# **Overview of FPGA activities in the European Space Agency**

III National School: "Detectors and Electronics for High Energy Physics, Astrophysics, Space Applications and Medical Physics"

> David Merodio Codinachs Roland Weigand European Space Agency Microelectronics Section (TEC-EDM)



23<sup>th</sup> April 2009

Slide 1/43

## **Acknowledgments**

- Thanks to all colleagues, specially
  - Christian Poivey
  - Fredrik Sturesson
  - Anastasia Pesce
  - Francisco Tortosa
  - Jorgen IIstad
  - Catherine Morlet

→And also to the authors of all the referenced material



## Outline (1)

### Introduction

- → FPGA Configuration types
- Architectural general overview
- Non Rad-Hard and Rad-Hard Reprogrammable FPGAs
- → Rad-Hard One Time Programmable (OTP) FPGAs
- → General Capacity overview
- SEE mitigation, in general and dedicated to SRAM FPGA
  - SEEs recapitulation
  - → SEEs in antifuse FPGAs
  - Triple Modular Redundancy (TMR) for flip-flops in ASIC designs
  - → Functional TMR (FTMR) and the Xilinx TMR tool (XTMR) for SRAM FPGA
  - Configuration memory scrubbing
  - → Reliability Oriented Place & Route algorithm (RoRA)
  - Block and device level redundancy
  - → Temporal Redundancy
  - SEEs in Rad-hard reconfigurable FPGA



## Outline (2)

- Analysis of SEE, verification of mitigation methods
  - → Radiation testing: Heavy Ions, Protons, Neutrons
  - → Fault simulation and fault injection
  - → Functional an formal verification
  - → Analysis of circuit topology
- Selection of the appropriate mitigation strategy
- Reconfigurability
  - Motivation
  - → Basic requirements
  - → Examples:
    - » Software Defined Radio
    - » Generic Module Dynamic Reconfigurator

### Conclusion

Are the current mitigation techniques needed in the future?

#### References



Slide 4/43

## Talk Scope: Before starting ....

- The main ESA activity related to FPGAs is:
  - →<u>use them in the subsystems</u> with electronics



Image:Central Data Management Unit for ESA's scientific twin mission Herschel and Planck based on the 32-bit processor ERC-32.

#### SYSTEM UNIT SPECIFICATIONS

#### Physical and environmental

| -                    |                                                 |
|----------------------|-------------------------------------------------|
| Radiation tolerance: | 30kRad                                          |
| Mass:                | 13 kg                                           |
| Dimensions:          | base plate 230*280 mm,<br>height 292 mm         |
| Vibration and chock: | meets Ariane 5 launch<br>requirements           |
| Thermal environment: | -20 to +50 °C on base<br>plate                  |
| Power I/F:           | 50V DC supply feeds<br>each sub unit separately |
| Total power          | in normal operation 28W                         |



Smart-1 System Unit

23<sup>th</sup> April 2009



Slide 5/43

## **Subsystems with Electronics**

- On Board Computer & Data Handling System
  - → Main set of electronics, vital for the S/C functioning
  - → On board computer
  - → Mass memory
  - → Remote Terminal Units
  - → Payload data processing computers
  - → Data interfaces
- AOCS Sensors and Actuators
  - → Quite complex sensors with internal electronics
  - → Star tracker has a LEON processor ...
  - → Other
- Payloads
  - → Many types of instrument electronics, Radars, Telecom, Cameras, payload control electronics,
- Telecommunications





23<sup>th</sup> April 2009

Slide 6/43

## **FPGA Introduction**

- In the FPGA usage there are different aspects (not extensive list):
  - → Capacity and performance (frequency and power consumption)
    - » Related to the internal architecture and technology node used
  - → Radiation hardness
    - » Addressed at different levels:
      - Process
      - Transistor/ Standard Cell
      - Register Transfer (RTL)
      - System
  - → Reconfigurability
  - → Quality
  - → Others:
    - » ITAR (International Traffic in Arms Regulations)
      - The regulations are described in Title 22 (Foreign Relations), Chapter I (Department of State), Subchapter M of the Code of Federal Regulations.
    - » Cost

## **FPGA Configuration types**

#### • The configuration of FPGAs are kept by:

Unprogrammed Antifu (Antifuse example) → Antifuse Via to Metal 4 T25JV04 W#47 HPO/VPD (OTP: One time Antifuse programmable) Metal 3 → SRAM (SRAM 6 transistor example) (Reprogrammable) Switch In Floating Gate → Flash-based (Reprogrammable) Sensing Switching Word ProASIC3/E Flash Based Switch [] Switch Out



