XILINX CONFIDENTIAL
Dr. Giulio Corradi (Senior System Architect ISM – Xilinx GmbH – Xilinx Inc.)
Mrs. Sylvia Waldhausen (Project Leader TÜV SÜD Rail GmbH)
Qualification of a Tool Chain for FPGA Development for IEC 61508 and ISO26262
Tool Qualification Symposium 2014; April 9 - 10 2014
Validas AG
München, Germany
Disclaimer
© Copyright 2011 Xilinx, Inc. All rights reserved. Xilinx, the Xilinx logo, and other designated brands included herein are trademark of Xilinx in the United States and other countries. All other trademarks are the property of their respective owners.
This file contains confidential and proprietary information of Xilinx, Inc. and is protected under U.S. and international copyright and other intellectual property laws.
DISCLAIMER
This disclaimer is not a license and does not grant any rights to the materials distributed herewith. Except as otherwise provided in a valid license issued to you by Xilinx, and to the maximum extent permitted by applicable law: (1) THESE MATERIALS ARE MADE
AVAILABLE "AS IS" AND WITH ALL FAULTS, WITHOUT ANY REPRESENTATION, WARRANTY, ASSURANCE OR GUARANTEE REGARDING THE ACCURACY, SUCCESS, OUTCOME, OR PERFORMANCE OF THE MATERIALS AND EXPRESSLY EXCLUDE ALL WARRANTIES AND CONDITIONS, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, OR FITNESS FOR ANY PARTICULAR PURPOSE; and (2) Xilinx shall not be liable
(whether in contract or tort, including negligence, or under any other theory of liability) for any loss or damage of any kind or nature related to, arising under or in connection with these materials, including for any direct, or any indirect, special, incidental, or
consequential loss or damage (including loss of data, profits, goodwill, or any type of loss or damage suffered as a result of any action brought by a third party) even if such damage or loss was reasonably foreseeable or Xilinx had been advised of the possibility of the
same.
CRITICAL APPLICATIONS
Xilinx products are not designed or intended to be fail-safe, or for use in any application requiring fail-safe performance, such as life-support or safety devices or systems, Class III medical devices, nuclear facilities, applications related to the deployment of airbags, or any other applications that could lead to death, personal injury, or severe property or environmental damage (individually and collectively, "Critical Applications"). Customer assumes the sole risk and liability of any use of Xilinx products in Critical Applications, subject only to applicable laws and regulations governing limitations on product liability.
THIS COPYRIGHT NOTICE AND DISCLAIMER MUST BE RETAINED AS PART OF THIS DOCUMENT AT ALL TIMES.
Xilinx Technology Evolution (figure)
Programmable Logic Devices enable programmable 'Logic': FPGA logic.
ALL Programmable Devices enable programmable systems 'Integration': FPGA, AMS, AMBA/ARM, 3D-IC and SerDes, covering algorithms, logic, SW on a microprocessor, AMS, I/O and protocols.
WHAT IS XILINX ALL PROGRAMMABLE? Accelerating Design Creation, Debug and Simplifying Reuse (figure)
Devices: Artix™-7, Kintex™-7 and Virtex®-7, a scalable array of logic, DSP, memory, analog, transceivers and clock systems; the ZYNQ-7000® ALL Programmable Platform (processors, FPGA, DSP, A/D).
Tool chains: ISE tool chain (XST, ngdbuild, map, par, trce, bitgen, Coregen, EDK, SysGen, 3rd party) and Vivado tool chain.
Plug & Play IP over AXI4 (data), AXI4 Streaming and AXI4 Lite: processor, AXI interconnect blocks, AXI DDR3 memory controller, DMA, timer, interrupt controller, flash interface, TEMAC.
Xilinx FPGA and Functional Safety Challenges: enabling immunity to common mode failures at the silicon level
– Basic SEU detection ("Bit flipped!")
– Integrated BRAM ECC
– Robust system test
– Accurate FIT rate calculation
– Configuration ECC
– Dual core fault tolerant
– XADC monitor
Zynq®-7000 All Programmable SoCs: the world's first All Programmable system on chip (block diagram)
Processing System: two Cortex™-A9 MPCore™ (32/32 KB I/D caches and a NEON™/FPU engine each), Snoop Control Unit (SCU), 512 KB L2 cache, 256 KB on-chip memory, timer counters, general interrupt controller, DMA, configuration, ARM® CoreSight™ multi-core and trace debug; AMBA® switches; 2x GigE, 2x USB and 2x SDIO (all with DMA); static memory controller (Quad-SPI, NAND, NOR); dynamic memory controller (DDR3, DDR2, LPDDR2); 2x SPI, 2x I2C, 2x CAN, 2x UART, GPIO; I/O MUX and MIO.
Programmable Logic: system gates, DSP, RAM, XADC, PCIe, multi-standard I/Os (3.3V and high-speed 1.8V), multi-gigabit transceivers.
PS/PL interfaces: M_AXI_GP0/1, S_AXI_GP0/1, S_AXI_HP0 to S_AXI_HP3, S_AXI_ACP, EMIO.
WHY XILINX IN SAFETY APPLICATIONS
Technical convenience
– Diversity is embedded naturally
– Safety functions often require ad-hoc design, which an FPGA offers
– Redundancy is easily implementable
– Safe upgradability in case of later modification via Design Preservation
Product convenience
– Behaves like an ASIC but is a standard product, "proven in use"
– Can scale with the application
– More than 15 years of published quarterly reliability reports
– Every chip is individually tested, always
Robust technology reliability
– Enhanced Design For Reliability (DFR) achieving FIT < 15
– Neutron test
WHERE IN SAFETY LOOP (figure)
Sensor → transmission → Logic Solver (CONTROL UNIT, implemented in an FPGA or FPGA / ZYNQ) → transmission → Final Element → PROCESS
Xilinx Solves Functional Safety Challenges
Reduce system cost and risk for functional safety designs
– Fewer components, lower risk of obsolescence
– Design Isolation and Verification flows (IDF/IVT) reduce the effort for subsequent certification of evolving implementations
Reduce development and certification time and risk
– Safety Manual and qualified tools lower the barrier to entry
– Reduces time and risk for assessor interaction and education
Increase productivity
– Safe/non-safe integration, and updates to non-safe functions
Proven compliance
• IEC 61508
• ISO 26262
Xilinx Deliverables for Functional Safety
Qualified safety data package
– Qualified tools (ISE 14.2) and methodology for safety designs with Xilinx FPGA
– Safety Manual, certificate and test report
• V-Model, QM and reliability data for devices
– Isolation Design Flow and Isolation Verification Flow
• Integrate but separate safe and non-safe applications in one device
• Reduce effort and risk of subsequent certifications
SEU mitigation IP
– Provides detection and correction of configuration upsets
Tools for FIT rate analysis
– FIT Rate calculator, Essential and Critical Bit analysis: reduce the FIT rate that has to be considered for safety applications
Power analysis tools
Xilinx and its supply chain are committed to quality and quality management
– ISO9000/QML/TL9000/TS16494
Coverage: IEC 61508 SIL1 to SIL3; ISO 26262 ASIL-A to ASIL-D
IEC61508 and the Safety Life Cycle: mitigation of risk to a defined tolerance
The safety life cycle has 16 phases, roughly divided
– Phases 1-5 address analysis
– Phases 6-13 address realization
– Phases 14-16 address operation
Central to the standard is risk identification and mitigation
– Risk is a function of the frequency of the hazardous event and the consequence severity
– Zero risk can never be reached
– Safety must be considered from the beginning
– Non-tolerable risks must be reduced
(figure: the overall safety life cycle)
1 Concept
2 Overall scope definition
3 Hazard & risk analysis
4 Overall safety requirements
5 Overall safety requirements allocation
Overall planning: 6 Overall operation & maintenance planning; 7 Overall safety validation planning; 8 Overall installation & commissioning planning
9 E/E/PE system safety requirements specification
10 E/E/PE safety-related systems: realization
11 Other risk reduction measures: specification and realisation
12 Overall installation & commissioning
13 Overall safety validation
14 Overall operation, maintenance and repair
15 Overall modification & retrofit
16 Decommissioning or disposal
Back to the appropriate overall safety lifecycle phase. A marker in the figure reads "Xilinx plays here".
REDUNDANCY SCHEMES
REDUNDANCY SCHEMES FPGA (figure)
Blocks: Safety Function (FPGA), Power Sequencer, Hardware Permissive, Firmware / Hardware Interlock. Signals: Input1, Input2, Output 1, Output 2, Reset, FPGA Ready, I/O & core voltages.
– The Power Sequencer feeds the Hardware Interlock directly to block FPGA outputs until power is stable
– The Power Sequencer feeds the FPGA to guarantee reliable reset operation during power-up and brown-outs
– The Hardware Permissive feeds the Hardware Interlock directly to block FPGA outputs until permitted
– The Hardware Permissive feeds the FPGA to hold off outputs while blocked by the Hardware Interlock
ANNEX E – Table E2 ON CHIP REDUNDANCY (figure)
FPGA with System Monitor: Safety Function | Separation | Non-Safety Function | Separation | Safety Function
Test Coverage and Characterization
SAFETY STANDARDS – WHERE XILINX PLAYS (figure; standards arranged by scope: HW/SW, HW, SW, System, Process)
– IEC 61508 generic
– IEC 60601 medical
– ISO 26262 automotive
– IEC 60730 home appliances
– IEC 61800 power drive systems
– IEC 62061 machinery
– IEC 60987 nuclear; IEC 62138 nuclear (software category B or C); IEC 60880 nuclear (software category A)
– IEC 62425 railway systems; IEC 62279 SW railway signalling; EN 50128 SW railway signalling; EN 50129 railway systems; EN 50126 railway RAMS
– IEC 61511 process industry
– ECSS Q60-02 space
– DO-254 avionics
Quantitative assessment of the safety-related system
Assess the failure rate
– Reliability modelling is needed to assess the failure rate or probability of failure on demand (PFD) of the safety-related element or elements in question. This can then be compared with the target set in Step 3.
• UG116 (Xilinx reliability data)
• FIT Calculator spreadsheet (Xilinx tool)
• Common Cause Failures (CCF)
Qualitative assessment against the SILs
Assess the systematic failures (software, process, design)
– The various requirements for limiting systematic failures become more onerous as the SIL increases. These cover many of the life-cycle activities.
• ISE toolchain: Xilinx qualified, no need of assessment
• IDF Isolation Design Flow: Xilinx qualified, no need of assessment
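As an added example (not from the presentation and not Xilinx's FIT calculator), the Python below carries the quantitative step through: a constructed configuration-memory FIT figure is scaled by essential-bit and critical-bit fractions, a diagnostic coverage is applied, and the resulting dangerous-undetected rate is turned into the simplified 1oo1 low-demand PFDavg and the high-demand PFH and placed in the IEC 61508 SIL bands. Every device number is a placeholder; real data comes from UG116.

```python
"""Added example (not Xilinx code): from a constructed FIT figure to a SIL band check.
IEC 61508 target failure measures and the simplified 1oo1 formula are as in the
standard; every device number below is a placeholder, not UG116 data."""
from dataclasses import dataclass

# IEC 61508-1 target failure measures per SIL: lower bound inclusive, upper exclusive.
SIL_PFD_LOW_DEMAND = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
SIL_PFH_HIGH_DEMAND = {4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}


@dataclass
class ConfigMemoryFit:
    config_bits: int            # configuration bits of the device (placeholder)
    fit_per_mbit: float         # soft-error FIT per Mbit of config memory (placeholder)
    essential_fraction: float   # share of bits the design actually depends on
    critical_fraction: float    # share of essential bits that can corrupt the safety function

    def raw_fit(self) -> float:
        return self.config_bits / 1e6 * self.fit_per_mbit

    def essential_fit(self) -> float:
        return self.raw_fit() * self.essential_fraction

    def critical_fit(self) -> float:
        return self.essential_fit() * self.critical_fraction


def dangerous_undetected_rate(fit: float, diagnostic_coverage: float) -> float:
    """lambda_DU in 1/h: 1 FIT = 1e-9 failures per hour; diagnostics (e.g. SEM IP)
    remove the detected share, so only (1 - DC) of the rate is dangerous-undetected."""
    return fit * 1e-9 * (1.0 - diagnostic_coverage)


def pfd_avg_1oo1(lambda_du: float, proof_test_interval_h: float) -> float:
    """Simplified IEC 61508-6 Annex B average PFD of a 1oo1 channel, MTTR neglected."""
    return lambda_du * proof_test_interval_h / 2.0


def sil_band(value: float, bands: dict) -> int:
    """Highest SIL whose band contains value; 0 if worse than SIL 1."""
    for sil in (4, 3, 2, 1):
        lo, hi = bands[sil]
        if lo <= value < hi:
            return sil
    return 0


def assess(dev: ConfigMemoryFit, diagnostic_coverage: float,
           proof_test_interval_h: float, target_sil: int) -> dict:
    """Compare raw, essential-bit and critical-bit FIT against the SIL target."""
    out = {}
    for label, fit in (("raw", dev.raw_fit()),
                       ("essential", dev.essential_fit()),
                       ("critical", dev.critical_fit())):
        lam_du = dangerous_undetected_rate(fit, diagnostic_coverage)
        pfd = pfd_avg_1oo1(lam_du, proof_test_interval_h)
        out[label] = {
            "fit": fit, "lambda_du": lam_du, "pfd_avg": pfd,
            "sil_low_demand": sil_band(pfd, SIL_PFD_LOW_DEMAND),
            "sil_high_demand": sil_band(lam_du, SIL_PFH_HIGH_DEMAND),
            "meets_target": sil_band(pfd, SIL_PFD_LOW_DEMAND) >= target_sil,
        }
    return out


# Constructed device: 30 Mbit of configuration memory at 100 FIT/Mbit (placeholders),
# 30 % essential bits of which 20 % are critical, DC = 0.9 assumed for the SEU
# mitigation IP, a one-year proof test interval and a SIL 3 target.
EXAMPLE = ConfigMemoryFit(30_000_000, 100.0, 0.30, 0.20)
RESULT = assess(EXAMPLE, diagnostic_coverage=0.9, proof_test_interval_h=8760.0, target_sil=3)

if __name__ == "__main__":
    for label, r in RESULT.items():
        print(f"{label:9s} FIT={r['fit']:7.1f} PFDavg={r['pfd_avg']:.2e} "
              f"SIL(low)={r['sil_low_demand']} SIL(high)={r['sil_high_demand']} "
              f"meets_target={r['meets_target']}")
```

With these placeholder numbers only the essential-bit and critical-bit figures reach the SIL 3 band, which is the effect the slide attributes to Essential and Critical Bit analysis.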
ASSESSMENT…the procedure requires methods (figure, for reference only)
COMMON MODE CAUSES (figure)
Common mode cause in the FPGA → mitigation:
– Configuration memory → SEM IP, readback
– Power supply → dual supply
– Reset & power sequencing → power sequencer
– Clock → duplicated clock
– I/O banks → different banks
FIT RATE CALCULATOR EXAMPLE (LX9 – Ethernet Powerlink for Motor Control) (figure)
DEVELOPMENT LIFECYCLE – IEC61508 (V-model figure: validated FPGA)
Development process (left branch): E/E/PES safety requirements specification; E/E/PES architecture; FPGA safety requirements specification; FPGA architecture; module design; FPGA design behavioural modelling; code generation; synthesis, placement and routing.
Verification process (right branch, each development output under test): post-layout simulation; module testing; module integration testing; verification of the complete FPGA; validation testing.
LEVELS OF CRITICALITY (taken from IEC61508-Part 4)
FPGA design flow overview
HW-COSIM completes the IEC61508 V model: it adds a double verification, (a) against the Xilinx libraries and (b) by chip execution (figure)
Design Creation: IP blocks, RTL coding, RTL + timing constraints screening
Design Synthesis: schematic editor, logical / physical synthesis, timing constraints, I/O assignment
Design Verification: functional simulation (RTL simulation, gate-level simulation, with back-annotation), static timing analysis, equivalence checking, power estimation, power analysis, debug / in-circuit verification
Design Implementation: floorplanning, place & route, bitstream generation
Device Programming: programming
With the technology libraries (Lib) and the chip itself as the two references, the figure states:
Prob_failure_Library * Prob_failure_Chip_Hwcosim < Prob_failure_Library
IP QUALITY - XILINX VERIFICATION INITIATIVE (XVI)
(figure: DUT, static checks, verification, sign-off, validation, delivery verification)
• Xilinx Verification Initiative (XVI)
• Standardization for logical and functional quality for IC design and IP development
• Open Verification Methodology
• A methodology to improve design and verification efficiency, verification data portability, and tool and VIP interoperability
• A class reference manual accompanied by an open-source SystemVerilog base class library implementation and a User Guide.
IP QUALITY - XVI: Test Coverage at Multiple Levels
• Open Verification Methodology
• Transaction coverage: coverage definition on the user-controlled parameters, usually defined in the transaction class and controlled through sequences
• Error coverage: coverage definition on the pre-defined error injection scenarios
• Protocol coverage: AXI handshake coverage
• Flow coverage: covers various features such as outstanding transactions, interleaving, write data before write address, etc.
IDF (Isolation Design Flow)
WHAT IS IT?
A two-part design flow to ensure functional separation
– ISOLATION
– ISOLATION VERIFICATION
Approved by NSA (US National Security Agency)
Approved by TÜV SÜD
– For IEC 61508
– And ISO 26262
Uses PlanAhead and floorplanning
ISOLATION AND TRUSTED ROUTING
Case | Random failure | Systematic failure | Diagnostic coverage | SIL 3 | IEC 61508-7 (clause)
SEU | Mitigated | - | High | R | A.3, A.7, A.8
Complete hardware redundancy | Mitigated | - | High | R | A.7.3
Diverse hardware | Mitigated | Mitigated | High | R | A.7.3 & B.1.4
Information redundancy | Mitigated | - | High | R | A.7.6
Code protection | - | - | High | M | A.6.2
Increase of interference immunity | Mitigated | Mitigated | High | M | A.11.3
How the Design Flow works: STANDARD FLOW and INDEPENDENT VERIFICATION ASSURANCE (figure)
FPGA development flow: Hardware Description Language and ISE settings → Synthesis → Translation → Mapping → Placement and Routing → Configuration Bitstream Generation (NCD produced after placement and routing).
IDF extras: floor planning constraints from the PlanAhead floor plan go into the UCF; IVT in UCF mode produces the UCF Isolation Analysis Report and the UCF Floor Plan Diagram; IVT in NCD mode runs on the routed NCD and produces the NCD Isolation Analysis Report and the NCD User Tile Diagram.
Design Preservation…manage the design
Use previous implementation results to preserve QoR for unchanged blocks
• Imported partitions are copied and pasted
• Implemented partitions are placed and routed
(figure: Initial Run and Incremental Run)
Final Results - View of Final Isolated Design in PlanAhead and FPGA Editor (figure)
Device utilization: Registers 18%, LUT 35%, SLICE 57%, I/O 23%, RAMB 59%, DSP48 55%, PLL 16%, BUFG 31%
Time to implement: 2 hrs.
Unroutes: 0
Timing score: 0
IDF Logical and Physical Ownership (figure)
Logical ownership: top_design.vhd, clock_gen.vhd, reg_A.vhd, reg_B.vhd, reg_C.vhd, reg_D.vhd.
Physical ownership: Isolated Region A (reg_A.vhd), Isolated Region B (reg_B.vhd), Isolated Region C (reg_C.vhd), Isolated Region D (reg_D.vhd), separated by FENCE tiles; the DCM and BUFG clock resources are marked in the fence area.
Isolated Design Flow General Introduction
Isolation Design Flow (IDF) is the software methodology that allows for physically isolating one module from another.
– Methodology backed by significant schematic analysis and software verification (IVT) to ensure elimination of single points of failure
(figure: Isolated Regions A (reg_A.vhd), B (reg_B.vhd), C (reg_C.vhd) and D (reg_D.vhd) separated by a FENCE; intra-region routes, inter-region routes, and the global logic route (clock tree))
IVT – UCF Mode Package Pin Checks
– Must have at least one row or column isolation between pin groups
– Package pin layout has three adjacency violations
– Note: three violations in two locations, not visible in device view
(figure: typical package layout with pins J21, H20, R23, P23 and R24 assigned to groups A and B)
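An added example (not Xilinx's IVT) of the UCF-mode package pin check in Python. It assumes JEDEC BGA row lettering (I, O, Q, S, X, Z skipped, AA after Y), treats pins of different isolation groups as adjacent when they touch in a row, column or diagonal (an assumption about how the rule is applied), and uses a constructed assignment of J21, H20, P23, R23 and R24 to groups A and B that reproduces the slide's three violations in two locations.

```python
"""Added example (not Xilinx's IVT): package-pin adjacency check for isolated pin groups.
Assumptions: JEDEC BGA row lettering, and diagonal neighbours count as adjacent."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

ROW_LETTERS = "ABCDEFGHJKLMNPRTUVWY"          # JEDEC BGA rows: I, O, Q, S, X, Z skipped
PIN_RE = re.compile(r"^([A-Z]{1,2})(\d+)$")


def pin_coord(pin: str) -> Tuple[int, int]:
    """'H20' -> (8, 20); two-letter rows continue after Y, so 'AA1' -> (21, 1)."""
    m = PIN_RE.match(pin)
    if not m:
        raise ValueError(f"malformed pin name {pin!r}")
    row, col = m.groups()
    r = 0
    for ch in row:
        if ch not in ROW_LETTERS:
            raise ValueError(f"{pin!r}: row letter {ch!r} is not a BGA row")
        r = r * len(ROW_LETTERS) + ROW_LETTERS.index(ch) + 1
    return r, int(col)


def adjacent(a: str, b: str) -> bool:
    """True when two pins touch in row, column or diagonal (Chebyshev distance <= 1)."""
    (r1, c1), (r2, c2) = pin_coord(a), pin_coord(b)
    return a != b and max(abs(r1 - r2), abs(c1 - c2)) <= 1


def find_violations(groups: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Pairs of pins from different groups with no free row or column between them."""
    owner: Dict[str, str] = {}
    for group, pins in groups.items():
        for p in pins:
            if p in owner and owner[p] != group:
                raise ValueError(f"{p} is claimed by both {owner[p]} and {group}")
            owner[p] = group
    pins = sorted(owner)
    return [(a, owner[a], b, owner[b])
            for i, a in enumerate(pins) for b in pins[i + 1:]
            if owner[a] != owner[b] and adjacent(a, b)]


def violation_locations(violations) -> List[List[str]]:
    """Cluster violating pins that touch each other: one cluster per 'location'."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, _, b, _ in violations:
        parent[find(a)] = find(b)
    clusters = defaultdict(set)
    for a, _, b, _ in violations:
        clusters[find(a)].update((a, b))
    return sorted(sorted(c) for c in clusters.values())


# Constructed assignment of the slide's pins to two isolation groups.
EXAMPLE_GROUPS = {"A": ["J21", "P23"], "B": ["H20", "R23", "R24"]}

if __name__ == "__main__":
    v = find_violations(EXAMPLE_GROUPS)
    print(f"{len(v)} adjacency violations in {len(violation_locations(v))} locations")
    for a, ga, b, gb in v:
        print(f"  {a} ({ga}) touches {b} ({gb})")
```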
LOCK-STEP
Diversity
DIVERSITY
• PL + PS
• PL + MicroBlaze + PS
• PL + PS + MB_Lock_Step
(figure: PS, PL, MicroBlaze, MicroBlaze Lock-Step)
LOCK-STEP CONCEPT
In a lock-step architecture two processors, the master and the checker, execute the same code while strictly synchronized.
The master accesses the system memory and drives all system outputs.
The checker continuously executes the instructions fetched by the master processor.
The outputs produced by the checker, both addresses and data, feed the compare logic (monitor).
The compare logic checks the consistency of the master and checker data, address and control lines.
Disagreement on the value of any pair of duplicated bus lines reveals a fault on either CPU, without giving the chance to identify the faulty CPU.
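As an added example (not Xilinx's comparator IP), the Python below models the compare logic described above: both cores replay the same constructed bus trace, an upset can be injected on either core's address, data or control lines, and the comparator reports the cycle and the line group that disagree. A fault on the master and the same fault on the checker produce an identical report, which is the point made above: the fault is revealed but not attributed.

```python
"""Added example (not Xilinx code): behavioural model of the lock-step compare logic.
The bus trace is constructed; it stands in for the instruction stream both cores run."""
from dataclasses import dataclass, replace
from typing import List, Optional

LINES = ("addr", "data", "ctrl")   # the duplicated bus line groups the comparator watches


@dataclass(frozen=True)
class BusCycle:
    addr: int
    data: int
    ctrl: int   # control lines packed into a bit field (constructed encoding)


@dataclass(frozen=True)
class Fault:
    core: str    # "master" or "checker"
    cycle: int   # clock cycle at which the upset lands
    line: str    # one of LINES
    mask: int    # bits flipped by the upset


# Constructed trace: what both cores drive cycle by cycle when nothing goes wrong.
PROGRAM: List[BusCycle] = [
    BusCycle(0x1000, 0x00000001, 0b01),
    BusCycle(0x1004, 0x000000FF, 0b01),
    BusCycle(0x2000, 0xDEADBEEF, 0b10),
    BusCycle(0x2004, 0x00000000, 0b10),
]


def run_core(trace: List[BusCycle], name: str, fault: Optional[Fault]) -> List[BusCycle]:
    """Replay the trace as this core; apply the fault only if it targets this core."""
    out = []
    for i, cyc in enumerate(trace):
        if fault and fault.core == name and fault.cycle == i:
            cyc = replace(cyc, **{fault.line: getattr(cyc, fault.line) ^ fault.mask})
        out.append(cyc)
    return out


def compare(master: List[BusCycle], checker: List[BusCycle]) -> Optional[dict]:
    """Compare logic: first cycle on which any duplicated line pair disagrees.
    The report names the cycle and the lines, never which CPU is wrong."""
    for i, (m, c) in enumerate(zip(master, checker)):
        bad = [ln for ln in LINES if getattr(m, ln) != getattr(c, ln)]
        if bad:
            return {"cycle": i, "lines": bad}
    return None


def run_lockstep(trace: List[BusCycle], fault: Optional[Fault] = None) -> dict:
    """Run master and checker in lock-step; system outputs come from the master only."""
    master = run_core(trace, "master", fault)
    checker = run_core(trace, "checker", fault)
    report = compare(master, checker)
    return {"error": report is not None, "report": report, "outputs": master}


if __name__ == "__main__":
    print(run_lockstep(PROGRAM))
    print(run_lockstep(PROGRAM, Fault("checker", 2, "data", 0x1)))
    print(run_lockstep(PROGRAM, Fault("master", 2, "data", 0x1)))
```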
Lockstep Microblaze Block Diagram
LOCK-STEP XILINX IMPLEMENTATION
The fault tolerance features included in MicroBlaze:
– Enabled with C_FAULT_TOLERANT
– Error detection for internal block RAMs
– Support for Error Detection and Correction (ECC) in LMB block RAMs
– All soft errors in block RAMs are detected and corrected
Protected parts
– Instruction and data cache
– MMU unified Translation Look-Aside Buffer
– Branch target cache
– Exception handling
Scrubbing support
– To ensure that bit errors are not accumulated in block RAMs, they must be periodically scrubbed
– microblaze_scrub() is the function to check memory integrity
LOCK-STEP APPLICATIONS
Lockstep MicroBlaze Block Diagram: SPARTAN 6 LX150T Development Board, SPARTAN 6 LX150T FGG676-3 (figure)
Isolated functions: Primary MicroBlaze (MB0 Top) and Secondary MicroBlaze (MB1 Top), each with its own D/I LMB RAMs (data, instruction); Primary MicroBlaze Comparator (MB0 Comparator Top) and Secondary MicroBlaze Comparator (labelled MB0 Comparator Top in the figure); Peripherals (Peripherals Top): MB interrupt controller, MB debug module / ChipScope (debug only), lockstep master bus (debug only), timer, timebase, BRAM, DDR3-SDRAM I/F, RS232 I/F, linear flash I/F, board push buttons I/F, board DIP switches I/F, board LED I/F; system reset.
Board resources: 128 MB DDR3-SDRAM, 32 MB parallel flash, USB/RS232 converter, 8 LEDs, 3 push buttons, 8 DIP switches.
Buses and signals: AXI4 (AXI full bus, AXI outputs), AXI4-Lite (AXI Lite full bus, AXI Lite outputs), reset, MB0 outputs, MB1 outputs, MB interrupts, comparator errors.
Current Floorplan
LOCK-STEP MOTOR CONTROL APPLICATIONS
Diego Quagreda (QDESYS) + Trevor Hardcastle (Xilinx)
The LX150T Design
7 functionally and physically isolated functions:
1. First MicroBlaze (Primary)
• Existing MicroBlaze with local instruction and data memory
2. Second MicroBlaze (Secondary)
• New MicroBlaze that is an exact copy of the first, with its own local instruction and data memory
3. First MicroBlaze Comparator
• Compares outputs of the first and second MicroBlazes cycle for cycle
• Error output is routed to an on-board LED connection
• Comparator is added to the design
4. Second MicroBlaze Comparator (redundant to the first)
• Compares outputs of the first and second MicroBlazes cycle for cycle
• Error output is routed to an on-board LED connection
• Comparator is added to the design
5. MicroBlaze Peripherals
• Contains the existing AXI interconnect and all the basic and command and control AXI peripherals
6. Avnet Motor FMC Driver and 2 FOC Cores
• Contains the FMC driver and 2 FOCs for the Avnet Motor Control Board
• Existing components grouped together
7. NetMot Board Driver and 2 FOC Cores
• Contains the FMC driver and 2 FOCs for the Avnet Motor Control Board
• Existing components grouped together
Updated LX150T Design Block Diagram
References
– XAPP1086: Developing Secure and Reliable Single FPGA Designs With Xilinx 7 Series FPGAs using Isolation Design Flow, http://www.xilinx.com/support/documentation/application_notes/xapp1086-secure-single-fpga-using-7s-idf.pdf
– WP412: The Xilinx Isolation Design Flow for Fault-Tolerant Systems, http://www.xilinx.com/support/documentation/white_papers/wp412_IDF_for_Fault_Tolerant_Sys.pdf
– UG116: Xilinx quarterly device reliability report, http://www.xilinx.com/support/documentation/user_guides/ug116.pdf
– Dual-Core Lock-Step Motor Control via Isolation Design Flow (send e-mail to [email protected], [email protected])
– XAPP1085: 7-series Isolation Design Flow Lab using ISE Design Suite 14.4, http://www.xilinx.com/support/documentation/application_notes/xapp1085-7s-isolation-design-flow-ise-14-4.pdf
– XAPP1104: Implementation of a Fail-Safe Design in the Spartan-6 Family, http://www.xilinx.com/support/documentation/application_notes/xapp1104_S6FailSafe_Design.pdf
– XAPP1105: Single Chip Crypto Lab Using PR/ISO Flow, http://www.xilinx.com/support/documentation/application_notes/xapp1105_V5SCC_PRISO.pdf
– XAPP1134: Developing Secure Designs Using the Virtex-5 Family
– XAPP1145: Developing Secure Designs with the Spartan-6 Family Using the Isolation Design Flow, http://www.xilinx.com/support/documentation/application_notes/xapp1145_S6Secure_Designs.pdf
Summary
– Integration in one device and redundancy by isolation are no contradiction
– Xilinx provides a TÜV-certified solution for functional safety according to IEC 61508 and ISO 26262 with the Isolation Design Flow
– Over 15 years of published quarterly reliability reports and the FIT rate calculator tool from Xilinx let you determine the reliability safely