Reliability of Antifuse-Based Field Programmable Gate Arrays for Military and Aerospace Applications
The differentiating structure in an antifuse?based field programmable gate array (FPGA) is, obviously, the antifuse. This two?terminal device, which is used as the configuration element in this programmable microcircuit, must be highly reliable for critical applications. This paper will briefly review the structures of different types of antifuses, the reliability history, and the efforts and results from hardening this programmable element. The antifuses must be shown reliable in both the programmed and unprogrammed states. In the programmed state, currents will flow through the structure. In the unprogrammed state, there are several reliability issues. First, the element must be stable over time under the full military temperature and voltage operating conditions; that is, time dependent dielectric breakdown (TDDB) is not a concern for military and aerospace systems that have long service lives. Secondly, the element must be reliable in the circuit; that is, normal operations such as handling with exposure to some level of ESD and soldering operations, where high temperatures are seen. Lastly, the biased, unprogrammed antifuse must be reliable to heavy ion irradiation. The reliability analysis will focus on the 0.25 ¬m SX-S devices, designed for space use, with hardened antifuses. Issues with antifuses for smaller geometry processes will also be discussed.
Antifuse?based FPGAs are high-density devices, with integration levels from 104 to 105 gates per microcircuit. The reliability of this class of programmable microcircuit will be examined. The discussion will start out with the basics of how reliability is determined for this device. That is, how are the devices tested, the fault coverage, and how that is achieved. Following this introduction, a summary of the reliability of different products, spanning over a decade of experience, will be presented. In particular, we shall present data showing the reliability of the devices as a function of product life and product introduction. This will quantitatively show the level of risk, for critical systems, of using newer technologies vs. older, more established devices. To put the reliability of this class of programmable devices in perspective, the failure rate for devices will be compared with historical measures, starting with the earliest microcircuits built in the 1960s for Apollo and continuing through the decades, as the industry's gained experience and increased integration levels.
Unlike traditional microcircuits, the design of the device is completed by the end user and programmed in the laboratory. Additionally, while systems comprised of traditional circuits are designed with only the simplest computer?aided engineering (CAE) tools such as programs that generate netlist, the designs of FPGAs require an extensive suite of sophisticated software. The field reliability of the device is now dependent not solely on the skills of the device designers and engineer, but the intellectual property embedded in CAE tools as well as the models that they operate on, and the tool users experience. The tool suite for military and aerospace FPGAs typically consists of:
Logic synthesis
Simulation
Optimization
Placement and routing
Parameter extraction
Timing analysis
Programming and verification
The impact of these tools on field reliability will be discussed.
Introduction
With the advent of FPGAs the system designer is actually responsible in part for the design of the integrated circuit and its SEU tolerance. In this design process he must use software tools and logic modules with which he probably only has a limited understanding. In this paper we will present the various levels of reliability that must be dealt with to produce a reliable product.
Antifuse
Antifuse based FPGAs are founded on a device (antifuse) that is not based on mainstream technology and therefore the manufacturer of such a part bears a bigger burden in reliability testing than do companies using purely mainstream technologies. The first antifuse technology used in FPGAs was the ONO (oxide, nitride, oxide) antifuse shown in Figure 1 and Figure 2. The first concern is that the dielectric must sustain Vcc across it for the life of the part without shorting. This needs accelerated testing known as TDDB (time dependant dielectric breakdown). The time to breakdown is measured for various voltages far exceeding the normal operating voltage. The time to failure can then be determined by extrapolating the TDDB curve (Figure 3). HTOL (High Temperature Operating Life) is also performed, which is an industry standard. This check typically tests the quality of the dielectric and verifies the TDDB testing. Secondly, the programmed antifuse must sustain a large number of AC logic pulse currents through it without significantly increasing its resistance. This is similar to electro-migration in metal lines. The conductive filament is shown in Figure 4. In the case of ONO this conductive filament actually reduces its resistance with increasing current stress (Figure 5). To verify that this holds true for long times at high temperature, antifuses were stressed at their programming current at 250 C until failure as shown in Figure 6. Failure analysis (Figure 7) showed that the limitation was the standard contact to poly-silicon and not the antifuse filament itself.
