SEU Mitigation Section of Stratix III Handbook (英語版・PDF)

SEU Mitigation Section of Stratix III Handbook (英語版・PDF)
Section IV. Design Security and Single
Event Upset (SEU) Mitigation
This section provides information on Design Security and Single Event Upset (SEU)
Mitigation in Stratix® III devices.
■
Chapter 14, Design Security in Stratix III Devices
■
Chapter 15, SEU Mitigation in Stratix III Devices
Revision History
Refer to each chapter for its own specific revision history. For information on when
each chapter was updated, refer to the Chapter Revision Dates section, which appears
in the full handbook.
© March 2010
Altera Corporation
Stratix III Device Handbook, Volume 1
IV–2
Stratix III Device Handbook, Volume 1
Section IV: Design Security and Single Event Upset (SEU) Mitigation
Revision History
© March 2010 Altera Corporation
14. Design Security in Stratix III Devices
SIII51014-1.5
Introduction
This chapter provides an overview of the design security feature and its
implementation on Stratix® III devices using advanced encryption standard (AES) as
well as security modes available in Stratix III devices.
As Stratix III devices start to play a role in larger and more critical designs in
competitive commercial and military environments, it is increasingly important to
protect the designs from copying, reverse engineering, and tampering. Stratix III
devices address these concerns and are the industry’s only high-density,
high-performance devices with both volatile and non-volatile security feature
support. Stratix III devices have the ability to decrypt configuration bitstreams using
the AES algorithm, an industry standard encryption algorithm that is FIPS-197
certified. They also have a design security feature that utilizes a 256-bit security key.
Altera® Stratix III devices store configuration data in static random access memory
(SRAM) configuration cells during device operation. Because SRAM memory is
volatile, SRAM cells must be loaded with configuration data each time the device
powers-up. It is possible to intercept configuration data when it is being transmitted
from the memory source (flash memory or a configuration device) to the device. The
intercepted configuration data could then be used to configure another device.
When using the Stratix III design security feature, the security key is stored in the
Stratix III device. Depending on the security mode, you can configure the Stratix III
device using a configuration file that is encrypted with the same key, or for board
testing, configured with a normal configuration file.
The design security feature is available when configuring Stratix III devices using the
fast passive parallel (FPP) configuration mode with an external host (such as a
MAX® II device or microprocessor), or when using fast active serial (AS) or passive
serial (PS) configuration schemes. However, the design security feature is also
available in remote update with fast AS configuration mode. The design security
feature is not available when you are configuring your Stratix III device using Joint
Test Action Group (JTAG)-based configuration. For more information, refer to
“Supported Configuration Schemes” on page 14–5.
Stratix III Security Protection
Stratix III device designs are protected from copying, reverse engineering, and
tampering using configuration bitstream encryption.
Security Against Copying
The security key is securely stored in the Stratix III device and cannot be read out
through any interfaces. In addition, as configuration file read-back is not supported in
Stratix III devices, the design information cannot be copied.
© May 2009
Altera Corporation
Stratix III Device Handbook, Volume 1
14–2
Chapter 14: Design Security in Stratix III Devices
AES Decryption Block
Security Against Reverse Engineering
Reverse engineering from an encrypted configuration file is very difficult and time
consuming because the Stratix III configuration file formats are proprietary and the
file contains million of bits which require specific decryption. Reverse engineering the
Stratix III device is just as difficult because the device is manufactured on the most
advanced 65-nm process technology.
Security Against Tampering
The non-volatile keys are one-time programmable. Once the tamper protection bit is
set in the key programming file generated by the Quartus® II software, the Stratix III
device can only be configured with configuration files encrypted with the same key.
f
For more information about why this feature is secured, refer to the Design Security in
Stratix III Devices white paper.
AES Decryption Block
The main purpose of the AES decryption block is to decrypt the configuration
bitstream prior to entering data decompression or configuration.
Prior to receiving encrypted data, you must enter and store the 256-bit security key in
the device. You can choose between a non-volatile security key and a volatile security
key with battery backup.
The security key is scrambled prior to storing it in key storage in order to make it
more difficult for anyone to retrieve the stored key using de-capsulation of the device.
Flexible Security Key Storage
Stratix III devices support two types of security key programming: volatile and
non-volatile. Table 14–1 shows the differences between volatile keys and non-volatile
keys.
Table 14–1. Security Keys Options
Options
Volatile Key
Non-Volatile Key
Key programmability
Reprogrammable and erasable
One-time programmable
External battery
Required
Not required
Key programming method (1)
On-board
On and off board
Design protection
Secure against copying and
reverse engineering
Secure against copying and
reverse engineering. Tamper
resistant if tamper protection
bit is set.
Note to Table 14–1:
(1) Key programming is carried out using JTAG interface.
You can program the non-volatile key to the Stratix III device without an external
battery. Also, there are no additional requirements to any of the Stratix III power
supply inputs.
