1. SpaceWire Physical Layer Fault Isolation, Barry M Cook (4Links Limited), Wahida Gasti (ESA), Sven Landstroem (ESA) at ISC 2008 1 SpaceWire Physical Layer Fault Isolation Barry M Cook (4Links Limited) Wahida Gasti (ESA) Sven Landstroem (ESA) International SpaceWire Conference 4-6 November 2008

2. SpaceWire Physical Layer Fault Isolation, Barry M Cook (4Links Limited), Wahida Gasti (ESA), Sven Landstroem (ESA) at ISC 2008 2 Content Context Failure sequence Failure conditions LVDS Failure prevention by Over-voltage limiting requiring Reliable current limiting … … at the receiver … at the transmitter Conclusions

3. SpaceWire Physical Layer Fault Isolation, Barry M Cook (4Links Limited), Wahida Gasti (ESA), Sven Landstroem (ESA) at ISC 2008 3 Context – Cross Strapped Redundant System

4. SpaceWire Physical Layer Fault Isolation, Barry M Cook (4Links Limited), Wahida Gasti (ESA), Sven Landstroem (ESA) at ISC 2008 4 Failure Sequence

5. SpaceWire Physical Layer Fault Isolation, Barry M Cook (4Links Limited), Wahida Gasti (ESA), Sven Landstroem (ESA) at ISC 2008 5 Failure Conditions Devices can be quite intolerant of variation –3.3V (nominal) supply voltage (Vss) permits a supply voltage tolerance of ±10% – a voltage range of 3.0 to 3.6V But sets an absolute limit of 4V –Input voltages are, typically, limited to Vss + 0.3V Consider a chip with Vss = 3.6V driving one with Vss = 3.0V … –Input currents for above-Vss input voltages are limited To, typically, 10mA Which, in practice, makes the above situation safe – just –LVDS avoids this problem by specifying lower signal voltages

6. SpaceWire Physical Layer Fault Isolation, Barry M Cook (4Links Limited), Wahida Gasti (ESA), Sven Landstroem (ESA) at ISC 2008 6 LVDS – EIA/TIA 644 A Specifies … Transmitter output voltages (regardless of Vss) –Differential 350mV nominal –Common mode 1.25V nominal above Transmitter ground End-to-end common mode difference Up to ±1V Acceptable receiver input voltages 0.05V to 2.45V (to allow for the common-mode difference) Which is fine until the driver fails and places Vss (+Vcm) on the signal line or, worse, a power supply fails and places an even higher voltage on the signal lines

7. SpaceWire Physical Layer Fault Isolation, Barry M Cook (4Links Limited), Wahida Gasti (ESA), Sven Landstroem (ESA) at ISC 2008 7 Failure Prevention We can take one or more of several actions to avoid a single fault causing a failure cascade … –Ensure the PSU never fails over-voltage Challenging (especially with Switched mode supplies) Even with over-voltage detection, transients are likely –Prevent the over-voltage leaving the transmitter Don’t forget common-mode differences (must clamp to LVDS levels, not to supply) –Prevent the receiver being damaged Limit the over-voltage at its terminals –Prevent the receiver propagating the fault Not only through power rails but also through signal lines

8. SpaceWire Physical Layer Fault Isolation, Barry M Cook (4Links Limited), Wahida Gasti (ESA), Sven Landstroem (ESA) at ISC 2008 8 Over-voltage limiting We require no significant line loading (capacitance / current) with correct signal levels and firm clamping at safe levels with fault levels BUT … Limiting is not perfect and the clamping level depends, critically, on the available fault current At significant currents (100’s mA) the actual clamp voltage can be twice the turn-on voltage Contrast this with the need to allow a correct level of 2.5V (LVDS input) or 3.6V (logic input) but clamp at ≤4.0V Safe over-voltage limiting requires reliable current limiting

9. SpaceWire Physical Layer Fault Isolation, Barry M Cook (4Links Limited), Wahida Gasti (ESA), Sven Landstroem (ESA) at ISC 2008 9 Reliable Current Limiting Avoiding silicon (which tends to fail short-circuit, allowing large currents) we are forced to consider discrete resistors –Thick film SMD resistors and hole mounted metal- film resistors are accepted by most agencies as short-circuit free Adding series resistance on the signal lines will provide a reliable current limit –Can this be done with EIA/TIA 644A (LVDS) signals? Yes …

10. SpaceWire Physical Layer Fault Isolation, Barry M Cook (4Links Limited), Wahida Gasti (ESA), Sven Landstroem (ESA) at ISC 2008 10 At the receiver Limitations The resistors, R, with the receiver input capacitance form a low- pass filter which may degrade the signal 100Ω & 10pF has a time constant of 1ns which would need careful consideration at 200Mb/s (5ns bit period) but should be OK at ≤100Mb/s 100Ω is useful but we could wish for more … 100Ω R R 350mV 1.25V common mode 1.075V / 1.425V 1.425V / 1.075V

11. SpaceWire Physical Layer Fault Isolation, Barry M Cook (4Links Limited), Wahida Gasti (ESA), Sven Landstroem (ESA) at ISC 2008 11 At the transmitter Features Same output differential and common-mode voltage (LVDS) Series resistance driving a matched transmission line and load – there is no capacitive loading and no data-rate reduction 305Ω provides a useful current limit (50mA at 15V over-voltage at the driver output) Supply current is just 3.5mA – same low power as before Other, similar, circuits can be used for higher output source voltages – with greater protection. 100Ω 305Ω 350mV 1.25V common mode 0V / 2.5V 2.5V / 0V 305Ω

12. SpaceWire Physical Layer Fault Isolation, Barry M Cook (4Links Limited), Wahida Gasti (ESA), Sven Landstroem (ESA) at ISC 2008 12 Conclusions We have identified a failure mechanism that can cause a failure cascade causing damage to both the nominal and redundant systems This can be alleviated by using fail-safe current limiting devices – discrete resistors – in conjunction with (discrete or in-built) voltage limiting devices (Whilst fully complying with the definition of EIA/TIA 644A – LVDS)