Single Event Effects Mitigation Techniques Report
Total Page:16
File Type:pdf, Size:1020Kb
DOT/FAA/TC-15/62 Single Event Effects Federal Aviation Administration William J. Hughes Technical Center Mitigation Techniques Aviation Research Division Atlantic City International Airport Report New Jersey 08405 February 2016 Final Report This document is available to the U.S. public through the National Technical Information Services (NTIS), Springfield, Virginia 22161. This document is also available from the Federal Aviation Administration William J. Hughes Technical Center at actlibrary.tc.faa.gov. U.S. Department of Transportation Federal Aviation Administration NOTICE This document is disseminated under the sponsorship of the U.S. Department of Transportation in the interest of information exchange. The U.S. Government assumes no liability for the contents or use thereof. The U.S. Government does not endorse products or manufacturers. Trade or manufacturers’ names appear herein solely because they are considered essential to the objective of this report. The findings and conclusions in this report are those of the author(s) and do not necessarily represent the views of the funding agency. This document does not constitute FAA policy. Consult the FAA sponsoring organization listed on the Technical Documentation page as to its use. This report is available at the Federal Aviation Administration William J. Hughes Technical Center’s Full-Text Technical Reports page: actlibrary.tc.faa.gov in Adobe Acrobat portable document format (PDF). Technical Report Documentation Page 1. Report No. 2. Government Accession No. 3. Recipient's Catalog No. DOT/FAA/TC-15/62 4. Title and Subtitle 5. Report Date SINGLE EVENT EFFECT MITIGATION TECHNIQUES REPORT February 2016 6. Performing Organization Code 7. Author(s) 8. Performing Organization Report No. L.H. Mutuel D12 9. Performing Organization Name and Address 10. Work Unit No. (TRAIS) Thales Avionics, Inc. 2811 South 102nd Street, Suite 100 11. Contract or Grant No. Seattle, WA 98168 DTFACT-13-D-0008 12. Sponsoring Agency Name and Address 13. Type of Report and Period Covered Federal Aviation Administration Final Report FAA National Headquarters 950 L'Enfant Plaza N SW Washington, DC 20024 14. Sponsoring Agency Code AIR-134 15. Supplementary Notes The Federal Aviation Administration Aviation William J. Hughes Technical Center Aviation Research Division COR was John Zvanya. 16. Abstract The research objectives were to articulate the criteria for selecting components for single event effect (SEE) analysis and collect considerations pertaining to SEE mitigation techniques. A proposed process to integrate the SEE analysis that incorporates this information is defined at both the system and equipment level. The following highlights the main take-away findings. The requirement to perform an SEE safety analysis as part of the system level safety assessment is dependent on the system criticality, contribution of the system to catastrophic and/or hazardous failure conditions. The analysis results in the determination of whether or not the SEE error rate is acceptable with regard to the safety objectives. The determination of the SEE error rate can be made at different levels of system integration (e.g., electronic component, integrated circuit, system, and equipment) and with different levels of accuracy. The system designer needs to ensure that the data supporting the determination of the SEE rate are commensurate with the criticality of the system to be assessed. The vast majority of the recommendations are therefore related to the acceptable level of scrutiny to be applied. Similarly, the selection and effectiveness of mitigation techniques are dependent on the type of SEE to be mitigated and the functions of the component to be protected. All mitigations carry penalties and no mitigation covers the full range of SEE. The system developer will use its knowledge of the circuit layout, critical elements, and functions to determine tradeoffs between protection coverage and the level of effectiveness of the mitigation and associated penalties, which are specific to each design. Because there is no one-fits-all strategy to address SEE, there are recommended avenues and minimum substantiation to be provided by the system designer as part of the demonstration of compliance with SEE safety assessment. 