Stratix III Device Handbook, Volume 1
© May 2009 Altera Corporation
Chapter 14: Design Security in Stratix III Devices
Stratix III Design Security Solution
14–3
VCCBAT is a dedicated power supply for volatile key storage and not shared with other
on-chip power supplies, such as VCCIO or VCC. VCCBAT continuously supplies power to
the volatile register regardless of the on-chip supply condition.
Table 14–2. Key Retention Time of Coin-Cell Type Batteries used for Volatile Key Storage
Battery
Typical
Worst-case (1)
35mAh
49 years
6 years
1000mAh
1429 years
190 years
Note to Table 14–2:
(1) Worst-case refers to worst-case process and 100°C junction temperature.
1
After power-up, you need to wait 100 ms (PORSEL = 0) or 12 ms (PORSEL = 1) before
beginning the key programming to ensure that VCCBAT is at its full rail.
1
As an example, here are some lithium coin-cell type batteries used for volatile key
storage purposes: BR1220 (-30° to +80°C) and BR2477A (-40°C to +125°C).
f
For more information about battery specifications, refer to the DC and Switching
Characteristics of Stratix III Devices chapter in volume 2 of the Stratix III Device
Handbook.
Stratix III Design Security Solution
Stratix III devices are SRAM-based devices. To provide design security, Stratix III
devices require a 256-bit security key for configuration bitstream encryption.
To carry out secure configuration, complete the following steps. Figure 14–1 also
describes secure configuration.
1. Program the security key into the Stratix III device.
Program the user-defined 256-bit AES keys to the Stratix III device through the
JTAG interface.
2. Encrypt the configuration file and store it in the external memory.
Encrypt the configuration file with the same 256-bit keys used to program the
Stratix III device. Encryption of the configuration file is done using the Quartus II
software. The encrypted configuration file is then loaded into external memory,
such as a configuration or flash device.
3. Configure the Stratix III device.
At system power-up, the external memory device sends the encrypted
configuration file to the Stratix III device.
© May 2009
Altera Corporation
Stratix III Device Handbook, Volume 1
14–4
Chapter 14: Design Security in Stratix III Devices
Security Modes Available
Figure 14–1. Design Security (Note 1)
Stratix III FPGA
User-Defined
AES Key
Step 1
Key Storage
AES
Decryption
Step 3
Encrypted
Step 2
Configuration
File
Memory or
Configuration
Device
Note to Figure 14–1:
(1) Step 1, Step 2, and Step 3 correspond to the procedure detailed in the “Stratix III Design Security Solution” section.
Security Modes Available
There are several security modes available on the Stratix III device, which are
described as follows:
Volatile Key
Secure operation with volatile key programmed and required external battery—this
mode accepts both encrypted and unencrypted configuration bitstreams. Use the
unencrypted configuration bitstream support for board-level testing only.
Non-Volatile Key
Secure operation with one time programmable (OTP) security key programmed—this
mode accepts both encrypted and unencrypted configuration bitstreams. Use the
unencrypted configuration bitstream support for board-level testing only.
Non-Volatile Key with Tamper Protection Bit Set
Secure operation in tamper resistant mode with OTP security key programmed—only
encrypted configuration bitstreams are allowed to configure the device.
Tamper protection disables JTAG configuration with unencrypted configuration
bitstream.
Stratix III Device Handbook, Volume 1
© May 2009 Altera Corporation
Chapter 14: Design Security in Stratix III Devices
Supported Configuration Schemes
14–5
1
Setting the tamper protection bit disables test mode in Stratix III devices. This process
is irreversible and prevents Altera from carrying-out failure analysis if test mode is
disabled. Contact Altera Technical Support to set the tamper protection bit.
1
You can perform Boundary Scan testing or use the SignalTap II logic analyzer to
analyze functional data with the tamper-protection bit set programmed into the
Stratix III FPGA.
No Key Operation
Only unencrypted configuration bitstreams are allowed to configure the device.
Table 14–3 summarizes the different security modes and the configuration bitstream
supported for each mode.
Table 14–3. Security Modes Supported
Mode (1)
Volatile key
Non-volatile key
Non-volatile key with
tamper protection bit set
Function
Configuration File
Secure
Encrypted
Board-level testing
Unencrypted
Secure
Encrypted
Board-level testing
Unencrypted
Secure (tamper resistant) (2)
Encrypted
Notes to Table 14–3:
(1) In No key operation, only unencrypted configuration file is supported.
(2) The tamper protection bit setting does not prevent the device from being reconfigured.
Supported Configuration Schemes
The Stratix III device supports only selected configuration schemes, depending on the
security mode you select when you encrypt the Stratix III device.
Figure 14–2 shows the restrictions of each security mode when encrypting Stratix III
devices.
