Firmware in Safety Critical Subsystems

摘要

Complex Programmable Logic Devices (CPLDs) and Field Programmable Gate Arrays (FPGAs) arecomplex electronic devices that blur the border between hardware and software. These devices aresometimes simply referred to as Firmware. Although Firmware devices are considered hardware, they aredesigned and programmed like software. For good or bad, these Firmware devices are rapidly replacingmicroprocessors and discrete circuitry for control over High / Moderate Risk safety critical functions.These devices are routinely touted to be more reliable than CPUs and discrete circuitry. Some will arguethat older circuitry can be safely re-hosted into a single firmware device and still meet safety requirements.The question that must be asked is if these firmware devices are typically touted as having a reliabilityvalue greater than 1x10-6, are these devices safe to use stand-alone for control over high or moderate risksafety critical functions? This simple question can only be knowledgably answered when the system safetyengineer understands how these devices work, but more importantly how they fail.This paper provides information on how firmware devices work internally, their associated internal/externalfailure modes, and internal/external mitigation techniques. In particular, Single Event Upsets within thesedevices will be discussed with possible mitigations to prevent these worst-case failures from occurring.Lastly, the question as to whether firmware devices can be used stand-alone for control over safety criticalfunctions will be addressed.