Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
IEC PAS 61906-2005 – Nuclear Instrumentation: CAMAC Firmware Management and Upgrade Procedures
💡 As a Publicly Available Specification (PAS), IEC PAS 61906 addresses a critical gap in the CAMAC ecosystem: the management of firmware in microprocessor-based and FPGA-based CAMAC modules, including secure software download protocols.
1. Introduction and Motivation
IEC PAS 61906-2005 addresses the growing need for standardized firmware management procedures in CAMAC modules that incorporate microprocessors, FPGAs, CPLDs, or other field-programmable logic devices. As CAMAC systems evolved from purely hardwired logic to software-defined instrumentation, the ability to update module firmware without removing modules from the crate became an operational necessity. However, without standardized procedures, firmware updates risked introducing incompatible configurations, data corruption, or safety-significant errors in nuclear instrumentation applications.
This PAS defines a standardized approach to firmware identification, version control, download protocols, and verification procedures for CAMAC modules. It applies to all CAMAC modules containing programmable logic or embedded processors that are field-upgradeable via the CAMAC dataway or auxiliary interfaces.
⚠ Firmware management in nuclear safety applications carries special significance. The PAS emphasizes that any firmware modification to a module used in a safety-related application must be subject to the same configuration management, verification, and validation requirements as a hardware modification. This includes maintaining a firmware baseline, documenting changes through a formal revision process, and re-qualifying the module’s safety function after any firmware update.
2. Firmware Identification and Version Control
2.1 Module Identification Register
The PAS defines a standardized Module Identification Register (MIR) that must be implemented in each programmable CAMAC module. The MIR is a read-only register, accessible via a standard CAMAC F(0) read command, containing four 24-bit words: the manufacturer ID code, the module type/part number, the hardware revision level, and the firmware version number. The firmware version uses a major.minor.patch format (8 bits each within a 24-bit word), where a major version change indicates functional incompatibility, a minor version change indicates new features with backward compatibility, and a patch version indicates bug fixes with no functional changes.
2.2 Firmware Image Validation
Before any firmware download is accepted, the module must validate the integrity of the firmware image. The standard specifies the use of a 32-bit cyclic redundancy check (CRC-32) computed over the entire firmware image. The CRC value is embedded in the firmware file header and verified by the module’s bootloader before programming begins. Additionally, the standard recommends but does not require digital signature verification using public-key cryptography for modules used in safety-related applications. The firmware image header must contain: image length, CRC-32 checksum, target module type, target hardware revision range, firmware version, and a timestamp.
| Field | Size (bytes) | Description | Mandatory |
|---|---|---|---|
| Image magic number | 4 | 0xC0DAACDA (CAMAC signature) | Yes |
| Image length | 4 | Total firmware image size in bytes | Yes |
| CRC-32 checksum | 4 | IEEE 802.3 CRC-32 of image body | Yes |
| Target module type | 4 | Part number of compatible module | Yes |
| Hardware revision range | 4 | Min/max compatible HW revision | Yes |
| Firmware version | 4 | Major.Minor.Patch (1 byte each) | Yes |
| Timestamp | 4 | UNIX epoch seconds | Yes |
| Digital signature | 64-256 | RSA/ECDSA signature (optional) | No |
| Image body | Variable | Encrypted or plain binary data | Yes |
3. Firmware Download Protocol
3.1 Download Modes
The PAS defines three firmware download modes: Mode A (full-image replacement) where the entire firmware image is erased and rewritten — used for major upgrades and initial programming; Mode B (delta update) where only modified memory sectors are updated — used for minor revisions and patches to minimize downtime; and Mode C (dual-image swap) where the module contains two firmware image banks, allowing the new firmware to be programmed into the inactive bank while the module continues operating on the current image, followed by a warm reset to activate the new image. Mode C is specifically recommended for safety-critical applications because it provides a fallback to the previous image if the new image fails to boot.
3.2 Error Recovery and Fallback
A critical aspect of the download protocol is error recovery. If a download is interrupted (power loss, communication failure, CRC mismatch), the module bootloader must revert to a known-good firmware image. For Mode A and B downloads, this requires a protected bootloader region that is not erased during the update process. For Mode C dual-image systems, the boot sequence automatically falls back to the previously active image if the new image fails CRC verification after programming. The PAS specifies a maximum programming time of 60 seconds for any individual firmware download operation, after which the module must report a timeout error and revert to the previous state.
✅ Engineering Insight: The dual-image (Mode C) approach, while more expensive in terms of memory cost, is strongly recommended for modules performing safety or control functions. The additional flash memory cost (typically 10-15% of module cost) is far outweighed by the reduction in operational risk. Nuclear utilities have reported that Mode C capability reduces firmware-related system downtime by approximately 70% compared to systems requiring full-image replacement for every update.
4. Configuration Management and Documentation
The PAS requires that each CAMAC module’s firmware be traceable to a configuration management system that records: the module serial number, current and historical firmware versions, installation dates, modification justifications, and validation test results. For each firmware release, the module manufacturer must provide a release note documenting all changes, known issues, compatibility information, and installation procedures. The standard also specifies that the module shall provide a firmware update counter register that increments each time the firmware is modified, accessible via CAMAC F(1) read command, providing an auditable record of update activity.
5. Frequently Asked Questions
Q1: Can IEC PAS 61906 be applied to non-CAMAC modules?
A: While the PAS is written specifically for CAMAC modules, the firmware management principles it defines — including the Module Identification Register format, CRC validation, and dual-image update architecture — are applicable to any modular instrumentation system used in nuclear applications, including VME and PXI systems.
Q2: Is digital signature verification required for safety-related firmware updates?
A: The PAS recommends but does not require digital signatures. However, nuclear regulatory bodies in some countries (particularly the US NRC and French ASN) now mandate cryptographic firmware authentication for safety-related I&C systems under their digital modification requirements.
Q3: What happens if a firmware download fails mid-transfer?
A: The module bootloader reverts to the previous firmware image. For Mode C (dual-image) systems, this fallback is automatic. For Mode A systems, a protected bootloader ensures that the module can still accept a new download attempt.
Q4: How long does a typical CAMAC firmware update take?
A: A full-image download for a typical FPGA-based CAMAC module (1-4 MB firmware image) takes 30-60 seconds over the CAMAC dataway. Dual-image swaps require an additional 5-10 seconds for bank switching and reboot. Delta updates typically complete in under 15 seconds.
