1. Field of the Invention
The present invention relates to programming in programmable logic devices, and specifically to a programming method in these devices to enable system recovery after power failure.
2. Description of the Related Art
Many complex digital systems use logic that can be reprogrammed. For example, a system may contain a microprocessor, memory, I/O interface circuitry, and a programmable logic device (PLD) to control key logic functions. A PLD allows the logic functions to be changed for bug fixes, system upgrades, enhancements, or system customization. Preferably, a PLD in such a system is in-system programmable (ISP), thereby providing the capability of reprogramming the device in the field within the system, rather than requiring the system to be shipped back to the factory. The new programming data (also referred to herein as configuration data) for the PLD can be contained on a floppy disk to be read by a CPU and supplied to the PLD by a download cable or by any other means well known in the art.
FIG. 1 illustrates a prior art method used to program an ISP PLD. To invoke an ISP mode in the PLD, a special command is issued to the PLD in step 101. The PLD is completely erased in step 102 to maximize programming uniformity. In step 103, the address is set to zero. The programming addresses and data are then downloaded by programming the current address and configuration data (step 104), incrementing the address (step 105), and determining whether the programming is done (step 106). Steps 104-106 are repeated until all the configuration bits of the PLD are programmed. Finally, the ISP mode is exited in step 107, thereby allowing the new programming data to reconfigure the device for its new logic function in step 108.
However, this field programming method is susceptible to power failures that can damage the system. Specifically, because the upgrade is done in the field where the electrical environment is not as stable as the factory, there is a chance that the programming process can be interrupted by a power outage. In the case of a power outage during programming, the PLD is only partially programmed and thus may contain an internally inconsistent configuration that can cause system damage. For example, the user's configuration data may provide that a particular output signal driving a tristate bus is disabled by another signal in the design. However, in a partially programmed PLD, the disable signal may not be implemented, thereby causing the signal to be driving at the wrong time. Other equally undesirable behavior can easily be possible for a partially programmed PLD. Therefore, after the PLD is powered up after a power failure, it may enter into an irreparable destructive state in the system before the full and correct configuration data is programmed into it.
Therefore, there is a need to provide a method of programming during field upgrades that guards against system damage caused by a power failure or other disturbances during in-system programming.