developed by International Electrotechnical Commission (IEC) • Certification through TUV  Functional safety in industrial equipment • Originally applied at system level but has been also applied to product & components • Addresses Electrical, Electronic, Programmable Electronics including hardware and software IEC 61508: Industrial functional safety standard Safety Integrity Level (SIL) - IEC 61508 SIL Level Availability Probability of Failure Consequence Application Example 4 >99.99% 1 failure in 110,000 yrs Potential for fatalities in the community Nuclear Power Plant Control 3 99.9% 1 failure in 11,100 yrs Potential for multiple on-site fatalities Hazardous area laser curtain sensors 2 99% 1 failure in 1,100 yrs Potential for major on-site injuries or fatalities Hazardous liquid flow meter 1 90% 1 failure in 110 yrs Potential for minor on-site injuries Thermal Meter
Power Matters. 9© 2012 Microsemi Corporation. Safety standards for different markets Source: TUV
Power Matters. 10© 2012 Microsemi Corporation. Our Devices Deployed at the Highest Reliability Levels  Immunity to Firmware Errors • Ensures Data & System Integrity & Control • Fully functional to 100KRads  Fault Tolerance through Redundancy • Hardware redundancy through parallel, dissimilar processes • Cortex-M3 & FPGA running in lockstep Safety Integrity Level (SIL) - IEC 61508 SIL Level Availability Probability of Failure Consequence Application Example 4 >99.99% 1 failure in 110,000 yrs Potential for fatalities in the community Nuclear Power Plant Control 3 99.9% 1 failure in 11,100 yrs Potential for multiple on-site fatalities Hazardous area laser curtain sensors 2 99% 1 failure in 1,100 yrs Potential for major on-site injuries or fatalities Hazardous liquid flow meter 1 90% 1 failure in 110 yrs Potential for minor on-site injuries Thermal Meter Microsemi FPGA Inherent Strengths  Extreme Temperature Operation • Fully operational in harshest conditions • Up to 200oC
Power Matters. 11© 2012 Microsemi Corporation.  Single Event Upset issue was first discovered in 1979 by Intel and Bell Labs as failures in DRAM’s  In 1999 Sun Microsystems noticed errors in cache SRAM’s for mission critical servers  2000’s saw an increasing concern over SEU in logic devices like FPGAs  Historically neutron interactions have been associated with electronics used in Aircrafts due to the high neutron flux at these altitudes  As more electronics is incorporated in everyday applications, likelihood of interference has increased Neutron Induced Single Event Upset Background
Power Matters. 12© 2012 Microsemi Corporation.  As nodes shrink, the amount of charge on each node is smaller, but charge in Cosmic rays remain same thus causes a bigger “disturb”  As nodes shrink, circuits require less charge per switch to operate  In FLASH FPGAs when neutron or alpha particles strike Configuration Cells in: • Routing Matrix  No change • Logic Block  No change Flash FPGAs immune to Single Event Upset
Power Matters. 13© 2012 Microsemi Corporation.  In SRAM FPGAs when neutron or alpha particles strike the CM’s in • Logic Block  results in a misconnected signal which in turn results in functional failure • Routing Matrix  results in a misrouted or missing signal  In both cases it’s a CM upset leading to severe consequences! • These errors persist until detected • Need rebooting OR power cycling of the FPGA SRAM FPGAs are effected by stray particles
Power Matters. 14© 2012 Microsemi Corporation. No SEU Configuration Failures in Microsemi FPGAs FPGA Technology Equivalent Functional Failure – FIT Rates per Device Ground-Level Applications Commercial Aviation Military Aviation Sea Level 5,000 Ft 30,000 Ft 60,000 Ft Microsemi Antifuse FPGA 1M-Gate 150nm Antifuse No Failures Detected No Failures Detected No Failures Detected No Failures Detected Microsemi Flash FPGA 1.5M-Gate 130nm Flash No Failures Detected No Failures Detected No Failures Detected No Failures Detected Microsemi Upcoming Next Gen Flash FPGA 65nm Flash No Failures Detected No Failures Detected No Failures Detected No Failures Detected SRAM FPGA Vendor 1 1M-Gate 90nm SRAM 320 FITs 1,100 FITs 47,000 FITs 150,000 FITs SRAM FPGA Vendor 2 1M-Gate 90nm SRAM 730 FITs 2,500 FITs 108,000 FITs 346,000 FITs Neutron Testing Results: iRoC Technologies: www.irochtech.com Regular testing at Los Alamos National Labs neutron test facility
Power Matters. 15© 2012 Microsemi Corporation.  IEC61508 Annex E04 • 7.4.5.4 Especially for application of FPGAs and PLDs in E/E/PE safety related systems the following systemic faults shall be controlled Fewer Requirements for Flash Based FPGAs Due to Non Volatility & SEU Immunity Requirement Applicability to Microsemi Loss of information in Configuration RAM (RAM Based FPGAs) na: SEU immune Malfunction of erase feature (EEProm based FPGAs/PLDs) na: Flash is non-volatile Power supply drops, EMC (RAM based) na: Flash is non-volatile Incorrect initialization during power-on (RAM based) na: Live at power-up Faults in individual programming / configuration bits (all technologies) Yes Modification of coarse functionality (macro cells, FPGA & CPLD) Yes Coupling between “independent” channel (temperature, supply voltage, EMC, cross-talk) if implemented on a single chip (all technologies) Yes Single point of failure (e.g. compare logic, efficient self testing even if system uses long time static data during normal operation) Yes Malfunction in design and implementation tools Yes
Power Matters. 16© 2012 Microsemi Corporation. Meeting Security Requirements From IEC 61508, Part 1, P. 8  …this standard demands that any malicious and unauthorized actions are to be examined during the hazard and risk analysis. The application scope of this analysis includes all relevant phases of the security life cycle;  Protection against • Reverse engineering • Tampering • Overbuilding • Cloning
Power Matters. 17© 2012 Microsemi Corporation. Microsemi Security Features  Secured IP • FlashLock® controls access to security settings of the device • No bitstream communicated from external configuration device • Flash cells more secure against micro-probing than other FPGA technologies  Secured manufacturing flow • AES-encrypted programming file sent to manufacturer • Devices pre-programmed with matching AES key sold direct to manufacturer • Protects against overbuilding and cloning EEPROM Configuration Stream
Power Matters. 18© 2012 Microsemi Corporation.  Redundancy is mandatory for safety critical systems • Provides fault-tolerant systems • Operate properly in the event of a failure  Dual Modular Redundancy • Duplicated designs work in parallel – The same inputs are provided to each processing element – Fail safe certification engine checks for consistency  Triple Modular Redundancy • Three control systems • Error in one component can be out-voted by the other two Redundancy Techniques
