Flexibility in Responding to Run Time Bugs

Introduction

Flexibility is one of the key advantages of FPGAs for which they are chosen in many system designs. This need for flexibility extends to the infrastructure support of the reset circuitry. For example, to prevent the software from unnecessarily disabling a system, the reset circuitry must allow the option of continued operation of the FPGA while the processor resets. Altera SoC FPGAs are equipped with a variety of reconfiguration options to best manage the needs of design-specific circumstances.

Key aspects of this paper are highlighted in an on-line video, “Memory Protection and Responding to Run Time Software Bugs”, which can be found at www.altera.com/socarchitecture.

Choices in CPU and FPGA Reset

In earlier, two-chip processor plus FPGA solutions, if the processor crashes, the FPGA continues to operate while the processor's watchdog timer resets the processor and the system recovers as gracefully as possible. A properly architected SoC FPGA supports the same “independent” behavior and also provides the option to reconfigure the FPGA, if desired. It should not, however, mandate the FPGA to reconfigure in all cases, unless that is the desired behavior, as specified by the system designer.

In many cases, it may be critical for the FPGA logic to continue to monitor and respond to external stimuli while the processor resets itself. Therefore, it is important to inspect how the FPGA reconfiguration is handled in this circumstance.

As shown in Table 1, the reset circuitry in Altera SoC FPGAs matches historical usage. The reset circuitry for the processor and FPGA operate independently, although both optionally communicate reset events to each other. The developer decides how the FPGA portion should respond to a CPU reset. This can be by simply resetting portions of the configured FPGA logic, completely reconfiguring the FPGA, or by completely ignoring it. In SoC FPGAs from Vendor B, the FPGA logic is always reconfigured when a CPU reset occurs.

<table>
<thead>
<tr>
<th>Table 1: CPU Reset in SoC FPGAs</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Function/Feature</strong></td>
</tr>
</tbody>
</table>
| FPGA Response to CPU Reset | User defined:  
  Reset flip-flops in FPGA logic as specified in user design, or  
  Reconfigure the FPGA logic, or  
  No response | FPGA ALWAYS reconfigured |
**Application Example: Wireless Digital Radio Front Ends**

For one example of why this is important, in high availability systems such as Digital Radio Front Ends (DRFEs) it is paramount to ensure that there is no interruption to the radio service. Typically, the digital data path is implemented within the FPGA supporting continuous streaming of radio IQ data to users while the processor subsystem is used for operations and management functions. Shutting down the entire device for a CPU reset would be highly detrimental to the radio service. The ability to be able to reset the processor subsystem to handle undesired software resets without being forced to take the radio out of service while having to reconfigure the FPGA data path allows operators to maximize availability.

**Fail-Safe Booting and Configuration**

Being fully-programmable, single-chip systems, SoC FPGAs must successfully boot the processor and configure the FPGA before becoming fully functional. SoC FPGAs provide a fail-safe recovery method in case of a boot or configuration failure. This is a crucial feature for systems that support remote, in-field system updates. As summarized in Table 2, SoC FPGAs provide “fail-safe” recovery should there be a physical defect during configuration. The SoC FPGA automatically loads an alternative configuration image if a Cyclical Redundancy Check (CRC) error occurs either in the configuration header or in the configuration image itself.

Altera SoC FPGAs provide additional fail-safe recovery for other logic defects. After boot, the boot loader software sets a bit indicating a successful configuration. If the boot loader fails to set the bit, a watchdog timer triggers a warm reset to restart the boot process. At restart, the processor sees that the previous boot attempt failed and chooses the last known good image.

**Table 2: Fail-Safe Processor Boot/FPGA Configuration in SoC FPGA Devices**

<table>
<thead>
<tr>
<th>Function/Feature</th>
<th>Altera SoC FPGA</th>
<th>Vendor B</th>
</tr>
</thead>
<tbody>
<tr>
<td>Fail-Safe Reboot on Physical Boot Defect</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Fail-Safe Reboot on Logical Boot Defect</td>
<td>Yes</td>
<td>No</td>
</tr>
</tbody>
</table>

**Conclusion**

FPGAs are often chosen for their flexibility, and a one-size-fits-all approach has never applied. This extends to flexibility in reset for continuous, reliable operation. only Altera SoC FPGAs offer the user a choice of resetting flip-flops in FPGA logic, reconfiguring FPGA logic, or no response, as deemed appropriate.

**Want to Learn More?**

For more examples on how your system can benefit from Altera SoC FPGA flexibility options, consult the “Architecture Matters: Choosing the Right SoC FPGA for Your Application” white paper:

http://design.altera.com/SoCweb