Many industrial fields, such as industrial automation, logistics and smart grids, require that machinery and products be safe and pass functional safety certification. When developing machinery and equipment that must comply with safety standards around the world, flexibility and the rising cost of safety are decisive factors.
In these applications, safety requirements give rise to a new machinery development process and increase the complexity of the electronics, which generally leads to significantly higher hardware costs and longer time to market. Industrial chip systems can help engineers save 18 months of design time in the process of obtaining IEC 61508 product certification. Having certified devices such as Altera FPGAs means that designers can take full advantage of the flexibility of FPGAs without worrying about whether these devices can be used in safety applications.
Design Challenges
If a company plans to sell products into countries that require compliance with local safety regulations, which demand certification by functional safety assessors, for example the new machinery regulation (2006/42/EG), a mandatory requirement for products exported to Europe, then that company must adopt a safety methodology throughout the entire design process in order to compete. Plant operators need to operate machinery safely in order to increase efficiency, for example by maintaining equipment while parts of the machinery are still running and by significantly shortening start-up and shutdown times.
When a company decides to develop a safety product, it must treat safety as a core system function. Historically, safety functions have been added to a system through additional elements such as redundant controllers or communication modules, combined with circuits that monitor the system. Compared with a safety application optimized from the outset for safety and cost competitiveness, such bolted-on safety components are an afterthought to the system concept: they add significant cost, are inflexible and cannot be updated.
Design challenges in developing safety applications include:
• Adopting a “safety” design approach and safety concepts.
• More engineering effort (time and skills) is required, delaying product launch and increasing total cost of ownership.
• Engineering management: collecting data on all system components and documenting the engineering work in accordance with safety regulations.
The key to successful design is to use proven design methodologies, qualified tools and components as part of the product, and consider safety issues from the beginning of product development.
Typical application steps
If safety is not considered, the five typical design steps for developing a specific application are:
• Architecture development
• Component selection
• Application design implementation
• Integration and testing
• Release
The first step is the product architecture, as shown in Figure 1. For a typical motor control application such as a drive, this step divides the system into parts such as system control, communication and real-time motor control. For example, the architecture may select a software implementation for the control and real-time parts of the system, and a hardware/software approach for the communication part in order to support real-time industrial Ethernet protocols.
Figure 1. Architecture development
The next step is to select components (Figure 2). Once the partitioning is decided, the control software may run on a standard application processor, the real-time motor control portion may be implemented on a digital signal processor (DSP), and the communication portion of the system may be implemented using an FPGA-based approach. Using FPGAs, the system can flexibly implement various industrial Ethernet standards such as EtherNet/IP, EtherCAT, PROFINET or SERCOS III on the same interchangeable devices. With this flexible communication architecture, the standard hardware platform can be customized to easily meet an end user's special protocol requirements.
Figure 2. Component selection
After determining how to partition and selecting components, the design team can start development work for their respective applications. Then, they integrate the components into a complete system, test the system functions, and release the product.
Increased safety
If a functional safety design is developed according to the product requirements, additional engineering stages are needed, shown in yellow in Figure 3.
Figure 3. Additional design steps based on safety steps
The purpose of designing a safety application is to obtain functional safety certification, for example to IEC 61508, which makes the engineering increasingly complex. The IEC 61508 specification covers the entire safety lifecycle, from the development of a specific application to the withdrawal of the product from the market. Following the steps and processes of the safety standard simplifies communication with the assessors and ensures that the safety goals, concepts, processes and solutions are clearly understood and the safety requirements are met.
Engineering Kick-off and Risk Analysis
During the Engineering Kick-off and Risk Analysis phase, the safety scope is determined from the general requirements of the application. For the implementation phase, the required and achievable Safety Integrity Level (SIL) of the application is determined, organized and documented as the basis for risk analysis and assessment. Risk analysis is the basis for the later measures; it demonstrates an understanding of the product boundaries and is closely related to the product scope definition. It underpins the required SIL, the detailed definition of the safety functions and the product documentation framework, and must be done at the component level as well as the system level.
Architecture Development
Designers then develop the architecture to meet the functional and safety requirements. They refine the safety requirements, document certain functions that will be implemented during the operation and maintenance phases, and determine the strategies that need to be taken to verify that the safety requirements can be met.
Safety requirements specification
For safety drives, the engineering scope may include several aspects, such as determining whether drive parameters are within the permitted range or whether a safety I/O signal is a critical event. The most basic safety function of a drive is "safe shutdown" (safe torque off, STO), which disconnects the power supply to the motor in a safe manner. This process may also include informing the entire automation system that a safety event has occurred and must be handled within a certain time period, for example by shutting down the entire application in a series of steps.
Validation and Certification Planning
Developing a validation plan includes controlled fault insertion methods to test the system, additional monitoring, observing the system, and comparing current parameters with predetermined parameters and permitted values.
Component Selection, Component, IP and Tool Qualification
Typical projects include a component selection step, but the designer should also ensure that the components and IP functions are suitable for the safety application. It is important to consider the residual error probability, which is the basis for calculating the total failure rate (FIT) of the product and thus the final SIL. This can be achieved by collecting device and design tool data for widely used products, so that systematic faults are excluded and they can be used reliably (for example, for IP), and by using failure probability reports and reliability information for semiconductor products such as processors or FPGAs.
Application Design Implementation
Complex system functions such as communication protocols, memory interface IP for FPGAs, or the Altera Nios® II embedded processor IP in the FPGA, typically used to run the software stacks for industrial Ethernet protocols in drive applications, all require safety analysis, testing and certification when used in a safety application.
Functionality/Diagnostics
In addition to implementing the application, certain features must be built into the design. These include basic parameter monitoring such as clock and power supply, and more complex functions such as data monitoring and observing the pulse width modulation (PWM) output to ensure the system is operating properly. They also need features that automatically detect errors and bring the system to a safe state. Basic functions include ensuring that memory contents have not been changed by external influences on the design, monitoring the system clock to ensure the design runs within the set system parameters (and to catch errors due to failure of external components), and checking that the power supply is operating properly.
Integration and testing
Each component is integrated into the safety drive solution and tested to confirm that the expected system functions and the specified safety functions are achieved. Safety verification ensures that the required safety features work during operation, for example that external factors have no adverse effect on the designed safety functions and that accidental disabling cannot affect the system.
Safety verification, certification and release
Throughout the process, close cooperation with the assessors is required to ensure that the assessments conducted during the development process are reasonable and provide appropriate safety functions. Finally, the assessors certify the safety functions of the product and the product can be launched to the market.
Adding pre-certified safety functions
Semiconductor suppliers such as Altera provide certain steps to help achieve this process, reducing the investment in safety application development. For example, immediately using semiconductor data, IP, development processes and design tools that have been pre-certified for functional safety can significantly shorten the entire product development process, as shown in Figure 4.
Figure 4. Design steps with pre-certified safety steps
Altera has invested nearly two years to achieve product certification. Altera's SIL 3 functional safety data package includes certification of Altera tools, IP and device data by the assessment agency TÜV Rheinland, shortening and simplifying the development of safety applications compliant with IEC 61508. Pre-certified design flows and tools, as well as pre-certified embedded systems and diagnostic intellectual property (IP), reduce certification risk for safety-critical industrial applications such as servo and inverter drives, safety I/O and PLCs, and automation controllers.
The test and application data of the IP and design tools, as well as the device reliability data, are summarized and organized to simplify functional safety verification. The company adopts a design method (V-Flow) approved by TÜV Rheinland to meet the special needs of FPGA design. The functional safety package includes the necessary diagnostic functions, designed as FPGA IP. Users of the functional safety package benefit from Altera's early investment in the TÜV assessment and can save the same amount of engineering time.
Safety Drive Example
This drive example with safety I/O uses Altera's certified FPGA design tool, Quartus II software 9.0 SP2, and the recommended design method to implement the application. In addition, as shown in Figure 5, this application uses two FPGAs instead of an external processor and DSP. The application is partitioned across several Nios II soft-core processors. The first Nios II processor provides communication stack support, the second handles system control, and the third is integrated into the motor control module. The motor control algorithm is partitioned so that its software part runs on the Nios II processor, while a hardware module developed specifically for this application accelerates the motor control loop. The external safety controller provides the redundancy required for SIL 3 applications.
Figure 5. Two-chip FPGA implementation of a safety drive
This solution combines a safety controller and a fieldbus controller in one FPGA, using Altera's SOPC Builder system integration tool to integrate a Nios II soft-core processor, other communication IP blocks, as well as encoder interfaces and memory interfaces.
Silicon-Driven Safety
For low-level monitoring of critical and commonly used diagnostic tasks in FPGAs, this example uses Altera’s safety-certified diagnostic IP blocks. These diagnostic IPs are designed to meet the IEC 61508 specification and perform the following commonly used diagnostic functions:
• Cyclic Redundancy Check (CRC) calculations—used in many systems, especially in fieldbus applications.
• Extracted Clock Check—this core checks for the presence and frequency of the system clock.
• SEU Check Controller—this block uses the built-in soft error checking hardware in the device to monitor changes caused by soft errors.
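To make the memory-integrity and clock-monitoring diagnostics described above concrete, here is an added software model in C (example code, not Altera's certified diagnostic IP and not from the article): a CRC-32 over a parameter image compared against a reference captured at start-up, a clock presence and frequency window check against an independent reference timer, and the reaction that drives the system to its safe state. The parameter image, clock counts and tolerance are constructed test data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not Altera's certified diagnostic IP: a software model of
 * two of the diagnostics listed above (CRC over a memory image, clock
 * presence/frequency window) plus the safe-state reaction, as a background
 * task on the system processor might run them. All memory contents and
 * clock counts below are constructed test data. */

/* CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320), bit-serial form
 * so the whole routine is visible; a table-driven form is equivalent. */
uint32_t crc32(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Memory diagnostic: the image's CRC must match the reference captured
 * when the image was last written legitimately. */
int memory_check(const uint8_t *image, size_t len, uint32_t reference_crc) {
    return crc32(image, len) == reference_crc;
}

/* Clock diagnostic: 'counted' is the number of system-clock cycles seen in
 * one window of an independent reference timer, 'expected' the nominal count.
 * Zero means the clock is absent; otherwise the deviation must stay within
 * tolerance_ppm (parts per million). */
int clock_check(uint32_t counted, uint32_t expected, uint32_t tolerance_ppm) {
    if (counted == 0) return 0;
    uint64_t diff = counted > expected ? counted - expected : expected - counted;
    return diff * 1000000ull <= (uint64_t)expected * tolerance_ppm;
}

enum { DIAG_OK = 0, DIAG_MEM_FAULT = 1, DIAG_CLK_FAULT = 2 };
typedef enum { SYS_RUN = 0, SYS_SAFE_STATE = 1 } SysState;

/* One diagnostic pass; returns the OR of the fault flags raised. */
int run_diagnostics(const uint8_t *image, size_t len, uint32_t reference_crc,
                    uint32_t clk_counted, uint32_t clk_expected, uint32_t clk_ppm) {
    int faults = DIAG_OK;
    if (!memory_check(image, len, reference_crc)) faults |= DIAG_MEM_FAULT;
    if (!clock_check(clk_counted, clk_expected, clk_ppm)) faults |= DIAG_CLK_FAULT;
    return faults;
}

/* Reaction policy: any fault drives the system to its safe state, which for
 * a drive means STO, torque removed from the motor. */
SysState next_state(int faults) {
    return faults == DIAG_OK ? SYS_RUN : SYS_SAFE_STATE;
}

/* Constructed scenario: a 16-byte parameter image with its reference CRC
 * captured at start-up, then one bit flipped to model a soft error (SEU).
 * Returns the faults raised by the pass after the flip. */
int demo_seu_faults(void) {
    uint8_t params[16] = {
        0x01, 0x00, 0x10, 0x27, 0xE8, 0x03, 0x00, 0x00,
        0x64, 0x00, 0x0A, 0x00, 0xFF, 0x7F, 0x00, 0x00 };   /* constructed */
    uint32_t ref = crc32(params, sizeof params);
    params[5] ^= 0x40;                       /* single event upset */
    return run_diagnostics(params, sizeof params, ref, 100000, 100000, 500);
}

int main(void) {
    int faults = demo_seu_faults();
    printf("faults=0x%x -> %s\n", faults,
           next_state(faults) == SYS_SAFE_STATE ? "SAFE STATE (STO)" : "RUN");
    return 0;
}
```

The reference CRC is captured once, when the image is known to be good, and every later pass recomputes and compares; a CRC-32 detects every single-bit change, so the modelled SEU is always caught. In the FPGA the same checks run as hardware IP alongside the processor rather than as processor code, which is the point the article makes next.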
Since these IP blocks are implemented in hardware in the FPGA logic fabric, the system processor no longer has to carry out these tasks. For the certification method, Altera used the IEC specification to analyze the FPGA design method and its related requirements. From this analysis, Altera produced a tool flow document. The central theme of this tool flow is the description of the FPGA V-Flow developed by Altera, as shown in Figure 6.
Figure 6. Tool flow
V-Flow and its related documents map all the steps of Altera FPGA safety application design to the IEC specification to meet its requirements. In addition, they explain which design steps use which Altera tools, and refer to specific chapters of the IEC specification to guide users in developing safety applications according to the appropriate development steps.
This includes the certification documents and data required by the assessor, in a format that fully complies with the IEC 61508 specification, so it is easy for the assessor to process them. Providing these documents in the correct format saves a lot of documentation work for safety engineering. In the included reliability report, Altera has performed extensive analysis of the reliability statistics of Altera FPGAs, including all the information required to calculate the FIT rate.
By reusing the drive system concept that complies with the pre-certified two-chip approach, the typical application development process can usually be accelerated according to the certified design method, design flow, tools and IP. The certification process is accelerated because the reliability data of the components can be used immediately and the provided format is easily integrated into all documents for safety certification. In safety design and system design, designers can take full advantage of the flexible FPGA design integration capabilities. Since safety has become one of the key requirements of specific applications, it is included in the entire concept and achieved by meeting cost and product time-to-market targets.