AN 999: Drive-on-Chip with Functional Safety Design Example: Agilex™ 7 Devices

Download PDF
ID 823627
Date 7/04/2024
Public
Document Table of Contents
Document Table of Contents x
1. About the Drive-on-Chip with Functional Safety Design Example for Agilex™ 7 Devices 2. Getting Started 3. Rebuilding the Drive-on-Chip Design 4. Functional Description of the Drive-On-Chip with Functional Safety Design Example for Agilex 7 Devices 5. HPS Channel Safety Software 6. Drive-on-Chip Design Recommendations and Disclaimers 7. Document Revision History for AN 999: Drive-on-Chip with Functional Safety Design Example for Agilex 7 Devices
1. About the Drive-on-Chip with Functional Safety Design Example for Agilex™ 7 Devices x
1.1. Features of the Drive-on-Chip with Functional Safety Design Example for Agilex 7 Devices 1.2. About the Safety Concept 1.3. Other Drive-on-Chip Design Documents
1.2. About the Safety Concept x
1.2.1. High-Level Block Diagram of the Drive-On-Chip with Functional Safety Design Example
2. Getting Started x
2.1. Software Requirements for the Drive-On-Chip with Functional Safety Design Example for Agilex 7 Devices 2.2. Hardware Requirements for the Safe Drive-On-Chip with Functional Safety Design Example for Agilex 7 Devices 2.3. Downloading and Installing the Design 2.4. Installing Python 2.5. Creating an SD Card Image 2.6. Setting Up your Development Board for the Drive-On-Chip with Functional Safety Design Example for Agilex 7 Devices 2.7. Debugging and Monitoring the Drive-On-Chip with Functional Safety Design Example for Agilex 7 Devices with Python GUI 2.8. Looking into the Drive-On-Chip Output
2.3. Downloading and Installing the Design x
2.3.1. Design Directory Structure
2.7. Debugging and Monitoring the Drive-On-Chip with Functional Safety Design Example for Agilex 7 Devices with Python GUI x
2.7.1. GUI Safety Function Tab for the Drive-On-Chip with Functional Safety Design Example for Agilex 7 Devices
3. Rebuilding the Drive-on-Chip Design x
3.1. Generating the Platform Designer System 3.2. Generating and Building the NiosV/g BSP for the Drive-On-Chip Design Example 3.3. Compiling the Hardware in the Intel Quartus Prime Software 3.4. Modifying the Motor Control Software Application 3.5. Generating .jic and .rbf files After Hardware Modifications 3.6. Recreate an SD Card Image 3.7. Modifying the HPS Safety Function Application
4. Functional Description of the Drive-On-Chip with Functional Safety Design Example for Agilex 7 Devices x
4.1. Drive-on-Chip Related Subsystems 4.2. HPS Safety Subsystem 4.3. Safety Subsystem 4.4. Shared Memory Subsystem 4.5. External Safety Logic 4.6. Hardware Subsystem 4.7. Voltage Thresholds 4.8. IP Input and Output Signals 4.9. Registers
4.3. Safety Subsystem x
4.3.1. Safety Block 4.3.2. Quadrature Encoder Pulse 4.3.3. Interval Timer
4.3.1. Safety Block x
4.3.1.1. Safety Function Block 4.3.1.2. Cross-Comparison Block
5. HPS Channel Safety Software x
5.1. Meta Layer and Yocto Build 5.2. HPS Channel Speed Monitoring Safety Application
5.1. Meta Layer and Yocto Build x
5.1.1. Layer Configuration Files 5.1.2. Board Support Package Recipes (recipes-bsp)
5.2. HPS Channel Speed Monitoring Safety Application x
5.2.1. Main (hps_safe_channel.c) 5.2.2. Speed Estimation Thread (speed_estmation.c/.h) 5.2.3. Printing Thread (print_safety.c/.h) 5.2.4. Safety Function Application (srt.c/.h) 5.2.5. Access to Devices 5.2.6. Core Isolation and Core Affinity
1. About the Drive-on-Chip with Functional Safety Design Example for Agilex™ 7 Devices
2. Getting Started
3. Rebuilding the Drive-on-Chip Design
4. Functional Description of the Drive-On-Chip with Functional Safety Design Example for Agilex 7 Devices
5. HPS Channel Safety Software
6. Drive-on-Chip Design Recommendations and Disclaimers
7. Document Revision History for AN 999: Drive-on-Chip with Functional Safety Design Example for Agilex 7 Devices