© May 2009
Altera Corporation
Stratix III Device Handbook, Volume 1
14–6
Chapter 14: Design Security in Stratix III Devices
Supported Configuration Schemes
Figure 14–2. Stratix III Security Modes - Sequence and Restrictions
Volatile Key
No Key
Non-Volatile Key
Unencrypted
Configuration File
Unencrypted or
Encrypted
Configuration File
Unencrypted or
Encrypted
Configuration File
Non-Volatile Key
with
Tamper-Protection
Bit Set
Encrypted
Configuration File
Table 14–4 shows the configuration modes allowed in each of the security modes.
Table 14–4. Allowed Configuration Modes for Various Security Modes (Note 1) (Part 1 of 2)
Security Mode
Configuration
File
Allowed Configuration Modes
No key
Unencrypted
All configuration modes that do not engage the design security feature.
Secure with volatile key
Encrypted
■
Passive serial with AES (and/or with decompression)
■
Fast passive parallel with AES (and/or with decompression)
■
Remote update fast AS with AES (and/or with decompression)
■
Fast AS (and/or with decompression)
Board-level testing with
volatile key
Unencrypted
All configuration modes that do not engage the design security feature.
Secure with non-volatile
key
Encrypted
■
Passive serial with AES (and/or with decompression)
■
Fast passive parallel with AES (and/or with decompression)
■
Remote update fast AS with AES (and/or with decompression)
■
Fast AS (and/or with decompression)
Board-level testing with
non-volatile key
Unencrypted
Stratix III Device Handbook, Volume 1
All configuration modes that do not engage the design security feature.
© May 2009 Altera Corporation
Chapter 14: Design Security in Stratix III Devices
Supported Configuration Schemes
14–7
Table 14–4. Allowed Configuration Modes for Various Security Modes (Note 1) (Part 2 of 2)
Configuration
File
Security Mode
Secure in tamper
resistant mode using
non-volatile key with
tamper protection set
Encrypted
Allowed Configuration Modes
■
Passive serial with AES (and/or with decompression)
■
Fast passive parallel with AES (and/or with decompression)
■
Remote update fast AS with AES (and/or with decompression)
■
Fast AS (and/or with decompression)
Note to Table 14–4:
(1) There is no impact to the configuration time required compared to unencrypted configuration modes except fast passive parallel with AES
(and/or decompression) which requires DCLK of 4× the data rate.
1
The design security feature with encrypted configuration file is available in all
configuration methods, except JTAG. Therefore, use the design security feature in FPP
mode (when using external controller, such as a MAX II device or a microprocessor
and a flash memory), or in fast AS and PS configuration schemes.
Table 14–5 summarizes the configuration schemes that support the design security
feature both for volatile and non-volatile key programming.
Table 14–5. Design Security Configuration Schemes Availability
Configuration Scheme
Configuration Method
Design Security
FPP
MAX II device or
microprocessor and flash
memory
v (1)
Fast AS
Serial configuration device
v
PS
MAX II device or
microprocessor and flash
memory
v
Download cable
v
JTAG (2)
MAX II device or
microprocessor and flash
memory
Download cable
—
Notes to Table 14–5:
(1) In this mode, the host system must send a DCLK that is 4× the data rate.
(2) JTAG configuration supports only unencrypted configuration file.
Use the design security feature with other configuration features, such as compression
and remote system upgrade features. When you use compression with the design
security feature, the configuration file is first compressed and then encrypted using
the Quartus II software. During configuration, the Stratix III device first decrypts and
then decompresses the configuration file.
© May 2009
Altera Corporation
Stratix III Device Handbook, Volume 1
14–8
Chapter 14: Design Security in Stratix III Devices
Conclusion
Conclusion
The need for design security is increasing as devices move from glue logic to
implementing critical system functions. Stratix III devices address this concern by
providing built-in design security. These devices not only offer high density, fast
performance, and cutting-edge features to meet your design needs, but also protect
your designs against IP theft and tampering of your configuration files.
Chapter Revision History
Table 14–6 shows the revision history for this document.
Table 14–6. Chapter Revision History
Date and Revision
Changes Made
Summary of Changes
May 2009,
version 1.5
Updated “Flexible Security Key Storage” and “Non-Volatile Key with Tamper
Protection Bit Set” sections.
—
February 2009,
version 1.4
■
Updated “Flexible Security Key Storage” section.
■
Removed “Referenced Documents” section.
■
Updated “Non-Volatile Key with Tamper Protection Bit Set” section.
■
Added Table 14–2.
■
Updated New Document Format.
■
Updated “Introduction” section.
■
Updated “Flexible Security Key Storage” section.
■
Updated Table 14–1 and Table 14–4.
■
Updated “Security Modes Available” section.
■
Added new section “Referenced Documents”.
■
Added live links for references.
October 2008,
version 1.3
May 2008,
version 1.2
October 2007,
version 1.1
November 2006,
version 1.0
Initial Release.
