XILINX CONFIDENTIAL

Qualification of a Tool Chain for FPGA Development for IEC 61508 and ISO26262

Dr. Giulio Corradi (Senior System Architect ISM – Xilinx GmbH – Xilinx Inc.)
Mrs. Sylvia Waldhausen (Project Leader TÜV SÜD Rail GmbH)

Tool Qualification Symposium 2014; April 9 - 10 2014
Validas AG, München, Germany

Page 2: Disclaimer

© Copyright 2011 Xilinx, Inc. All rights reserved. Xilinx, the Xilinx logo, and other designated brands included herein are trademarks of Xilinx in the United States and other countries. All other trademarks are the property of their respective owners.

This file contains confidential and proprietary information of Xilinx, Inc. and is protected under U.S. and international copyright and other intellectual property laws.

DISCLAIMER

This disclaimer is not a license and does not grant any rights to the materials distributed herewith. Except as otherwise provided in a valid license issued to you by Xilinx, and to the maximum extent permitted by applicable law: (1) THESE MATERIALS ARE MADE AVAILABLE "AS IS" AND WITH ALL FAULTS, WITHOUT ANY REPRESENTATION, WARRANTY, ASSURANCE OR GUARANTEE REGARDING THE ACCURACY, SUCCESS, OUTCOME, OR PERFORMANCE OF THE MATERIALS AND EXPRESSLY EXCLUDE ALL WARRANTIES AND CONDITIONS, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, OR FITNESS FOR ANY PARTICULAR PURPOSE; and (2) Xilinx shall not be liable (whether in contract or tort, including negligence, or under any other theory of liability) for any loss or damage of any kind or nature related to, arising under or in connection with these materials, including for any direct, or any indirect, special, incidental, or consequential loss or damage (including loss of data, profits, goodwill, or any type of loss or damage suffered as a result of any action brought by a third party) even if such damage or loss was reasonably foreseeable or Xilinx had been advised of the possibility of the same.

CRITICAL APPLICATIONS

Xilinx products are not designed or intended to be fail-safe, or for use in any application requiring fail-safe performance, such as life-support or safety devices or systems, Class III medical devices, nuclear facilities, applications related to the deployment of airbags, or any other applications that could lead to death, personal injury, or severe property or environmental damage (individually and collectively, "Critical Applications"). Customer assumes the sole risk and liability of any use of Xilinx products in Critical Applications, subject only to applicable laws and regulations governing limitations on product liability.

THIS COPYRIGHT NOTICE AND DISCLAIMER MUST BE RETAINED AS PART OF THIS DOCUMENT AT ALL TIMES.

Page 3: Xilinx Technology Evolution

[Figure: Programmable Logic Devices enable programmable 'Logic' (FPGA); ALL Programmable Devices enable programmable systems 'Integration' (FPGA, AMS, AMBA, ARM, 3D-IC, SerDes), covering algorithms, logic, software, microprocessor, AMS, I/O and protocols.]

Page 4: What is Xilinx ALL Programmable? Accelerating design creation, debug and simplifying reuse

[Figure: ALL Programmable Platform. 7 series families Artix-7, Kintex-7 and Virtex-7 (scalable array of logic, DSP, memory, analog, transceivers, clock systems) and Zynq-7000. ISE tool chain (XST, ngdbuild, map, par, trce, bitgen, Coregen, EDK, SysGen, 3rd party) shown alongside the Vivado tool chain. Plug & play IP connected over AXI4, AXI4 Streaming and AXI4 Lite through AXI Interconnect blocks: processor, AXI DDR3 memory controller, DMA, timer, interrupt controller, flash interface, TEMAC; processors, FPGA, DSP, A/D.]

Page 5: Xilinx FPGA and Functional Safety Challenges: enabling immunity to common mode failures at the silicon level

[Figure: "Bit Flipped!" with the silicon-level measures listed below.]

• Basic SEU detection
• Integrated BRAM ECC
• Robust system test
• Accurate FIT rate calculation
• Configuration ECC
• Dual core fault tolerant
• XADC monitor

Page 6: Zynq-7000 All Programmable SoCs: the world's first All Programmable system on chip

[Figure: Zynq-7000 block diagram. Processing System: two Cortex-A9 MPCore cores with 32/32 KB I/D caches and NEON/FPU engines, Snoop Control Unit (SCU), 512 KB L2 cache, 256 KB on-chip memory, timer counters, general interrupt controller, DMA, configuration, ARM CoreSight multi-core and trace debug; dynamic memory controller (DDR3, DDR2, LPDDR2), static memory controller (Quad-SPI, NAND, NOR); 2x GigE, 2x USB and 2x SDIO with DMA, 2x SPI, 2x I2C, 2x CAN, 2x UART, GPIO; AMBA switches, I/O MUX, MIO. Programmable Logic: system gates, DSP, RAM, XADC, PCIe, multi-gigabit transceivers, multi-standard I/Os (3.3V and high-speed 1.8V). PS/PL interfaces: M_AXI_GP0/1, S_AXI_GP0/1, S_AXI_HP0-3, S_AXI_ACP, EMIO.]

Page 7: Why Xilinx in Safety Applications

Technical convenience
  – Diversity is embedded naturally
  – Safety functions often require ad-hoc design, and FPGAs offer it
  – Redundancy is easily implementable
  – Safe upgradability in case of later modification via Design Preservation

Product convenience
  – Behaves like an ASIC but is a standard product "proven in use"
  – Can scale with the application
  – More than 15 years of published quarterly reliability reports
  – Every chip is individually tested, always

Robust technology reliability
  – Enhanced Design For Reliability (DFR) achieving FIT < 15
  – Neutron test

Page 8: Where in the Safety Loop

[Figure: safety loop. Sensor → transmission → Control Unit (Logic Solver: FPGA / Zynq) → transmission → Final Element → Process.]

Page 9: Xilinx Solves Functional Safety Challenges

Reduce system cost and risk for functional safety designs
  – Fewer components, lower risk of obsolescence
  – Design Isolation and Verification flows (IDF/IVT) reduce the effort for subsequent certification of evolving implementations

Reduce development and certification time and risk
  – Safety Manual and qualified tools lower the barrier of entry
  – Reduces time and risk for assessor interaction and education

Increase productivity
  – Safe/non-safe integration and updates to non-safe functions

Proven compliance
  • IEC61508
  • ISO26262

Page 10: Xilinx Deliverables for Functional Safety

Qualified safety data package
  – Qualified tools (ISE 14.2) and methodology for safety designs with Xilinx FPGA
  – Safety Manual, certificate and test report
    • V-Model, QM and reliability data for devices
  – Isolation Design Flow and Isolation Verification Flow
    • Integrate but separate safe and non-safe applications in one device
    • Reduce effort and risk of subsequent certifications

SEU mitigation IP
  – Provides detection and correction of configuration upsets

Tools for FIT rate analysis
  – FIT Rate calculator, Essential and Critical Bit analysis: reduce the FIT rate to be considered for safety applications

Power analysis tools

Xilinx and supply chain committed to quality and quality management
  – ISO9000/QML/TL9000/TS16494

Covered: IEC 61508 SIL1 to SIL3; ISO 26262 ASIL-A to ASIL-D

Page 11: IEC61508 and the Safety Life Cycle: mitigation of risk to a defined tolerance

The safety life cycle has 16 phases, roughly divided as follows:
  – Phases 1-5 address analysis
  – Phases 6-13 address realization
  – Phases 14-16 address operation

Central to the standard is risk identification and mitigation
  – Risk is a function of the frequency of the hazardous event and the consequence severity
  – Zero risk can never be reached
  – Safety must be considered from the beginning
  – Non-tolerable risks must be reduced

[Figure: IEC 61508 overall safety lifecycle. 1 Concept; 2 Overall scope definition; 3 Hazard & risk analysis; 4 Overall safety requirements; 5 Overall safety requirements allocation; overall planning: 6 Overall operation & maintenance planning, 7 Overall safety validation planning, 8 Overall installation & commissioning planning; 9 E/E/PE system safety requirements specification; 10 E/E/PE safety-related systems realization; 11 Other risk reduction measures specification and realisation; 12 Overall installation & commissioning; 13 Overall safety validation; 14 Overall operation, maintenance and repair; 15 Overall modification & retrofit; 16 Decommissioning or disposal; "back to appropriate overall safety lifecycle phase". Label: "Xilinx plays here".]

Page 12: Redundancy Schemes

Page 13: Redundancy Schemes (FPGA)

• Power Sequencer feeds the Hardware Interlock directly to block FPGA outputs until power is stable
• Power Sequencer feeds the FPGA to guarantee reliable reset operation during power-up and brown-outs
• Hardware Permissive feeds the Hardware Interlock directly to block FPGA outputs until permitted
• Hardware Permissive feeds the FPGA to hold off outputs while blocked by the Hardware Interlock

[Figure: Power Sequencer (I/O & core voltages, Reset, FPGA Ready) and Hardware Permissive feed both the FPGA (Safety Function, Firmware/Hardware Interlock, Input 1, Input 2) and the external Hardware Interlock that gates Output 1 and Output 2.]

Page 14: Annex E, Table E2: On-Chip Redundancy

[Figure: a System Monitor watching an FPGA that holds a Safety Function, a Non-Safety Function and a second Safety Function, each kept apart by a Separation region.]

Page 15: Test Coverage and Characterization

Page 16: Safety Standards: Where Xilinx Plays

[Figure: standards arranged by scope: HW/SW, HW, SW, System, Process.]

• IEC61508 generic
• IEC60601 medical
• ISO26262 automotive
• IEC60730 home appliances
• IEC61800 power drive systems
• IEC62061 machinery
• IEC60987 nuclear
• IEC62138 nuclear (software category B or C)
• IEC60880 nuclear (software category A)
• IEC62425 railway systems
• IEC62279 SW railway signalling
• EN50128 SW railway signalling
• EN50129 railway systems
• EN50126 railway RAMS
• IEC61511 process industry
• ECSS Q60-02 space
• DO-254 avionics

Page 17: Quantitative and Qualitative Assessment

Quantitative assessment of the safety-related system
  – Assess the failure rate: reliability modeling is needed to assess the failure rate or probability of failure on demand (PFD) of the safety-related element or elements in question. This can then be compared with the target set in Step 3.
    • UG116 (Xilinx Reliability Data)
    • FIT Calculator Spreadsheet (Xilinx tool)
    • Common Cause Failures (CCF)

Qualitative assessment against the SILs
  – Assess the systematic failures (software, process, design): the various requirements for limiting systematic failures are more onerous as the SIL increases. These cover many of the life-cycle activities.
    • ISE Toolchain = Xilinx qualified, no need of assessment
    • IDF Isolation Design Flow = Xilinx qualified, no need of assessment

Page 18: Assessment: the procedure requires methods (for reference only)

Page 19: Common Mode Causes

[Figure: common mode causes in an FPGA design and the mitigation shown for each.]
  – Configuration memory: SEM IP, readback
  – Power supply: dual supply
  – Reset & power sequencing: power sequencer
  – Clock: duplicated clock
  – I/O banks: different banks

Page 20: FIT Rate Calculator Example (LX9, Ethernet Powerlink for Motor Control)

Page 21: Redundancy Schemes

Page 22: Redundancy Schemes (same content as Page 13)

Page 23: Development Lifecycle, IEC61508 (Validated FPGA)

[Figure: V-model. Development process: E/E/PES safety requirements specification → E/E/PES architecture → FPGA safety requirements specification → FPGA architecture → module design → FPGA design behavioural modelling → code generation → synthesis, placement and routing. Verification process (output / test): post-layout simulation, module testing, module integration testing, verification of complete FPGA, validation testing.]

Page 24: Levels of Criticality (taken from IEC61508-Part 4)

Page 25: FPGA design flow overview

Page 26: HW-COSIM completes the IEC61508 V model (adds double verification: (a) Xilinx libraries and (b) chip execution)

[Figure: design flow with the stages Design Creation, Design Synthesis, Design Verification, Design Implementation and Device Programming. Steps shown: IP blocks, RTL coding, RTL + timing constraints screening, schematic editor, technology libraries, timing constraints, logical/physical synthesis, power estimation, equivalence checking, functional simulation (RTL simulation), functional simulation (gate-level simulation), functional simulation (with back-annotation), static timing analysis, power analysis, debug/in-circuit verification, I/O assignment, floorplanning, place & route, bitstream generation, programming. Verification path: Lib → Lib → Chip.]

Prob_failure_Library * Prob_failure_Chip_Hwcosim < Prob_failure_Library

Assuming the two checks fail independently, the probability that a defect escapes both the library-based verification and execution on the chip is the product of the two probabilities, which is lower than the library-only figure.

Page 27: IP Quality: Xilinx Verification Initiative (XVI)

[Figure: verification flow around the DUT: static checks, verification, sign-off, validation, delivery verification.]

• Xilinx Verification Initiative (XVI)
  • Standardization for logical and functional quality for IC design and IP development
• Open Verification Methodology
  • A methodology to improve design and verification efficiency, verification data portability, and tool and VIP interoperability
  • A class reference manual accompanied by an open-source SystemVerilog base class library implementation and a User Guide

Page 28: IP Quality: XVI, Test Coverage at Multiple Levels

• Open Verification Methodology
  • Transaction coverage: coverage definition on the user-controlled parameters, usually defined in the transaction class and controlled through sequences
  • Error coverage: coverage definition on the pre-defined error injection scenarios
  • Protocol coverage: AXI handshake coverage
  • Flow coverage: covers various features such as outstanding transactions, interleaving, write data before write address, etc.

Page 29: IDF (Isolation Design Flow)

Page 30: Isolation and Trusted Routing: What is it?

• A two-part design flow to ensure functional separation
  – Isolation
  – Isolation verification
• Approved by NSA (US National Security Agency)
• Approved by TÜV SÜD
  – For IEC61508
  – And ISO26262
• Uses PlanAhead and floorplanning

Case                               Random failure   Systematic failure   Diagnostic coverage   SIL 3   IEC 61508-7 (clause)
SEU                                Mitigated        -                    High                  R       A.3, A.7, A.8
Complete hardware redundancy       Mitigated        -                    High                  R       A.7.3
Diverse hardware                   Mitigated        Mitigated            High                  R       A.7.3 & B.1.4
Information redundancy             Mitigated                             High                  R       A.7.6
Code protection                                                          High                  M       A.6.2
Increase of interference immunity  Mitigated        Mitigated            High                  M       A.11.3

Page 31: How the Design Flow Works: Standard Flow, Independent Verification Assurance

[Figure: FPGA development flow with IDF extras. Standard flow: Hardware Description Language and ISE settings → Synthesis → Translation → Mapping → Placement and Routing (NCD*) → Configuration Bitstream Generation. IDF extras: Floor Plan (PlanAhead) producing floor planning constraints; IVT in UCF mode producing the UCF Isolation Analysis Report and the UCF Floor Plan Diagram; IVT in NCD mode producing the NCD Isolation Analysis Report and the NCD User Tile Diagram.]

Page 32: Design Preservation: manage the design

Use previous implementation results to preserve QoR for unchanged blocks
  • Imported Partitions are copied and pasted
  • Implemented Partitions are placed and routed

[Figure: Initial Run vs. Incremental Run.]

Page 33: Final Results: View of Final Isolated Design in PlanAhead and FPGA Editor

Device utilization
  Registers   18%
  LUT         35%
  SLICE       57%
  I/O         23%
  RAMB        59%
  DSP48       55%
  PLL         16%
  BUFG        31%

Time to implement: 2 hrs.
Unroutes: 0
Timing score: 0

[Figure: PlanAhead and FPGA Editor views of the isolated design.]

Page 34: IDF Logical and Physical Ownership

[Figure: Physical ownership: Isolated Region A (reg_A.vhd), Isolated Region B (reg_B.vhd), Isolated Region C (reg_C.vhd) and Isolated Region D (reg_D.vhd) separated by fences, with the DCM and BUFG of clock_gen.vhd. Logical ownership: top_design.vhd containing clock_gen.vhd, reg_A.vhd, reg_B.vhd, reg_C.vhd and reg_D.vhd.]

Page 35: Isolated Design Flow General Introduction

Isolation Design Flow (IDF) is the software methodology that allows one module to be physically isolated from another.
  – Methodology backed by significant schematic analysis and software verification (IVT) to ensure the elimination of single points of failure

[Figure: Isolated Regions A, B, C and D (reg_A.vhd, reg_B.vhd, reg_C.vhd, reg_D.vhd) separated by fences, showing the global logic route (clock tree), intra-region routes and inter-region routes.]

Page 36: IVT, UCF Mode: Package Pin Checks

• Must have at least one row or column of isolation between pin groups
• Package pin layout has three adjacency violations
• Note: three violations in two locations, not visible in the device view

[Figure: typical package layout with pin groups A and B; pins J21, H20, R23, P23 and R24 marked.]
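An added illustration of the rule on this slide, not the IVT tool's own code: it parses BGA pin names into row and column, flags every cross-group pair with no free row or column between it (diagonal neighbours included) and clusters the violations into locations. The split of the slide's pins J21, H20, R23, P23 and R24 into groups A and B is constructed so that it reproduces the slide's "three violations in two locations"; check_pin_isolation, parse_pin and the single-letter row table are assumptions.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Row letters of common BGA packages: I, O, Q, S, X and Z are skipped, so H/J
 * and P/R are physically adjacent rows. Single-letter rows only (assumption). */
static const char *ROW_LETTERS = "ABCDEFGHJKLMNPRTUVWY";

typedef struct { const char *pin; char group; } pin_assign;   /* "J21" in group 'A' */
typedef struct { int row, col; } pin_pos;
typedef struct { bool valid; unsigned violations, locations; } pin_report;

/* "J21" -> row index of J, column 21. Returns false on a malformed name. */
static bool parse_pin(const char *pin, pin_pos *out)
{
    if (pin[0] == '\0') return false;
    const char *r = strchr(ROW_LETTERS, pin[0]);
    if (!r) return false;
    char *end;
    long col = strtol(pin + 1, &end, 10);
    if (end == pin + 1 || *end != '\0' || col < 1) return false;
    out->row = (int)(r - ROW_LETTERS);
    out->col = (int)col;
    return true;
}

/* IVT rule: pins of different groups need at least one empty row or column
 * between them, so any touching pair, diagonals included, is a violation. */
static bool touching(pin_pos a, pin_pos b)
{
    return abs(a.row - b.row) <= 1 && abs(a.col - b.col) <= 1;
}

static int uf_find(int *parent, int i)           /* union-find for clustering */
{
    while (parent[i] != i) i = parent[i] = parent[parent[i]];
    return i;
}

#define MAX_PINS 64

/* Checks every cross-group pair. Reports the number of violating pairs and
 * the number of distinct clusters of touching pins (the slide's "locations"). */
static pin_report check_pin_isolation(const pin_assign *pins, int n)
{
    pin_pos pos[MAX_PINS];
    int parent[MAX_PINS], involved[MAX_PINS] = {0};
    pin_report r = {false, 0, 0};
    if (n > MAX_PINS) return r;
    for (int i = 0; i < n; i++) {
        parent[i] = i;
        if (!parse_pin(pins[i].pin, &pos[i])) return r;   /* malformed name */
    }
    for (int i = 0; i < n; i++)
        for (int j = i + 1; j < n; j++) {
            if (pins[i].group == pins[j].group || !touching(pos[i], pos[j])) continue;
            r.violations++;
            involved[i] = involved[j] = 1;
            int ri = uf_find(parent, i), rj = uf_find(parent, j);
            if (ri != rj) parent[ri] = rj;
        }
    for (int i = 0; i < n; i++)
        if (involved[i] && uf_find(parent, i) == i) r.locations++;
    r.valid = true;
    return r;
}

/* Constructed assignment: the slide names these pins but not their groups;
 * this split reproduces its "three violations in two locations". */
static const pin_assign sample_pins[] = {
    {"J21", 'A'}, {"R23", 'A'},
    {"H20", 'B'}, {"P23", 'B'}, {"R24", 'B'},
    {"A1", 'A'}, {"C3", 'B'},        /* one free row and column apart: allowed */
};

static pin_report sample_report(void)
{
    return check_pin_isolation(sample_pins, (int)(sizeof sample_pins / sizeof sample_pins[0]));
}
```

J21/H20 touch diagonally across adjacent rows H and J, and R23 touches both P23 (row above, Q is skipped) and R24 (next column), which is where the three violations and two locations come from.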

Page 37: Lock-Step / Diversity

Page 38: Diversity

• PL + PS
• PL + MicroBlaze + PS
• PL + PS + MB_Lock_Step

[Figure: PS, PL, MicroBlaze, MicroBlaze lock-step.]

Page 39: Lock-Step Concept

• Lock-step architecture: two processors, the master and the checker, execute the same code, strictly synchronized.
• The master accesses the system memory and drives all system outputs.
• The checker continuously executes the instructions fetched by the master processor.
• The outputs produced by the checker, both addresses and data, feed the compare logic (monitor).
• The compare logic checks the consistency of the master and checker data, address and control lines.
• Disagreement on the value of any pair of duplicated bus lines reveals a fault on either CPU, without giving the chance to identify the faulty CPU.
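A behavioural model of the compare logic described above, added as an illustration and not code from the deck or from Xilinx: a constructed instruction-stream trace is presented by both cores, one data-line upset is injected into either the master or the checker, and the monitor latches the first disagreement and drops the output enable. The same monitor pair is what the LX150T design later in the deck instantiates twice; bus_cycle, lockstep_monitor and run_lockstep are assumed names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* What each core presents on its bus in one cycle (constructed model). */
typedef struct { uint32_t addr; uint32_t data; uint8_t ctrl; } bus_cycle;

/* The compare logic (monitor): latches the first disagreement together with
 * the XOR mask of the lines that differed, and drops the output enable. */
typedef struct {
    bool     fault;            /* latched: master and checker diverged */
    bool     outputs_enabled;  /* gates the master's system outputs */
    unsigned fault_cycle;
    uint32_t addr_diff, data_diff;
    uint8_t  ctrl_diff;
} lockstep_monitor;

static void monitor_reset(lockstep_monitor *m)
{
    memset(m, 0, sizeof *m);
    m->outputs_enabled = true;
}

/* One clock of the comparator; true when every duplicated line agrees. */
static bool lockstep_compare(lockstep_monitor *m, unsigned cycle,
                             const bus_cycle *master, const bus_cycle *checker)
{
    uint32_t ad = master->addr ^ checker->addr;
    uint32_t dd = master->data ^ checker->data;
    uint8_t  cd = master->ctrl ^ checker->ctrl;
    if ((ad | dd | cd) == 0)
        return true;
    if (!m->fault) {               /* keep the first mismatch for diagnosis */
        m->fault = true;
        m->fault_cycle = cycle;
        m->addr_diff = ad; m->data_diff = dd; m->ctrl_diff = cd;
    }
    m->outputs_enabled = false;    /* force the safe state */
    return false;
}

/* Constructed instruction stream. Both cores fetch the same program, so
 * without faults they present identical cycles. ctrl: 1 fetch, 2 read, 3 write. */
#define TRACE_LEN 6
static const bus_cycle program_trace[TRACE_LEN] = {
    {0x00000000u, 0xB0000000u, 1},
    {0x00000004u, 0xB0001234u, 1},
    {0x80000010u, 0x00000042u, 2},
    {0x00000008u, 0xE0000000u, 1},
    {0x80000014u, 0x00000043u, 3},
    {0x0000000Cu, 0xB8000000u, 1},
};

/* Run the pair over the trace. A single data-line upset is injected at
 * flip_cycle (none if negative) into the master or into the checker.
 * Returns the cycle at which the monitor latched, or -1 if it never did. */
static int run_lockstep(lockstep_monitor *m, int flip_cycle, unsigned flip_bit,
                        bool fault_in_master)
{
    monitor_reset(m);
    for (unsigned c = 0; c < TRACE_LEN; c++) {
        bus_cycle master  = program_trace[c];
        bus_cycle checker = program_trace[c];   /* re-executes the master's fetch */
        if ((int)c == flip_cycle) {
            if (fault_in_master) master.data  ^= 1u << flip_bit;
            else                 checker.data ^= 1u << flip_bit;
        }
        lockstep_compare(m, c, &master, &checker);
    }
    return m->fault ? (int)m->fault_cycle : -1;
}

static int detect_cycle(int flip_cycle, unsigned flip_bit, bool fault_in_master)
{
    lockstep_monitor m;
    return run_lockstep(&m, flip_cycle, flip_bit, fault_in_master);
}

static bool outputs_enabled_after(int flip_cycle, unsigned flip_bit)
{
    lockstep_monitor m;
    run_lockstep(&m, flip_cycle, flip_bit, false);
    return m.outputs_enabled;
}

/* The monitor cannot tell which core failed: the same upset in either core
 * leaves an identical monitor state (the deck's "either CPU" point). */
static bool monitor_state_identical(int flip_cycle, unsigned flip_bit)
{
    lockstep_monitor a, b;
    run_lockstep(&a, flip_cycle, flip_bit, true);
    run_lockstep(&b, flip_cycle, flip_bit, false);
    return memcmp(&a, &b, sizeof a) == 0;
}
```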

Page 40: Lockstep MicroBlaze Block Diagram

Page 41: Lock-Step Xilinx Implementation

The fault tolerance features included in MicroBlaze:
  – Enabled with C_FAULT_TOLERANT
  – Error detection for internal block RAMs
  – Support for Error Detection and Correction (ECC) in LMB block RAMs
  – All soft errors in block RAMs are detected and corrected

Protected parts
  – Instruction and data cache
  – MMU unified translation look-aside buffer
  – Branch target cache
  – Exception handling

Scrubbing support
  – To ensure that bit errors do not accumulate in block RAMs, they must be periodically scrubbed
  – microblaze_scrub() is the function to check memory integrity
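Why the scrubbing point matters, as an added illustration rather than Xilinx's block RAM ECC or microblaze_scrub() itself: a generic (39,32) SECDED Hamming code corrects any single upset in a word, but two upsets that accumulate in the same word before a scrub pass become a detected-but-uncorrectable double error. The codeword layout, secded_encode, secded_decode, scrub and uncorrectable_after_two_upsets are assumptions, and the memory contents are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Generic (39,32) SECDED codeword, bit index == Hamming position:
 * bit 0 = overall parity (double-error detection); bits 1,2,4,8,16,32 =
 * Hamming check bits; the other 32 positions in 1..38 carry the data bits.
 * This layout is an assumption for the example, not Xilinx's block RAM ECC. */
#define CW_BITS   39
#define DATA_BITS 32
#define MEM_WORDS 8

typedef enum { ECC_OK, ECC_CORRECTED, ECC_UNCORRECTABLE } ecc_status;
typedef struct { unsigned corrected, uncorrectable; } scrub_report;

static bool is_check_pos(unsigned p) { return (p & (p - 1)) == 0; }

static uint64_t secded_encode(uint32_t data)
{
    uint64_t cw = 0;
    unsigned pos = 1;
    for (unsigned i = 0; i < DATA_BITS; i++, pos++) {
        while (is_check_pos(pos)) pos++;            /* skip check positions */
        if ((data >> i) & 1) cw |= (uint64_t)1 << pos;
    }
    for (unsigned p = 1; p < CW_BITS; p <<= 1) {    /* check bit p covers all j with j & p */
        unsigned par = 0;
        for (unsigned j = p + 1; j < CW_BITS; j++)
            if ((j & p) && ((cw >> j) & 1)) par ^= 1;
        if (par) cw |= (uint64_t)1 << p;
    }
    unsigned all = 0;                               /* overall parity of bits 1..38 */
    for (unsigned j = 1; j < CW_BITS; j++) all ^= (cw >> j) & 1;
    return cw | all;
}

/* Syndrome = XOR of set-bit positions; overall parity separates one flip (odd) from two (even). */
static ecc_status secded_decode(uint64_t cw, uint32_t *data, uint64_t *fixed)
{
    unsigned syndrome = 0, parity = 0;
    for (unsigned j = 0; j < CW_BITS; j++)
        if ((cw >> j) & 1) { syndrome ^= j; parity ^= 1; }
    ecc_status st = ECC_OK;
    if (parity)        { cw ^= (uint64_t)1 << syndrome; st = ECC_CORRECTED; }
    else if (syndrome) { st = ECC_UNCORRECTABLE; }
    uint32_t d = 0;
    unsigned pos = 1;
    for (unsigned i = 0; i < DATA_BITS; i++, pos++) {
        while (is_check_pos(pos)) pos++;
        if ((cw >> pos) & 1) d |= 1u << i;
    }
    if (data)  *data = d;
    if (fixed) *fixed = cw;
    return st;
}

/* Scrub pass: run every word through the decoder and write the corrected
 * codeword back, so a single upset cannot linger until a second one lands. */
static scrub_report scrub(uint64_t mem[MEM_WORDS])
{
    scrub_report r = {0, 0};
    for (unsigned i = 0; i < MEM_WORDS; i++) {
        uint64_t fixed;
        ecc_status st = secded_decode(mem[i], NULL, &fixed);
        if (st == ECC_CORRECTED) { mem[i] = fixed; r.corrected++; }
        else if (st == ECC_UNCORRECTABLE) r.uncorrectable++;
    }
    return r;
}

/* Two soft errors hit word 2 at different times. A scrub pass in between
 * corrects each one; without it they accumulate into a double error. */
static unsigned uncorrectable_after_two_upsets(bool scrub_between)
{
    uint64_t mem[MEM_WORDS];
    for (unsigned i = 0; i < MEM_WORDS; i++)      /* constructed contents */
        mem[i] = secded_encode(0xA5000000u + i);
    mem[2] ^= (uint64_t)1 << 5;                   /* first upset */
    if (scrub_between) scrub(mem);
    mem[2] ^= (uint64_t)1 << 21;                  /* second upset, same word */
    return scrub(mem).uncorrectable;              /* 0 with scrubbing, 1 without */
}

/* Test helper: encode v, flip up to two bits, decode. Returns the decoder
 * status, or -1 if a "corrected" word no longer holds v. */
static int recover(uint32_t v, int b1, int b2)
{
    uint64_t cw = secded_encode(v);
    uint32_t out = 0;
    if (b1 >= 0) cw ^= (uint64_t)1 << b1;
    if (b2 >= 0) cw ^= (uint64_t)1 << b2;
    ecc_status st = secded_decode(cw, &out, NULL);
    return (st != ECC_UNCORRECTABLE && out != v) ? -1 : (int)st;
}
```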

Page 42: Lock-Step Applications

Page 43: Lockstep MicroBlaze Block Diagram, Spartan-6 LX150T Development Board (Spartan-6 LX150T FGG676-3)

[Figure: block diagram. Isolated functions: Primary MicroBlaze (MB0 Top) and Secondary MicroBlaze (MB1 Top), each with its own D/I LMB RAMs (data, instruction); Primary MicroBlaze Comparator (MB0 Comparator Top) and Secondary MicroBlaze Comparator, each producing Comparator Errors from MB0 Outputs and MB1 Outputs; Peripherals (Peripherals Top) with MB interrupt controller, timer, timebase, BRAM, RS232 I/F, board push buttons I/F, linear flash I/F, board DIP switches I/F, board LED I/F, DDR3-SDRAM I/F and sys reset; MB debug module / ChipScope and lockstep master bus (debug only). Buses: AXI4 (AXI Full Bus, AXI Outputs), AXI4-Lite (AXI Lite Full Bus, AXI Lite Outputs), Reset, MB Interrupts. Board: 128 MB DDR3-SDRAM, 32 MB parallel flash, USB/RS232 converter, 8 LEDs, 3 push buttons, 8 DIP switches.]

Page 44: Current Floorplan

Page 45: Lock-Step Motor Control Applications

Diego Quagreda (QDESYS) + Trevor Hardcastle (Xilinx)

Page 46: The LX150T Design

7 functionally and physically isolated functions:
1. First MicroBlaze (Primary)
   • Existing MicroBlaze with local instruction and data memory
2. Second MicroBlaze (Secondary)
   • New MicroBlaze that is an exact copy of the first, with its own local instruction and data memory
3. First MicroBlaze Comparator
   • Compares outputs of the first and second MicroBlazes cycle for cycle
   • Error output is routed to an on-board LED connection
   • Comparator is added to the design
4. Second MicroBlaze Comparator (redundant to the first)
   • Compares outputs of the first and second MicroBlazes cycle for cycle
   • Error output is routed to an on-board LED connection
   • Comparator is added to the design
5. MicroBlaze Peripherals
   • Contains the existing AXI interconnect and all the basic and Command and Control AXI peripherals
6. Avnet Motor FMC Driver and 2 FOC Cores
   • Contains the FMC driver and 2 FOCs for the Avnet Motor Control Board
   • Existing components grouped together
7. NetMot Board Driver and 2 FOC Cores
   • Contains the FMC driver and 2 FOCs for the Avnet Motor Control Board
   • Existing components grouped together

Page 47: Updated LX150T Design Block Diagram

Page 48: References

• XAPP1086 – Developing Secure and Reliable Single FPGA Designs With X3ilinx 7 Series FPGAs using Isolation Design Flow – http://www.xilinx.com/support/documentation/application_notes/xapp1086-secure-single-fpga-using-7s-idf.pdf
• WP412 – The Xilinx Isolation Design Flow for Fault-Tolerant Systems – http://www.xilinx.com/support/documentation/white_papers/wp412_IDF_for_Fault_Tolerant_Sys.pdf
• UG116 – Xilinx quarterly device reliability report – http://www.xilinx.com/support/documentation/user_guides/ug116.pdf
• Dual-Core Lock-Step Motor Control via Isolation Design Flow – (send e-mail to [email protected], [email protected])

Page 49: References (continued)

• XAPP1085 – 7-series Isolation Design Flow Lab using ISE Design Suite 14.4 – http://www.xilinx.com/support/documentation/application_notes/xapp1085-7s-isolation-design-flow-ise-14-4.pdf
• XAPP1104 – Implementation of a Fail-Safe Design in the Spartan-6 Family – http://www.xilinx.com/support/documentation/application_notes/xapp1104_S6FailSafe_Design.pdf
• XAPP1105 – Single Chip Crypto Lab Using PR/ISO Flow – http://www.xilinx.com/support/documentation/application_notes/xapp1105_V5SCC_PRISO.pdf
• XAPP1134 – Developing Secure Designs Using the Virtex-5 Family
• XAPP1145 – Developing Secure Designs with the Spartan-6 Family Using the Isolation Design Flow – http://www.xilinx.com/support/documentation/application_notes/xapp1145_S6Secure_Designs.pdf

Page 50: Summary

• Integration in one device and redundancy by isolation is no contradiction
• Xilinx provides a TÜV-certified solution for Functional Safety according to IEC 61508 and ISO 26262 with the Isolation Design Flow
• Over 15 years of published quarterly reliability reports and the FIT rate calculator tool from Xilinx let you determine the reliability safely

Follow Xilinx on: facebook.com/XilinxInc twitter.com/XilinxInc youtube.com/XilinxInc