4.8. IP Input and Output Signals

The signals connect various blocks in the Drive-On-Chip for Functional SafetyDesign Example for Agilex 7 devices.
Table 7.  Drive-on-chip Safety Interface Signals
Port name Polarity Description
clk Input Clock. Asynchronous to any other clock
reset_n Input Active low reset. Asynchronous to any other resets.
reset_safety_n_i Input Reset to get out of the safe state
reset_safety_n_o Output Reset to get out of the safe state
reset_safety_mem_n_o Output Extension of reset_safety_n for memory safe state clearance
qep_count [31 : 0] Input Quadrature encoder pulse IP counter input
timer_pulse Input Time-out signal from the Interval timer block
quad_error (_p, _n) Output Quadrature encoder pulse error feed to the external safety logic.
fpga_is_safe (_p, _n) Output Overspeed detection. Traduced to safe status.
fpga_compare_good_p(_p, _n) Output Result of comparison of HPS and FPGA payloads
compare_timeout Output FPGA finite state machine timeout asserted
heartbeat_fusa Output The heartbeat signal of FuSa block 1 toggle once every safety cycle period to indicate correct functionality.
heartbeat_timer Output The heartbeat signal of interval time toggle once every safety cycle period to indicate correct functionality.
AXI Lite Interface - -
APB Interface - -
Table 8.  Drive-on-chip Safety Function Interface Signals
Port name Polarity Description
clk Input Clock. Asynchronous to any other clock
reset_n Input Active low reset. Asynchronous to any other resets.
reset_safety_n Input Reset to get out of the safe state
generate_bit Input Enable the heartbeat generation
timeout_pulse Input Time-out signal from the Interval timer block
qep_count [31 : 0] Input Quadrature encoder pulse IP counter input
qep_error Input

Error input. Assert when you detect a quadrature decode error (overspeed. If A and B both change during the same clock cycle or if the encoder error input (E) is asserted.

quad_error (_p, _n) Output Quadrature encoder pulse Error feed to the external safety logic.
fpga_is_safe (_p, _n) Output Overspeed detection: traduced to safe status.
over_speed Output Asserted if the calculated speed in the speed estimator is over the threshold
over_speed_led Output Over_speed negated, routed to a board LED
heartbeat_fusa Output The heartbeat signal of FUSA block 1 toggle once every safety cycle period to indicate correct functionality.
heartbeat_timer Output The heartbeat signal of timer block 1 toggle once every safety cycle period to indicate functionality.
payload [31 : 0] Type t_safety_payload defined in pkg_doc_safety.sv
AXI Lite Interface - -
Table 9.  AXI to APB block Interface Signals (Platform Designer Block)
Port name Polarity Description
s_axi_aclk Input Clock. Asynchronous to any other clock
s_axi_aresetn Input Active low reset. Asynchronous to any other resets.
reset_safety_n Input Reset to get out of the safe state
AXI Lite Interface - -
APB Interface - -
Table 10.  Heartbeat Generator Interface Signals
Port name Polarity Description
clk Input Clock
generateBit Input Control signal to toggle the state of heartbeat output. Input may be derived from comparison function output or timeout pulse.
heartbeat Output Singular bit to indicate the heartbeat. Indicates overall block functionality.
Table 11.  Speed Estimator block Interface Signals
Port name Polarity Description
clk Input Clock
reset Input Reset
qep_count [31 : 0] Input Quadrature encoder pulse IP counter input
qep_error Input

Error input. Asserted when a quadrature decode error (overspeed) is detected. If A and B both change during the same clock cycle or if the encoder error input (E) is asserted.

over_speed Output Singular bit to indicate whether the current estimated speed is beyond a parameterizable threshold.
led_signal Output Singular bit to be sent to an active low LED to represent the status of over_speed.
motor_speed_filtered Output

Custom variable type, t_speed.

