Mini AerCam Project Presented By Jeff Cotner Independent Consultant to NASA JSC through LMSO/Seat Aer Cam Project 11/6/2015

Download Report

Transcript Mini AerCam Project Presented By Jeff Cotner Independent Consultant to NASA JSC through LMSO/Seat Aer Cam Project 11/6/2015

Mini AerCam Project
Presented By Jeff Cotner
Independent Consultant to
NASA JSC through LMSO/Seat
Aer Cam Project
1
11/6/2015
My background
• 15 years of VHDL
•
•
•
•
( The tools have certainly improved)
7 years of FPGA
(The tools have certainly improved)
17 years of consulting
(The rates have certainly not improved)
VHDL instructor
Communications, Avionics, Power Systems
Aer Cam Project
2
11/6/2015
Introduction
• MiniAerCam – What is it?
• Very simply an inspection vehicle

•
•
Contains Video Imagers, Avionics,
Propulsion, GPS, Gyros, Illumination,
C&T System, Power System
Intended for use on Shuttle and Station
JSC Robotics in charge of development
Aer Cam Project
3
11/6/2015
Mini-AERCam APB Architecture
PowerPC 750FX
500MHz
32bit / 100MHz
256 MB
Flash
TBD MB
TBD MBps/TBD MBps (R/W)
115.2 kbps?
Gyros
UART
57.6 kbps
Console
I2C
200 kbps
Instrumentation
UART
100 kbps
IrDA
Ethernet
Chip
Main FPGA (Virtex II 3000)
MPEG2 for
Video,
uncompressed
for LDRI
GPS
UART
Loading/Heart Beat
Illuminator
Aer Cam Project
Memory
Controller
Thruster (x12)
Iso (x2)
& EM I/F
Thrusters
Iso Valves
Electro Mag
Reset
Controller
PPS
Video 2
Color
I2C or SPI
LDRI
?
Video 1
Mono
? Mbps
32bit/100MHz
19.2 kbps
? Mbps
SDRAM
UART
SDRAM
/EDAC
Controller
? Mbps
Comm
? Mbps
4
11/6/2015
Radiation Mitigation
Requirements
-SEU will not cause destructive latch-up
-SEU or effect will be detected
-SEU can cause undesired consequences
(This is not so much a requirement as a fact)
-Single point failure can cause reboot
-Reboot times allow for fast recovery from
SEU induced failures or double bit hits
NOTE: AerCam is not redundant, loose a part, can’t
fly. Too many SEUs reboot.

Aer Cam Project
5
11/6/2015
Radiation Mitigation

Rad Tolerant “Hard Core”
– Actel based Reset Controller


–
–
–
–

Incorporates watchdog timer in VHDL
Latch-up immune, extremely low SEU rate, TMR in
hardware
Battery
DC-DC power converter
Oscillator
Remaining elements on APB can be power cycled to
clear errors
Rad Hardened main FPGA
– Partial reconfiguration to detect and correct
configuration errors due to SEUs
Aer Cam Project
6
11/6/2015
Radiation Mitigation
Definitions Main FPGA
-Interfaces Program FLASH, SDRAM, I/O to
Processor
-Provides sanity signals to Hard Core
-EDAC SDRAM
-CRC Program Flash
Aer Cam Project
7
11/6/2015
Radiation Mitigation

Definitions Reset Controller (Hard Core)
– -Configures Main FPGA and also Partial
Reconfiguration (No scrubbing just
rewrite configuration memory)
-Controls Power to Vehicle Systems
-Determines Sanity of Processor and Main
FPGA (Cycle Power or Reset if Sanity
lost)
Aer Cam Project
8
11/6/2015
Radiation Mitigation



Multiple copies of configuration data in Flash (In Same Device)
Multiple copies of Application code in Flash (In Same Device)
PowerPC 750FX processor
– SOI process, no latch-ups
– L1 cache parity protected, L2 cache ECC protected

