Systems and methods for detecting a failure event in a field programmable gate array by Herath, Jeffrey A. & Ng, Tak-Kwong
(12) United States Patent
Ng et al.
(54) SYSTEMS AND METHODS FOR DETECTING
A FAILURE EVENT IN A FIELD
PROGRAMMABLE GATE ARRAY
(75) Inventors: Tak-Kwong Ng, Yorktown, VA (US);
Jeffrey A. Herath, Yorktown, VA (US)
(73) Assignee: The United States of America as
represented by the Administrator of
the National Aeronautics and Space
Administration, Washington, DC (US)
(*) Notice: Subject to any disclaimer, the term of this
patent is extended or adjusted under 35
U.S.C. 154(b) by 388 days.
(21) Appl. No.: 11/531,703
(22) Filed:	 Sep.14, 2006
(65)	 Prior Publication Data
US 2007/0198892 Al	 Aug. 23, 2007
Related U.S. Application Data
(60) Provisional application No. 60/774,810, filed on Feb.
1, 2006.
(51) Int. Cl.
GOIR 31128 (2006.01)
H03M 13100 (2006.01)
G06F 11/00 (2006.01)
G06F 7138 (2006.01)
(1o) Patent No.:	 US 7,590,904 B2
(45) Date of Patent:	 Sep. 15, 2009
(52)	 U.S. Cl . ....................... 714/725; 714/724; 714/732;
714/754; 714/48; 326/37; 326/39
(58) Field of Classification Search ................. 714/725,
714/724, 732, 754; 326/37, 39
See application file for complete search history.
(56) References Cited
U.S. PATENT DOCUMENTS
	
6,237,124 131*	 5/2001 Plants ........................ 714/763
	
6,560,743 132 * 	 5/2003 Plants ........................ 714/763
	
7,263,631 132 * 	 8/2007 VanBuren .................... 714/15
7,310,759 131* 12/2007 Carmichael et al.......... 714/725
2004/0078103 Al*	 4/2004 Marshall et al ................ 700/87
2006/0020774 Al*	 1/2006 Ramos et al . ............... 712/226
2007/0176627 Al*	 8/2007 Ng et al . ....................... 326/14
* cited by examiner
Primary Examiner John 7 Tabone, Jr.
(74) Attorney, Agent, or Firm Helen M. Galus; Barry V.
Gibbens
(57) ABSTRACT
An embodiment generally relates to a method of self-detect-
ing an error in a field programmable gate array (FPGA). The
method includes writing a signature value into a signature
memory in the FPGA and determining a conclusion of a
configuration refresh operation in the FPGA. The method
also includes reading an outcome value from the signature
memory.
20 Claims, 2 Drawing Sheets
100
CONTROLLER	 CONFIGURATION
11.5	 MEMORY	 FPGA CORE
EEPROM	 105
SDEM	 SIG120	 125	 MEMORY
130
https://ntrs.nasa.gov/search.jsp?R=20090042856 2019-08-30T08:25:01+00:00Z
Ca
T-
0
LL
U.S. Patent	 Sep. 15, 2009	 Sheet 1 of 2	 US 7,590,904 B2
U.S. Patent
	
Sep. 15, 2009	 Sheet 2 of 2	 US 7,590,904 B2
200
IDLE STATE	 1	 f A
205
I	 WRITE KEY VALUE INTO
SIGNATURE MEMORY 210
INITIATE CONFIGURATION
SCRUBBING	 215
PrAn THI= VALUE OF THE
SIGNATURE MEMORY	 220
N	 Y
UNEXPECTED
VALUE
7	 225
NO ERROR	 A	 ERROR
235
230
FIG. 2
US 7,590,904 B2
1
	
2
SYSTEMS AND METHODS FOR DETECTING 	 often involve environments where radiation is present.