Stratix III Device Handbook, Volume 1
—
—
—
Minor update
—
© May 2009 Altera Corporation
15. SEU Mitigation in Stratix III Devices
SIII51015-1.7
This chapter describes how to use the error detection cyclical redundancy check
(CRC) feature when a Stratix® III device is in user mode and recovers from CRC
errors. The purpose of the error detection CRC feature is to detect a flip in any of the
configuration CRAM bits in Stratix III devices due to a soft error. By using the error
detection circuitry, you can continuously verify the integrity of the configuration
CRAM bits.
In critical applications such as avionics, telecommunications, system control, and
military applications, it is important to be able to do the following:
■
Confirm that the configuration data stored in a Stratix III device is correct.
■
Alert the system to the occurrence of a configuration error.
1
The error detection feature has been enhanced in the Stratix III device family. In
addition, the error detection and recovery time for single event upset (SEU) in
Stratix III devices is reduced compared to Stratix II devices.
1
For Stratix III devices, use of the error detection CRC feature is provided in the
Quartus® II software version 6.1 and onwards.
1
Stratix III devices only support the error detection CRC feature at 1.1 V for VCCL. This
feature is not supported in Stratix III devices operating at 0.9 V for VCCL.
Dedicated circuitry is built into Stratix III devices and consists of a CRC error
detection feature that can optionally check for SEUs continuously and automatically.
This section describes how to activate and use the error detection CRC feature when
your Stratix III device is in user mode and describes how to recover from
configuration errors caused by CRC errors.
f
Information about SEU is located on the Products page of the Altera® website at
www.altera.com.
f
For more information regarding the test methodology for the enhanced error
detection in Stratix III, refer to AN 539: Test Methodology of Error Detection and Recovery
using CRC in Altera FPGA Devices.
f
For more information, refer to the Robust SEU Mitigation with Stratix III FPGAs White
Paper.
Using CRC error detection for the Stratix III family has no impact on fitting or
performance of your device.
© March 2010
Altera Corporation
Stratix III Device Handbook, Volume 1
15–2
Chapter 15: SEU Mitigation in Stratix III Devices
Error Detection Fundamentals
Error Detection Fundamentals
Error detection determines if the data received through a medium is corrupted during
transmission. To accomplish this, the transmitter uses a function to calculate a
checksum value for the data and appends the checksum to the original data frame.
The receiver uses the same calculation methodology to generate a checksum for the
received data frame and compares the received checksum to the transmitted
checksum. If the two checksum values are equal, the received data frame is correct
and no data corruption occurred during transmission or storage.
The error detection CRC feature uses the same concept. When Stratix III devices have
been configured successfully and are in user mode, the error detection CRC feature
ensures the integrity of the configuration data.
1
There are two CRC error checks. One always runs during configuration, the second
optional CRC error check runs in the background in user mode. Both CRC error
checks use the same CRC polynomial but different error detection implementations.
For more information, refer to “Configuration Error Detection” and “User Mode Error
Detection”.
Configuration Error Detection
In configuration mode, a frame-based CRC is stored within the configuration data
and contains the CRC value for each data frame.
During configuration, the Stratix III device calculates the CRC value based on the
frame of data that is received and compares it against the frame CRC value in the data
stream. Configuration continues until either the device detects an error or
configuration is complete.
In Stratix III devices, the CRC value is calculated during the configuration stage. A
parallel CRC engine generates 16 CRC check bits per frame and stores them into
CRAM. The CRAM chain used for storing CRC check bits is 16 bits wide; its length is
equal to the number of frames in the device.
User Mode Error Detection
Stratix III devices have built-in error detection circuitry to detect data corruption by
soft errors in the CRAM cells. This feature allows all CRAM contents to be read and
verified to match a configuration-computed CRC value. Soft errors are changes in a
CRAM’s bit state due to an ionizing particle.
The error detection capability continuously computes the CRC of the configured
CRAM bits and compares it with the pre-calculated CRC. If the CRCs match, there is
no error in the current configuration CRAM bits. The process of error detection
continues until the device is reset (by setting nCONFIG low).
As soon as the device transitions into user mode, you can enable the error detection
process if you enable the CRC error detection option. The internal 100-MHz
configuration oscillator is divided down by a factor of 2 to 256 (at powers of 2) to be
used as the clock source during the error detection process. Set the clock divide factor
in the option setting in the Quartus II software.
Stratix III Device Handbook, Volume 1
© March 2010 Altera Corporation
Chapter 15: SEU Mitigation in Stratix III Devices
User Mode Error Detection
15–3
A single 16-bit CRC calculation is done on a per-frame basis. Once it has finished the
CRC calculation for a frame, the resulting 16-bit signature is hex 0000 if there are no
detected CRAM bit errors in a frame by the error detection circuitry and the output
signal CRC_ERROR is 0. If a CRAM bit error is detected by the circuitry within a frame
in the device, the resulting signature is non-zero. This causes the CRC engine to start
searching the error bit location.
