SpaceWire Physical Layer Fault Isolation
Barry M Cook (4Links Limited), Wahida Gasti (ESA), Sven Landstroem (ESA)
International SpaceWire Conference, 4-6 November 2008

SpaceWire Physical Layer Fault Isolation, Barry M Cook (4Links Limited), Wahida Gasti (ESA), Sven Landstroem (ESA) at ISC 2008
Content
• Context
• Failure sequence
• Failure conditions
• LVDS
• Failure prevention by
  • Over-voltage limiting, requiring
  • Reliable current limiting …
    • … at the receiver
    • … at the transmitter
• Conclusions
Context – Cross Strapped Redundant System
(diagram slide; figure not reproduced in the text)

Failure Sequence
(diagram slide; figure not reproduced in the text)
Failure Conditions
Devices can be quite intolerant of variation
• A 3.3V (nominal) supply voltage (Vss) permits a supply tolerance of ±10%, i.e. a range of 3.0 to 3.6V
  • But the absolute maximum rating is typically 4V
• Input voltages are, typically, limited to Vss + 0.3V
  • Consider a chip with Vss = 3.6V driving one with Vss = 3.0V: the driven input sees 3.6V against a limit of 3.3V …
• Input currents for above-Vss input voltages are limited
  • To, typically, 10mA
  • Which, in practice, makes the above situation safe – just
• LVDS avoids this problem by specifying lower signal voltages
LVDS – EIA/TIA 644A
Specifies …
• Transmitter output voltages (regardless of Vss)
  • Differential: 350mV nominal
  • Common mode: 1.25V nominal above transmitter ground
• End-to-end common-mode difference
  • Up to ±1V
• Acceptable receiver input voltages
  • 0.05V to 2.45V (to allow for the common-mode difference)
Which is fine until the driver fails and places Vss (+Vcm) on the signal line or, worse, a power supply fails and places an even higher voltage on the signal lines
Failure Prevention
We can take one or more of several actions to avoid a single fault causing a failure cascade …
• Ensure the PSU never fails over-voltage
  • Challenging (especially with switched-mode supplies)
  • Even with over-voltage detection, transients are likely
• Prevent the over-voltage leaving the transmitter
  • Don’t forget common-mode differences (must clamp to LVDS levels, not to the supply)
• Prevent the receiver being damaged
  • Limit the over-voltage at its terminals
• Prevent the receiver propagating the fault
  • Not only through power rails but also through signal lines
Over-voltage limiting
We require
• no significant line loading (capacitance / current) at correct signal levels, and
• firm clamping at safe levels when fault levels are present
BUT …
Limiting is not perfect and the clamping level depends, critically, on the available fault current
• At significant currents (100s of mA) the actual clamp voltage can be twice the turn-on voltage
• Contrast this with the need to pass a correct level of 2.5V (LVDS input) or 3.6V (logic input) but clamp at ≤4.0V
Safe over-voltage limiting requires reliable current limiting
Reliable Current Limiting
Avoiding silicon (which tends to fail short-circuit, allowing large currents) we are forced to consider discrete resistors
• Thick-film SMD resistors and hole-mounted metal-film resistors are accepted by most agencies as short-circuit free
Adding series resistance on the signal lines will provide a reliable current limit
• Can this be done with EIA/TIA 644A (LVDS) signals?
• Yes …
At the receiver
Circuit: a series resistor R in each signal line at the receiver input; 100Ω termination; line levels 1.075V / 1.425V (350mV differential, 1.25V common mode)
Limitations
• The resistors, R, with the receiver input capacitance form a low-pass filter which may degrade the signal
• 100Ω and 10pF have a time constant of 1ns, which would need careful consideration at 200Mb/s (5ns bit period) but should be OK at ≤100Mb/s
• 100Ω is useful but we could wish for more …
At the transmitter
Circuit: driver outputs swing 0V / 2.5V and 2.5V / 0V, each through a 305Ω series resistor into the line; 100Ω termination; 350mV differential, 1.25V common mode at the termination
Features
• Same output differential and common-mode voltage (LVDS)
• Series resistance driving a matched transmission line and load – there is no capacitive loading and no data-rate reduction
• 305Ω provides a useful current limit (50mA at 15V over-voltage at the driver output)
• Supply current is just 3.5mA – the same low power as before
• Other, similar, circuits can be used for higher output source voltages – with greater protection
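The following is an added worked check of the two resistive networks above (the receiver-side R/C filter and the transmitter-side 305Ω series network); it is not code from the presentation. The circuit values (0V / 2.5V drive, 305Ω series resistors, 100Ω termination, 100Ω and 10pF at the receiver, 15V fault voltage) are taken from the slides; the EIA/TIA-644 driver limits (247–454mV differential, 1.125–1.375V offset) are quoted from the standard as this example's author recalls them and are an assumption. The model ignores driver output impedance and line loss.

```python
"""
Worked check of the resistive LVDS fault-isolation networks from the slides.
Added example, not part of the ISC 2008 presentation.
"""
from dataclasses import dataclass

# EIA/TIA-644 driver output limits (assumed from the standard, not stated on the slides)
VOD_MIN, VOD_MAX = 0.247, 0.454      # |differential output voltage|, volts
VOS_MIN, VOS_MAX = 1.125, 1.375      # common-mode (offset) voltage, volts
# Receiver input range as stated on the slides (covers a +/-1 V ground shift)
VIN_MIN, VIN_MAX = 0.05, 2.45


@dataclass
class DriverLevels:
    i_loop: float    # current through series resistors and termination (A)
    v_plus: float    # voltage at the termination, positive leg (V)
    v_minus: float   # voltage at the termination, negative leg (V)

    @property
    def vod(self) -> float:
        return self.v_plus - self.v_minus

    @property
    def vos(self) -> float:
        return (self.v_plus + self.v_minus) / 2.0

    def compliant(self) -> bool:
        return VOD_MIN <= self.vod <= VOD_MAX and VOS_MIN <= self.vos <= VOS_MAX


def series_terminated_driver(v_swing: float, r_series: float,
                             r_term: float = 100.0) -> DriverLevels:
    """One driver output at v_swing, the other at 0 V, each through r_series
    into a line terminated with r_term at the far end (slide 'At the transmitter')."""
    i_loop = v_swing / (2 * r_series + r_term)
    return DriverLevels(i_loop=i_loop,
                        v_plus=v_swing - i_loop * r_series,
                        v_minus=i_loop * r_series)


def fault_current(v_fault: float, r_series: float) -> float:
    """Worst case: v_fault appears at a driver output while the far end of the
    line is held at 0 V, so only the series resistor limits the current."""
    return v_fault / r_series


def receiver_input_ok(levels: DriverLevels, ground_shift: float) -> bool:
    """Do both legs stay inside the receiver input range for a +/- ground_shift
    common-mode difference between transmitter and receiver?"""
    lowest = min(levels.v_plus, levels.v_minus) - ground_shift
    highest = max(levels.v_plus, levels.v_minus) + ground_shift
    return lowest >= VIN_MIN and highest <= VIN_MAX


def receiver_time_constant(r_series: float, c_input: float) -> float:
    """RC formed by a series resistor at the receiver and its input capacitance."""
    return r_series * c_input


def bit_period(data_rate_bps: float) -> float:
    return 1.0 / data_rate_bps


def receiver_filter_margin(r_series: float, c_input: float,
                           data_rate_bps: float) -> float:
    """Bit period in units of RC time constants; smaller means the low-pass
    filter eats further into the eye (slide 'At the receiver')."""
    return bit_period(data_rate_bps) / receiver_time_constant(r_series, c_input)


if __name__ == "__main__":
    drv = series_terminated_driver(2.5, 305.0)
    print(f"Vod = {drv.vod * 1e3:.0f} mV, Vos = {drv.vos:.3f} V, "
          f"supply current = {drv.i_loop * 1e3:.2f} mA, "
          f"EIA/TIA-644 compliant: {drv.compliant()}")
    print(f"receiver range OK with +/-1 V shift: {receiver_input_ok(drv, 1.0)}")
    print(f"fault current at 15 V through 305 ohm: "
          f"{fault_current(15.0, 305.0) * 1e3:.0f} mA")
    for rate in (100e6, 200e6):
        print(f"{rate / 1e6:.0f} Mb/s with 100 ohm + 10 pF: bit period = "
              f"{receiver_filter_margin(100.0, 10e-12, rate):.0f} time constants")
```

The loop current is 2.5V / (305 + 100 + 305)Ω ≈ 3.52mA, which gives the 350mV differential and 1.25V common mode claimed on the slide, so the protected driver is indistinguishable from a plain LVDS driver at the termination; a 15V fault at a driver output is limited to about 49mA by the 305Ω resistor alone. At the receiver, 100Ω and 10pF leave a 5ns bit period only five time constants long at 200Mb/s, which is the reason the slide prefers the transmitter-side network.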
Conclusions
• We have identified a failure mechanism that can cause a failure cascade, damaging both the nominal and redundant systems
• This can be alleviated by using fail-safe current-limiting devices – discrete resistors – in conjunction with (discrete or built-in) voltage-limiting devices, whilst fully complying with the definition of EIA/TIA 644A (LVDS)