A FAILURE EVENT IN A FIELD	 Reprogrammable FPGAs currently available on the market
PROGRAMMABLE GATE ARRAY
	
	
can be very susceptible to a single event upset (SEU). SEUs
maybe defined as radiation-induced errors in microelectronic
CLAIM OF BENEFIT OF PROVISIONAL 	 5 circuits caused when charged particles (usually from the
APPLICATION
	
	
radiation belts or from cosmic rays) lose energy by ionizing
the medium through which they pass, leaving behind a wake
Pursuant to 35 U.S.C. § 119, the benefit of priority from the	 of electron-hole pairs. SEUs are transient soft errors and are
provisional patent application having U.S. Ser. No. 60/774, 	 non-destructive. A reset or rewriting of the device results in
810, filed on Feb. 1, 2006, is claimed for this non-provisional io normal device behavior thereafter. An SEU may occur in
application.	 analog, digital, or optical components, or may have effects in
surrounding interface circuitry. SEUs typically appear as
ORIGIN OF THE INVENTION	 transient pluses in logic or support circuitry, or as bit flips in
memory cells or registers. Also possible is a multiple-bit SEU
The invention described herein was made by employees of 15 in which a single ion hits two or more bits causing simulta-
the United States Government and may be manufactured and 	 neous errors. Multiple-bit SEU is a problem for single-bit
used by or for the Government of the United States of 	 error detection and correction (EDAC) where it is impossible
America for governmental purposes without the payment of 	 to assign bits within a word to different chips (e.g., a problem
any royalties thereon or therefor. 	 for Dynamic Random Access Memory (DRAMs) and certain
20 SRAMs). A severe SEU is the single-event functional inter-
FIELD OF THE INVENTION	 rupt (SEFI) in which an SEU in the device's control circuitry
places the device into a test mode, halt, or undefined state. The
This invention relates generally to field programmable gate	 SEFI halts normal operations, and requires system level
arrays (FPGA), more particularly, for detecting a failure event 	 recovery.
in the FPGA.	 25	 The current state of the art approach to SEU is to refresh the
configuration while the FPGA is operating. When using this
DESCRIPTION OF THE RELATED ART	 approach, it may be essential to detect the loss of configura-
tion while the FPGA is operating in a radiation environment,
A field-programmable gate array (FPGA) is a semiconduc- 	 allowing the system to initiate a configuration recovery. More
tor device containing programmable logic components and 30 particularly, the conventional solution to detect loss of con-
programmable interconnects. The programmable logic com- 	 figuration access involves using external circuitry to read the
ponents can be programmed to duplicate the functionality of	 frame address register (FAR) and write another value to the
basic logic gates (such as AND, OR, XOR, NOT) or more 	 FAR. Writing to the FAR alters the value stored in the cyclic
complex combinatorial functions such as decoders or simple 	 redundancy checks registers. The system then reads the
math functions. In most FPGAs, these programmable logic 35 Cyclic Redundancy Check (CRC) and compares the reading
components (or logic blocks, in FPGA parlance) also include 	 to an expected value. A conflict in the values indicates a loss
memory elements, which may be simple flip-flops or more 	 of configuration access, allowing the external circuitry to
complete blocks of memories. 	 initiate a configuration access recovery.
Programmable logic circuits (e.g., field programmable	 This solution has drawbacks and disadvantages. For
gate arrays (FPGAs)) are widely used in digital system 40 example, additional circuitry is employed to facilitate this
designs. Programmable logic circuits are comprised of an 	 series of operations, increasing the complexity and the num-
array of unconnected logic elements that can be programmed 	 ber of components, the board space, and the power for the
(i.e., configured) to form a complex logic circuit to accom- 	 implementation. Moreover, the addition of components is
plish a prescribed function. Most programmable logic cir- 	 likely to reduce the overall reliability.
cuits employ fuses, anti-fuses, or custom designed metal 45
mask levels to configure the logic elements. Once configured,	 SUMMARY
the resulting logic circuit design is permanent ("firm") and
cannot be altered later.	 An embodiment of the current invention generally relates
Reconfigurable (or "reprogrammable") logic circuits can 	 to a method of self-detecting an error in a field programmable
be changed to form a different logic function on demand. 50 gate array (FPGA). The method includes writing a signature
Reconfigurable logic circuits generally employ a bi-stable 	 value into a signature memory in the FPGA and determining
data storage element (e.g., a data latch or a Static Random	 a conclusion of a configuration refresh operation in the
Access Memory (SRAM) cell) within which the logic con- 	 FPGA. The method also includes reading an outcome value
figuration data is stored. Depending on whether a logical
	 from the signature memory.
