Slide 1

Self-Healing Approaches for FPGAs and Wiring Manifolds

Sarah ThompsonUSRA/RIACS, NASA Ames Research Centerthompson@email.arc.nasa.gov

Alan Mycroft University of CambridgeGuillaume Brat USRA/RIACS, NASA AmesArnaud Venet Kestrel Technologies

Slide 2

Reparing FPGAs with SAT Solvers

Slide 3

FPGAsFPGA = Field Programmable Gate Array

Offer many of the advantages of full-custom ASICsHigh density, >10 million gates per chip is possibleMass savings roughly equivalent to similar gate count ASIC (depends mostly on package)

Disadvantages:Order of magnitude worse power consumptionOrder of magnitude slower

But…Extremely cheap (no NRE charges whatsoever)Can be reconfigured in-flight

Slide 4

Cosmic ray damage

Slide 5

Single-Event Effects(Relatively) low energy impacts can cause Single Event Effects (SEUs and SETs)

One or more transistors turn on for a brief time, causing a voltage spike to be propagated around the circuit

Features:Many SEEs are harmless and do not affect functionalitySome may alter memory contents, or corrupt state machinesSEEs affecting critical control signals must be carefully handled

Slide 6

Permanent DamageHigher energy impacts can cause permanent damage

Various mechanismsGate rupture due to latch-upFailure due to long term total dose effects

May manifest as:Stuck at 1Stuck at 0Power to ground short

Slide 7

Radiation Hardening Techniques

Non-Standard FabLarge geometry transistors are less susceptible to damageWafer processing can be tweaked to reduce susceptibility

Internally-Redundant Standard CellRather than e.g. 2 FETs per inverter, use 4, 6 or moreReduces perfomance, increases power consumptionWorks well (e.g. RAD6000, RAD750)

FPGA Dynamic ReconfigurationNew approachUses internal redundancy in FPGAs to work around permanent damage

Slide 8

Undamaged FPGA

Slide 9

Cosmic Ray Impact

Slide 10

Repaired FPGA

Slide 11

The Genetic ApproachSeveral groups (e.g. Lohn at Ames, Stoica at JPL) have used genetic algorithms to ‘evolve around’ damage.

Results are encouraging

There are drawbacks, however:Very CPU intensiveSoundness problem

Slide 12

The SAT ApproachDavid Greaves at Cambridge has suggested the use of SAT solvers for generating FPGA layouts

The big idea: since FPGA layout is thought to be NP-complete, why not attack the problem with a SAT solver?

We propose modifying this approach in order to generate work-around configurations for damaged FPGAs.

Slide 13

Boolean SAT in a NutshellIt is known that all NP-complete problems can be converted to Boolean SAT problems in P time.

Convert your problem into a Boolean expression such that:

If a solution exists, some set of variable bindings will cause the expression to evaluate to trueIf no solution exists, the expression evaluates to false for all possible bindings

Usually:If a solution is possible, the variable bindings themselves represent the solution in some way

Slide 14

FPGA Repair as a SAT Problem

Slide 15

FPGA Repair as a SAT Problem

Wherei is the inputs of the slice under repairf is a model of a correctly functioning FPGAf’ is a model of the damaged FPGAb is the original bit streamb’ is the derived work-around bit stream

Slide 16

Proof-of-Concept Demonstrator

Zero budget simulation

Our implementation:Implemented in C++ under LinuxFPGA-like circuit modeled with HarPECircuit was flattened using partial evaluationInitially we converted to CNF then used zChaffLater we implemented a non-CNF (non-clausal) SAT solver from scratch (NNF-WALKSAT)

Slide 17

Test Circuit

Slide 18

Experimental ResultsInitial results were promising:

A surprisingly large amount of damage can be accommodated in many casesTo be repairable, resource utilisation needs to be less than 100%

• (which is normally the case)

Time-to-repair is usually rapid (seconds) on typical CPUs

Slide 19

Repair Success Rate

Slide 20

Mean Repair Time

Slide 21

ConclusionsThe proof-of-concept exercise was successful.

As-yet untried in real FPGAs

Many open questions remain:Can COTS FPGAs be tested (e.g. via JTAG) accurately enough to enable this approach?Can faults be fixed within a realistic time scale given typical available CPU performance?Under radiation testing, what proportion of faults can be worked around, and what proportion render the FPGA too badly damaged to allow recovery?

Slide 22

Self-Healing Reconfigurable Wiring Manifolds

Slide 23

Typical Small Satellite Configuration

Slide 24

Typical Fixed-Architecture Satellite Block Diagram

Slide 25

Reconfigurable Manifold

Slide 26

Just like a big FPGA?Not quite…

Need to support analogue, power, high current and microwaveFPGA architectures don’t scale up well for this application –satellites aren’t a ‘sea of gates’ interspersed with wiringNeed to be able to compute wiring plans rapidly (NP-complete is too slow)FPGA routing is not complete.

