design of a single event effect fault tolerant
play

Design of a Single Event Effect fault tolerant microprocessor for - PowerPoint PPT Presentation

Feb 25, 2024 •384 likes •704 views

Design of a Single Event Effect fault tolerant microprocessor for space using commercial EDA tools Design Automation Conference DAC 2009 Roland Weigand European Space Agency Roland.Weigand[at]esa.int Jean Edelin Atmel Aerospace

  1. Design of a Single Event Effect fault tolerant microprocessor for space using commercial EDA tools Design Automation Conference DAC 2009 Roland Weigand European Space Agency Roland.Weigand[at]esa.int Jean Edelin Atmel Aerospace Jean.Edelin[at]atmel.com Microelectronics Section DAC User Track Slide # July 2009 (1)

  2. Contents ◆ The AT697 SPARC V8 microprocessor ◆ Radiation effects in space components ➙ Total Ionising Dose (TID) and Single Event Effects (SEE) ◆ Mitigation of Single Event Effects ➙ Hardened flip-flops, triple modular redundancy (TMR), glitch filtering ➙ RAM protection by parity and EDAC ◆ STMR: 3 voted flip-flops with 3 phase-skewed clock trees ◆ Impact on design flow ➙ Implementation of STMR in HDL or in netlist ➙ Clock tree synthesis (CTS) ➙ Verification ➙ Timing issues ➙ Scan path ➙ EDA tool issues ◆ Overheads for STMR fault tolerant design Microelectronics Section DAC User Track Slide # July 2009 (2)

  3. The AT697 Microprocessor [1] ◆ SPARC V8 Architecture ➙ LEON2 IP core [2] ➙ IEEE 754 FPU ➙ Max. 100 MHz ◆ PCI 2.2 32-bit 33 MHz ◆ SRAM/SDRAM interface ◆ Radiation tolerance ➙ Parity/EDAC on internal and external memories ➙ Up to 300 kRad total dose ➙ SEU <= 10 -5 error/device/day ➙ Latch-up free (70 MeV*cm 2 /mg) ◆ Power consumption <= 1W ◆ Atmel 180 nm technology [1] ➙ Packages: MCGA 349, QFP 256 Microelectronics Section DAC User Track Slide # July 2009 (3)

  4. Floorplan of the AT697 Microelectronics Section DAC User Track Slide # July 2009 (4)

  5. Radiation effects in space components ◆ Total Ionising Dose (TID) ➙ Defects in the semiconductor lattice, degradation of mobility and V th ➙ Reduced speed, increased leakage current at end-of-life ➙ Mitigation: process, cell layout (guardrings), design margins (derating) ◆ Single Event Effects (SEE) ➙ Electron-hole pair generation by interaction with heavy ions ➙ Glitches when carriers are caught by drain pn-junctions Drawing from: [3] Microelectronics Section DAC User Track Slide # July 2009 (5)

  6. Single Event Effects ◆ Single Event Latchup (SEL) ➙ SEE induced triggering of parasitic thyristors ➙ Mitigation by process and library cell design ◆ Single Event Upset (SEU) in Flip-Flops and SRAM ➙ SEE glitch inside the bistable feedback loop of storage point ➙ Immediate bit flip → loss of information, change of state, functional fault ◆ Single Event Transients (SET) in clocks and resets ➙ Glitches on clocks → change of state, functional fault ➙ Asynchronous resets are clock-like signals ◆ Single Event Transients (SET) in combinatorial logic ➙ SEE glitches in combinatorial logic behave like cross-talk effects ➙ Causes SEU when arriving at flip-flop/memory D-input during clock edge ➙ Sensitivity increases with clock frequency ➙ Synchronous resets are like combinatorial signals Microelectronics Section DAC User Track Slide # July 2009 (6)

  7. Mitigation of SEU in Flip-Flops ◆ Standard synchronous RTL design ◆ SEU hardened flip-flops ◆ Triple Modular Redundancy (TMR) flip-flops Microelectronics Section DAC User Track Slide # July 2009 (7)

  8. Mitigation of combinatorial SET ◆ Triple redundancy of flip-flops and combinatorial logic [4] ◆ Glitch Filtering on all flip-flop inputs [5] (P. Mongkolkachit, Pitsini; Bharat Bhuva, 2003) ◆ STMR: TMR flip-flop with triple skewed clock trees ➙ Selected for the AT697 microprocessor, see next slide... Microelectronics Section DAC User Track Slide # July 2009 (8)