Slide 8/43

## **FPGA Introduction: Architecture**

## **Architectural features in FPGAs:**

- Logic (LUTs, R/C-Cells, ...)
- Internal Memory
- PLLs/ DLLs
- Arithmetic/ DSP oriented:
  - → Carry chain logic
  - → Multipliers
  - Multiply And Accumulate (MAC) plus extra registers
- Embedded processors
- Interfacing
  - → High Speed Serial Links



23<sup>th</sup> April 2009



Slide 9/43

## **FPGA vendors overview**

#### FPGA Commercial vendors

(\*) One-time programmable

|                          |                      | Actel        | Altera    | Atmel        | Lattice         | Quick-<br>logic | Xilinx   |    |
|--------------------------|----------------------|--------------|-----------|--------------|-----------------|-----------------|----------|----|
| "Architectural features" | PLD only activity?   | Yes          | Yes       | No           | Yes             | Yes             | Yes      |    |
|                          | SRAM-based           | -            | X         | X            | X               | -               | X        |    |
|                          | Antifuse             | X            | -         | _            | -               | X               | -        | (* |
|                          | E2PROM/FLASH         | X            | -         | -            | X               | -               | -        |    |
|                          | Logic                | X            | X         | X            | X               | X               | X        |    |
|                          | DSP                  | Carry- Chain | DSP block | Carry- Chain | sysDSP          |                 | Xtreme   |    |
|                          | Embed.<br>processing | Soft<br>ARM* | Soft NIOS | Hard AVR*    | Soft Cores      | Soft Cores      | Hard PPC |    |
|                          | Mixed Signal         | FUSION       | -         | -            | ispPAC<br>(PLD) | -               | -        |    |
|                          | "Structural ASIC"    | -            | -         | -            | МАСО            | -               | -        |    |



23<sup>th</sup> April 2009

Slide 10/43

## **Rad-Tolerant Reconfigurable FPGA**

- 🔹 Xilinx Q-Pro family (SRAM-based) 🧹
  - » Virtex (V): XQRV300/600
  - » Virtex 2 (V2): XQR2V3000/6000
  - » Virtex 4 (V4): XQR4VLX200, XQR4VLX200, XQR4VSX255, XQR4VFX140
  - → Non-ITAR
  - → 0.22um (V), 0.15um (V2), 90nm technologies (V4)
  - Advanced architecture including embedded Hard IPs
    (depending on the family and device)
    - » DSP Slices/Multipliers; Ethernet MAC Blocks; HSSL
    - » PowerPC Processor Blocks
  - Radiation characteristics
    - » Configuration memory, BRAM and FFs are not rad-hard: mitigation techniques required
    - » TID: 100 Krad (V); 200 Krad (V2); 300 Krad (V4)
  - → Packages: CB228 ; CG717; CF1144/1140/1509









23<sup>th</sup> April 2009

Slide 11/43

## **Rad-Hard OTP FPGAs (antifuse)**

- RTSX (RTSX32SU, RTSX72SU)
  - → Non-ITAR
  - → Rad Hardening techniques
    - » User FFs SEU hardened
    - » LET<sub>TH</sub> in excess of 40 MeV-cm2/mg
  - → TID 100Krad; Packages: CQFP-84/208/256
- RTAX (RTAX250-4000S/SL)
  - → ITAR
  - Radiation characteristics
    - » User FFs SEU hardened
    - »  $\text{LET}_{\text{TH}}$  in excess of 37 MeV-cm2/mg
    - » Cross-section < 1E-9 cm2
    - » Embedded block RAM not rad-hard: Mitigation technique required
    - » TID 300 Krad

esa

#### → Packages: CQFP-208/352, CCGA/LGA-624/1152, 1272

Microelectronics Section



I/O Structure

Slide 12/43

C-Coll

CRRCRC

Type 2 SuperCluster

CRCCRC

Type 1 SuperCluster

SuperClust

## Rad-Hard Reconfigurable FPGA (II)

- The Xilinx SIRF Project [9] (SRAM-based)
  - → SIRF = Single-event effects Immune Reconfigurable FPGA
  - → Based on the Virtex5 architecture, implemented in 65 nm technology
  - Developed under US air force funding
  - → Subject to export regulations (ITAR)
  - → Packages FF665/1136/1738 (TBC)
- Flash based FPGA (Low Power)
  - → Actel Pro-ASIC [10]; Non-ITAR
  - → Radiation evaluation is ongoing
  - → ASIC-like SEE mitigation required
  - → Flash is reconfigurable
    - » A limited number of reconfiguration cycles
    - » No on-line reconfiguration (while circuit is operating)
  - → Packages CCGA/LGA-484, 896