Error detection in Stratix III devices calculates CRC check bits for each frame and
pulls the CRC_ERROR pin high when it detects bit errors in the chip. Within a frame, it
can detect all single-bit, double-bit, and three-bit errors. The probability of more than
three CRAM bits being flipped by an SEU event is very low. In general, for all error
patterns the probability of detection is 99.998%.
The CRC engine reports the bit location and determines the type of error for all
single-bit errors and over 99.641% of double-adjacent errors. The probability of other
error patterns is very low and the report of the bit flips error location is not
guaranteed by the CRC engine.
You can also read-out the error bit location through the Joint Test Action Group
(JTAG) and the core interface. You must shift these bits out through either the JTAG
instruction, SHIFT_EDERROR_REG, or the core interface before the CRC detects the
next error in another frame. If the next frame also has an error, you have to shift these
bits out within the amount of time of one frame CRC verification. You can choose to
extend this time interval by slowing down the error detection clock frequency, but this
slows down the error recovery time for the SEU event. Refer to Table 15–6 on
page 15–10 for the minimum update interval for Stratix III devices. If these bits are not
shifted out before the next error location is found, the previous error location and
error message is overwritten by the new information. The CRC circuit continues to
run, and if an error is detected, you must decide whether to complete a
reconfiguration or to ignore the CRC error.
The error detection logic continues to calculate the CRC_ERROR and 16-bit signatures
for the next frame of data regardless if any error has occurred in the current frame or
not. You must monitor these signals and take the appropriate actions if a soft error
occurs.
Error detection circuitry in Stratix III devices uses a 16-bit CRC-ANSI standard (16-bit
polynomial) as the CRC generator.
The computed 16-bit CRC signature for each frame is stored in registers within the
core. The total storage register size is 16 (number of bits per frame) × the number of
frames.
The Stratix III device error detection feature does not check memory blocks and I/O
buffers. These memory blocks support parity bits that are used to check the contents
of memory blocks for any error. The I/O buffers are not verified during error
detection because these bits use flip-flops as storage elements that are more resistant
to soft errors compared to CRAM cells.
The M144K TriMatrix memory block has a built-in error correction code block that
checks and corrects errors in the block. However, for logic array blocks (LABs) that are
used as MLAB memory blocks, they are ignored during error detection verification.
Thus, the CRC_ERROR signal may stay solid high or low depending on the error status
of the previous checked CRAM frame.
© March 2010
Altera Corporation
Stratix III Device Handbook, Volume 1
15–4
Chapter 15: SEU Mitigation in Stratix III Devices
User Mode Error Detection
f
For more information about error detection in the Stratix III TriMatrix memory blocks,
refer to the TriMatrix Embedded Memory Blocks in Stratix III Devices chapter.
In order to provide testing capability of the error detection block, a JTAG instruction
EDERROR_INJECT is provided. This instruction can change the content of the 21-bit
JTAG fault injection register, used for error injection in Stratix III devices, hence
enabling testing of the error detection block.
1
You can only execute the EDERROR_INJECT JTAG instruction when the device is in
user mode.
Table 15–1 lists the EDERROR_INJECT JTAG instruction.
Table 15–1. EDERROR_INJECT JTAG Instruction
1
JTAG Instruction
Instruction Code
Description
EDERROR_INJECT
00 0001 0101
This instruction controls the 21-bit JTAG fault
injection register, which is used for error
injection.
You can only execute the EDERROR_INJECT JTAG instruction at error detection
frequency 50 MHz. Refer to “Error Detection Timing” on page 15–9 for instructions
about how to set the error detection frequency in the Quartus II software. For the
testing of the CRC detection block with the frequency lower than 50 MHz, contact
Altera Technical Support at www.altera.com/support.
You can create Jam™ files (.jam) to automate the testing and verification process. This
allows you to verify the CRC functionality in-system, on-the-fly, without having to
reconfigure the device. You can then switch to the CRC circuit to check for real errors
induced by an SEU.
You can introduce a single error, double errors, or double errors adjacent to each other
to the configuration memory. This provides an extra way to facilitate design
verification and system fault tolerance characterization. Use the JTAG fault injection
register with EDERROR_INJECT instruction to flip the readback bits. The Stratix III
device is then forced into error test mode.
The content of the JTAG fault injection register is not loaded into the fault injection
register during the processing of the last and the first frame. It is only loaded at the
end of this period.
1
You can only introduce error injection in the first data frame, but you can monitor the
error information at any time.
For more information about the JTAG fault injection register and fault injection
register, refer to“Error Detection Registers” on page 15–7.
Stratix III Device Handbook, Volume 1
© March 2010 Altera Corporation
Chapter 15: SEU Mitigation in Stratix III Devices
User Mode Error Detection
15–5
Table 15–2 lists how the fault injection register is implemented and describes error
injection.
