# Dynamic Partial Reconfiguration for Fault-Tolerance in automotive ECUs

384.157 Labor SoC Design, WS 2018



Constantin Schieber 1228774
Rupert Schorn 1325700
Andreas Hirtenlehner 1327273
Peter Schober 1355178

March 5, 2019

# Contents

| 1 | Intro                     | Introduction |                                                                  |     |  |  |
|---|---------------------------|--------------|------------------------------------------------------------------|-----|--|--|
|   | 1.1                       | Design       | Overview                                                         | 1   |  |  |
|   | 1.2                       | Requir       | red tools, IPs and packages                                      | 5   |  |  |
| 2 | Cortex M1 on Xilinx       |              |                                                                  |     |  |  |
|   | 2.1                       | Usage        | of Cortex M1 in Vivado $\hdots$                                  | 6   |  |  |
|   |                           | 2.1.1        | Code via Memory Initialization File                              | 6   |  |  |
|   | 2.2                       | How to       | o mbed OS                                                        | 6   |  |  |
| 3 | Communication Protocol    |              |                                                                  |     |  |  |
|   | 3.1                       | Protoc       | col                                                              | 7   |  |  |
|   | 3.2                       | Bus m        | onitor                                                           | 8   |  |  |
| 4 | Test setup                |              |                                                                  |     |  |  |
|   | 4.1                       | Comm         | unication link                                                   | 9   |  |  |
|   | 4.2                       | ECU,         | THS and MCU                                                      | 9   |  |  |
|   | 4.3                       | Fallba       | ck unit                                                          | 9   |  |  |
| 5 | Partial Reconfiguration 1 |              |                                                                  |     |  |  |
|   | 5.1                       | Limita       | ations imposed by partial reconfiguration                        | 10  |  |  |
|   |                           | 5.1.1        | No block diagram support                                         | 10  |  |  |
|   |                           | 5.1.2        | Global synthesis / implementation runs are mandatory             | 10  |  |  |
|   |                           | 5.1.3        | processor configuration access port (PCAP) / internal configura- |     |  |  |
|   |                           |              | tion access port (ICAP) on the Zynq-7000                         | 11  |  |  |
|   |                           | 5.1.4        | ICAP primitive instantiation                                     | 11  |  |  |
|   |                           | 5.1.5        | Read from SD-Card                                                | 11  |  |  |
|   | 5.2                       | Integra      | ation Overview                                                   | 12  |  |  |
|   |                           | 5.2.1        | Packaged IP                                                      | 12  |  |  |
|   |                           | 5.2.2        | Loading the Partial Reconfiguration (PR) module                  | 12  |  |  |
| 6 | Resi                      | ults         |                                                                  | 13  |  |  |
| 7 | Conclusion                |              |                                                                  |     |  |  |
|   | 7 1                       | Future       | a Work                                                           | 1.4 |  |  |

#### Abstract

In this lab, fail-safe mechanisms for Electronic Control Units (ECUs) are explored on the basis of PR in Field Programmable Gate Arrays (FPGAs). The introduced design contains typical characteristics of an automotive system. Communication between the different sub-systems is realized by a specific link (including protocol) and connects the FPGA to the ECUs that handle operations during normal conditions. ECUs are monitored by a bus monitor in the FPGA for nominal operation characteristics and can be replaced by the instantiation of the very same ECU within the FPGA in case of failure.

### 1 Introduction

Our ECUs are based on ARM Cortex-M1/M3 controllers. Both of them became recently available as an IP-package for Xilinx based FPGAs. By using a common hardware base and a common software middleware we were able to streamline the development of the control-software which enables a faster development process for new applications and reduces the overhead of their functional verification.

### 1.1 Design Overview

The assumed system consists of three regular separate control units that are connected through a communication link. Figure 1.1 shows the basic components of the assumed design.



Figure 1.1: Basic concept for Failsafe ECU

The realized scenario reads a throttle position and controls an engine after some data conversion. The ECU is responsible for gathering the throttle position data, measured and provided by the throttle sensor (THS). After the ECU converts the throttle position data into engine control data, it forwards these data to the motor control unit (MCU), which is responsible for controlling the engine. A fourth unit acts as a fallback unit in case of a failure of one of the regular control units. This fallback unit is realized by using

PR in an FPGA. Figure 1.2 displays a sequence diagram assuming normal operation. In this case, the fallback unit doesn't have to perform any active functionality, it just has to passively monitor the data transfer on the communication link to detect possible errors.