23th April 2009

Slide 13/43

## **Rad-Hard Reconfigurable FPGA (III)**

- The Atmel ATF280E [8]
  - → Non-ITAR (European)
  - → It has hardened
    - » Configuration memory
    - » User FFs
    - » User memory
  - → TID tested upto 300Krad
  - → Packages: CQFP-84/208/256
  - → Development of larger devices is planned in cooperation between:
    - » Atmel Aerospace
    - » Abound Logic (http://www.aboundlogic.com)
    - » CNES (French Space Agency)
    - » JAXXA (Japanese Space Agency)
    - » ESA (European Space Agency)







23<sup>th</sup> April 2009

Slide 14/43

## **Rad-Hard FPGA Capacity Overview**



## Single Event Effects, SEE (recapitulation)

- Single Event Latchup (SEL)
- Single Event Transients (SET)
  - → in clocks and resets
    - » Glitches on clocks  $\rightarrow$  change of state, functional fault
    - » Asynchronous resets are clock-like signals



Slide 16/43

- → Single Event Transients (SET) in combinatorial logic
  - » SEE glitches in combinatorial logic behave like cross-talk effects
  - » Causes SEU when arriving at flip-flop/memory D-input during clock edge
  - » Sensitivity increases with clock frequency
  - » Synchronous resets are (normal) combinatorial signals
- Single Event Upset (SEU) in Flip-Flops and SRAM
  - → SEE glitch inside the bistable feedback loop of storage point
  - $\rightarrow$  Immediate bit flip  $\rightarrow~$  loss of information, change of state, functional fault



## SEEs in antifuse FPGAs (I)

- Actel Antifuse FPGAs (RTSX-SU and RTAX-S/SL families):
  - → Routing is done with antifuse (passive); no upset effect.
  - → DFFs, rad-hard at transistor level [22]:
    - » Simplified version of the non-hardened D FF:





CLK

CLK

- Internal memories are not "rad-hard":
  - » Mitigation techniques
    - at RTL level required (requirements-dependent)



Slide 17/43

## SEEs in antifuse FPGAs (II)

- However, the overall radiation hardness of the DFFs has 2 components [3]:
  - → SEU in the D FFs:
    » radiation hardened
    → SET in the C-Cell:
    - » Causes SEU when arriving to the FF





(ACTEL DFF primitive equivalence)



## SEEs in antifuse FPGAs (III)

#### • See report [3] for details on the radiation experiment:



Figure 16: LET vs. Cross Section: multiple frequencies, data pattern = checkerboard, 4F4L architecture



## **SEEs in non-hardened SRAM FPGA**

### Single Event Upsets (SEU) in configuration memory

- → In SRAM FPGA, the circuit "itself" is stored in a RAM. A bit flip can modify the circuit functionality – e.g.
  - » Modify a look-up-table (combinatorial function)
  - » Changing IO configuration (revert IO direction)
  - » Causing an open connection
  - » Causing a short circuit
- Single Event Functional Interrupt (SEFI)
  - → Defined in [2]: SEFI is an SEE that results in the interface of the normal operation of a complex digital circuit. SEFI is typically used to indicate a failure in a support circuit, such as:
    - » a region of configuration memory, or the entire configuration.
    - » loss of JTAG or configuration capability
    - » Clock generators
    - » JTAG functionality
    - » power on reset



## Mitigation of SEU in User Logic

Standard synchronous RTL design

esa



TMR and single voters for flip-flops for hard-wired logic (ASIC)



**Microelectronics Section** 

Functional TMR (FTMR) [4] for SRAM (reprogrammable) FPGA



23<sup>th</sup> April 2009

Slide 21/43

## FTMR-XTMR

- FTMR is based on full triplication of the design and majority voting at all flip-flop inputs and/or outputs
  - → Tolerates single bit flips anywhere in user or configuration memory
    - » Bit flips are "voted" out in the next clock cycle
  - → Mitigated SET effects (glitches in clocks and combinatorial logic)
  - → The VHDL approach presented in [4] requires a special coding style, it is synthesis and P&R tool dependent and therefore difficult to use