"one" or logical "zero" data is stored in the data storage 55	 Another embodiment pertains generally to a method of
element, the logic, configuration interface gate or device con- 	 self-detecting an error in a radiative environment. The
nected to the data storage element's output is either on or off. 	 method includes writing a key value into a signature memory
In that way, blocks of previously unconnected logic elements	 that is flushed during a configuration refresh and initiating a
are connected and the logic circuit is configured. Selectively 	 configuration refresh. The method also includes determining
changing the data stored in some of the data storage elements 6o an error status in response to the value stored in the signature
allows one to reconfigure the logic circuits when desired. 	 in response to the configuration refresh.
Reconfigurable logic circuits offer a significant advantage 	 Yet another embodiment relates generally to a system for
over one-time programmable "firm" logic circuits in that the 	 self-detecting errors in a radiative environment. The system
hardware can be changed even after the digital system has	 includes an FPGA core configured to be programmed with a
been deployed for many years. 	 65 user defined function, and a memory configured to store the
Since reprogrammable FPGAs are versatile, they are often 	 user defined function. The system also includes a configura-
found in aerospace applications. Aerospace applications 	 tion memory configured to interface with the FPGA core, to
US 7,590,904 B2
3
provide configuration access memory space and application
memory space, and a controller configured to execute a con-
figuration refresh operation that reloads the user defined func-
tion from the memory into the FPGA core. The system further
includes a self-detecting error module configured to write a 5
key value into the configuration memory, which is flushed
during the configuration refresh operation, and to determine
an error status in response to the value stored in the configu-
ration memory, inresponse to the configuration refresh opera-
tion. The controller is also configured to initiate the self io
detecting error module.
Yet another embodiment relates generally to a system for
self-detecting errors in a radiative environment. The system
includes an electrically erasable programmable read only
memory (EEPROM) and a field programmable gate array 15
(FPGA) device. The FPGA device further comprises an
FPGA core configured to be programmed with a user defined
function and a memory configured to store the user defined
function. The system also includes a configuration memory
configured to interface with the FPGA core to provide con- 20
figuration access memory space and application memory
space and a controller configured to execute configuration
refresh operation that reloads the user defined function from
the memory into the FPGA core. The system further includes
a self-detecting error module configured to write a key value 25
into the configuration memory that is flushed during the con-
figuration refresh operation, and to determine an error status
in response to the value stored in the configuration memory in
response to the configuration refresh operation. The control-
ler is also configured to initiate the self-detecting error mod- 30
ule.
BRIEF DESCRIPTION OF THE DRAWINGS
Various features of the embodiments can be more fully 35
appreciated, as the same become better understood with ref-
erence to the following detailed description of the embodi-
ments, considered in connection with the accompanying fig-
ures, in which:
FIG. 1 is a schematic representation illustrating an exem- 40
plary embodiment of a self-detecting error module in a sys-
tem; and
FIG. 2 is a flowchart illustrating an exemplary flow dia-
gram implemented by the self-detecting error module in
accordance with an embodiment of the current invention. 	 45
DETAILED DESCRIPTION OF EMBODIMENTS
For simplicity and illustrative purposes, the principles of
the present invention are described by referring mainly to 50
exemplary embodiments thereof. However, one of ordinary
skill in the art would readily recognize that the same prin-
ciples are equally applicable to, and can be implemented in,
all types of field programmable gate arrays, and that any such
variations do not depart from the true spirit and scope of the 55
present invention. Moreover, in the following detailed
description, references are made to the accompanying fig-
ures, which illustrate specific embodiments. Electrical,
mechanical, logical and structural changes may be made to
the embodiments without departing from the spirit and scope 60
of the present invention. The following detailed description
is, therefore, not to be taken in a limiting sense and the scope
of the present invention is defined by the appended claims and
their equivalents.
