![Figure 4: Hydraulic monitoring system (from [36]).](/figures/figure-4-hydraulic-monitoring-system-from-36-ubhgx2ia.webp)
![Figure 5: Reactor trip system (from [3]).](/figures/figure-5-reactor-trip-system-from-3-1928igqz.webp)
![Figure 2: ASIC development lifecycle (the V-shaped model) [42].](/figures/figure-2-asic-development-lifecycle-the-v-shaped-model-42-3jmamq2g.webp)
![Figure 6: Body controller unit (from [62]).](/figures/figure-6-body-controller-unit-from-62-1bi2n96y.webp)
![Figure 3: Development Process Proposed by Hilton et al. [39].](/figures/figure-3-development-process-proposed-by-hilton-et-al-39-1r2e71tv.webp)
SRAM-based FPGA Systems for
Safety-Critical Applications: A Survey on
Design Standards and Proposed Methodologies
∗
Cinzia Bernardeschi Luca Cassano Member, IEEE
Andrea Domenici
†
March 29, 2019
Abstract
As the ASIC design cost becomes affordable only for very large
scale productions, the FPGA technology is currently becoming the
leading technology for those appli cat i ons that require a small scale
production. FPGAs can be considered as a technology crossing be-
tween hardware and software. Only a small number of standards for
the design of safety-critical systems give guidelines and recommenda-
tions that take the peculi ar i t i e s of the FPGA technology into consid-
eration. The main contribution of this paper is an overview of the
existing design standards that regulate the design and verification of
FPGA-based systems in safety-critical application fields. Moreover,
the paper proposes a survey of significant published research propos-
als and existing industrial guidelines about the topic, and collec ts
and r e port s about some lessons learned from industrial and research
projects involvin g the use of FPGA devices.
Keywords: Design Verification, Electronic Design, Safety-criti cal Sys-
tems, SRAM-based FPGA
∗
Postprint. Publis he d in: Journal of Computer Science and Technology March 2015,
Volume 30, Issue 2, pp 373390. The final authenticated version is available online at:
https://doi.org/10.1007/s11390-015-1530-5
†
C. Bernardeschi and A. Domenici are with the Department of Information Engineering,
University of Pisa, Italy. L. Cassano is with the Dipartimento di Elettronica, Informazione
e Bioingegneria, Politecnico di Milano, Italy.
1
1 Introduction and Motivations
Since the first FPGA device was developed by Xilin x in 1984 with the XC2064
chip, the FPGA technology has enormously grown in terms of flexibility,
reliability and computati o n al power. Although it is still not comparable
with ASIC technology either in terms of computational powe r or silicon area
occupation, the FPGA technology has imposed itself in many application
fields thanks to very good performance, low non recurrent desi gn cost and
very sh o r t time to market.
In particular, SRAM-based FPGA devices ar e employed in many applica-
tion fields such as broadcast, wireless and wired communication systems [14],
cryptography and network security [ 49 ] , and consumer produ ct s, as well as
in fields with stringent safety requirements, such as airborne [ 18 ] , aerospace
and defense [47], railways [20], and industrial and nuclear power plant con-
trol [55].
This interest is d u e t o the ca p ab i l i ty of SRAM - b ased F PGAs of being
dynamically and partially reconfigured at ru n - t i m e, which makes this tech-
nology much more powerful and flexible than non dynamically reconfigurable
technologies, such as flash- and antifuse-based FPGAs. Usin g SRAM-based
FPGAs and exploiting dynamic partial reconfiguration, a designer can ada p t
the fu n c t io n al i ty implemented by the system to changing environment and
operational requi re m ents. For example, dynamic partial reconfiguration has
been used in a platform for satellite payload p r ocessing [60]. A satellite
payload m ay perform different t as ks in the course of its mission, such as ac-
quiring data, process it, and transmit it to ground. FPGA devices may be
reconfigured for each task, thus improving resource utilization.
Nevertheless, SRAM-based FPGA devices are still seldom used in those
parts of systems related with the safety of the system itself, due to the
vulnerability to faults of the SRAM-based configuration m em or y [61]. On
the ot h er hand, in the last years a number of dedicated conferences and
workshops, such as the NASA/ESA Conferences on Adaptive Hardware and
Systems and the Military and Aerospace Programmable Logic Devi ces Work-
shops demonstrate great interest in employing SRAM-based FPGA devices
in safety- and mission-critical applications. In [53], the maturity of reconfig-
urable FPGA technologies for safety-critical applications is discussed.
A safety-critical system is a syst em whose failure or malfunction may
result in death or serious injury to people, loss or serious damage of equ i p -
ment, or environmental harm. In the IEC 61508-2 functional safety stan-
2
dard [42], for safety related Electric/Elect r o n i c/Pr o gr am m a b l e Electronic
systems (E/E/PE) operating in a low-dem a n d mode of oper at i on, the lower
limit on the target failure measures is set at an average probability of 10
−5
dangerous failu r es per hour of functioning. On the other h an d, for E/E/PE
safety-related systems operating in a high-demand continuou s mode of oper-
ation, the lower limit is set at an average probability of 10
−9
.
As discussed in [11] , testing alone cannot guarantee such requirement;
combining fault tolerant approaches, such as replication and diversity, to-
gether with testing and other techniques such as Failure Mode and Effects
Analysis (FMEA) and reliability ana ly si s methods, can improve t h e relia-
bility of the system, but the result is still far fr om the 10
−9
goal. It is
then necessary to complement the fault removal (i.e., testing) and fault tol-
erance strategies with a fault avoidance st r at egy, with the goal of producing
high-quality systems, a s free as possible of systematic faults. This goal can
be achieved with rigorous development processes carried out according to
standards that explicitly take into account the requirements of safety-critical
systems.