23<sup>th</sup> April 2009

Slide 22/43

### XTMR development by Xilinx has a very similar topology

- → Voters only in the feedback paths (counters, state machines)
  - » Bit flips are voter out in N clock cycles
    - (N = number of stages of linear data path)
  - » Less area and routing overhead
- → Implemented automatically by the TMRTool [5]
- Independent of HDL coding style and synthesis tool
- → Well integrated with the ISE tool chain
- → Also triples primary IO signals



## **Multiple SEU – Configuration Scrubbing**

### Multiple bit flips can be

- → Single bit flips (SEU), accumulated over time
- → A single particle flipping several bits (Multiple Bit Upset MBU )
- Neither XTMR nor FTMR tolerate multiple bit flips
  - → Refresh of configuration memory at regular intervals required
  - → Background configuration scrubbing by partial reconfiguration [8]
    - » Without stopping operation of the user design function
  - → Scrubbing protects against accumulated single bit flips, provided the scrubbing rate is several times faster than the statistical bit upset rate
  - → Requires an external rad-hard scrubbing controller
- Scrubbing does not protect against MBU
  - → MBU are rare in current technology
  - → MBU could become an issue in future technology generations
  - → MBU usually affects physically adjacent memory cells
  - → MBU mitigation requires in-depth knowledge of the chip topology

## **XTMR cross-section added value**

- Data from []
- Device:
  - → XQR3V3000 Die size ~16x16 mm<sup>2</sup>



• Results:

- → 2 clock: XTMR not active
- → 3 clock: XTMR active

Clear added value when using XTMR .... BUT, is it enough?



Fig 6.5 Recorded cross sections for the modules FFT, FFmatrix, LUTmatrix and M18matrix plotted as a function of LET for the V2 design variant. Data are only shown for test runs with low flux.



23<sup>th</sup> April 2009 Slide 24/43

## **RoRA: Mitigation at Place and Route**

- In spite of (X)TMR, single point failures (SPF) still exist
  - Optimization during layout leads to close-proximity implementation
    - » Flipping one bit may create a short between two voter domains
    - » Flipping one bit may change a constant (0 or 1) used in two domains

#### → Malfunction in two domains at a time can not be voted out any more



- The Reliability oriented place & Route Algorithm (RoRA) [7]
  - → Disentangles the three voter domains
  - → Reduces the number of SPF (bits affecting several resources)
  - → Besides giving additional fault tolerance to (X)TMR designs, RoRA is applicable also to non- or partial-TMR designs



## **Protection of SRAM blocks (1)**

### EDAC = Error Detection And Correction

- Usually corrects single and detects multiple bit flips per memory word
- → Regular access required to preventing error accumulation (scrubbing)
- Control state machine required to rewrite corrected data
- → Impact on max. clock frequency (XOR tree)

### Parity protection allows detection but no hardware correction

- → When redundant data is available elsewhere in the system
  - » Embedded cache memories (duplicates of external memory)  $\rightarrow$  LEON2-FT
  - » Duplicated memories (reload correct data from replica)  $\rightarrow$  LEON3-FT
- → On error: reload in by hardware state machine or software (reboot)

### Proprietary solutions from FPGA vendors

- → ACTEL core generator [21]
  - » EDAC and scrubbing

#### → XILINX XTMR [5]

» Triplication, voting and scrubbing



Slide 26/43

## **Protection of SRAM blocks (2)**

- EDAC protected memory (Actel)
  - Scrubbing takes place only in idle mode (we, re = inactive)
  - → Required memory width
    - » 18-bit for data bits <= 12
    - » 36-bit for 12 < data bits <= 29
    - » 54-bit for 20 <data bits <= 47

edaci/edacii Block

Encoder

Decoder

Scrubbing

Control

wdata

rdata

B

Axcelerator

RAM

Block

waddr, raddr

we,re



- Scrubbing in background using spare port of dual-port memory
- → Triplication against configuration upset RAMB4 S# S16



Slide 27/43

23<sup>th</sup> April 2009



Timer

wdata

rdata

error flags

slowdown flag

waddr, raddr, we,re

Testing, error and optional ports

R

## **Other Mitigation Techniques (1)**

- Block and device level redundancy [6]
  - → Implementation of each design is plain (non-voted)
  - Design/verification of plain blocks/devices does not require special tools
  - $\rightarrow$  2x1 implementation ( $\rightarrow$  error detection and restart)
  - $\rightarrow$  3x1 or 2x2 implementation ( $\rightarrow$  continue operation in case of fault)



