1.6.4 System Controller

In PolarFire devices, the system controller manages device and memory initialization, programming operations, and handles the system service requests. After power-on-reset or device reset (DEVRST_N) events, the system controller performs the initialization sequence of the I/O banks, FPGA fabric, and hard IP blocks.

For high-reliability applications, such as avionics applications, the system controller must be held in suspend mode after the completion of device initialization to protect the device from unintended device programming or zeroization of the device due to SEUs.

The system controller suspend mode is designed to provide an SEU immune reset state for the system controller. The system controller reset generation circuitry is designed with a triple modular redundancy (TMR) self-refreshing latch to provide SEU immunity. In this mode, the system controller is held in reset while its output ports to the rest of the system are forced to known and well-determined states.

The following figure shows the system controller reset generation circuitry.
Figure 1-3. System Controller Suspend Mode

The following table lists the System Controller ports and description.

Table 1-2. System Controller Ports and Description
PortDirectionDescription
SUSPEND_MODE_RESET_NOutput (Internal)Active-Low signal to reset the TMR SR Latch. Sourced from a system register.
SUSPEND_MODE_ACTIVATE_NOutput (Internal)Active-low signal to set the TMR SR Latch. Sourced from a system register.
SUSPEND_MODE_ENABLEOutput (Internal)Enable signal for suspend mode. Sourced from device configuration flash bit.
SC_RESET_NInput (Internal)System controller reset signal. This is activated after the FORCE signal.
FORCEInput (Internal)Indicates that all the outputs must be switched to suspend mode.
SYSCTRL_RESET_STATUS (SUSPEND_EN)Output (To FPGA Fabric)Direct connection of FORCE signal to the FPGA fabric indicates that FORCE is asserted, and the system controller is in suspend mode.

If SYSCTRL_RESET_STATUS = 1, the system controller suspend mode is enabled.

If SYSCTRL_RESET_STATUS = 0, the system controller suspend mode is disabled.

SYSCTRL_ACTIVITY (ACTIVE)Output (To FPGA Fabric)Signal to the FPGA fabric that represents the logical OR of the System Controller HTRANS signals. This must always be low when the system controller is in suspend mode. When not in suspend mode, this signal toggles at a variable frequency.
System controller suspend mode is controlled by a flash bit (SC_SUSPEND_MODE_DISABLE), which is set during device programming, and is not accessible either by external pin or from within the design. It is only accessed by the programming file loaded into the device, during programming. Since the SC_SUSPEND_MODE_DISABLE control bit is stored as a flash cell, it is immune to SEUs.
  • If SC_SUSPEND_MODE_DISABLE = 1, the system controller suspend mode is disabled.
  • If SC_SUSPEND_MODE_DISABLE = 0, the system controller suspend mode is enabled.

The suspend mode will be activated if enabled by the factory flash bit (SC_SUSPEND_MODE_DISABLE = 0) and the external JTAG reset is active. The system controller becomes active if the device is power-cycled or if a device reset (DEVRST_N) is applied, but it returns to suspend mode after the initialization sequence is completed. To restore normal operation, the device must be reprogrammed with the system controller suspend mode turned off (SC_SUSPEND_MODE_DISABLE = 1).

After the device has entered the suspend mode, the system controller is held in reset and cannot provide any system services and reprogramming services. For a full listing of device feature availability in suspend mode and for more information of system controller operation in suspend mode, see PolarFire Family System Services User Guide .

To facilitate reprogramming of the device, the JTAG_TRST_N pin is used to gate the internal FORCE signal and releases the system controller from reset. In a safety-critical environment, JTAG_TRST_N must be asserted low to prevent JTAG circuitry from affecting the I/Os due to SEUs. Releasing JTAG_TRST_N pulls the system controller out of reset and allows the device to be reprogrammed. When a programming mode instruction is loaded, the system controller sends a pulse on SUSPEND_MODE_RESET_N to clear the TMR latch so that the device can re-execute a normal boot sequence after programming is completed. Reprogramming via the system controller SPI (SC_SPI) interface is also possible. The external host must control JTAG_TRST_N. Asserting JTAG_TRST_N = 1 restores only JTAG and SPI SLAVE programming modes. All other features disabled by system controller suspend mode remain disabled.

The state of the system controller can be monitored by the FPGA fabric logic by reading the state of the SYSCTRL_RESET_STATUS (SUSPEND_EN) signal and SYSCTRL_ACTIVITY (ACTIVE) signal. Libero software provides a macro (SC_STATUS) for system controller status monitoring from fabric logic.

Confirmation of the state of the system controller suspend bit in the user design can be obtained by reviewing the Design_Initialization_Data_Memories_Configuration_Report generated by the Libero SoC tool.

System controller suspend mode can be enabled in the following two methods:
  • Libero SoC Design tool GUI: Project > Project Settings > Device Settings
  • Design .tcl file: add -adv_options {SYSTEM_CONTROLLER_SUSPEN_MODE:1} to the "set_device" tcl command

If the device is programmed with System Controller suspend mode enabled, the System Controller enters into suspend mode after completing device initialization (after DEVICE_INIT_DONE and AUTOCALIB_DONE gets asserted). The state of the system controller controlled PF_INIT_MONITOR outputs can be preserved during system controller suspend mode by enabling the "Latch system controller outputs" option in the PF_INIT_MONITOR IP configuration GUI.