Power Matters. 19© 2012 Microsemi Corporation. Diversity Concept  What is it – “Diversity”? • Fundamental differences or dissimilarity between two devices – usually to implement the same functions • In case of FPGAs: Silicon (technology & architecture), Software, Hardware development tools  Without Diversity: • In a system is designed with TMR or DMR redundancy, • if ALL FPGA’s behave similar, then if 1 type of failure causes 1 FPGA to fail, • then ALL the redundant (backups in case of failures) could possibly also FAIL, and the system would shut down. • Redundancy in this case did not keep the system running.  With Diversity: • If a system is designed with redundancy, and all FPGA’s are DIVERSE, then 1 type of failure mode is DIFFERENT between 2 DIFFERENT devices • If 1 type of failure causes 1 FPGA to fail, the redundant FPGA behaves DIFFERENTLY. • The system would still RUN.
Power Matters. 20© 2012 Microsemi Corporation. Diversity through two different Microsemi FPGA technologies  Microsemi manufactures Antifuse & Flash FPGAs  Antifuse technology and flash technology are completely different in terms of the manufacturing process, how the devices store the design, and how the devices are programmed with the design.  Antifuse devices are 1-time-programmable (OTP) and the device design is stored by permanently creating a conductive path.  Flash devices are re-programmable and the device design is stored by storing a charge on a floating gate of a flash transistor.
Power Matters. 21© 2012 Microsemi Corporation. Evolution of Programmable Logic Increasing Levels of Integration 1st Generation Low Power FPGA 2nd Generation First Mixed Signal FPGA 3rd Generation Customizable System-On-Chip (cSoC) Flash FPGA Fabric  Hardware Acceleration  Customized Pulse Width Modulation  I/O Expansion Programmable Analog  Voltage & Current Monitoring  Temperature Monitoring Flash FPGA Fabric  Hardware Acceleration  Customized Pulse Width Modulation  I/O Expansion Embedded ARM® Cortex-M3  Complex Algorithms  System Management Programmable Analog  Voltage & Current Monitoring  Temperature Monitoring Flash FPGA Fabric  Hardware Acceleration  Customized Pulse Width Modulation  I/O Expansion
Power Matters. 22© 2012 Microsemi Corporation. SmartFusion Ideal platform to partition software & hardware architecture requirements Software Platform - System layer - Application Layer Hardware Platform - Co-Processing - Customized Drivers
Power Matters. 23© 2012 Microsemi Corporation. Safety Implementation Comparison Microcontrollers  Two core implementation • Redundant Similar Processes  Same code / Algorithm • Potential duplication of code error  Multiple different code / algorithms • Requires higher speed processors • Increases Power Consumption cSoC (FPGA & MCU)  MCU & FPGA implementation • Redundant Dissimilar Processes  Same algorithm designed twice • H/W & S/W implemented on same die  Multiple different code / algorithms • Build parallel processing elements • Lowers power consumption Safety Controller #1 Safety Controller #2 Oriented 90̊ from core #1 SmartFusion Safety Controller #1 Safety Controller #2 Fail Safe Detection Circuitry Fail Safe Detection Circuitry
Power Matters. 24© 2012 Microsemi Corporation. Fusion CoreSPI Power Sensor Power & Reset CoreSPI Aircraft Interface Control Logic Flap Control Stabilizer Control Brake Control Pressure Sensor Safety Critical System Requirement  Firm Error Immunity  Non-Volatile & Live at Power-up Solution  Flight Control Actuator  Aircraft flaps & spoiler control  Trim for speed brakes and horizontal stabilizer  Yaw & roll trim Deployed Example in Fusion Programmable Analog FPGA Logic Safety Critical Application Example #1 Flight Control Actuator Example
Power Matters. 25© 2012 Microsemi Corporation. Safety Critical System Requirement  Firm Error Immunity  Non-Volatile & Live at Power-up  Dissimilar processing elements Solution  Two processing elements • MCU: IR Interface & laser beam surveillance • FPGA: Signal processing and pulse detection Deployed Example in SmartFusion  Laser Safety Curtain: SIL3  Second Highest Safety Integrity Level Safety Critical Application Example #2 SmartFusion ARM Cortex-M3 FPGA Logic IR interface controller, Laser beam surveillance Time to digital conversion, Pulse detection Sensor Laser Safety Curtain Example Sensor Input Programmable Analog Control data Measurement Data Sensor IR configuration interface Rotating Laser beam interface
Power Matters. 26© 2012 Microsemi Corporation. Quality Management Systems & Certification  Quality management system • ISO-9001 (2002) • TS 16949 • SAE / AS9100 • QML  Qualification and certification • MIL-STD-883 Class B • PURE: – European packaging Standard – Commercial components in rugged environments • QML Class Q – Cert for components in high reliability / military • AEC-Q100 – Automotive certification for ProASIC3 devices
Power Matters. 27© 2012 Microsemi Corporation.  Web pages • Safety Critical Solutions: http://www.actel.com/products/solutions/safetycritical/default.aspx • Quality & Reliability Data: http://www.actel.com/techdocs/qualrel/default.aspx • Single Event Effects: http://www.actel.com/products/solutions/ser/default.aspx • Operating in Extreme Environments: http://www.actel.com/products/solutions/extremeenv/default.aspx • Design Security: http://www.actel.com/products/solutions/security/default.aspx  Numerous documentation White Paper • Basics on single event effects • Understanding SEE impact in avionics, networking applications (ground level apps) • Increasing Fault Tolerance by Using Diverse Design Programmable Logic Technologies Frequently Asked Questions – Neutron FAQ Resources: For more information
Power Matters. 28© 2012 Microsemi Corporation.  Military & Aerospace • Radiation Article  Medical • FDA articles on radiation emitting products  EE Times • Automotive – Cosmic Rays Damage Electronics – Alpha particles, DRAMs, SEU, Toyota Acceleration • General – Neutron Storm Swirls Around FPGA Reliability – Soft Errors become hard truth for logic – Space Particles hit logic chips – Reliability and Redundancy  Others • Electronic Products : Battling Single Event Upsets in Programmable logic • Tech Focus Media : Gearing up for rain, new soft error tolerant circuits • EDN : Cosmic Radiation comes to ASIC and SOC Designs 3rd Party Articles, Publications
Power Matters. 29© 2012 Microsemi Corporation.  Flash Based FPGAs are an excellent high reliability platform  History of deployments in Safety Critical Applications • Industrial & Medical • Avionics • Military • Space  Dedication to Quality Systems • Quality management systems & certification  Next Steps • Microsemi exploring IEC 61508 certification for FPGAs & dev S/W – Leveraging knowledge and techniques from other certifications for Industrial • Developing safety documentation package Summary