Thrusters
–
–
–
–


Separate arm and fire registers
Hardware controlled duration
Individual thruster watchdogs
Iso valve can shutdown all thrusters
Main memory ECC protected
Individual subsystems can be power cycled to clear errors
Aer Cam Project
9
11/6/2015
APB
Color
Imager
LDOs
Thruster,
Iso Valve,
EM
Power
Supply
Aer Cam Project
LDRI
LDO
LDO
Comm
LEDs
DC-DC
DC-DC
GPS
I2C Bus
?
LDO
Mono
Imager
LDO
IrDA
LDO
Thruster
Drivers
Raw Battery
+6V (TBR) Converted Power
+3V (TBR) Converted Power
On/Off Control
?
Gyros
LDO
Mini-AERCam Power Distribution Architecture
Battery
(12V-16V)
24V DC-DC
10
11/6/2015
Why we think this is acceptable
• AerCam travels at very slow velocities




•
A stuck thruster will just spin the vehicle
-Multiple stuck thrusters are a problem
Thrusters have multiple guards against sticking
Can reboot fairly quickly to regain control
If communications are lost, Shuttle can
pull away from AerCam
These justifications are from Robotics at JSC
If you happen to be an astronaut and have an issue, please take this
up with Robotics. I’m just a lowly Logic Designer.
Aer Cam Project
11
11/6/2015
SDRAM Controller

Requirements
-Standard SDRAM controller
-EDAC
-Multi device access (Virtex PPC 405)
-Autonomous Rewrite cycle for EDAC
-As robust as possible given no TMR &
possible reactions to SEU
-Design reuse a possible by product
-125 MHz clock speed
Aer Cam Project
12
11/6/2015
Icing on the Cake

Extra things we did on this controller
-Programmable scrub range
Why scrub memory you aren’t using
-Scrub cycle complete signal
Nice to know how long a scrub pass takes
-Track SDRAM hits by sector
Conceivably could tell when a portion
of a SDRAM has failed.
Aer Cam Project
13
11/6/2015
Design Approach
VHDL structured design
 As bullet proof a state machine as possible
 Verification through

-Functional Simulation
-Post Synthesis Simulation
-Post Lay Out Simulation
-Use of complex VHDL stimulus models
Aer Cam Project
14
11/6/2015
Design Organization
Aer Cam Project
15
11/6/2015
The Bullet Proof State Machine
Ours isn’t perfect either, but not too bad
 Our wish list

-Want a pretty safe state machine
-SEU disruptions to a minimum
-Easy checking for illegal states
-Fast clock speed
Aer Cam Project
16
11/6/2015
How we think we got there
Barrel Shifter provides the safety
-Initial state and a linear progression
through possible states returning to Idle
 Barrel Shifter provides an easy method to
check for illegal states

More than one bit set and you’ve got problems

Overlay desired SDRAM cycle over linear
progression of states
(Burst R/W, Precharge, Mode Write, Refresh)
Aer Cam Project
17
11/6/2015
More About The State Machine
Barrel Shifter
‘0’
‘0’
‘0’
‘1’
‘0’
Single One Detector
State
Error Error
State Machine
S0
S1
State Machine Outputs
S2
S3
S4
Decoded
States
(Registered)
State Machine Inputs
This example denotes S3 since a one is in the S3 position
Aer Cam Project
18
11/6/2015
More About The State Machine

More detail about the previous slide
– Initial State is S0 “0001” (Also Idle)
– State Error exists when more than one bit is set
– Inputs to state decoder determine what sequence of
outputs are generated
i.e. for this SDRAM controller there are a maximum of 15 states.
If you look at the SDRAM data sheet you can overlay each type
of operation (Read,Write,Mode,Refresh) over these 15 states.
The nice thing about SDRAM cycles, they are started and run to
completion with interruption, that’s why this State Machine
works
Aer Cam Project
19
11/6/2015
Maybe Some Code will help
A clocked process to do the barrel shifter
State_gen : Process (Return_Idle,clk)
begin
if (Return_Idle=‘1’) then state <= “0001”;
elsif (clk’event and clk=‘1’) then
if ((gen-c1=‘1’ or gen-c2=‘1’) and state=“0001”) then
state <= “0010”
else
state <= state (1 to 3) & ‘0’;
end if;
end if;
end process State_gen;
Assume state : std_logic_vector (0 to 3); four states
Aer Cam Project
20
11/6/2015
More code please