17. Key Words 18. Distribution Statement Single event effect, Semiconductor electronics, Mitigation, Safety This document is available to the U.S. public through the National assessment Technical Information Service (NTIS), Springfield, Virginia 22161. This document is also available from the Federal Aviation Administration William J. Hughes Technical Center at actlibrary.tc.faa.gov. 19. Security Classif. (of this report) 20. Security Classif. (of this page) 21. No. of Pages 22. Price 296 Unclassified Unclassified Form DOT F 1700.7 (8-72) Reproduction of completed page authorized TABLE OF CONTENTS Page EXECUTIVE SUMMARY xviii 1. INTRODUCTION 1 1.1 Purpose 1 1.2 Background 1 1.3 Methodology 2 1.4 The SEE Definition 3 2. SEE TYPES AND ANALYSES 4 2.1 Types of SEE 4 2.1.1 Descriptions of SEE 4 2.1.2 Criteria for Determining SEE Sensitivity 6 2.1.3 Synopsis of SEE types, Effects, and Impacted Electronic Components 7 2.2 Safety Analysis 8 2.2.1 Objectives and Scope of the SEE Analysis 8 2.2.2 SEE Analysis Method 8 2.3 System-Level Analysis 11 2.3.1 Overview 11 2.3.2 SEE Impact on System, Operational Functions, and Mission Profile 14 2.3.3 SEE System-Level Mitigation Mechanisms 14 2.3.4 System-Level Redesign 15 2.4 Equipment-Level Analysis 15 2.4.1 Overview 15 2.4.2 Determination of SEE-Sensitive Components 17 2.4.3 SEE Mitigation Mechanisms 21 2.4.4 Trade-Space and Limitations of Mitigation Techniques 28 2.4.5 Determination of Radiative Flux 31 2.4.6 SEE Error Rates 32 2.4.7 Compendium of Methods to Determine SEE Error Rates 35 2.4.8 Component-Level Redesign 38 3. DETAILED RESEARCH: IDENTIFICATION OF SEE-SENSITIVE AVIONICS SYSTEMS AND COMPONENTS 38 iii 3.1 Introduction 38 3.2 Methodology 38 3.2.1 Overall Process 39 3.2.2 Filtering Process 40 3.3 Application of Methodology to Generic Aircraft 41 3.3.1 List of Aircraft Systems 41 3.3.2 SEE-Related Inputs to Analysis 46 3.3.3 SEE-Sensitive Components 48 3.4 Conclusion on SEE-Sensitive Avionics Systems and Components 59 4. DETAILED RESEARCH: IDENTIFICATION OF CURRENT PRACTICES AND METHODOLOGY FOR SEE MITIGATION TECHNIQUES 63 4.1 Introduction 63 4.2 SEE for Electronic Systems 63 4.2.1 Types of SEE 63 4.2.2 Affected Electronic Components 67 4.2.3 Application of Mitigation Technique(s) 72 4.3 Mitigation Techniques 72 4.3.1 Radiation Hardening 73 4.3.2 Redundancy Mitigations for SEU and SET 75 4.3.3 Protection of Memory Blocks 78 4.3.4 SEU Protection in SRAM and Reprogrammable FPGA (RFPGA) 85 4.3.5 Fault-Tolerant ASIC Design 86 4.3.6 Protection Against SEFI 87 4.3.7 Example of SEE Sensitivity at Equipment Level 88 4.3.8 SEB and SEGR Protection of Power Electronics 88 4.4 Conclusion on SEE Current Practices and Methodology 90 5. DETAILED RESEARCH: EXPLORATION OF SEE MITIGATION TECHNIQUES, NOT-BUILT-IN AVIONICS SYSTEMS OR COMPONENTS 91 5.1 Introduction 91 5.2 SEE Assessment Process 91 5.3 Inputs to the Component Evaluation 93 5.3.1 Determination of SEE Rates at Device-Level 93 5.3.2 Impacting Factors 96 5.3.3 Orders of Magnitude 97 iv 5.4 Building SEE Rates 98 5.4.1 Estimation of “Critical” Bits 98 5.4.2 Effectiveness of Mitigation 100 5.5 Proposed Methods for Determining SEE Rates 102 5.5.1 In-the-Loop Testing 102 5.5.2 LRU Irradiation 102 5.5.3 Using Components Datasheet or Test Compendiums 103 5.5.4 Using Generic SEE Data 103 5.5.5 Stimulating Component With Focused Laser Beam 103 5.5.6 Using In-Service Data 103 5.5.7 Fault Injection Methods 104 5.5.8 Analytical Approaches 104 5.5.9 Considerations About Testing 105 5.6 Case Examples 107 5.6.1 General Considerations for an FCC 107 5.6.2 Example of Macro-Sizing a Device and Reliability Analysis 107 5.6.3 FPGA Device Testing 109 5.6.4 Closed-Loop Testing of Recoverable FCC 113 5.7 Conclusion on SEE Mitigation Techniques for Not-Built-In Systems or Components 116 6. DETAILED RESEARCH: EXPLORATION OF BUILT-IN SEE MITIGATION TECHNIQUES 117 6.1 Introduction 117 6.2 Built-In Mitigation Technique 118 6.2.1 Context 118 6.2.2 General Assumptions 119 6.2.3 Assessment of Mitigation Effectiveness of 65 nm Technology FPGA 119 6.2.4 Assessment of Mitigation Effectiveness on 90 nm Technology ASIC 124 6.2.5 Issues 129 6.3 Testing Considerations 131 6.3.1 Modeling and Experimental Methods to Assess EDAC Mitigation 131 6.3.2 Types of Tests 132 6.3.3 Definition of Errors and Failures 133 6.3.4 Limitations of Experimental Methods 133 6.4 Example Fault Handling Methodology 134 v 6.4.1 System Failure Prevention 135 6.4.2 Module Error Correction 135 6.4.3 Analytical Expressions, Decision Tree, and Fault Propagation 136 6.5 Conclusion on SEE Mitigation Techniques for Built-In Systems or Components 138 7. DETAILED RESEARCH: SEE SSA FOR CDS 140 7.1 Introduction 140 7.1.1 Definitions 140 7.1.2 Purpose 140 7.2 System Architecture 141 7.2.1 The CDS Description 141 7.2.2 Boundaries With Other Aircraft Systems 143 7.2.3 CDS Internal Electrical Interfaces 144 7.2.4 System Mission Profile 145 7.2.5 System FCs From FHA 146 7.3 Safety Mechanisms 147 7.3.1 The SBs Against FCs 147 7.3.2 Safety Design Features at System Level 149 7.3.3 Safety Design Features at Equipment Level 156 7.3.4 Crew Alerting and Flight Warning 163 7.4 Methods of compliance 164 7.4.1 Single Failures Analysis 165 7.4.2 Significant Multiple FCs Analysis 165 7.4.3 SEE Analysis 173 7.5 Safety Analyses 183 7.5.1 Significant Single Failures Analysis 183 7.5.2 Significant Multiple FCs Analysis 183 7.5.3 SEE Analysis 205 7.5.4 Outcomes of Safety Assessment 213 7.6 Conclusion on SEE SSA for CDS 214 8.