Recommended

Evolution of protective systems in petro chem
Evolution of protective systems in petro chemEvolution of protective systems in petro chem
Evolution of protective systems in petro chemGlen Alleman
 
Maintenance and Test Equipment Cyber Security
Maintenance and Test Equipment Cyber Security Maintenance and Test Equipment Cyber Security
Maintenance and Test Equipment Cyber Security Michael Toecker
 
Asset Utilization Metrics Propel a Revival in Safety Solutions
Asset Utilization Metrics Propel a Revival in Safety SolutionsAsset Utilization Metrics Propel a Revival in Safety Solutions
Asset Utilization Metrics Propel a Revival in Safety SolutionsARC Advisory Group
 
Understanding type 2 coordinated protection in motor branch circuit
Understanding type 2 coordinated protection in motor branch circuitUnderstanding type 2 coordinated protection in motor branch circuit
Understanding type 2 coordinated protection in motor branch circuitBassam Gomaa
 
Deep Learning for industrial Prognostics & Health Management (PHM)
Deep Learning for industrial Prognostics & Health Management (PHM) Deep Learning for industrial Prognostics & Health Management (PHM)
Deep Learning for industrial Prognostics & Health Management (PHM) Michael Giering
 
Complying with New Functional Safety Standards
Complying with New Functional Safety StandardsComplying with New Functional Safety Standards
Complying with New Functional Safety StandardsDesign World
 
55419663 burner-management-system
55419663 burner-management-system55419663 burner-management-system
55419663 burner-management-systemMowaten Masry
 
Pflex um003 -en-p
Pflex um003 -en-pPflex um003 -en-p
Pflex um003 -en-pVo Quoc Hieu
 

Recommended

Evolution of protective systems in petro chem
Evolution of protective systems in petro chemEvolution of protective systems in petro chem
Evolution of protective systems in petro chemGlen Alleman
 
Maintenance and Test Equipment Cyber Security
Maintenance and Test Equipment Cyber Security Maintenance and Test Equipment Cyber Security
Maintenance and Test Equipment Cyber Security Michael Toecker
 
Asset Utilization Metrics Propel a Revival in Safety Solutions
Asset Utilization Metrics Propel a Revival in Safety SolutionsAsset Utilization Metrics Propel a Revival in Safety Solutions
Asset Utilization Metrics Propel a Revival in Safety SolutionsARC Advisory Group
 
Understanding type 2 coordinated protection in motor branch circuit
Understanding type 2 coordinated protection in motor branch circuitUnderstanding type 2 coordinated protection in motor branch circuit
Understanding type 2 coordinated protection in motor branch circuitBassam Gomaa
 
Deep Learning for industrial Prognostics & Health Management (PHM)
Deep Learning for industrial Prognostics & Health Management (PHM) Deep Learning for industrial Prognostics & Health Management (PHM)
Deep Learning for industrial Prognostics & Health Management (PHM) Michael Giering
 
Complying with New Functional Safety Standards
Complying with New Functional Safety StandardsComplying with New Functional Safety Standards
Complying with New Functional Safety StandardsDesign World
 
55419663 burner-management-system
55419663 burner-management-system55419663 burner-management-system
55419663 burner-management-systemMowaten Masry
 
Pflex um003 -en-p
Pflex um003 -en-pPflex um003 -en-p
Pflex um003 -en-pVo Quoc Hieu
 
Brochure triconex emergency_shutdownsystemssolutions_03-10
Brochure triconex emergency_shutdownsystemssolutions_03-10Brochure triconex emergency_shutdownsystemssolutions_03-10
Brochure triconex emergency_shutdownsystemssolutions_03-10Risman BizNet
 
Tdoct0713a eng
Tdoct0713a engTdoct0713a eng
Tdoct0713a engVo Quoc Hieu
 
Sil presentation
Sil presentationSil presentation
Sil presentationValeriano Barrilà
 
Module 5 13 software management control
Module 5 13 software management controlModule 5 13 software management control
Module 5 13 software management controlJoha Rahman
 
T06 machine safetyachievingandmaintainingregulatorycompliance-canada
T06 machine safetyachievingandmaintainingregulatorycompliance-canadaT06 machine safetyachievingandmaintainingregulatorycompliance-canada
T06 machine safetyachievingandmaintainingregulatorycompliance-canadaVo Quoc Hieu
 
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...Marina Krotofil
 
T89 introductiontofunctionalsafetyformachinery
T89 introductiontofunctionalsafetyformachineryT89 introductiontofunctionalsafetyformachinery
T89 introductiontofunctionalsafetyformachineryVo Quoc Hieu
 
Yokogawa in the Petrochemical Industry | VigilantPlant
Yokogawa in the Petrochemical Industry | VigilantPlantYokogawa in the Petrochemical Industry | VigilantPlant
Yokogawa in the Petrochemical Industry | VigilantPlantYokogawa
 
Managing securityforautomotivesoc
Managing securityforautomotivesocManaging securityforautomotivesoc
Managing securityforautomotivesocPankaj Singh
 
Safety Verification and Software aspects of Automotive SoC
Safety Verification and Software aspects of Automotive SoCSafety Verification and Software aspects of Automotive SoC
Safety Verification and Software aspects of Automotive SoCPankaj Singh
 
Delta v sis safety manual, may 2011
Delta v sis safety manual, may 2011Delta v sis safety manual, may 2011
Delta v sis safety manual, may 2011Robby Kurniawan Novianto
 
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...Jaap van Ekris
 
DSDConference07
DSDConference07DSDConference07
DSDConference07Adam Taylor CEng FIET
 
CB&I _ EATON NGSF SUCCESS STORY
CB&I _ EATON NGSF SUCCESS STORYCB&I _ EATON NGSF SUCCESS STORY
CB&I _ EATON NGSF SUCCESS STORYRay Caparas
 
Shb900 rm001 -en-p
Shb900 rm001 -en-pShb900 rm001 -en-p
Shb900 rm001 -en-pVo Quoc Hieu
 
Wsanacip tampres cluster meeting
Wsanacip tampres cluster meetingWsanacip tampres cluster meeting
Wsanacip tampres cluster meetingfcleary
 
2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systems2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systemsJaap van Ekris
 
Functional safety standards_for_machinery
Functional safety standards_for_machineryFunctional safety standards_for_machinery
Functional safety standards_for_machineryie-net ingenieursvereniging vzw
 
Deltav sis-system-overview-brochure-data
Deltav sis-system-overview-brochure-dataDeltav sis-system-overview-brochure-data
Deltav sis-system-overview-brochure-dataNhựt Bằng Nguyễn
 
CS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevCS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevMarina Krotofil
 
Electranix_Advanced_Simulation_Lab_July_2021.pdf
Electranix_Advanced_Simulation_Lab_July_2021.pdfElectranix_Advanced_Simulation_Lab_July_2021.pdf
Electranix_Advanced_Simulation_Lab_July_2021.pdfsmrasteg12
 
Data and Power Isolation (Design Conference 2013)
Data and Power Isolation (Design Conference 2013)Data and Power Isolation (Design Conference 2013)
Data and Power Isolation (Design Conference 2013)Analog Devices, Inc.
 

