Smart transducer interfaces are promising technologies for the next generation safety-critical avionics applications. In this paper we present two fault tolerant smart transducer interface architectures based on the IEEE 1451 standard. FPGA is the hardware platform that has been selected for the development of the proposed architectures. The first interface architecture is a single-chip solution while the second one is dual-chip. Reliability and safety analysis for both architectures is also carried out. A special attention is paid to the description of the single-chip interface implementation using the Spartan-6 LX45T Xilinx FPGA. The resulting prototype is used to validate fault tolerance mechanisms and real-time performance of the singlechip interface.
Introduction
An increasing number of sensing and actuation devices are needed in modern aircrafts in order to provide a variety of functions for aircrafts monitoring and control. Diverse communication networks have been adopted in new avionic systems to support data transfers while ensuring very high communication bandwidth and reducing bulky wiring bundles. Moreover, transducers interfaces equipped with processing and computing capabilities are increasingly needed to provide multiple functions and services in distributed avionic environments. Integrating a wide range of sensing and actuation elements in a heterogeneous network environment raises serious challenges requiring the standardization of transducer interfaces in avionics systems. One of the viable solutions for these problems is the adoption of the IEEE 1451 [1] standard in the development of smart transducers interfaces for the next generation avionics systems.
Another important aspect for safety-critical avionics systems is that smart transducers interfaces must respect strict constraints to meet high reliability requirements imposed by regulations and standards. Generally, system level hardware redundancy is the solution for designing reliable and fault tolerant systems. However, this solution may lead to a higher complexity, size, weight, and power consumption. Moreover, in a distributed environment where smart transducers interfaces are deployed close to the sensing and actuation elements, hardware redundancy-based fault tolerance complicates fault diagnosis and isolation [2] . Thus, smart transducer interfaces with embedded fault detection and diagnosis capabilities are needed to achieve fault tolerance with minimum hardware and to guarantee effective redundancy management.
In this paper we investigate the issue of fault tolerance for two smart transducers interface architectures based on FPGA platforms. These architectures are defined using the IEEE1451.0 standard and they integrate several fault tolerance techniques that strengthen the reliability and safety attributes of the interface. The first architecture consists in a fault tolerant single-chip design that targets a single FPGA platform. A core-level redundancy and an online testing mechanism ensure detection, diagnosis and recovery from faults. The second architecture is based on a dual-chip design configured according to the well-known COM/MON concept [3, 4] . This interface is built by coupling two FPGA chips in a manner which ensure that only valid messages are delivered through the interface output. Both architectures can handle transient and permanent faults. The proposed interface has been designed to be as generic as possible in order to support a wide range of transducers that could be deployed in several avionics safety-critical applications such as flight control systems (FCSs), electric braking systems (EBSs) and air data systems (ADSs). The proposed single-chip transducer interface has been implemented and validated using the Spartan-6 LX45T Xilinx FPGA platform.
2E4-2
The rest of the paper is organized as follows. The first section presents pertinent previous research works. The second section presents a reliability and safety analysis of the proposed architectures and makes a comparison between both designs in order to characterize their advantages and limitations. The third section presents the implementation of the single-chip based architecture and summarizes the validation tests that have been applied to the resulting prototype. Finally, concluding remarks summarize the main results of this work.
Related Works
The concept of remote data concentrators (RDCs) has recently been introduced in avionics industry and has been applied in many new aircrafts, such as Airbus 380, Boeing 787, and Airbus 350. RDCs are distributed in the aircraft and their role consists in transferring transducers data to the central processing resources through digital avionic networks and busses. Current research efforts such as IMA2G [5, 6] aim to define the next generation of integrated modular avionics. In IMA2G, RDCs are no longer passive, but they are smart units that are able to provide a variety of functions and to participate in making decisions in a distributed avionic context. Among the most important of these services are the ones dealing with detection, diagnosis of faults that occur in the transducers and in the interface electronics. Such capabilities are fundamental especially when designing reliable and safe smart transducer interfaces.
Some fault tolerant smart transducer interface architectures for safety-critical avionics applications are reported in the literature. The authors of [7] have proposed an architecture for a distributed flight control system. In that proposed architecture, some functions usually performed by flight control computers (FCCs) are supported by intelligent transducer nodes that are deployed close to the actuation and sensing elements. Each transducer node is based on a single microcontroller that ensures fault detection mainly through double execution of tasks. The authors of [9] proposed a remote concentration system for an integrated modular avionics system. The system is composed of multiple remote data concentrators. Two configurations are suggested for the RDCs architecture: either it is single-channel (one microcontroller) or dual-channel (two microcontrollers). In the latter configuration, fault detection and isolation are ensured through cross-comparison and validation. The authors claim that RDCs are preferably dual-channel to provide the desired fail-safe performances.
