Altera FPGA in safety application

Question

Hello,

We plan to build a FPGA based system for a safety relevant application. Has anyone experience with the certification of such a system? Is there any general advices that you could give me?

Then some specific questions:

- What kind of failures can happen in an FPGA? Particularly can it be that an hardware failure goes undetected (i.g. defect logic unit) and that one part of the design simply gives a wrong response while the rest is working fine?

- What about redundancy? can it be considered safe to have twice the same design in one FPGA for redundancy or do we have to use another chip? So far I think that only the second option is safe but I would like your advices on that. I already checked the design separation feature of the Cyclone III LS but using shuch an expensive device is not an option. Is there any partition methodology for a normal cyclon device to make functions as independant as possible?

- What about megafunctions such as RAM, are they easily certifiable in a safety relevant application or will we have to implement our own IP core (particularly we may need DPRAMs)? I hope you guys can help me to see a little bit clearer in this topic. We have already experience in certifying software but this is the first time we will have to do it with an FPGA.

Thank you.

altera_forum · Answer

I have read stuff on Altera website stating these things cant be used for "life support" systems.

altera_forum · Answer

Life support is a different category. For a safety application it's usually sufficient to detect an error reliably and shutdown the monitored system. For a life support system, e.g. a pacemaker or an respiration apparatus it's not an option...

In my opinion, a safety application involving FPGA can be analysed similar to other digital logic applications, e.g. processor based. However, failure probability of complex devices is still calculated based on the transistor count.

altera_forum · Answer

Hi thanks both of you for your answers,

--- Quote Start ---

Life support is a different category. For a safety application it's usually sufficient to detect an error reliably and shutdown the monitored system.

--- Quote End ---

Exactly.

--- Quote Start ---

In my opinion, a safety application involving FPGA can be analysed similar to other digital logic applications, e.g. processor based. However, failure probability of complex devices is still calculated based on the transistor count.

--- Quote End ---

Well the main difference between an FPGA and a processor based system we considered so far is the following:

In a processor, if the CPU itself has an hardware failure, nothing will work anymore (there is no parallelism in processor). Therefore we only need to check periodically that the program memory is still consistant and to monitor the processor with a watchdog to be sure the system is working. Well at least this is what we do normally and it is fine.

Now with an FPGA, the problem might well be that only parts of the device are broken. e.g. a simple logic element. The system would still work, give a result, but this result could be false and we would not detect it. I know it is highly hypotetical but from my understanding of FPGA it could actually happen, right? I just would have liked to be sure I understand it well.

altera_forum · Answer

You're assumptions about processor failure mechanisms won't convince a safety auditor, I think. You can also imagine many kinds of failure that are undetectable by a watchdog circuit.

But I assume, that hardware redundancy (using separate FPGAs) is necessary, if the device operation can't be supervized otherwise.

altera_forum · Answer

--- Quote Start ---

But I assume, that hardware redundancy (using separate FPGAs) is necessary, if the device operation can't be supervized otherwise.

--- Quote End ---

Thanks, this is the one of the direction that might have been followed I think, even maybe without hardware redundancy but internal design redundancy. Our customers have now decided for a slightly different approach that I am not allowed to discuss here, sorry.

Thanks again for your expertise.

Forum Discussion

Altera FPGA in safety application

7 Replies

Recent Discussions

Does direct connection of two AXI4 Masters to DDR Slave support auto-arbitration on Agilex 5?

Agilex5 Engineering Silicon

Arria 10: Remote Update Watchdog unpredicted behavior

MAX 10. No 3.0 V Schmitt Trigger I/O standard

CYCLONE 10LP Decouple capacitors