New Developments in Field Programmable Gate Array (FPGA) Single Event Upsets (SEUs) and Fail-Safe Strategies by Berg, Melanie
Melanie Berg, MEI Technologies in support of NASA/GSFC
Different Aspects of Mitigation: Things to Think about during Presentation
• Detection:
- Watchdog (state or logic monitoring)
- Checking ... Decoding
- Action
• Masking
- Not letting an error propagate to other logic
- Redundancy or checking
- Turn off faulty path
• Correction
- Error state (memory) is changed
- Need feedback
To be presented by Melanie Berg at the Revolutionary Electronics in Space (ReSpace) / Military and
Aerospace Programmable Logic Devices (MAPLD) 2011 Conference, Albuquerque, NM, August 22-25,
2011, and to be published on nepp.nasa.gov website.
https://ntrs.nasa.gov/search.jsp?R=20180001175 2019-08-30T12:32:55+00:00Z
Mitigation Concerns
• Are you reducing error rate?
- Strategy may NOT reduce error rate but reduce system error (Masking)
- Be careful: not all FPGAs have the same Single Event Upset (SEU) error signatures
- Poorly selected/implemented mitigation scheme may increase upset rate instead of decrease
• Accumulation versus Multiple Bit Upsets (MBUs) may need to be handled differently
• Tradeoffs: Is your scheme buying you anything?
- May reduce system error rate at a high cost (area, power, complexity, cost)
- STOP ... Requirements may not need mitigation
- If you can't validate that it meets requirements - then you can't fly it
How Safe is Your Design? 
• Understand the SEU error mode specifics? 
• Are there lock-up conditions in my design? 
• Does your strategy protect the entire critical path? 
• Is the synthesized design fail-safe? 
• Did you mitigate where you expected to mitigate? 
• Can your watch-dog catch failure? 
• Will your recovery scheme work? 
• What are the limitations of your verification strategy?
The list goes on ... Based on error signatures of the target 
FPGA, the designer must keep all points in mind at all stages 
of the design 
Agenda
• Section I: Single Event Effects (SEEs) in Digital Logic
• Section II: Application of the NASA Goddard Radiation Effects and Analysis Group (REAG) FPGA SEU Model
• Section III: Reducing System Error: Common Mitigation Techniques
Break
• Section IV: When Your Mitigation Fails
• Section V: Xilinx V4 and Mitigation
• Section VI: Fail-Safe Strategies
Agenda (First Half)
• Section I: SEEs in Digital Logic
• Section II: Application of the NASA Goddard Radiation REAG FPGA SEU Model
• Section III: Reducing System Error: Common Mitigation Techniques
Van Allen Radiation Belts Have 
Source of Faults: SEEs and Ionizing 
Particles 
• Terrestrial devices are susceptible to faults mostly due to:
- Alpha particles: from packaging and doping and
- Neutrons: caused by Galactic Cosmic Ray (GCR) interactions that enter into the earth's atmosphere.
• Devices expected to operate at higher altitude (Aerospace and Military) are more prone to upsets caused by:
- Heavy Ions: direct ionization
- Protons: secondary effects
Device Penetration of Heavy Ions and Linear Energy Transfer (LET)
• LET characterizes the deposition of charged particles
• Based on average energy loss per unit path length (stopping power)
• Mass is used to normalize LET to the target material
$LET = \frac{1}{\rho}\frac{dE}{dx}$; units: $MeV \cdot cm^2 / mg$
- $\frac{dE}{dx}$: average energy deposited per unit path length
- $\rho$: density of target material
LET vs. SEU Error Cross Section ($\sigma_{SEU}$)
Terminology:
• Flux: Particles/(sec-cm2)
• Fluence: Particles/cm2
• $\sigma_{SEU} = \frac{\#errors}{fluence}$
• The $\sigma_{SEU}$ is calculated at several LET values (particle spectrum)
- LET Threshold ($LET_{th}$) is the point where errors are first observed (on-set)
- LET Saturation ($LET_{SAT}$) is the point where errors stop statistically increasing with LET
[Figure: LET vs. $\sigma_{SEU}$; x-axis: LET (MeV*cm2/mg), 0 to 100; y-axis: $\sigma_{SEU}$, log scale from 1.00E-10 to 1.00E-06; $LET_{th}$ marked]
Single Event Faults and Common 
Terminology 
• Single Event Latch Up (SEL): Device latches in high 
current state 
• Single Event Burnout (SEB): Device draws high 
current and burns out 
• Single Event Gate Rupture (SEGR): Gate destroyed
typically in power MOSFETs
• Single Event Transient (SET): current spike due to 
ionization. Dissipates through bulk 
• Single Event Upset (SEU): transient is caught by a 
memory element 
• Single Event Functional Interrupt (SEFI) - upset 
disrupts function 
Single Event Effects (SEEs) and FPGA 
System Error 
• FPGA SEUs or SETs can occur in: 
- Configuration 
- Combinatorial Logic (including global routes or 
control) 
- Sequential Logic 
- Memory Cells 
Every Device has different Error Responses - We 
must understand the differences and design 
appropriately 
Agenda (First Half)
• Section I: Single Event Effects in Digital Logic
• Section II: Application of the NASA Goddard REAG FPGA SEU Model
- Configuration $\sigma_{SEU}$ ($P_{Configuration}$)
- Functional Data Path $\sigma_{SEU}$ ($P_{functionalLogic}$)
- Microsemi (Actel) ProASIC3 Example
• Section III: Reducing System Error: Common Mitigation Techniques
The NASA Goddard REAG FPGA SEU Model: Top Down Approach
Top Level Model has 3 major categories of $\sigma_{SEU}$:
$P(f_s)_{error} \propto P_{Configuration} + P(f_s)_{functionalLogic} + P_{SEFI}$
- $P(f_s)_{error}$: Design $\sigma_{SEU}$
- $P_{Configuration}$: Configuration $\sigma_{SEU}$
- $P(f_s)_{functionalLogic}$: Functional logic $\sigma_{SEU}$
- $P_{SEFI}$: SEFI $\sigma_{SEU}$
$P(f_s)_{error} \propto P_{Configuration} + P(f_s)_{functionalLogic} + P_{SEFI}$ (term under discussion: $P_{Configuration}$)
Configuration SEU Cross Sections 
Place, Route, and Gate Utilization are Stored in the FPGA Configuration
• Configuration defines: arrangement of pre-existing logic via programmable switches
- Functionality (logic cluster)
- Connectivity (routes)
- Placement
• Programming switch type:
- Antifuse: One Time Programmable (OTP)
- SRAM: Reprogrammable (RP)
- Flash: Reprogrammable (RP)
[Figure labels: I/O connects, routing matrix, programmable switches]
Programmable Switch Implementation and SEU Susceptibility
[Figure: SRAM programmable switch; labels: Data, Q, Programming Bit]
Configuration SEU Test Results and the REAG FPGA SEU Model
[Figure labels: SRAM (non-mitigated); Flash <; Hardened SRAM]
$P(f_s)_{error} \propto P_{Configuration} + P(f_s)_{functionalLogic} + P_{SEFI}$
$P(f_s)_{error} \propto P_{Configuration} + P(f_s)_{functionalLogic} + P_{SEFI}$ (term under discussion: $P(f_s)_{functionalLogic}$)
Functional Data Path SEU Cross 
Sections 
Concepts of Synchronous Design 
Synchronous Design Basic Building Blocks: Combinatorial Logic and Flip-Flops (DFFs)
Combinatorial Logic: Output is a function of the inputs after some delay ($\tau_{dly}$)
$Output = f(input, \tau_{dly})$
DFF: Captures data input at clock edge and is a function of the clock period ($\tau_{clk}$)
$Q = f(D, \tau_{clk})$
[Figure: DFF schematic; labels: D, Q, CLK, CLKB, reset]
Component Libraries: Basic Designer Building Blocks
• Combinatorial logic blocks
- Vary in complexity
- Vary in I/O
• Sequential Memory blocks (Flip-flops or DFFs)
- Uses global Clocks
- Uses global Resets
- May have mitigation
DFFs in a Synchronous Design
[Figure: Clock Tree]
• All DFFs are connected to a clock
• Clock period: $\tau_{clk}$
• Clock frequency: $f_s = \frac{1}{\tau_{clk}}$
DFFs are BOUNDARY POINTS in a synchronous design
Deterministic Data Capture ... Adhering to Setup ($\tau_{su}$) and Hold Time ($\tau_h$) for a DFF
[Figure: data launch from StartPoint at the clock edge; data delay $\tau_{dly}$ through combinatorial logic and routes from StartPoint to EndPoint]
Data capture is deterministic when:
$\tau_{dly} < \tau_{clk} - (\tau_{su} + \tau_{skew} + \tau_{jitter})$
- $\tau_{su}$: setup time
- $\tau_{skew}$: clock skew
- $\tau_{jitter}$: clock jitter
StartPoint DFFs -> EndPoint DFFs: $\tau_{dly}$ and the "Cone of Logic"
[Figure: timing diagram over clock cycles T-1, T, T+1 showing $\tau_{dly}$ and $\tau_{clk}$]
$EndDFF(T) = f(StartDFFs(T-1))$
Signal will arrive at destination by $\tau_{dly}$ ... but it will not be captured until the next clock edge
Synchronous Design Take Away Points
• Basic Blocks: DFFs and Combinatorial logic
• DFFs are boundary points
- For each DFF (EndPoint) there is a backwards trace to StartPoint DFFs
- There is delay between StartPoint DFFs and EndPoint DFFs
• Combinatorial logic
• Routes
• SEU analysis is based on utilized DFFs in a design because a functional data path upset is not an upset unless it is captured by a DFF
The question is ... If an upset occurs will it reach and affect an endpoint DFF?
$P(f_s)_{error} \propto P_{Configuration} + P(f_s)_{functionalLogic} + P_{SEFI}$ (term under discussion: $P(f_s)_{functionalLogic}$)
Functional Data Path SEU Cross 
Sections 
Configuration versus Data Path (Functional Logic) SEUs
• Configuration and Functional logic are separate logic
• Can be implemented with different technologies within one device
• Configuration is static and data paths are not. Requires a different test and analysis approach
This explains why there are separate categories of error:
$P_{Configuration}$ vs. $P_{functionalLogic}$
[Figure labels: "Logic function generation (computation)"; "Captures and holds state of data input at rising edge of clock"; SET]
Data Path Model and DFF Logic Cones
$P(f_s)_{functionalLogic}$
$P(f_s)_{error} \propto P_{Configuration} + P(f_s)_{functionalLogic} + P_{SEFI}$ (term under discussion: $P(f_s)_{functionalLogic}$)
Functional Data Path SEU Cross Sections and Combinatorial Logic Effects (Capturing SETs)
$P(f_s)_{functionalLogic} \propto P(f_s)_{DFFSEU \to SEU} + P(f_s)_{SET \to SEU}$ (term under discussion: $P(f_s)_{SET \to SEU}$)
SETs and a Synchronous System
• Generation ($P_{gen}$)
• Propagation ($P_{prop}$)
• Logic Masking ($P_{logic}$)
• Capture
All components comprise: $P(f_s)_{SET \to SEU}$
SET Generation: $P_{gen}$
• SET generation occurs due to an "off" gate turning "on".
• SET has an amplitude and width ($\tau_{width}$) based on:
- Amount of collected charge (i.e. small LET - small SET)
- The strength of the gate's load
- The strength of its complementary "ON" gate
- The dissipation strength of the process.
Collected charge versus critical charge: $Q_{coll} > Q_{crit}$
$Q_{crit} = C_{node} \cdot V_{node}$
- $C_{node}$: node capacitance
- $V_{node}$: node voltage
SET Propagation to an EndPoint DFF: $P_{prop}$
• In order for the data path SET to become an upset, it must propagate and be captured by its EndPoint DFF
• $P_{prop}$ only pertains to electrical medium (capacitance of path ... combinatorial logic and routing)
- Capacitive SET amplitude reshaping
- Capacitive SET width reshaping
• Small SETs or paths with high capacitance have low $P_{prop}$
• $P_{prop}$ contributes to the non-linearity of $P(f_s)_{SET \to SEU}$ because of the variation in path capacitance
SET Logic Masking: $P_{logic}$
• $P_{logic}$: Probability that a SET can logically propagate through a cone of logic. Based on state of the combinatorial logic gates and their potential masking.
Determining $P_{logic}$ for a complex system can be very difficult
[Figure: Logic 0 masks other data path]
SET Capture at Destination DFF
The transient width ($\tau_{width}$) will be a fraction of the clock period ($\tau_{clk}$) for a synchronous design in a CMOS process.
$P(f_s)_{SET \to SEU} \propto \frac{\tau_{width}}{\tau_{clk}}$
Probability of capture is proportional to the width of the transient as seen from the destination DFF
Data Path Model and Combinatorial Logic SETs
$\sum_{i=1}^{\#CombinatorialCells} P(f_s)_{SET \to SEU(i)} \propto \sum_{i=1}^{\#CombinatorialCells} P_{gen(i)} P_{prop(i)} P_{logic(i)} \tau_{width(i)} f_s$
$< \sum_{i=1}^{\#CombinatorialCells} P_{gen(i)} P_{prop(i)} \tau_{width(i)} f_s$
Upper bound SET: $P_{logic} = 1$
$P(f_s)_{error} \propto P_{Configuration} + P(f_s)_{functionalLogic} + P_{SEFI}$ (term under discussion: $P(f_s)_{functionalLogic}$)
Functional Data Path SEU Cross Sections and DFF Effects (Capturing StartPoint SEUs)
$P(f_s)_{functionalLogic} \propto P(f_s)_{DFFSEU \to SEU} + P(f_s)_{SET \to SEU}$ (term under discussion: $P(f_s)_{DFFSEU \to SEU}$)
Conventional Theory: System Upsets Have a Static Component + Dynamic Component
Composite Cross Section
$P(f_s)_{error} = P_{DFFSEU} + P(f_s)_{SET \to SEU}$
Takes into account upsets from combinatorial logic in DFF data path and the DFF potential for flipping its state
[Figure: x-axis: Frequency]
Does not fully characterize DFF upsets as they pertain to a synchronous system
StartPoint SEUs and a Synchronous System: New Stuff
• Generation ($P_{DFFSEU}$)
• $P_{prop} = 1$ for hard state switch
• Logic Masking ($P_{logic}$)
• Capture
All components comprise: $P(f_s)_{DFFSEU \to SEU}$
Generation of DFF Upsets: $P_{DFFSEU}$
• Probability that a DFF will flip its state
• Can be a hard flip:
- Will not change until the next clock cycle
- Amplitude and width are not affected as with a SET
• Can be a metastable flip
- No real defined state
- Otherwise known as a "weak" state
- Can cause oscillations in the data path
Generation $P_{DFFSEU}$ versus Capture $P(f_s)_{DFFSEU \to SEU}$
• Generation, $P_{DFFSEU}$:
- Probability a StartPoint DFF becomes upset
- Occurs at some point in time within a clock period
- Not frequency dependent
• Capture, $P(f_s)_{DFFSEU \to SEU}$:
- Probability that the StartPoint upset is captured by the endpoint DFF
- Occurs at a clock edge (capture)
- Frequency dependent
Logic Masking DFFs ... $P_{logic}$
• Logic masking for DFF StartPoints is similar to logic masking of combinatorial logic.
• DFF logic masking is generally the point where Triple Modular Redundancy (TMR) is inserted
- $P_{logic} = 0$ for DFFs ... their upsets are masked
- $P_{logic} > 0$ for Voter ... its upsets are not masked
StartPoint SEU Capture Example:
Assume $\tau_{clk}$ = 15ns
[Figure: StartPoint DFFs feeding (A XOR B) AND (C XOR D) into an EndPoint DFF]
If DFF0 flips its state ... $0 < \tau < 5.5$ ns
The upset will get caught ... otherwise it's as if the event never occurred
Percentage of Clock Cycle for SEU Capture:
- Upset is caught within this timeframe
- Fraction of clock period for upset capture
- Upset capture with respect to frequency
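Data Path Upsets and StartPoint DFFs
$\sum_{j=1}^{\#StartPointDFFs} P(f_s)_{DFFSEU \to SEU(j)} \propto \sum_{j=1}^{\#StartPointDFFs} P_{DFFSEU(j)} P_{logic(j)} (1 - \tau_{dly(j)} f_s)$
$< \sum_{j=1}^{\#StartPointDFFs} P_{DFFSEU(j)} (1 - \tau_{dly(j)} f_s)$
$< \sum_{j=1}^{\#StartPointDFFs} P_{DFFSEU(j)}$
$P(f_s)_{functionalLogic}$
Putting it all together:
$P(f_s)_{functionalLogic} \propto P(f_s)_{DFFSEU \to SEU} + P(f_s)_{SET \to SEU}$
- $P(f_s)_{functionalLogic}$: data path upsets
- $P(f_s)_{DFFSEU \to SEU}$: StartPoint DFF SEU capture
- $P(f_s)_{SET \to SEU}$: combinatorial logic SET capture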
NASA REAG FPGA Data Path Functional Logic Susceptibility Model
$P(f_s)_{functionalLogic} \propto P(f_s)_{DFFSEU \to SEU} + P(f_s)_{SET \to SEU}$
$\propto \sum_{j=1}^{\#StartPointDFFs} P_{DFFSEU(j)} (1 - \tau_{dly(j)} f_s) P_{logic(j)} + \sum_{i=1}^{\#CombinatorialCells} P_{gen(i)} P_{prop(i)} P_{logic(i)} \tau_{width(i)} f_s$
NASA REAG FPGA Upper Bound Susceptibility Model
Upper-bound assumes $P_{logic} = 1$ (no mitigation) and NO DFF frequency ($f_s$) dependency
How DFF or Combinatorial Logic Dominance Affects $\sigma_{SEU}$
• Capture percentage of clock period
- $P(f_s)_{DFFSEU \to SEU}$: $(1 - \frac{\tau_{dly}}{\tau_{clk}}) = (1 - \tau_{dly} f_s)$
- $P(f_s)_{SET \to SEU}$: $\frac{\tau_{width}}{\tau_{clk}} = \tau_{width} f_s$
• Combinatorial logic effects
- $P(f_s)_{DFFSEU \to SEU}$: increase in combinatorial logic increases $\tau_{dly}$ and decreases $\sigma_{SEU}$
- $P(f_s)_{SET \to SEU}$: increase in combinatorial logic increases $P_{gen}$ and increases $\sigma_{SEU}$
Which String Would You Expect to Have a Higher SEU Cross Section? WSR0 or WSR8
[Figure: StartPoint DFF to EndPoint DFF; combinatorial logic: inverters]
You can't answer the question until you understand the relative $\sigma_{SEU}$ contribution of DFFs to Combinatorial Logic ...
Is there Logic Mitigation?
NASA REAG Models + Heavy Ion Data: ProASIC3
Background: Microsemi (Actel) ProASIC3 Flash Based FPGA
• Originally a commercial device
• Configuration is flash based and has proven to be almost immune to SEUs
• No embedded mitigation in device
• Evaluation of user mitigation insertion has been performed
[Figure: flash cell cross-section; labels: control gate (poly silicon), floating gate (poly silicon), tunnel oxide (100A SiO2)]
Testing Combinatorial Logic Contributions to SEU Cross-Sections: Shift Registers
Actel ProASIC3 Shift Register Study
• Shift Register Functional Logic Designs Under Test:
- Six WSR strings with various levels of combinatorial logic
$P(f_s)_{error} \propto P_{Configuration} + P(f_s)_{functionalLogic} + P_{SEFI}$
$\propto \left( P(f_s)_{DFFSEU \to SEU} + \sum_{i=1}^{\#Inverters} P(f_s)_{SET \to SEU(i)} \right)$
ProASIC3: Which String Would You Expect to Have a Higher SEU Cross Section? WSR0 or WSR8
[Figure: Startpoint DFF to Endpoint DFF; WSR0: $\tau_{dly}$ = 1 ns]
If the DFFs are not mitigated they will have the dominant $\sigma_{SEU}$
$\sigma_{SEU} \propto (1 - \tau_{dly} f_s)$: $\sigma_{SEU}$ is inversely proportional to $\tau_{dly}$
$\sigma_{SEU}$ WSR0 > $\sigma_{SEU}$ WSR8
$\sigma_{SEU}$ Test Results: Windowed Shift Registers (WSRs) No-TMR
• No Mitigation: $\sigma_{SEU}$ WSR0 > $\sigma_{SEU}$ WSR8 for every LET
Agenda (First Half)
• Section I: Single Event Effects in Digital Logic
• Section II: Application of the NASA Goddard Radiation Effects and Analysis Group (REAG) FPGA SEU Model
• Section III: Reducing System Error: Common Mitigation Techniques
- Triple Modular Redundancy (TMR)
- Embedded RHBD
Example: TMR Mitigation Schemes will use Majority Voting
$MajorityVoter = I1 \wedge I2 + I0 \wedge I2 + I0 \wedge I1$
I0 I1 I2 Majority Voter
0  0  0  0
0  0  1  0
0  1  0  0
0  1  1  1
1  0  0  0
1  0  1  1
1  1  0  1
1  1  1  1
TMR: Correction vs Masking
• TMR with feedback will correct an error
• TMR with no feedback will mask an error
- May not buy you anything if a large amount of circuitry has no correction capability
- Triple the circuitry without correction:
• triples the upset rate
• may end up with the same upset rate using this scheme
[Figure: triplicated copies (Copy 1, ...) feeding a voter with no feedback: can only mask errors]
• Need feedback to correct
• 3x the error rate with triplication and no correction
• Generally can not apply internal correction from voted outputs
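The masking versus correction distinction above, as an added example that is not part of the original presentation: a triplicated 1-bit hold register is run with and without voter feedback against constructed upset schedules. The register model, the cycle counts and the upset lists are assumptions made for illustration; only the voter equation comes from the slides.

```python
# Added example: TMR register with and without voter feedback.
# The upset schedules below are constructed inputs, not test data.
from itertools import product


def majority(i0, i1, i2):
    """Majority voter from the slide: I1&I2 + I0&I2 + I0&I1."""
    return (i1 & i2) | (i0 & i2) | (i0 & i1)


def truth_table():
    """All eight voter input combinations, in the slide's row order."""
    return [(a, b, c, majority(a, b, c)) for a, b, c in product((0, 1), repeat=3)]


def run_tmr(cycles, upsets, feedback, good=1):
    """Simulate three copies of a register that should hold `good`.

    upsets:   iterable of (cycle, copy_index) SEU strikes.
    feedback: True  -> every copy reloads the voted value at each clock
                       edge (correction).
              False -> every copy reloads its own output (masking only).
    Returns (voted output per cycle, first cycle with a wrong voted
    output or None if the voter never fails).
    """
    strikes = {}
    for cycle, copy in upsets:
        strikes.setdefault(cycle, []).append(copy)

    copies = [good, good, good]
    outputs, first_error = [], None
    for cycle in range(cycles):
        # Clock edge: with feedback the voted value overwrites all copies,
        # so a single upset from the previous cycle is scrubbed here.
        if feedback:
            copies = [majority(*copies)] * 3
        # SEUs that strike during this cycle flip the stored bit.
        for copy in strikes.get(cycle, []):
            copies[copy] ^= 1
        voted = majority(*copies)
        outputs.append(voted)
        if voted != good and first_error is None:
            first_error = cycle
    return outputs, first_error


# Two single upsets in different copies, four cycles apart (accumulation).
ACCUMULATED = [(3, 0), (7, 1)]
# Two copies hit within the same cycle (multiple-bit style event).
SAME_CYCLE = [(5, 0), (5, 1)]

if __name__ == "__main__":
    for label, schedule in (("accumulated", ACCUMULATED), ("same cycle", SAME_CYCLE)):
        for feedback in (False, True):
            outputs, first_error = run_tmr(10, schedule, feedback)
            mode = "feedback" if feedback else "no feedback"
            print(f"{label:12s} {mode:12s} outputs={outputs} first_error={first_error}")
```

Without feedback the first upset is masked but stays in place, so the second one defeats the voter; with feedback the same schedule never produces a wrong output, while two strikes inside one cycle defeat both variants.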
Local Triple Modular Redundancy (LTMR): Only DFFs
Voter + Feedback = Correction
$P(f_s)_{error} \propto P_{Configuration} + P(f_s)_{functionalLogic} + P_{SEFI}$
$P(f_s)_{functionalLogic}$: $P(f_s)_{DFFSEU \to SEU} + P(f_s)_{SET \to SEU}$
ProASIC3 LTMR Shift Register Data Path Model
$\propto \left( \sum_{j=1}^{\#StartPointDFFs} P(f_s)_{DFFSEU \to SEU(j)} + \sum_{i=1}^{\#CombinatorialLogicGates} P(f_s)_{SET \to SEU(i)} \right)$
LTMR: $P_{logic} = 0$
$\propto \left( \underbrace{P(f_s)_{DFFSEU \to SEU}}_{P_{logic} = 0} + \sum_{i=1}^{\#CombinatorialLogicGates} P(f_s)_{SET \to SEU(i)} \right)$
$\sum_{i=1}^{\#CombinatorialLogicGates} P(f_s)_{SET \to SEU(i)} \propto \sum_{i=1}^{\#CombinatorialLogicGates} P_{gen(i)} P_{prop(i)} P_{logic(i)} \tau_{width(i)} f_s$
As we increase #combinatorial logic gates we increase $\sigma_{SEU}$
Hence for LTMR (disregarding $P_{prop}$), $\sigma_{SEU}$ WSR8 > $\sigma_{SEU}$ WSR0
$\sigma_{SEU}$ Test Results: Windowed Shift Registers (WSRs) No-TMR versus TMR
• LTMR is effective and has reduced $P_{DFFSEU}$
• LTMR: SEU cross sections WSR0 < WSR8 for every LET
No-TMR vs. LTMR: Combinatorial Logic Effects
• Significant circuit type
- No-TMR: StartPoint DFF (sequential): SEU capture
- LTMR: Combinatorial: SET capture
• Significant model component
- No-TMR: $P_{DFFSEU} (1 - \tau_{dly} f_s)$
- LTMR: $P_{gen} P_{prop} \tau_{width} f_s$
• Error type
- No-TMR: One-sided function
- LTMR: Two-sided function
• $\sigma_{SEU}$ WSR8 vs. $\sigma_{SEU}$ WSR0
- No-TMR: $\sigma_{SEU}$ WSR8 < $\sigma_{SEU}$ WSR0
- LTMR: $\sigma_{SEU}$ WSR8 > $\sigma_{SEU}$ WSR0
• Relative $\sigma_{SEU}$ reasoning
- No-TMR: WSR8 has more combinatorial logic and more $\tau_{dly}$ between DFFs ...
- LTMR: WSR8 has more combinatorial logic and has more opportunity for SET generation
No-TMR vs. LTMR: Frequency Effects
• The same reasoning as $\tau_{dly}$ can be used for frequency
• No-TMR:
- Inverse relationship to frequency: $P_{DFFSEU} (1 - \tau_{dly} f_s)$
- Increase frequency: decrease $\sigma_{SEU}$
• LTMR
- Direct relationship to frequency: $P_{gen} P_{prop} \tau_{width} f_s$
- Increase frequency: increase $\sigma_{SEU}$
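The functional-logic model evaluated for WSR0 and WSR8, as an added example that is not part of the original presentation; it reproduces the ordering reversal between No-TMR and LTMR and the opposite frequency trends. Every numeric parameter is constructed for illustration except $\tau_{dly}$ = 1 ns for WSR0, which appears on the slide; counting one voter as an unmasked combinatorial cell under LTMR and ignoring its added delay are also assumptions. The results are relative quantities, since the model is a proportionality.

```python
# Added example: relative evaluation of
#   P(fs)_functionalLogic ~ sum P_DFFSEU*(1 - tau_dly*fs)*P_logic
#                         + sum P_gen*P_prop*P_logic*tau_width*fs
# for one StartPoint/EndPoint DFF pair of each shift-register string.
from dataclasses import dataclass


@dataclass(frozen=True)
class WsrString:
    name: str
    inverters: int   # combinatorial cells between StartPoint and EndPoint DFF
    t_dly: float     # StartPoint -> EndPoint delay tau_dly, in seconds


WSR0 = WsrString("WSR0", inverters=0, t_dly=1e-9)   # tau_dly from the slide
WSR8 = WsrString("WSR8", inverters=8, t_dly=5e-9)   # assumed delay

# Constructed parameters (not measured values).
P_DFFSEU = 1e-7     # probability a StartPoint DFF flips
P_GEN = 1e-9        # SET generation probability per combinatorial cell
P_PROP = 1.0        # SET propagation probability
T_WIDTH = 0.5e-9    # SET width tau_width, seconds
T_MARGIN = 0.5e-9   # tau_su + tau_skew + tau_jitter, seconds
VOTER_CELLS = 1     # LTMR voter counted as one unmasked cell (assumption)


def timing_ok(s, fs):
    """Deterministic capture: tau_dly < tau_clk - (tau_su + tau_skew + tau_jitter)."""
    return s.t_dly < 1.0 / fs - T_MARGIN


def dff_capture(s, fs, p_logic):
    """StartPoint DFF SEU captured at the EndPoint: P_DFFSEU*(1 - tau_dly*fs)*P_logic."""
    return P_DFFSEU * (1.0 - s.t_dly * fs) * p_logic


def set_capture(cells, fs, p_logic=1.0):
    """Sum over identical cells of P_gen*P_prop*P_logic*tau_width*fs."""
    return cells * P_GEN * P_PROP * p_logic * T_WIDTH * fs


def functional_logic(s, fs, ltmr=False):
    """Relative functional-logic susceptibility of one stage at clock rate fs (Hz)."""
    if not timing_ok(s, fs):
        # Outside the synchronous timing budget the capture fraction
        # (1 - tau_dly*fs) no longer describes the design.
        raise ValueError(f"{s.name} violates the setup constraint at {fs:.3g} Hz")
    if ltmr:
        # LTMR masks StartPoint DFF upsets (P_logic = 0); SETs from the
        # data path and from the voter are still captured.
        return dff_capture(s, fs, p_logic=0.0) + set_capture(s.inverters + VOTER_CELLS, fs)
    return dff_capture(s, fs, p_logic=1.0) + set_capture(s.inverters, fs)


if __name__ == "__main__":
    for fs in (50e6, 100e6):
        for ltmr in (False, True):
            mode = "LTMR" if ltmr else "No-TMR"
            row = ", ".join(
                f"{s.name}={functional_logic(s, fs, ltmr):.3e}" for s in (WSR0, WSR8)
            )
            print(f"{fs / 1e6:5.0f} MHz {mode:7s} {row}")
```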
Distributed Triple Modular Redundancy (DTMR): DFFs + Data Paths
All DFFs with Feedback have Voters
$P(f_s)_{error} \propto P_{Configuration} + P(f_s)_{functionalLogic} + P_{SEFI}$
- $P(f_s)_{functionalLogic}$: Low (components: Low)
- $P_{SEFI}$: Minimally Lowered
Global Triple Modular Redundancy (GTMR): DFFs + Data Paths + Global Routes
All DFFs with Feedback have Voters
$P(f_s)_{error} \propto P_{Configuration} + P(f_s)_{functionalLogic} + P_{SEFI}$
- $P(f_s)_{functionalLogic}$: Low (components: Low, Low)
- $P_{SEFI}$: Lowered
GTMR Proves To Be A Great Mitigation Strategy ... BUT ...
• Triplicating a design and its global routes takes up a lot of power and area
• Generally performed after synthesis by a tool - not part of RTL
• Difficult to verify
• Does the FPGA contain enough low skew clock trees? (each clock + its synchronized reset) x 3
Agenda (First Half)
• Section I: Single Event Effects in Digital Logic
• Section II: Application of the NASA Goddard Radiation Effects and Analysis Group (REAG) FPGA SEU Model
• Section III: Reducing System Error: Common Mitigation Techniques
- Triple Modular Redundancy
- Embedded RHBD
• Section IV: When Your Mitigation Fails
• Section V: Xilinx V4
• Section VI: Fail-Safe Strategies
DFF with Embedded LTMR: Microsemi (Actel) RTAXs Family of FPGA
• Localized (only at DFF)
• Microsemi uses Wired "OR" approach to voting - no SETs on voters
DFF with Embedded Dual Interlock Cell (DICE): Aeroflex Eclipse FPGA
• Uses a Dual Redundancy Scheme instead of LTMR
• Single nodes can become upset but their partner node will pull the output in the correct direction
Embedded Temporal Redundancy (TR): SET Filtration
• Temporal Filter placed directly before DFF
• Localized scheme that reduces SET capture
• Delays must be well controlled. FPGA designers should not implement - best if embedded
• Maximum clock frequency is reduced by the amount of new delay
[Figure: Combinatorial logic, Temporal Redundancy, DFF]
Combining Embedded Schemes 
• Some Radiation Hardened by Design (RHBD) schemes 
combine embedded temporal redundancy with localized 
redundant latches: 
- TR+LTMR 
- TR+DICE 
• New Xilinx RHBD FPGA (Virtex 5QV) has embedded 
TR+DICE 
Low
$$P(fs)_{error} \propto P_{configuration} + P(fs)_{functionalLogic} + P_{SEFI}$$
Low, Lowered
$$P(fs)_{DFFSEU \rightarrow SEU} + P(fs)_{SET \rightarrow SEU}$$
RHBD for Global Routes 
• Many RH FPGAs contain 
hardened clock trees and 
other global routes 
• Global structures are 
generally hardened by using 
larger buffers 
• TR will not work on a global
network (signal integrity,
skew balancing, speed and
area would be significantly
affected)
[Figure: Clock Tree]
Break! 
10 minutes 
Agenda 
• Section I: Single Event Effects in Digital Logic 
• Section II: Application of the NASA Goddard 
Radiation Effects and Analysis Group (REAG) FPGA 
SEU Model 
• Section III: Reducing System Error: Common
Mitigation Techniques
• Break
• Section IV: When Your Mitigation Fails 
• Section V: Xilinx V4 and Mitigation 
• Section VI: Fail-Safe Strategies 
Agenda (Second Half)
• Section III: When Your Mitigation
Fails
• Section V: Xilinx V4 and Mitigation Strategies
• Section VI: Fail-Safe Strategies
LTMR Failure
• Shared Data Path
into DFFs
• Voters can upset 
• Global routes 
• Global routes 
• Domain placement 
- possible for domains to share common routing matrix 
- Hit to shared routing matrix can take out two domains
• Domain placement 
- possible for domains to share common routing matrix 
- Hit to shared routing matrix can take out two domains 
• Clock Skew
• Asynchronous clock domain crossings need additional 
voter insertion - tools don't auto handle 
TR Failures
[Figure: Temporal Filtering. Narrow SETs: No overlap. Wide SETs: Overlap.]
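Added example (not from the original slides): a discrete-time model of the temporal filter from the SET Filtration and TR Failures slides, showing that a SET narrower than the filter delay is voted out while a wider one overlaps its delayed copies and reaches the DFF. The delay-and-vote structure (copies at 0, d and 2d into a majority voter), the tick values and all function names are assumptions, since the slides do not give the circuit.

```python
# Added illustration, not from the slides. Assumed filter structure: the data
# line and copies delayed by d and 2d ticks feed a majority voter before the DFF.

def majority(a, b, c):
    return (a & b) | (a & c) | (b & c)

def make_set(length, start, width):
    """Constructed input: a line held at 0 with one transient of `width` ticks."""
    return [1 if start <= t < start + width else 0 for t in range(length)]

def temporal_filter(signal, delay):
    """Vote the signal against copies of itself delayed by d and 2d ticks."""
    def at(t):
        return signal[t] if t >= 0 else signal[0]
    return [majority(at(t), at(t - delay), at(t - 2 * delay))
            for t in range(len(signal))]

def widest_pulse(signal):
    """Longest run of 1s: the glitch a downstream DFF could still capture."""
    best = run = 0
    for bit in signal:
        run = run + 1 if bit else 0
        best = max(best, run)
    return best

def sweep(delay, widths, length=200, start=20):
    """Map each SET width to the widest glitch that survives the filter."""
    return {w: widest_pulse(temporal_filter(make_set(length, start, w), delay))
            for w in widths}

def added_latency(delay, length=200, start=20):
    """Ticks by which the filter postpones a legitimate 0->1 data transition."""
    step = [1 if t >= start else 0 for t in range(length)]
    return temporal_filter(step, delay).index(1) - start

if __name__ == "__main__":
    DELAY = 10  # filter delay in ticks (constructed value)
    for width, out in sweep(DELAY, [2, 5, 10, 11, 15, 25]).items():
        verdict = "filtered" if out == 0 else f"passes, {out} ticks wide"
        print(f"SET width {width:>2}, delay {DELAY}: {verdict}")
    print("data path delay added:", added_latency(DELAY), "ticks")
```

In this model a SET passes as soon as its width exceeds the delay, so a longer delay filters more transients but adds the same amount to the data path, which is the clock-frequency cost the slide mentions.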
DICE Susceptibility 
• One particle strike can take out 2 nodes and break 
Dice 
- Source: "Radiation Hard by Design at 90nm"; Warren Snapp et al., MRQW
December 2008
[Figure: Minimum spaced DICE flip flop (lines show critical node)]
[Figure: Multiple bit upset ion strike simplified geometric model]
DICE Susceptibility 
Agenda (Second Half) 
• Section III: When Your Mitigation Fails
• Section V: Xilinx V4 and Mitigation 
Strategies 
• Section VI: Fail-Safe Strategies 
General Xilinx Virtex 4 FPGA 
Architecture 
[Figure label: Functional Logic]
Xilinx SX55: Radiation Test Data
• Xilinx Consortium: VIRTEX-4VQ STATIC SEU CHARACTERIZATION SUMMARY: April 2008

                                   Probability           Error Rate                 LEO                    GEO
                                                                                    (Upsets/device-day)    (Upsets/device-day)
Configuration Memory: XQR4VSX55    $P_{configuration}$   $dE_{configuration}/dt$    7.43                   4.2
Combined SEFIs per device          $P_{SEFI}$            $dE_{SEFI}/dt$             $7.5 \times 10^{-5}$   $2.7 \times 10^{-5}$

For non-mitigated designs the most significant upset factor
is: $P_{configuration}$
Because $P_{configuration}$ is Dominant, Use
XTMR (also known as GTMR) for
Critical Applications
How does XTMR affect resource utilization?
Predicting Available Resources after 
XTMR Insertion 
• Goal: Determine how many devices 
are required to implement design after 
XTMR insertion
• Because of mapping ... not as much 
room as you think ... 
• Check project FPGA maximum 
capacity requirements (usually 80% to 
90%) of device 
Xilinx V4 Takeaway Points 
• Can be used in non-critical missions without any 
mitigation
- Upset rates in the order of days
- Will need to be reconfigured periodically
- Watchdog required
- Great for non-critical data processing
• Can be used in a critical path (beware of SEFIs) with
mitigation
- Utilize mitigation tools from a proven vendor, otherwise:
• Design may break after GTMR (XTMR) insertion
• Mitigation may not be placed where expected 
- Upset rates are extremely low 
Agenda (Second Half) 
• Section III: When Your Mitigation Fails
• Section V: Xilinx V4 and Mitigation Strategies 
• Section VI: Fail-Safe Strategies 
How Safe is Your Design? 
• Understand the SEU error mode specifics? 
• Are there lock-up conditions in my design? 
• Does your strategy protect the entire critical path? 
• Is the synthesized design fail-safe? 
• Did you mitigate where you expected to mitigate? 
• Can your watch-dog catch failure? 
• Will your recovery scheme work? 
• What are the limitations of your verification strategy? 
The list goes on... Based on error signatures of the target
FPGA, the designer must keep all points in mind at all stages 
of the design 
Conclusion 
• Understand the device's error signatures and upset rates before
mitigation is implemented
• Not all designs are critical and may not need mitigation
• Be aware when correction is necessary:
- Make sure you are correcting your state
- Masking without correction can incur error accumulation and
eventually break
• Detection circuits don't generally have redundancy and can be
susceptible - make sure they are not making your design more
susceptible (e.g. state machines)
• Perform proper trade studies to determine the type of mitigation 
necessary to meet requirements: 
- Upset rates 
- Area+Power 
- Complexity ... completion and verification with time specified 
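Added example (not part of the original presentation): a small simulation of the conclusion's point that masking without correction accumulates errors, using a triplicated register with and without voter feedback; it also runs a same-cycle double upset to show a case that correction does not cover. The register value, upset schedules and function names are constructed for illustration.

```python
# Added illustration, not from the slides: a TMR-protected register simulated
# with and without voter feedback. Upset schedules are constructed inputs.

GOOD = 0xA5  # value the register is supposed to hold (constructed)

def vote(copies):
    """Bitwise 2-of-3 majority over the three register copies."""
    a, b, c = copies
    return (a & b) | (a & c) | (b & c)

def run_tmr(upsets, cycles, feedback):
    """Clock three copies of a register for `cycles` cycles.

    upsets: list of (cycle, copy_index, bit_index) single-bit flips.
    feedback=True reloads every copy from the voter each clock (correction);
    feedback=False lets each copy keep its own state (masking only).
    Returns (first cycle whose voted output is wrong, or None; final copies).
    """
    copies = [GOOD, GOOD, GOOD]
    first_bad = None
    for cycle in range(cycles):
        for when, idx, bit in upsets:
            if when == cycle:
                copies[idx] ^= 1 << bit
        voted = vote(copies)
        if first_bad is None and voted != GOOD:
            first_bad = cycle
        if feedback:
            copies = [voted] * 3
    return first_bad, copies

# Two single upsets, seven clocks apart, hitting the same bit of two copies.
ACCUMULATION = [(5, 0, 3), (12, 1, 3)]
# One strike flipping the same bit in two copies in the same clock (MBU).
MBU = [(7, 0, 3), (7, 1, 3)]

if __name__ == "__main__":
    for name, schedule in (("accumulation", ACCUMULATION), ("MBU", MBU)):
        for feedback in (False, True):
            bad, final = run_tmr(schedule, 20, feedback)
            mode = "mask+correct" if feedback else "mask only"
            print(f"{name:<12} {mode:<12} first bad cycle: {bad}, "
                  f"copies: {[hex(c) for c in final]}")
```

With feedback the two separated upsets never reach the output, while the same-cycle pair defeats the voter and the feedback then writes the wrong value into all three copies.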