Multiple VLSI technologies could be used to develop fault tolerant smart sensor interfaces (e.g. MCU, ASIC, FPGA). In the case of single-chip smart transducer interfaces based on a microcontroller, additional software such as redundant execution, selftest programs, watchdog timers, are needed to tolerate faults. In recent years, some semiconductor manufacturers have developed fault tolerant microcontrollers for safety critical applications that are based on a hardware modular redundancy [10] . This technique consists in aggregating multiple CPU cores in redundant lockstep pair(s). The aim of these solutions is to enhance availability, and to provide efficient and fast fault detection mechanisms. Similar techniques have been used to design fault tolerant FPGAs. Since the focus of this paper is the evaluation of FPGA-based smart sensor interfaces, fault tolerance mechanisms implemented in this kind of integrated circuit will be discussed more in detail in the next section.
IEEE 1451 Standard
The smart transducer interfaces presented and investigated in this paper are based on the IEEE 1451 standard [1] . Essential features of this standard are first reviewed before proposing our robust interface architectures. The goal of this standard is the 2E4-3 description of a set of open, common, networkindependent communication interfaces that facilitate the communication and control of smart transducers. According to IEEE 1451, the role of a smart transducer interface is not limited to the transfer of data through a communication network, but also includes the execution of several control functions such as data correction and validation, closed loop control, fault detection and isolation, etc. One of the most important features of the IEEE 1451 standard is the transducer electronic data sheet (TEDS). TEDS are nonvolatile memory, located in the transducer interface, used for storing transducer identification, calibration coefficients, correction data, measurement range, and manufacture-related information. This feature enhances the flexibility and the plug-and-play capability of the transducer. The IEEE 1451 family of standards defines a network of smart transducers that is composed of several Transducer Interface Modules (TIMs) and one Network Capable Application Processor (NCAP). TIM can be used for controlling one or more sensing and actuation elements. TIMs are connected through a field bus to the NCAP, which acts as a gateway between the secondary network and the main network.
The IEEE 1451 family of standards have been mainly developed during the last decade. Initially, they were not defined for safety critical applications. As this is our target class of applications, fault tolerance aspects of this standard family have to be investigated. Eccles [11] presents IEEE1451 as a promising technology that could be used in the test and evaluation of new aircrafts. Furthermore, the author highlights the benefits of using the IEEE 1451 standards in the development of smart transducers interfaces for complex avionics systems. However, the paper points out that the safety of such technology still has to be proven before its introduction in commercial aircrafts. Despite the fact that several works have investigated the application of the IEEE 1451 standards in aerospace and aeronautical fields [12] [13] [14] , fault tolerance aspects related to the implementation of an IEEE 1451-based smart transducer interface have not yet been fully addressed.
The aim of this paper is to take advantage of the IEEE 1451 standard to design and implement smart transducer interfaces while ensuring the required performances in terms of safety and reliability.
A generic high level description of a TIM's single-chip architecture has been presented in one of our previous work [15] . The proposed TIM architecture, shown in Figure 1 , is based on a parallel configuration of similar modules connected together via two crossbars. TIM-service modules are the main controllers of the TIM that execute the control and processing functions. The Transducer Measurements Interface (TMI) module is responsible for the orchestration of the needed operations to acquire data from a transducer. Communication modules ensure the transfer of messages over redundant field busses. Our previous work highlights that in the case of a TIM-service module failure, processing can then be ensured by one of the remaining copies of the module. Fault tolerance mechanisms were not discussed in our previous work. A detailed description of the single chip TIM as well as the deployed fault tolerance techniques will be presented in the next section.
Transducers Interface Architectures
Due to the lack of directives related to fault tolerance aspects provided by the IEEE1451, we concentrated our efforts on investigating some of the most effective techniques allowing detection, isolation and recovery from faults. As mentioned before, the proposed techniques target two architectures: a single-chip architecture and a dualchip architecture based on a COM/MON configuration. The selected hardware platform for the design and implementation of the interfaces is FPGA. This technology is a flexible and low-cost hardware solution that meets the functional requirements imposed by the avionics scope of application. This 2E4-4 section will present a detailed description of the two analyzed interface architectures as well as the fault tolerance techniques that have been selected for each of them.