More Related Content

What's hot

Brochure triconex emergency_shutdownsystemssolutions_03-10
Brochure triconex emergency_shutdownsystemssolutions_03-10Brochure triconex emergency_shutdownsystemssolutions_03-10
Brochure triconex emergency_shutdownsystemssolutions_03-10Risman BizNet
 
Module 5 13 software management control
Module 5 13 software management controlModule 5 13 software management control
Module 5 13 software management controlJoha Rahman
 
T06 machine safetyachievingandmaintainingregulatorycompliance-canada
T06 machine safetyachievingandmaintainingregulatorycompliance-canadaT06 machine safetyachievingandmaintainingregulatorycompliance-canada
T06 machine safetyachievingandmaintainingregulatorycompliance-canadaVo Quoc Hieu
 
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...Marina Krotofil
 
T89 introductiontofunctionalsafetyformachinery
T89 introductiontofunctionalsafetyformachineryT89 introductiontofunctionalsafetyformachinery
T89 introductiontofunctionalsafetyformachineryVo Quoc Hieu
 
Yokogawa in the Petrochemical Industry | VigilantPlant
Yokogawa in the Petrochemical Industry | VigilantPlantYokogawa in the Petrochemical Industry | VigilantPlant
Yokogawa in the Petrochemical Industry | VigilantPlantYokogawa
 
Managing securityforautomotivesoc
Managing securityforautomotivesocManaging securityforautomotivesoc
Managing securityforautomotivesocPankaj Singh
 
Safety Verification and Software aspects of Automotive SoC
Safety Verification and Software aspects of Automotive SoCSafety Verification and Software aspects of Automotive SoC
Safety Verification and Software aspects of Automotive SoCPankaj Singh
 
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...Jaap van Ekris
 
CB&I _ EATON NGSF SUCCESS STORY
CB&I _ EATON NGSF SUCCESS STORYCB&I _ EATON NGSF SUCCESS STORY
CB&I _ EATON NGSF SUCCESS STORYRay Caparas
 
Shb900 rm001 -en-p
Shb900 rm001 -en-pShb900 rm001 -en-p
Shb900 rm001 -en-pVo Quoc Hieu
 
Wsanacip tampres cluster meeting
Wsanacip tampres cluster meetingWsanacip tampres cluster meeting
Wsanacip tampres cluster meetingfcleary
 
2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systems2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systemsJaap van Ekris
 
Deltav sis-system-overview-brochure-data
Deltav sis-system-overview-brochure-dataDeltav sis-system-overview-brochure-data
Deltav sis-system-overview-brochure-dataNhựt Bằng Nguyễn
 
CS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevCS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevMarina Krotofil
 

What's hot (20)

Brochure triconex emergency_shutdownsystemssolutions_03-10
Brochure triconex emergency_shutdownsystemssolutions_03-10Brochure triconex emergency_shutdownsystemssolutions_03-10
Brochure triconex emergency_shutdownsystemssolutions_03-10
 
Tdoct0713a eng
Tdoct0713a engTdoct0713a eng
Tdoct0713a eng
 
Sil presentation
Sil presentationSil presentation
Sil presentation
 
Module 5 13 software management control
Module 5 13 software management controlModule 5 13 software management control
Module 5 13 software management control
 
T06 machine safetyachievingandmaintainingregulatorycompliance-canada
T06 machine safetyachievingandmaintainingregulatorycompliance-canadaT06 machine safetyachievingandmaintainingregulatorycompliance-canada
T06 machine safetyachievingandmaintainingregulatorycompliance-canada
 
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
 
T89 introductiontofunctionalsafetyformachinery
T89 introductiontofunctionalsafetyformachineryT89 introductiontofunctionalsafetyformachinery
T89 introductiontofunctionalsafetyformachinery
 
Yokogawa in the Petrochemical Industry | VigilantPlant
Yokogawa in the Petrochemical Industry | VigilantPlantYokogawa in the Petrochemical Industry | VigilantPlant
Yokogawa in the Petrochemical Industry | VigilantPlant
 
Managing securityforautomotivesoc
Managing securityforautomotivesocManaging securityforautomotivesoc
Managing securityforautomotivesoc
 
Safety Verification and Software aspects of Automotive SoC
Safety Verification and Software aspects of Automotive SoCSafety Verification and Software aspects of Automotive SoC
Safety Verification and Software aspects of Automotive SoC
 
Delta v sis safety manual, may 2011
Delta v sis safety manual, may 2011Delta v sis safety manual, may 2011
Delta v sis safety manual, may 2011
 
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
 
DSDConference07
DSDConference07DSDConference07
DSDConference07
 
CB&I _ EATON NGSF SUCCESS STORY
CB&I _ EATON NGSF SUCCESS STORYCB&I _ EATON NGSF SUCCESS STORY
CB&I _ EATON NGSF SUCCESS STORY
 
Shb900 rm001 -en-p
Shb900 rm001 -en-pShb900 rm001 -en-p
Shb900 rm001 -en-p
 
Wsanacip tampres cluster meeting
Wsanacip tampres cluster meetingWsanacip tampres cluster meeting
Wsanacip tampres cluster meeting
 
2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systems2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systems
 
Functional safety standards_for_machinery
Functional safety standards_for_machineryFunctional safety standards_for_machinery
Functional safety standards_for_machinery
 
Deltav sis-system-overview-brochure-data
Deltav sis-system-overview-brochure-dataDeltav sis-system-overview-brochure-data
Deltav sis-system-overview-brochure-data
 
CS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevCS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsev
 

Similar to Safety Critical Applications of FPGAs

Electranix_Advanced_Simulation_Lab_July_2021.pdf
Electranix_Advanced_Simulation_Lab_July_2021.pdfElectranix_Advanced_Simulation_Lab_July_2021.pdf
Electranix_Advanced_Simulation_Lab_July_2021.pdfsmrasteg12
 
Data and Power Isolation (Design Conference 2013)
Data and Power Isolation (Design Conference 2013)Data and Power Isolation (Design Conference 2013)
Data and Power Isolation (Design Conference 2013)Analog Devices, Inc.
 