  9. STMR: TMR with triple skewed clock By skewing the clocks, a glitch at D can be latched at most in one of the 3 FF D D3 SET latched into FF1 only D1 D2 SET pulse FF1 FF2 FF3 clock clk Q1 tree 1 clock δ tree 2 Q2 δ clock tree 3 Q3 Triplicated clock tree clk1 Q remains at correct value Majority and skewed clocks clk2 Voter δ ~ SET pulse length Q clk3 Q = (Q1 and Q2) or (Q2 and Q3) or (Q1 and Q3) Microelectronics Section DAC User Track Slide # July 2009 (9)

  10. Impacts on the RTL-GDS design flow ◆ Insertion of STMR into the design ➙ Create TMR flip-flops in RTL or post-synthesis ➙ Generation of triple skewed clock trees ◆ Increased complexity affects the design flow and –results ➙ Increased cell and node count → higher tool runtime (or crashes) ➙ Optimisation is less efficient, higher interconnect delay ◆ Synthesis tools are designed to remove redundancy ➙ Don't use sequential optimisation (register merging, pipelining, retiming) ◆ Timing issues ➙ TMR voters and clock skewing reduces maximum speed ➙ Clock skewing can be removed by hold-time fix ◆ Verification and test issues ➙ TMR and formal verification (1 FF in RTL  3 FF at gate level) ➙ TMR (= redundancy) affects testability in scan testing ➙ Implementation of protection has to be verified at netlist level Microelectronics Section DAC User Track Slide # July 2009 (10)

  11. STMR insertion at RTL or gate level STMR in VHDL STMR at gate level ➙ Clock nets/ports are a vector of 3 bit ➙ Used mainly for third party IP ➙ Use the “two-process” method [6] ➙ Library and tool dependent ➙ Synthesise netlist without TMR -- One process per TMR domain: rx0 : process(clk) begin ➙ Create HDL package with TMR if rising_edge(clk(0)) then r0 <= d; equivalent macro-cells end if; end process; ➙ Edit netlist to triplicate clocks and rx1 : process(clk) begin asynchronous resets if rising_edge(clk(1)) then r1 <= d; sed -e 's/CLK\(.*\) std_logic/CLK\1 end if; end process; std_logic_vector(2 downto 0) /' rx2 : process(clk) begin ➙ Edit netlist replacing every flip-flop by if rising_edge(clk(2)) then r2 <= d; its TMR equivalent end if; end process; sed -e 's/DFF1/DFF1_TMR/' -- Vote outputs sed -e 's/DFF2/DFF2_TMR/' r <= (r0 and r1) or (r0 and r2) or (r1 and r2); ➙ Resynthesise the edited netlist, linking ➙ Synthesis with TMR in one go with the TMR macro-cell package ➙ Disallow register merging ➙ Disallow register merging ➙ Structural verification required ➙ Structural verification required Microelectronics Section DAC User Track Slide # July 2009 (11)

  12. Inserting triple skewed clock/reset trees ◆ Clock Tree Synthesis (CTS) optimises skew inside a clock tree ➙ Need control over the insertion delay ( δ 1 = δ 2 ) ➙ Synthesis of several coherent trees not provided by CTS ➙ Compromise: insert three distinct trees with well adjusted CTS parameters ◆ Delay δ inserted at the origin of the clock trees ➙ Instantiate delay buffers in the VHDL source code for simulation ➙ Model δ at synthesis by set_ideal_latency and set_propagated_clock ➙ Initial value for δ is speculative → control/adjustment in backend process ◆ Combinatorial logic on clock/asynchronous reset ➙ Needs to be triplicated as well Microelectronics Section DAC User Track Slide # July 2009 (12)

  13. Coherent clock trees We need to control the relative clock latency: X X+ δ X+2* δ CTS did not achieve goal → Manual adjustment of delay elements required Microelectronics Section DAC User Track Slide # July 2009 (13)

  14. Mastering skew inside each clock tree Above: δ ~ 800 ps high variance Below: δ ~ 600 ps low variance Microelectronics Section DAC User Track Slide # July 2009 (14)

  15. Verification of STMR ➙ TMR is larger and slower than normal flip-flops » Redundancy removed by logic optimisation (synthesis and back-end) » TMR modified by timing optimisation ➙ Defects in redundant structures do not appear at simulation » TMR simulation “works” even if only two of the three FF are correct ??????????? Microelectronics Section DAC User Track Slide # July 2009 (15)