Single-Chip Interface Architecture
Recent advances in microelectronics and especially in the FPGA industry have led to the possibility to integrate a complete system in a single FPGA chip. In order to benefit from such technology in safety-critical applications, several techniques were proposed to build fault tolerant FPFAs. Some of these techniques, such as offline built in self-test (BIST), temporal redundancy and periodic reconfiguration, are not suitable for the design of the TIM as they do not satisfy some of the strict safety requirements i.e. speed of fault detection, performance overhead, transient and permanent fault coverage [16, 17] .
Online testing based on modular redundancy at the micro-architectural layer is the fault tolerance technique that has been selected for the development of TIM. In fact, modular redundancy is able tolerate permanent and transient faults while ensuring the above-mentioned requirements [16] . Triple modular redundancy (TMR) and dual modular redundancy (DMR) techniques have been widely used in the design of fault-tolerant FPGAs [16] . We have decided to use the DMR technique to design the single-chip TIM as it ensures better capabilities in terms of cost, performance and fail-safe characteristics [18] .
In this section we present an improved version of the single-chip TIM design presented in Figure 1 . The new design of the TIM integrates multiple customized TIM-Service cores aggregated in redundant lockstep pairs. The modules of each pair perform samples and/or commands processing simultaneously and the results are subsequently compared before being transmitted over the interface output. Furthermore, the signals to be compared are slightly delayed, which allows to significantly reduce failures resulting from common mode faults [18] . Lockstep pairs are independent and fail-silent. From the standpoint of power supply, TIM-service pairs as well as the remaining modules of the TIM depend on a common power source. TIM-service pairs process data in parallel and each one of them is responsible of controlling a set of transducers. This enhances the computing performances of the interface and reduces the latency of messages within the TIM. If an error is detected in one of the lockstep pairs, the concerned sample/command will be declared as not valid through a fail flag in the data message. In this case, the error is considered as transient and the faulty cores will be initialized. If a second error occurs just after the initialization process during a predefined bounded time interval, the failure is considered as permanent. As a result, the faulty pair stops working and a recovery mechanism assigns the lost functions to one of the remaining pairs. Consequently, the TIM enters in a degraded mode of operation. The interface remains operational as long as it has one or more working lockstep pairs. In addition to the execution of control functions, TIM-service pairs are responsible for monitoring and detection of failures of transducers as well as of those of the different modules in the TIM. This preserves the fail-safe capabilities of the TIM. TEDS and internal buses are protected against faults through error detection techniques, such as parity bits and CRCs. Despite the fact that crossbars represent single points of failures, their probability of failure is marginal due to the small amount of logic needed to implement them. 
Dual-Chip Interface Architecture
The dual-chip interface architecture is based on two FPGA chips coupled according to the COM/MON configuration. To the best of our knowledge, [8] is the only reference that proposes the use of the COM/MON technique in designing smart transducer interfaces for avionics safety-critical applications. The novelty of our dual-chip interface architecture lies in that it allows benefiting from the advantages of IEEE 1451 standard in designing both of the COM and MON lanes. The design of each of these lanes is almost similar to the one of the singlechip interface. However, they are no longer multipair, but are based on a single and simplex TIMservice module. Hardware dissimilarities (different FPGA platforms, different coding languages, etc.) enhance fault mitigation of the interface. Unlike the single-chip interface, the dual-chip architecture does not offer the possibility to recover from permanent faults that occurs in the TIM-service modules. Permanent failures in shared resources can be detected but they are not recoverable as well. Figure 3 illustrates the architecture of the dual-chip interface that controls a single actuator. Each lane communicates data to the central part of the system through a dual ARINC 825 controller. The interface architecture is the same whether it is used to control a set of sensors or actuators. 
Safety and Reliability Analysis
A preliminary analysis of the reliability of the single-chip TIM was presented in [15] , in which it is assumed that all errors are properly detected and handled. In reality however, failures can escape the implemented error detection mechanisms. This section aims at improving this analysis by introducing a distinction between safe and unsafe failures. In order to investigate the worst case scenario, the analysis of the two interfaces is based on a pessimistic approach from a reliability standpoint, which supposes that the first transient fault occurring in the interface modules is considered as a permanent fault. System modeling is performed using Markov chains. We define the fault coverage as the conditional probability C, given by: C = P (fault detection and recovery | fault existence).
