Please e-mail comments and suggestions for these guidelines and criteria.
As space vehicle missions have become more complex, the use of onboard digital computers and logic has become more prevalent. The functions which the avionics are assigned to perform are also expanding in number and magnitude. As a result, the problem of specifying and designing digital avionics for space vehicles has increased in complexity.
The flight performance of spaceborne digital avionics has generally, but not always, been successful. However, a number of recurring problems have been experienced during the design, development, and testing of these machines. Previous systems have been very costly, have required major redesigns, have caused significant schedule delays, or have launched with a needlessly high level of risk. Most difficulties have resulted from:
- Poor design/analysis practices
- Incomplete knowledge of the newer technologies and tools, coupled with their impact on the design and analysis
- Inadequate reviews
This monograph discusses design guidelines and criteria which form a basis for the specification, design, and evaluation of digital avionics for spaceborne applications. The goal of this work is to help ensure that the design of the hardware is flight worthy. The responsibility for a reliable design and hardware rests solely with the design and analysis team. The material presented here concentrates on items that are often seen to be problems in space flight digital hardware, giving the most benefit for the time and effort expended. This list will not state how to design a particular circuit, perform an analysis, or prepare the results, but will cover the items that need to be considered for a successful and robust design.
It is tempting to provide a checklist for designs. However, the unique nature of many spaceflight applications, as well as their unique requirements, makes an exhaustive checklist impractical; there are simply too many possible cases and the technology changes too rapidly. The approach taken in this monograph is to discuss the principles, the guidelines, and the criteria to be used for design and analysis of spaceflight digital avionics. This gives the design engineers the freedom to pursue solutions to fit their unique problems. An exhaustive checklist that serves as a mechanical pass/fail test would needlessly restrict and constrain the design engineer from valid and reliable solutions. That approach is not taken in this document.
This monograph is designed to be used in three ways. First, the list at this top level is useful for discussion at formal reviews such as the PDR, CDR, Pre-Ship Review (PSR), etc. Each item on this list is hyperlinked to sections (level 2) discussing each topic in some detail; those sections are suitable for detailed peer reviews. The http://klabs.org web site, which comprises level 3, provides case studies, application notes, papers, and other material and references to support in-depth analysis of specific items. Phase 2 of this effort will provide hyperlinked access to those references. It is expected that these items will be discussed and "checked off" at the PDR, with plans for the remaining items in place. All items should be satisfied at the time of the CDR. The PSR will be used to close out any open items.
1 (based on NASA SP-8070, SPACE VEHICLE DESIGN CRITERIA, SPACEBORNE DIGITAL COMPUTER SYSTEMS)
Design Guidelines and Criteria - Part 1, Low Level
- I. Special Pins
- II. Input/Output
- III. Clocks
- A. Use of Non-low-skew Clocks
- B. Chip-to-Chip Timing Strategy
- C. Clock Tree
- D. Asynchronous Interfaces and Failure Rate Calculations for Metastable States
- IV. Finite State Machines
- V. Reset
- VI. Hazard Analysis
- VII. Power System
- VIII. EEPROM, Flash, FRAM, and other Non-volatile memories including embedded memories
- IX. Timing Analysis and Margins
- X. Miscellaneous Design Guidelines and Criteria
- XI. Design and Analysis Documentation
- XII. Review of Digital Electronic Circuits
Design Guidelines and Criteria - Part 2, System Level
- XX. SEE Mitigation Strategy
- A. Configuration memory
- B. User flip-flops
- C. Block/embedded RAM and discrete RAM/DRAM
- D. "SEFI" - Note: Some SDRAM models can be destroyed
- E. Latchup
- F. Stuck bits
- G. Single event, multiple upset
- H. Telemetry Reporting Strategy
- A. Strategy: Active or dynamic
- B. Verification of correctness of hardware through all tests
Design Guidelines and Criteria - Part 3, Miscellaneous Documentation
- XXX. Miscellaneous Documentation
- A. Summary of on-chip test logic and disabling/removal strategy
- B. Logic/Memory Device Failure Reports and Analyses
- C. Lessons Learned
Richard B. Katz
Head Grunt, Office of Logic Design
National Aeronautics and Space Administration
Electronic Reliability Design Handbook
1.1 Introduction
This Handbook provides procuring activities and development contractors with an understanding of the concepts, principles, and methodologies covering all aspects of electronic systems reliability engineering and cost analysis as they relate to the design, acquisition, and deployment of DoD equipment/systems.
1.2 Application
This Handbook is intended for use by both contractor and government personnel during the conceptual, validation, full scale development, and production phases of an equipment/system life cycle.
JPL Reliability Analyses Handbook
I. INTRODUCTION (excerpt)
A. General: This document provides guidelines for performing and reviewing reliability analyses associated with flight equipment. It is responsive to the analysis requirements of JPL D-1489 (Ref. 1). In addition, it provides procedures for identifying, preparing, processing, tracking, and resolving deficiencies in the analyses and/or design. This document does not address analyses required in direct response to safety concerns. It should be emphasized that these analyses are not an after-the-fact documentation of what resulted from the design process, but are an active, integral part of the design process. Immediate action should be taken if unacceptable analysis results are found.
B. Purpose: The analysis guidelines provide a centralized source of information on performing and reviewing reliability analyses. The purpose is to promote uniformity of the various methodologies, both within a specific project and from project to project. The review guidelines not only provide information to assist the review function; by explicitly defining what the reviewer should be looking for, they also let the analyst performing the analysis provide the information in a form that is understandable to the reviewer.
An Outline of Worst Case Analysis Requirements for Digital Electronics
Every designer's goal is mission success: the production of a correctly functioning system. One of the keys to achieving that goal is the worst case analysis (WCA). A detailed WCA, if performed during the design phase, can find design problems that may not be found during the test phase. Timing errors, interface margin problems, and other design flaws may manifest themselves only under operating conditions that are not present during test, such as temperature extremes, age, or radiation, or in operating modes that are not exercised in test. The only way to guarantee that no design flaws exist in a circuit is to carefully analyze the circuit and prove their absence.
The purpose of a WCA is to prove the design will function as expected during its mission. The spirit of analysis is proof: all circuits are considered guilty of design flaws until proven innocent. The following is an outline of WCA requirements which introduces the circuit design items that must be reviewed as part of the WCA.
Digital Timing Analysis Tools and Techniques
The timing analysis is a crucial part of a digital system's worst case analysis. Every latched device has timing requirements (set-up times, hold times, etc.) that must be met in order to guarantee correct system operation, and the goal of the timing analysis is to determine whether they are met. Because each device input can have many sources whose timing can vary with circuit operation mode, the timing analysis can be very complicated and time consuming. Thus many attempts at automating the timing analysis task have been made. But the task is sufficiently complex that attempts to fully automate it have, so far, had only limited success. This report examines several timing analysis methods and discusses their strengths and weaknesses.
Root-Sum-Square (RSS) Calculations of Digital Timing Delays
The subject of RSS versus extreme value calculations arises often in worst case analyses because a quantity that is required to be less than some value, e.g., the delay of a chain of digital parts, yields a smaller result when calculated by the RSS method than by the extreme value method, making it easier to claim that requirements are met.
The validity of RSS is often debated without exploring its mathematical basis. This report discusses the basis for RSS calculations and the method's limitations. Although the discussion is centered around calculating the propagation delays of digital circuits, the basic theory and conclusions apply to any application of RSS.
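The following added example (not code from the page or from the Office of Logic Design) illustrates the setup-time check described under the timing analysis above and the RSS versus extreme value comparison just discussed. The stage delays, tolerances, clock period and setup time are constructed values; it shows RSS passing a margin that the extreme value bound fails, and that when one shared cause (such as a temperature excursion) slows every stage together, the RSS bound is exceeded because its independence assumption no longer holds.

```python
import math

# Constructed example: a chain of four propagation stages between two
# flip-flops. Each entry is (nominal_ns, tolerance_ns); the true delay is
# assumed to lie within nominal +/- tolerance over temperature, age and
# radiation.
STAGES = [(5.0, 1.0), (3.0, 0.6), (4.0, 0.8), (2.0, 0.4)]


def extreme_value_max(stages):
    """Extreme value bound: every stage simultaneously at its maximum delay."""
    return sum(nom + tol for nom, tol in stages)


def rss_max(stages):
    """RSS bound: nominal sum plus the root-sum-square of the tolerances.
    Only justified when the stage variations are independent random
    variables; a common cause acting on all stages invalidates it."""
    nominal = sum(nom for nom, _ in stages)
    return nominal + math.sqrt(sum(tol ** 2 for _, tol in stages))


def correlated_delay(stages, fraction):
    """Chain delay when one shared cause pushes every stage the same
    fraction (0.0 to 1.0) of its tolerance in the slow direction."""
    return sum(nom + fraction * tol for nom, tol in stages)


def setup_met(delay_ns, period_ns, setup_ns):
    """Setup check: data must be stable setup_ns before the next clock edge."""
    return delay_ns <= period_ns - setup_ns


if __name__ == "__main__":
    period, setup = 16.0, 0.5  # constructed clock period and setup time
    for label, delay in (
        ("extreme value", extreme_value_max(STAGES)),
        ("RSS", rss_max(STAGES)),
        ("all stages slow together", correlated_delay(STAGES, 1.0)),
    ):
        print(f"{label:26s} {delay:6.2f} ns  setup met: {setup_met(delay, period, setup)}")
```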
NASA Office of Logic Design
Last Revised: February 03, 2010
Digital Engineering Institute
Web Grunt: Richard Katz