Please e-mail comments and suggestions for these guidelines and criteria.
- X. Miscellaneous Design Guidelines and Criteria
Noise Immunity and Quiet Designs: Take steps to ensure adequate and robust noise immunity.
- Key steps are listed with respect to simultaneous switching outputs and signal terminations.
- Choose differential signals, particularly for connections between cards. Newer logic devices directly support differential standards. Additionally, high-speed, lower-power differential devices supporting standards such as LVDS are now qualified.
- SERDES components/cores can cut down the number of lines, reducing noise, and hence, increase the noise immunity of the system.
- Use hysteresis inputs when available to reject noise.
- Avoid having flip-flops or logic devices with internal memory driving cables or massive capacitive loads.
- Inputs that are "TTL compatible" often have specifications and real thresholds that are not TTL compatible, particularly for VIH.
- Outputs, particularly from some CMOS families, may not be able to drive TTL loads to a valid logic '1' with sufficient noise immunity. Calculate worst-case currents and voltage output vs. worst case input thresholds.
- DC margins for TTL interfaces should be no less than 400 mV, with at least 500 mV recommended.
- For TTL outputs driving CMOS logic thresholds, a pull-up resistor can give adequate DC noise margin, after allowing sufficient time for the voltage to rise. However, when used as a clock input, multiple triggers are reasonably likely to occur as the waveform will have a "hump" in it. This should be avoided and is a poor interface.
Defensive Design and Designing for Off-Nominal Events: Consider credible but unplanned events. Often many of these situations can be economically handled with a bit of thought. Here are a few sample issues to consider.
- Perform limit and validity checking. The system should respond in a reasonable fashion to unreasonable inputs. For data passed from one source to another, simple bounds checks can detect and cause appropriate action for many off-nominal conditions, such as a disconnected source, perhaps resulting in all F's being returned on a data bus. For floating point numbers, is the input in a valid format? A minimum criterion is that any credible input should not damage hardware and prevent recovery. Assume that the probability of software failure is 100%.
- Provide fail-safe interfaces. Analyze the performance and safety of the circuits if a wire breaks in a connector, for each wire. For power, use multiple wires such that if any one wire breaks the remaining set can carry the load (and be sure to test this redundancy). For signals, consider on-board terminations that will pull floating signals into a safe and operational state. This can also provide protection if the board or subsystem is powered with a connector not hooked up, perhaps by test error. Avoid putting signals such as power and ground on adjacent pins, as a short can take out the system (remember SEASAT).
- Lockup states: Ensure that all devices you design do not have lockup states in the finite state machines. Choose commercial or commercial devices wisely and operate them defensively. For example, SDRAMs have lockup states that may require power cycling to clear and may cause damage. Noise, single event upsets, or even invalid commands can cause this condition. Refresh command words often. Many microprocessors, non-volatile memories such as EEPROMs, etc., can have various lockup states. Some devices may be cleared by a reset; others often require the cycling of power to clear.
- Power Glitches: Power glitches may occur for a number of reasons: electrical discharges, switching loads on or off, faults in loads, firing pyrotechnic initiators, lightning strikes, relay switching, etc. These transients may result in the maloperation of circuits and, effectively, multiple bit upsets in finite state machines and lockup of commercially derived components. Careful attention needs to be paid to circuits that have permanent state, such as non-volatile memories. Can a write cycle be interrupted, resulting in a system being put into an inconsistent state, such as during a memory upload? Can false writes be generated, corrupting the system state? Can one-time events be falsely initiated? Are driving circuits for latching relays holding system state information adequately protected from false triggers? Will a glitch on one supply result in a power sequencing violation for a component with multiple supplies or a set of components operating off of different supplies?
- Shorting Test Points: Since test points will be accessed by humans, assume that they can be abused. That is, a short to ground from the ground ring on an oscilloscope probe is an example of a credible and expected fault. Use isolation resistors to ensure that a failure in the test interface does not damage flight hardware.
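The limit and validity checks described in the first item above can be written as a small input filter. This is an added example, not code from the original guidelines; the channel limits, the names check_raw and check_float, and the status codes are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

typedef enum { IN_OK, IN_DISCONNECTED, IN_OUT_OF_RANGE, IN_BAD_FORMAT } in_status;

/* Constructed limits for a hypothetical 16-bit sensor channel. */
#define RAW_ALL_ONES 0xFFFFu  /* what an undriven, pulled-up bus returns */
#define RAW_MIN      0x0100u
#define RAW_MAX      0xF000u

/* Bounds-check a raw word. *value is only updated on IN_OK, so the
 * caller keeps its last good sample when the input is rejected. */
in_status check_raw(uint16_t raw, uint16_t *value)
{
    if (raw == RAW_ALL_ONES) return IN_DISCONNECTED;
    if (raw < RAW_MIN || raw > RAW_MAX) return IN_OUT_OF_RANGE;
    *value = raw;
    return IN_OK;
}

/* Validate a 32-bit word that should hold an IEEE-754 single, then
 * range-check it. The format is checked on the bits before the word is
 * ever used as a float. An all-F's word decodes as NaN and is rejected. */
in_status check_float(uint32_t bits, float lo, float hi, float *value)
{
    uint32_t exponent = (bits >> 23) & 0xFFu;
    uint32_t mantissa = bits & 0x007FFFFFu;
    float f;

    if (exponent == 0xFFu) return IN_BAD_FORMAT;                /* NaN or infinity */
    if (exponent == 0u && mantissa != 0u) return IN_BAD_FORMAT; /* subnormal */
    memcpy(&f, &bits, sizeof f);  /* assumes float is 32-bit IEEE-754 */
    if (f < lo || f > hi) return IN_OUT_OF_RANGE;
    *value = f;
    return IN_OK;
}
```

Distinct status codes let the caller take a different action for a disconnected source than for a value that is merely out of range.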
Various Tips, Considerations, and Criteria
- ESD Ratings: Many of the modern high speed components have low ESD thresholds. Some components designed and qualified for spacecraft interfaces have been seen to have 300V limits. Often these values are not listed on the data sheets and qualification test reports must be obtained.
- Spares, Pins, Gates: Leave spare space and pads on the printed circuit boards. Pre-wire footprints for power, ground, and bypass capacitors to fit SSI/MSI components that may be needed to fix an "oops" or to meet a changing requirement. For programmable devices, ensure that adequate gates, flip-flops, and pins are available. While this sounds obvious, designs with no spares have been presented as early as PDRs, leaving zero room for change. For programmable devices with spare pins, program in a variety of simple functions such as inverters, AND gates, flip-flops, etc., with the input pins terminated through resistors. For small fixes this will provide available logic on the board and potentially eliminate a re-spin of an ASIC or FPGA and a rework cycle on the board.
- Holes In the Board: Place holes strategically around the printed circuit board. For late fixes on double sided boards, this can simplify the modifications.
- Test Points: While it is common and useful to place test points on boards, also strategically place points to hook up the oscilloscope ground lead. With the move to surface mount capacitors, good termination points are often hard to find, resulting in long ground leads, poor connections, and inaccurate waveforms for fast moving signals.
- Grounding of Lids: Verify that lids are grounded for operation in a charged environment. Indeed, a charged environment can include test where moving air is heated and cooled and then blown into an environmental chamber. Some devices' lids are not grounded, even on parts sold into the space market. In some instances, lids that are grounded have been made floating by the manufacturer prior to shipment. A drain wire should be used to ensure that no buildup of charge is possible, preventing ESD damage.
Note the drain wire attached to the lid of the FPGA (lower left hand corner) of the MOLA-2 PC-2 Electronics which is orbiting Mars on Mars Global Surveyor. Conductive epoxy was used.
The gold trace coming from only one corner of the lid identifies Pin 1 on this Virtex FPGA. The manufacturer cut through the trace prior to the delivery leaving the lid floating, based on some customers' inputs. We requested the opposite to ensure that there will be no buildup of charges and thus prevent ESD events. Here is the cut, in a magnified view.
OLD News #11 Interface Components and ESD, May 28, 2003. ESD and proper device handling practices are nothing new and normally would not warrant an OLD News posting. Indeed, ESD practice and component tolerance have improved so much over the years that ESD damage hasn't been a major source of problems for quite a while, for regular digital integrated circuits and interface components. However, there have been some recent surprises. ...
- The specifications for inputs must be carefully read as not all device or MCM inputs are truly TTL compatible.
- "Case Study: Simultaneous Switching Outputs," presented at "Design Seminar on Actel SX-A and RTSX-S Programmed Antifuses," Tuesday, April 13, 2004, NASA Goddard Space Flight Center. Presents 4 cases of "staggering" I/O switching, trading off lower di/dt for increased data transfer time and analyzes software performance and the effect of module placement.
TOP LEVEL: "Design Guidelines and Criteria for Space Flight Digital Electronics"
NASA Office of Logic Design
Last Revised: February 03, 2010
Digital Engineering Institute
Web Grunt: Richard Katz