Hello,
We plan to build an FPGA-based system for a safety-relevant application. Has anyone experience with the certification of such a system? Is there any general advice that you could give me? Then some specific questions:
- What kind of failures can happen in an FPGA? Particularly, can it be that a hardware failure goes undetected (e.g. a defective logic unit) and that one part of the design simply gives a wrong response while the rest is working fine?
- What about redundancy? Can it be considered safe to have the same design twice in one FPGA for redundancy, or do we have to use another chip? So far I think that only the second option is safe, but I would like your advice on that. I already checked the design separation feature of the Cyclone III LS, but using such an expensive device is not an option. Is there any partition methodology for a normal Cyclone device to make functions as independent as possible?
- What about megafunctions such as RAM: are they easily certifiable in a safety-relevant application, or will we have to implement our own IP core (particularly, we may need DPRAMs)?
I hope you guys can help me to see a little bit clearer in this topic. We already have experience in certifying software, but this is the first time we will have to do it with an FPGA. Thank you.
7 Replies
I have read stuff on the Altera website stating these things can't be used for "life support" systems.
Life support is a different category. For a safety application it's usually sufficient to detect an error reliably and shut down the monitored system. For a life support system, e.g. a pacemaker or a respiration apparatus, it's not an option...
In my opinion, a safety application involving an FPGA can be analysed similarly to other digital logic applications, e.g. processor based. However, the failure probability of complex devices is still calculated based on the transistor count.
Hi, thanks to both of you for your answers.
--- Quote Start ---
Life support is a different category. For a safety application it's usually sufficient to detect an error reliably and shutdown the monitored system.
--- Quote End ---
Exactly.
--- Quote Start ---
In my opinion, a safety application involving FPGA can be analysed similar to other digital logic applications, e.g. processor based. However, failure probability of complex devices is still calculated based on the transistor count.
--- Quote End ---
Well, the main difference between an FPGA and a processor-based system we considered so far is the following: in a processor, if the CPU itself has a hardware failure, nothing will work anymore (there is no parallelism in a processor). Therefore we only need to check periodically that the program memory is still consistent and to monitor the processor with a watchdog to be sure the system is working. Well, at least this is what we do normally, and it is fine. Now with an FPGA, the problem might well be that only parts of the device are broken, e.g. a simple logic element. The system would still work and give a result, but this result could be false and we would not detect it. I know it is highly hypothetical, but from my understanding of FPGAs it could actually happen, right? I just would have liked to be sure I understand it well.
Your assumptions about processor failure mechanisms won't convince a safety auditor, I think. You can also imagine many kinds of failure that are undetectable by a watchdog circuit.
But I assume that hardware redundancy (using separate FPGAs) is necessary if the device operation can't be supervised otherwise.
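As an added example that is not part of the thread, a small Python fault-injection model of the question debated in the last two posts: two copies of a design inside one device with a comparator catch a fault confined to one copy, but a fault in a resource both copies share (an input pin here, standing in for clock tree or power) passes the comparator unnoticed. The netlist, net names and fault scenarios are constructed for illustration.

```python
from typing import Callable, Dict, Optional, Tuple

WIDTH = 4
Netlist = Dict[str, Tuple[Callable[..., int], Tuple[str, ...]]]

def ripple_adder_netlist(width: int) -> Netlist:
    """Constructed ripple-carry adder as LUT-level logic elements:
    output net -> (boolean function, input nets), in evaluation order."""
    nl: Netlist = {}
    carry = "c0"
    for i in range(width):
        a, b, x = f"a{i}", f"b{i}", f"x{i}"
        nl[x] = (lambda p, q: p ^ q, (a, b))            # half-sum
        nl[f"s{i}"] = (lambda p, q: p ^ q, (x, carry))  # sum bit
        nl[f"g{i}"] = (lambda p, q: p & q, (a, b))      # generate
        nl[f"t{i}"] = (lambda p, q: p & q, (x, carry))  # propagate
        nl[f"c{i + 1}"] = (lambda p, q: p | q, (f"g{i}", f"t{i}"))
        carry = f"c{i + 1}"
    return nl

ADDER = ripple_adder_netlist(WIDTH)

def evaluate(nl: Netlist, inputs: Dict[str, int], stuck: Dict[str, int]) -> int:
    """Evaluate one copy of the design. `stuck` pins selected LE outputs to a
    fixed value, modelling a single defective logic element."""
    nets = dict(inputs)
    for out, (fn, ins) in nl.items():
        nets[out] = stuck.get(out, fn(*(nets[n] for n in ins)))
    return sum(nets[f"s{i}"] << i for i in range(WIDTH))

def dmr_add(a: int, b: int, stuck1: Optional[Dict[str, int]] = None,
            stuck2: Optional[Dict[str, int]] = None,
            shared_stuck: Optional[Dict[str, int]] = None) -> Tuple[int, bool]:
    """Dual modular redundancy in one device: two adder copies plus a
    comparator. stuck1/stuck2 are faults local to one copy; shared_stuck
    corrupts the input vector both copies read (a common-cause fault).
    Returns (result delivered by copy 1, comparator error flag)."""
    inputs = {"c0": 0}
    for i in range(WIDTH):
        inputs[f"a{i}"] = (a >> i) & 1
        inputs[f"b{i}"] = (b >> i) & 1
    inputs.update(shared_stuck or {})
    r1 = evaluate(ADDER, inputs, stuck1 or {})
    r2 = evaluate(ADDER, inputs, stuck2 or {})
    return r1, r1 != r2

if __name__ == "__main__":
    print("fault-free:        ", dmr_add(5, 3))                        # (8, False)
    print("LE fault, copy 1:  ", dmr_add(5, 3, stuck1={"s3": 0}))      # (0, True)
    print("latent LE fault:   ", dmr_add(5, 3, stuck1={"s1": 0}))      # (8, False)
    print("shared pin a0 = 0: ", dmr_add(5, 3, shared_stuck={"a0": 0}))  # (7, False)
```

The third case shows a second limitation of in-device redundancy: a stuck element that does not flip the output for the current operands stays latent until a test pattern exercises it, and the fourth shows the common-cause failure that only a separate device or independent supervision can cover.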
--- Quote Start ---
But I assume, that hardware redundancy (using separate FPGAs) is necessary, if the device operation can't be supervized otherwise.
--- Quote End ---
Thanks, this is one of the directions that might have been followed, I think, maybe even without hardware redundancy but with internal design redundancy. Our customers have now decided on a slightly different approach that I am not allowed to discuss here, sorry. Thanks again for your expertise.
The reliability report may be useful too:
http://www.altera.com/literature/rr/rr.pdf
I would think that failures related to I/O and power would far exceed internal failures.