  16. Verification of STMR ➙ TMR is larger and slower than normal flip-flops » Redundancy removed by logic optimisation (synthesis and back-end) » TMR modified by timing optimisation ➙ Defects in redundant structures do not appear at simulation » TMR simulation “works” even if only two of the three FF are correct ⇒⇒⇒⇒⇒⇒⇒ ➙ Structural and formal verification required » Presence of triple FF, correct wiring of the three clock/reset domains » Parsing the netlist with scripts (grep) » Increasing complexity requires formal verification tools ➙ Timing analysis of clock trees » Measure insertion delay from clock root (PLL) to every flip-flop » Difference between clock arrival and data arrival Microelectronics Section DAC User Track Slide # July 2009 (16)

  17. Structural and Formal Verification ◆ COTS formal verification tools get confused ➙ Netlist contains three FF for one described in RTL ➙ Workarounds: declare equivalence of flip-flops ➙ Script/constraint was provided by tool vendor ◆ Structural verification of TMR ➙ Netlist parsing was used in our project ➙ Formal verification, custom tool developed at ESA [7] ➙ NASA/Mentor: Formal verification for TMR designs [3] ◆ Fault injection ➙ Fault injection by simulation » Example: SST, an SEU simulation tool developed at ESA [8] ➙ Fault emulation by FPGA emulation » Example: FT-Unshades [9] ◆ Radiation Testing ➙ Expensive, and only after manufacturing Microelectronics Section DAC User Track Slide # July 2009 (17)

  18. TMR Timing Issues FF3 d3a t setup q3a d3a FF3 q3a combinat. Voter Voter t prop d2a FF2 q2a logic d2a FF2 q2a δ voter δ voter δ logic d1a FF1 q1a d1a FF1 q1a clk clk1 δ clk2 δ clk3 Cycle Time T >= t prop + δ logic + t setup + δ voter + 2 δ TMR voters and clock skewing reduce operating frequency Microelectronics Section DAC User Track Slide # July 2009 (18)

Recommend

Adaptive Fault Tolerant Systems: Adaptive Fault Tolerant Systems: Reflective Design and

Adaptive Fault Tolerant Systems: Adaptive Fault Tolerant Systems: Reflective Design and

1 Adaptive Fault Tolerant Systems: Adaptive Fault Tolerant Systems: Reflective Design and Validation Reflective Design and Validation Marc-Olivier Killijian Dependable Computing and Fault Tolerance Research Group Toulouse - France 2

865 views • 50 slides
Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault

Lecture 10: Fault Tolerance Fault Tolerant Concurrent Computing The main principles of fault tolerant programming are: Fault Detection - Knowing that a fault exists Fault Recovery - having atomic instructions that can be rolled back in

361 views • 18 slides
4/22/2009 Designing highly available systems Incorporate elements of fault-tolerant design

4/22/2009 Designing highly available systems Incorporate elements of fault-tolerant design

4/22/2009 Designing highly available systems Incorporate elements of fault-tolerant design Replication, TMR Distributed Systems Fully fault tolerant system will offer non-stop availability Clusters You cant achieve this! Problem:

458 views • 11 slides
Fault-tolerant techniques Fault-tolerant techniques What causes component faults? What are the

Fault-tolerant techniques Fault-tolerant techniques What causes component faults? What are the

EDA421/DIT171 - Parallel and Distributed Real-Time Systems, Chalmers/GU, 2011/2012 Lecture #14 Updated May 2, 2012 Fault-tolerant techniques Fault-tolerant techniques What causes component faults? What are the effects if the

374 views • 9 slides
FAULT-TOLERANT CONTROL Is it possible? JAN MACIEJOWSKI Fault- tolerant control. DPS09,

FAULT-TOLERANT CONTROL Is it possible? JAN MACIEJOWSKI Fault- tolerant control. DPS09,

FAULT-TOLERANT CONTROL Is it possible? JAN MACIEJOWSKI Fault- tolerant control. DPS09, Gdask Canonical Control Engineering Problem Disturbance Controlled output Set-point Filter Controller Plant Sensor Noise This problem is

639 views • 29 slides
A Fault-Tolerant Alternative to Lockstep Triple Modular Redundancy Andrew L. Baldwin, BS 09,

A Fault-Tolerant Alternative to Lockstep Triple Modular Redundancy Andrew L. Baldwin, BS 09,

A Fault-Tolerant Alternative to Lockstep Triple Modular Redundancy Andrew L. Baldwin, BS 09, MS 12 W. Robert Daasch, Professor Integrated Circuits Design and Test Laboratory Problem Statement In a fault tolerant system containing