quad_error (_p, _n) Output Complementary bits (p = 1’b0, n = 1’b1) to represent whether a quadrature error is detected. Entirely based of the input qep_error.
fpga_is_safe (_p, _n) Output Complementary bits (p = 1’b1, n = 1’b0) to represent that FPGA is overall safe, in respect to over_speed.
APB Interface - -
Table 12.  Payload Generator block Interface Signals
Port name Polarity Description
clk Input Clock
reset_n Input Reset
reset_safety_n Input Reset to get out of the safe state
speed_rpm Input Incoming signal from the speed estimator module, which indicates the current estimated speed of the motor. Type t_speed
over_speed Input Singular bit to indicate whether the current estimated speed is beyond a threshold.
generate_pulse Input Control signal to create a valid payload and increment an internal sequence counter when asserted.
fpga_payload Output Created using a custom defined struct, t_safety_payload, which has the properties overspeed, speed and sequence. The design assigns these properties.
Table 13.  Cross-comparison Function block Interface Signals
Port name Polarity Description
clk Input Clock
reset_n Input Reset
reset_safety_n Input Reset to get out of the safe state
start Input Assert to start the FPGA safe channel cycle by the Interval timer every safety response time.
fpga_payload Input

Type t_safety_payload

Overspeed, speed in rpm, sequence number.

generate_fpga Output Indicates to the safety function block to return a valid payload from the speed estimation.
compare_good(_p,_n) Output Output asserted if the HPS payload and FPGA payload in memory are consistent.
compare_timeout Output FPGA finite state machine timeout asserted
APB Interface - -
Table 14.  Quadrature Encoder Pulse block Interface Signals
Port name Polarity Description
clk Input Clock
reset_n Input Reset
QEP_A Input Quadrature pulse from motor (model)
QEP_B Input Quadrature pulse from motor (model)
QEP_I Input Index pulse, per complete revolution
QEP_E Input Encoder Error input. 1 indicates that the motor’s encoder detects a fault and the design cannot rely on the quadrature signals.
QEP_error Output

Error output. Asserted when a quadrature decode error (overspeed) is detected. If A and B both change during the same clock cycle or if the encoder error input (E) is asserted.

Only deasserted when you write a 1 to the reset_quad_error bit in the control register via the Avalon bus.

QEP_count [31 : 0 ] Output Quadrature encoder pulse IP counter output
Avalon Interface - Avalon bus byte addressing but only full word accesses supported.
Table 15.  External Safety Logic Interface Signals
Port name Polarity Description
esl_clk Input Clock. Asynchronous to any other clock
esl_reset Input Reset. Independent to any other reset
clk_hps Input HPS clock
clk_fpga Input FPGA clock
Heartbeat_timer Input Heartbeat signal of the timer that toggles once every safety cycle period to indicate correct behavior
Heartbeat_fusa Input Heartbeat signal of FUSA block 1 that toggles once every safety cycle period to indicate correct behavior
Quad_error (_p, _n) Input

Indicates that the quadrature encoder pulse detects a quadrature error.

(_p = ‘0’, _n = ‘1’)
FPGA_safe (_p, _n) Input Indicates that the FPGA detects the motor speed as safe (_p = ‘1’, _n = ‘0’)
FPGA_compare (_p, _n) Input Indicates that the FPGA cross comparison function detects the FPGA and HPS payloads as the same (_p = ‘1’, _n = ‘0’)
HPS_safe (_p, _n) Input Indicates that the HPS detects the motor speed as safe (_p = ‘1’, _n = ‘0’)
HPS_compare (_p, _n) Input Indicates that the HPS cross comparison function detects the FPGA and HPS payloads as the same (_p = ‘1’, _n = ‘0’)
compare_timeout Input FPGA finite state machine timeout asserted
CRAM_good (_p, _n) Input Indicates that no fault is detected in the FPGA’s CRAM(_p = ‘1’, _n = ‘0’)
power_good (_p, _n) Input Indicates that the voltage monitor block measures the power rails within the acceptable range (_p = ‘1’, _n = ‘0’)
current_rsp_temp Input Variable of parameterizable bits that indicates the current temperature measured by the hardware block.
safe_state (_p, _n) Output Control signal from the external safety logic to the power control to the motor to put the motor into a safe state (_p = ‘1’, _n = ‘0’)
Table 16.  Hardware block Interface Signals
Port name Polarity Description
hw_clk Input Clock. Asynchronous to any other clock
hw_reset Input Reset. Independent to any other reset
pwr_good (p, n) Output Complementary bits to represent that power is functional as intended, all voltages measured are within safe limits.
temp_good (p, n) Output Complementary bits to represent measured temperatures are safe, within limits.
cram_good (p, n) Output

Level Two Title