The following parameters are used for modeling the interfaces:
• is the failure rate of TIM-service pairs/cores; • is the failure rate of TIM shared resources: TEDS, crossbar, etc...
• ℎ is the rate of common-cause failures, i.e. power supply, clock tree and silicon substrate; 
2E4-6

Single-Chip Interface Modeling
Let us consider a single-chip TIM design with N TIM-service pairs running in parallel. Each pair controls a set of transducers. In case of a failure occurring in one of the pairs, the functions formerly performed by the faulty pair are ensured by one of the remaining pairs.
We define the following fault coverage parameters:
• is the coverage of TIM-service pairs faults;
• is the coverage of shared resources faults. Figure 4 shows the transition diagram of the single-chip TIM. We assume that the failure rate of TIM-service pairs remains unchanged for all the transitions regardless of their work load. We also assume that at time t, only one failure can occur. The probability that the system is in one of the N+2 states is given by solving the following state transition equation:
where ( ) is a vector of size N+2 whose i th element represents the probability ( ) that the system is in the state i at time t. M is the transition matrix of the system. The transition diagram shown in Figure 4 contains the following N+2 states with 0 ≤ i ≤ N-1: The interface is assumed to be operational as long as the interface is in one of the i states (0 ≤ i ≤ N-1). Let us consider the state i: the transition between state i and state i+1 (0 ≤ i ≤ N-2) depends on TIM-service pair failure rate ( − ) and the probability, , that given the existence of a fault, the system succeeds in detecting it and performing a recovery. The transition between state i and state S depends on the failure rate of the shared resources and the probability, , that given the existence of a fault, the system succeeds in detecting it.
The transition between the state i and state F depends on the following factors:
• failure rate of a TIM-service pair ( − ) and the probability,
, that given the existence of a fault, the system does not succeed in detecting it.
• shared resources failure rate and the probability, (1 − ), that given the existence of a fault, the system does not succeed in detecting it.
• TIM common-mode failure rate ℎ . TIM reliability is given by the probability that the system is in one of the states i (0 ≤ i ≤ N-1) . TIM safety is given by the probability that the system is either in a state i (0 ≤ i ≤ N-1) or in the state S. Figure 5 shows the transition diagram of the dual-chip architecture. As mentioned in the previous section, the dual-chip interface operates according to the COM/MON configuration. Fault detection is based on the comparison of the COM and MON lanes outputs. Let C be the coverage of fault detection. The failure rate related to the logic in each lane is evaluated as follows:
Dual-Chip Interface Modeling
= +
Figure 5. Transition Diagram of the Dual-Chip Interface
The transition from state 0 to state S depends on:
• failure rate of the logic in one of the COM and MON lanes, 2 , and the probability, , that given the existence of a fault, the system succeeds in detecting it; • common-cause failure rate of the COM lane, ℎ , and the probability, , that
given the existence of a failure, the system succeeds in detecting it. The transition from state 0 to state F depends on:
• failure rate of the logic in one of the COM and MON lanes, 2 , and the probability, 1 − , that given the existence of a fault, the system does not succeed in detecting it; • common-cause failure rate of the COM lane, ℎ , and the probability, 1 − , that given the existence of a failure, the system does not succeed in detecting it; • common-mode failure rate of the MON lane, ℎ .
TIM reliability is given by the probability that the system is in the state 0. TIM safety is given by the probability that the system is either in the state 0 or in the state S.
Numerical Results
The state transition equation (1) [19, 20] . Failure rates and coverage probabilities that have been used are given in Table 1 . These values are commonly used in the literature (see, e.g., [7] and [19] ). Reliability curves of the single-chip TIM (see Figure 6) show that by incorporating redundant lockstep TIM-service pairs, the reliability of the TIM increases. It can be noticed that the introduction of a second TIM-service pair improves significantly the reliability of the TIM. However, the improvement due to the addition of a number of pairs greater than two is marginal. The trend shows a stagnation of reliability with the use of a large number of TIM-service pairs. It can be concluded from the analysis that the best trade-off for the number of TIM-service pairs is two. Figure 6 shows also that the dual-chip interface is the least reliable of the two considered. This is due to the increased failure rate caused by the use of two FPGA chips coupled in series. Figure 7 shows that safety curves of the single-chip interface with 2, 3 and 4 TIM-service pairs are very similar. It can be noticed also that the single-chip interface with a single TIMservice pair presents the best performance in terms of safety, mainly in the interval [50000, 20000] . Furthermore, Figure 7 shows that the dual-chip interface is the safest among the analysed configurations. The difference between the safety of the dual-chip interface and the different configurations of the single-chip interface increases gradually over the interval [50000, 200000] . This is caused by the fact that the FPGA units are configured in series.