State Decoder stuff
State_decode : process (Reset_L,clk)
Begin
If (Reset_L=‘0’) then
All_Outputs <= ‘0’; Return_Idle<=‘1’; Done<=‘0’;
elsif (clk’event and clk=‘1’) then
case state is
when “0001” =>
if (gen-c1=‘1’) then
modify outputs for gen-c1 event in S0;
Aer Cam Project
21
11/6/2015
Return_Idle <= ‘0’;
elsif (gen-c2=‘1’) then
modify outputs for gen-c2 event in S0;
Return_Idle <= ‘0’;
end if;
Done <= ‘0’;
when “0010” =>
if (gen-c1=‘1’) then
modify outputs for gen-c1 event in S1;
Return_Idle <= ‘0’; Done <= ‘0’;
elsif (gen-c2=‘1’) then
modify outputs for gen-c2 event in S1;
Return_Idle <= ‘1’; (Return to Idle truncated cycle)
Done <= ‘1’;
end if;
(This should illustrate the concept)
Aer Cam Project
22
11/6/2015
Some additional information
-In the code above All Outputs registers are
reloaded during every state.
-gen-c2 doesn’t need all provided states so it
terminates early using Return_Idle signal
(i.e. SDRAM modewrite & precharge
don’t need as many clocks as Read/Writes)
-SDRAM Ras,Cas,WE can be overlaid on
the linear progression of states based on
the needed cycle (Read,Write,Refresh,etc)
Aer Cam Project
23
11/6/2015
More additional Information
-In states other than idle, Return_Idle must be set to
zero in at least one state, otherwise the state
register will eventually become all zeros. If you
detect all zeros in the state register you can
protect against this error also.
-Nested if statements gives priority but beware, too
much nesting causes excessive timing delays.
-Requests to state machine are held high until Done
signal is asserted indicating requested cycle is
complete.
Aer Cam Project
24
11/6/2015
Isn’t that what one hot is?

Not quite the same
-One hot can jump from any state to any
other state. Barrel shifter always forces
linear state transitions.
-Barrel shifter has basically two options
Hold in initial state or progress through
states. State decoder can truncate the
cycle of states and return to Idle.
Aer Cam Project
25
11/6/2015
Additional State Machine Safety

Refresh all outputs every state
-Extra logic but minimizes undesired output due to SEU
(Some designers only code an output change in states during which
a given output should change. You generate extra logic when
you code logic for every given output in every state)
-Keeps SEU induced output transitions to one clock
This is true as long as the SEU occurs in an output
register. When the inputs get clobbered all bets
are off.
Aer Cam Project
26
11/6/2015
Where is the design currently

Very much a work in progress
-Functional simulation done
-Design synthesized
-Needs Post Synthesis and Post Layout
verification and timing checks
-Other FPGA peripheral cells need to be integrated into
design and simulated

What’s the holdup
-Funding issues and time
Aer Cam Project
27
11/6/2015
Performance and Size

•
Design much smaller than anticipated
-Place and Route tools indicate entire
SDRAM controller occupies approx.
1% of a Virtex II 3000
How fast will it run
-Estimates are SDRAM controller will
operate at clock speeds up to 115MHz
Final requirement was 100MHz
Aer Cam Project
28
11/6/2015
Design Tweaks

We’ve got some time before flight
-Since design turned out so small might
consider some TMR
-Perform more exhaustive verification
exercise
-Investigate periodic SDRAM mode
register refresh
-Test PPC 405 path to SDRAM
Aer Cam Project
29
11/6/2015
If I Only Could Of…….
• Some things that might be done differently
-Had better requirements from the onset
-Understood SDRAM SEU failures better
-Added some additional protection when
processor crashes i.e. Maybe some cumulative
vector logic so we could null motion in Reset
Controller (Hard Logic) when sanity is lost.
-Hard Proximity Detector & RF Beacon
AerCam starts screaming if it gets too close to vehicle.
Aer Cam Project
30
11/6/2015
VHDL Pointers for Safe Logic