Figure 4: Dual FPGAs implementation

Figure 5: Three FPGA Implementation



## **Other Mitigation Techniques (2)**

- ... Block and device level redundancy
  - → Redundant blocks or devices must be re-synchronised
    - » Context copying when error in one instance is detected
    - » Reset system or restore context from snapshot stored at regular intervals
  - Device TMR overcomes shortage of gate resources and IO pins
  - → Device TMR also protects against SEFI
  - → Device TMR requires separate rad-hard voting and reconfiguration unit
  - → Also applied for non-FPGA COTS devices [11]
- Temporal redundancy
  - → Repeat processing two or more times and vote result
  - Employed for embedded microprocessors
- Partial (Selective) TMR [12]
  - Triple only the most sensitive parts of a system
  - → Trade fault tolerance against complexity, but difficult to validate
- Single instance and watchdog

## **SEEs in Rad-Hard SRAM FPGA**

- FPGAs: all Atmel and future SIRF Xilinx
- Single Event Upset (SEU) in configuration memory
  - → No effect as the memory cells are radiation hardened A bit flip can NOT modify the circuit functionality – e.g.
    - » NO modification of look-up-tables (combinatorial function)
    - » NO changing of the IO configuration (revert IO direction))
    - » NO cause an open connection
    - » NO cause a short circuit
- Single Event Functional Interrupts (SEFI)
  - → Under study
- User D FFs
  - → No effect as they are radiation hardened
- Open points:
  - → Hard macros hardness: TBD
  - → Final radiation result: TBD

Should higher level mitigation techniques be applied?

Microelectronics Section

23<sup>th</sup> April 2009

Slide 30/43

## **Verification of fault-tolerant designs**

- Verification has to answer three main questions
  - → Does the mitigation strategy provide adequate fault tolerance?
    - » Radiation testing, fault simulation and fault emulation
  - → Was the planned mitigation strategy properly implemented?
    - » Analysis of netlist and physical implementation (layout)
  - → Are we sure the TMR did not break the circuit function?
    - » Dedicated formal verification tools are required
- Standard verification methods and tools are not sufficient
  - Simulation of a TMR netlist "works" with a defect in one voter domain
  - → COTS formal verification tools are confused by TMR
  - → Structural verification of TMR ASIC designs: InFault [19]
  - → NASA/Mentor: Formal verification for TMR designs [1]
  - → STAR, the STatic AnalyzeR tool [20]
    - » Performs static analysis of a TMR circuit layout in SRAM FPGA
    - » Identifies critical configuration bits (single bit affecting two voter domains)



## **Radiation Testing**

- There is nothing like real data to f' up a great theory
  Richard Katz, NASA Office of Logic Design, circa 1995
- Heavy lon Testing
  - → Using fission products (e.g. Californium 252) [13]
  - → Cyclotron, e.g. UCL [14]







- Other Radiation Testing
  - → Proton testing e.g. PSI [15]
    - Protons penetrate silicon  $\rightarrow$  backside irradiation, suitable for flip-chip
  - Neutron Testing, interesting for ground and aircraft applications

**CSA** Microelectronics Section

23<sup>th</sup> April 2009

Slide 32/43

## **FPGA radiation: RT ProASIC3**

- A radiation test activity <u>has just started under ESA contract;</u> with a duration of 12 months
- Objective:
  - → Get further insight in the radiation sensitivity of RT ProASIC3 FPGAs by performing

» TID sensitiveness (currently published as 15 Krad for programming

- » Heavy ion SEE tests
- » Proton SEE tests
- » Co-60 TID tests

functionality)

- → Main concern of this FPGA are:
  - » SET sensitiveness



23<sup>th</sup> April 2009



Slide 33/43

## **Fault Simulation and Emulation**

- Fault injection to user flip-flops (but not configuration memory)
  - → SST, an SEU simulation tool [16]
  - → FT-Unshades for user flip-flops and memory [17]
- Fault injection to configuration memory by FPGA emulation
  - → The FLIPPER test system [18]





Figure 13: Comparison between injection and radiation data for the FFmatrix module