Utilizing the antifuse in space necessitated the testing of the part under heavy ion bombardment. It was shown that this thin ONO could be ruptured (SEDR) when a LET 53 ion passed through it with 5.6 megavolts/centimeter E-Field was applied (Figure 8). To achieve good reliability in this environment, it was necessary to thicken the ONO above that used in commercial parts. This resulted in longer programming times. This would not be tolerable for large commercial runs, but for the small quantities used in space this is quite acceptable.
With the advent of amorphous-silicon metal to metal antifuses, this allows higher performance and density. However the reliability must be verified again. Figure 9 shows a cross-section of a metal to metal antifuse. The TDDB curve is shown in Figure 10. At low fields this curve actually turns up as the leakage of amorphous silicon prevents the aging effects of trapped charge as seen ONO. Hence the TDDB for amorphous silicon is extremely good. Care must be taken in this measurement as high frequency voltage spikes can cause an erroneous rupture. While switch off of programmed antifuses is not a concern for ONO, it is for amorphous silicon. A programmed filament as shown in Figure 11, can open up if current equal to its programming current is passed through it (Figure 12). This process has been carefully studied and the SX and SXA FPGAs have been designed very conservatively to limit the current through the antifuse during operation. For this reason amorphous silicon antifuse parts go through a reliability test at -55C and high voltage to increase the current stress in the filament (LTOL, low temperature operating life). To further test the guard band, parts are programmed at various low programming currents and placed on LTOL to determine the failure point. As can be seen in Figure 12 the SX and SXA parts are greatly over designed in this respect. The SXA parts were further tested for SEDR and found to be excellent as shown in Figure 13 with no failures within the operating spec voltage.
.
ESD/PID
ESD is always a concern for integrated circuits, and especially in antifuse based ICs. For this reason no antifuses are connected to any pin. In this way Actel parts can exceed 2000 volts on each pin, or Class 2 ESD. A closely related phenomena known as PID (process induced damage) was pioneered on the 1010 product. It was discovered that antifuses could be damaged in process by Ion Implanters and Plasma Etchers. These equipment could apply approximately 20 volts on metal lines during processing, thus damaging or destroying antifuses. Antifuses proved to be especially susceptible to this as the ONO BVG had to be lower than the gate oxide BVG. This showed up as sort yield fails and antifuse stress failures (Figure14). As a result Actel lead the effort at the wafer foundries in detecting and curing this problem. All Actel products are also tested for this effect with stress tests at wafer sort and final test to assure that no such defect leaves the factory.
Soldering
Packaging and soldering temperature cycling places stress on the die. This is a concern as this can place stress on bond wires, metalization and via structures, as well as antifuses. Solder reflow effects are therefore emulated by a standard 'preconditioning' flow performed prior to submitting units for reliability testing. Preconditioning is an inherent requirement for qualification. Failure analysis is performed on any units that fail the Preconditioning step.
Summary of reliability as a function of product life and product introduction
Actel's FIT rate comprehends all failure modes including 168hr HTOL/LTOL which some may consider as infant mortality. HTOL testing is based upon programmed units as it is necessary to do life testing as the devices will be used in the field. It is worth noting that units used to generate the ORT (Ongoing Reliability Testing) data are not processed through an 883B equivalent flow, i.e. no burn-in was performed on blank units prior to the gathering of this data. For units processed through a military flow requiring some burn-in, we would expect a significant improvement in the FIT rate.
