SpaceWire Physical Layer Fault Isolation

SpaceWire Physical Layer Fault Isolation
Barry M Cook (4Links Limited), Wahida Gasti (ESA), Sven Landstroem (ESA)
International SpaceWire Conference, 4-6 November 2008
SpaceWire Physical Layer Fault Isolation, Barry M Cook (4Links Limited), Wahida Gasti (ESA), Sven Landstroem (ESA) at ISC 2008
1
Content
– Context
– Failure sequence
– Failure conditions
– LVDS
– Failure prevention by over-voltage limiting, requiring reliable current limiting …
  • … at the receiver
  • … at the transmitter
– Conclusions
Context – Cross Strapped Redundant System
[Diagram: two functions (FUNCTION 1, FUNCTION 2), each with a nominal (NOM) and a redundant (RED) unit, each unit powered by its own DC/DC converter (DC/DC 1 NOM, DC/DC 1 RED, DC/DC 2 NOM, DC/DC 2 RED), with the nominal and redundant units of the two functions cross strapped.]
Failure Sequence
[Diagram: a twelve-step failure cascade drawn on the cross-strapped system (Tx and Rx, FPGA/ASIC, Zo = 100 Ω lines with 100 Ω terminations, +3.3 V rails Vcc 1/2 NOM and RED, GND 1/2 NOM and RED). Labels in the figure:
– DC/DC converter control fails (output > +10 V)
– Insulation failure – S/C from Vcc to Out (+): voltage source current injection onto the signal line
– Current injection raises Vcc above +4 V at the receiving unit
– Insulation failure – S/C from In (+) to Vcc
– Input voltage reaches > Vcc from DC/DC 2_NOM
– Insulation failure – S/C from Out (+) to Vcc (+)
– Voltage source current injection from DC/DC 1-RED and DC/DC 2-RED
– Input voltage reaches > Vcc from DC/DC 2_RED]
Failure Conditions
Devices can be quite intolerant of variation
– 3.3V (nominal) supply voltage (Vss) permits a supply voltage tolerance of ±10% – a voltage range of 3.0 to 3.6V
  • But sets an absolute limit of 4V
– Input voltages are, typically, limited to Vss + 0.3V
  • Consider a chip with Vss = 3.6V driving one with Vss = 3.0V …
– Input currents for above-Vss input voltages are limited
  • To, typically, 10mA
  • Which, in practice, makes the above situation safe – just
– LVDS avoids this problem by specifying lower signal voltages
LVDS – EIA/TIA 644 A
Specifies …
– Transmitter output voltages (regardless of Vss)
  • Differential: 350mV nominal
  • Common mode: 1.25V nominal above Transmitter ground
– End-to-end common mode difference
  • Up to ±1V
– Acceptable receiver input voltages
  • 0.05V to 2.45V (to allow for the common-mode difference)
Which is fine until the driver fails and places Vss (+Vcm) on the signal line or, worse, a power supply fails and places an even higher voltage on the signal lines
Failure Prevention
We can take one or more of several actions to avoid a single fault causing a failure cascade …
– Ensure the PSU never fails over-voltage
  • Challenging (especially with switched-mode supplies)
  • Even with over-voltage detection, transients are likely
– Prevent the over-voltage leaving the transmitter
  • Don’t forget common-mode differences (must clamp to LVDS levels, not to supply)
– Prevent the receiver being damaged
  • Limit the over-voltage at its terminals
– Prevent the receiver propagating the fault
  • Not only through power rails but also through signal lines
Over-voltage limiting
We require no significant line loading (capacitance / current) with correct signal levels, and firm clamping at safe levels with fault levels
BUT … limiting is not perfect and the clamping level depends, critically, on the available fault current
– At significant currents (hundreds of mA) the actual clamp voltage can be twice the turn-on voltage
  • Contrast this with the need to allow a correct level of 2.5V (LVDS input) or 3.6V (logic input) but clamp at ≤4.0V
Safe over-voltage limiting requires reliable current limiting
Reliable Current Limiting
Avoiding silicon (which tends to fail short-circuit, allowing large currents) we are forced to consider discrete resistors
– Thick-film SMD resistors and hole-mounted metal-film resistors are accepted by most agencies as short-circuit free
Adding series resistance on the signal lines will provide a reliable current limit
– Can this be done with EIA/TIA 644A (LVDS) signals?
  • Yes …
At the receiver
[Diagram: LVDS line with 100Ω termination, 1.25V common mode and 350mV differential swing, feeding the receiver through a series resistor R in each leg; receiver pin levels 1.075V / 1.425V and 1.425V / 1.075V for the two logic states.]
Limitations
• The resistors, R, with the receiver input capacitance form a low-pass filter which may degrade the signal
• 100Ω & 10pF has a time constant of 1ns which would need careful consideration at 200Mb/s (5ns bit period) but should be OK at ≤100Mb/s
• 100Ω is useful but we could wish for more …
At the transmitter
[Diagram: driver legs switching 0V / 2.5V and 2.5V / 0V, each through a 305Ω series resistor into a 100Ω line with 100Ω termination; 350mV differential, 1.25V common mode.]
Features
• Same output differential and common-mode voltage (LVDS)
• Series resistance driving a matched transmission line and load – there is no capacitive loading and no data-rate reduction
• 305Ω provides a useful current limit (50mA at 15V over-voltage at the driver output)
• Supply current is just 3.5mA – same low power as before
• Other, similar, circuits can be used for higher output source voltages – with greater protection.
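As an added worked example (my code, not from the slides or from 4Links), the arithmetic behind the 305Ω transmitter circuit and the receiver-side series-R low-pass limit, using the slides' own values; `series_resistance_for` generalises the symmetric circuit to other source voltages, which the slides only mention, and the 10pF receiver input capacitance is the slides' assumed figure.

```python
# Added worked example, not from the ISC 2008 slides: the arithmetic behind the
# series-resistor LVDS transmitter (305 ohm legs, 100 ohm line) and the receiver-side
# series-R low-pass limit. Values are the slides' own; the formulas are mine.

def lvds_series_driver(v_src, r_series, r_load=100.0):
    """Symmetric driver: one leg at v_src, the other at 0 V, each through r_series
    into a matched line terminated by r_load. Returns (v_diff, v_cm, i_loop)."""
    i_loop = v_src / (2 * r_series + r_load)      # one current loop: Rs + Rload + Rs
    v_diff = i_loop * r_load                       # swing across the termination
    v_cm = v_src / 2.0                             # termination midpoint, by symmetry
    return v_diff, v_cm, i_loop

def series_resistance_for(v_src, v_diff=0.35, r_load=100.0):
    """Series resistance per leg that gives v_diff across r_load from v_src.
    Caveat: in this symmetric form the common mode becomes v_src / 2, so the
    slides' 'similar circuits' for higher source voltages must also restore 1.25 V."""
    return (v_src * r_load / v_diff - r_load) / 2.0

def fault_current_limit(v_fault, r_series):
    """Worst case: a driver pin stuck at v_fault driving through one r_series into
    a node held near 0 V. The resistor alone bounds the injected current."""
    return v_fault / r_series

def receiver_rc_margin(r_series, c_in, bit_rate):
    """Time constant of series R with receiver input capacitance, and the number
    of time constants that fit in one bit period (bigger is safer)."""
    tau = r_series * c_in
    return tau, (1.0 / bit_rate) / tau

def receiver_levels(v_cm=1.25, v_diff=0.35):
    """Single-ended level on each receiver pin for the two logic states."""
    return (v_cm - v_diff / 2, v_cm + v_diff / 2)

if __name__ == "__main__":
    vd, vcm, i = lvds_series_driver(2.5, 305)
    print(f"305 ohm driver: {vd*1e3:.0f} mV diff, {vcm:.2f} V cm, {i*1e3:.2f} mA supply")
    print(f"fault limit at 15 V: {fault_current_limit(15, 305)*1e3:.1f} mA")
    for rate in (100e6, 200e6):
        tau, n = receiver_rc_margin(100, 10e-12, rate)
        print(f"{rate/1e6:.0f} Mb/s: tau {tau*1e9:.1f} ns, {n:.1f} time constants per bit")
    print("receiver pin levels:", receiver_levels())
    for v in (2.5, 3.3, 5.0):
        rs = series_resistance_for(v)
        print(f"{v} V source: Rs {rs:.0f} ohm, 15 V fault -> {fault_current_limit(15, rs)*1e3:.1f} mA")
```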
Conclusions
• We have identified a failure mechanism that can cause
a failure cascade causing damage to both the nominal
and redundant systems
• This can be alleviated by using fail-safe current
limiting devices – discrete resistors – in conjunction
with (discrete or in-built) voltage limiting devices
(Whilst fully complying with the definition of EIA/TIA 644A – LVDS)