THS: Throttle Sensor MCU: Motor Control Unit ECU: Electronic Control Unit FBU: Fallback Unit

Figure 1.2: Sequence diagram for normal operation

The fallback unit has to monitor all transferred data on the bus and detect any failures (e.g. timeout, error flags, ...). Once an error is detected, a certain partial reconfiguration is triggered by the bus monitor module, which is part of the fallback unit. After the reconfiguration is finished, the fallback unit completely takes over the functionality of the faulty component. Due to the fail silent assumption, the faulty device will not affect the behaviour of the system. Figure 1.3 shows a sequence diagram including a faulty MCU. The bus monitor detects that the MCU is running into a timeout and triggers a PR to take over its functionality. After finishing the reconfiguration, normal operation takes over again (see figure 1.2), but the fallback unit serves as MCU now.



THS: Throttle Sensor MCU: Motor Control Unit

ECU: Electronic Control Unit FBU: Fallback Unit

Figure 1.3: Sequence diagram for MCU failure



Figure 1.4: Zedboard and STM32 hardware setup

### 1.2 Required tools, intellectual properties (IPs) and packages

- Vivado 2018.3 (with Partial Reconfiguration license)
- Keil Microcontroller Development Kit (Windows only)
- ARM Cortex M1 IP for Vivado
- UART IP by Martin Mosbeck
- ARM Mbed OS

### 2 Cortex M1 on Xilinx

Description of the setup of the Cortex M1 core. [1] [2]

### 2.1 Usage of Cortex M1 in Vivado

Only global implementation / synthesis runs are permitted to obtain a working bitstream. If OOC (Out of Context) runs are used, everything except for the Cortex M1 will work fine. The Cortex M1 will enter a hard-fault state which does not allow recovery. This is indicated by a high bit on the *Lockup* port of the processor.

Also trivial, follow tutorial that is provided on ARM Website and adapt to own needs.

### 2.1.1 Code via Memory Initialization File

To update the Memory Initialization File for a core, a new package with the updated bram\_a7.hex file in the corresponding core (/cores/cm1\_\*/m1\_for\_arty\_a7.srcs/sources\_1/imports/m1\_for\_arty\_a7/m1\_for\_arty\_a7/[3]) has to be generated and the IP in the block design has to be updated.

#### 2.2 How to mbed OS

To achieve a common code base for the application code, Mbed OS, a real-time operating system (RTOS) from ARM, was used (Fig 2.1). Since there is no support for the Xilinx Cortex M1 core, the board support package (BSP) provided by Xilinx was ported to Mbed OS [4]. The port includes the RTOS kernel and the GPIO and UART modules. The firmware for our FPGA design [3] can be found on GitHub [5]. For using Mbed OS with a new design, the BSP has to be exported from the Vivado SDK and copied to /mbed-os/targets/TARGET\_Xilinx/TARGET\_XC7Z020/device/standalone\_bsp/ in [5].



Figure 2.1: Software structure.

### 3 Communication Protocol

This section describes the communication protocol used for command and data exchange between bus participants. Further, the bus monitor module, which is part of the fallback unit (FBU) is explained.

### 3.1 Protocol

In our approach a simple master-slave protocol was defined to enable communication between the master (ECU, FBU) and the slaves (THS, MCU, FBU). The protocol consists of command and data packets, each of them contains just one byte. No error protection measures were taken into account. Each bus participant needs a unique address. Since this design just contains three control units, two bits as address field are sufficient. Figure 3.1 shows the composition of a control and data packets.



Figure 3.1: Composition of control and data packets

A control packet is indicated by two leading zeroes, followed by destination address (DEST) and source address (SRC). The last two bits (CTRL) determine a further classification of the control packet, as shown in table ??.

A control packet can be used to request data, send an acknowledge or indicate errors. Only the master is able to send a request data command, the remaining control packet classifications can be used by the slaves, too.

A data packet starts with the destination address (DEST), followed by a 6 bit wide data

| $\mathbf{C}'$ | $\overline{\Gamma}$ RL | Function     |
|---------------|------------------------|--------------|
| 0             | 0                      | Request data |
| 0             | 1                      | Acknowledge  |
| 1             | 0                      | Error 1      |
| 1             | 1                      | Error 2      |

Table 3.1: Control packet classification

field (DATA). It can be sent by the master and by slaves (if a request data command was received previously). If sent by a master, the slave has to answer with an acknowledge.