Product Reliability
The most common defect in any MOS integrated circuit that results in a field failure is gate oxide breakdown. This is usually tested for by stress testing (applying a voltage larger than spec). Stress testing always results in yield loss and no manufacturer wants to apply more stress than absolutely necessary. The temptation is always to stress at the lowest possible voltage to maximize yield. Actel parts though are by their very design required to withstand very large voltages during programming, even the low voltage gates. Thus very few gate oxide failures have ever been reported on Actel parts.
Manufacturers often post their ongoing reliability tests on their web sites. Figure 15 is a typical example. This one shows 15 years of Actel data combined with previous technology. The FIT rate of the Apollo onboard computer is a testament to the care taken by the Apollo team. Note that the older the Actel product the lower the FIT rate. As shown in Figure 16, this is really due to the fact that the it takes a long time to collect this data and so the plotted FIT is reflecting the limited data and not real defects. This data also notes an interesting trend in that only the oldest parts showed any defects. These defects were actually via failures dating from the early days of multilevel metalization. As the industry gained experience with multilevel metalization these problems were cured. The subsequent generations have not had these problems so the reliability is now actually better than it has ever been. This, combined with the higher level of integration today, has made systems much more reliable (Figure 17). The current production technology is only a scaled version of that which was developed 10 years ago and as such is very mature. However, the industry is beginning to introduce new technologies, namely Copper and Low K dielectric. These will bring with them new defects as well and their subsequent learning curve.
Fault Coverage
These very high integration levels exacerbate the testing problem. In a gate array or full custom circuit, logic can be buried very deep in a system making it difficult to test every possible logic state. In Figure 18 one can see that a large gate array that yields a very respectable 50% and has an outstanding 95% fault coverage has a defect rate of 3%, a normally unacceptable number for a merchant product. Hence the customer must put a great deal of effort into any custom design to insure adequate testing. FPGAs, on the other hand, are fully tested before personalization. All of the logic modules are tested in each state and all of the interconnect is verified to be continuous with no shorts. The key tests which allow Actel FPGA's to be fully testable are described below:
1) A shift register circles the periphery of the chip that can be loaded and read back during testing. The various shift register patterns are used to ensure that different portions of the internal circuits are fully functional.
2) All vertical and horizontal tracks are tested for continuity and shorts.
3) All horizontal and vertical pass transistors are tested for leakage and functionality.
4) The clock buffers are fully tested by driving with the clock pins and reading the proper levels at the side of the array.
5) There exist two special pins noted as Probe A and Probe B, which by use of the shift register, can be made to address the output of every logic module inside the array to ensure functionality. Every logic module in the blank FPGA is fully tested.
6) Through Probe A and Probe B, numerous other functional tests are allowed on a blank FPGA such as verification of the Input and Output buffer on every I/O.
7) Test modes exist to drive all output buffers to low, high or tri-state for testing. Thus Vol, Voh, Iol, Ioh standby current, and leakage tests are performed
8) There exists one or two dedicated columns on the FPGA which are transparent to the customer but allow Actel to program antifuses connecting inputs and outputs of modules into what is known as the "binning circuit". The programming is performed at conditions identical to those utilized by the programmer while programming a customer design. This allows Actel to ensure functionality of programmed antifuses and guarantee speed performances of the FPGA.
9) There are numerous tests to ensure that the programming circuitry is fully functional to ensure >90% programming yield. The programming circuitry is exercised at levels slightly greater than the programming conditions used by the programmer.
10) There are special high voltage devices used to isolate low voltage logic from the elevated voltages during programming. No low voltage logic will be exposed to any high voltage signals during testing.
11) There are tests to ensure that all antifuses are un-programmed and to ensure reliability and quality of the antifuse in the FPGA. These proven electrical screens to ensure antifuse reliability are performed prior to and after the tests that exercise the programming conditions of the FPGA. It is also important to note that the architectural design of the FPGA ensures the minimal stress on antifuses.
