Dependable design technique for system-on-chip

Abstract

A technique for highly reliable digital design for two FPGAs under a processor control is presented. Two FPGAs are used in a duplex configuration system design, but better dependability parameters are obtained by the combination of totally self-checking blocks based on a parity predictor. Each FPGA can be reconfigured when a SEU fault is detected. This reconfiguration is controlled by a control unit implemented in a processor. Combinational circuit benchmarks have been considered in all our experiments and computations. All our experimental results are obtained from a XILINX FPGA implementation using EDA tools. The dependability model and dependability calculations are presented to document the improved reliability parameters.

Introduction

Systems realized by field programmable gate arrays (FPGAs) are more and more popular and widely used in more and more applications due to several properties and advantages:

• High flexibility in achieving multiple requirements such as cost, performance and turnaround time.

• Possible reconfiguration and later changes of the implemented circuit, e.g. only via radio net connections.

The FPGA circuits can be used in mission critical applications such as aviation, medicine, space missions, and railway applications as well [1], [2], [3].

Many FPGAs are based on SRAM memories sensitive to Single Even Upsets (SEUs), therefore a simple usage of FPGA circuits in mission critical applications without using any method of error detection is impossible.

One change of a bit in the configuration memory leads to a change of a circuit function, often drastically. The concurrent error detection (CED) techniques allow a faster detection of soft errors (errors which can be corrected by reconfiguration) caused by SEUs [4], [5], [6]. SEUs can change also the content of embedded memory, Look-up Tables (LUTs) and other configuration bits. These changes are not detectable by off-line tests, therefore CED techniques have to be used. The probability of a SEU occurrence in the SRAM is described in [7].

Several CED schemes for the reliable computing system design have been proposed and used commercially. These techniques differ mainly in their error detection capabilities and in the constraints required for the system design. There are many publications on system design with concurrent error detection [8], [9], [10], [11], [12], [13], [14], [15], [16], [17]. They include the design of datapath circuits (e.g., adders, multipliers) and general combinational and sequential logic circuits with the concurrent error detection. Almost all publications on CED focus on their area/performance overhead. CED techniques (based on hardware duplication, parity codes [19], etc.) are widely used to enhance system dependability parameters. All CED techniques introduce some form of redundancy. All the above-mentioned CED techniques guarantee system data integrity against single faults.

However, these CED schemes are vulnerable to multiple faults and common-mode failures (CMFs). Common-mode failures are a special and very important case of multiple faults that generally occur due to a single cause. System data integrity is not guaranteed in the presence of CMFs. They include operational failures that may be caused by external effects (e.g., EMI, power-supply disturbances and radiation) or internal causes. CMFs in redundant VLSI systems are surveyed in [9], [18].

A paper addressing the issue of self-checking FPGA design based on the adoption of error detection codes (e.g., Berger code, Parity code) as an evolution of the traditional approaches developed in the past for the ASIC platform was presented in [20]. The used method is based on the design techniques that allow hardware fault detection in a combinational network through information redundancy at functional/gate level. These techniques allow to use more complete methodology of dynamically reconfigurable FPGAs, which includes recovering from fault states. It means that the system can be reconfigured when the fault is on-line detected.

A self-checking (SC) circuit (Fig. 1) is one possible realization of the CED scheme. The SC circuit is typically composed of the original circuit, parity predictor and checker. The parity predictor is used to generate check bits and together with primary outputs realize a code word. The check bits are generated from primary inputs. The checker depends on the error detection (ED) code used for the parity predictor. Many papers have been published on this topic [21], [22].

In many publications the quality of the SC circuit is characterized by the number of detected faults. However, in many cases when the fault coverage is high (almost 100%) the area overhead is also high. The high area overhead decreases the fault tolerant properties, and it is important to find some trade-off between the area overhead and the fault coverage. These requirements have been taken into account in this paper.

CED techniques based on ED codes are widely used. However, many research groups have not evaluated the totally self-checking (TSC), fault secure (FS) and self-testing (ST) properties of the final circuit. Many publications describe only the TSC parameter. But this parameter provides insufficient information about all faults in a circuit implemented in FPGA. The hidden faults are not taken into account. Therefore a new fault classification is proposed to describe faults in FPGA caused by SEU in this paper.

A fault tolerant system must satisfy fault masking requirements. A fault occurring in such a system is detected and does not lead to an incorrect function. If the system has no repair capability, it must be stopped after the next fault is detected. A fault tolerant system protected against SEU must also be reliable. However, CED techniques increase the final area, and techniques to increase the reliability parameters based on a single FPGA are not sufficient. Some publications have focused on reliable systems based on a single FPGA using a triple module redundancy (TMR) structure [4], [23], [24].