Table 15–2. Fault Injection Register and Error Injection
Bit
Bit[20..19]
Bit[18..8]
Bit[7..0]
Description
Error Type
Byte Location of
the Injected Error
Error Byte Value
Depicts the location
of the injected error
in the first data
frame.
Depicts the location
of the bit error and
corresponds to the
error injection type
selection.
Error Type (1)
Error Injection Type
Bit[20]
Bit[19]
0
1
Single byte error injection
1
0
Double-adjacent byte error injection
0
0
No error injection
Content
Note to Table 15–2:
(1) Bit[20] and Bit[19] cannot both be set to 1 as this is not a valid selection. The error detection circuitry decodes it as no error injection.
1
After the test completes, Altera recommends that you reconfigure the device.
Automated Single Event Upset Detection
Stratix III devices offer on-chip circuitry for automated checking of single-event upset
detection. Some applications that require the device to operate error-free in
high-neutron flux environments require periodic checks to ensure continued data
integrity. The error detection CRC feature ensures data reliability and is one of the
best options for mitigating SEU.
You can implement the error detection CRC feature with existing circuitry in
Stratix III devices, eliminating the need for external logic. The CRC_ERROR pin reports
a soft error when configuration CRAM data is corrupted and you would have to
decide whether to reconfigure the device or to ignore the error.
© March 2010
Altera Corporation
Stratix III Device Handbook, Volume 1
15–6
Chapter 15: SEU Mitigation in Stratix III Devices
Error Detection Pin Description
Error Detection Pin Description
Depending on the type of error detection feature you choose, you will need to use
different error detection pins to monitor the data during user mode. The different
error detection pins available are described in the following sections.
CRC_ERROR Pin
Table 15–3 lists the CRC_ERROR pin.
Table 15–3. CRC_ERROR Pin Description
Pin Name
Pin Type
Description
Active high signal that indicates the error detection circuit has detected errors in
the configuration CRAM bits. This pin is optional and is used when the error
detection CRC circuit is enabled. When the error detection CRC circuit is
disabled, it is a user I/O pin.
I/O, output, or
open-drain
output (optional)
CRC_ERROR
The CRC error output, when using the WYSIWYG function, is a dedicated path to
the CRC_ERROR pin. By default, the Quartus II software sets the CRC_ERROR
pin as a dedicated output.
If CRC_ERROR is used as a dedicated output, make sure VCCIO of the bank where
the pin resides meets the input voltage specification of the system receiving the
signal. Optionally, you can set this pin to be an open-drain output by enabling the
option in the Quartus II software from the Error Detection CRC tab of the
Device & Pin Options dialog box.
Using this pin as open-drain provides advantage on voltage leveling. To use this
pin as open-drain, tie the pin to VCCPGM through a 10-k resistor. Alternatively,
depending on the voltage input voltage specification of the system receiving the
signal, you can tie the pull-up resistor to a different pull-up voltage.
1
f
WYSIWYG is a design primitive that corresponds to device features and can be
directly instantiated into your RTL design.
The CRC_ERROR pin information for Stratix III devices is reported in Device Pin-Outs
on the Literature page of the Altera website (www.altera.com).
Stratix III Device Handbook, Volume 1
© March 2010 Altera Corporation
Chapter 15: SEU Mitigation in Stratix III Devices
Error Detection Block
15–7
Error Detection Block
You can enable the Stratix III device error detection block in the Quartus II software
(refer to“Software Support” on page 15–11). This block contains the logic necessary to
calculate the 16-bit CRC signature for the configuration CRAM bits in the device.
The CRC circuit continues running even if an error occurs. When a soft error occurs,
the device sets the CRC_ERROR pin high. Two types of CRC detection check the
configuration bits:
■
1
The CRAM error checking ability (16-bit CRC) during user mode, for use by the
CRC_ERROR pin.
■
For each frame of data, the pre-calculated 16-bit CRC enters the CRC circuit
right at the end of the frame data and determines whether or not there is an
error.
■
If an error occurs, the search engine starts to find the location of the error.
■
You can shift the error messages out through the JTAG instruction or core
interface logic while the error detection block continues running.
■
The JTAG interface reads out the 16-bit CRC result for the first frame and also
shifts the 16-bit CRC bits to the 16-bit CRC storage registers for test purposes.
■
You can deliberately introduce single error, double errors, or double errors
adjacent to each other to configuration memory for testing and design
verification.
The “Error Detection Registers” section focuses on the first type, the 16-bit CRC only
when the device is in user mode.
■
The 16-bit CRC that is embedded in every configuration data frame.
■
During configuration, after a frame of data is loaded into the Stratix III device,
the pre-computed CRC is shifted into the CRC circuitry.
■
At the same time, the CRC value for the data frame shifted-in is calculated. If
the pre-computed CRC and calculated CRC values do not match, nSTATUS is
set low. Every data frame has a 16-bit CRC; therefore, there are many 16-bit
CRC values for the whole configuration bitstream. Every device has different
lengths of the configuration data frame.