Slide 34/43

## Selection of a Mitigation Strategy

- SEE mitigation has area and performance overhead
- Trade-off between cost and fault tolerance
  - → Same hardening scheme for the complete design is easiest to implement
  - → Selective hardening of critical parts is often the only acceptable solution
  - Life time requirement of applications can be very different

| Data Criticality<br>Error Persistence |            | Low              |       |      | High              |
|---------------------------------------|------------|------------------|-------|------|-------------------|
|                                       |            | No               | Yes   |      |                   |
| O perating Window                     | Minutes    | No<br>Mitigation |       | TX   | MR                |
|                                       | Days       | Scrubbing        | Scrub | bing | Red-              |
|                                       | Months     |                  | XTMR  | IR   | undant<br>devices |
|                                       | Continuous |                  |       |      |                   |

Slide 35/43



## **Reconfigurability: motivation**

- Question: is reconfigurable/ adaptive hardware useful in Space?
  - → It enables resources usage optimization (HW resources time sharing)
  - → It enables adaption to miss-functions
  - → It gives flexibility to hardware:
    - » Same hardware reused for different applications
    - » Easier adaptation to different and/or new standards
  - → AND FOR MANY MORE REASONS, YES
- Current systems actually include reconfigurability:
  - → Software currently gives the "reconfigurability" to the systems
- The FPGAs to be potentially reconfigured in space shall fulfill the quality and radiation requirements
  - → When mitigation is required, reconfigurability shall be compatible with it
- FPGA currently used in the big majority of space designs:
  - → Antifuse; so no reprogrammable FPGAS



## **Reconfigurability: SDR**

### Example, Activity to be finished in 3Q09

#### → Software Defined Radio (SDR):

» Processor Signal Processing Chain:



### • Reconfigurability levels (possible classification):

#### → Full reconfiguration:

» Full reconfiguration of the processor with new algorithms

#### → Partial reconfiguration with new/upgrade algorithms:

» Only a portion of the design in the FPGA gets reconfigured

#### → Parameters modification:

» Afects only the parameters (same as with SW)

#### → Add-on algorithms:

» Adding one or more algorithms to the current chain.



## **Reconfigurability: GMDR (I)**

#### FPGA Based Generic Module and Dynamic Reconfigurator: Activity Objectives:

- → Design, develop a payload data processing module demonstrator utilizing reprogrammable FPGAs as core data processing unit.
- → Allow for a range of data processing algorithms to be implemented to cover a wide range of applications.
- → Fault tolerant design
- → In-flight reconfigurable core of FPGAs
- → Focus on the SW Development Environment kit to exploit the unit's capabilities.
- Run Performance Benchmarks based on CCSDS Image compression standards
- Activity Start-up Q1 09
- Duration 24 Months



Slide 38/43

## **Reconfigurability: GMDR (II)**

### • FPGA Based Generic Module and Dynamic Reconfigurator:





Slide 39/43

## **Reconfigurability: future FPGAs**

Reconfigurable FPGAs: either SRAM-based or Flash-based

### • Current offer:

- → Rad-Hard SRAM-based:
  - » Atmel AT40K; small capacity
- → Rad-Tolerand SRAM-based:
  - » As it has been seen, big efforts required in order to mitigate against radiation
  - » Packaging offered are currently not qualified

#### → Rad-Hard Flash-based:

» Mitigation techniques required; relatively less efforts that SRAM

### • Future:

- High capacity Rad-Hard SRAM-FPGAs and Flash-based FPGAs
  - » Xilinx SIRF is ITAR

# Question: Will the mitigation techniques be useful in the future?

23<sup>th</sup> April 2009

Slide 40/43



## **Rad-Hard FPGA Capacity Overview**



## Mitigation efforts at RTL level

### Future High capacity Rad-Hard SRAM-based FPGAs

- → Will have lower level mitigation
- ◆ BUT
  - → Rad-Tolerand SRAM-based:
    - » Are currently not ITAR; so might be interesting for some applications

#### → Rad-Hard Flash-based:

- » Mitigation techniques are anyhow required
- High capacity Rad-Hard SRAM-based FPGAs and Flash-based FPGAs
  - » To be further investigated the added value of extra higher-level mitigation techniques



## Conclusion

### ESA involved in FPGA device developments

→ FPGAs extensively used in space designs !!