Guaranteeing Programming
In antifuse FPGAs it is not possible to test that every antifuse will program, therefore a small percentage will fail programming. They are however guaranteed to be 100% functional once programmed. This is achieved by: testing that the required antifuse is in fact programmed, that no nets are left floating, and that there are no shorts between nets. The Actel programming algorithm serially identifies each antifuse requiring programming and applies a voltage in pulses to program the antifuse. A soak "overprogram" step is performed to ensure that the antifuse is fully programmed and the resistance of the antifuse is uniform across the chip. During programming, the programmer has the ability to ensure that each identified antifuse to be programmed is fully programmed and only that antifuse is programmed else it identifies the part as a programming failure. There are numerous tests performed before and after every antifuse is blown to ensure correct functionality after programming. A standby-ICC measurement is recorded pre-programming and post programming to ensure that the chip ICC characteristics have not changed due to programming. Through the extensive electrical tests and screens performed during regular production testing at Actel in combination with the extensive tests performed during programming, Actel is able to ensure functionality and reliability of its programmed FPGA.
CAE Tools
CAE tools, while very reliable in translating RTL code to a logic design, still require that care must be taken to produce a functionally reliable design. Current VHDL Code is much like Assembler Code, far more efficient than coding in Binary, but easy to create many bugs. Behavior Level Code would be far less prone to bugs, but not particularly efficient in silicon use or fast in speed. These tools are not yet available and not likely to be used until Silicon area and speed is not a premium in design. As a result a designer in the high reliability space market must be aware of the idiosyncrasy of the VHDL version he is using as well as the target FPGA. As an example, a designer may wish to insert a logic delay to account for clock skew. The VHDL code will happily delete the delay as redundant. The designer must make sure this stays in by using the preserve attribute.
Another problem area is using combinatorial circuits as clocks to registers. The HDL coding style can avoid this. The coding style can steer the logic mapping tools to infer FFs with built in Enable functions. For example, the following Verilog code will synthesize to a two-input AND gate the output of which will clock the register.
module gatedFF(Q, Data, Clock, Enable);
input Clock, Data, Enable;
output Q;
reg Q;
wire GC;
assign = (Clock && Enable);
always @(posedge GC)
begin
Q = Data;
end
endmodule
Once you rewrite the Verilog in the following way, the tools are able to infer the Enable-FF.
module enableFF(Q, Data, Clock, Enable);
input Clock, Data, Enable;
output Q;
reg Q;
always @(posedge Clock)
begin
if (Enable)
Q = Data;
end
endmodule
The synthesis methodology can help you instantiate the special CLKINT or CLKBUF drivers for high fanout and clock signals. This will avoid the synthesis tool building a buffer tree that will adversely affect the timing and area of the design.
Register duplication is not a problem with Synopsys tools. While using Synplify, there is an option to turn this feature off.
Another area of concern is generating a design tolerant to SEU. For instance a user may wish to make a flip flop utilizing two or even 4 combinatorial modules and a logic optimizer may collapse it to a more efficient design which is not SEU immune. It may generate multiple pipelines to optimize speed, but may generate SEU sensitive designs that may have possible illegal states. Synthesis tools have improved over the years, but care still needs to be taken when using them.
The default logic design technique, using standard commercial sequential elements (S-FFs), produces designs that are most susceptible to SEU (single event upset) effects. There are two unique techniques (the CC-FF and the TMR technique) that can eliminate the SEU sensitivity and improve the SEU rate on Actel's radiation-hardened FPGAs. In addition, a fully synchronous design methodology creates a more stable circuit with shorter debug time for timing verification and it is also easier to migrate between process geometries and architectures.
CC-FF Technique
The CC-FF technique avoids the S-FF portion of the sequential element and uses combinatorial cells with feedback to implement storage. The Macro Library Guide lists all the macros that are implemented by combinatorial cells. The ACT 1, 40MX and RH1020 family of devices do not have S-FFs and only use the CC-FF design technique.
The synthesis methodology also supports the CC-FF technique.