Error Detection Registers
There is one set of 16-bit registers in the error detection circuitry that stores the
computed CRC signature. A non-zero value on the syndrome register causes the
CRC_ERROR pin to be set high. Figure 15–1 shows the block diagram of the error
detection circuitry, syndrome registers, and error injection block.
© March 2010
Altera Corporation
Stratix III Device Handbook, Volume 1
15–8
Chapter 15: SEU Mitigation in Stratix III Devices
Error Detection Block
Figure 15–1. Error Detection Block Diagram
16-Bit CRC
Calculation and Error
Readback bit
stream with
expected CRC
included
Syndrome
Search Engine
Error Detection
State Machine
8
Register
Control Signals
30
16
Error Message
CRC_ERROR
Register
46
Error Injection Block
Fault Injection
Register
JTAG Update
User Update
Register
Register
JTAG Shift
User Shift
Register
Register
JTAG Fault
Injection Register
JTAG TDO
General Routing
Table 15–5 lists the registers shown in Figure 15–1.
Table 15–4. Error Detection Registers (Part 1 of 2)
Register
Description
Syndrome Register
This register contains the CRC signature of the current frame through the error detection
verification cycle. The CRC_ERROR signal is derived from the contents of this register.
Error Message
Register
This 46-bit register contains information about the error type, location of the error, and the actual
syndrome. The types of errors and location reported are single and double adjacent bit errors. The
location bits for other types of errors are not identified by the Error Message Register. You can
shift out the content of the register through the JTAG SHIFT_EDERROR_REG instruction or to
the core through the core interface.
JTAG Update Register
This register is automatically updated with the contents of the Error Message Register one cycle
after the 46-bit register content is validated. It includes a clock enable which needs to be asserted
prior to being sampled into the JTAG Shift Register. This requirement ensures that the JTAG
Update Register is not being written into by the contents of the Error Message Register at exactly
the same time that the JTAG Shift Register is reading its contents.
User Update Register
This register is automatically updated with the contents of the Error Message Register, one cycle
after the 46-bit register content is validated. It includes a clock enable which needs to be asserted
prior to being sampled into the User Shift Register. This requirement ensures that the User Update
Register is not being written into by the contents of the Error Message Register at exactly the
same time that the User Shift Register is reading its contents.
Stratix III Device Handbook, Volume 1
© March 2010 Altera Corporation
Chapter 15: SEU Mitigation in Stratix III Devices
Error Detection Timing
15–9
Table 15–4. Error Detection Registers (Part 2 of 2)
Register
Description
JTAG Shift Register
This register is accessible by the JTAG interface and allows the contents of the JTAG Update
Register to be sampled and read out by the JTAG instruction SHIFT_EDERROR_REG.
User Shift Register
This register is accessible by the core logic and allows the contents of the User Update Register to
be sampled and read by the user logic.
JTAG Fault Injection
Register
This 21-bit register is fully controlled by the JTAG instruction EDERROR_INJECT. This register
holds the information of the error injection that you want in the bitstream.
Fault Injection Register
The content of the JTAG Fault Injection Register is loaded in this 21-bit register when it is being
updated.
Error Detection Timing
When the CRC feature is enabled through the Quartus II software, the device
automatically activates the CRC process upon entering user mode, after
configuration, and after initialization is complete.
If an error is detected within a frame, CRC_ERROR is driven high at the end of the error
location search, and after the Error Message Register gets updated. At the end of this
cycle, the CRC_ERROR pin is pulled low for a minimum 32 clock cycles. If the next
frame also contains an error, the CRC_ERROR is driven high again after the Error
Message Register gets overwritten by the new value. You can start to unload the error
message on each rising edge of CRC_ERROR pin. The error detection runs until the
device is reset.
Error detection circuitry runs off an internal configuration oscillator with a divisor
that sets the maximum frequency. Table 15–5 lists the minimum and maximum error
detection frequencies.
Table 15–5. Minimum and Maximum Error Detection Frequencies
Device Type
Error Detection
Frequency
Maximum Error
Detection Frequency
Minimum Error Detection
Frequency
Valid Exponents (n)
Stratix III
100 MHz / 2n
50 MHz
390 kHz
1, 2, 3, 4, 5, 6, 7, 8
You can set a lower clock frequency by specifying a division factor in the Quartus II
software (refer to “Software Support” on page 15–11). The divisor is a power of two
(2), where n is between 1 and 8. The divisor ranges from 2 through 256. Refer to
Equation 15–1.
Equation 15–1.
100MHzError detection frequency = ------------------n
2
1
© March 2010
The error detection frequency reflects the frequency of the error detection process for
a frame because the CRC calculation in Stratix III devices is done on a per-frame basis.
Altera Corporation
Stratix III Device Handbook, Volume 1
15–10
Chapter 15: SEU Mitigation in Stratix III Devices
Error Detection Timing
You must monitor the error message to avoid missing information in the Error
Message Register. The Error Message Register is updated whenever an error occurs.