Embodiments relate generally to systems and methods for 65
self-detecting a loss of configuration in a reprogrammable
FPGA without the use of any additional circuitry. More par-
4
ticularly, embodiments of a self-detecting error module may
be configured to determine whether a single event error has
corrupted a configuration refresh operation. A reprogram-
mable FPGA typically includes a configuration memory
which can either be used to control the configuration of the
reprogrammable FPGA, or the configuration memory may be
used as application memory. This configuration memory is
often referred to as distributed memory. A configuration
refreshing operation typically clears the contents of the dis-
tributed memory, which is the reason why this memory is not
normally used in applications requiring configuration
refreshes.
The self-detecting error module may be configured to write
a unique key into a portion of the configuration memory, i.e.,
the signature memory. For example, a 16x1 bit memory may
represent the signature memory. The self-detecting error
module may then determine the conclusion of the configura-
tion refresh operation. Subsequently, the self-detecting error
module may execute a read operation from the signature
memory. If the self-detecting error module determines that
the signature memory contains an expected value, such as all
zeroes, all ones or a predefined value, the configuration
refresh is a successful operation. If the self-detecting error
module determines that the signature contains an unexpected
value that is different from a predefined user value, the con-
figuration refresh operation is a failure.
FIG. 1 illustrates an exemplary embodiment of a self-
detecting error module 125 in a system 100. It should be
readily apparent to those of ordinary skill in the art that the
system 100 depicted in FIG. 1 represents a generalized sche-
matic illustration and that other components may be added or
existing components may be removed or modified. Moreover,
the system 100 as well as the self-detecting error module 125
may be implemented using software components, hardware
components, or combinations thereof.
As shown in FIG. 1, system 100 includes an FPGA core
105, a configuration memory 110, a controller 115, and an
Electrically Erasable Programmable Read-Only Memory
(EEPROM) 120. The FPGA core 105 may be configured to
include programmable logic components and programmable
logic interconnects as known to those skilled in the art. The
FPGA core 105 may be configured to implement user defined
functions, e.g., combinatorial logic functions.
The FPGA core 105 may be configured to interface with a
configuration memory 110, which may interface with a con-
troller 115. The controller 115 may be configured to control
and manage the system 100. More particularly, the controller
115 may initiate configuration refresh operation which
reloads the user defined function for the system 100. One
intended use for the system 100 is in radiative environments
where single event upsets (SEUs) may occur. The controller
115 may initiate the configuration refresh operation periodi-
cally based on the anticipated levels of radiation.
The controller 115 may also be configured to interface with
an Electrically Erasable Programmable Read-Only Memory
(EEPROM) 120. The EEPROM 120 may be configured to
store a copy of the user-defined function for the system 100.
The controller 115 may then initiate configuration refresh
operations from the data stored in the EEPROM 120. Various
embodiments may implement the EEPROM 120 with a con-
ventional memory such as a DRAM.
In some embodiments, the controller 115 may implement a
self-detecting error module 125. The functions of the self-
detecting error module 125 may be implemented through
software, hardware or combinations thereof. The self-detect-
ing error module 125 may be configured to write a key value
into an area of the configuration memory 110, i.e., the signa-
US 7,590,904 B2
5
ture memory. The key (or signature) value can be a string of
bits, for example, "1011111011101111" for a 16 bit memory
word. The self-detecting error module 125 may be configured
to initiate writing the key value periodically with a user-
defined period based on anticipated levels of radiation or in
response to an event.