IoT workshop - Is 1kV Also Enough for IoT ESD Protection – Do Current Test Me...
IoT workshop - Is 1kV Also Enough for IoT ESD Protection – Do Current Test Me...IoT workshop - Is 1kV Also Enough for IoT ESD Protection – Do Current Test Me...
IoT workshop - Is 1kV Also Enough for IoT ESD Protection – Do Current Test Me...Sofics
 
CLASS 2018 - Palestra de Julio Oliveira (Gerente de Tecnologia, Power Grids G...
CLASS 2018 - Palestra de Julio Oliveira (Gerente de Tecnologia, Power Grids G...CLASS 2018 - Palestra de Julio Oliveira (Gerente de Tecnologia, Power Grids G...
CLASS 2018 - Palestra de Julio Oliveira (Gerente de Tecnologia, Power Grids G...TI Safe
 
siemens relays catalog - geetech group.pdf
siemens relays catalog - geetech group.pdfsiemens relays catalog - geetech group.pdf
siemens relays catalog - geetech group.pdfGeeTech Group
 
Bus system AS-interface Catalogue 2008/2009
Bus system AS-interface Catalogue 2008/2009Bus system AS-interface Catalogue 2008/2009
Bus system AS-interface Catalogue 2008/2009ifm electronic gmbh
 
t51_process-safety-solution-best-meets-your-needs.pdf
t51_process-safety-solution-best-meets-your-needs.pdft51_process-safety-solution-best-meets-your-needs.pdf
t51_process-safety-solution-best-meets-your-needs.pdfhadjijkarim
 
[iROC Webinar] Do I Need to Worry About Soft Errors?
[iROC Webinar] Do I Need to Worry About Soft Errors? [iROC Webinar] Do I Need to Worry About Soft Errors?
[iROC Webinar] Do I Need to Worry About Soft Errors? iROCTech
 
Omnik micro-inverter-m248-m500-kit
Omnik micro-inverter-m248-m500-kitOmnik micro-inverter-m248-m500-kit
Omnik micro-inverter-m248-m500-kitOmnik Solar
 
Yokogawa Safety Instrumented System -Prosafe RS
Yokogawa Safety Instrumented System -Prosafe RSYokogawa Safety Instrumented System -Prosafe RS
Yokogawa Safety Instrumented System -Prosafe RSAmit Sharma
 
Uninterruptible Power Supply (UPS)
Uninterruptible Power Supply (UPS)Uninterruptible Power Supply (UPS)
Uninterruptible Power Supply (UPS)Panduit
 
Developing functional safety systems with arm architecture solutions stroud
Developing functional safety systems with arm architecture solutions stroudDeveloping functional safety systems with arm architecture solutions stroud
Developing functional safety systems with arm architecture solutions stroudArm
 
Powering-Up the Industrial Network
Powering-Up the Industrial NetworkPowering-Up the Industrial Network
Powering-Up the Industrial NetworkPanduit
 
Qualifying a high performance memory subsysten for Functional Safety
Qualifying a high performance memory subsysten for Functional SafetyQualifying a high performance memory subsysten for Functional Safety
Qualifying a high performance memory subsysten for Functional SafetyPankaj Singh
 
Safety control systems: Some essential considerations
Safety control systems: Some essential considerationsSafety control systems: Some essential considerations
Safety control systems: Some essential considerationsOptima Control Solutions
 
DETECTING POWER GRID SYNCHRONISATION FAILURE ON SENSING BAD VOLTAGE OR FREQUE...
DETECTING POWER GRID SYNCHRONISATION FAILURE ON SENSING BAD VOLTAGE OR FREQUE...DETECTING POWER GRID SYNCHRONISATION FAILURE ON SENSING BAD VOLTAGE OR FREQUE...
DETECTING POWER GRID SYNCHRONISATION FAILURE ON SENSING BAD VOLTAGE OR FREQUE...Pradeep Avanigadda
 
Protection, Automation and Monitoring: SIPROTEC 5 v7.9/v8.0
Protection, Automation and Monitoring: SIPROTEC 5 v7.9/v8.0Protection, Automation and Monitoring: SIPROTEC 5 v7.9/v8.0
Protection, Automation and Monitoring: SIPROTEC 5 v7.9/v8.0Ryan O'Mara
 

Similar to Safety Critical Applications of FPGAs (20)

Electranix_Advanced_Simulation_Lab_July_2021.pdf
Electranix_Advanced_Simulation_Lab_July_2021.pdfElectranix_Advanced_Simulation_Lab_July_2021.pdf
Electranix_Advanced_Simulation_Lab_July_2021.pdf
 
Data and Power Isolation (Design Conference 2013)
Data and Power Isolation (Design Conference 2013)Data and Power Isolation (Design Conference 2013)
Data and Power Isolation (Design Conference 2013)
 
IoT workshop - Is 1kV Also Enough for IoT ESD Protection – Do Current Test Me...
IoT workshop - Is 1kV Also Enough for IoT ESD Protection – Do Current Test Me...IoT workshop - Is 1kV Also Enough for IoT ESD Protection – Do Current Test Me...
IoT workshop - Is 1kV Also Enough for IoT ESD Protection – Do Current Test Me...
 
EMC in Industrial Automation Systems webinar - May 2020 - Peter Thomas
EMC in Industrial Automation Systems webinar - May 2020 - Peter ThomasEMC in Industrial Automation Systems webinar - May 2020 - Peter Thomas
EMC in Industrial Automation Systems webinar - May 2020 - Peter Thomas
 
CLASS 2018 - Palestra de Julio Oliveira (Gerente de Tecnologia, Power Grids G...
CLASS 2018 - Palestra de Julio Oliveira (Gerente de Tecnologia, Power Grids G...CLASS 2018 - Palestra de Julio Oliveira (Gerente de Tecnologia, Power Grids G...
CLASS 2018 - Palestra de Julio Oliveira (Gerente de Tecnologia, Power Grids G...
 
siemens relays catalog - geetech group.pdf
siemens relays catalog - geetech group.pdfsiemens relays catalog - geetech group.pdf
siemens relays catalog - geetech group.pdf
 
Moise.pdf
Moise.pdfMoise.pdf
Moise.pdf
 
Bus system AS-interface Catalogue 2008/2009
Bus system AS-interface Catalogue 2008/2009Bus system AS-interface Catalogue 2008/2009
Bus system AS-interface Catalogue 2008/2009
 
t51_process-safety-solution-best-meets-your-needs.pdf
t51_process-safety-solution-best-meets-your-needs.pdft51_process-safety-solution-best-meets-your-needs.pdf
t51_process-safety-solution-best-meets-your-needs.pdf
 
[iROC Webinar] Do I Need to Worry About Soft Errors?
[iROC Webinar] Do I Need to Worry About Soft Errors? [iROC Webinar] Do I Need to Worry About Soft Errors?
[iROC Webinar] Do I Need to Worry About Soft Errors?
 
