Abstract Fundamentals of Digital The concept ofdesigning forreliability willbe introduced along with abrief Engineering: ovcr,,iew ofreliability, redundancy andtraditional methods offaulttolerance ispresented, asapplied tocurrent logic devices The fundamentals of advanced circuit design andanalysis techniques willbe theprimary focus The introduction willcover thedefinitions ofkeydevice parameters andhow Designing for Reliability analysis isused Ioprove circuit correctness Basic design techniques suchas synchronous vs asynchronous design, melastable stateresolution time/arbiter design, andfinite slatemachine st_cture/implementation willbe reviewed A Micro-Course Advanced topics will beexplored suchasskew-tolerant circuit design, the useoftriple-modular redundancy andcircuit hazards, device transients and prevenlntive circuitdesign, lock-up states infinite statemachines generated bylogic synthesizers, device transient characteristics, radiation mitigation techniques, worst-case analysis, theuse oftiming analyzers andsimulators, andothers Case studies and lessons learned from spaceflight designs will begiven asexamples May2I,2001 This Seminar • This is a seminar, not aclass - Two Way Conversation - Basic Theory Introduction - Lessons Learned - Case Studies for Discussion • Present Your Own Case Studies for Discussion and Future Inclusion • Under Development - First Time This Seminar Is Given - Not All Topics Are Fully Developed - What Areas Are Useful? Guide Development. Reliability Reliability Motivation - A Case Study (1961) Motivation - A Case Study (1986) Itappears that there are enormous differences of opinion as to the First,Ibelievethat this nation should commit itself to probability of afailure with loss of vehicle and of human life. The estimates range from roughly I in I00 to 1in 100,000. The higher achieving the goal, before this decade is out, of ! figures come from the working engineers, and the very low figures landing a man on the moon and returning himsafely from management, What are the causes and consequences of this to the earth, lack of agreement? Since 1part in 100,000 would imply that one could put a Shuttle up each day for 300 years expecting to lose Speei_1MessagetotheCongn.'ssonU_gentNationalNeeds PresidentlohnFKennedy only one, we could properly ask "What is the cause of Ddivcn_dinpersonbefore ajointsessionofCongress management's fantastic faith in the machinery?'" May25.1961 g RPF¢.v;ma,'mR,eporlof_¢ PRESIDENTIALCOMMISSIONontheSpaceShuRl¢ I ChallengerAccident,Volume2Appendi.xF-Persona/Observation sonRetiabilit._of I Shunl¢,Iun¢6th,1086 Reliability Increasing Reliability Motivation - A Case Study (2001) When discussing the impact of the high observed FIT • Fault Prevention rate for the FPGAs, the IAT asked Lockheed Martin - Eliminate Faults "What's the reliability allocation?" Lockheed Martin - In Practice, Reduce Probability of Failure toan responded, +'tlelI if Iknow." Acceptable Level The IAT followed up by stating that it appeared that • Fault Tolerance there has been no calculation of the probability of mission success. Lockheed Martin concurred and JPL - Faults Are Expected added: "No programmatic requirement for reliability - Use Redundancy numbers." •AdditionalHardware, So.rare, Time F_n the Ma.,_Od':ssey F'I_A Independent A_sm'ncnt Team, Apnt 2,2001 Conventional Techniques for High- Conventional Techniques for High- Reliable Spaceborne Digital Systems Reliable Spaceborne Digital Systems (cont'd) • UseofConservative DesignPractices - Derating, Simplicity,WideTolerances • ThermalCyclingandVibrationTestingofAllCompleted • PartsStandardization Assemblies • 100%ScreeningofPartsandAssemblies, IncludingThorough • Establishmentofanefficientfieldservice feedbacksystemto Bum-in reportonequipmentfailures intheField • DetailedLaboratoryAnalyses andCon'ectiveActionforAll • DesignoftheEquipment toMinimizeStressDuring FailedParts AssemblyandtoFacilitateReplacementofFailed • UseofExtreme CareinManufacture ofParts Components • ThoroughQualification ofPartsandManufacturingProcesses XAS3,SPA(I _\"kHIC_ EI'II:]SI('*NCI_.ITI]RIA (GI..fD kNQE AND (ON'_/,OI + _ll'.'R(I:_Bt?,)RXE DIGFfA" ,'OMPL [ER SYSq-E' IS-_,P-_;_7;, t What We Will Do What We Will Not Do • Cover Basic Concepts • Provide Exhaustive Coverage • Present Data and Design Techniques - We only have afew hours • Case Studies - Too much material - Solutions for Previous Missions • Solve All Problems - Mistakes from Previous Missions - Goal isto make you think • Not discuss "Morn and Apple Pie" [well, at least minimize it] 2 The Lessons of Designing for Reliability "... we must not repeat the errors of the past. This is blocking and tackling, not rocket science." Dan Goldin, April 27, 2000. Barto's Law: Every circuit is considered guilty until proven innocent. Termination of Special Pins Special Pins • MODE pin (test program mode). • Vpe pin (programming voltage). • TRST* (Reset toJTAG TAP controller) *TCLK (provides clock to TAP controller) A Very Basic Topic But A Source of Frequent Failures and Problems • SDI, DCLK (varies for each device type) , Others MODE Pin - Test, Debug and MODE Pin Programming Control • Left Floating I Y'"_ - Devicecanbenon-functional I ..... I - Highcurrents - Uncontrolled l/O • Tied High During Test - Working devicestopped functioning - Powersupply risetimekey I ....... I MODE Pin - Test, Debug and IEEE JTAG 1149.1 TCLK Programming Control iflj ! il _"J [ _ itl I t l t,t The CLK pin may turn into anoutputdriving low, clamping the oscillator's outputatalogic "0'. The TAP controller can not reset and restore YO operation. Most FPGAs donot have the optional TRST* pin. Note TRST*, when present, has a pull-up. IEEE JTAG 1149.1 - Scan Path IEEE JTAG 1149.1 TCLK SERIAL _NPUT SERIAL INPUT m _hifi Register i_ TCK -_ TAP Controller undefined inTI:!SI- --_ = S2Y-S'FsETAMTE [,OGIC-RESE I gta_c OUTPUT 'Slate Machine) / SYSTEM LOGIC LNPUT , , S3Y-STSETMATE OUTPUT TDI -_ Shift Register TDO 1 SBOYIUOST]TRPEEUMCTTIC'NAL _a_S:_ Parallel Latch CConhtirpol IEEE JTAG 1149.1 - Scan I/O Cell ToNext Pin T .o0_ OutEnable ----_ T l ] Data Out T l JTAG DATA PATH 2 Input Stages - Introduction • Most CMOS inputs have rise/fall time limits - Most inputs also have some hysteresis • Typical symbols in specifications Input Stages t_,trL. -rise time tF, tTIIL - fall time tT-transition time • Waveform measurement - b'pica[ly from 10% to 90% but not always - sometime parameter measurement method is not specified Input Stages - Termination Input Stages - Practice • Floating CMOS inputs are, in general, 'bad.' - Totem-pole currents, oscillations, etc. • Data sheets may list aparameter for information only and not 100% tested * Some devices offer pull-up/down resistors - SX-S only active during power transitions • Laboratory devices have shown that not all - Xilinx resistors controlled by SRAM qualified devices will meet the data sheet - Care oninternal tri-state lines - One case was when apart was shrunk - Migration to afaster process • Dedicated Inputs - Oscillations observed - Actel unused inputs _ere handled bys/w - Not true forsome SX, SX-S clocks • Conservative margins recommended Check each case carefully Input Stages - Termination Input Transition Times Case Study: SX-S Clock Pin Part Number Reference tzm(a,x-) Aio20 1 soo AIO_0B J s_o RIIl0_ i soo z IXrr_CQF_51W AI:mOA 4 SOO I o¢9_ oFSg.k. Ea,_,_"r_l mO PJll:mo 4 S00 RT_4SXI_, J._ 7 SO 12o.t_" 3_tn._:_rural TaM _XTQ_R4_SXXLS I09 _ =SzOo v_r_x I1 _SO lo- L'T_..'_'P 10 I_ ? AT6010 (_L} 1_ SO AT_IO O_V) I4 SO krIdll (Si) Input Transition Times Clock Transition Time Specification References A Difficult Case [I] ACT r_ tField Programmable Gate Arrays, Match 19ql. [2] ACT IandACT 2MilitaryFPGAs, April,1992. [3] ACT vMISeriesFPGA_ April 1996. [4] Radiation Hardened FPGA.% v3.0, )anua_ 2000. ACElectricaCl_racterlstlcsOvertheO_raUngTem_ratureRange [5] ACT vu2Series FPGAx. April t996. [6] Acceleralor Series FPGAJ -ACT v_3Family, September, 1997. (ReadandW_teCycleTlmin_/z'_'__0 •_i ts_,v,T,•O'Cto*_'c) [7] 54SX Farm_y FPGAs RadTolcnmt andHiR¢l, prdiminary VT.5, Match 2000 [g] HiRel SX-A Family FPGA& Advanced v.I. April2000. 