Avoid too much clever stuff
–
Stick to cloud of logic with output register
• Plug all the holes
-This can really help out in verification
-The beauty of the barrel shifter
-This can be very hard with conventional state
machines. What does “When others” really
mean at the end of the case statement?
Aer Cam Project
31
11/6/2015
VHDL Pointers for Safe Logic
• When you want to be sure Instantiate
(if you can) this issues dogs me with XST
(ADD8 is a good example. XST won’t take
an instantiation you must infer, Synplify will)
-Use this all the time with DLLs and Buffers
IOBs, etc. in Virtex
-Keep in mind if you instantiate everything you
might be better off doing things with a schematic
Aer Cam Project
32
11/6/2015
VHDL Pointers for Safe Logic

Be wary of synthesis tools
-Optimization can be a real pain
Warning messages often tell as much as
looking at Logic generated by tools.
Warnings often tell you something isn’t coded right.
-Take care that registers didn’t get
inferred as latches.
-Use acceptable coding practices
Standard inference rules produce uniform results.
Good coding practices reduce the need to sift
through synthesizer logic outputs.
Aer Cam Project
33
11/6/2015
VHDL Pointers for Safe Logic
• Get to know your synthesis tool
•
•
•
User groups can be a great thing too!
Tool vendors go to great lengths to ensure
they meet standards
Lots of examples exist to help produce
uniform synthesis results
You might not believe it, but someone else
has already had most of your problems and
it’s probably in a database you can get to.
Aer Cam Project
34
11/6/2015
VHDL Pointers for Safe Logic
• Be wary of the great sales pitch
-Still have concerns about C code to logic
conversion tools. The demos look great but they
seem to be optimized to the tools. For some real
world applications I have seen them generate extra
clocking stages (design won’t make timing
objectives) or synthesis tools optimize out some
desired logic.
-Haven’t looked at these recently so it could be better.
Aer Cam Project
35
11/6/2015
VHDL Pointers for Safe Logic
• The boss wants one of the software guys to
do VHDL for a FPGA
-My little tale from VHDL class
-I have seen many programmer types generate
great looking code, made functional simulation
work but wouldn’t synthesize and/or make
timing.
-Best results generated when a designer
understands logic design as well as HDL
Aer Cam Project
36
11/6/2015
General Logic Issues

Understand what your part is connected to
-Not a good idea to generate invalid data to
some connected component.
-Your part may continue to work but everything
may come to a grinding halt and/or smoke!
-Man invented data sheets for a reason
Aer Cam Project
37
11/6/2015
General Logic Issues

Hiccups will happen
-SEUs can wreak havoc on a design.
-TMR if you can
-Otherwise view unprotected logic blocks
in system context.
-Detect problems somewhere and recover
(sometimes processors and/or
software can do the job)
Aer Cam Project
38
11/6/2015
General Logic Issues

Hiccups continued
-If you must glitch try to isolate or minimize the
effect on the next block.
i.e. the notion of a latch refresh every clock
This is true even with TMR. The longer a
latch sits uncorrected, the greater the chance a
redundant latch can get hit and TMR breaks.
Aer Cam Project
39
11/6/2015
The Holy Grail of Logic Design

Verification
-Perhaps the most daunting task facing logic
designers today.
-My best advice is to break down design into
smaller blocks that you can verify
independently.
-Try to constrain the outputs of a block even
when SEU strikes. If you can characterize the
output of a block, even in error or SEU
conditions it allows a more sane verification of
the design as a whole
Aer Cam Project
40
11/6/2015
Verification Continued
• The old days of running every possible test
vector into a complex design are over.
 The new verification tools are probably
very rich (both in features and cost)
 I plan to check out Verification tools the
next few days.
Aer Cam Project
41
11/6/2015
HDLs And Critical Systems
Verification is most significant issue
(From my Perspective)
– How do you verify the design to confidence
– If you can’t verify to 100% how do you
mitigate potential problems
– Not talking SEUs but logic problems.
– SEUs need their own examination
Aer Cam Project
42
11/6/2015
HDLs And Critical Systems
• Synthesis tools can be very predictable
-Use accepted inference rules
-Combinatorial Logic Inside Clocked Process
-Think about verification as a design requirement
-Understand that logic can fail. If it is critical in nature,
how is the failure dealt with.
-These issues (logic and SEU) were around before
Apollo but modern silicon densities and design
complexities compound problems.
Aer Cam Project
43
11/6/2015