è Synplify provides an attribute called syn_radhardlevel that can specify the register implementation to be "cc" at any level of a module, an architecture or an individual register of the design.
è Similarly, a Synopsys script called sequential_combinatorial is provided to implement this technique.
TMR Technique
Triple module redundancy (TMR) is a well-known technique for SEU mitigation. Instead of a single FF, TMR uses three FFs leading to a majority gate voting circuit. If one FF is flipped to the wrong state, the other two override it and the correct value is propagated to the rest of the circuit. The cost of this method is three to four times the area and twice the delay required for S-FF implementations.
The synthesis methodology also supports the TMR technique.
è Synplify attribute syn_radhardlevel can specify the register implementation to be "tmr" or "tmr_cc" at any level of a module, architecture, or an individual register of the design.
è Another Synopsys script called sequential_triple_voting is provided to implement this technique.
These techniques are, however, not needed with the RT54SX-S family which have self-refreshing TMR built into every register. This family of devices is practically ion proof, making the job of the designer much simpler.
New devices such as the SXS devices are made with the idea of taking advantage of past lessons. Antifuse devices have isolation transistors to keep programming voltages out of the logic circuits. During normal operation a charge pump drives these gates high to pass a logic signal. During power-up the logic is going through indeterminate states causing a power drain and an output spike. The new devices put all modules in a predetermined state until the charge pump has reached operating voltage and then all modules will immediately switch to the correct state. The outputs are tri-stated until the correct state is reached and then enabled. Additionally the outputs can be programmed to have a 50ua sink to ground or Vcc until the outputs are enabled. Slew control has also been added to the outputs to minimize ground bounce problems. These parts also contain triple module redundancy such that SEU does not have to be considered by the designer. The JTAG TRST pin, which should always be programmed and grounded in space, is programmed before leaving the factory so that it is not inadvertently left unprogrammed by the user.
Synchronous Design Methodology
Synchronous design should always be used when designing with FPGAs. Many customers have utilized the design by test methodology often adding logic delays until a design functions. These often fail if the Vt of the transistors change causing slight changes in timing, something likely to happen in space. Often designers believe they are using synchronous design, but allow asynchronous design in innocuous areas. Additionally the timing analysis available in Actel tools is conservative and should always be used, particularly static timing analysis.
Fully synchronous designs follow certain basic rules. All registers that share the same data path , should be connected to a common clock network of the FPGA. Every element on the same clock should be triggered on the same clock edge to remove any dependencies on the duty cycle of the clock. If data must cross between multiple clock domains, the data must be re-synchronized between these domains using one or two registers to ensure that the data is always in a known state.
Common practices of clock gating, derived-clock and divided-clock situations violate these synchronous design principles. The enable function of the register can be employed in each of these situations to become fully synchronous. Other asynchronous situations of feedback loops, one-shots, data sampling, preset and clear should also be replaced with circuits that change only with the system clock.
User Testing
Testing of systems is also a critical area. This paper is not covering this, but there is one particular point users need to be aware of. Flip flops will remember their last state upto 24 hours. If power up is critical, always set the flip flops to the opposite state of the desired state for approximately one hour before power down followed by the power up sequence. In this manner the flip flop will power up in the wrong state to facilitate valid initialization testing. Also signals sent to the FPGA to initiate a power on reset should not be applied until the power supplies reach spec voltage, otherwise the logic modules may not be active.
Summary
Devices and CAE tools have improved a lot in the last 30 years and continue to improve. Additionally the very high levels of integration have made systems far more reliable. Ultimately the reliability of a specific design rests with the system designer and software engineers. Integrated circuits and CAE tools benefit from the heavy use by multiple users, which improve the quality of these systems. The user on the other hand has the problem of designing systems that may be used only once in a hostile radiation environment and failure may not be an option. This often may be the weakest link, and therefore the user must take care to know the products he uses and utilize sound design practice.
|