### 3.2 Bus monitor



Figure 3.2: Bus monitor interfacing

### 4 Test setup

This section describes the used evaluation boards and bus transceivers for the test setup. Further, the used communication protocol is explained.

### 4.1 Communication link

What Peripherals were used (Cortex M1/M3 Boards, which ones).

How to program / use them (only brief).

How are they connected to the Bus?

IIC and UART here or in next section.

### 4.2 ECU, THS and MCU

How is it set up?

Made assumptions?

Document used / invented protocol.

### 4.3 Fallback unit

### 5 Partial Reconfiguration

This section reasons about design choices and encountered obstacles during the development process.

### 5.1 Limitations imposed by partial reconfiguration

PR does impose some limitations on the design process, a brief description of the encountered limitations and how they were handled is given in the following.

#### 5.1.1 No block diagram support

The PR workflow as implemented by Xilinx in Vivado does not allow the Reconfigurable Partition (RP) to be present in a block diagram. Only hdl files are eligible for the PR process.

To solve this problem without the loss of comfort that is provided by the usage of block diagrams (mainly the connection of different signals between modules) we decided to transfer our Cortex Module into an IP-Package. This IP-Package can then be instantiated as a register-transfer-level (RTL) module alongside an existing block diagram. Only the signal connections between the IP and the block diagram have to be declared manually then.



Figure 5.1: Enable PR by the separation of the block diagram and the RP

Due to this, the originally planned AXI-Bus interface for the RP needs to be connected manually. This has proven to be very error-prone in earlier evaluation steps and was then replaced by an interface that only exposed required signals. An AXI-Bus interface may very well work though, as it probably failed due to other, unrelated errors.

#### 5.1.2 Global synthesis / implementation runs are mandatory

PR works with global synthesis and implementation runs only. This imposes restrictions on the naming of files within packages. While out-of-context (OOC) runs allow the same instance names for different IPs a global run requires distinct file and instance names for everything that is included in the project.

Global synthesis and implementation runs are also necessary to include the memory initialization file for the Cortex processor.

### 5.1.3 PCAP / ICAP on the Zynq-7000

As the Zynq-7000 was used for the prototyping process our first choice was the usage of the PCAP for writing partial bitstreams to the FPGA as it is the most straight forward (and well documented) way for this platform.

Due to design considerations (scaling well for production vs fast prototyping) a switch to using the ICAP was made. For this, the PCAP needs to be actively deactivated after the boot of the processing system ([6], page 218).

#### 5.1.4 ICAP primitive instantiation

Instantiation of the ICAP as a hardware primitive in VHDL is documented in the 7series libraries guide ([7], page 178). For completeness sake, the component definition is listed below as it does not exist directly in the documentation. The comments the generic parameters that were used in this project.

```
component ICAPE2 is
  generic (
                  : std_logic_vector(31 downto 0); -- X"23727093"
      DEVICE_ID
      ICAP_WIDTH : string; -- "X32"
      SIM_CFG_FILE_NAME : string -- "None"
6);
  port (
      O
            : out std_logic_vector(31 downto 0);
      CLK
            : in std_logic;
9
      CSIB : in std_logic;
            : in std_logic_vector(31 downto 0);
      RDWRB : inout std_logic
13 );
14 end component ICAPE2;
```

#### 5.1.5 Read from SD-Card

The SD-Card was used to provide a bootable image with the default configuration and all partial bitstreams. Reads from the SD-Card may fail, resulting in a non-functioning or only partially functioning system. The following steps should be performed to trouble-shoot the problem.

- If the system is working in its original configuration and only fails the partial reconfiguration, the file names of the bitstreams should be checked. Only a maximum of 8 characters (+3 for the extension) for the file name are permitted by default.
- Slow (e.g. overwriting everything with zeros) reformat of the SD-Card may be tried.

• Smaller SD-Card should be tried.

### 5.2 Integration Overview

Due to our problems with the AXI-Bus it was decided to put all relevant peripheral communication into the RP. This eliminates the need of implementing an AXI-Interface at the cost of an increased size of the RP.

The following modules are included in the RP:

- AXI-GPIO
- AXI-UartLite
- Cortex M1



Figure 5.2: Data path for loading a partial bitstream

[8], [9] Usage of ICAP. How is the Zynq still used - Loading images and binary blobs from sd card into DDR. What is partially reconfigured - Cortex, uart, IIC. Why not use AXI?