The self-detecting error module 125 may be further con-
figured to determine the end of a configuration refresh opera-
tion. For example, the controller 115 may set a flag that the
configuration refresh operation concluded. Accordingly, the
self-detecting error module 125 may determine whether or
not this flag has been set.
The self-detecting error module 125 may be configured to
execute a read of the signature memory 130 in response to the
end of the configuration refresh operation. The self-detecting
error module 125 may then determine the value of the content
stored in the signature memory 13 0. If the value of the content
is the expected value, e.g., all zeroes, all ones, or a predefined
value, the self-detecting error module 125 may set a flag that
no errors were detected in the configuration refresh operation.
The self-detecting error module 125 may be configured to set
a no-error status or flag for the current configuration with the
controller 115 in some embodiments. Otherwise, if the value
of the content in the signature memory 130 is an unexpected
value, i.e., differs from a predefined expected value, the self-
detecting error module 125 may set a flag or set the status that
an error occurred in the configuration refresh operation. In
some embodiments, the self-detecting error module 125 may
set an error status for the configuration refresh operation. The
controller 115 may initiate another refresh operation or the
error may be reported for later analysis.
Accordingly, the self-detecting error module provides a
mechanism for a system to self-detect errors without addi-
tional circuitry. Thus, reliability may be enhanced without
additional components and power requirements.
FIG. 2 illustrates an exemplary flow diagram 200 imple-
mented by the self-detecting error module 125 in accordance
with an embodiment. It should be readily apparent to those of
ordinary skill in the art that the flow diagram 200 depicted in
FIG. 2 represents a generalized schematic illustration, and
that other steps may be added or existing steps may be
removed or modified.
As shown in FIG. 2, the self-detecting error module 125
may be configured to be in an idle state, as in step 205. The
self-detecting error module 125 may be invoked when the
system 100 is powered on.
In step 210, the self-detecting error module 125 may be
configured to write a key or signature value into a reserved
area of the configuration memory 110, i.e., the signature
memory 130. The key value may be a string of bits as wide as
the word size of the configuration memory 110, for example
16 bits. Thus, an exemplary key value may be
"1011100100011101." The self-detecting error module 125
may move to this step in response to a periodic timer based on
the anticipated radiation level in the operating environment of
the system 100. In other embodiments, the self-detecting
error module 125 may initiate this step in response to an event
such as a temperature rising above a threshold temperature.
In step 215, the self-detecting error module 125 may indi-
cate to the controller 115 to initiate a configuration refresh
operation. More particularly, the self-detecting error module
125 may set a flag or status that indicates that the key value
has been written into the signature memory 130. The control-
ler 115 may then proceed with the configuration refresh
operation of reloading the user-defined function stored in the
EEPROM 120.
6
In step 220, the self-detecting error module 125 may be
configured to read the content of the signature memory 130 in
response to the conclusion of the configuration refresh opera-
tion. More particularly, the controller 115 may set a flag or set
5 a status that indicates that the configuration refresh operation
has concluded. The self-detecting error module 125 may
monitor this flag.
In step 225, the self-detecting error module 125 may deter-
mine whether or not the contents of the signature memory 130
io contain the expected value. More particularly, during a suc-
cessful configuration refresh operation, all of the configura-
tion memory 110, including the signature memory 130,
should be flushed and the contents of the memory space
should be the expected value. Thus, if a non-expected value
15 exists, the unexpected value is an indication of an error most
likely caused by a SEU.
In step 230, if the self-detecting error module 125 deter-
mines that the contents of the signature memory 130 is the
expected value, the self-detecting error module 125 may set a
20 no-error-flag or set a clear status for the controller 115 to
indicate that no error had occurred in the configuration
refresh operation.
Otherwise, in step 235, if the self-detecting error module
125 determines that the contents of the signature memory 130
25 contains an unexpected value, the self-detecting error module
125 may set an error flag or set an error status with the
controller 115 to indicate an error in the configuration refresh
operation. Subsequently, the self-detecting error module 125
may return to the idle state of step 205. In some embodiments,
so the controller 115 maybe configured to re-initiate a configu-
ration refresh operation in response to the setting of the error
flag or error status in the previous configuration refresh opera-
tion.