The choice of the interface architecture depends on the requirements and the nature of the avionics application. For a fly-by-wire system, the safety of actuator interfaces is extremely important. The dualchip interface architecture based on the COM/MON technique represents a good candidate to develop highly safe smart actuators interfaces. According to our analysis, it seems that the dual-chip architecture could be the most appropriate for flight control actuator interfaces. Indeed, smart actuator interfaces constitute the last level of the system that is responsible for actuating control surfaces. Moreover, if an error cannot be detected locally, it is complex to get the interface back to a safe state.
On the other hand, the major advantage of the single-chip interface is its ability to ensure satisfactory safety and reliability levels while providing a compromise between both of these attributes. The single-chip interface appears to be better for smart sensors interfaces. In fact, in a worst case scenario with unsafe failures, faults can still be detected by upper levels of the system, (i.e., NCAPs, FCCs, etc...) and data can be extracted from a redundant sensor interfaces.
Implementation
This section deals with the development of a FPGA-based prototype of the single-chip interface architecture. The implemented prototype has been used to validate the proposed fault tolerance mechanisms, and more precisely the TIM-service lockstep configuration. The prototype serves also as a proof of concept of the smart transducers technology and provides a test bed for the validation of a variety of algorithms and features for safety-critical avionics systems.
Network Wrapper Prototype
Together with the TIM prototype, an FPGAbased NCAP has been implemented to build up a complete network interface wrapper that allows the transfer of data to central avionics computers through an AFDX End System. The FPGA platform that has been selected to develop both parts of the wrapper (TIM and NCAP) is the Xilinx SP605 board, which is equipped with the Spartan-6 XC6SLX45T FPGA. As shown in Figure 8 , the prototype is composed of two SP605 boards, a power distribution board and a temperature sensor PCB. One of the FPGA boards is dedicated to the TIM and the other one to the NCAP. The communication between the TIM and NCAP is ensured via a dual ARINC 825 bus. COTS AD7415 temperature sensors from Analog Devices are used to ensure temperature acquisition. These components forward the measured samples through an I2C bus [21] . Figure 8 illustrates a simple configuration of the prototype based on a single sensor, but the prototype is able to support multiple sensor connections (up to 10 sensors). The implemented prototype serves to emulate a temperature sensor interface that is part of an aircraft Air Data system and that delivers critical temperature information to the aircraft systems. The implemented TIM is based on the architecture presented in Figure 2 . In order to evaluate the worst case scenario performances, we have implemented a TIM that integrates 4 TIM-service pairs (P1, P2, P3, P4) and 8 temperature sensors (S1, S2, S3, S4, S5, S6, S7, S8). In order to enhance computing performances, TIMservice pairs perform data processing in parallel and share equitably the control of sensors, so that each pair controls two temperature sensors. Each ARINC 825 controller (C1, C2) manages data forwarded by the half of TIM-services pairs, i.e. C1 manages data forwarded by P1 and P2, and C2 manages data forwarded by P3 and P4. The main function of the TIM-service pairs is to correct the data according the datasheet provided by the manufacturer. Default values of correction coefficients are stored in the TEDS within the FPGA. TIM-service modules are also able to update these default values with new ones upon the reception and processing of the associated command. On the other side, the NCAP, presented in Figure 9 , is composed of a dual ARINC 825 controller, an NCAP-service module and a UART Gateway, all configured in series. Finally, the NCAP interfaces directly with an AFDX End System through a built-in UART-USB controller. This last controller is managed through our custom implementation of an UART gateway. The main functionalities of the NCAP-service are related to the control of this gateway, the formatting of its data and to the latency measurement mechanisms explained later.
Figure 9. NCAP Architecture
The NCAP does not integrate fault tolerant techniques. However, fault detection and diagnostic mechanisms similar to those implemented in the TIM, are supported by the NCAP design. The AFDX End System is built using a PC Platform. A software program implemented on the PC has been used to debug the network wrapper and validate the fault tolerance mechanisms.
