FPGAs for mission-critical applications
Most FPGA technologies fail to address key mission-critical design requirements, but anti-fuse-based architectures succeed, providing essential attributes such as radiation resistance and design security.
Today's high-density FPGAs offer designers an opportunity to quickly create customized components for optimum performance and rapid deployment of mission-critical systems. But for military and aerospace applications, memory-based FPGA technology is known to fall short in addressing several important requirements, including radiation resistance and design security. Anti-fuse FPGA technology successfully addresses these requirements to bring the advantages of programmable logic to mission-critical system design.
Many developers understand that mission-critical systems must be designed for reliable operation in extreme environmental conditions, but find that most FPGA technologies are hard-pressed to meet these needs. Further, there are other requirements that can be just as critical in determining a device's suitability for mission-critical service where most FPGA technologies fall short. Our discussion will focus on three of these other key requirements: nonvolatile configuration, reliable operation in a radiation environment, and design security (Table 1).
Trio of factors affect critical apps
The requirement for nonvolatile configuration arises from the high probability of power interruptions in mission-critical mil-aero applications. Replacing live system components during maintenance or repair, lapses when switching from line to battery power, and brownouts can all trigger a need for the system to recover from power interruptions. A nonvolatile system configuration simplifies the recovery process, eliminating the need to reload system settings and parameters. This makes system recovery quicker and less error-prone than when the configuration must be reloaded, increasing system availability to perform its mission.
Additionally, with the end of the Cold War, the need for mil-aero systems to operate in radiation environments has faded from general awareness. This requirement does not just come from the need to survive nuclear events, however. Even in daily operation, mission-critical systems might be exposed to high radiation levels. The radiation comes in the form of cosmic rays and solar wind along with the high-energy secondary particles these sources generate at high altitudes (see Figure 1).
While the radiation flux is typically not high enough to damage semiconductor devices, it does have an impact on system operation. The radiation's typical effect is a Single Event Upset (SEU): a single ionizing particle deposits enough charge in a small region of the die to change the value held by a memory cell or latch. Such a change could wreak havoc with system operation if it occurs in a critical location within the FPGA.
Design security is a third requirement of mission-critical system design, particularly military systems. If designs are not secure, enemies can quickly erase any technical advantages that such designs provide by reverse engineering and cloning captured equipment for their own use. Systems might also embed sensitive information such as passwords, encryption keys, and frequency-hopping algorithms. Extracting such information from a captured system would allow an enemy to create equipment that can intercept and interpret coded communications or generate mimicry signals to confound command and control activity. Designs that are difficult, expensive, and time consuming to reverse engineer can prevent such compromises by delaying results until they are no longer useful.
Comparing FPGA technologies
These neglected design requirements are of particular importance when utilizing FPGA technology to develop mission-critical systems. Using FPGA devices gives developers design flexibility and integration levels comparable to using ASICs, but at much lower cost and with more immediate availability. Not every FPGA technology suits the needs of mission-critical design, however.
Many FPGAs fail the nonvolatility requirement, for instance, because they are SRAM-based. An internal logic connection in these FPGAs depends on an SRAM cell to hold a switch transistor on or off (Figure 2). The data stored in memory thus determines the FPGA's configuration, but the SRAM cell loses its data when it loses power.
The SRAM-based FPGA needs to receive configuration data at power-up to prepare it for system operation. The typical approach is to employ a small, external, nonvolatile memory source such as a serial EEPROM to hold the configuration data. Upon power-up, the FPGA retrieves data from the EEPROM and configures itself for operation. Depending on the memory's size and the clock rate at which the FPGA can retrieve data, the FPGA might require several hundred milliseconds following power-up to become ready for use. The rest of the system must wait until the FPGA is ready in order to become fully operational.
The SRAM approach to programmable logic also has several unfortunate design attributes. One is that the circuit needed at each connection point is fairly large, requiring multiple transistors to form the SRAM cell and resulting in lowered interconnect density. The interconnect capacitance of the switch transistor adds to the FPGA's dynamic power dissipation, increasing junction temperatures and lowering device reliability, and the leakage current of the large memory cell wastes power even when the device is not clocking.
One nonvolatile approach to programmable logic has a similar switch structure but uses an EEPROM cell rather than SRAM to hold the configuration. This approach solves the volatility problem but still shares many other attributes with SRAM-based FPGAs. The architecture still requires a switch transistor at each connection point, limiting interconnect density and signal speed through the connection.
The EEPROM cell works by holding a charge on a floating gate to keep the switch transistor turned on or off. The floating gate receives or loses its charge when a high-voltage programming signal drives electrons onto or off of the gate by tunneling through an oxide layer. In normal operation, the gate has no discharge path available, thus making the FPGA configuration nonvolatile.
An alternative approach to providing nonvolatility is to use anti-fuse technology. The anti-fuse is an amorphous silicon via at each configurable circuit junction in the FPGA. Unprogrammed, the via is an insulator and there is no connection at that site. Programming the via by applying a high voltage to it changes its state to become a conductor, thus making a connection at that site. The physical state of the vias therefore holds the FPGA's configuration. The state change is permanent, making the anti-fuse FPGA nonvolatile. Because no transistors are involved in maintaining the logic connection, interconnect density is high and there is no leakage current. Interconnect capacitance is low, reducing dynamic power.
Aside from the issue of volatility, the need to operate in a radiation environment is a second strike against memory-based FPGA technologies. A highly energetic particle passing through an active semiconductor device leaves a temporary ionization track through the silicon. The track briefly conducts, producing a current pulse (a single-event transient); when that pulse reaches a storage element and flips the value it holds, the result is an SEU.
In SRAM, an SEU inverts the state of an individual bit, and the memory circuit then maintains the inverted value until the cell is rewritten. In an EEPROM, the SEU can discharge the floating gate, causing a permanent bit change. Memory used in processor applications often includes error detection and correction to handle such events, but the configuration memory of the FPGAs discussed here has no such protection (later SRAM-based families added configuration readback with CRC checking and scrubbing, which narrows this gap but does not close it, since the design runs with the wrong configuration until the scrubber reaches it). An SEU can thus introduce a persistent logic change in a memory-based FPGA: a routing switch or look-up-table bit stays wrong until the device is reconfigured.
The anti-fuse FPGA's configuration has no such vulnerability. The energy deposited by a single particle is far below what is needed to program a via, and the transient pulses have no significant effect on the logic. Tests conducted at NASA/Goddard have shown no errors in anti-fuse FPGA operation at radiation energies as high as 193 MeV, while memory devices begin exhibiting bit errors as low as 100 MeV. Note that this immunity is a property of the configuration itself; the flip-flops in the user's own design are a separate matter in any FPGA technology, and designs that must hold state through an upset typically add redundancy (for example, triple modular redundancy with voting) to those registers.
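To make the contrast drawn in the two preceding paragraphs concrete, the following is an added Python model, not code from the article and not any vendor's implementation, of an SRAM configuration word with and without the single-error-correct, double-error-detect (SECDED) protection the text attributes to processor memory. The word width, the configuration value, and the bit positions upset are constructed assumptions. An unprotected cell simply keeps whatever value the upset left; a scrubber that decodes each word and rewrites the corrected codeword removes a single upset and at least flags a double one.

```python
# Added illustration: SRAM configuration memory under a single-event upset,
# unprotected versus SECDED-protected. Not code from the article or any vendor.
# The word width and the bits chosen for upset are constructed assumptions.

DATA_BITS = 8  # assumption: one configuration word drives 8 routing switches


def _num_parity_bits(n_data):
    """Smallest r with 2**r >= n_data + r + 1 (the Hamming bound)."""
    r = 0
    while (1 << r) < n_data + r + 1:
        r += 1
    return r


def hamming_encode(data, n_data=DATA_BITS):
    """Extended Hamming (SECDED) encoder.

    Codeword positions are 1-based: powers of two hold Hamming parity, the
    other positions hold data bits, and position 0 holds overall parity.
    """
    r = _num_parity_bits(n_data)
    n = n_data + r
    code = [0] * (n + 1)
    d = 0
    for pos in range(1, n + 1):
        if pos & (pos - 1):                 # not a power of two: data position
            code[pos] = (data >> d) & 1
            d += 1
    for i in range(r):
        p = 1 << i
        for pos in range(1, n + 1):
            if pos & p and pos != p:        # parity over positions with bit p set
                code[p] ^= code[pos]
    code[0] = sum(code[1:]) & 1             # overall parity catches double errors
    return sum(bit << pos for pos, bit in enumerate(code))


def hamming_decode(word, n_data=DATA_BITS):
    """Decode a SECDED codeword. Returns (data, status), status being
    'ok', 'corrected' (single bit repaired) or 'uncorrectable' (double bit)."""
    r = _num_parity_bits(n_data)
    n = n_data + r
    code = [(word >> pos) & 1 for pos in range(n + 1)]
    syndrome = 0
    for i in range(r):
        p = 1 << i
        if sum(code[pos] for pos in range(1, n + 1) if pos & p) & 1:
            syndrome |= p
    overall = sum(code) & 1                 # 1 when an odd number of bits flipped
    if syndrome and overall and syndrome <= n:
        code[syndrome] ^= 1                 # single error: syndrome is its position
        status = "corrected"
    elif syndrome:
        status = "uncorrectable"            # two errors: detect, do not touch data
    elif overall:
        code[0] ^= 1                        # only the overall-parity bit was hit
        status = "corrected"
    else:
        status = "ok"
    data, d = 0, 0
    for pos in range(1, n + 1):
        if pos & (pos - 1):
            data |= code[pos] << d
            d += 1
    return data, status


def seu(word, bit):
    """Model an SEU: one bit of a stored word flips and stays flipped."""
    return word ^ (1 << bit)


def scrub(stored_codeword):
    """Configuration scrubber: decode, then rewrite the corrected codeword so a
    single upset does not persist. Returns (data, status, new_stored_word)."""
    data, status = hamming_decode(stored_codeword)
    if status == "uncorrectable":
        return data, status, stored_codeword  # leave it; alarm upstream
    return data, status, hamming_encode(data)


def demo(cfg=0b1011_0010):
    """Constructed configuration word; bits 3 and 7 are arbitrary upset sites."""
    plain = seu(cfg, 3)                       # unprotected SRAM: flip persists
    cw = hamming_encode(cfg)
    one, st_one, cw_one = scrub(seu(cw, 3))   # single upset repaired and rewritten
    two, st_two, _ = scrub(seu(seu(cw, 3), 7))  # double upset flagged, not repaired
    return {
        "unprotected_changed": plain != cfg,
        "single": (one == cfg, st_one, cw_one == cw),
        "double": st_two,
    }


if __name__ == "__main__":
    print(demo())
```

The scrubber only helps if it runs before the corrupted configuration has done damage, which is why the article's point stands for any memory-based device: between the upset and the next scrub pass, the logic is running on a wrong configuration.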
Anti-fuse FPGAs also address design security more effectively than memory-based FPGAs. To completely characterize a programmed FPGA, two pieces of information are required: the configuration details and the underlying structure. Configuration details are the easiest to capture in memory-based FPGAs. With live systems, passive probing can capture programming data as it moves into an SRAM-based FPGA during configuration. Electron-beam probing can determine the charge states of EEPROM configuration cells when the circuit is active. Both approaches are relatively quick to perform and inexpensive to implement. (Later SRAM-based families counter the first by loading an encrypted bitstream that the device decrypts with an on-chip key; that moves the problem to protecting the key rather than eliminating it.)
Determining the logic structure of the FPGA requires more effort, but reverse engineering approaches are available that can extract a device's design details for under $100,000. The approach is to strip away each layer of a logic device, one at a time, using plasma (for passivation and oxide layers) or chemical (for metal layers) etching, then take a high-resolution photograph as each layer is revealed (Figure 3). The photographs allow reconstruction of the mask sets used to fabricate the device. This then permits the device to be analyzed or even cloned.
Investigating the programming of an anti-fuse FPGA, however, requires much more elaborate measures. This is partly because the programmable element lies within a multi-layer structure, so surface scanning is ineffective. Also, there are no signals or stored charges to probe: program storage is a structural change that alters resistance, not an accumulation of charge.
Only physical examination will show the programming state of the anti-fuses, and the layer-stripping method will not work effectively. The cross-section of the altered region in the anti-fuse is too small to observe from above, so the only way to reliably see the structure is from the side (see again Figure 3). Obtaining this view requires the use of a Focused Ion Beam (FIB) to create a trench in the device, then milling the edge to expand the trench in steps. Taking photographs at each step allows creation of a 3-D image of the circuit. This procedure requires expensive equipment, however, and is prohibitively time consuming without foreknowledge of where to look. Even with foreknowledge, the number of anti-fuses requiring examination makes the task impractical. The time required to reverse engineer programmed anti-fuse FPGAs, such as QuickLogic's QL1P075 and QL1P100, makes them secure for practical purposes: the cost of the attack exceeds what the result would be worth by the time it is obtained.
Anti-fuse satisfies mission-critical needs
The design security needs of mil-aero applications, along with radiation resistance and nonvolatility, are often neglected in literature, but cannot be ignored by designers. When seeking the benefits of FPGAs in design, developers habitually look for devices rated for operation over the military temperature range, but they should also consider the base technology's ability to address the aforementioned needs. Of the FPGA technologies, anti-fuse programmability is the only one that meets all the requirements of mission-critical designs.
1. NASA presentation, "Atmospheric Ionizing Radiation (AIR): Analysis, Results, and Lessons Learned From the June 1997 ER-2 Campaign," Edited by J. W. Wilson, I. W. Jones, and D. L. Maiden, Langley Research Center, Hampton, Virginia; and P. Goldhagen, DOE Environmental Measurements Laboratory, New York, New York, Feb. 2003.