Omnik micro-inverter-m248-m500-kit
Omnik micro-inverter-m248-m500-kitOmnik micro-inverter-m248-m500-kit
Omnik micro-inverter-m248-m500-kit
 
Yokogawa Safety Instrumented System -Prosafe RS
Yokogawa Safety Instrumented System -Prosafe RSYokogawa Safety Instrumented System -Prosafe RS
Yokogawa Safety Instrumented System -Prosafe RS
 
Spam 20
Spam 20Spam 20
Spam 20
 
Uninterruptible Power Supply (UPS)
Uninterruptible Power Supply (UPS)Uninterruptible Power Supply (UPS)
Uninterruptible Power Supply (UPS)
 
Developing functional safety systems with arm architecture solutions stroud
Developing functional safety systems with arm architecture solutions stroudDeveloping functional safety systems with arm architecture solutions stroud
Developing functional safety systems with arm architecture solutions stroud
 
Powering-Up the Industrial Network
Powering-Up the Industrial NetworkPowering-Up the Industrial Network
Powering-Up the Industrial Network
 
Qualifying a high performance memory subsysten for Functional Safety
Qualifying a high performance memory subsysten for Functional SafetyQualifying a high performance memory subsysten for Functional Safety
Qualifying a high performance memory subsysten for Functional Safety
 
Safety control systems: Some essential considerations
Safety control systems: Some essential considerationsSafety control systems: Some essential considerations
Safety control systems: Some essential considerations
 
DETECTING POWER GRID SYNCHRONISATION FAILURE ON SENSING BAD VOLTAGE OR FREQUE...
DETECTING POWER GRID SYNCHRONISATION FAILURE ON SENSING BAD VOLTAGE OR FREQUE...DETECTING POWER GRID SYNCHRONISATION FAILURE ON SENSING BAD VOLTAGE OR FREQUE...
DETECTING POWER GRID SYNCHRONISATION FAILURE ON SENSING BAD VOLTAGE OR FREQUE...
 
Protection, Automation and Monitoring: SIPROTEC 5 v7.9/v8.0
Protection, Automation and Monitoring: SIPROTEC 5 v7.9/v8.0Protection, Automation and Monitoring: SIPROTEC 5 v7.9/v8.0
Protection, Automation and Monitoring: SIPROTEC 5 v7.9/v8.0
 

