A programmable logic device (PLD) is designed to be user-programmable so that users may implement logic designs of their choice. Programmable logic circuits of a PLD comprise gates that are configurable by a user of the circuit to implement a circuit design of the user. One type of PLD is the Complex Programmable Logic Device, or CPLD. A CPLD includes two or more “function blocks” connected together and to input/output (I/O) resources by an interconnect switch matrix. Each function block of the CPLD includes a two-level AND/OR structure similar to that used in a Programmable Logic Array (PLA) or a Programmable Array Logic (PAL) device. In some CPLDs, configuration data is stored on-chip in non-volatile memory, then downloaded to volatile memory as part of an initial configuration sequence.
Another type of PLD is a field programmable gate array (FPGA). In a typical FPGA, an array of configurable logic blocks (CLBs) is coupled to programmable input/output blocks (IOBs). The CLBs and IOBs are interconnected by a hierarchy of programmable routing resources. These CLBs, IOBs, and programmable routing resources are customized by loading a configuration bitstream, typically from off-chip memory, into configuration memory cells of the FPGA. For both CPLDs and FPGAs, the functionality of the device is controlled by configuration data bits of a configuration bitstream provided to the device for that purpose. The configuration data bits may be stored in volatile memory (e.g., static memory cells, as in FPGAs and some CPLDs), in non-volatile memory (e.g., FLASH memory, as in some CPLDs), or in any other type of memory cell.
PLDs also have different “modes” depending on the operations being performed on them. A specific protocol allows a programmable logic device to enter into the appropriate mode. Typical PLDs have internal blocks of configuration memory that specify how each of the programmable cells will emulate the user's logic. During a “program” mode, a configuration bitstream is provided to non-volatile memory, such as a read-only memory (ROM) (e.g., a programmable ROM (PROM), an erasable PROM (EPROM), or an electrically erasable PROM (EEPROM)) either external or internal to the programmable logic device. Each address is typically accessed by specifying its row and column addresses. During system power up of a “startup” mode, the configuration bits are successively loaded from the non-volatile memory into static random access memory (SRAM) configuration latches of a configuration logic block.
However, for a PLD to function properly, it is necessary that the data loaded into a memory is not corrupted. Certain applications of programmable logic devices, such as military, aerospace, and high-reliability communications, must be able to continue operating in the presence of a small number of configuration bit errors even when the likelihood of such an occurrence is extremely low. A Single Event Upset (SEU) relates to a configuration bit flip due to cosmic radiation, for example, while a Single Event Transient (SET) is a transient voltage pulse on routing resources that may be large enough to cause logic level upsets. Triple module redundancy (TMR) is a technique for ensuring that a circuit functions even if one of the circuits is not operating properly, where a majority vote of the remaining two circuits will ensure that the output of the circuit is correct. If an SEU or SET upsets a state machine, the state machine will resynchronize with its redundant partners after the upset is corrected through configuration memory scrubbing. Therefore, state logic can operate uninterrupted in the presence of SEUs and SETS.
However, implementing a circuit in triple module redundancy can be a difficult task. Therefore, verifying that a circuit implemented using triple module redundancy operates correctly is important. TMR circuits are typically verified through simulation. Conventional methods for simulating TMR designs involve running the simulation of the three redundant circuits normally, then “breaking” one design domain by tying the clock signal coupled to the design domain to ground. If the circuit behaves correctly, this shows that redundant circuitry is working correctly. Next, the clock signal to another design domain is tied to ground, causing the circuit to stop functioning. This is repeated for each redundant circuit. It is expected that the output will be correct after the first clock domain is broken, but that the output will be incorrect after the second clock domain is broken during this test. However, the deficiency with this conventional method is that it will not reveal missing or incorrectly connected feedback voters. That is, the simulation will give the same result regardless of whether feedback voters are present or not, since the feedback voters serve to synchronize state logic after the error condition has been corrected. Accordingly, conventional methods for verifying a circuit implemented in triple module redundancy only show whether the overall design redundancy and the final stage of output voters are correctly implemented.
Accordingly, there is a need for an improved method of and system for verifying a design implemented in triple module redundancy.