
GLUE LOGIC VALIDATION IMPLEMENTED ON VIRTEX II PRO FPGA FOR A MISSILE SUBSYSTEM

CHAPTER 1 INTRODUCTION
1.1 BRIEF DESCRIPTION OF CCSC
Command Control and Signal Conditioner (CCSC) is one of the critical subsystems in a missile system. It is an onboard system, which is required to function with high reliability in a safety-critical environment. It receives commands from the On Board Computer (OBC) over the 1553 bus, interprets them and in turn activates corresponding IO devices such as ADC, DAC, digital IO etc. It reports status to the OBC. CCSC has Relay drivers, Signal conditioner channels (for electrical and pressure monitoring), analog IO and status monitoring through Digital IO. The CCSC generates the coil supply for driving the relays using two separate isolated supplies (S & B). The CCSC unit is configured as a Remote Terminal (RT) on the 1553B data bus. The entire CCSC software resides in EEPROM. The CCSC, as a remote terminal, accepts commands from the Bus Controller through the 1553B communication link. On power ON, the system enters Flight mode (the default mode) and waits for a 1553 message from the bus controller. Depending on the message format, as defined in the ICD, CCSC activates corresponding IO devices such as ADC, DAC, digital IO etc. and reports status to the OBC.

ECE Department, GITAM University

CHAPTER 2 ARCHITECTURE
2.1 AVIONICS ARCHITECTURE OF A MISSILE SYSTEM

[Figure: block diagram. Blocks shown: OBC, INS, LC, INT, CCSC-1, CCSC-2, CCSC-3, CCSC-4, PCM-1, PCM-2, CPIF-I, CPIF-II; MIL1553B buses B-0, B-1, B-2, B-3; PL-BUS; STAGE-1; STAGE-2.]

Figure 2.1: Avionics Architecture of a missile system

The Avionics System of a missile system is based on a distributed architecture. This is a two-stage flight vehicle with OBC (On Board Computer), RINS (Inertial Navigation System), CCSCs (Command Control and Signal Conditioner), CPIF (Control Plant Interface) and PCM (Pulse Code Modulator). Fig-2.1.1 shows the distributed architecture for a missile system with various sub-systems on the MIL-STD-1553 bus. This system is configured using multiple on-board intelligent systems connected over four MIL-STD-1553 buses referred to as PL bus (B1), S2 bus (B2), S1 bus (B3) and LC bus (B4). OBC is the Bus Controller for three buses B1, B2 and B3 and manages all transactions on the respective bus. RINS, CCSC-IV and PCM-II, connected on the Pay Load bus, and CCSC-III, CPIF and PCM-I, connected on bus B2, are configured as Remote Terminals (RT). CCSC-I, CCSC-II and CPIF-I are connected on B3 and are configured as RT. The Launch Computer (LC), configured as BC, communicates with OBC over the B4 bus.

2.2 SYSTEM DESIGN APPROACH


Figure 2.1 represents the System Block diagram. It contains Relay Package, Signal Conditioning Package (SCP) and Intelligent Unit. This document gives complete details of the intelligent unit part of the system. Figure 2.2 represents the Functional Block diagram of the Digital part of the system. The processor used is PowerPC 405 core embedded in Virtex-II Pro FPGA. The PPC405 is a 32-bit implementation of the PowerPC embedded environment architecture that is derived from the PowerPC architecture. Specifically, the PPC405 is an embedded PowerPC 405D5 processor core. The PowerPC architecture provides a software model that ensures compatibility between implementations of the PowerPC family of microprocessors. The PowerPC architecture defines parameters that guarantee compatible processor implementations at the application program level, allowing broad flexibility in the development of derivative PowerPC implementations that meet the requirements.

Figure 2.2: System Block Diagram

Figure 2.3: Functional Block Diagram of the Digital Part of the System

2.3 VIRTEX-II PRO FPGA


The Virtex-II Pro Platform FPGA solution is the most technically sophisticated silicon and software product development in the history of the programmable logic industry. The goal was to revolutionize system architecture from the ground up. To achieve that objective, the best circuit engineers and system architects from IBM, Mindspeed, and Xilinx co-developed the world's most advanced Platform FPGA silicon product. Leading teams from top embedded systems companies worked together with Xilinx software teams to develop the systems software and IP solutions that enabled this new system architecture paradigm. The result is the first Platform FPGA solution capable of implementing high performance system-on-a-chip designs previously the exclusive domain of custom ASICs, yet with the flexibility and low development cost of programmable logic.

The Virtex-II Pro family marks the first paradigm change from programmable logic to programmable systems, with profound implications for leading-edge system architectures in networking applications, deeply embedded systems, and digital signal processing systems. It allows custom user-defined system architectures to be synthesized, next-generation connectivity standards to be seamlessly bridged, and complex hardware and software systems to be co-developed rapidly with in-system debug at system speeds.

The Virtex-II Pro family is the first FPGA family to incorporate both serial transceiver technology and a hard processor core within a general-purpose FPGA device. This is significant for new high-bandwidth embedded processing applications such as packet processing, where both high device I/O bandwidth and high performance processor cores are needed together. The Virtex-II Pro devices are the industry's first FPGAs in a 0.13-micron process. The nine-layer metal, all-copper, low-k process technology is among the most advanced in the semiconductor industry. The combination of advanced Active Interconnect architecture and advanced process technology makes the Virtex-II Pro family the highest performance FPGA in the world.

The Virtex-II Pro family provides a powerful new paradigm for network processing where low latency is required, such as storage area networks, wireless infrastructure, and voice-over-IP networks. The digital convergence phenomenon drives the need for packet routing based on type and priority. For example, live voice and video data packets require
significantly lower latency than data file packets. New data networking applications must now handle higher bandwidth traffic as well as more complex types of prioritized packets. In many cases, Virtex-II Pro devices can offer higher overall performance than other solutions, including specialized network processors (NPs). Using the Virtex-II Pro architecture, the most common packets may be quickly read and routed using FPGA logic, without incurring the lengthy software runtime needed by NPs. The FPGA logic interrupts the PowerPC processor core only when processor instructions are needed for special packet types. For example, packets may be stored into a 16 KB dual-port memory area accessible by both the FPGA logic and the PowerPC 405 on-chip memory (OCM) port, allowing rapid change of control and packet disposition. By using the FPGA logic to process the most common packet types while the processor core handles the more specialized ones as a slave to the logic, the Virtex-II Pro architecture can provide higher overall performance than NPs, as well as more sophisticated processing capabilities than FPGA logic alone.

Compared to a full-custom ASIC, the Virtex-II Pro solution eliminates the need for exhaustive verification during development, and allows hardware-software debug at system speeds rather than at slow software simulation speeds. In addition, the Virtex-II Pro features of signal integrity, pre-engineered clocking capabilities, and an abundance of soft IP cores, significantly reduce development time. The Virtex-II Series offers significantly lower development costs than ASICs, due to lower tool costs, lower third-party IP costs, and absence of NRE costs. The Virtex-II Series also increases engineering productivity by accelerating hardware availability for software development and increasing software debug speed. In addition, the availability of powerful development tools enables straightforward retargeting of other embedded processors into the PowerPC platform.

The Virtex-II Series offers significantly more flexibility than fixed chip sets and ASSPs, allowing end user product differentiation and future-proofing. For a design requirement that can generally be met either by ASSPs or by Virtex-II Platform FPGAs, the initial design investment for an FPGA implementation may be higher. However, the advantages for Platform FPGA implementations include customizing of functionality, ease of design reuse, ability to fix design bugs, differentiation of user end products, and ownership and control of the entire system. These are important advantages in highly competitive markets where ASSPs have standing errata lists and unpredictable future availability. In
contrast, properly developed Platform FPGA designs are soft designs that may be readily maintained and reused as needed. Therefore, FPGA methodologies can provide system manufacturers with greater competitive advantage in the short term, and greater ownership and control over their products in the long term.

Input Path: The Virtex-II Pro IOB input path routes input signals directly to internal logic and / or through an optional input flip-flop or latch, or through the DDR input registers. An optional delay element at the D-input of the storage element eliminates pad-to-pad hold time. The delay is matched to the internal clock-distribution delay of the Virtex-II Pro device, and when used, assures that the pad-to-pad hold time is zero. Each input buffer can be configured to conform to any of the low-voltage signaling standards supported. In some of these standards the input buffer utilizes a user-supplied threshold voltage, VREF. The need to supply VREF imposes constraints on which standards can be used in the same bank.

Output Path: The output path includes a three-state output buffer that drives the output signal onto the pad. The output and / or the 3-state signal can be routed to the buffer directly from the internal logic or through an output / three-state flip-flop or latch, or through the DDR output / three-state registers. Each output driver can be individually programmed for a wide range of low-voltage signaling standards. In most signaling standards, the output High voltage depends on an externally supplied VCCO voltage. The need to supply VCCO imposes constraints on which standards can be used in the same bank.

I/O Banking: Some of the I/O standards described above require VCCO and VREF voltages. These voltages are externally supplied and connected to device pins that serve groups of IOB blocks, called banks. Consequently, restrictions exist about which I/O standards can be combined within a given bank.

Eight I/O banks result from dividing each edge of the FPGA into two banks, as shown in Figure. Each bank has multiple VCCO pins, all of which must be connected to the same voltage. This voltage is determined by the output standards in use.

Figure 2.4: I/O Banks

Some input standards require a user-supplied threshold voltage (VREF), and certain user-I/O pins are automatically configured as VREF inputs. Approximately one in six of the I/O pins in the bank assume this role. VREF pins within a bank are interconnected internally, thus only one VREF voltage can be used within each bank. However, for correct operation, all VREF pins in the bank must be connected to the external reference voltage source. The VCCO and the VREF pins for each bank appear in the device pinout tables. Within a given package, the number of VREF and VCCO pins can vary depending on the size of device. In larger devices, more I/O pins convert to VREF pins. Since these are always a superset of the VREF pins used for smaller devices, it is possible to design a PCB that permits migration to a larger device if necessary. All VREF pins for the largest device anticipated must be connected to the VREF voltage and not used for I/O. In smaller devices, some VCCO pins used in larger devices do not connect within the package. These unconnected pins can be left unconnected externally, or, if necessary, they can be connected to VCCO to permit migration to a larger device.

2.3.1 VIRTEX-II PRO FEATURES


• Guaranteed over the full military temperature range (-55°C to +125°C) or full industrial temperature range (-40°C to +100°C)
• High-Performance Platform FPGA Solution, including two IBM PowerPC RISC processor blocks
• SelectRAM Memory Hierarchy
• Arithmetic Functions
  o Dedicated 18-bit x 18-bit multiplier blocks
  o Fast look-ahead carry logic chains
• Flexible Logic Resources
  o Up to 66,176 internal registers/latches with Clock Enable
  o Up to 66,176 look-up tables (LUTs) or cascadable variable (1 to 16 bits) shift registers
  o Wide multiplexers and wide-input function support
  o Horizontal cascade chain and Sum-of-Products support
  o Internal three-state busing
• High-Performance Clock Management Circuitry
  o Eight Digital Clock Manager (DCM) modules
    - Precise clock deskew
    - Flexible frequency synthesis
    - High-resolution phase shifting
  o 16 global clock multiplexer buffers in all parts
• Active Interconnect Technology
  o Fourth-generation segmented routing structure
  o Fast, predictable routing delay, independent of fanout
  o Deep sub-micron noise immunity benefits
• SelectIO-Ultra Technology
  o Up to 996 user I/Os
  o Twenty-two single-ended standards and ten differential standards
  o Programmable LVCMOS sink/source current (2 mA to 24 mA) per I/O
  o XCITE Digitally Controlled Impedance (DCI) I/O
  o PCI / PCI-X support
  o Differential signaling
    - 512 Mb/s Low-Voltage Differential Signaling I/O with current mode drivers
    - On-chip differential termination
    - Bus LVDS I/O
    - HyperTransport (LDT) I/O with current driver buffers
    - Built-in DDR input and output registers
  o Proprietary high-performance SelectLink technology for communications between Xilinx devices
    - High-bandwidth data path
    - Double Data Rate (DDR) link
    - Web-based HDL generation methodology
• CMOS Latch-Based In-System Configuration
  o Fast SelectMAP configuration
  o Triple Data Encryption Standard (DES) security option (bitstream encryption)
  o IEEE 1532 support
  o Partial reconfiguration
  o Unlimited reprogrammability
  o Readback capability
• Supported by Xilinx Integrated Software Environment (ISE) Software
  o Integrated VHDL and Verilog design flows
  o ChipScope Integrated Logic Analyzer
• 0.13 µm Nine-Layer Copper Process with 90 nm High-Speed Transistors
• 1.5V (VCCINT) core power supply, dedicated 2.5V VCCAUX auxiliary and VCCO I/O power supplies
• IEEE 1149.1 Compatible Boundary-Scan Logic Support
• Flip-Chip and Wire-Bond Ball Grid Array (BGA) Packages in Standard 1.00 mm Pitch

2.4 THE PROCESSOR


The new design is based on the Xilinx Virtex-II Pro FPGA (XC2VP40FF-1152). It has an embedded PowerPC 405 processor along with UART, Timer, BRAM etc. With these cores, the FPGA with embedded processor can offer a compact solution. Apart from the soft cores, the FPGA can accommodate extra logic. This optimizes the board space. The IBM PowerPC 405 processor core used in the Virtex-II Pro family is the highest performance embedded core available in FPGAs. The PowerPC architecture is used in many markets including communications, industrial control, test and measurement systems, and other performance-oriented markets. It is currently the most popular processor architecture in embedded applications. Each of the larger devices incorporates one or two small yet powerful IBM PowerPC 405 processor cores, each capable of more than 300 MHz clock frequency and 420 Dhrystone MIPS. While the processor cores occupy a small area of the die, they provide tremendous system flexibility where they are used.

The PowerPC 405 cores are fully embedded within the FPGA fabric, where all processor nodes are controlled by the FPGA routing resources. This provides the utmost architectural capability, where complex applications may be efficiently divided between high-speed logic implementation and high-flexibility software implementations. For example, a packet processing application using only the FPGA logic today for high-speed packet routing may be augmented to include a slave high-performance processor for exception handling or in-system statistics monitoring. In contrast, using a separate processor externally requires hundreds of additional interface pins, which degrades system performance and significantly increases FPGA I/O requirements and overall board costs. Compared to other processor architectures, the PowerPC 405 core in most cases allows higher performance and more powerful capabilities, and thus can be used to accelerate preproduction of performance-sensitive applications.

2.4.1 FEATURES OF PPC405 PROCESSOR


The main features of the PowerPC 405 processor are:
• A fixed-point execution unit fully compatible with the PowerPC UISA (User Instruction Set Architecture): 32-bit architecture, containing thirty-two 32-bit general-purpose registers (GPRs).
• 64-bit time base.
• Timers: Programmable Interval Timer (PIT), Fixed Interval Timer (FIT) and Watchdog timer (all are synchronous with the time base).
• Five-stage pipeline with single-cycle execution of most instructions, including loads and stores.
• Hardware multiply/divide for faster integer arithmetic (4-cycle multiply, 35-cycle divide).
• Support for unaligned loads and unaligned stores to cache arrays, main memory and on-chip memory (OCM).
• Integrated Instruction-cache: 64KB, 2-way set associative, eight words (32 bytes) per cache line.
• Integrated Data-cache: 64KB, 2-way set associative, eight words (32 bytes) per cache line.
• Support for on-chip memory (OCM) that can provide memory-access performance identical to a cache hit.

The following are the resources present on the Main and Child cards of the CCSC. The two cards are interfaced using a 111 pin Air-borne stackable connector.

Table 2.1: Design Specifications

Design                                  Features
--------------------------------------  ------------------------------------------------
Main Card Specifications
  Processor                             PPC405
  Memory                                32MB (PROM)
                                        256K x 32 (FLASH)
                                        256K x 32 (SRAM)
                                        32K x 8 (NVRAM)
  Timer (Programmable 16 bit Timers)    3 Nos.
  Interrupts                            8 Nos.
  UART Channels                         One RS422 Channel
  Bus                                   One MIL-STD_1553B using DDC BU-61688
  DOPs                                  30 DOPs (Opto isolated)
  DIPs                                  32 Channels (Optically isolated)
Child Card Specifications
  DOPs                                  34 DOPs (Opto isolated)
  DIPs                                  32 Channels (Optically isolated)
  ADC                                   15 Single-ended Channels (Opto isolated)
                                        7 Differential Channels (Electrical channels)
  DAC                                   4 Channels
  SCP channels                          8 Pressure Channels

The Memory mapping of the resources is shown in the following table.

Table 2.2: Memory Mapping

S. No.  Resource  Memory
------  --------  ---------------------
1.      ADC       0x7C000000-0x7C00FFFF
2.      DAC       0x77000000-0x7700FFFF
3.      DIPS1     0x40040000-0x4004FFFF
4.      DIPS2     0x40020000-0x4002FFFF
5.      DOPS      0x75600000-0x7560FFFF
6.      SRAM      0x42000000-0x4203FFFF
7.      FLASH     0x7EE00000-0x7EE0FFFF
8.      NVRAM     0x7C020000-0x7C02FFFF

Four CCSC units are required in the actual Missile, one in the Payload Stage (PL), one in the Closed Inter Stage (CIS), and the other two in Stage-1 Base Shroud (BS) as shown in the figure 2.1. Hence one generalized CCSC unit is designed and used in all the stages accordingly. The required input/output interfaces for CCSC are shown in Table 2.3.

Table 2.3: Resources

Resources  DOPS            DIPS            ADCs              DACs  SCP
---------  --------------  --------------  ----------------  ----  ---------------------
CCSC       64              64              22                04    8 Channels (Pressure)
           30: Main Card   32: Main Card   15: Single-ended
           34: Child Card  32: Child Card  07: Differential

CCSC is designed as a two card configuration. DIPs and DOPs are placed in the Main card and ADC, DAC are placed in the Child card. These two cards cater full I/O requirements of PPL, CIS and BS with SCP channels placed on the Child card. The two cards are interfaced through a 111-pin stackable connector.

2.5 SIGNAL CONDITIONING PACKAGE (SCP)


The unit includes a Signal Conditioning Package HMC1446. It has 8 conditional channels, out of which 4 channels are buffered through an OP471 buffer and brought to the external connector, and the other 4 channels are brought to the external connector without buffering. The Signal Conditioning Package provides an interface between sensors or transducers and the systems it serves. It provides 10V excitation to transducers or sensors, amplifies the signals, shifts the levels to the desired value and provides analog outputs in a form suitable and acceptable to the telemetry system.

Specifications:
Power Supply : DC-DC 28V input and 15V output.
Input        : From sensors or transducers or analog electrical voltages.
Output       : -2.5V at no signal. +2.5V at the rated signal.

CHAPTER 3 CCSC RESOURCES


3.1 MEMORY RESOURCES
The CCSC consists of SRAM interface, FLASH interface, PROM interface and NVRAM interface. The following sections describe each memory interface in detail.

3.1.1 SRAM MEMORY INTERFACE


SRAM is interfaced to the PLB on 32 bit data bus using two IDT71V416L (256K x 16). It consists of 18 address lines and 32 data lines. The address lines and data lines are interfaced to PLB through SRAM controller implemented in FPGA which runs dedicated lines for address, data and control signals. SRAM controller implements all the interface logic required to generate the control signals Chip Enable (CE), Output Enable (OE), Write Enable (WR), High Byte Enable (BHE) and Low Byte Enable (BLE) signals.

Figure 3.1: Block Diagram of SRAM Memory Interface


3.1.2 IDT71V416L
Features:
• 256K x 16 advanced high-speed CMOS Static RAM
• JEDEC Centre Power / GND pinout for reduced noise
• Equal access and cycle times: Commercial and Industrial: 10/12/15ns
• One Chip Select plus one Output Enable pin
• Bidirectional data inputs and outputs directly LVTTL-compatible
• Low power consumption via chip deselect
• Upper and Lower Byte Enable Pins
• Single 3.3V power supply
• Available in 44-pin, 400 mil plastic SOJ package and a 44-pin, 400 mil TSOP Type II package and a 48 ball grid array, 9mm x 9mm package

Figure 3.2: Functional Block Diagram of IDT71V416L

Description: The IDT71V416 is a 4,194,304-bit high-speed Static RAM organized as 256K x 16. It is fabricated using IDT's high-performance, high-reliability CMOS technology. This state-of-the-art technology, combined with innovative circuit design techniques, provides a cost-effective solution for high speed memory needs. The IDT71V416 has an output enable pin which operates as fast as 5ns, with address access times as fast as 10ns. All bidirectional inputs and outputs of the IDT71V416 are LVTTL-compatible and operation is from a single 3.3V supply. Fully static asynchronous circuitry is used, requiring no clocks or refresh for operation.

3.1.3 FLASH INTERFACE


The Flash memory is used to store the application software. Flash is interfaced to the PLB on a 32 bit data bus using two S29AL004D (256K x 16) devices. The 18 address and 32 data lines are interfaced to PLB through Flash controller implemented in FPGA which runs dedicated lines for address, data and control signals. FLASH controller implements all the interface logic required to generate CE, OE, WR, BYTE, RESET, READY or BUSY (RY/BY) signals.

Figure 3.3: Block Diagram of FLASH Interface

3.1.4 S29AL004D
Performance Characteristics:
• High performance
  o Access times as fast as 70 ns
• Ultra low power consumption (typical values at 5 MHz)
  o 200 nA Automatic Sleep mode current
  o 200 nA standby mode current
  o 9 mA read current
  o 20 mA program/erase current
• Cycling Endurance: 1,000,000 cycles per sector typical
• Data Retention: 20 years typical

Figure 3.4: Logic Symbol of S29AL004D

Figure 3.5: Block Diagram of S29AL004D

Description: The S29AL004D is a 4 MBit, 3.0 volt-only Flash memory organized as 524,288 bytes or 262,144 words. The device is offered in 48-ball FBGA, 44-pin SO, and 48-pin TSOP packages. The word-wide data (x16) appears on DQ15-DQ0; the byte-wide (x8) data appears on DQ7-DQ0. This device requires only a single, 3.0 volt VCC supply to perform read, program, and erase operations. A standard EPROM programmer can also be used to program and erase the device. This device is manufactured using Spansion's 200nm process technology, and offers all the features and benefits of the AM29LV400B and MBM29LV400T/BC, which were manufactured using 320nm process technology. The standard device offers access times of 70 and 90ns, allowing high speed microprocessors to operate without wait states. To eliminate bus contention the device has separate chip enable (CE), write enable (WE) and output enable (OE) controls.

The device requires only a single 3.0 volt power supply for both read and write functions. Internally generated and regulated voltages are provided for the program and erase operations. The device is entirely command set compatible with the JEDEC single-power supply Flash standard. Commands are written to the command register using standard microprocessor write timings. Register contents serve as input to an internal state-machine that controls the erase and programming circuitry. Write cycles also internally latch addresses and data needed for the programming and erase operations. Reading data out of the device is similar to reading from other Flash or EPROM devices.

Device programming occurs by executing the program command sequence. This initiates the Embedded Program algorithm, an internal algorithm that automatically times the program pulse widths and verifies proper cell margin. The Unlock Bypass mode facilitates faster programming times by requiring only two write cycles to program data instead of four. Device erasure occurs by executing the erase command sequence. This initiates the Embedded Erase algorithm, an internal algorithm that automatically preprograms the array (if it is not already programmed) before executing the erase operation. During erase, the device automatically times the erase pulse widths and verifies proper cell margin.

The host system can detect whether a program or erase operation is complete by observing the RY/BY pin, or by reading the DQ7 (Data Polling) and DQ6 (toggle) status bits. After a program or erase cycle is completed, the device is ready to read array data or accept another command. The sector erase architecture allows memory sectors to be erased and reprogrammed without affecting the data contents of other sectors. The device is fully erased when shipped from the factory.

Hardware data protection measures include a low VCC detector that automatically inhibits write operations during power transitions. The hardware sector protection feature disables both program and erase operations in any combination of the sectors of memory. This can be achieved in-system or via programming equipment. The Erase Suspend feature enables the user to put erase on hold for any period of time to read data from, or program data to, any sector that is not selected for erasure. True background erase can thus be achieved. The hardware RESET pin terminates any operation in progress and resets the internal state machine to reading array data. The RESET pin may be tied to the system reset circuitry.

A system reset would thus also reset the device, enabling the system microprocessor to read the boot-up firmware from the Flash memory. The device offers two power-saving features. When addresses are stable for a specified amount of time, the device enters the automatic sleep mode. The system can also place the device into the standby mode. Power consumption is greatly reduced in both these modes. Spansion's Flash technology combines years of Flash memory manufacturing experience to produce the highest levels of quality, reliability and cost effectiveness. The device electrically erases all bits within a sector simultaneously via Fowler-Nordheim tunnelling. The data is programmed using hot electron injection.
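The completion check described above (DQ7 data polling and DQ6 toggle), worked through for the 32-bit arrangement of section 3.1.3, where two x16 devices finish independently. This is an added example, not code from the original report: the lane assignment, the simulated device pair, the poll limit and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define FLASH_BASE 0x7EE00000u  /* FLASH window start, from Table 2.2 */
#define DQ7_ALL    0x00800080u  /* DQ7 of both x16 devices on the 32-bit bus */
#define DQ6_ALL    0x00400040u  /* DQ6 of both x16 devices */
#define LANE_LO    0x0000FFFFu  /* assumed: one device drives D[15:0] */
#define LANE_HI    0xFFFF0000u  /* assumed: the other drives D[31:16] */

typedef uint32_t (*bus_read_fn)(void *ctx, uint32_t addr);
typedef enum { FLASH_OK, FLASH_TIMEOUT, FLASH_VERIFY_FAIL } flash_status;

/* DQ6 toggle polling: a busy device flips DQ6 on every read, so two
 * consecutive reads with equal DQ6 in every watched lane mean those
 * devices are back in read-array mode. The final full-word compare
 * catches a failed program and a lane that was not watched.
 * max_polls is an assumed software watchdog. */
flash_status flash_wait_toggle(bus_read_fn rd, void *ctx, uint32_t addr,
                               uint32_t expected, uint32_t lanes,
                               unsigned max_polls)
{
    uint32_t prev = rd(ctx, addr);
    for (unsigned i = 0; i < max_polls; i++) {
        uint32_t cur = rd(ctx, addr);
        if (((prev ^ cur) & DQ6_ALL & lanes) == 0)
            return cur == expected ? FLASH_OK : FLASH_VERIFY_FAIL;
        prev = cur;
    }
    return FLASH_TIMEOUT;
}

/* DQ7 data polling: wait until DQ7 in every watched lane equals the bit
 * that was programmed, then re-read and compare the whole word. */
flash_status flash_wait_data_poll(bus_read_fn rd, void *ctx, uint32_t addr,
                                  uint32_t expected, uint32_t lanes,
                                  unsigned max_polls)
{
    for (unsigned i = 0; i < max_polls; i++) {
        uint32_t cur = rd(ctx, addr);
        if (((cur ^ expected) & DQ7_ALL & lanes) == 0) {
            cur = rd(ctx, addr);
            return cur == expected ? FLASH_OK : FLASH_VERIFY_FAIL;
        }
    }
    return FLASH_TIMEOUT;
}

/* ---- Constructed test double standing in for the two flash devices ---- */
typedef struct {
    uint32_t data;             /* 32-bit word being programmed */
    unsigned busy_lo, busy_hi; /* status reads left before each device is done */
    unsigned tog_lo, tog_hi;   /* current DQ6 state of each device */
} sim_pair;

/* Model of one x16 device: while busy, DQ7 reads as the complement of the
 * programmed bit and DQ6 flips on every read (status-bit behaviour of this
 * flash family; the page names the bits but does not spell this out). */
static uint32_t sim_dev_read(uint32_t data16, unsigned *busy, unsigned *tog)
{
    if (*busy == 0)
        return data16;
    (*busy)--;
    *tog ^= 1u;
    return (~data16 & 0x0080u) | (*tog ? 0x0040u : 0u);
}

uint32_t sim_read(void *ctx, uint32_t addr)
{
    sim_pair *p = (sim_pair *)ctx;
    (void)addr; /* the model holds a single word */
    uint32_t lo = sim_dev_read(p->data & 0xFFFFu, &p->busy_lo, &p->tog_lo);
    uint32_t hi = sim_dev_read(p->data >> 16, &p->busy_hi, &p->tog_hi);
    return (hi << 16) | lo;
}

/* Run one polling scenario against the simulated pair. */
flash_status demo_case(unsigned busy_lo, unsigned busy_hi, uint32_t lanes,
                       unsigned max_polls, int use_dq7)
{
    sim_pair p = { 0x12345678u, busy_lo, busy_hi, 0u, 0u };
    if (use_dq7)
        return flash_wait_data_poll(sim_read, &p, FLASH_BASE, p.data,
                                    lanes, max_polls);
    return flash_wait_toggle(sim_read, &p, FLASH_BASE, p.data,
                             lanes, max_polls);
}

int main(void)
{
    static const char *name[] = { "OK", "TIMEOUT", "VERIFY_FAIL" };
    printf("toggle, both lanes   : %s\n",
           name[demo_case(3, 7, LANE_LO | LANE_HI, 100, 0)]);
    printf("toggle, low lane only: %s\n",
           name[demo_case(3, 7, LANE_LO, 100, 0)]);
    printf("DQ7, both lanes      : %s\n",
           name[demo_case(3, 7, LANE_LO | LANE_HI, 100, 1)]);
    printf("toggle, stuck device : %s\n",
           name[demo_case(1000, 1000, LANE_LO | LANE_HI, 10, 0)]);
    return 0;
}
```

Watching only one lane reports completion while the slower device is still returning status bits, which is why the routine compares the full 32-bit word before the write is treated as committed.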

Advantages:
• Single power supply operation
• Manufactured on 200nm process technology
• Flexible sector architecture
• Unlock Bypass Program Command
• Top or bottom boot block configurations available
• Embedded Algorithms
• Compatibility with JEDEC standards
• Sector Protection features

3.1.5 BOOTROM INTERFACE


The Boot Code is stored in the PROM. When the FPGA is in Master Serial mode, the FPGA automatically loads the configuration bit stream in bit-serial form from the BOOTROM, synchronized by the configuration clock (CCLK) generated by the FPGA. A serial data line, a clock line (CCLK), and two control lines (INIT and DONE) are required to configure the FPGA. The PROM_CF pin is connected to the FPGA's PROG_B (or PROGRAM) input. With CF (Configuration Pulse) High, a short access time after CE and OE are enabled, data is available on the PROM_DATA (D0) pin that is connected to the FPGA DATA_IN (DIN) pin. New data is available a short access time after each rising clock edge. The FPGA generates the appropriate number of clock pulses to complete the configuration.

Figure 3.6: Block Diagram of BOOTROM Interface

3.1.6 NVRAM INTERFACE


The Simtek STK 14C88-M (32K x 8) is a fast Static RAM with a non-volatile, electrically erasable PROM element incorporated in each static memory cell. The SRAM can be read and written an unlimited number of times, while independent non-volatile data resides in EEPROM. Data transfers from SRAM to the EEPROM (the store operation) can take place automatically on power down. Transfers from EEPROM to the SRAM cell (the recall operation) take place automatically on restoration of power. Initiation of store and recall cycles can also be software controlled by entering specific read sequences.

Figure 3.7: Block Diagram of NVRAM Interface


3.1.7 STK 14C88-M


Features: Non-volatile Storage without Battery Problems; 35ns and 45ns Access Times; Hands-off Automatic STORE with External 68µF Capacitor on Power Down; STORE to EEPROM Initiated by Hardware, Software or Auto Store on Power Down; RECALL to SRAM Initiated by Software or Power Restore; 10mA Typical ICC at 200ns Cycle Time; Unlimited READ, WRITE and RECALL Cycles; 100,000 STORE Cycles to EEPROM; 10-Year Data Retention in EEPROM; Single 5V ± 10% Operation; Not Sensitive to Power On/Off Ramp Rates; No Data Loss from Undershoot; 32-Pad LCC and 32-Pin 300 mil CDIP Packages.

Figure 3.8: Block Diagram of STK14C88M


Description: The Simtek STK14C88-M is a fast static RAM with a nonvolatile, electrically erasable PROM element incorporated in each static memory cell. The SRAM can be read and written an unlimited number of times, while independent nonvolatile data resides in EEPROM. Data transfers from the SRAM to the EEPROM (the STORE operation) can take place automatically on power down. A 68µF or larger capacitor tied from VCAP to ground guarantees the STORE operation, regardless of power-down slew rate or loss of power from hot swapping. Transfers from the EEPROM to the SRAM (the RECALL operation) take place automatically on restoration of power. Initiation of STORE and RECALL cycles can also be software controlled by entering specific read sequences. A hardware STORE may be initiated with the HSB pin. The STK14C88-M has two separate modes of operation: SRAM mode and nonvolatile mode. In SRAM mode, the memory operates as a standard fast static RAM. In nonvolatile mode, data is transferred from SRAM to EEPROM (the STORE operation) or from EEPROM to SRAM (the RECALL operation). In this mode SRAM functions are disabled. The STK14C88-M is a high-speed memory and so must have a high frequency bypass capacitor of approximately 0.1µF connected between VCAP and VSS, using leads and traces that are as short as possible. As with all high-speed CMOS ICs, normal careful routing of power, ground and signals will help prevent noise problems.

SRAM Read: The STK14C88-M performs a READ cycle whenever E and G are low and W and HSB are high. The address specified on pins A0-14 determines which of the 32,768 data bytes will be accessed. When the READ is initiated by an address transition, the outputs will be valid after a delay of tAVQV (READ cycle #1). If the READ is initiated by E or G, the outputs will be valid at tELQV or at tGLQV, whichever is later (READ cycle #2). The data outputs will repeatedly respond to address changes within the tAVQV access time without the need for transitions on any control input pins, and will remain valid until another address change or until E or G is brought high, or W or HSB is brought low.

SRAM Write: A WRITE cycle is performed whenever E and W are low and HSB is high. The address inputs must be stable prior to entering the WRITE cycle and must remain stable until either E or W goes high at the end of the cycle. The data on the common I/O pins DQ0-7 will be written into the memory if it is valid tDVWH before the end of a W controlled WRITE or tDVEH before the end of an E controlled WRITE. It is recommended that G be kept high during the entire WRITE cycle to avoid data bus contention on common I/O lines. If G is left low, internal circuitry will turn off the output buffers tWLQZ after W goes low.

Power-up recall: During power up, or after any low-power condition (VCAP < VRESET), an internal RECALL request will be latched. When VCAP once again exceeds the sense voltage of VSWITCH, a RECALL cycle will automatically be initiated and will take tRESTORE to complete. If the STK14C88-M is in a WRITE state at the end of power-up RECALL, the SRAM data will be corrupted. To help avoid this situation, a 10K Ohm resistor should be connected either between W and system VCC or between E and system VCC.

Software Non-volatile Store: The STK14C88-M software STORE cycle is initiated by executing sequential E controlled READ cycles from six specific address locations. During the STORE cycle an erase of the previous non-volatile data is first performed, followed by a program of the nonvolatile elements. The program operation copies the SRAM data into non-volatile memory. Once a STORE cycle is initiated, further input and output are disabled until the cycle is completed. Because a sequence of READs from specific addresses is used for STORE initiation, it is important that no other READ or WRITE accesses intervene in the sequence, or the sequence will be aborted and no STORE or RECALL will take place. The software sequence must be clocked with E controlled READs. Once the sixth address in the sequence has been entered, the STORE cycle will commence and the chip will be disabled. It is important that READ cycles and not WRITE cycles be used in the sequence, although it is not necessary that G be low for the sequence to be valid. After the tSTORE cycle time has been fulfilled, the SRAM will again be activated for READ and WRITE operation.

Software Non-volatile Recall: A software RECALL cycle is initiated with a sequence of READ operations in a manner similar to the software STORE initiation. Internally, RECALL is a two-step procedure. First, the SRAM data is cleared, and second, the non-volatile information is transferred into the SRAM cells. After the tRECALL cycle time the SRAM will once again be ready for READ and WRITE operations. The RECALL operation in no way alters the data in the EEPROM cells. The non-volatile data can be recalled an unlimited number of times.
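The abort rule for the software STORE and RECALL sequences can be checked against a logged bus trace during glue logic validation. The following C model is an added example, not code from the original report: the six-address sequences are an assumption taken from the STK14C88 datasheet (the report does not list them), and the trace contents and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { NV_NONE, NV_STORE, NV_RECALL } nv_event_t;
typedef struct { uint16_t addr; int is_read; } bus_access_t;
typedef struct { unsigned matched; } nv_seq_t;      /* prefix reads matched so far */
typedef struct { unsigned stores, recalls; } nv_count_t;

/* ASSUMPTION: addresses as given in the STK14C88 datasheet, not in the report.
 * Verify them against the datasheet revision of the fitted part. */
static const uint16_t NV_PREFIX[5] = { 0x0E38, 0x31C7, 0x03E0, 0x3C1F, 0x303F };
#define NV_STORE_ADDR  0x0FC0u   /* sixth read: start STORE  */
#define NV_RECALL_ADDR 0x0C63u   /* sixth read: start RECALL */

/* Feed one bus cycle to the tracker and return the nonvolatile cycle it starts.
 * The model treats every read as E controlled. */
nv_event_t nv_observe(nv_seq_t *s, bus_access_t a)
{
    if (!a.is_read) {            /* a WRITE anywhere aborts the sequence */
        s->matched = 0;
        return NV_NONE;
    }
    if (s->matched == 5) {       /* this read is the sixth of the sequence */
        s->matched = 0;
        if (a.addr == NV_STORE_ADDR)  return NV_STORE;
        if (a.addr == NV_RECALL_ADDR) return NV_RECALL;
    } else if (a.addr == NV_PREFIX[s->matched]) {
        s->matched++;
        return NV_NONE;
    }
    /* Intervening READ: sequence aborted. Model choice: a read of the first
     * sequence address counts as the start of a new attempt. */
    s->matched = (a.addr == NV_PREFIX[0]) ? 1u : 0u;
    return NV_NONE;
}

/* Count the STORE and RECALL cycles a whole trace would actually start. */
nv_count_t nv_scan(const bus_access_t *trace, size_t n)
{
    nv_seq_t seq = { 0 };
    nv_count_t c = { 0, 0 };
    for (size_t i = 0; i < n; i++) {
        nv_event_t e = nv_observe(&seq, trace[i]);
        if (e == NV_STORE)  c.stores++;
        if (e == NV_RECALL) c.recalls++;
    }
    return c;
}

#define RD(a) { (a), 1 }
#define WR(a) { (a), 0 }
#define LEN(t) (sizeof(t) / sizeof((t)[0]))

/* Constructed traces (not captured from real hardware). */
const bus_access_t TRACE_CLEAN[] = {   /* uninterrupted STORE request */
    RD(0x0E38), RD(0x31C7), RD(0x03E0), RD(0x3C1F), RD(0x303F), RD(0x0FC0) };
const bus_access_t TRACE_ISR[] = {     /* an interrupt handler reads 0x1000 mid-sequence */
    RD(0x0E38), RD(0x31C7), RD(0x03E0), RD(0x1000),
    RD(0x3C1F), RD(0x303F), RD(0x0FC0) };
const bus_access_t TRACE_WRITE[] = {   /* third step issued as a WRITE by mistake */
    RD(0x0E38), RD(0x31C7), WR(0x03E0), RD(0x3C1F), RD(0x303F), RD(0x0FC0) };
const bus_access_t TRACE_RECALL[] = {  /* uninterrupted RECALL request */
    RD(0x0E38), RD(0x31C7), RD(0x03E0), RD(0x3C1F), RD(0x303F), RD(0x0C63) };

int main(void)
{
    printf("clean : stores=%u\n", nv_scan(TRACE_CLEAN, LEN(TRACE_CLEAN)).stores);
    printf("isr   : stores=%u\n", nv_scan(TRACE_ISR, LEN(TRACE_ISR)).stores);
    printf("write : stores=%u\n", nv_scan(TRACE_WRITE, LEN(TRACE_WRITE)).stores);
    printf("recall: recalls=%u\n", nv_scan(TRACE_RECALL, LEN(TRACE_RECALL)).recalls);
    return 0;
}
```

A trace that reports zero STOREs where the firmware believed it had committed data is the case to look for: the SRAM contents were never copied to EEPROM, so the sequence needs to run with interrupts and other bus masters held off.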

Auto store Operation: The STK14C88-M can be powered in one of three modes. During normal Auto Store operation, the STK14C88-M will draw current from VCCX to charge a capacitor connected to the VCAP pin. This stored charge will be used by the chip to perform a single STORE operation. After power up, when the voltage on the VCAP pin drops below VSWITCH, the part will automatically disconnect the VCAP pin from VCCX and initiate a STORE operation. A charge storage capacitor having a capacity of between 68µF and 220µF (±20%) rated at 6V should be provided. In system power mode, both VCCX and VCAP are connected to the +5V power supply without the 100µF capacitor. In this mode the Auto Store function of the STK14C88-M will operate on the stored system charge as power goes down. The user must, however, guarantee that VCCX does not drop below 3.6V during the 10ms STORE cycle. If an automatic STORE on power loss is not required, then VCCX can be tied to ground and +5V applied to VCAP. This is the Auto Store Inhibit mode, in which the Auto Store function is disabled. If the STK14C88-M is operated in this configuration, references to VCCX should be changed to VCAP throughout this data sheet. In this mode, STORE operations may be triggered through software control or the HSB pin. It is not permissible to change between these three options on the fly. In order to prevent unneeded STORE operations, automatic stores as well as those initiated by externally driving HSB low will be ignored unless at least one WRITE operation has taken place since the most recent STORE or RECALL cycle. Software initiated STORE cycles are performed regardless of whether a WRITE operation has taken place. An optional pull-up resistor is shown connected to HSB. This can be used to signal the system that the Auto Store cycle is in progress.


Figure 3.9: Auto Store, System Power and Auto Store Inhibit Modes

3.2 BU61688 INTERFACE


The BU61688 operates with 5V TTL logic levels and the FPGA interface is 3.3V CMOS level. The data, address and control lines of the BU61688 are interfaced through LPT buffers which cater for both 3.3V CMOS and 5V TTL logic levels. The direction signals for the transceiver and all control signals are generated in the 1553 controller. The 1553 controller is connected to the Onboard Peripheral Bus (OPB).

Figure 3.10: Block Diagram of 1553B Interface


3.2.1 RT ADDRESS CONFIGURATION


The BU61688 contains internal RT address latches and bidirectional data buffers to provide a direct interface to the host processor bus. The RT address can be programmed through either software or hardware. The RT address of the CCSC is configurable through a jumper which is brought out to the connector. These address lines from the BU61688 are buffered using a level buffer (P174LPT16244) and brought out to the external connector.

3.2.2 BU61688
Features: 5 Volt Only; Fully Integrated MIL-STD-1553 A/B STANAG 3838 Compliant Terminals; One-Square-Inch Package; Smallest BC/RT/MT in the industry; Hardware and Software Compatible with BU-61580 ACE Series; Flexible Processor/Memory Interface; Bootable RT Option; 4K x 16 or 64K x 16 Shared RAM; Automatic BC Retries; Programmable BC Gap Times; Programmable Illegalization; Simultaneous RT/Monitor Mode; Operates From 10/12/16/20 MHz Clock.


Figure 3.11: Block Diagram of BU61688

Description: The BU-61588 Mini-ACE and BU-61688 Mini-ACE Plus integrate two 5-volt-only transceivers, protocol, memory management, processor interface logic, and 4K x 16, or 64K x 16 words of RAM in a choice of pin grid array (PGA), quad flat pack or gull lead packages. The Mini-ACE is packaged in a 1.0 square inch, low profile, co-fired ceramic multi-chip module (MCM) package, making it the smallest integrated MIL-STD-1553 BC/RT/MT in the industry. The Mini-ACE provides full compatibility to DDC's BU-61580 and BU-65170 Advanced Communication Engine (ACE). As such, the Mini-ACE includes all the hardware and software architectural features of the ACE. The Mini-ACE contains internal address latches and bidirectional data buffers to provide a direct interface to a host processor bus. The memory management scheme for RT mode provides three data structures for buffering data. These structures, combined with the Mini-ACE's extensive interrupt capability, serve to ensure data consistency while off-loading the host processor. The Mini-ACE Plus can optionally boot-up as a RT with the Busy bit set for 1760 applications. The Mini-ACE BC mode implements several features aimed at providing an efficient real-time software interface to the host processor including automatic retries, programmable inter message gap times, automatic frame repetition, and flexible interrupt generation. The advanced architectural features of the Mini-ACE, combined with its small size and high reliability, make it an ideal choice for demanding military and industrial processor-to-1553 applications.

Interface to MIL-STD-1553 bus: Connections for both direct (short stub) and transformer (long stub) coupling, as well as the nominal peak-to-peak voltage levels at various points (when transmitting), are indicated in the diagram.

Figure 3.12: Mini-ACE Interface to MIL-STD-1553 bus


3.2.3 LPT BUFFER


Features: Compatible with LVT and LCX families of products; Supports 5V Tolerant Mixed signal Mode Operation (Input can be 3V or 5V, Output can be 3V or connected to 5V bus); Advanced low power CMOS operation; Excellent output drive capability (balanced drives, 24mA sink and source); Pin compatible with industry standard double-density pinouts; Low ground bounce outputs; Hysteresis on all inputs; Industrial temperature range: -40°C to +85°C; Multiple centre pins and distributed pins minimize switching noise.

Figure 3. Logic Block Diagram of LPT buffer

Description: The P174LPT16244 is a 16-bit buffer/line driver designed for driving high capacitive memory loads. With its balanced-drive characteristics, this high-speed and low power device provides lower ground bounce, transmission line matching of signals, fewer line reflections and lower EMI and RFI effects. This makes it ideal for driving on-board buses and transmission lines. The P174LPT16244 can be driven from either 3.3V or 5.0V devices, allowing this device to be used as a translator in a mixed 3.3/5.0V system.

3.3 UART, TIMER AND PIC INTERFACE


UART core is implemented in the FPGA and the TX and RX lines from the UART are brought out. Timer core and PIC core are also implemented in the FPGA and are interfaced to the OPB bus.

Figure 3.13: Block Diagram of UART Interface

The EIA Standard RS-422-A, entitled "Electrical Characteristics of Balanced Voltage Digital Interface Circuits", defines the characteristics of RS-422 interface circuits. Figure 1.4 is a typical RS-422 four-wire interface. Notice that five conductors are used. Each generator or driver can drive up to ten (10) receivers. The two signalling states of the line are defined as follows:
a. When the A terminal of the driver is negative with respect to the B terminal, the line is in a binary 1 (MARK or OFF) state.
b. When the A terminal of the driver is positive with respect to the B terminal, the line is in a binary 0 (SPACE or ON) state.


RS-422 systems require a dedicated pair of wires for each signal: a transmit pair, a receive pair and an additional pair for each handshake/control signal used. Devices configured for four wire communications bring out A and B connections for both the transmit and the receive pairs. The user can connect the transmit lines to the receive lines to create a two wire configuration. The interface circuit may operate without the signal ground connection, but may sacrifice reliability and noise immunity.

RS-422 system software differs little from the familiar point-to-point RS-232 communication systems. RS-422 is often used to simply extend the distance between nodes over the capabilities of RS-232. When selecting or writing software for RS-422 systems the designer should be aware of the signals being used by the hardware in the system. Many RS-422 systems do not implement the hardware handshake lines often found in RS-232 systems due to the cost of running additional conductors over long distances.

3.4 DISCRETE INPUT CHANNELS


The card has 64 channels of Discrete Inputs. Isolation is provided using high speed opto-couplers. The opto-couplers provide the necessary protection for the FPGA. The status is read by the control logic.

Figure 3.14: Block Diagram of DIP Interface

3.5 RELAY COMMAND GENERATION


The unit has 64 DOPs. To avoid unwanted pyro-firing during power-on, complementary logic is used for relay command generation, i.e., the DOPs coming from the FPGA are opto-isolated using positive and negative logic alternately. Each relay is operated by issuing a Digital Output. The L6221AD device is used as the relay driver.

3.5.1 POSITIVE RELAY COMMAND LOGIC


The DOPs coming from FPGA are connected to anode of the Photo diode of the opto coupler through a 330 Ohm resistor. Whenever the FPGA DOP voltage exceeds the cut-in voltage of the diode, the diode conducts and output will be high and the Relay driver is switched on. This occurs only when it is enabled through CPLD.


Figure 3.15: Positive Relay Command Logic

Table 3.1: Truth Table for Positive Relay Command Logic

FPGA_DOP | RELAY
Logic 0 | Logic 0 (OFF)
Logic 1 | Logic 1 (ON)

3.5.2 NEGATIVE RELAY COMMAND LOGIC


The DOPs coming from the FPGA are connected to the cathode of the photo diode of the opto-coupler. Whenever the FPGA DOP voltage is at 0V, the diode conducts, the output will be high and the relay driver is switched on. After FPGA power-on initialization, the FPGA_DOP CMD line is initialized to logic 1.


Figure 3.16: Negative Relay Command Logic

Table 3.2: Truth Table for Negative Relay Command Logic

FPGA_DOP | RELAY
Logic 0 | Logic 1 (ON)
Logic 1 | Logic 0 (OFF)

3.5.3 L6221AD
Features: Four non inverting inputs with enable; Output voltage up to 50V; Output current up to 1.8A; Very low saturation voltage; TTL compatible inputs; Integral fast recirculation diodes.


Figure 3.17: Block Diagram of L6221AD

Description: The L6221 monolithic quad Darlington switch is designed for high current, high voltage switching applications. Each of the four switches is controlled by a logic input and all four are controlled by a common enable input. All inputs are TTL-compatible for direct connection to logic circuits. Each switch consists of an open-collector Darlington transistor plus a fast diode for switching applications with inductive device loads. The emitters of the four switches are commoned. Any number of inputs and outputs of the same device may be paralleled. When inductive loads are driven by the L6221AD, a zener diode in series with the integral free-wheeling diodes increases the voltage across which energy stored in the load is discharged and therefore speeds the current decay. For reliability it is suggested that the zener is chosen so that Vp + Vz < 35 V. The reasons for this are twofold: 1) The zener voltage changes with temperature and current. 2) The instantaneous power must be limited to avoid the reverse second breakdown.


Figure 3.18: L6221AD driven with inductive loads

3.5.4 OPTOCOUPLER
Features: Current Transfer Ratio (CTR: min. 50% at IF = 5 mA, VCE = 5 V); High input-output isolation voltage (Viso = 3750 Vrms); High collector-emitter voltage (VCEO = 80 V); Response time (tr: typ., 4 µs at VCE = 2 V, IC = 2 mA, RL = 100 Ω); Mini-flat package (2.0 mm profile) in tape and reel package.

Figure 3.19: Functional and Schematic of opto-coupler


Description: The HCPL-181 contains a light emitting diode optically coupled to a phototransistor. It is packaged in a 4-pin mini-flat SMD package with a 2.0 mm profile. The small dimension of this product allows significant space saving. The package volume is 30% smaller than that of conventional DIP type. Input-output isolation voltage is 3750 Vrms. Response time, tr, is typically 4 µs and minimum CTR is 50% at input current of 5 mA.

Applications: I/O interfaces for computers; System appliances, measuring instruments; Signal transmission between circuits of different potentials and impedances; Feedback circuit in power supply.

3.6 WATCHDOG TIMER


The Watchdog Timer function forces the WDS signal active low when the strobe input does not have the transition (toggling pulse) within the pre-determined time period (100ms). The FPGA generates the toggling pulse.

3.7 RESET LOGIC


The DS1831A multi supply monitor and reset monitors up to four system voltages: a 5V supply, a 3.3V (or 3V) supply, and two additional user configurable voltage monitors. DS1831 power for internal operation comes from the higher voltage level of the 3.3V input or the 5V input. The DS1831 maintains power-on reset duration for user configurable times of 10 ms, 100 ms, or 1 s. Tolerance (TOL) and Time Delay (TD) inputs allow user configuration of the DS1831A for multiple applications. The TOL inputs configure the tolerance for the specified output and the TD inputs configure the reset time delays. The DS1831A (multi supply monitor and reset) generates three kinds of reset signals: 1. Power on Reset (asserts resets during power transients). 2. Pushbutton reset input for system override. 3. Watchdog timer for software monitoring.


3.7.1 DS1831A
Features: 5V power-on reset; 3.3V (or 3V) power-on reset; 2 referenced comparators with separate outputs for monitoring additional supplies; Internal power is drawn from higher of either the IN5V input or the IN3.3V input; Excellent for systems designed to operate with multiple power supplies; Asserts resets during power transients; Pushbutton reset input for system override; Maintains reset for user configurable times of 10 ms, 100 ms, or 1 sec; Watchdog timer for software monitoring (DS1831A); Precision temperature-compensated voltage reference and voltage sensor; Operating Temperature of -40°C to +85°C.

Figure 3.20: Block Diagram of DS1831A


Power Monitor: The DS1831 provides the functions of detecting out-of-tolerance conditions on a 3.3 (or 3) volt and 5 volt power supply and warning a processor based system of impending power failure. When an input is detected as out-of-tolerance on either voltage input, the RST for that supply will be forced active low. When that input returns to a valid state, the associated RST will remain active for the time delay selected with the associated TD input and then return to an inactive state until the next input out-of-tolerance condition. On power-up both resets are kept active for the selected reset time after the associated power supply input has reached the selected tolerance. This allows the power supply and system power to stabilize before RST is released. All internal operating current for the DS1831A will be supplied by either the IN3.3V or IN5V input, whichever has the higher voltage level.

Tolerance Select: The DS1831A provides 2 TOL inputs for individual customization of the DS1831 to specific application requirements. If the TOL for the 5 volt supply is tied to the 5 volt input a 5% tolerance is selected. If the TOL is connected to ground a 10% tolerance is selected or if it is left unconnected a 15% tolerance is selected. If the TOL for the 3.3 volt supply is tied to the 3.3 volt input a 5% tolerance is selected, a 10% tolerance is selected if it is connected to ground, and a 20% tolerance is selected if the input is left unconnected. These tolerance conditions are set at power up and can only be changed by power cycling the device.

Reset time-delay Select: The DS1831 provides 2 TD inputs for individual customization of reset time-delays and an additional one for the DS1831A watchdog. TD inputs select time delays for the IN5V and IN3.3V reset outputs and the Watchdog on the DS1831A. These allow the selection of minimum delays of 10 ms, 100 ms, and 1000 ms. Wiring an individual reset output to the push-button input of the other voltage reset allows custom reset timings or allows for the sequencing of the reset outputs. These time-delays are set at power-up and cannot be changed after the device reaches an in-tolerance condition.


Pushbutton Reset: The DS1831 provides 3 pushbutton inputs for manual reset of the device. Pushbutton inputs for the 3.3 volt reset, the 5 volt reset, and a master pushbutton reset input provide multiple options for system control. The 3.3 volt pushbutton reset and 5 volt pushbutton reset provide a simple manual reset for the associated reset output, while the master pushbutton reset forces all resets and NMI outputs active low. The 5 volt reset pushbutton input and the 3.3 volt reset pushbutton input provide manual reset control input for each associated reset output. When the output associated with a pushbutton input is not active, a pushbutton reset can be generated by pulling the associated PBRST pin low for at least 20 µs. When the pushbutton is held low the reset will be forced active and will remain active for a reset cycle after the pushbutton is released.

Figure 3.21: Pushbutton Reset circuit of DS1831A

A master pushbutton reset cycle can be started if at least one voltage input (IN5V, IN3.3V, IN1, or IN2) is in tolerance and at least 1 output is active. A master pushbutton reset is generated by pulling the MPBRST pin low for at least 20 µs. When the pushbutton is held low all outputs are forced active and will remain active for a reset or NMI time delay after the pushbutton is released. The Master Pushbutton input is pulled high through an internal 100 kΩ pull up resistor and debounced via internal circuitry. The 5 volt and 3.3 volt pushbutton reset inputs are pulled high through an internal 100 kΩ pull up resistor to the voltage input which is associated with that pushbutton. The master pushbutton is pulled to the greater of the IN5V and IN3.3V inputs.


Watchdog Timer: The watchdog timer function (DS1831A only) forces the WDS signal active (low) when the ST input does not have a transition (high-to-low or low-to-high) within the predetermined time period. The timeout period is determined by the condition of the TDWD pin. If TDWD is connected to ground the minimum watchdog time-out would be 10 ms, TD floating would yield a minimum time-out of 100 ms, and TDWD connected to VCC would provide a time-out of 1000 ms minimum. Time-out of the watchdog starts when at least one of the RST outputs becomes inactive (high). If a transition occurs on the ST input pin prior to time-out, the watchdog timer is reset and begins to time-out again. If the watchdog timer is allowed to time-out, then the WDS output is pulsed active for a minimum of 100 µs. The WDS output is an open-drain output and must be pulled up externally. In most applications this output would be connected to one of the Pushbutton inputs and would not require an external pull-up resistor. The value of the resistors is not critical in most cases but must be set low enough to pull the output to a high state. A common value used is 10 kΩ. If a WDS output is connected to a pushbutton input an additional pull-up resistor can be used (to improve speed of transitions) but is not required. The ST input can be derived from many microprocessor outputs. The most typical signals used are the microprocessor address signals, data signals, or control signals. When the microprocessor functions normally, these signals would, as a matter of routine, cause the watchdog to be reset prior to time-out. To guarantee that the watchdog timer does not time out, a transition must occur at or less than the minimum times. The DS1831A watchdog function cannot be disabled. The watchdog strobe input must be strobed to avoid a watchdog time-out; however, the watchdog status output can be disconnected, yielding the same result.


Figure 3.22: Watchdog timer circuit of DS1831A

3.8 DAC INTERFACE


The unit houses 4 Analog Outputs realized using quad output Digital to Analog Converters. The DACs are realized using the DAC8420 with 12 bit resolution. The digital data is sent through a serial interface and all the digital lines are opto-isolated. The serial data input contains the channel number and data. The data is presented to the input SDI on the rising edge of a 10 MHz clock. Necessary glue logic is implemented in the FPGA. The converted output is available at the connector. The fourth channel is given as a loop back to the ADC through the differential multiplexer.

Figure 3.23: Block Diagram of DAC Interface


3.8.1 DAC8420
Features: Guaranteed monotonic over temperature; Excellent matching between DACs; Unipolar or bipolar operation; Buffered voltage outputs; High speed serial digital interface; Reset-to-zero scale or midscale; Wide supply range, +5 V only to ±15 V; Low power consumption (35 mW maximum); Available in 16-Lead PDIP, SOIC, and CERDIP packages.

Description: The DAC8420 is a quad, 12-bit voltage-output DAC with serial digital interface in a 16-lead package. Utilizing BiCMOS technology, this monolithic device features unusually high circuit density and low power consumption. The simple, easy-to-use serial digital input and fully buffered analog voltage outputs require no external components to achieve a specified performance. The 3-wire serial digital input is easily interfaced to micro-processors running at 10 MHz with minimal additional circuitry. Each DAC is addressed individually by a 16-bit serial word consisting of a 12-bit data word and an address header. The user-programmable reset control CLR forces all four DAC outputs to either zero scale or midscale, asynchronously overriding the current DAC register values. The output voltage range, determined by the inputs VREFHI and VREFLO, is set by the user for positive or negative unipolar or bipolar signal swings within the supplies, allowing considerable design flexibility.


Figure 3.24: Functional Block Diagram of DAC8420

The DAC8420 is available in 16-lead PDIP, SOIC, and CERDIP packages. Operation is specified with supplies ranging from +5 V only to ±15 V, with references of +2.5 V to ±10 V, respectively. Power dissipation when operating from ±15 V supplies is less than 255 mW (maximum) and only 35 mW (maximum) with a +5 V supply.

Theory of Operation: The DAC8420 is a quad, voltage-output 12-bit DAC with a serial digital input capable of operating from a single 5 V supply. The straightforward serial interface can be connected directly to most popular microprocessors and microcontrollers, and can accept data at a 10 MHz clock rate when operating from ±15 V supplies. A unique voltage reference structure ensures maximum utilization of the DAC output resolution by allowing the user to set the zero-scale and full-scale output levels within the supply rails. The analog voltage outputs are fully buffered, and are capable of driving a 2 kΩ load. Output glitch impulse during major code transitions is a very low 64 nV-s (typ).


Digital Interface Operation: The serial input of the DAC8420, consisting of CS, SDI, and LD, is easily interfaced to a wide variety of microprocessor serial ports. While CS is low, the data presented to the input SDI is shifted into the internal serial-to-parallel shift register on the rising edge of the clock, with the address MSB first and the data LSB last, as shown in Table 6 and in the timing diagram (Figure 2). The data format, shown in Table 8, is two bits of DAC address and two don't care fill bits, followed by the 12-bit DAC data-word. Once all 16 bits of the serial data-word have been input, the load control LD is strobed and the word is parallel-shifted out onto the internal data bus. The two address bits are decoded and used to route the 12-bit data-word to the appropriate DAC data register.

Operation of CS and CLK: The control pins CLK and CS require some attention during a data load cycle. Since these two inputs are fed to the same logical OR gate, the operation is in fact identical. The user must take care to operate them accordingly to avoid clocking in false data bits. In the timing diagram, CLK must be halted high or CS must be brought high during the last high portion of the CLK following the rising edge that latched in the last data bit. Otherwise, an additional rising edge is generated by CS rising while CLK is low, causing CS to act as the clock and allowing a false data bit into the serial input register. The same issue must also be considered in the beginning of the data load sequence.
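
The load sequence and the CS/CLK hazard described above, modelled as an added example in Python (not code from the thesis or from the device vendor). The class and function names are hypothetical, the don't-care bits are sent as 0, and the DAC registers are indexed by the raw 2-bit address rather than by name.

```python
# Behavioural model of the DAC8420 serial input as the text describes it.
# Constructed for illustration; all names here are hypothetical.

def pack_word(addr, data):
    """16-bit serial word: 2 address bits, 2 don't-care bits, 12-bit data word."""
    if not 0 <= addr <= 3:
        raise ValueError("DAC address is 2 bits")
    if not 0 <= data <= 0xFFF:
        raise ValueError("DAC data word is 12 bits")
    return (addr << 14) | data  # don't-care bits [13:12] sent as 0


class Dac8420SerialModel:
    def __init__(self):
        self.shift = 0            # 16-bit serial-to-parallel shift register
        self.regs = [0, 0, 0, 0]  # four DAC data registers, indexed by address
        self.edges = 0            # shift edges seen since the last LD strobe
        self._gated = 1           # last value of (CS OR CLK); CS idles high

    def drive(self, cs, clk, sdi):
        """Apply one pin sample. CS and CLK feed one OR gate, so the register
        shifts on every rising edge of (CS OR CLK), whichever pin caused it."""
        gated = cs | clk
        if gated and not self._gated:
            self.shift = ((self.shift << 1) | (sdi & 1)) & 0xFFFF
            self.edges += 1
        self._gated = gated

    def strobe_ld(self):
        """LD strobe: route the 12-bit data word to the addressed register.
        Returns the shift-edge count of this load so that a test bench can
        flag anything other than 16."""
        self.regs[self.shift >> 14] = self.shift & 0xFFF
        edges, self.edges = self.edges, 0
        return edges


def load_samples(word, cs_rises_while_clk_low=False, sdi_at_end=1):
    """(cs, clk, sdi) pin samples for one load, address MSB first, data LSB last."""
    samples = [(1, 1, 0), (0, 1, 0)]           # CS falls while CLK is high
    for i in range(15, -1, -1):
        bit = (word >> i) & 1
        samples += [(0, 0, bit), (0, 1, bit)]  # bit latched on rising CLK
    if cs_rises_while_clk_low:
        # Violation: CLK returns low, then CS rises, which is one more
        # rising edge at the OR gate and one false bit in the register.
        samples += [(0, 0, sdi_at_end), (1, 0, sdi_at_end)]
    else:
        samples += [(1, 1, sdi_at_end)]        # CLK halted high, then CS rises
    return samples


def run_load(word, **kwargs):
    """Run one load on a fresh model; return (registers, shift-edge count)."""
    dac = Dac8420SerialModel()
    for cs, clk, sdi in load_samples(word, **kwargs):
        dac.drive(cs, clk, sdi)
    edges = dac.strobe_ld()
    return dac.regs, edges
```

With the violation enabled, the 17th edge shifts the whole word left by one bit, so both the decoded address and the data word change; counting shift edges per LD strobe is a cheap test-bench assertion that catches it.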

Using CLR and CLSEL: The clear (CLR) control allows the user to perform an asynchronous reset function. Asserting CLR loads all four DAC data-word registers, forcing the DAC outputs to either zero scale (0x000) or midscale (0x800), depending on the state of CLSEL as shown in Table 6. The clear function is asynchronous and totally independent of CS. When CLR returns high, the DAC outputs remain latched at the reset value until LD is strobed, reloading the individual DAC data-word registers with either the data held in the serial input register prior to the reset or with new data loaded through the serial interface.


Table 3.3: DAC Address Word Decode Table

Programming the Analog Outputs: The unique differential reference structure of the DAC8420 allows the user to tailor the output voltage range precisely to the needs of the application. Instead of spending DAC resolution on an unused region near the positive or negative rail, the DAC8420 allows the user to determine both the upper and lower limits of the analog output voltage range. Thus, as shown in Table 9 and Figure 30, the outputs of DAC A through DAC D range between VREFHI and VREFLO, within the limits specified in the Specifications section. Note also that VREFHI must be greater than VREFLO.

Figure 3.25: Output Voltage Ranging Program

Applications:
- Software controlled calibration
- Servo controls
- Process control and automation
- ATE

3.9 ADC INTERFACE


The system consists of 22 analog input channels (15 single-ended and 7 differential). The ADCs are realized using the AD977A, a 16-bit ADC with a serial interface and a built-in reference voltage.

The necessary glue logic is implemented in the FPGA. Channel selection is accomplished using the single-ended and differential multiplexers. The analog inputs from the anti-aliasing filters (bandwidth of 50 Hz for single-ended channels 0-12 and the 7 differential channels; bandwidth of 5 Hz for single-ended channels 13-14) are first passed through the overvoltage protector (ADG467), differential multiplexer (ADG527), single-ended multiplexer (ADG526) and buffer (OP42) before being applied to the ADC. All the digital interfaces to the ADC are opto-isolated. During a conversion, the ADC outputs the result of conversion (n-1) as 16-bit serial data, MSB first. The output data is synchronized to the internal data clock generated by the ADC.

Figure 3.26: Block Diagram of ADC Interface

3.9.1 AD977A
Features:
- Fast 16-Bit ADC
- 100 kSPS Throughput Rate (AD977)
- 200 kSPS Throughput Rate (AD977A)
- Single 5 V Supply Operation
- Power Dissipation 100 mW Max
- Power-Down Mode 50 µW
- Input Ranges: Unipolar: 0 V to 10 V, 0 V to 5 V and 0 V to 4 V; Bipolar: ±10 V, ±5 V and ±3.3 V
- Choice of External or Internal 2.5 V Reference
- High Speed Serial Interface
- On-Chip Clock
- 20-Lead Skinny DIP or SOIC Package
- 28-Lead Skinny SSOP Package

Description: The AD977A is a high speed, low power 16-bit A/D converter that operates from a single 5 V supply. The AD977A has a throughput rate of 200 kSPS whereas the AD977 has a throughput rate of 100 kSPS. Each part contains a successive approximation, switched capacitor ADC, an internal 2.5 V reference, and a high speed serial interface. The ADC is factory calibrated to minimize all linearity errors. The AD977A is specified for full scale bipolar input ranges of ±10 V, ±5 V and ±3.3 V, and unipolar ranges of 0 V to 10 V, 0 V to 5 V and 0 V to 4 V. The AD977A is comprehensively tested for ac parameters such as SNR and THD, as well as the more traditional dc parameters of offset, gain and linearity.

The AD977A is controlled by two signals: R/C and CS. When R/C is brought low, with CS low, for a minimum of 50 ns, the input signal is held on the internal capacitor array and a conversion n begins. Once the conversion process begins, the BUSY signal goes low until the conversion is complete. Internally, the signals R/C and CS are OR'd together and there is no requirement on which signal is taken low first when initiating a conversion. The only requirement is that there be at least 10 ns of delay between the two signals being taken low. After the conversion is complete the BUSY signal returns high and the AD977/AD977A resumes tracking the input signal. Under certain conditions the CS pin can be tied low and R/C is used to determine whether a conversion is being initiated or data is being read. On the first conversion after the AD977A is powered up, the DATA output is indeterminate.

Conversion results can be clocked serially out of the AD977A using either an internal clock, generated by the AD977A, or an external clock. The AD977A is configured for the internal data clock mode by pulling the EXT/INT pin low. It is configured for the external clock mode by pulling the EXT/INT pin high.

Figure 3.27: Functional Block Diagram of AD977A

The AD977A is ideally suited for traditional dc measurement applications supporting a microprocessor, and ac signal processing applications interfacing to a digital signal processor. The AD977A is designed to interface with a general purpose serial port or I/O ports on a microcontroller. A variety of external buffers can be used with the AD977A to prevent digital noise from coupling into the ADC.

Advantages:
1. Fast Throughput: The AD977/AD977A is a high speed, 16-bit ADC based on a factory calibrated switched capacitor architecture.
2. Single-Supply Operation: The AD977/AD977A operates from a single 5 V supply and dissipates only 100 mW max.
3. Comprehensive DC and AC Specifications: In addition to the traditional specifications of offset, gain and linearity, the AD977A is fully tested for SNR and THD.

3.9.2 ADG467
Features:
- Fault and overvoltage protection up to ±40 V
- Signal paths open circuit with power off
- Signal path resistance of RON with power on
- 44 V supply maximum ratings
- Low on resistance: 62 Ω typical
- 1 nA maximum path current leakage at +25°C
- Low RON match (5 Ω maximum)
- Low power dissipation: 0.8 µW typical
- Latch-up proof construction

Description: The ADG467 is an octal channel protector. The channel protector is placed in series with the signal path. It protects sensitive components from voltage transients in the signal path regardless of whether the power supplies are present. For this reason, the channel protectors are ideal for protecting analog inputs in applications where correct power sequencing cannot always be guaranteed (for example, hot insertion rack systems). This is described further, and some example circuits are given, in the Applications Information section. Each channel protector operates independently and consists of an N-channel MOSFET, a P-channel MOSFET, and an N-channel MOSFET, connected in series. The channel protector behaves just like a series resistor during normal operation, that is, (VSS + 1.5 V) < VIN < (VDD - 1.5 V). When a channel's analog input exceeds the power supplies (including VDD and VSS = 0 V), one of the MOSFETs switches off, clamping the output to either VSS + 1.5 V or VDD - 1.5 V. Circuitry and signal source protection is provided in the event of an overvoltage or power loss. The channel protectors can withstand overvoltage inputs from -40 V to +40 V. See the Circuit Information section.


The ADG467 can operate off both bipolar and unipolar supplies. The channels are normally on when power is connected and open circuit when power is disconnected. With power supplies of ±15 V, the on resistance of the ADG467 is 62 Ω typical with a leakage current of 1 nA maximum. When power is disconnected, the input leakage current is approximately 0.5 nA typical. The ADG467 is available in an 18-lead SOIC package and a 20-lead SSOP package.

Figure 3.28: Functional Block Diagram of ADG467

The ADG467 is ideal for use in applications where input overvoltage protection is required and correct power supply sequencing cannot always be guaranteed. The overvoltage protection ensures that the output voltage of the channel protector does not exceed the threshold voltages set by the supplies (see the Circuit Information section) when there is an overvoltage on the input. When the input voltage does not exceed these threshold voltages, the channel protector behaves like a series resistor (62 Ω typical). The resistance of the channel protector does vary slightly with operating conditions. The power sequencing protection is provided by the channel protector, which becomes a high resistance device when the supplies to the channel protector are not connected. Under this condition, all transistors in the channel protector are off and the only currents that flow are leakage currents, which are at the microampere level.

Advantages:
1. Fault Protection. The ADG467 can withstand continuous voltage inputs from -40 V to +40 V. When a fault occurs due to the power supplies being turned off or due to an overvoltage being applied to the ADG467, the output is clamped. When power is turned off, current is limited to the microampere level.
2. Low Power Dissipation.
3. Low RON. 62 Ω typical.
4. Trench Isolation Latch-Up Proof Construction. A dielectric trench separates the p- and n-channel MOSFETs, thereby preventing latch-up.

Applications:
- ATE equipment
- Sensitive measurement equipment
- Hot insertion rack systems

3.9.3 ADG526A AND ADG527A


Features:
- 44 V supply maximum rating
- VSS to VDD analog signal range
- Single- or dual-supply specifications
- Wide supply ranges (10.8 V to 16.5 V)
- Microprocessor compatible (100 ns WR pulse)
- Extended plastic temperature range (-40°C to +85°C)
- Low leakage (20 pA typical)
- Low power dissipation (28 mW maximum)
- Available in PDIP, CERDIP, SOIC, and PLCC packages
- Superior alternative to DG526 and DG527

Description: The ADG526A and ADG527A are CMOS monolithic analog multiplexers with 16 single channels and dual 8 channels, respectively. On-chip latches facilitate microprocessor interfacing.


Figure 3.29: Block Diagrams of ADG526A and ADG527A

The ADG526A switches one of 16 inputs to a common output, depending on the state of four binary addresses and an enable input. The ADG527A switches one of eight differential inputs to a common differential output, depending on the state of three binary addresses and an enable input. Both devices have TTL and 5 V CMOS logic-compatible digital inputs. The ADG526A and ADG527A are designed on an enhanced LC2MOS process that gives an increased signal capability of VSS to VDD and enables operation over a wide range of supply voltages. The devices can comfortably operate anywhere in the 10.8 V to 16.5 V single- or dual-supply range. These multiplexers also feature high switching speeds and low RON.

Advantages:
1. Single- or Dual-Supply Specifications with a Wide Tolerance: The devices are specified in the 10.8 V to 16.5 V range for both single and dual supplies.
2. Easily Interfaced: The ADG526A and ADG527A can be easily interfaced with microprocessors. The WR signal latches the state of the address control lines and the enable line. The RS signal clears both the address and enable data in the latches, resulting in no output (all switches off). RS can be tied to the microprocessor reset pin.
3. Extended Signal Range: The enhanced LC2MOS processing results in a high breakdown and an increased analog signal range from VSS to VDD.
4. Break-Before-Make Switching: Switches are guaranteed break-before-make so that input signals are protected against momentary shorting.
5. Low Leakage: Leakage currents in the range of 20 pA make these multiplexers suitable for high precision circuits.

Applications:
- Data acquisition systems
- Communication systems
- Automatic test equipment
- Microprocessor controlled systems

3.9.4 OP42
Features:
Fast
- Slew rate is 50 V/µs min
- Settling time (0.01%) is 1 µs max
- Gain-bandwidth product is typically 10 MHz
Precise
- Common-mode rejection is 88 dB min
- Open-loop gain is 500 V/mV min
- Offset voltage is 750 µV max
- Bias current is 200 pA max
Excellent radiation hardness


Figure 3.30: Circuit of OP-42

Description: The OP-42 is a fast precision JFET input operational amplifier. Similar in speed to the OP-17, the OP-42 offers a symmetric 58 V/µs slew rate and is internally compensated for unity-gain operation. OP-42 speed is achieved with a supply current of less than 6 mA. Unity gain stability, a wide full-power bandwidth of 900 kHz, and a fast settling time of 800 ns to 0.01% make the OP-42 an ideal output amplifier for fast digital-to-analog converters. Equal attention was given to both speed and precision in the OP-42 design. Its tight 750 µV maximum input offset voltage combined with well-controlled drift of less than 10 µV/°C eliminates the need for external nulling in many circuits. The OP-42's common mode rejection of 88 dB minimum over a ±11 V input voltage range is exceptional for a high-speed amplifier. High CMR combined with a minimum 500 V/mV gain into a 10 kΩ load ensures excellent linearity in both non-inverting and inverting gain configurations. The low input bias and offset currents provided by the JFET input stage suit the OP-42 for use in high-speed sample and hold circuits, peak detectors and log amplifiers. Excellent radiation hardness characteristics make the OP-42 ideal for military and aerospace applications. This op amp is very useful for driving a high-speed ADC. The OP-42's open-loop output resistance is approximately 50 Ω. When feedback is applied around the amplifier, output resistance decreases in proportion to open-loop gain divided by closed-loop gain (AVOL/AVCL). Output impedance increases as open-loop gain rolls off with frequency. High speed analog-to-digital converters require low source impedances at high frequency.


Output impedance at 1 MHz is typically 5 Ω for an OP-42 operating at unity gain. If lower output impedances are required, an output buffer may be placed at the output of the OP-42. The OP-42 is an excellent choice for a DAC output amplifier, since its high speed and fast settling time allow quick transitions between codes, even for full-scale changes in output level. The DAC output capacitance appears at the operational amplifier inputs, and must be compensated to ensure optimal settling speed.


CHAPTER 4 SYSTEM VALIDATION


The aim of the overall safety validation is to prove that a function incorporated in a control system fulfills the specified safety requirements. In practice this means that the designer/assessor shall demonstrate that the control system has such an integrity that the end user may trust the resulting function to be sufficiently safe and robust for its intended use. In the context of the present field of application, the following characteristics of a control system are addressed:
- Hardware safety integrity
- Systematic safety integrity
- HDL safety integrity

These three properties are strictly dependent on the system design process (including documentation) and the resulting functionality of the control system (architectural design and detailed design). This may be defined as the functional safety by, e.g., the two following specifications:
- The system functional properties specification (proven by validation)
- The system detailed design specification (proven by verification and test)

The specifications listed above are used only to illustrate some aspects of the validation process. In a realistic design both specifications are included in the system design specification. The aim of the test and verification is to prove that the system conforms to the detailed design specification, i.e. that the current implementation corresponds to the intended design. Several aspects are considered during the verification, such as the correctness of the synthesis result, the correspondence of the layout with the HDL description and the correctness of rule checks. During the verification the functional correspondence with the technical specifications is also considered.

The aim of the validation is to prove that the application conforms to the specification of the functional properties of the system, i.e. that the function of the system is correct and sufficient according to the specified requirements. Such functional properties may be the system behavior at fault, the conditions for reaching a safe state or the level of fault tolerance. The validation process also considers whether implemented measures for fault monitoring/control are sufficient for their intended purpose. An example of this is to validate an implemented volatile memory test algorithm. A validation is commonly a mixture of theoretical analysis techniques and functional tests in order to assure that a specific function is valid for its intended use. The above mentioned approaches are included and required in the safety validation process. There exist various techniques to test the design. Some perform a formal proof of functionality; others simulate behavior on input stimuli.

4.1 FORMAL VERIFICATION METHODS


Formal methods are applicable for proving that all functionality has been maintained during the design transformation. Some of these are:
a) Static property check: makes a formal proof to verify that the signal properties are correct for all possible input sequences. This is still a new technology, but carries high expectations for the future. The goal is to specify the circuit behavior in terms of signal behavior through a signal property specification. The compliance of the design with the signal property specification can be verified formally. Ideally the signal property specification could make the link between the design specification and HDL, but the signal property specification cannot replace the design specification. It can only complement it.
b) Formal equivalence check: makes a formal proof that the RTL HDL has been transformed correctly. The RTL and the gate netlist are checked for full logical equivalence. The successful usage of the formal equivalence check relies on a correct RTL HDL design.
c) LVS (Layout versus schematic): compares the layout primitives with those found in the gate netlist. This check ensures that the gate netlist is fully implemented by the layout. Successful use of LVS requires a correct gate netlist.
d) Static timing analysis: checks that all timing requirements for all gates in the design are fulfilled. This check requires that the timing for wires between gates is modeled, either extracted from the layout or estimated.

A verification flow that uses the above techniques covers the RTL-to-layout transformation quite well. However, the first link from the design specification to the RTL is the weak point, as it relies on human interpretation of the specification, either as a signal property specification or as test benches. This is why the verification plan must focus on how to test and verify the RTL at a satisfactory level.


4.2 DYNAMIC VERIFICATION METHODS


Apart from the static property check some methods are:
a) Simulation: test cases and test benches are developed to test the design functionality. This should simulate the reaction of the design to correct and wrong inputs, thus simulating both correct behavior and error handling.
b) Dynamic property check: uses the signal property specification to assert a warning if a signal property has been violated. Relies on an HDL test bench.
c) Random test bench: generates random input (within some constraints) and simulates it with the design. This is used to stimulate the design with more or less obvious data to reveal well hidden bugs. This makes the creation of RTL test benches and test data easy, but the debugging of a possible failure can be quite difficult. This method verifies the design stability and robustness but does not directly verify its correct behavior.
d) Fault injection: injects an error in a signal (changes the signal value) and simulates its consequence. The method tests the robustness and failure immunity of the design, but should only be applied in areas where this is an important feature.
e) Code coverage: characterizes the completeness of the RTL test bench by counting the number of times selected lines of code or constructs have been visited when running the test bench. Gives a statistical measure of how well the test bench simulates the design.
f) Semi-formal methods: based on coverage measures, formal methods are used to try to activate difficult areas of the design. This method relies on coverage metrics, which could be obtained from the test benches or from experience.
g) Trial FPGA implementation: enables real time running of the design in its environment. Especially useful when the target is an ASIC.
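
Fault injection (item d) and the limits of a coverage-driven stimulus set (item e), as an added Python example that is not part of the thesis. The channel-to-multiplexer mapping is an assumption built from the 15 single-ended and 7 differential channels of section 3.9, and the net names are hypothetical.

```python
# Stuck-at fault injection on a channel-select decode (constructed example).
# Assumed mapping, not taken from the thesis: channels 0-14 -> single-ended
# mux inputs 0-14, channels 15-21 -> differential mux inputs 0-6,
# any other channel number -> both multiplexers disabled.

OUTPUT_NETS = ["se_en", "diff_en", "addr0", "addr1", "addr2", "addr3"]


def channel_select(ch, fault=None):
    """Decode a channel number into multiplexer control nets.
    fault is None or (net_name, stuck_value), forced onto one output net."""
    if 0 <= ch <= 14:
        se_en, diff_en, addr = 1, 0, ch
    elif 15 <= ch <= 21:
        se_en, diff_en, addr = 0, 1, ch - 15
    else:
        se_en, diff_en, addr = 0, 0, 0
    nets = {"se_en": se_en, "diff_en": diff_en}
    for i in range(4):
        nets[f"addr{i}"] = (addr >> i) & 1
    if fault is not None:
        name, value = fault
        nets[name] = value
    return nets


def connected_input(nets):
    """Which analog input the front end actually sees for these control nets."""
    addr = sum(nets[f"addr{i}"] << i for i in range(4))
    if nets["se_en"] and nets["diff_en"]:
        return ("CONFLICT", addr)      # both multiplexers driving the buffer
    if nets["se_en"]:
        return ("SE", addr)
    if nets["diff_en"]:
        return ("DIFF", addr & 0x7)    # differential mux has 3 address bits
    return ("NONE", 0)


def undetected_faults(stimuli):
    """Stuck-at faults that no stimulus distinguishes from the fault-free design."""
    missed = []
    for fault in [(n, v) for n in OUTPUT_NETS for v in (0, 1)]:
        detected = any(
            connected_input(channel_select(ch, fault))
            != connected_input(channel_select(ch))
            for ch in stimuli
        )
        if not detected:
            missed.append(fault)
    return missed


def fault_coverage(stimuli):
    """Fraction of the 12 injected faults that the stimulus set detects."""
    total = 2 * len(OUTPUT_NETS)
    return (total - len(undetected_faults(stimuli))) / total


# Boundary channels plus one invalid channel: every branch of the decode runs.
DIRECTED = [0, 14, 15, 21, 22]
# Every 5-bit channel number, valid and erroneous.
EXHAUSTIVE = list(range(32))
```

The directed set executes every branch of the decode, yet `undetected_faults(DIRECTED)` still reports address bit 0 stuck at 0, because none of its channels drives that bit high; the exhaustive set leaves no fault undetected.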

4.3 DETAILED VERIFICATION PLAN


It is apparent that the creation of proper test benches is crucial to ensure a correct design, which demands a well prepared verification plan. This plan could cover:
a) Detailed specification of the test cases and test benches that should be run to verify the correct behavior of the design on normal input stimuli.
b) Detailed specification of the test cases and test benches that should be run to verify the correct behavior of the design on erroneous input stimuli.
c) Detailed specification on how the safety critical parts of the design are verified.
d) How the design should be tested, i.e. the mix of test benches using different methods.
e) Which tests should be done and at which level. Run time grows rapidly when performing gate netlist level simulations.
f) When is the design tested well enough? A design can be tested infinitely, but when is the test satisfactory?
g) How to handle the possible interaction with application software.
h) How to model the environment and interactions.
i) Plan for review of test benches.

The test benches have to be reviewed just like the design itself. Much of the behavior of the design is built in the test benches, and it is equally important that the functionality of the test benches is as correct as the functionality of the design. For the design validation it is as important that the design and the test benches are well documented and delivered for control.

4.4 METHODS FOR VALIDATION


These methods verify that the required design and verification processes have been followed. Three methods are mentioned, addressing the procedure of documentation system validation (DSV), the design process validation (DPV) and the design verification validation (DVV). The documentation system is verified by inspections, walkthroughs and reviews in order to show compliance with the requirements concerning documentation.

The following sub-sections describe methods for reviewing, verifying and validating the design and verification process carried out during the system design and verification.

4.4.1 WALKTHROUGHS (SYSTEM DESIGN REVIEW)


A walkthrough reveals discrepancies between the specification and the implementation and describes the general functionality of the control system to a designer or an assessor.

In walkthrough methods the designers and assessors manually go through the system design (process and verification) together and check the correctness and functionality.

Usually some test cases, checklists and guidelines are used in this process. Specified functions of the safety-related system draft are examined and evaluated to ensure that the safety-related system complies with the requirements given in the specification. Doubts and potential weak points concerning the realization and use of the product are documented so that they may be resolved.

The result of the walkthrough procedure is a supplement, and often an introductory input, to most of the validation techniques and methods mentioned in this report. The result as such may not be sufficient to motivate fulfillment of specific requirements to be validated.

4.4.2 INSPECTION (REVIEWS AND ANALYSIS)


An inspection checks that relevant requirements have been fulfilled. Specified functions of the safety-related system, the design documentation system and the design verification system are examined and evaluated to ensure that the safety-related system conforms to relevant requirements. The inspection shall be carried out using formalized and structured techniques such as checklists based on the overall safety requirements. Any deviations found shall be documented and resolved. The result of this method is documentation of the fulfillment of relevant requirements.

4.4.3 FAGAN INSPECTIONS


This method reveals mistakes and faults in all phases of the HDL development. It is a formal audit of quality assurance documents aimed at finding mistakes and faults. The inspection procedure consists of five stages: planning, preparation, inspection, rework and follow-up. Each of these stages has its own separate objective. The complete system design process (specification, design, coding and testing/verification) must be inspected. In the process the programmer reads the source code to a group who ask questions and analyse the program by using a checklist.

The result shows conformity to the requirements for the HDL design, implementation and verification.


4.4.4 CHECKLISTS
Checklists give a formal and structured approach to the system safety validation of the design process and the system verification process.

A worksheet is established containing references to relevant requirements. Each requirement is accompanied by a set of concise questions that form the criteria for success for that particular requirement. Checklists are also useful for the designer during the design and verification process in order to make sure that no relevant requirement is disregarded.

All results in the checklists are well justified by comments/remarks and references to other documentation. The final judgment of each requirement should be stated as a pass or fail conclusion. The use of such checklists simplifies the final conclusion on overall conformity. The checklist often forms the basis for inspections.

4.5 METHODS FOR STATIC ANALYSIS


Static analysis techniques aim to theoretically prove that particular requirements are fulfilled or point out the parts of the design that shall be subject to further dynamic analyses and functional tests.

4.5.1 FBA (FUNCTIONAL BLOCK ANALYSIS)


FBA extracts the safety-related parts of the subsystem and provides the analyst with knowledge of how different parts (modules) of a subsystem interact.

The FBA method produces a graphical presentation of the parts of the subsystem subject to further detailed analysis. This method is usually the first to be performed in a safety validation. Several persons may/should be involved in the analysis performance process. The performers of the analysis may select different graphical representations and/or system levels depending on what kind of system is analyzed.

The result of the method is not necessarily restricted to either software or hardware. It shall rather give an overview of the complete function. Great care should be taken when performing the FBA as the result will not only incorporate safety-related parts of the subsystem but will also exclude parts not considered to be safety-related. It is important that no part of the subsystem that may affect the safety function is excluded. One method of analyzing HDL is to use equivalent hardware circuit diagrams. This method has several advantages:
- The process of drawing the result of FBA is often automated (i.e. the possibility of illustrating the VHDL code as a circuit diagram is commonly integrated in the development tool)
- The ASIC under consideration will be transparent due to its surrounding electronics
- The FBA will clearly display the level of separation (redundancy) between channels
- The FBA will prepare for other static analysis methods such as data flow diagrams and FMEA
- The FBA may be hierarchically presented. This is necessary for more complex systems

4.5.2 DFA (DATA FLOW ANALYSIS)


It determines exactly which parts of the system affect a safety-related data path and which data variables/signals are involved in the occurrence of a single safety-related event resulting from the alternation of the system input signals.

A graphical representation of the data flow from input signals to safety-related output signals is produced. The data flow analysis is independent of the conditions involved in the chain of events but considers only information carrying signals. One safety function usually contains several data flows.

The result of this analysis technique gives information about, e.g.:
- Information stored in the system which affects the safety function
- Implemented data diversity/redundancy
- Allocation of safety-related information in the system
- Conformance with the system specification


4.5.3 SSA (SIGNAL SEQUENCE ANALYSIS)


It determines the logical conditions and required sequence of events that enable input signals to affect a safety-related output.

The HDL code and the detailed result of the FBA are studied and a graph is produced with emphasis on showing all conditions that have to be fulfilled before any input is allowed to affect a safety-related output. By manually parsing the HDL and interpreting the code as circuit primitives (such as gates, multiplexers, registers) the code may be drawn as a circuit diagram that displays the functionality at the level of granularity required for the analysis purpose. Only specifically interesting parts of the design should be considered.

The result is a graphical presentation of the relationship between different signal conditions, used to illustrate and clarify specific safety-related sequences of events and condition consistency.

4.5.4 STDA (STATE TRANSITION DIAGRAM ANALYSIS)


It analyzes a sequence performed by the system focusing only on the system conditions for state transitions due to safety-related signals regardless of the source of individual signals.

The safety-related parts of the control system are studied and a graphical state transition diagram is constructed that includes all safety-related states and all other states that can transition to the safety-related states. The state transition diagram shall model the system control structure. A recommendation is to apply the technique at a sufficiently high system level.

The result of this analysis gives:

- The order of interlocking events for initiating a safety-related action
- The conditions for the above mentioned events
- Possibilities of entering fail-safe states

This analysis technique is very suitable for HDL realized subsystems as any sequence process will be implemented as a physical state machine in the hardware.
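
A small interlock state machine of the kind this analysis is drawn from, as an added example that is not part of the original thesis (entity, port and state names are hypothetical). Its state transition diagram yields the three results listed above: the event order `request` then `confirm`, the condition on each transition, and a FAILSAFE state reachable from every state.

```vhdl
library ieee;
use ieee.std_logic_1164.all;

entity interlock_fsm is
  port (clk, rst_n : in  std_logic;
        request    : in  std_logic;   -- first interlocking event
        confirm    : in  std_logic;   -- second interlocking event
        self_test  : in  std_logic;   -- '1' = diagnostics healthy
        enable_out : out std_logic);  -- safety-related output
end entity interlock_fsm;

architecture rtl of interlock_fsm is
  type state_t is (IDLE, REQUESTED, ACTIVE, FAILSAFE);
  signal state : state_t := IDLE;
begin
  process (clk, rst_n)
  begin
    if rst_n = '0' then
      state <= IDLE;
    elsif rising_edge(clk) then
      if self_test = '0' then
        state <= FAILSAFE;               -- reachable from every state
      else
        case state is
          when IDLE =>                   -- confirm alone must not advance
            if request = '1' and confirm = '0' then state <= REQUESTED; end if;
          when REQUESTED =>
            if request = '0' then state <= IDLE;
            elsif confirm = '1' then state <= ACTIVE; end if;
          when ACTIVE =>
            if request = '0' or confirm = '0' then state <= IDLE; end if;
          when FAILSAFE =>
            null;                        -- left only by reset
        end case;
      end if;
    end if;
  end process;

  -- Output decoded from the state alone, so inputs reach it only
  -- through a state transition.
  enable_out <= '1' when state = ACTIVE else '0';
end architecture rtl;
```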

4.5.5 FMEA (FAILURE MODES AND EFFECTS ANALYSIS)


It identifies the possible sources of failure in the system components and determines the consequences in terms of system behavior due to the occurrence of these failures.

Failure modes and effects analysis is a bottom-up method that analyses potential failure modes and their causes and effects on system performance. To be able to perform an FMEA a predefined fault model has to be selected. The fault model defines how the system elements may fail in operation and how extensive the FMEA will become. The FMEA is not necessarily restricted to electronic hardware. It may equally be applied to e.g. firmware, communication protocols, mechanical systems, pneumatic systems or hydraulic systems.

4.5.5.1 DEFINING THE SCOPE OF THE ANALYSIS


Because the FMEA is a detailed analysis it usually becomes large. It is therefore necessary to extract only the parts of the system that are relevant for the analysis. The easiest way is to create a functional block diagram of the system and reduce the non safety-related blocks (FBA). The functional block diagram gives an overview of the system at a high system level. It is important to carefully study all interfaces between the blocks so that no safety-related signal is forgotten, which would exclude a safety-related part from the analysis. The result of the functional block diagram reduction should be documented and justified.

4.5.5.2 DETERMINING THE SYSTEM SUCCESS/FAILURE CRITERIA


The requirement for fault tolerance is defined by a product standard or as a result of a risk analysis and is often very general. It is recommended to translate the requirement into a criterion that is precisely defined for the actual safety functions in the system to be analyzed. It is also important to distinguish the different operational states of the system and how the requirement applies.

4.5.5.3 DEFINING THE FAILURE MODEL


The following aspects should be considered and documented before engaging the analysis:

- The environment in which the system is to be used
- The failure mode behavior with respect to time (transient, intermittent, permanent)
- The type of failure mode to be analyzed (random single failure, common cause failure, differential cause failure)
- The applicability of failure modes (whether some failure modes may be excluded; this is often mentioned in the product standards or component specific data sheets)

The failure model does not necessarily concern single components. An FMEA may as well be performed at a higher system level using failure modes that involve a group of components within subsystems.

4.6 METHODS FOR DYNAMIC ANALYSIS


Dynamic analysis proves that particular requirements are fulfilled by testing specific properties of a physical prototype or product. These techniques are used for the validation of a complete subsystem to show that the functional requirements concerning the system properties are fulfilled. The methods and techniques in this section are referred to as FIT (Fault Injection Testing) and SPT (System Property Testing). The performance of a dynamic method depends on the tool in use.

The result of this analysis is evidence that the requirements for the system behavior or system properties are fulfilled. The result is limited to the extent of the specification of the actual dynamic test procedure.

4.6.1 SIMULATION/TEST BENCHES


The VHDL design tools provide powerful means for simulating operation of all parts in a VHDL design and are therefore suitable in most stages of the design process. One example is the verification of state transitions in the V-model. Such tests shall be planned and performed according to the requirements. Test benches are VHDL models that act as the electronics surrounding the circuit in the VHDL simulation tool and that generate input signals and handle the corresponding output signals. These are very useful for verifying functional compliance with the system specification. From the test bench's point of view, the part of the design under test is treated as a black box. The detailed test bench design should be planned concurrently with the design.

- The verification result depends on the test bench design
- The results are retrieved from the simulator's ideal environment, which may lack influential factors from the physical environment (such as at-speed failures, specific environmental stresses or degradation in the circuit construction process)

4.6.2 ASIC EMULATION


ASIC emulation is similar to microprocessor emulation and is performed by applying an emulator pod to the application hardware platform and connecting that pod to a VHDL simulator environment. The emulation is a circuit simulation where the test bench in fact is the physical application platform.

4.6.3 FAULT INJECTION


Fault injection is a means of failure analysis where the fault is injected into the hardware and the consequence of the failure is directly analyzed in operation. There are several different means for injecting failures into the design and then analyzing the result of the failures. Different types of fault insertion are presented in the following sections.

4.6.3.1 DESIGN
The fault is injected by design modifications, e.g. forcing a signal to a certain value. The consequence of the fault is analyzed by simulation, emulation or during normal operation (when using ISP programmable logic). It is important to correctly restore the design after having analyzed a fault. This way of inserting the fault is passive. The inserted fault is a permanent fault.

4.6.3.2 SABOTEURS
A saboteur is a more or less complex device that injects a fault as a function of its input parameters, i.e. the fault injection is conditional. Examples of saboteurs may be:

- Replacing a certain package in a communication process with a faulty package
- Forcing the value in a register at a certain time
- Varying the persistence and moment of occurrence for a single fault

The saboteur may also be connected to the test bench, allowing automated parametrical fault injection. When using saboteurs the following should be considered:

- The effect on the normal operation of the system shall be minimized (e.g. a saboteur may prolong the delay time and hence falsely enhance the system's ability to detect the injected fault)
- It is important that the saboteur is correctly removed from the design after use.

The injected faults from a saboteur may be permanent, intermittent or transient and affect all functional system levels of the design.
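
A minimal saboteur and a self-checking test bench that drives it, as an added example that is not code from the original thesis. The two-channel stage under test, the signal names and the timing generics `T_START` and `T_HOLD` are assumptions made for illustration.

```vhdl
library ieee;
use ieee.std_logic_1164.all;
-- Saboteur: passes sig_in through unless the test bench asserts inject.
entity saboteur is
  port (sig_in    : in  std_logic;   -- healthy signal from the design
        inject    : in  std_logic;   -- '1' while the fault is active
        fault_val : in  std_logic;   -- value forced while injecting
        sig_out   : out std_logic);  -- what downstream logic sees
end entity saboteur;
architecture rtl of saboteur is
begin
  -- Combinational only, so the fault-free path gains no clocked delay.
  sig_out <= fault_val when inject = '1' else sig_in;
end architecture rtl;

library ieee;
use ieee.std_logic_1164.all;
-- Test bench: moment and persistence of the fault are generics.
entity tb_saboteur is
  generic (T_START : time := 100 ns; T_HOLD : time := 20 ns);
end entity tb_saboteur;

architecture sim of tb_saboteur is
  signal req, inject, fault_val : std_logic := '0';
  signal ch_a, ch_b, safe_out, mismatch : std_logic;
begin
  -- Saboteur sits in channel A; channel B is the untouched redundant path.
  sab : entity work.saboteur
    port map (sig_in => req, inject => inject,
              fault_val => fault_val, sig_out => ch_a);
  ch_b     <= req;
  safe_out <= ch_a and ch_b;   -- constructed stage: output needs both channels
  mismatch <= ch_a xor ch_b;   -- channel disagreement flag

  stimulus : process
  begin
    wait for T_START;                   -- fault-free reference period
    assert safe_out = '0' and mismatch = '0' report "bad idle state" severity failure;
    fault_val <= '1'; inject <= '1';    -- stuck-at-1 on channel A
    wait for T_HOLD;
    assert safe_out = '0' report "single fault reached output" severity failure;
    assert mismatch = '1' report "fault not flagged" severity failure;
    inject <= '0';                      -- remove fault, expect recovery
    wait for T_HOLD;
    assert mismatch = '0' report "channel A did not recover" severity failure;
    report "fault injection run passed";
    wait;
  end process stimulus;
end architecture sim;
```

Re-running the bench with different `T_START` and `T_HOLD` values varies the moment and persistence of the fault without touching the design under test.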

4.6.3.3 ENVIRONMENTAL INFLUENCES


In addition to the required environmental tests, further tests may be used for fault injection. Examples of environmental fault injection may be:

- Transient voltage injection on the system inputs (Power supply, Clock signal, I/O etc.)
- Heavy ion injection (injects a large amount of stochastic single point failures at a given time period)

These methods require a sample of the implemented system and the tests are not applicable if using e.g. a prototype implemented in a fine grained FPGA. The repeatability of these tests is low for detected failures and it is difficult to localize the fault that causes the failure. These methods should primarily be used on designs in which the safety function depends on the FPGA and as a complement to all other methods mentioned above.

CHAPTER 5 RESULTS

Figure 5.1: Result of Memory Resources and DIPs

Figure 5.2: Result of ADC

Figure 5.3: Result of DAC

Figure 5.3: Result of 1553B

Figure 5.4: Result of DOPs

Figure 5.5: Result of FLASH and NVRAM and PROM