Pre-digital era circuit-switched telephone exchanges are actually a better model.

Slide 27

Signal TypesPower

+28V Supply RailsHigh current analogue

Motor/solenoid drives, torquer bar drivesLow Current, low-speed analogue

Temperature sensorsLow Current, High-Speed Analogue

CCD image sensor feedsLow Speed Digital

Simple sensors, limit switchesHigh Speed Digital

Networking, USBLow Power Microwave

Antenna feeds

High Power MicrowaveOptical

Slide 28

Switch TechnologiesFPGAFPTADigital crossbar switch ASICAnalogue crossbar switch ASICDigital/Analogue permutation network ASIC?MEMS relaysFull-size relaysDiscrete MOSFET/IGBT

Slide 29

Handling Multiple Signal Types

Slide 30

Handling Multiple Signal Types

Slide 31

Physical ArchitecturesSingle Manifold

Appropriate for small satellites

Manifold-of-ManifoldsBetter bet for larger systemsAdvantageous for ‘parts-bin’ construction, because the manifold-of-manifolds scales with the number of parts added.

Slide 32

Single Manifold

Slide 33

Manifold-of-Manifolds

Slide 34

Switching ArchitecturesFPGA ‘sea of gates’ approach doesn’t scale

Satellites simply aren’t that (logical) shapeComputing configuration bit streams is too difficult (NP-complete)They can not support all possible permutations of inputs and outputs (incompleteness)Self-healing is possible, but computationally difficult (NP-complete, though feasible with a good SAT solver)

Slide 35

Crossbar Switch

Slide 36

Switching ArchitecturesCrossbar Switch

O(N2) complexity is less than ideal, but OK for small switchesComputing switch plan is relatively trivialSupports Make-Before-Break and many-to-many connectionsComplete

Permutation NetworkO(N log N) complexity, better for larger switchesComputing switch plan is also O(N log N)Doesn’t support Make-Before-Break directlyDoesn’t support many-to-many connections directlyComplete

Slide 37

Permutation Network

Slide 38

Other PossibilitiesClos Networks

Multiple layers of interconnected, small crossbar switchesWell known in telecommunicationsSwitch plan can be computed efficiently

Shuffle NetworksE.g. Omega NetworkEssentially an incomplete permutation networkRecent result proved that composing two Omega networks in sequence gives a true (complete) permutation network

Slide 39

Omega Network

Slide 40

Other PossibilitiesEmbedding into Arbitrary Graph

Most general solution – all other architectures are special casesCan be complete or incompleteGeneralised routing is NP-complete, which is very bad for dynamic reconfiguration and self-healing

Slide 41

Dynamic Discovery

To enable the responsive space paradigm, it is essential that a reconfigurable manifold should be able to discover its connections automatically, and configure itself dynamically without outside intervention.

Slide 42

Space Velcro

Slide 43

Space Velcro

Slide 44

Probe Circuit

Slide 45

Power Scavenging

Slide 46

Discovery Algorithm1. Power scavenging provides power for manifold’s

CPU2. All connections are announced/detected via

protocol3. Manifold reconfigured to route new connections4. All connections refreshed periodically via make-

before-break5. Old connections time out and are torn down by

default

… which gives self-healing for-free.

Slide 47

Make-Before-Break

Slide 48

Make-Before-Break Workaround

(Can add a 3rd/4th permutation network for modular redundancy)

Slide 49

ConclusionsThis work is still at an early stage

Not yet flownHas been ground-tested in a limited sense by AFOSR (small MEMS relay based prototype) Plenty of spin-off applications both within and outside aerospace

Formal methods challengesReliability estimationCompleteness/correctness proofs for hardware architecture and routing algorithmsCorrectness proofs for glitch-free, make before break switching

Slide 50

AcknowledgementsThe author wishes to acknowledge the support and encouragement of Jim Lyke and others at AFOSR, Kirtland AFB, NM.

Much of the work presented here was carried out in collaborationwith Alan Mycroft, Guillaume Brat and Arnaud Venet, for which thanks are due.

This work has been financially supported by:US Air Force Office of Scientific Research, Space Vehicles Directorate via the European Office of Aerospace Research & DevelopmentNASA AmesSt Edmund’s College, CambridgeIntelEPSRC

Slide 51

Questions

Slide 52

Contact InformationSarah Thompson

sarah.thompson@cl.cam.ac.uk

Alan Mycroftalan.mycroft@cl.cam.ac.uk

Guillaume Bratbrat@email.arc.nasa.gov

Arnaud Venetarnaud@kestreltechnology.com