1-I -- l,.l,.l-]-t'-] [91 RT54SX-S RadTolerant FPGAs forSpace ApplicatiOns, Advanced 0.2, Noverabet, 2000. [10] QPRO XQR4000XL Radiation H_dcncd FPGA_ DS071 (v[.I) June 25.2000. [Il] QPRO TM Vira:xTM 2.5V Radiation Hardened FPGAs, D5028 (v1.0) April 25,2000 Advance Product Specification. II [12] Not indatasheet [13] Co'tflgurable Logic Data Book, ACntl, August I995. [141 AT6OOOLV, AWncl,October 1999. Transition Time Requirements Transition Time Requirements Implications -Pullup Resistors Implications -Filters and Protection Circuits • Often used on signals • Often used fortri-state or bi-directional - Elimination of noise busses - ESD protection • Rise time (10% - 90%) = _= 2.2 RC - Etc. • Example • RC filters orclamps (high C) can often C = 50 pF substantially degrade transition times R - I0 ki) (keep power levels reasonable) • Consider discrete hysteresis buffers, = 500 ns particularly for clock signals violates many devices' specifications (see table) Bus Hold Circuit in an FPGA Transition Time Requirements Implications -Interfacing with older logic families • Case Study (1) - CD4000B CMOS NOR gate -- VDD = 5V - tr (typ)= 100ns • Case Study (2) - CD4050B (used as alevel shifter, for example) - VDO= 5V - tT(max, 25 °C)= 160 ns 2 Transition Time Requirements Transition Time Requirements Implications - Interfacing with older logic Parameter Measurement families (cont'd) i Case Study (3) - 54HC00 CMOS NOR gate VOH - 5962-8403701VDA,NANDGATE, QUAD2-1NPUT T_! Symbol Test conditions l: ____Lira/Is Unit 50,_ .55oC STc _+I2S°C Min Max unless other_As¢ specified Tc=+25°C Vce=ZO 75 c_ul ri_and %, =sopF Vec=4.5 is as tTH L i; TLH V0L S¢cfigure 4 v,:c=6.0 13 Tc=-55"C, -55°( IVcc=2O lI0 Ct =50pF ivote.5 22 ns _ figure 4 [Vcc=6,0 19 3/Tramit/on _ (try, trot), ifnott©stcd, shallb¢guaran:eed to_ sCccificd Tim/isin From: Figure 4, 5962-8403701VDA, NAND GATE, QUAD 2-1NTUT table I. Transition Time Requirements Transition Time Requirements Case Study: RH1020 Case Study: RH1020 CLKBUF • Production Parts ! : . -!L - Inputstagewasmodifiedforclockupset • Vcc =+5VDC • T=25oc • CLKBUF monitored onoutput Because of design ofthe buffer, d/fficuh toseeeffects ontheinput pin • Used alow impedance signal generator, triangle waveform )ooooov : _2ooooovi i • Commercial specification is tg, tFof 500 ns -60500 ns -105.00 n= 39500 n$ - RHI020 didnot mcct thisspecification t00 ns/div roBltlme - SMD 596290965 does notspecify this parameter rilitiml { I)_gS.715n= Transition Time Requirements Transition Time Requirements RH1020 CLKBUF @ VrN threshold Case Study: RH1020 CLKBUF Notes i - i Conditions: Room temp; Vcc = 5.0 V. Oscillations detected consistently at tR= 360 ns Sporadic outputpulses at tg = 300 ns i l i i Transition time requirement not symmetric - Oscillations detected consistently atIv= 1.5p.s - Sporadic output pulses observed attv= 1.0 -205000 ns -105.0OO ns -SOO0 as 200 nl/_lv rlalttm! trequln¢_ (3) 104.000M_ Interfacing - Voltage Margin Inputs: RT54SX 16 tT • TTL _ CMOS - Problem with discrete circuits (still seen) .......i.i.i ....ili i ............i.i,ii.... - Normally not aproblem with 5V FPGAs - Issue with new FPGAs : :i =: -_ ........ •0.35tammayonlypullupto3.3VDC ! •0.25p,mmayonlypullupto2,5VDC : i •CanbeissuewithpartshavingaVm=70%Vt_D -i oo_ .$ ooqo s i oooous •Ringingcancausefalsetriggering curr|nL .lnl_U. maximum a_ere_| rtso_Iml <t_I07_2us m -- -- • Vm = 0.8V and fast devices are sensitive to ringing on abackplane. RIrJ4,_FI6 output (bon'om trace) withaslow r_xing input (top trace) which cloc_ adivide by two counter reciting ina*glitch." The clock laput wo_prvvided byanHP8110_¢ pulxe generator. Inputs: RT54SX16 tT JTAG and Loss of Control ! i i i i : • Run TCK with TMS='I' r - Guaranteed toreturn toTEST_LOGICRESET state within 5clocks. • Share system clock with TCK • JTAG Hit • Inputs turn to outputs - Clock pin turns to output, clamps system clock -ioo.oo ns oooo s Ioo,oo ns 2o,o n$/Cllv real tlm* No TCK, system hangs. RT54SXI 6ourgn,t (bottom trace) with aslow rising Input(top trace) which clocl_ adivide byt_v counter re..ndtfng ina"glitch." The clock input wartreovided byanHlaSIIOApu&e generator. 4