TRANSCRIPT
RTL and Synthesis Design Approach to Radiation-Tolerant and Fail-Safe Targeted Applications
Buu Huynh & Roger Do, Mentor Graphics Corp.
BH/RD, MAPLD 2009 – RTL & Synthesis for Rad-Hard & Fail-Safe App, Sep-2009 (slide 2)
Fail-Safe and Radiation Applications Have Comparable Digital Design Challenges

Radiation-Hardened Design
- Corner-case design coverage
- Account for adverse SEE in the radiation environment: voltage supply spikes, clock signal spikes, Single Event Upsets (SEU)
- Fault-tolerant design: detect error conditions, contain the error, recover from the error

Fail-Safe Application Design
- Corner-case design coverage
- Account for the adverse operating environment: voltage supply spikes, multi-clock-domain issues, Soft Error Rates (SER)
- Fault-tolerant design: detect error conditions, contain the error, recover from the error

Indistinguishable design requirements for RTL design code
Meeting Timing Requirements at RTL

Design margin requirements
- Cover corner cases
- Account for adverse effects (e.g. voltage supply, operating temperatures, extreme bandwidth scenarios, etc.)

How does a design margin requirement affect RTL design?

Check for poor RTL code which jeopardizes hardware performance:
- Long logic "snake" paths
- Deep logic nesting
- Combinatorial vs. registered outputs

[Photos: laboratory conditions; environmental chamber testing]
Adverse Conditions Example: Noisy Power Supply Environment

Problem: Noisy power supply environment
- Can cause registers to change state
- Device may lock up

Solution: Implement a global reset in RTL to support a system-initiated device "soft reset" for fault recovery

Code Example:

    status_registers_proc: process (clk, rst_n)
    begin
      if (rst_n = '0') then            -- clear registers to a safe state
        xmitting_reg      <= '0';      -- when global RST is asserted
        done_xmitting_reg <= '0';
        rcving_reg        <= '0';
        done_rcving_reg   <= '0';
      elsif rising_edge(clk) then
        if (xmit_flag = '1') then
          . . .
Adverse Conditions Example: Extreme Environments

Problem: Extreme environment conditions
- Can cause the FSM to enter error states
- Device may lock up

Solution: Use RTL code supporting FSM synthesis which can recover from undefined states*, to support fault recovery

Code Example:

    case current_state is
      when idle =>
        if (rd_req = '1' and pre = '0') then   -- read request & no precharge
          next_state <= READ;
        . . .
      when read =>
        . . .
      when precharge =>
        . . .
      when others =>                           -- other states, including error states
        next_state <= ALARM;                   -- transition to a safe recovery state
    end case;

* Be sure to use the "safe FSM" option in the synthesis tool to keep the FSM error-state recovery transitions from being removed during synthesis optimizations.
Radiation & Fail-Safe Challenge Example: Fault-Tolerant Digital Design

Problem: SEU-induced input errors into control logic
- Incomplete conditional branch code will not resolve in a predictable, controlled behavior
- An undefined conditional input state will resolve in an unknown manner, and can be synthesis-run dependent

Solution: Disallow incomplete case statements

Code Example:

    case altitude_in is
      when GROUND =>
        if (t_minus = FOUR_SEC) then          -- run start sequence
          fuel_valve_cmd_s <= OPEN_SEQ;
        . . .
      when ELV_8K =>                          -- throttle-down
        . . .
      when ELV_40K =>                         -- throttle-up
        . . .
      when others =>                          -- trap error conditions
        fuel_valve_cmd_s <= fuel_valve_cmd_r;
    end case;
Human Factor & Value of Coding Guidelines
- Consistent quality across team members and projects
- Leverages the amassed knowledge base
  - Industry: RMM, RTL Essentials, etc.
  - Your organization: senior engineers, lessons learned from previous programs, etc.

[Diagram: Appraisal & Training / Optimize cycle. "Like having an expert watch over your code"]
Assessing RTL Code Quality

Option 1: Manual HDL code reviews
- Required when design-specific or "topic-expert" knowledge must be applied during code review
- Extremely labor intensive
- Inconsistent and error-prone

Option 2: Automated HDL design checking (linting)
- Enforces a standard quality level per the organization's guidelines
- Standardizes RTL code quality and the design-reuse cost metric
- Reduces RTL synthesis errors
- Rules can be run interactively throughout development
- Results are captured automatically as a process artifact
- Machine checks cannot cover all design guidelines

Option 3: Combination of automated and manual
- Leverages the strengths of both methodologies
Tool Introduction: HDL Designer
A Team Development Environment for Design Assurance

Assurance mandates and how HDL Designer provides the solution:
- RTL Entry & Visualization: 10 editor types including text, graphical, and code generation, plus automated visualization of RTL
- Reuse Assessment: assurance provided with design integrity checks, quality assessment, and automated visualization
- Code Checking: automated scoring based on industry standards or company-defined coding guidelines
- Version Management: synchronizes the design and all associated data, linking to popular version management systems
- Design Reviews: creates a design review website with all design and associated data in an exported HTML directory
- Requirement Tracing: integration with ReqTracer to link the RTL implementation back to requirements
What is Synthesis?

Transformation of HDL code to a gate-level implementation
- RTL code input: VHDL, Verilog, SystemVerilog
- Inferencing and mapping of architectural features
- Structural netlist output

Default operation focuses on logic optimization; fail-safe design considerations must be weighed against performance optimizations.

[Flow diagram: RTL Design → Synthesis → Place & Route → Program Device]
Safe FSM Operation

Radiation may change one bit → invalid state

FSM must be designed with error detection & correction
- Unused/unreachable states are not pruned
- Safe FSM ensures a valid transition to the default state
- FSM implements all possible states

    TYPE fsm_state IS (S0, S1, S2, S3);
    SIGNAL current_state : fsm_state;
    SIGNAL next_state    : fsm_state;
    ...
    IF (RST = '1') THEN current_state <= S0;
    ...
    PROCESS (current_state)
    BEGIN
      CASE current_state IS
        WHEN S0     => next_state <= S1; ...
        WHEN S1     => next_state <= S2; ...
        WHEN S2     => next_state <= S0; ...
        WHEN others => next_state <= S3;
      END CASE;
    END PROCESS;

[State diagram, one-hot encoding: states defined for normal FSM operation S0 (0001), S1 (0010), S2 (0100); S3 (1000) is the default state, defined for error reporting. An invalid state such as ???? (0101) transitions to the default state S3. Reset enters S0.]
Redundancy Methods

Redundancy mitigates the effects of a circuit failure; it uses replication and a voting mechanism. Three methods are available:
1. Combinatorial-Combinatorial (C-C) mapping: combines two combinatorial cells with feedback as opposed to using a flip-flop
2. Triple Module Redundancy (TMR)
3. Triple Module Redundancy & C-C mapping
TMR Example

[Diagram: circuit before TMR; circuit after TMR]
Supports design assurance but produces dramatically larger circuits (goes against optimization goals)!
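A behavioral model of the Safe FSM slide and the TMR slide above, added here as an example and not code from the presentation: it clocks the one-hot FSM (S0..S3 as 0001/0010/0100/1000, S3 the error-reporting default) in Python, flips one state bit to mimic an SEU, and compares an FSM whose others branch was pruned, the safe FSM, and a TMR-protected state register with a 2-of-3 voter. The S3 to S0 restart after error reporting and the cycle in which the upset lands are assumptions of the model.

```python
# Added behavioral model (not from the slides). One-hot codes are from the Safe FSM
# slide; the S3 -> S0 restart after error reporting is an assumption of this model.
S0, S1, S2, S3 = 0b0001, 0b0010, 0b0100, 0b1000
NORMAL_NEXT = {S0: S1, S1: S2, S2: S0, S3: S0}

def next_state_safe(cur):
    """'WHEN others => next_state <= S3': every undefined code goes to the default."""
    return NORMAL_NEXT.get(cur, S3)

def next_state_unsafe(cur):
    """Others branch optimized away: an undefined code has no transition and holds."""
    return NORMAL_NEXT.get(cur, cur)

def seu(state, bit):
    """Single Event Upset: flip one flip-flop of the state register."""
    return state ^ (1 << bit)

def run(next_fn, cycles, upset_at, upset_bit):
    """Clock the FSM from S0, inject one SEU at cycle `upset_at`; return per-cycle state."""
    state, trace = S0, []
    for cyc in range(cycles):
        if cyc == upset_at:
            state = seu(state, upset_bit)
        trace.append(state)
        state = next_fn(state)
    return trace

def vote(a, b, c):
    """Bitwise 2-of-3 majority voter, the TMR voting mechanism."""
    return (a & b) | (a & c) | (b & c)

def run_tmr(next_fn, cycles, upset_at, upset_bit):
    """Three replicas of the state register; downstream logic sees only the voted
    value, so an upset confined to one replica never becomes an invalid state."""
    regs, trace = [S0, S0, S0], []
    for cyc in range(cycles):
        if cyc == upset_at:
            regs[0] = seu(regs[0], upset_bit)   # upset hits replica 0 only
        voted = vote(*regs)
        trace.append(voted)
        regs = [next_fn(voted)] * 3             # all replicas reload from the voted state
    return trace

if __name__ == "__main__":
    for name, trace in (("pruned others", run(next_state_unsafe, 6, 2, 0)),
                        ("safe FSM", run(next_state_safe, 6, 2, 0)),
                        ("TMR + safe", run_tmr(next_state_safe, 6, 2, 0))):
        print(f"{name:14}", [f"{s:04b}" for s in trace])
```

The pruned FSM stays locked in the invalid code 0101 forever, the safe FSM spends one cycle in S3 and resumes, and the TMR register never exposes the invalid code at all, at the cost of three registers plus a voter.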
Tool Introduction: Precision™ Synthesis
Vendor-Independent FPGA Synthesis for Fail-Safe Design

Meet performance requirements
- Mixed-language support for VHDL, Verilog, SystemVerilog, and EDIF
- Advanced logic inferencing & optimization
- Physical synthesis

Design analysis
- Interactive static timing analysis
- Design debugging and cross-probing

Increasing productivity
- Incremental design flows
- Resource management

Fail-safe design considerations
- Safe state machines
- TMR support
- Radiation-hardened device support
- Verifiable results: deterministic netlist for repeatable results

FPGA vendor independent

[Design flow diagram: Requirements, Planning, Concept Design, RTL Design, Synthesis, Place & Route, Program Device, Hardware Debug, Verification]