Many stand ar d s are available to d evelopers of safety-cr it i ca l systems, but
most of them do not d i r ect l y address the specific issues of the FPGA tech-
nology, or provide only limi t ed guidance about them. Two are the main
differences between th e ASIC and th e FPGA design fro m the system de-
signer point of view. The first difference is that the FPGA design flow is
much more automated than the ASIC one, and thus it leads designers to
rely much more on the CAD tools provided by the FPGA vendor and to pay
less attention to verifying the correctness of the int er m ediate products of the
various design phases and to trust too much the CAD tools [21]. The second
difference is that the final product of the FPGA design is a software, i.e., the
bitstream. Because of this, FPGAs are often perceived by d esi gn er s as easy
to modify and correct late in the development process, thus FPGA based
systems are often designed with developm ent methods more similar to a code
and fix approach than a tru e hardware design process, methods that would
not be accepted for the design of more costly and less flexible technologies,
such a s ASICs or microprocessors [17].
In [17] Cercone et al. discuss how FPGA programming has not evolved
much beyond the classical sequential development metho dology of sp eci fyi ng
requirements, creatin g the design, coding, simulating and testing. Often the
documentation and testing of an FPGA project is left as an “end of project”
task. The authors discuss how logic and functional testing are often com-
3
pleted only for known operational conditions, thus ensuring that the device
does what it is supposed to do, but with ou t ensuring that it does not perform
unrequested functions. The paper strongly endor ses the necessity of adapting
verification and validation methodologies relying on modern design process es
to the FPGA design, incorporating verification techniques as integral parts
of the entire design process.
Habinc et al. [35], as well as Fern´andez-Le´on in [21] and Gibbons and
Ames in [28], discuss how many problems and failu r es in space applications
involving FPGA devices are the result of applying inadequate development,
verification and validation methodologies. The authors observe that since
the FPGA technology became sufficiently mature, it is being employed more
and more heavily in space app l i cat i on s , performi ng more and mo r e complex
and critical tasks.
Gibbons and Ames discuss the failure of the NASA Wide Field Infr ar ed
Explorer (WIRE) project, that was due to the indeterminate stat e of the
output of a control FPGA device, during the power-up phase. The authors
focus on that experience, arguing that a robust design process of an FPGA-
based safety-critical system must rely on a great experience of designers in
any as pect of the specifi c FPGA technology employed.
Finally, in [21], Fern´andez-Le´on discusses the results of an audit of FPGA-
based designs conducted by the European Space Agency, which revealed that
the overall design methodology and quality control app li ed to these designs
were often poorly defined and in some cases even risky or negligent.
Taking these issues into account, designers of FPGA-ba sed systems of-
ten borrow stand ar d s and g u i d el i n es from more traditional technologies and
adapt them to the needs of FPGA-based development. Moreover, because of
the lack of specific regulations and standards, a number of guidelines, such
as [65, 5, 56], and lessons learned from research and industrial project s, such
as [17, 21, 2 8 ], have been publ i sh ed over t h e years.
Our work intends to present a brief overview of the existing standards
for the use of FPGAs in safety-related systems, and, in general , har d ware-
based systems developm ent, and to survey proposed techniques, guidelines
and lessons learned about the design, verification and valid at i on of FPGA-
based safety-critical systems. This wo r k is meant for both practitioners and
researchers working in the field of design and verification of FPGA-based
safety-critical systems. In p ar t i cu l a r, practitioners could exploit the present
work to get a quick overview of the existing standards as well as to enrich their
background through l esso n s learned from industrial and research projects
4
involving the development of FPGA-based systems. On the other hand,
researchers approaching the novel design and verifi cat i on t echniques cou l d
obtain from the present work a first picture of the existing trends.
Since the design of an FPGA-based system has many steps in common
with the ASIC design flow and since there is n ot yet a comprehensive and
specific standard for the development of FPGA-based systems, in the fol-
lowing sections we report general information, requirements and guidelines
specific of ASIC designs but also applicable to FPGA d e si gn s, and, when
available, activities and requirements specifi c of the FPGA design flow.
The remainder of this p aper is organized as follows: in Section 2 we
briefly describe the main features of the FPGA technology; in Section 3 we
quickly review the standards in force for FPG As in safety-critical application
fields; in Section 4, we present a survey of the research proposals, guide-
lines and lessons learned for FPGA-based system design and verification in
safety-critical application fields; Section 5 presents the main techniques for
the analysis of the effects o f radiation on SRAM-based FPGA systems; Sec-
tion 6 repor t s on some published case studies; Secti on 7 discusses open i ssues;
finally, Section 8 concludes the paper.
2 The FPGA Technology
An FPGA is a prefabricated array of programmable blocks, interconnected
by a programmable routing architecture and surrounded by programmable
input/output blocks. Figure 1 shows the basic architect u r e of an FPGA chip.
Programmable blocks may be simple combinatorial logic (Soft Logic Blocks)
or memories, multiplexers, ALUs and other kinds of prefabricated circuitry
(Hard Logic Blocks). Logic blocks may be programmed to implement a cer-
tain functionality, the routing architecture may be programmed to intercon-
nect various bl ocks, and I/O pa d s may be program m ed to ensure off-chip
connections.
The purpose of the logic block i s to p r ovide the basic computational
and storage elem ent for the construction of t h e complete logic system. The
programmable routi n g architectu r e, composed of wires and p r ogr a m m ab l e
switches, provid es connections among logic blocks and I/O blocks to complete
a user-designed circuit. Finally, the I/O architect u r e is composed of I/O pads
disposed along the perimeter of the FPGA device, each one implementing one
or more communication standards.
5