#### 5.2.1 Packaged IP

The PR IP was packaged according to the guide in [10]. To avoid naming conflicts, all block designs of the different IPs need to be named differently before this process.

#### 5.2.2 Loading the PR module

The module is loaded through the PR-Controller IP that is provided by Vivado. This module is connected via the AXI memory interface and loads the partial bitstream from DDR. At start-up, the partial bitstreams are loaded form the SD-Card into the DDR through the Zynq Processing System (PS) as it already needs to be used for the deactivation of the PCAP. Figure 5.2 shows how the different modules and memory entities are related to each other.

# 6 Results

### 7 Conclusion

This work has explored the possibility of using partial reconfiguration in FPGAs to provide efficient redundancy in an automotive system. Instead of providing a redundant hardware entity for every critical module, one single FPGA provides dynamic redundancy for each of these modules. To avoid over-commitment with regards to resource usage (space and power) partial reconfiguration is used. By using the newly available Cortex M1 IPs, a streamlined software development process is possible. The same software can be executed on the cores in the FPGA as well as on the actual hardware with minimal adaptions in the build-process. This reduces the amount of testing and tool-chain adaptions that need to be performed. We demonstrated these concepts on the Zynq-7000 and with three Cortex M1 Central Processing Units (CPUs) that were connected with a bus.

### 7.1 Future Work

Based on this work a more heterogeneous set of critical hardware could be provided with redundancy. A good first step would be to include the Cortex M3 CPU that couldn't be included in this project due to time constraints. The bus monitor could be extended with a more sophisticated fault detection algorithm, which could also mean to employ a more sophisticated bus protocol. Measurements with regards to the system performance (e.g. time to reconfigure, time to detect fault, time to mitigate fault, power usage ...) should be considered also. Furthermore the Mbed OS port could be extended by other hardware modules. A first draft for the Timer and I2C modules ia already implemented.

### **Bibliography**

- $[1] ARM, "Arm® Cortex®-M1 DesignStart^{TM} FPGA-Xilinx edition User Guide," \\ 2018. [Online]. Available: https://static.docs.arm.com/100211/0001/arm_cortex_m1_designstart_fpga_xilinx_edition_ug_100211_0001_00_en.pdf?_ga=2. \\ 121336076.523725493.1550477241-1711067005.1549732081$
- [2] —, "Cortex-M1 Technical Reference Manual." [Online]. Available: https://static.docs.arm.com/ddi0413/d/DDI0413D\_cortexm1\_r1p0\_trm.pdf
- [3] C. Schieber, R. Schorn, A. Hirtenlehner, P. Schober, "FPGA Design Repository," 2019. [Online]. Available: https://github.com/SoC-Lab/zedboard cortex m1
- [4] A. Hirtenlehner, "Mbed OS Port for Xilinx Cortex M1," 2019. [Online]. Available: https://github.com/andi-h/mbed-os/tree/XC7Z020
- [5] C. Schieber, R. Schorn, A. Hirtenlehner, P. Schober, "MCU Firmware Repository,"2019. [Online]. Available: https://github.com/SoC-Lab/Firmware
- [6] Xilinx, "Zynq 7000 Technical Manual," 2018. [Online]. Available: https://www.xilinx.com/support/documentation/user\_guides/ug585-Zynq-7000-TRM.pdf
- [7] —, "7series libraries guide," 2018. [Online]. Available: https://www.xilinx.com/support/documentation/sw\_manuals/xilinx2012\_2/ug953-vivado-7series-libraries.pdf
- [8] —, "Vivado Design Suite User Guide: Partial Reconfiguration (UG909)," 2018. [Online]. Available: https://www.xilinx.com/support/documentation/sw\_manuals/xilinx2018\_3/ug909-vivado-partial-reconfiguration.pdf
- [9] —, "Vivado Design Suite Tutorial: Partial Reconfiguration (UG947)," 2018. [Online]. Available: https://www.xilinx.com/content/dam/xilinx/support/documentation/sw\_manuals/xilinx2018\_3/ug947-vivado-partial-reconfiguration-tutorial.pdf
- [10] —, "ug1118-vivado-creating-packaging-custom-ip.pdf." [Online]. Available: https://www.xilinx.com/support/documentation/sw\_manuals/xilinx2017\_2/ug1118-vivado-creating-packaging-custom-ip.pdf