Test Procedure and Results
The network wrapper prototype has been used to validate the following TIM's fault tolerance and realtime features:
• capacity to detect and recover from permanent TIM-service pairs faults • message latency, separating the instant of data acquisition within the TIM and the instant of message reception by the NCAP, that should be less than 2 ms • Tests related to transient faults handling were performed but they are not discussed in this paper.
2E4-10
On the other hand, diagnosis mechanisms that allow distinguishing between transient and permanent faults were validated through simulations.
In order to validate the above-mentioned features, we have defined a test strategy that consists in emulating the occurrence of a permanent fault by injecting a faulty processing result in the comparison module of each TIM-service pairs. Also, in order to simplify the fault injection procedure, the TIM was configured to consider all the detected faults as permanent. The main purpose of the test is to evaluate the impact of the permanent fault occurrence on the messages delay.
The test measures the time that separates the acquisition of the data by the transducer measurement module (TMI) within the TIM and its reception by the ARINC 825 controllers of the NCAP, in presence of one or multiple TIM-service pair permanent failure(s). To do so, we have added latency fields to the data message structure: TIM_Latency and NCAP _Latency. TIM_latency is the delay of the message within the TIM and is calculated through a time stamp counter when the message is transferred to the TIM's ARINC 825 controller. NCAP_Latency represents the delay for transferring messages through the bus (Figure 10 ). The mechanism that allows the measurement of this latency is explained in detail in [22] . When the message is received by the End System, an application calculates the total latency by adding the two latency measurements (TIM and NCAP) and displays the total latency relative to each sensor.
Failures are recovered based on a predefined Transducer-Lockstep pair affiliation table. Table 2 shows the part of the affiliation table that covers the set of failure injection scenarios that are performed during our validation test. In other words, Table 2 illustrates the set of sensors that are processed by each TIM-service pairs, with respect to the faulty pairs. The fault detection mechanism was validated through the reception of a raised Health Management flag in the received messages after the injection of a fault. Table 3 shows the total latencies as a function of the number of faulty pairs. 0.7 0.7 1.1 2.1 Nearly 66% of messages bits are dedicated to transfer latency measurements data. As a result, we have estimated the real latency to be less than half of the measured latency. Latency measurements in Table 2 shows that injected permanent failures in TIM-service pairs have no major influence on the latency of messages and that the 2 ms requirement is respected. According to Table 2 , in normal operation mode, the measured latencies vary between 0.4 ms and 0.7 ms. In case of one faulty pair (P1), the measured latency for sensors S1, S2, S3 and S4 increases slightly. This is due to the increase in data processing load of the pair P2. In presence of a second faulty pair (P3), sensors S5, S6, S7 and S8 are in turn subject to a slight increase in their data latency similar to the one noticed in the case of one faulty pair. In the worst case scenario, characterised by 3 permanent failures and data transfer through a single bus (which is equivalent to a loss of one bus), the measured latency is 2.1 ms. The increase in latency noticed in the latter scenario is mainly induced by the transfer of data over a single ARINC 825 bus. The real latency value relative to these measurements is estimated to be less than 1 ms, which satisfy the 2 ms requirement. It can be concluded that the increase in processing load of the pairs replacing the faulty ones have no significant influence on the messages latency and that the 2 ms latency requirement is always satisfied. A significant margin of latency (more than 1 ms) is still available and allows the implementation of additional functions in the TIM-service pairs.
Conclusions
In this paper, we proposed two smart transducer interfaces architectures for avionics safety-critical applications. These architectures are based on the IEEE 1451 standard and integrate several fault tolerance techniques. The single-chip interface is based on modular redundancy and integrates several TIM-service cores aggregated in lockstep pairs that allows the detection, diagnosis and isolation of faults. A recovery technique extends the availability of the interface by replacing the faulty pairs with working ones. The dual-chip interface is based on two FPGA chips coupled in series and configured according to the COM/MON technique. Fault detection is ensured through lanes outputs comparison and validation. The reliability and safety of these architectures are investigated. We have demonstrated the benefits and drawbacks of the two considered interface architectures as well. A hardware prototype of the single-chip interface has been built in order to validate features related to the fault tolerance and real-time nature of the interface. At this point, only the single-chip architecture has been implemented and validated but we believe that dual-chip architecture can be easily implemented due to similarities with the single-channel design.