478 views • 35 slides
Fault-Tolerant Subgraph For Single-Source Reachability: General and Optimal Surender Baswana,

Fault-Tolerant Subgraph For Single-Source Reachability: General and Optimal Surender Baswana,

FMC-Properties Main Tools Construction of 2-FTRS Reference Fault-Tolerant Subgraph For Single-Source Reachability: General and Optimal Surender Baswana, Keerti Choudhary, Liam Roditty Presented by: Santhini K A and Sampriti Roy CS18D013

1.46k views • 91 slides
REVIEW OF FAULT TOLERANT TECHNIQUES FOR DIFFERENT TYPES OF GRAPHS BY- HATEM NASSRAT TARAK

REVIEW OF FAULT TOLERANT TECHNIQUES FOR DIFFERENT TYPES OF GRAPHS BY- HATEM NASSRAT TARAK

REVIEW OF FAULT TOLERANT TECHNIQUES FOR DIFFERENT TYPES OF GRAPHS BY- HATEM NASSRAT TARAK SHINGNE Outline General view of Fault Tolerance Ft-Design approaches Trees Meshes &amp; Hypercubes conclusion Introduction Fault

584 views • 44 slides
CS6100: Topics in Design and Analysis of Algorithms Fault Tolerant Consensus CS6100 (Even 2012):

CS6100: Topics in Design and Analysis of Algorithms Fault Tolerant Consensus CS6100 (Even 2012):

CS6100: Topics in Design and Analysis of Algorithms Fault Tolerant Consensus CS6100 (Even 2012): Fault Tolerant Consensus Models Failure Types 1. Clean Crash Failure completely fail 2. (Unclean) Crash Failure fail after some messages

653 views • 16 slides
Overview Introduction and basic concept ECE 753: FAULT-TOLERANT Fault model and fault

Overview Introduction and basic concept ECE 753: FAULT-TOLERANT Fault model and fault

4/1/2014 Overview Introduction and basic concept ECE 753: FAULT-TOLERANT Fault model and fault coverage COMPUTING Checkpointing and backward error recovery (rollback) Kewal K.Saluja General principles General principles

259 views • 3 slides
Kinematic Design of Redundant Robotic Manipulators that are Optimally Fault Tolerant Presented

Kinematic Design of Redundant Robotic Manipulators that are Optimally Fault Tolerant Presented

Introduction Kinematics Fault Tolerance Goal 3R Planar 4R Planar To Spatial 4R Spatial 7R Spatial Conclusions Kinematic Design of Redundant Robotic Manipulators that are Optimally Fault Tolerant Presented by: Khaled M. Ben-Gharbia

1.11k views • 76 slides
Fault-Tolerant Data Collection in Fault-Tolerant Data Collection in Heterogeneous Intelligent

Fault-Tolerant Data Collection in Fault-Tolerant Data Collection in Heterogeneous Intelligent

Fault-Tolerant Data Collection in Fault-Tolerant Data Collection in Heterogeneous Intelligent Monitoring Networks Networks Heterogeneous Intelligent Monitoring Jing Deng Department of Computer Science University of North Carolina at

335 views • 18 slides
IBM zSeries Fault Tolerant Design Lisa Spainhower Technology m ^ September 20, 2001

IBM zSeries Fault Tolerant Design Lisa Spainhower Technology m ^ September 20, 2001

IBM zSeries Fault Tolerant Design Lisa Spainhower Technology m ^ September 20, 2001 Power/Cooling Fault Tolerance N+1 350 volt DC to DC Load Converter AC to DC DC to DC Converter Converter AC input Battery DC to DC Load Converter

131 views • 9 slides
Fault-tolerant design techniques slides made with the collaboration of: Laprie, Kanoon, Romano

Fault-tolerant design techniques slides made with the collaboration of: Laprie, Kanoon, Romano

Fault-tolerant design techniques slides made with the collaboration of: Laprie, Kanoon, Romano Fault Tolerance Key Ingredients Error Processing ERROR PROCESSING Error detection: identification of erroneous state(s) Error diagnosis : damage

1.16k views • 104 slides
Design Optimization of Time- and Cost-Constrained Fault-Tolerant Distributed Embedded Systems

Design Optimization of Time- and Cost-Constrained Fault-Tolerant Distributed Embedded Systems

