TIMA Lab. Research Reports

ISSN 1292-862

Preliminary Validation of an Approach Dealing with Processor Obsolescence

L. ANGHEL**, R. VELAZCO*, S. SALEH*, S. DESWAERTES*, A. EL MOUCARY*

* TIMA Laboratory, 46 avenue Félix Viallet 38000 Grenoble France

ISRN TIMA--RR-03/08-03--FR Communication to 9th IEEE IOLTS, Kos Island, Greece, Jul. 2003


Abstract

Processor obsolescence is a big concern affecting most equipment involved in safety critical applications (automotive, aerospace, nuclear plants, military applications…). Indeed, such applications are active years longer than was originally anticipated. This paper presents a method for validating one solution to this problem: replacing a processor that is no longer available on the market with a version emulated by means of an FPGA. The Motorola 6800 processor is used as a test vehicle to illustrate the key aspects of the explored validation plan. Significant experimental results and their impact on the HDL description will be discussed.

1. Introduction

Processor obsolescence is becoming an increasingly complex problem for users of industrial embedded computers [1]. Obsolescence of electronic components basically concerns electronic equipment involved in safety critical applications (automotive, avionics, nuclear plants, military applications…). The desired lifetime of these electronic systems is many times longer than the obsolescence cycle of the electronic components used in them. In fact, these applications can be active years longer than was originally anticipated, and their operational life can be considerably longer than the business life expectancy of many of the component suppliers. The result is that many systems are faced with problems generally reported as Diminishing Manufacturing Sources and Material Shortages (DMSMS) [2]. In recent years, spare parts for several safety critical applications began to be unavailable on the market, and presently they cannot be obtained anymore. This situation can also be seen in new systems, built with more recent parts. In this context, these applications are expensive to maintain, because they continuously require additional processing elements and software, but also memory parts, to face requirement evolutions.

Typical solutions to cope with DMSMS/obsolescence problems exist. Companies can stock components during the component's life, or find parts in secondary markets. Other solutions consist in performing component redesign or cloning, or redesigning at the circuit board or system level in order to eliminate the need for a specific component. None of these approaches may be reasonable when dealing with a single obsolete component, because of the corresponding increase of the final ownership cost. The main drawback of such solutions is the huge engineering design effort and cost, including qualification testing and certification (to meet reliability/safety requirements) in the case of critical applications. Revision of the software is also costly, sometimes exceeding the original time required for hardware design.

A very flexible and low cost replacement solution, other than replacement on a component-by-component basis, consists in emulating the obsolete microelectronic parts by means of programmable logic devices such as FPGAs. During this process, design tools are used to capture the functionality of the obsolete parts at different description levels and to characterize them. Indeed, high level models can be developed in an appropriate language from the description in the circuit datasheet, and then used to replace the targeted obsolete processors. Basically, the existing design remains unchanged, and rather than being implemented in a set of integrated circuits, it is implemented in a modern device - a field programmable gate array (FPGA).

This solution has many advantages over the other solutions. First of all, the emulation will mitigate future obsolescence. Indeed, most of the active components on a given board may be replaced by a single FPGA, thus also eliminating the obsolescence problems associated with the parts that are no longer used. Even if the specific FPGA components used become obsolete, the implemented design emulating the obsolete parts will remain in HDL (Hardware Description Language) and can be re-implemented in a newer FPGA. Another advantage is the improved reliability of the emulated version. Predicted reliability can be dramatically increased, primarily due to the significant reduction of part counts on a retargeted card, because many board functionalities can be implemented in a single hardware design. Finally, through the proposed emulation technique almost any further functionality can easily be added to a given design in the future.

The problem raised by this emulation strategy is how to prove that the emulated version is equivalent to the original hardware in terms of functionality, performance and signal integrity. In reference [3] we proposed a processor replacement methodology, consisting in creating an HDL model of the legacy processor, emulating the HDL description on an FPGA component, and proving functional and timing equivalence between the two versions. Figures 1 and 2 summarize the replacement methodology. The idea is to develop a VHDL model and a test program from the information contained in the original datasheet (Figure 1) and to validate the VHDL model through logic simulation. The set of input/output vectors obtained in this first step will be applied to the original circuit and to the emulated one, after the FPGA oriented synthesis, to prove functional and timing equivalence (Figure 2).

Figure 1. Proposed strategy to generate the set of input/output vectors for obsolescence.

Figure 2. Comparison of the outputs of the original circuit with the FPGA emulated version. (Diagram labels: FPGA Synthesis; Prototype, single device.)

At the heart of most microelectronic applications, out-of-date processors (microcontrollers, microprocessors, DSPs, etc.) constitute the biggest bottleneck concerning obsolescence. Thus, in this paper, we address only processors, the approach being illustrated by its application to an 8-bit microprocessor: the Motorola 6800. This component is presently included in some equipment of French nuclear plants. When the control equipment of the nuclear plants was designed, the company bought components for 20 years, and now this stock is almost exhausted. In this case, the company decided that the only viable solution for the future of this equipment is to replace obsolete parts. The next sections present the results obtained by applying the approach described above to the Motorola 6800 processor.

2. Hardware and Software Tools to Cope with Processor Obsolescence

To assess the equivalence between the emulated version and the original one, a dedicated test platform must be used that allows both to exercise the two versions of the processor by running appropriate test programs, and to compare the input/output values of both versions at a suitable temporal granularity. The main problem entailed by the proposed replacement strategy is the wide scope of targeted circuits, which requires a hardware platform flexible enough to lower the time and cost needed to implement any suitable architecture.

A tester platform, the so-called THESIC+ (Testbed for Harsh Environment Studies on Integrated Circuits), previously developed at TIMA for radiation testing purposes [4], appeared to meet the requirements pointed out above for processor obsolescence. Using this system, suitable architectures were implemented for both configurations to be compared: the one built around the reference 6800 processor and the FPGA emulated one. The THESIC tester is the main platform used to investigate both functional and timing equivalence.

The 6800 processor has been redesigned by the partner company(1) by means of a VHDL RTL level encoding, after analyzing the functional and performance characteristics from the datasheet and from the original 6800 processor. As for the validation software, a VHDL test bench should be written for the digital component to simulate the functionality of the module. The test vectors in the test bench are based on the vectors and truth tables specified in the system technical documentation. In this case, for the test bench needed to validate the functional and timing equivalence, we have generated a special functional test program, which exercises all the possible combinations of the addressing modes and operation modes. The execution of this program is supposed to provide a "pathology" of possible errors in the VHDL description. Detailed analysis of this pathology should allow us to go down to low level simulation to identify the faulty blocks, and then to propose appropriate corrections. In this way we are able not only to detect errors in the functional and timing behaviour, but also to test any combination of execution scenarios.

2.2. The GAPT Test Method

The GAPT (Automatic Tool for Test Program Generation) test method was developed in the early 80's [5] to cope with processor test and diagnosis without taking into consideration the structural information (electrical schemes, topology, etc.). The GAPT generator starts from the processor's instruction set and automatically derives pseudo-exhaustive test programs for different blocks of the processor, without any kind of assumption about the nature of errors. Two types of test programs can be generated with GAPT:

- The control path test, consisting in the verification of all representative instructions of the processor. Each instruction is tested and verified by a so-called "elementary module" containing an initialisation sequence of all registers, the execution of the instruction to be tested and, at the end, the observation of all register contents. Random and deterministic data can be used for the initialization phase.
- The data path test, consisting in the verification of all arithmetic circuits, programmable registers and bus interconnections. Within this test only the block behaviour is verified, not a particular instruction. In this test, the source registers are initialized with deterministic or random data, and the registers holding the results are observed.

(1) EDF - Electricité de France

Figure 3 presents an overview of the GAPT software tool. To summarize, note that GAPT generates test programs in assembly language, taking into account a processor description including the architecture and the instruction set, and the choice of random or deterministic data.

Figure 3. GAPT structure. (Diagram labels: inputs are the microprocessor architecture and instruction set, the test type, and deterministic and random data; the output is assembly language.)

Note that instructions related to program sequencing (jump, call) and software interrupts are tested separately.

3. Functional validation of the Motorola 6800 emulated version

The functional validation has been done on the VHDL RTL model of the Motorola 6800 processor provided by the partner company. The first test bench used for validation was a matrix multiplication program. With this test bench, logic simulations have been carried out according to the replacement methodology presented in [3]. No errors have been observed by simulating this test bench.

3.1. Functional validation with pseudo-exhaustive testing

Pseudo-exhaustive test sequences have been generated with GAPT and applied to the original 6800 processor and to the FPGA emulated version. The equivalence between the two versions can be proved through a comparison of the outputs obtained from the execution of elementary modules generated with GAPT. The test program used exercised ALL the possible combinations of the processor instruction opcodes with all available addressing modes. The elementary module begins with an initialization sequence of all register units (there are 5 registers in the case of the Motorola 6800 processor), continues with the execution of the selected instruction, and finishes with the observation of all register units. This ensures complete instruction set coverage. Moreover, when an erroneous behaviour is detected, it facilitates the location and correction of the VHDL design errors responsible for the erroneous results.

Note that in the case of the Motorola 6800 processor, loading and storing the value of the status register (CCR) implies that the data in the CCR register is automatically transferred to register A of the processor, thus altering the previous value of register A. Moreover, loading and storing values in and from register A will update all bits of the CCR register. These features were taken into account for the initialization and observation steps of the GAPT generator. The initialization and observation steps, usually achieved by means of Load and Store instructions, were replaced in the case of the 6800 by transfers performed from/to the software stack by means of suitable instructions (RTI and SWI). The elementary modules generated by GAPT are as follows:

- The initialization step is replaced by loading the initialization values of the registers into the memory stack. Then an RTI (return from interrupt) is executed, which results in loading all registers with suitable values.
- The instruction to be tested is executed.
- The observation step starts with a SWI (software interrupt) instruction that pushes all the register values onto the external stack, thus avoiding the corruption of data in CCR or any general purpose register.

The generated program was run on both the original 6800 and the emulated version, and erroneous results were observed concerning the CCR register. The analysis of the observed "pathology" made it possible to identify a design error on the 1st and 2nd most significant bits of the CCR register. The 1st and 2nd most significant bits manifest themselves as a stuck-at-0 (SA0) fault. Table 1 presents some combinations of values used to expose the observed errors. As stated before, the 6800 instruction set allows accessing the CCR register only through the accumulator register A. We can observe the SA0 fault when trying to force FH (1111b) or 5H (0101b) in the 4 most significant bits of the CCR register. When reading back the value stored in this register, the observed values were respectively BH (1011b) and 1H (0001b).

Table 1. Comparison between forced and observed values in register CCR.

Controlled value in CCR    Observed value from CCR
5A                         1A
FF                         BF
A5                         A5
00                         00

The analysis pointed out that this error was produced by an erroneous VHDL synthesis model of the 6800 description. This error has not been observed with any other application or test bench program. In fact, this fault never manifests itself as an error because it concerns the 7th and 6th bits of the CCR register, which are never used in applications (S and X flags). Even if the consequences of this error are not easy to forecast (the error concerns unused bits of the condition register), it is important to note that it must be taken into account for future evolutions of the software applications, which could need an extra interrupt bit to upgrade the interrupt capabilities.

In addition to this error, the comparison of the outputs from both versions revealed other differences between the original 6800 and the emulated version. They concern the following instructions:

- TSX and TXS (responsible for saving/loading the content of the register X on the SP register). The execution of these instructions revealed erroneous results, presented in Table 2.

Table 2. Test results for TXS and TSX.

Instruction      Register   Expected results (original 6800)   Erroneous results from emulated version
TSX: (SP) + 1    X          1EFF                               1EFE
TXS: (X) - 1     SP         1AFF                               1B00

- DAA (decimal adjustment of the value stored in register A). This instruction updates the CCR register. The execution of the DAA instruction on both 6800 versions showed a design error in the proposed VHDL model. In fact, the execution of this instruction did not modify the content of the A register, and modified the CCR values in an unexpected way.

- CPX instruction with all addressing modes. This instruction performs a comparison of the value contained in the X register with a memory location, and updates the flags. The execution of this instruction modified the CCR content in an erroneous way.
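The comparison step described above, as an added example that is not from the paper: Python code that decodes the seven-byte frames left on the stack by the SWI observation step on both versions, reports the mismatching registers, and derives stuck-bit masks from the forced/observed pairs of Table 1. The function names are hypothetical, and the register frame is constructed apart from the CCR values taken from Table 1.

```python
# Added example (not from the paper): differential check of the register
# frames that the SWI observation step stacks on the two 6800 versions.

# Byte order of the 6800 interrupt stack frame from the lowest address upward
# (SWI pushes PCL first and CCR last; RTI pulls them back in reverse order).
FRAME = ("CCR", "B", "A", "XH", "XL", "PCH", "PCL")


def build_frame(regs):
    """Initialization step: bytes to place on the stack before RTI."""
    return bytes(regs[name] & 0xFF for name in FRAME)


def parse_frame(raw):
    """Observation step: decode the 7 bytes stacked by SWI."""
    if len(raw) != len(FRAME):
        raise ValueError("a 6800 interrupt frame is 7 bytes")
    return dict(zip(FRAME, raw))


def diff_frames(reference, emulated):
    """Return {register: (reference, emulated, xor)} for every mismatch."""
    ref, emu = parse_frame(reference), parse_frame(emulated)
    return {r: (ref[r], emu[r], ref[r] ^ emu[r]) for r in FRAME if ref[r] != emu[r]}


def stuck_at_masks(pairs):
    """Locate stuck bits from (forced, observed) byte pairs.

    A bit is a stuck-at-0 candidate if it reads 0 in every observation and
    was forced to 1 at least once (symmetrically for stuck-at-1).
    """
    forced_or = observed_or = 0x00
    forced_and = observed_and = 0xFF
    for forced, observed in pairs:
        forced_or |= forced
        observed_or |= observed
        forced_and &= forced
        observed_and &= observed
    sa0 = ~observed_or & forced_or & 0xFF
    sa1 = observed_and & ~forced_and & 0xFF
    return sa0, sa1


# Forced/observed CCR values copied from Table 1.
TABLE_1 = [(0x5A, 0x1A), (0xFF, 0xBF), (0xA5, 0xA5), (0x00, 0x00)]

# Constructed frames for one elementary module: only CCR differs (FF vs BF).
INIT = {"CCR": 0xFF, "B": 0x22, "A": 0x11, "XH": 0x1E, "XL": 0xFE,
        "PCH": 0x01, "PCL": 0x00}
REFERENCE_FRAME = build_frame(INIT)
EMULATED_FRAME = build_frame({**INIT, "CCR": 0xBF})

if __name__ == "__main__":
    print(diff_frames(REFERENCE_FRAME, EMULATED_FRAME))
    print([hex(mask) for mask in stuck_at_masks(TABLE_1)])
```
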

A very interesting error came from the execution of a sequence of instructions. For example, several instructions (ASL, ASR, DEC, INC, LSR, NEG, ROL, ROR, STS, STX, TST) followed by a SWI instruction are not executed correctly, as the 8 most significant bits of the PC register have not been transferred into the memory stack. After the detection of the errors, we performed a detailed investigation of the VHDL model to localize and properly correct them.

3.2. Timing validation of the Motorola 6800 emulated version

Timing comparison entails the simultaneous execution of the test program by both the original 6800 processor and the emulated FPGA version, and the online monitoring of outputs to detect potential differences (unexpected transient faults or global erratic behaviours). For this step we have performed a first simulation of the placed and routed FPGA netlist with timing information (SDF - Standard Delay Format), the results being consistent with those expected. In the near future, we will check the timing equivalence by a board level comparison at clock cycle granularity. The hardware platform for such a test is still under development.

Conclusion and Perspectives

In this paper we discussed the validation plan adopted to prove the equivalence between the original Motorola 6800 processor and the subsequent emulated version. The validation of the VHDL model addresses both the functional and timing aspects. Design errors in the emulated version were detected as a consequence of the execution of the automatically generated pseudo-exhaustive test program.

In the near future, an important effort for this project will focus on assessing the transient fault sensitivity of the 6800 emulated version by means of radiation testing and transient fault simulation. This is motivated by the fact that the 6800 emulated version (FPGA component) used to replace the original one is manufactured using an advanced submicron technology, and is thus potentially sensitive to radiation present in the atmosphere. Moreover, the nuclear environment in which this part will operate entails a certification process to meet nuclear environment requirements.

Bibliography

[1] G. Zell Porter, "An Economic Method for Evaluating Electronic Component Obsolescence Solutions," White Paper, Boeing Information Space & Defense Systems, 1998.
[2] Rob Holmes, "Getting off the Obsolescence Treadmill," White Paper, Titan Systems Corporation, Advanced Products & Design Division.
[3] R. Velazco, L. Anghel, S. Saleh, "A Methodology for Test Replacement Solutions of Obsolete Processors," in Proceedings of IOLTS 2003, Kos, Greece.
[4] F. Faure, P. Peronnard, R. Velazco, "THESIC+: A Flexible System For SEE Testing," Proceedings of Radiations And its Effects on Components and Systems (RADECS'02), Padua (Italy), 19-20 September 2002, pp. 231-234.
[5] R. Velazco and C. Bellon, "Software and hardware tools for microprocessor functional testing," Proc. of International Test Conference, Philadelphia (USA), pp. 804-810, October 1984.