Military Embedded Systems Spring 2005 Volume 1 Number 1


mil.embedded.com

Hardware

fore have the same inherent radiation characteristics as the processor. The internal L2 cache has a capacity of 512 KB and utilizes an eight-bit Error Correction Code (ECC) for every 64-bit word in memory. The ECC logic is used to correct a majority of single-bit errors and detect multiple-bit errors. The L2 tags also support parity and by-way locking. The L1 cache has a 32 KB instruction cache and a 32 KB data cache; both are eight-way set associative, and the L1 cache tags support parity as well.

Non-volatile ROM

Similar to the protection scheme for RAM, the integrity of extensive firmware utilities stored in boot Flash can also be guaranteed by dual redundancy (two independent banks of boot Flash) in combination with a watchdog mechanism. Software-independent radiation-hardened circuitry is the key component of this watchdog mechanism, and the design expects a periodic service generated by the firmware or the flight software application. The redundancy scheme maximizes the opportunity to boot successfully after an initiated or environment-induced reset (a software reset, a power cycle reset, or a SEE).

The dual-redundant scheme works as follows: upon power up, the radiation-tolerant module must successfully start the flight software, and any one defective boot Flash can be overwritten by the contents of the intact boot Flash to provide two identical copies for future start-up operations. A hardware register can be added to provide a status if such overwrite operations were performed during the last reset. For further assurance against soft errors, the control logic to implement the watchdog timer and the overwrite operations are also implemented in an anti-fuse FPGA.

Dual-redundant boot Flash is controlled by a radiation-hardened watchdog supervisor function (see Figure 2). The redundant Flash is used to boot up if the watchdog expires without an initial service from the boot-up firmware and subsequent service by the flight application.

Figure 2

Besides boot Flash, additional non-volatile user memory is required to store the user's application and data such as digital filter coefficients or static data tables. The user Flash is often NOR Flash to provide best performance in random access scenarios. It is further enhanced with an ECC correction algorithm integrated with the Flash memory controller inside an anti-fuse FPGA. As shown in Figure 3, the user Flash controller calculates and writes ECC syndromes to the third Flash bank while data is written in 32-bit mode to the other two user Flash banks. The ECC mechanism corrects single-bit errors and detects multi-bit errors. When the processor initiates a read request to the user Flash, a CRC checksum is calculated and compared against the stored value. If the two checksums are different, a single-bit correction will be attempted or the flight software will be notified with a multi-bit error in the Flash. Similar to the intent of dual-redundant boot Flash, the ECC-protected user Flash is also designed to mitigate SEE.

Figure 3

System-level functions

As shown in Table 2, there is more to a radiation-tolerant system processor besides the CPU and memory subsystems. A local expansion slot is an attractive feature because it enables additional mission- or application-specific I/O interfaces to be inserted into a single-slot solution and maintains the same system processor as a building block. This feature is particularly important when a system has a high-speed I/O interface and the high-bandwidth traffic can be localized to a dedicated bus on the processor instead of an external bus system.

For communication among other cards, a bus interface is desirable to allow expanding multiple system processors to perform redundant or different tasks. Moreover, a bus system provides access to additional I/O features that cannot fit onto a daughter card. One application example of such an I/O card is a motor controller, which typically has high current and large components that do not fit in any industry-standard I/O card form factor.

An example of such expansion and bus interfaces is the implementation of a local PCI bus for an onboard PMC site implemented in an FPGA. The same FPGA approach is used for the external CompactPCI bus. It is essential that the CompactPCI bus interface be designed to operate as either a master or slave controller to allow maximum system flexibility. In the case of a master controller, the interface should support up to eight PCI devices in a standard CompactPCI backplane (the maximum number without additional bridging). The UART control logic for legacy serial channels can also be implemented in an FPGA, while the serial transceivers are implemented using bipolar space-qualified devices. Timers or counters can also be implemented in an FPGA to provide auxiliary timing functions for the flight software and execution of time-based software development tools.

Figure 4

COTS radiation-tolerant board

We have described the ideal mitigation techniques for designing a radiation-tolerant processor card. Many of the individual techniques have been introduced in the past, but they are now implemented together to provide integrated radiation hardness enhancements at the board level in the Aitech S950 product. Figure 4 depicts the functional block diagram of the S950 and shows the flow of processing functions among the processor, memory elements, and expansion I/O or bus interfaces. By incorporating dual footprints for various components in the design, this product comes with an engineering unit that is a form, fit, and functional equivalent to the flight unit. The engineering design units allow for rapid prototypes of space missions with software compatibility for the flight configuration. For different space environments, the processor card is offered in two flight configurations to accommodate customers' environmental and operational requirements.

References

1. F. Irom, F. F. Farmanesh, A. H. Johnston, G. M. Swift and D. G. Millward, Single-Event Upset in Commercial Silicon-on-Insulator PowerPC Microprocessor, IEEE Trans. on Nucl. Sci., vol. 49, no. 6, pp. 3148-3155, Dec. 2002.

Anthony Lai

Anthony is currently space product business development manager for Aitech. He has more than 15 years of experience in space avionics design and development for radiation-tolerant computer products. Prior to joining Aitech, he led several avionics payload designs at Jet Propulsion Laboratory, including the Mars 2003 Rover prototype (FIDO). Lai has an MS in Electrical Engineering from UCLA as well as a BA in Electrical and Computer Engineering with a minor in Applied Mathematics from UC Irvine.

For further information, contact Anthony at:
Aitech Defense Systems, Inc.
9001 Oakdale Avenue • Chatsworth, CA 91311
Tel: 866-388-0712
E-mail: sales@rugged.com • Website: www.rugged.com
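The dual-redundant boot Flash sequence described under "Non-volatile ROM" can be followed step by step in a small C simulation, added here as an example and not Aitech's firmware or FPGA logic. It assumes each bank carries a CRC-32 over its image and models a defective image as firmware that never services the watchdog; the status bit names, structure layout and image size are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#define IMG_LEN 64u            /* constructed image size for the demo */
#define ST_BANK_SWITCHED 0x1u  /* hypothetical status bits, not a real register map */
#define ST_BANK_REPAIRED 0x2u

struct bank  { uint8_t image[IMG_LEN]; uint32_t crc; };
struct board { struct bank flash[2]; unsigned select; uint32_t status; };

static uint32_t img_crc32(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

int bank_ok(const struct bank *b) { return img_crc32(b->image, IMG_LEN) == b->crc; }

void bank_program(struct bank *b, uint8_t seed) {  /* write a constructed image + CRC */
    for (size_t i = 0; i < IMG_LEN; i++) b->image[i] = (uint8_t)(seed + i);
    b->crc = img_crc32(b->image, IMG_LEN);
}

/* One power-up. A defective image never services the watchdog, so the supervisor
 * switches banks and resets. Returns the bank that booted, or -1 if neither did. */
int power_up(struct board *bd) {
    bd->status = 0;                      /* status reflects the last reset only */
    for (int attempt = 0; attempt < 2; attempt++) {
        struct bank *cur = &bd->flash[bd->select], *other = &bd->flash[bd->select ^ 1u];
        if (!bank_ok(cur)) {             /* watchdog expires without service */
            bd->select ^= 1u;
            bd->status |= ST_BANK_SWITCHED;
            continue;
        }
        if (!bank_ok(other)) {           /* running: overwrite the defective copy */
            *other = *cur;
            bd->status |= ST_BANK_REPAIRED;
        }
        return (int)bd->select;
    }
    return -1;
}

int main(void) {
    struct board bd = {0};
    bank_program(&bd.flash[0], 0x10); bd.flash[1] = bd.flash[0];
    bd.flash[0].image[7] ^= 0x04;        /* constructed upset in bank 0 */
    return power_up(&bd) == 1 ? 0 : 1;
}
```

Flight software would read the status word after boot to learn that the last reset switched banks or rewrote one, which is the role the article gives the hardware status register.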
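Both the L2 cache passage (eight ECC bits per 64-bit word) and the user Flash passage (check bits stored in a third bank) describe a code that corrects single-bit errors and detects multi-bit errors. The article does not give the code's construction, so the added example below assumes the textbook extended Hamming (72,64) code; it is not the S950's or the processor's actual ECC logic.

```c
#include <stdint.h>

enum ecc_result { ECC_OK, ECC_CORRECTED, ECC_UNCORRECTABLE };

static unsigned parity64(uint64_t v) {
    v ^= v >> 32; v ^= v >> 16; v ^= v >> 8;
    v ^= v >> 4;  v ^= v >> 2;  v ^= v >> 1;
    return (unsigned)(v & 1u);
}

/* Codeword positions 1..71: powers of two hold check bits, the rest hold data.
 * Returns the position of data bit i (0..63): 3, 5, 6, 7, 9, ... 71. */
static unsigned data_pos(unsigned i) {
    unsigned pos = i + 1;
    for (unsigned pw = 1; pw <= pos; pw <<= 1) pos++;
    return pos;
}

/* XOR of the positions of all set data bits gives the seven Hamming check bits. */
static uint8_t hamming7(uint64_t d) {
    uint8_t s = 0;
    for (unsigned i = 0; i < 64; i++)
        if ((d >> i) & 1u) s ^= (uint8_t)data_pos(i);
    return s;
}

/* Check byte: bits 0..6 Hamming check bits, bit 7 overall parity. */
uint8_t ecc_encode(uint64_t d) {
    uint8_t s = hamming7(d);
    return (uint8_t)(s | ((parity64(d) ^ parity64(s)) << 7));
}

/* Verifies *d against its stored check byte and repairs a single flipped bit. */
enum ecc_result ecc_decode(uint64_t *d, uint8_t check) {
    uint8_t syn = (uint8_t)(hamming7(*d) ^ (check & 0x7Fu));
    unsigned overall = parity64(*d) ^ parity64(check);
    if (syn == 0 && overall == 0) return ECC_OK;
    if (overall == 0) return ECC_UNCORRECTABLE;          /* even number of flips */
    if ((syn & (syn - 1)) == 0) return ECC_CORRECTED;    /* flip was in the check byte */
    for (unsigned i = 0; i < 64; i++)                    /* syn names the data position */
        if (data_pos(i) == syn) { *d ^= (uint64_t)1 << i; return ECC_CORRECTED; }
    return ECC_UNCORRECTABLE;                            /* syndrome outside 1..71 */
}

int main(void) {
    uint64_t word = 0x0123456789ABCDEFULL, rd = word ^ (1ULL << 40); /* constructed upset */
    uint8_t check = ecc_encode(word);
    return (ecc_decode(&rd, check) == ECC_CORRECTED && rd == word) ? 0 : 1;
}
```

The `ECC_UNCORRECTABLE` result corresponds to the case where the article says the flight software is notified of a multi-bit error.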
