The maiden voyage of NASA’s Orion spacecraft brought a raft of articles about how the flight computer inside is “no smarter than your phone,” running on wheezing IBM PowerPC 750FX processors. NASA’s deputy manager for Orion avionics, Matt Lemke, admits the configuration is already obsolete – at least in commercial terms.
In circles where radiation upset rules the day, the PowerPC 750FX is one of the most proven processors in existence. NASA has assembled a huge amount of software and experience around it, with Orion using triple-redundant flight computers each running two processors in lockstep. If the two processors in one computer disagree due to a radiation-induced glitch, it reboots in about 20 seconds. The probability of all three of these flight computers rebooting simultaneously is minuscule. Lemke’s assessment of the choice says a lot:
You could do it with something newer, but all the engineering that would go into making it work right would make it a lot more expensive for us to build it.
In other words, development costs around the rad-hard PowerPC 750FX from fabrication to software are baked into the equation. Why isn’t there a more modern rad-hard processor? (BAE Systems is working on productizing a more advanced multicore Freescale QorIQ design on a rad-hard IBM 45nm SOI process.) While the technology certainly exists, the economics make investment in a hardened CPU daunting. It is not difficult to run a model with the number of available rad-hard design wins and unit volumes and see why most CPU vendors ran away.
On the other hand, FPGAs present an interesting opportunity in high-reliability adventures. Many applications do not require completely rad-hard technology, with constant exposure to physically damaging levels of radiation. A hard-enough FPGA can fit a wider range of applications, forgoing the costs of a full rad-hard ASIC design, with the added benefit of system logic customization and integration.
Not all of these high-reliability applications are in space. Radiation susceptibility has crept into many terrestrial settings as process geometries have shrunk. Single-event transients (SETs) create single-event upsets (SEUs) that are now significant error terms in many safety-critical systems.
With some simple steps, an FPGA design can mitigate soft errors and provide a high degree of rad-tolerant safety without a massive rad-hard silicon investment. For instance, the triple modular redundancy (TMR) approach applies at the logic and IP block level.
Sharath Duraiswami of Synopsys recently conducted a webinar outlining how Synplify Premier can help. He lays out examples using the attribute “syn_radhardlevel” specifying a value of ‘TMR’ in protecting FPGA logic. For more comprehensive design protection, he outlines a strategy using distributed TMR for duplicating IP blocks as needed with the value ‘DTMR’.
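To make the TMR and distributed-TMR ideas from the two paragraphs above concrete, here is a small behavioural model of a triple-replicated FPGA register with a majority voter and single-event-upset injection. It is an added illustration written for this post, not code from Synopsys, Synplify Premier, or the webinar, and the register width, values and upset positions are constructed for the demo. The "voter between every stage" model of distributed TMR is my reading of the technique, not a description of what the ‘DTMR’ attribute value synthesizes.

```python
"""
Behavioural model of triple modular redundancy (TMR) on an FPGA register,
with single-event-upset (SEU) injection.  Added illustration, not code from
Synopsys or the webinar; WIDTH, register values and upset positions are
constructed for the demo.
"""

WIDTH = 8
MASK = (1 << WIDTH) - 1


def majority(a: int, b: int, c: int) -> int:
    """Bitwise 2-of-3 majority vote: the voter TMR synthesis places after replicated flops."""
    return (a & b) | (a & c) | (b & c)


class TmrRegister:
    """Three copies of one WIDTH-bit register, observable only through the voter."""

    def __init__(self, value: int = 0) -> None:
        self.copies = [value & MASK] * 3

    def inject_seu(self, copy: int, bit: int) -> None:
        """Flip one bit of one copy: a single-event upset in that flip-flop."""
        self.copies[copy] ^= 1 << bit

    def read(self) -> int:
        return majority(*self.copies)

    def mismatch(self) -> bool:
        """Mismatch flag a design can export for monitoring: some copy disagrees with the vote."""
        voted = self.read()
        return any(c != voted for c in self.copies)


def unprotected_after_seu(value: int, bit: int) -> int:
    """Reference case: a plain register simply hands the corrupted value downstream."""
    return (value & MASK) ^ (1 << bit)


def tmr_after_single_seu(value: int, copy: int, bit: int) -> tuple:
    """One upset in one copy: the voter still returns the correct value and the flag is raised."""
    reg = TmrRegister(value)
    reg.inject_seu(copy, bit)
    return reg.read(), reg.mismatch()


def tmr_after_two_seus_same_bit(value: int, bit: int) -> int:
    """TMR's limit: two copies upset in the same bit outvote the one healthy copy."""
    reg = TmrRegister(value)
    reg.inject_seu(0, bit)
    reg.inject_seu(1, bit)
    return reg.read()


def resync_through_voter(reg: TmrRegister) -> TmrRegister:
    """Distributed TMR model (assumption): the next stage loads the voted value, so copies agree again."""
    return TmrRegister(reg.read())


def forward_copies(reg: TmrRegister) -> TmrRegister:
    """No voter between stages: each copy feeds its own successor and carries its upset forward."""
    nxt = TmrRegister()
    nxt.copies = list(reg.copies)
    return nxt


def survives_two_spaced_upsets(value: int, bit: int, vote_between_stages: bool) -> bool:
    """Upset copy 0 in stage 1, then copy 1 (same bit) in stage 2.

    With a voter between the stages the first upset is scrubbed before the second
    arrives, so it is masked; without one, the two accumulate and outvote copy 2.
    """
    stage1 = TmrRegister(value)
    stage1.inject_seu(0, bit)
    stage2 = resync_through_voter(stage1) if vote_between_stages else forward_copies(stage1)
    stage2.inject_seu(1, bit)
    return stage2.read() == (value & MASK)


if __name__ == "__main__":
    print("unprotected:", hex(unprotected_after_seu(0xA5, 3)))
    print("TMR, one SEU:", tmr_after_single_seu(0xA5, 1, 3))
    print("TMR, two SEUs same bit:", hex(tmr_after_two_seus_same_bit(0xA5, 3)))
    print("spaced SEUs, voter between stages:", survives_two_spaced_upsets(0xA5, 3, True))
    print("spaced SEUs, no voter between stages:", survives_two_spaced_upsets(0xA5, 3, False))
```

Two points the model makes that the attribute names alone do not: a voter masks exactly one upset per replicated domain, so the mismatch flag is worth bringing out of the design rather than discarding, and placing voters between stages is what stops independent upsets from accumulating until they outvote the healthy copy.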
There are many more examples of mitigation techniques in this event. These range from safe encoding of state machines to insertion of ECC to methods dealing with I/O. Duraiswami has a summary table of the synthesis capability toward the end of the presentation.
Of course, an FPGA designer could tackle these techniques by hand, overtly designing in the needed redundancy by copying and connecting logic. The power of the Synplify Premier approach is it frees designers to concentrate on the basic logic, and then handles the synthesis of redundancy features automatically. Synplify Premier is also agnostic, handling various FPGA technologies and synthesizing accordingly.
The point? NASA is looking at millions of lines of rigorously certified code where failure is not an option. It is no surprise they evaluate risk and lifecycle cost in favor of staying on a proven, seemingly obsolete processor for their flagship manned space program. For many designers with more modest projects that may still be susceptible to occasional upset, an FPGA strategy with the right soft error mitigation techniques can provide the needed radiation tolerance.
If you’re involved with rad-hard or safety-critical RTL design, this webinar is worth a look just for the perspective in logic protection.