Vendor Independent SEE Mitigation Solution For FPGAs Kamesh

Vendor Independent SEE Mitigation Solution For FPGAs Kamesh Ramani Pravin Bhandakkar Darren Zacher Melanie Berg (MEI – NASA Goddard)

Agenda n Vendor Independent solution Flow — Advantages — TMR Techniques — Handling of special cases — DRC and max fanout violation — Constraint handling — Formal Verification interface — User controls — MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs

Vendor Independent Flow Control inference of ROM/RAM, Shift Registers, DSPs RTL TMR related synthesis controls Constraints Switches EDIF Regular Synthesis TMR Regular options Switch off Netlist Optimizations TMR Options Select Technology MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs Based on Scheme perform TMR on design and check for DRC rules PNR

Synthesis From RTL to EDIF SEU related controls during synthesis TMR Post TMR Processing PNR Interaction Block RAM inference and resource control Recognize TMR related attributes In the RTL Inference of Safe FSMs Recognizing Combinational loops Control not to infer Distributed RAM DSP Inference, resource control No MAC inference No Counter inference Control on Flop absorption Formal Verification infrastructure Constraints handling infrastructure SRL inference can be controlled MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs TMR DRC Processing TMR Max Fanout Processing TMR Related PNR options

Vendor Independent Flow n n Regular flow from RTL to synthesized Netlist and then to PNR TMR can be applied on any chosen technology and device Various optimizations for Rad. Hard protection can be incorporated during synthesis itself Output can be formally verified against RTL — against non-TMR netlist — n Special mitigation solution during synthesis for — DSPs, Black Boxes, RAMs, SRLs MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs

Vendor Independent Flow Advantages n n n n n Formally verifiable against RTL and non TMR netlist Can be applied on any FPGA vendor chip Can be applied on newer technology FPGAs seamlessly Control throughout the synthesis flow to perform radiation related optimizations and choices Controls at module level is available Special handling for different technology cells Ability to plug in dedicated Rad. Hard modules for different inferred components Can fix DRC and maxfanout violations effectively after TMR Can seamlessly generate appropriate constraints, attributes, area and frequency reports for TMR netlist MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs

Voters n Voters We define voters to be circuits that take in the output from triplicated flops and resolve it based on either majority or minority — We choose to use majority voters — Equation: A×B + B×C + C×A — Voters utilize combinatorial cells specific to target technology — n n LUTs in SRAM-based devices MAJ 3 in antifuse-based devices MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs

Various TMR Strategies - LTMR n Local TMR (LTMR) [1] — Triplicate sequential elements only, and majority vote the outputs n Flip-flops, shift registers, block RAMs, and sequential DSPs The input data, control signals and clock will be shared by the triplicated flops — Reduces SEE occurrence to frequency dependent SET capture; clock trees, global routes and IOs are still susceptible — [1] M. Berg, “Design for Radiation Effects, ”Invited Talk Presented 2008 at Military and Aerospace Programmable Logic Design, MAPLD, Annapolis, MD, September. 2008 MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs

Various TMR Strategies - LTMR Comb Logic Voter LTMR MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs Voter

Various TMR Strategies - DTMR n Distributed TMR (DTMR) [1] — Apply TMR on sequential and combinational logic n n n Triplicate sequential and combinatorial logic; global routes and I/O are not triplicated Vote out the triplicated logic just after the sequential elements Triplicate the majority voting circuit as well to protect SET effects on the voting circuit Reduces SEE occurrence; clock trees, global routes and IOs are still susceptible — Preferrable scheme for SEU and SET protection of technologies with hardened clock trees — MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs

Various TMR Strategies - DTMR Comb Logic DTMR Voter Voter Voter MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs

Various TMR Strategies - GTMR n Global TMR (GTMR) [1] — Apply TMR on the entire design including global buffers n n — — — Triplicate the sequential elements, combinational logic, voters and the global buffers Voters converge the triplicated flop outputs at clock and control domain crossovers This gives very high level of radiation protection This scheme requires that the triplicated global lines have minimum skew between them Preferred scheme for commercial SRAM based FPGAs MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs

Various TMR Strategies - GTMR Comb Logic Voter Voter GTMR Voter MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs

Special Case Handling Overview n In vendor independent flow we can handle embedded resources effectively — — — Tech cells such as RAMs, DSPs, Shift registers etc Need to triplicate and vote datapath can limit usage Ability to control automated embedded resource inference n n — Synthesis tool decides embedded resource allocation earlier in the implementation flow n — To Selectively infer To infer with restricted features Enables more effective TMR application. Gives better control over synthesis for radiation hardening MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs

Embedded Resource Handling n Embedded RAM Triplicated and voters are inserted at each output — Treated as sequential elements and will be TMRed in all the schemes — The user can instantiate an error correcting (EDAC) RAM — n n Supply black box or netlist IP, or set an attribute on the instance Instance will be treated like a black box or IP and not triplicated MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs

Embedded Resource Handling n Embedded Shift Registers (e. g. SRL) — By default, embedded shift registers will not be inferred during synthesis n — User has option to enable shift register inference if desired If present in the design, embedded shift registers are triplicated and a voter is inserted at the output MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs

Embedded Resource Handling n DSP — DSPs can be classified for TMR broadly into n n — Sequential DSPs Combinational DSPs Sequential DSPs n Contain Flops in them — n n n Flops can be at the input, output or as pipeline registers Infer DSPs with only flops at the output by default These DSPs will be triplicated and voters inserted at every output Scan chain facilities in these DSPs will not be used as we cannot insert voters at their outputs MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs

Embedded Resource Handling n DSPs — Combinational DSPs n n — These contain only combinational logic Will be triplicated and voted out in DTMR and GTMR schemes only Multiply-Accumulate (MAC) n MACs will not be inferred — — They contain loops and can potentially get stuck after a fault Hence the loop will be outside the DSP so that voters can be inserted in the loop to correct SEUs MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs

Special Case Handling n I/O Boundary Flops at input and output may need special handling based on the TMR scheme — LTMR — n n n The inputs to the TMRed design will fanout to triplicated flop instances The output flops will also have a voter at its output similar to other flops in the design. If user wishes, by using regular synthesis attributes can absorb the flops into the pads — Flop not triplicated when absorbed into the pad MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs

Special Case Handling I/O Boundary Flops n DTMR and GTMR — — The inputs to the TMRed design will fanout to triplicated design The outputs from the TMRed design will converge at output flops Voters need to be applied at the output flops to converge the output If user wishes, by using regular synthesis attributes can absorb the flops into the pads n — Flop not triplicated when absorbed into the pad Can choose to triplicate pins on top level n n Each of the triplicated outputs can be voted Or user can choose to absorb flops, without voting, into pads using normal synthesis attributes MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs

Special Case Handling n Boxes By boxes we mean black, white, grey, clear etc — Need to be mitigated by the user, as there is either no or limited visibility inside them — All inputs to the box will converge at the box input boundary — n A voter will be inserted before each box input All outputs from box will fanout to triplicated instances — Tool will fix and report any max fanout violation at box outputs — MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs

Special Case Handling n Latches are treated similar to sequential elements — If a latch is present we will always triplicate it and insert voters at the output — n This is because latches contain loops which have the ability to retain faults MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs

Special Case Handling n Combinational Loops Combinational loops should be avoided in a design targeted for mitigation — However if combinational loop is present, we will insert a voter at the point of feed back — We will also warn the user about the combinational loop as well — MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs

Special Case Handling n Clock generation circuits such as PLLs, DCM etc are susceptible to SEEs and should be avoided — We warn the user about these circuits — We do not triplicate these, nor vote them out — MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs

Design Rule Check (DRC) violations n TMR on some cells can cause DRC violations — Inserting voters between cascade pins of embedded resources is generally not allowed n n n — The violations are handled by n n — not cascading the embedded resources or using the appropriate non-cascade input and output pins of those resources Global buffers such as those with pads cannot be triplicated n n — Block RAM cascading DSP cascading Scan chain feature of DSPs To triplicate them we split them into pad cell and buffer cell Buffer cells are then triplicated Flow advantage: preventive steps can be taken during synthesis MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs

Max fanout violations n Potential TMR violations occur at: Input nets that feed triplicated logic — Black box outputs — Flop inputs in LTMR — n Flow advantage: Since TMR is part of the synthesis flow such violations are detected and fixed MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs

Constraints Handling n n Constraints on original instance copied to triplicated instances Constraints on flop output is transferred to voter output(s) Appropriate constraints are written out at the end of synthesis for the TMRed design as a whole Flow advantages: Constraints are applied seamlessly throughout the TMRed design — No need of post processing constraints after synthesis — MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs

Formal Verification RTL vs. TMR Netlist n Novel approach regarding TMR insertion — n Formal Verification Interface (FVI) constraints for triplicated instances generated — n “Formal Verification of Advanced Synthesis Optimizations”, Anant Kumar Jain et al, MAPLD-09 This assists Formal. Pro in verifying the generated netlist against RTL Flow advantages: — — FVI constraints are automatically generated during synthesis Post-TMR netlist can be easily verified MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs

Formal Verification TMR Netlist vs. Non TMR Netlist n FVI matching rules are generated during synthesis — n Matching rules helps to identify instance in normal netlist with its triplicated counterparts in the TMRed netlist Flow advantages: FVI matching rules are automatically generated during synthesis — Post-TMR netlist can be easily verified — MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs

Module Level User Controls n n Ability to apply different TMR techniques on different modules Allows TMR application on an as-needed basis for a given module — n Using attributes can specify TMR scheme on a — — n n Voters converge the triplicated flop outputs on the module boundaries with lesser TMR protection given instance in RTL On all instances of a given module in RTL TMR scheme is inherited through the hierarchy Flow advantages: — — — Control at the RTL level Beneficial for design review Greater flexibility to the user MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs

Additional User Controls n Voter insertion Force Voter Insertion on net or net’s driver’s output if specified — Can be specified using an attribute — n Triplication control Specify a given instance not be triplicated — Can be specified using an attribute — MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs

Summary n n n n Flow implemented as part of Precision synthesis tool TMR output netlist formally verifiable against RTL and non TMR netlist TMR can be applied on any FPGA vendor chip TMR can be applied on newer technology FPGAs seamlessly Controls available throughout the synthesis flow to perform mitigation related optimizations and choices TMR netlist is free of any DRC and maxfanout violations Constraints, attributes, area and frequency reports for TMR netlist are automatically generated. MAPLD 2009 - Vendor Independent SEE mitigation solution for FPGAs