Certain embodiments may be performed as a computer
35 program. The computer program may exist in a variety of
forms both active and inactive. For example, the computer
program can exist as a software program (or multiple soft-
ware programs) comprised of program instructions in source
code, object code, executable code or other formats; firmware
40 program(s); or hardware description language (HDL) files.
Any of the above can be embodied on a computer readable
medium, which includes storage devices and signals, in com-
pressed or uncompressed form. Exemplary computer read-
able storage devices include conventional computer system
45 Random Access Memory (RAM), Read-Only Memory
(ROM), Erasable Programmable ROM (EPROM), Electri-
cally Erasable Programmable ROM (EEPROM), and mag-
netic or optical disks or tapes.
Exemplary computer readable signals, whether modulated
50 using a carrier or not, are signals which a computer system
hosting or running the present invention may be configured to
access. Such signals may include those downloaded through
the Internet or other networks. Concrete examples of the
foregoing include distribution of an executable software pro-
55 gram (or multiple programs) of the computer program on a
CD-ROM or via Internet download. In a sense, the Internet
itself, as an abstract entity, is a computer readable medium.
The same is true of computer networks in general.
While the invention has been described with reference to
60 the exemplary embodiments thereof those skilled in the art
will be able to make various modifications to the described
embodiments without departing from the true spirit and
scope. The terms and descriptions used herein are set forth by
way of illustration only and are not meant as limitations. In
65 particular, although the method has been described by
examples, the steps of the method may be performed in a
different order than illustrated or simultaneously. Those
US 7,590,904 B2
7
skilled in the art will recognize that these and other variations
are possible within the spirit and scope as defined in the
following claims and their equivalents.
What is claimed is:
1. A method of self-detecting an error in a field program-
mable gate array (FPGA) having an FPGA core configured to
implement a user-defined function, a configuration memory
having a portion designated as a signature memory, and an
electrically-erasable programmable read-only memory (EE-
PROM) device configured for storing a copy of the user-
defined function, the method comprising:
writing a key value into the signature memory from a
self-detecting error module within the FPGA in
response to a timer-based event, wherein the key value is
a string of bits different from the user-defined function;
initiating a configuration refresh operation in response to
writing the key value, wherein the configuration refresh
operation loads the user-defined function from the
EEPROM device to the configuration memory and
flushes the signature memory;
determining a conclusion of the configuration refresh
operation;
reading an outcome value from the signature memory in
response to a conclusion of the configuration refresh
operation;
comparing the outcome value to an expected value; and
setting an error flag when the outcome value is not equal to
the expected value.
2. The method of claim 1, further comprising setting the
configuration refresh operation as being successful in
response to the outcome value being equal to the expected
value.
3. The method of claim 1, further comprising initiating
another configuration refresh operation in response to the
outcome value not being equal to the expected value.
4. The method of claim 1, wherein the timer-based event is
based on one of an anticipated radiation level and a threshold
temperature of a radiative environment.
5. A computer readable medium including at least one
storage device on which is stored executable code suitable for
performing the method of claim 1, the at least one storage
device including at least one of: a Random Access Memory
(RAM) device, a Read-Only Memory (ROM) device, an
Erasable Programmable ROM (EPROM) device, an Electri-
cally Erasable Programmable ROM (EEPROM) device, a
disk, and a tape.
6. A method of self-detecting an error in a field program-
mable gate array (FPGA) operating in a radiative environ-
ment, the method comprising:
writing a key value into a signature memory portion of a
configuration memory from a self-detecting error mod-
ule within the FPGA in response to a timer-based event,
the timer-based event being based at least in part on a
threshold value of the radiative environment, wherein
the key value is flushed from the signature memory
during a configuration refresh operation;
initiating the configuration refresh operation in response to
writing the key value into the signature memory, and
wherein the configuration refresh operation loads a user-
defined function into the configuration memory for
functional control of an FPGA core, the user-defined
function being different from the key value;
reading an outcome value stored in the signature memory
after the configuration refresh operation has concluded;
and
8
comparing the outcome value to an expected value after the
configuration refresh operation to thereby determine an
error status.