The TMR structure is unsuitable when a high area overhead is unacceptable. Some hybrid architecture must be used. TMR architecture and a hybrid system, e.g., the modified duplex system with a comparator and some mostly used types of CED techniques are compared in [25], [26]. A technique based on duplication with comparison (DWC) and the CED technique are described in [27], [28].

The fault tolerant system proposed in this work is based on DWC–CED with reconfiguration. This paper presents the methods for maximum enhancement of the dependability parameters while maintaining the minimal area overhead. The complex structure implemented in each FPGA is divided into small blocks, where every block satisfies TSC properties. This approach can detect a fault before the fault is detected by the output comparator.

Design methodology plays an important role in fault tolerant systems based on a self-checking circuit. The methodology of self-checking code selection was presented in [29], [30]. This methodology assumes that the circuits are described by multilevel logic and are realized by ASICs. The synthesis process of this self-checking circuit is different from the classical method. Each part of the self-checking circuit is synthesized individually, due to possible sharing of logic primitives among these blocks. Sharing the logic decreases the number of detected faults. Some papers describing methodologies for VHDL automatic modification have been published [31], [32].

A design flow for protecting an FPGA-based system against SEUs is presented in [4]. This paper presents a design flow for developing a circuit resilient to SEUs which is composed of standard professional tools and ad-hoc developed tools, too. Experiments are performed on benchmark circuits and on a realistic circuit to show the capabilities of the proposed design flow.

There is another on-line testing approach that the implemented design does not take into account. The on-line test is processed for a whole FPGA, without disturbing the normal system operation [33], [34]. In this case, the structural test is performed.

The possibilities how to keep proper system functions are always based on some redundancy. Redundancy always means great area and/or time overhead. Our proposed structure increases dependability parameters together with ensuring a relatively low area overhead compared with classical methods such as duplication or triplication [35]. The term dependability is used to encapsulate the concepts of reliability, availability, safety, maintainability, performability, and testability.

• Reliability is a conditional probability, in that it depends on the system being operational at the beginning of the chosen time interval. The reliability of a system is a function of time R(t).

• Availability is a function of time A(t), defined as the probability that a system is operating correctly and is available to perform its functions at instant of time t.

• Safety is the probability S(t) that a system will either perform its functions correctly or will discontinue its functions in a manner that does not disrupt the operation of other systems or compromise the safety of any people associated with the system.

• Performability of a system is a function of time P(L, t), defined as the probability that the system performance will be at or above some level L, at instance of time t. In many cases, it is possible to design systems that can continue to perform correctly after the occurrence of hardware and software faults, but the level of performance is somehow diminished.

• Maintainability is a measure of the ease with which a system can be repaired once it has failed. In more quantitative terms, maintainability is the probability M(t), that a failed system will be restored to an operational state within a period of time t. The restoration process includes locating the problem, physically repairing the system, and bringing the system back to its operational condition.

• Testability is simply the ability to test for certain attributes within a system. Measures of testability allow us to assess the ease with which certain tests can be performed.

These parameters are described more precisely in [36].

The availability computation is utilized to compare our modified duplex system with a standard duplex system and TMR system in this paper.

Our solution combines on-line testing design methods with a classical duplex design. It assumes the dynamic reconfiguration of the faulty part of the system after an on-line fault detection. The most important criterion is the speed of the fault detection and the safety of the whole circuit with respect to the application requirement.

Our previous research shows the relation between the area overhead and the SEU fault coverage [37]. Due to the need for a small area overhead, the SEU fault coverage for most circuits is less than 100%. The SEU fault coverage varies typically from 75% to 95%. Therefore we have to use an additional method to keep the TSC property. Combinational circuit benchmarks have been considered in all our experiments and computations. All our experimental results are obtained by a XILINX FPGA implementation by means of EDA tools. The dependability model and dependability calculations based on Markov chains are presented.

This paper comprises partial research results based on software and hardware simulation experiments presented in [38], [39], [40]. Our research aims at the compound design methods for a system-on-a-chip (SoC) composed from several FPGA blocks, processor, memories, etc. We assume some or all FPGA blocks to be dynamically reconfigurable. The resulting SoC design contains several independent FPGA block where each of them can be reconfigured independently.

The paper is organized as follows: first, basic terms concerning the classification of the faults are presented in Section 2. The proposed structure to be implemented in FPGAs is described in Section 3. The dependability models and computations are presented in Section 4. Section 5 describes design methodology for SoC. Fault injection and simulation is described in Section 6. Section 7 summarizes and expresses the results obtained from these models by several graphs and Section 8 concludes the paper.