- ESA involved in tools to verify the correct implementation of the mitigation techniques
  - Fault Injection Systems
    - » FLIPPER, FT-UNSHADES, SST (simulation)
  - Analytical
    - » InFault, STAR
- ESA involved in Radiation testing of FPGAs
- ESA involved in reconfigurability
  - Software defined Radio, Generic Module and Dynamic Reconfigurator
- Will the mitigation techniques be required in the future?
  - Non rad-hard SRAM based FPGAs might be used
  - → Flash-based will require mitigation techniques

Questions?



## **References/Links (1)**

- [1] Melanie Berg: Design for Radiation Effects http://nepp.nasa.gov/mapId\_2008/presentations/i/01%20-%20Berg\_Melanie\_mapId08\_pres\_1.pdf
- [2] Single-Event Upset Mitigation Selection Guide, Xilinx Application Note XAPP987 http://www.xilinx.com/support/documentation/application\_notes/xapp987.pdf
- [3] "RTAXS Field Programmable Gate Array Single Event Effects (SEE) High-Speed Test Plan Phase 1"; T110405\_RTAX.pdf, available at http://radhome.gsfc.nasa.gov/radhome/RadDataBase/RadDataBase.html
- [4] Sandi Habinc: Functional Triple Modular Redundancy (FTMR)

http://microelectronics.esa.int/techno/fpga\_003\_01-0-2.pdf

[5] The Xilinx TMRTool

http://www.xilinx.com/ise/optional\_prod/tmrtool.htm

#### [6] Xilinx Application Notes concerning SEU mitigation in Virtex-II/Virtex-4

http://www.xilinx.com/support/documentation/application\_notes/xapp987.pdf

http://www.xilinx.com/support/documentation/application\_notes/xapp779.pdf

http://www.xilinx.com/support/documentation/application\_notes/xapp988.pdf

#### [7] A new reliability-oriented place and route algorithm for SRAM-based FPGAs, Sterpone, Luca; Violante, Massimo;

IEEE Transactions on Computers, Volume 55, Issue 6, June 2006

http://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=12&year=2006

#### [8] The Atmel ATF280E Advance Information

http://www.atmel.com/dyn/resources/prod\_documents/doc7750.pdf



Slide 44/43

## **References/Links (2)**

[9] The Xilinx SEU Immune Reconfigurable FPGA (SIRF) project http://klabs.org/mapId05/presento/176\_bogrow\_p.ppt [10] Actel Rad Tolerant ProASIC3 http://www.actel.com/products/milaero/rtpa3/default.aspx [11] Super Computer for Space (SCS750), Maxwell, ESCCON 2002 http://www.maxwell.com/microelectronics/support/presentations/ESCCON 2002.pdf [12] Selective Triple Modular Redundancy for SEU Mitigation in FPGAs, Praveen Kumar Samudrala, Jeremy Ramos, and Srinivas Katkoori http://www.klabs.org/richcontent/MAPLDCon03/abstracts/samudrala a.pdf [13] The CASE System, Californium 252 radiation facility at ESTEC https://escies.org/ReadArticle?docId=252 [14] PIF, the Proton Irradiation Facility at Paul Scherrer Institute, Switzerland http://pif.web.psi.ch/ [15] HIF, Heavy Ion Facility at University of Louvain-la-Neuve, Belgium http://www.cyc.ucl.ac.be/HIF/HIF.html [16] SST: The SEU Simulation Tool

http://microelectronics.esa.int/asic/SST-FunctionalDescription1-3.pdf http://www.nebrija.es/~jmaestro/esa/sst.htm

23<sup>th</sup> April 2009

Slide 45/43



## **References/Links (3)**

#### [17] FT-Unshades, a Xilinx-based SEU emulator

http://microelectronics.esa.int/mpd2004/FT-UNSHADES\_presentation\_v2.pdf

#### [18] The FLIPPER SEU test system

http://microelectronics.esa.int/finalreport/Flipper\_Executive\_Summary.pdf

http://microelectronics.esa.int/techno/Flipper\_ProductSheet.pdf

#### [19] Simon Schulz, Giovanni Beltrame, David Merodio Codinachs: Smart Behavioural Netlist Simulation for SEU Protection Verification

http://microelectronics.esa.int/papers/SimonSchulzInFault.pdf

#### [20] Static and Dynamic Analysis of SEU effects in SRAM-based FPGAs

L. Sterpone, M. Violante, European Test Symposium ETS2007

#### [21] Actel Core generator

http://www.actel.com/documents/EDAC\_AN.pdf

#### [22] RTAX-S/SL Rad Tolerant FPGAs Datasheet

http://www.actel.com/documents/RTAXS\_DS.pdf



## **References/Links (III)**

#### [] RTAX-S/SL Rad Tolerant FPGAs Datasheet

David: Include link

[] "RTAXS Field Programmable Gate Array Single Event Effects (SEE) High-Speed Test Plan – Phase 1"; T110405\_RTAX.pdf, available at http://radhome.gsfc.nasa.gov/radhome /RadDataBase/RadDataBase.html