Safety Critical Applications of FPGAs

  • 1. Power Matters. © 2012 Microsemi Corporation. Power Matters. Safety Critical Applications Rufino Olay Microsemi Industrial Business Manager June 26, 2012
  • 2. Power Matters. 2© 2012 Microsemi Corporation.  Introduction to functional safety  Different safety standards  Design techniques  Deployment examples  Further resources Agenda
  • 3. Power Matters. 3© 2012 Microsemi Corporation. History of Microsemi FPGAs in safety critical applications Tactical MissilesCommercial Avionics Military Avionics Military Ground VehiclesMedical Equipment Space Systems
  • 4. Power Matters. 4© 2012 Microsemi Corporation. Increasing safety critical design focus  Safety-Critical Systems • Avionics • Medical • Industrial automation • Power plants • Railmotive • Gas/Oil industry • More...  S-C System Characteristics: • Reliability • Availability • Secure operation • System integrity • Data integrity • System recovery • Maintainability Market Drivers: Industrial manufacturers upgrading products to include more electronics for higher dependability involving reliability, safety, availability, and security  Device selection considerations • Prior deployment in safety critical application • Length of time device has been in the market • Number of devices shipped over current product lifetime • Accessibility to reliability data
  • 5. Power Matters. 5© 2012 Microsemi Corporation. Industrial Application Examples Configurable Safety Modules Safety Laser Scanners Safety Light CurtainsSafety Drives & Motors, Motor Control Safety PLCs Other Examples from IEC website:  Emergency shut-down systems  Fire and gas systems  Turbine control  Gas burner management  Crane automatic safe-load indicators  Guard interlocking and emergency stopping systems for machinery  Medical devices  Dynamic positioning • Control of a ship's movement when in proximity to an offshore installation  Railway signaling systems (including moving block train signaling)  Variable speed motor drives used to restrict speed as a means of protection  Remote monitoring, operation or programming of a network- enabled process plant *Images copyright of owners
  • 6. Power Matters. 6© 2012 Microsemi Corporation. Numerous Functional Safety Standards Functional Safety Standards for Different Markets  IEC 61508: Functional safety in industrial equipment  DO-178B/DO-254: Functional safety in avionics  IEC 6060: Functional safety in medical equipment  EN 50128/9: Railway application - software for railway control & protection  ISO 26262: Functional safety in road vehicles
  • 7. Power Matters. 7© 2012 Microsemi Corporation.  All systems will have a possibility of failure in time • It is impossible for a system with absolute zero failure rate  Each application has a failure rate level • Goal is to significantly increase the time between any failures • Example in a US Nuclear power plant goal is failure in 110,000 years* – Many exceed this to 1 failure in 1M years with target of 1 failure in 10M years  Tolerable failure rates/levels vary per application • Depends on potential for direct or indirect physical injury  Safety Integrity Levels (SILs) are categories to quantify levels of risks Functional Safety Overview *Source: http://www.world-nuclear.org/info/inf06.html
  • 8. Power Matters. 8© 2012 Microsemi Corporation.  Developed by International Electrotechnical Commission (IEC) • Certification through TUV  Functional safety in industrial equipment • Originally applied at system level but has been also applied to product & components • Addresses Electrical, Electronic, Programmable Electronics including hardware and software IEC 61508: Industrial functional safety standard Safety Integrity Level (SIL) - IEC 61508 SIL Level Availability Probability of Failure Consequence Application Example 4 >99.99% 1 failure in 110,000 yrs Potential for fatalities in the community Nuclear Power Plant Control 3 99.9% 1 failure in 11,100 yrs Potential for multiple on-site fatalities Hazardous area laser curtain sensors 2 99% 1 failure in 1,100 yrs Potential for major on-site injuries or fatalities Hazardous liquid flow meter 1 90% 1 failure in 110 yrs Potential for minor on-site injuries Thermal Meter
  • 9. Power Matters. 9© 2012 Microsemi Corporation. Safety standards for different markets Source: TUV
  • 10. Power Matters. 10© 2012 Microsemi Corporation. Our Devices Deployed at the Highest Reliability Levels  Immunity to Firmware Errors • Ensures Data & System Integrity & Control • Fully functional to 100KRads  Fault Tolerance through Redundancy • Hardware redundancy through parallel, dissimilar processes • Cortex-M3 & FPGA running in lockstep Safety Integrity Level (SIL) - IEC 61508 SIL Level Availability Probability of Failure Consequence Application Example 4 >99.99% 1 failure in 110,000 yrs Potential for fatalities in the community Nuclear Power Plant Control 3 99.9% 1 failure in 11,100 yrs Potential for multiple on-site fatalities Hazardous area laser curtain sensors 2 99% 1 failure in 1,100 yrs Potential for major on-site injuries or fatalities Hazardous liquid flow meter 1 90% 1 failure in 110 yrs Potential for minor on-site injuries Thermal Meter Microsemi FPGA Inherent Strengths  Extreme Temperature Operation • Fully operational in harshest conditions • Up to 200oC
  • 11. Power Matters. 11© 2012 Microsemi Corporation.  Single Event Upset issue was first discovered in 1979 by Intel and Bell Labs as failures in DRAM’s  In 1999 Sun Microsystems noticed errors in cache SRAM’s for mission critical servers  2000’s saw an increasing concern over SEU in logic devices like FPGAs  Historically neutron interactions have been associated with electronics used in Aircrafts due to the high neutron flux at these altitudes  As more electronics is incorporated in everyday applications, likelihood of interference has increased Neutron Induced Single Event Upset Background
  • 12. Power Matters. 12© 2012 Microsemi Corporation.  As nodes shrink, the amount of charge on each node is smaller, but charge in Cosmic rays remain same thus causes a bigger “disturb”  As nodes shrink, circuits require less charge per switch to operate  In FLASH FPGAs when neutron or alpha particles strike Configuration Cells in: • Routing Matrix  No change • Logic Block  No change Flash FPGAs immune to Single Event Upset
  • 13. Power Matters. 13© 2012 Microsemi Corporation.  In SRAM FPGAs when neutron or alpha particles strike the CM’s in • Logic Block  results in a misconnected signal which in turn results in functional failure • Routing Matrix  results in a misrouted or missing signal  In both cases it’s a CM upset leading to severe consequences! • These errors persist until detected • Need rebooting OR power cycling of the FPGA SRAM FPGAs are effected by stray particles
  • 14. Power Matters. 14© 2012 Microsemi Corporation. No SEU Configuration Failures in Microsemi FPGAs FPGA Technology Equivalent Functional Failure – FIT Rates per Device Ground-Level Applications Commercial Aviation Military Aviation Sea Level 5,000 Ft 30,000 Ft 60,000 Ft Microsemi Antifuse FPGA 1M-Gate 150nm Antifuse No Failures Detected No Failures Detected No Failures Detected No Failures Detected Microsemi Flash FPGA 1.5M-Gate 130nm Flash No Failures Detected No Failures Detected No Failures Detected No Failures Detected Microsemi Upcoming Next Gen Flash FPGA 65nm Flash No Failures Detected No Failures Detected No Failures Detected No Failures Detected SRAM FPGA Vendor 1 1M-Gate 90nm SRAM 320 FITs 1,100 FITs 47,000 FITs 150,000 FITs SRAM FPGA Vendor 2 1M-Gate 90nm SRAM 730 FITs 2,500 FITs 108,000 FITs 346,000 FITs Neutron Testing Results: iRoC Technologies: www.irochtech.com Regular testing at Los Alamos National Labs neutron test facility
  • 15. Power Matters. 15© 2012 Microsemi Corporation.  IEC61508 Annex E04 • 7.4.5.4 Especially for application of FPGAs and PLDs in E/E/PE safety related systems the following systemic faults shall be controlled Fewer Requirements for Flash Based FPGAs Due to Non Volatility & SEU Immunity Requirement Applicability to Microsemi Loss of information in Configuration RAM (RAM Based FPGAs) na: SEU immune Malfunction of erase feature (EEProm based FPGAs/PLDs) na: Flash is non-volatile Power supply drops, EMC (RAM based) na: Flash is non-volatile Incorrect initialization during power-on (RAM based) na: Live at power-up Faults in individual programming / configuration bits (all technologies) Yes Modification of coarse functionality (macro cells, FPGA & CPLD) Yes Coupling between “independent” channel (temperature, supply voltage, EMC, cross-talk) if implemented on a single chip (all technologies) Yes Single point of failure (e.g. compare logic, efficient self testing even if system uses long time static data during normal operation) Yes Malfunction in design and implementation tools Yes