7. The method of claim 6, further comprising determining
5 the error status as no error in response to the outcome value
being the expected value.
8. The method of claim 6, further comprising determining
the error status as an error in response to the outcome value
being an unexpected value.
10 9. The method of claim 6, further comprising determining
an end of the configuration refresh operation.
10. The method of claim 6, wherein the threshold value of
the radiative environment is one of an anticipated threshold
radiation level and a threshold temperature.
15 11. A system for self-detecting errors in a field program-
mable gate array (FPGA) operating in a radiative environ-
ment, the system comprising:
an FPGA core configured to be programmed with a user-
defined function;
20 a memory device configured to store the user-defined func-
tion, the memory device being external to the FPGA
core;
a configuration memory within the FPGA that is config-
ured to interface with the FPGA core to provide configu-
25	 ration access memory space and application memory
space;
a controller configured to execute a configuration refresh
operation that reloads the user-defined function from the
memory device into the configuration memory; and
so a self-detecting error module within the FPGA that is con-
figured to write a key value into a signature memory
portion of the configuration memory in response to a
timer-based event;
35 wherein the key value is different from the user-defined
function and is flushed from the signature memory dur-
ing the configuration refresh operation, wherein the
writing of the key value initiates the execution of the
configuration refresh operation, and wherein the self-
40 detecting error module is further configured to deter-
mine an error status by comparing an outcome value
stored in the signature memory after the configuration
refresh operation has concluded with an expected value
in the configuration memory.
45 12. The system of claim 11, wherein the self-detecting
error module determines the error status as no error in
response to the outcome value being the expected value in the
configuration memory.
13. The system of claim 11, wherein the self-detecting
50 error module determines the error status as an error in
response to the outcome value being an unexpected value in
the configuration memory.
14. The system of claim 11, wherein the self-detecting
error module determines an end to the configuration refresh
55 operation.
15. The system of claim 11, wherein the self-detecting
error module is configured to write the key value periodically
in response to the timer-based event.
16. A system for self-detecting errors in a radiative envi-
60 ronment, the system comprising:
a memory device adapted for storing a copy of a user-
defined function for controlling the system;
an FPGA core configured to interface with an EEPROM
and being programmable with the user-defined function;
65	 a controller configured to initiate a configuration refresh
operation which loads the user-defined function into a
configuration memory, the controller having a self-de-
US 7,590,904 B2
9
tecting error module adapted to self-detect the errors
without additional circuitry; and
a signature memory configured to store a key value pro-
vided from the self-detecting error module, wherein the
key value is a predefined string of bits different than the
user-defined function, and wherein the self-detecting
error module is configured to read the signature memory
in response to an end of the configuration refresh opera-
tion;
wherein the configuration refresh operation reloads the
user-defined function from the EEPROM device into the
FPGA core;
wherein the self-detecting error module writes the key
value in the signature memory flushed during the con-
figuration refresh operation, and
wherein the self-detecting error module is configured to
determine an error status by comparing an outcome
10
value stored in the signature memory to an expected
value after the configuration refresh operation.
17. The system of claim 16, wherein the self-detecting
error module determines the error status as no error in
5 response to the outcome value being equal to the expected
value in the signature memory.
18. The system of claim 16, wherein the self-detecting
error module determines the error status as an error in
response to the outcome value being an unexpected value.
io 19. The system of claim 16, wherein the self-detecting
error module determines an end to the configuration refresh
operation.
20. The system of claim 16, wherein the self-detecting
error module is configured to write the key value periodically
15 in response to a periodic timer.