Slide 47/43



# **Backup Slides**



23<sup>th</sup> April 2009

Slide 48/43

## Main FPGA vendors for space

| Characteristics                     | FPGA Vendor                                                                                                       |                                                                        |                                                                                                                          |  |  |
|-------------------------------------|-------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------|--|--|
| Characteristics                     | XILINX (HQ: USA)                                                                                                  | ACTEL <b>(HQ: USA</b> )                                                | ATMEL (F) EU product !                                                                                                   |  |  |
| Reprogrammabi<br>lity               | Unlimited                                                                                                         | One-time-programmable/<br>"limited" (Flash-based)                      | Unlimited                                                                                                                |  |  |
| Technology                          | SRAM-based, .35065µm/<br>0.65µm                                                                                   | Anti-fuse (ONO and M2M),<br>0.8-0.15µm/ 0.13µm Flash                   | Hardened SRAM-based, .35,<br>.18µm                                                                                       |  |  |
| Radiation<br>Hardness               | No TID, SEL; configuration<br>logic is SEU sensitive/ SIRF                                                        | No TID, SEL ; Rad-hard anti<br>-fuse/ TID issue, ASIC-like SET,<br>SEU | No TID, SEL ; Rad hardened<br>SRAM, CMOS libraries                                                                       |  |  |
| Capacity (in<br>ASIC equ.<br>gates) | 1Mgates<br>2-3Mgates (2007)                                                                                       | 250Kgates / 600 Kgates (non-<br>500Kgates (2007) / mitigated)          | 40Kgates<br>280Kgates (4Q09)                                                                                             |  |  |
| ITAR                                | No / Yes                                                                                                          | Yes / No                                                               | No                                                                                                                       |  |  |
| Weaknesses                          | more SEU sensitive (SRAM),<br>Hardening by design at various<br>levels needed / ITAR                              | Can be programmed only once,<br>ITAR applies. / TID                    | only small ones available yet<br>(40K gates), though new<br>larger ones (280K) due 2009,<br>New technology, not used yet |  |  |
| Strengths                           | Unlimited reprogramability;<br>Many functional macrocell<br>options (DSP, mC, serdes),<br>large size / + Rad-Hard | Rad hard, Higher level of space<br>qualification /<br>Reprogrammable   | Unlimited reprogramability;<br>Non ITAR, fabricated in EU;<br>hardened SRAM, clock and<br>reset                          |  |  |



23<sup>th</sup> April 2009

Slide 49/43

## **FPGA and ASIC trends**

### FPGA and ASIC trends



- SRAM-FPGAs go rad hard
- -> Xilinx US "SIRF programme" succeeds,
- -> 3<sup>rd</sup> generation of larger rad hard Atmel FPGAs

#### **<u>SRAM- FPGA</u>**:

reprogrammable, growing in capacity and rad hardness, less expensive, faster time to market than ASIC

#### Anti-fuse FPGA:

growing in capacity, less expensive, faster time to market than ASIC

ASIC: more functions in less area, always best performance, fewer numbers in favour of FPGAs and increasing developing times & costs

23<sup>th</sup> April 2009



Slide 50/43



C-Cell and R-Cell detail



Xilinx – Virtex-4 CLB

#### • Logic resources in One CLB (Configurable Logic Block):

- → 4 Slices
- → 8 4-input LUTs
- → 8 Flip-Flops
- → 8 MULT\_ANDs
- → 2 Arithmetic and Carry Chains
- → 64 bits of Distributed RAM (SLICEM only)
- → 64 bits Shift Registers (SLICEM only)





23<sup>th</sup> April 2009

Slide 52/43







Microelectronics Section

Slide 53/43

## ECSS-Q-60-02



Microelectronics Section

Slide 54/43

### **RTAX-S**

#### • SEE frequency dependency [3]:



Figure 17: 4F4L Data Patterns at18.8 MHz and 150MHz