  • 16. Power Matters. 16© 2012 Microsemi Corporation. Meeting Security Requirements From IEC 61508, Part 1, P. 8  …this standard demands that any malicious and unauthorized actions are to be examined during the hazard and risk analysis. The application scope of this analysis includes all relevant phases of the security life cycle;  Protection against • Reverse engineering • Tampering • Overbuilding • Cloning
  • 17. Power Matters. 17© 2012 Microsemi Corporation. Microsemi Security Features  Secured IP • FlashLock® controls access to security settings of the device • No bitstream communicated from external configuration device • Flash cells more secure against micro-probing than other FPGA technologies  Secured manufacturing flow • AES-encrypted programming file sent to manufacturer • Devices pre-programmed with matching AES key sold direct to manufacturer • Protects against overbuilding and cloning EEPROM Configuration Stream
  • 18. Power Matters. 18© 2012 Microsemi Corporation.  Redundancy is mandatory for safety critical systems • Provides fault-tolerant systems • Operate properly in the event of a failure  Dual Modular Redundancy • Duplicated designs work in parallel – The same inputs are provided to each processing element – Fail safe certification engine checks for consistency  Triple Modular Redundancy • Three control systems • Error in one component can be out-voted by the other two Redundancy Techniques
  • 19. Power Matters. 19© 2012 Microsemi Corporation. Diversity Concept  What is it – “Diversity”? • Fundamental differences or dissimilarity between two devices – usually to implement the same functions • In case of FPGAs: Silicon (technology & architecture), Software, Hardware development tools  Without Diversity: • In a system is designed with TMR or DMR redundancy, • if ALL FPGA’s behave similar, then if 1 type of failure causes 1 FPGA to fail, • then ALL the redundant (backups in case of failures) could possibly also FAIL, and the system would shut down. • Redundancy in this case did not keep the system running.  With Diversity: • If a system is designed with redundancy, and all FPGA’s are DIVERSE, then 1 type of failure mode is DIFFERENT between 2 DIFFERENT devices • If 1 type of failure causes 1 FPGA to fail, the redundant FPGA behaves DIFFERENTLY. • The system would still RUN.
  • 20. Power Matters. 20© 2012 Microsemi Corporation. Diversity through two different Microsemi FPGA technologies  Microsemi manufactures Antifuse & Flash FPGAs  Antifuse technology and flash technology are completely different in terms of the manufacturing process, how the devices store the design, and how the devices are programmed with the design.  Antifuse devices are 1-time-programmable (OTP) and the device design is stored by permanently creating a conductive path.  Flash devices are re-programmable and the device design is stored by storing a charge on a floating gate of a flash transistor.
  • 21. Power Matters. 21© 2012 Microsemi Corporation. Evolution of Programmable Logic Increasing Levels of Integration 1st Generation Low Power FPGA 2nd Generation First Mixed Signal FPGA 3rd Generation Customizable System-On-Chip (cSoC) Flash FPGA Fabric  Hardware Acceleration  Customized Pulse Width Modulation  I/O Expansion Programmable Analog  Voltage & Current Monitoring  Temperature Monitoring Flash FPGA Fabric  Hardware Acceleration  Customized Pulse Width Modulation  I/O Expansion Embedded ARM® Cortex-M3  Complex Algorithms  System Management Programmable Analog  Voltage & Current Monitoring  Temperature Monitoring Flash FPGA Fabric  Hardware Acceleration  Customized Pulse Width Modulation  I/O Expansion
  • 22. Power Matters. 22© 2012 Microsemi Corporation. SmartFusion Ideal platform to partition software & hardware architecture requirements Software Platform - System layer - Application Layer Hardware Platform - Co-Processing - Customized Drivers
  • 23. Power Matters. 23© 2012 Microsemi Corporation. Safety Implementation Comparison Microcontrollers  Two core implementation • Redundant Similar Processes  Same code / Algorithm • Potential duplication of code error  Multiple different code / algorithms • Requires higher speed processors • Increases Power Consumption cSoC (FPGA & MCU)  MCU & FPGA implementation • Redundant Dissimilar Processes  Same algorithm designed twice • H/W & S/W implemented on same die  Multiple different code / algorithms • Build parallel processing elements • Lowers power consumption Safety Controller #1 Safety Controller #2 Oriented 90̊ from core #1 SmartFusion Safety Controller #1 Safety Controller #2 Fail Safe Detection Circuitry Fail Safe Detection Circuitry
  • 24. Power Matters. 24© 2012 Microsemi Corporation. Fusion CoreSPI Power Sensor Power & Reset CoreSPI Aircraft Interface Control Logic Flap Control Stabilizer Control Brake Control Pressure Sensor Safety Critical System Requirement  Firm Error Immunity  Non-Volatile & Live at Power-up Solution  Flight Control Actuator  Aircraft flaps & spoiler control  Trim for speed brakes and horizontal stabilizer  Yaw & roll trim Deployed Example in Fusion Programmable Analog FPGA Logic Safety Critical Application Example #1 Flight Control Actuator Example
  • 25. Power Matters. 25© 2012 Microsemi Corporation. Safety Critical System Requirement  Firm Error Immunity  Non-Volatile & Live at Power-up  Dissimilar processing elements Solution  Two processing elements • MCU: IR Interface & laser beam surveillance • FPGA: Signal processing and pulse detection Deployed Example in SmartFusion  Laser Safety Curtain: SIL3  Second Highest Safety Integrity Level Safety Critical Application Example #2 SmartFusion ARM Cortex-M3 FPGA Logic IR interface controller, Laser beam surveillance Time to digital conversion, Pulse detection Sensor Laser Safety Curtain Example Sensor Input Programmable Analog Control data Measurement Data Sensor IR configuration interface Rotating Laser beam interface
  • 26. Power Matters. 26© 2012 Microsemi Corporation. Quality Management Systems & Certification  Quality management system • ISO-9001 (2002) • TS 16949 • SAE / AS9100 • QML  Qualification and certification • MIL-STD-883 Class B • PURE: – European packaging Standard – Commercial components in rugged environments • QML Class Q – Cert for components in high reliability / military • AEC-Q100 – Automotive certification for ProASIC3 devices
  • 27. Power Matters. 27© 2012 Microsemi Corporation.  Web pages • Safety Critical Solutions: http://www.actel.com/products/solutions/safetycritical/default.aspx • Quality & Reliability Data: http://www.actel.com/techdocs/qualrel/default.aspx • Single Event Effects: http://www.actel.com/products/solutions/ser/default.aspx • Operating in Extreme Environments: http://www.actel.com/products/solutions/extremeenv/default.aspx • Design Security: http://www.actel.com/products/solutions/security/default.aspx  Numerous documentation White Paper • Basics on single event effects • Understanding SEE impact in avionics, networking applications (ground level apps) • Increasing Fault Tolerance by Using Diverse Design Programmable Logic Technologies Frequently Asked Questions – Neutron FAQ Resources: For more information
  • 28. Power Matters. 28© 2012 Microsemi Corporation.  Military & Aerospace • Radiation Article  Medical • FDA articles on radiation emitting products  EE Times • Automotive – Cosmic Rays Damage Electronics – Alpha particles, DRAMs, SEU, Toyota Acceleration • General – Neutron Storm Swirls Around FPGA Reliability – Soft Errors become hard truth for logic – Space Particles hit logic chips – Reliability and Redundancy  Others • Electronic Products : Battling Single Event Upsets in Programmable logic • Tech Focus Media : Gearing up for rain, new soft error tolerant circuits • EDN : Cosmic Radiation comes to ASIC and SOC Designs 3rd Party Articles, Publications
  • 29. Power Matters. 29© 2012 Microsemi Corporation.  Flash Based FPGAs are an excellent high reliability platform  History of deployments in Safety Critical Applications • Industrial & Medical • Avionics • Military • Space  Dedication to Quality Systems • Quality management systems & certification  Next Steps • Microsemi exploring IEC 61508 certification for FPGAs & dev S/W – Leveraging knowledge and techniques from other certifications for Industrial • Developing safety documentation package Summary