Design Optimization of Time- and Cost-Constrained Fault-Tolerant Distributed Embedded Systems Viaceslav Izosimov, Paul Pop, Petru Eles, Zebo Peng Embedded Systems Lab (ESLAB) Linkping University, Sweden 1/21 1 of 14 Motivation Faults

408 views • 21 slides
Overview ECE 753: FAULT-TOLERANT Fault Modeling COMPUTING References Introduction

Overview ECE 753: FAULT-TOLERANT Fault Modeling COMPUTING References Introduction

1/21/2014 Overview ECE 753: FAULT-TOLERANT Fault Modeling COMPUTING References Introduction Kewal K.Saluja Kewal K Saluja Fault models at different levels (HW) Department of Electrical and Computer Engineering Error

304 views • 5 slides
Presentation of the paper Proof-of-Execution: Reaching Consensus through Fault-Tolerant

Presentation of the paper Proof-of-Execution: Reaching Consensus through Fault-Tolerant

Presentation of the paper Proof-of-Execution: Reaching Consensus through Fault-Tolerant Speculation Presenter: Haojun (Howard) Zhu Background Due to time-tested safe design of PBFT and due to the limiting designs of other BFT protocols,

536 views • 26 slides
Verification and Validation of a Verification and Validation of a Fault- -Tolerant Architectural

Verification and Validation of a Verification and Validation of a Fault- -Tolerant Architectural

Verification and Validation of a Verification and Validation of a Fault- -Tolerant Architectural Abstraction Tolerant Architectural Abstraction Fault Patrick H. S. Brito - Unicamp, Brazil Rogrio de Lemos - University of Kent, UK Eliane

381 views • 21 slides
Fault Tolerant Computing Coping with errors Steven Janke February 2013 Steven Janke (Seminar)

Fault Tolerant Computing Coping with errors Steven Janke February 2013 Steven Janke (Seminar)

Fault Tolerant Computing Coping with errors Steven Janke February 2013 Steven Janke (Seminar) Fault Tolerant Computing February 2013 1 / 30 Outline Problem: How do you design a computer system to avoid errors? Failure Data for laptops,

608 views • 30 slides
IBM POWER6 Processor and Systems IBM POWER6 Fault-Tolerant Design Presenter: Natalya Kostenko

IBM POWER6 Processor and Systems IBM POWER6 Fault-Tolerant Design Presenter: Natalya Kostenko

IBM POWER6 Processor and Systems IBM POWER6 Fault-Tolerant Design Presenter: Natalya Kostenko WHATS IBM POWER 6 MICROPOCESSOR POWER is a RISC instruction set architecture designed by IBM. (POWER is P erformance O ptimization W ith E

534 views • 21 slides
outline introduction locality in fault-tolerant quantum comp. topological codes &amp;

outline introduction locality in fault-tolerant quantum comp. topological codes &amp;

outline introduction locality in fault-tolerant quantum comp. topological codes &amp; local operations results single-shot error correction self-correction gauge color codes universality via gauge-fixing

687 views • 44 slides
Idealised Fault Tolerant Idealised Fault Tolerant Architectural Element Architectural Element

Idealised Fault Tolerant Idealised Fault Tolerant Architectural Element Architectural Element

Idealised Fault Tolerant Idealised Fault Tolerant Architectural Element Architectural Element Rog rio rio de Lemos de Lemos Rog University of Kent, UK University of Kent, UK Motivation architectural fault tolerance; iFTE

350 views • 16 slides
Fault-Tolerant Distributed Optimization Lili Su, Arun Padakandla, Qiong Hu, Seyyed A. Fatemi,

Fault-Tolerant Distributed Optimization Lili Su, Arun Padakandla, Qiong Hu, Seyyed A. Fatemi,

Fault-Tolerant Distributed Optimization Lili Su, Arun Padakandla, Qiong Hu, Seyyed A. Fatemi, Rehana Mahfuz, Vidyasagar Sadhu CSOI-Data Science Workshop May 27th, 2016 Lili Su et al. (SOI-DSWKSP) Fault-tolerant distributed optimization May

854 views • 6 slides
Distributed Systems 5. Fault Tolerant Systems Fault-Tolerance - 1 Lszl Bszrmnyi

Distributed Systems 5. Fault Tolerant Systems Fault-Tolerance - 1 Lszl Bszrmnyi

Distributed Systems 5. Fault Tolerant Systems Fault-Tolerance - 1 Lszl Bszrmnyi Distributed Systems Fault tolerance A system or a component fails due to a fault Fault tolerance means that the system continues to provide its

428 views • 40 slides

More recommend