The minimum interval time between each update for the Error Message Register
depends on the device and the error detection clock frequency. Table 15–6 lists the
estimated minimum interval time between each update for the Error Message
Register for Stratix III devices.
Table 15–6. Minimum Update Interval for Error Message Register
(Note 1)
Device
Timing Interval (s)
EP3SL50
9.8
EP3SL70
9.8
EP3SL110
14.8
EP3SL150
14.8
EP3SL200
19.8
EP3SE260
19.8
EP3SL340
21.8
EP3SE50
9.8
EP3SE80
14.8
EP3SE110
14.8
Note to Table 15–6:
(1) These timing numbers are preliminary.
The CRC calculation time for the error detection circuitry to check from the first until
the last frame depends on the device and the error detection clock frequency.
Table 15–7 lists the estimated time for each CRC calculation with minimum and
maximum clock frequencies for Stratix III devices. The minimum CRC calculation
time is calculated by using the maximum error detection frequency with divisor factor
1 while the maximum CRC calculation time is calculated by using the minimum error
detection frequency with divisor factor 8.
Table 15–7. CRC Calculation Time
Stratix III Device Handbook, Volume 1
Device
Minimum Time (ms)
Maximum Time (s)
EP3SL50
52.00
14.36
EP3SL70
52.00
14.36
EP3SL110
110.00
30.38
EP3SL150
110.00
30.38
EP3SL200
212.00
58.72
EP3SL260
212.00
58.72
EP3SL340
270.00
74.87
EP3SE50
59.00
16.41
EP3SE80
113.00
31.28
EP3SE110
113.00
31.28
© March 2010 Altera Corporation
Chapter 15: SEU Mitigation in Stratix III Devices
Error Detection Timing
15–11
Software Support
The Quartus II software, starting with version 6.1, supports the error detection CRC
feature for Stratix III devices. Enabling this feature generates the CRC_ERROR output
to the optional dual purpose CRC_ERROR pin.
The error detection CRC feature is controlled by the Device and Pin Options dialog
box in the Quartus II software.
Enable the error detection feature using CRC by performing the following steps:
1. Open the Quartus II software and load a project that uses a Stratix III device.
2. On the Assignments menu, click Settings. The Settings dialog box is shown.
3. In the Category list, select Device. The Device page is shown.
4. Click Device and Pin Options. The Device and Pin Options dialog box is shown
(Figure 15–2).
5. In the Device and Pin Options dialog box, click the Error Detection CRC tab.
6. Turn on Enable error detection CRC (Figure 15–2).
Figure 15–2. Enabling the Error Detection CRC Feature in the Quartus II Software
7. In the Divide error check frequency by box, enter a valid divisor as documented
in Table 15–5 on page 15–9.
1
The divide value divides the frequency of the configuration oscillator output clock
that clocks the CRC circuitry.
8. Click OK.
© March 2010
Altera Corporation
Stratix III Device Handbook, Volume 1
15–12
Chapter 15: SEU Mitigation in Stratix III Devices
Recovering From CRC Errors
Recovering From CRC Errors
The system that contains the Stratix III device must control the device reconfiguration.
After detecting an error on the CRC_ERROR pin, strobing the nCONFIG signal low
directs the system to perform the reconfiguration at a time when it is safe for the
system to reconfigure the device.
When the data bit is rewritten with the correct value by reconfiguring the device, the
device functions correctly.
While soft errors are uncommon in Altera devices, certain high-reliability applications
may require a design to account for these errors.
Chapter Revision History
Table 15–8 lists the revision history for this chapter.
Table 15–8. Chapter Revision History
Date
Version
Changes Made
Updated for the Quartus II software version 9.1 SP2 release:
March 2010
1.7
May 2009
1.6
February 2009
1.5
October 2008
1.4
May 2008
October 2007
1.3
1.2
May 2007
1.1
November 2006
1.0
Stratix III Device Handbook, Volume 1
■
Updated Table 15–6.
■
Minor text edits.
Updated “User Mode Error Detection” and “CRC_ERROR Pin” sections.
■
Updated “Error Detection Timing” section.
■
Removed “Referenced Documents”, Critical Error Detection”, and “CRITICAL
ERROR Pin” sections.
■
Updated “Introduction” and “Referenced Documents” sections.
■
Updated New Document Format.
■
Updated “Configuration Error Detection”, “User Mode Error Detection”, and “Error
Detection Timing” sections.
■
Updated Table 15–3, Table 15–6, and Table 15–7.
■
Updated Figure 15–2 and Figure 15–3.
■
Minor edits to Table 15–3.
■
Added new section “Referenced Documents”.
■
Added live links for references.
■
Minor edits to page 2, 3, 4, and 14.
■
Updated Table 15–5.
Initial Release.
© March 2010 Altera Corporation
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement