VHDL Synthesis for High

advertisement
Design Integrity Concepts
2005 MAPLD
1
Design Integrity Concepts
Unit Agenda
• Consistent terminology, consistent results –
Introduction and definitions
• What does it have to do? –
Specifying the design
• Letting constraints work for you –
Proportional design
• More than the sum of its parts –
Partitioning a design
• You mean we’re still working on it? –
Sustaining a design
• What’s the exit strategy? –
Verifying a design
• What do you mean, it doesn’t do what we thought? –
Validating a design
2005 MAPLD
2
Design Integrity Concepts
Who is this guy?
• John Stone
– Chief Engineer (Department of Space
Systems – SwRI®)
– 18 years experience (Exclusively space-flight)
•
•
•
•
•
•
C&DH design (hardware and software)
Instrument electronics design
Box-level integration and test
Hardware project management
Product assurance (parts, radiation, reliability)
Process improvement
– Broad interest in improving what we do
2005 MAPLD
3
Design Integrity Concepts
What do we want to accomplish?
• Discuss techniques that may help us to do
our jobs better
– Based on general principles
– Broad applicability (logic, board, box, system)
• Foster necessary discussion / brainstorming
– To extent possible (as time allows)
– No one person has all of the answers
– Suggestions appreciated
2005 MAPLD
4
Design Integrity Concepts
Consistent Terminology,
Consistent Results
Introduction and Definitions
2005 MAPLD
5
Design Integrity Concepts
Agenda –
Introductions and Definitions
• Design integrity – A working definition
• Why is this important?
– A tale of two designs
– Has anything changed?
– Why should I care?
• The miracle cloud
• The alternative
– Overview
– Implications
– Additional Definitions
• Summary
2005 MAPLD
6
Design Integrity Concepts
Definition and Goal
• Design – The invention and disposition of the
forms, parts, or details of something according to a
plan. (AH dictionary online)
• Integrity – The state of being unimpaired;
Soundness; The quality or condition of being
whole or undivided; completeness (AH)
• This seminar is intended to talk about techniques
and issues that ensure the soundness and
completeness of both the end product and the
means used to produce it.
2005 MAPLD
7
Design Integrity Concepts
Design 1 – Radarsat 1 ACP
2005 MAPLD
8
Design Integrity Concepts
Radarsat 1 ACP Overview
• Program dates: late 1990 – late 1992
• Specifications
– Processor: 8 MHz 80386/80387
– Memory:128 k x 8 SRAM, 192kx8 EEPROM, 16k x 8
PROM
– Interfaces: A/D (16), D/A (4-12), Synchronous serial (3
input, 3 output), RS-232 GSE
– Function: Attitude control processor for the RADARSAT1
satellite
– Logic Implementation MSI logic + PALs (16L8, 16R6,
16R8)
• Additional functions (cross-strap, control) external
2005 MAPLD
9
Design Integrity Concepts
PAL Reminder
2005 MAPLD
10
Design Integrity Concepts
Design 2 - Command Telemetry
Board (CTB)
2005 MAPLD
11
Design Integrity Concepts
CTB Overview
• Program Dates: early 2001 – late 2003
• Specifications:
– Processor: RTX2010 (16 MHz)
– Memory: 4M x 8 (random), various FIFOs (16k x8) as necessary
– Interfaces
•
•
•
•
•
MIL-STD-1553B
Synchronous Serial (command / telemetry)
Analog input
High-level discrete (output)
Low-level discrete (input / output)
– Functionality: S/C command/telemetry (level 0 and active)
– Logic Implementation: 4 54SX32S FPGAs
• Additional resources (in same box): RAD 750, Mass
Memory, Instrument Interface Card
2005 MAPLD
12
Design Integrity Concepts
What’s Changed?
• Capability / Complexity
• Logic Density
• Specificity
– RADARSAT (1 small specification with interface focus)
– CTB (1 large specification with interface, s/w, operations focus)
• Software Centricity
• Initial Errors
– RADARSAT: 3 jumpers; 1 PAL design change
– CTB: 14 FPGA revisions
• 2 spec change
• 5-6 mistakes
• 6-7 data dependency
2005 MAPLD
13
Design Integrity Concepts
What’s Not Changed?
•
•
•
•
Overall program schedules
Proportional budget
Expectation of correctness
Pain from mistakes
2005 MAPLD
14
Design Integrity Concepts
What Explains the (error)
Difference?
• Engineers aren’t as capable? – Insulting!
• Everything is just more complex? – Copout!
• Methodology?
– Methodology hasn’t changed
• Always inadequate, we just got lucky
• Adequate for old designs, no longer adequate
– Methodology has changed
• Used to be adequate, but we lost the recipe
• Design philosophy of systems has changed?
– Predicated on maximum flexibility
– Expectation of extreme complexity
– Over-specification – almost impossible to meet
2005 MAPLD
15
Design Integrity Concepts
What Do These Examples Illustrate?
• The incidence of initial correctness for designs seems to be
decreasing
– Design changes seem to be more common
– Problems late in the verification/validation cycle seem to be more
frequent
• Perhaps a combination of the factors presented explains
this, but …
– Desired complexity is not going to decrease
– Budgets are not going to get bigger
– The expectation of excellence isn’t going to go away
• The only solution is to develop and improve a consistent
methodology for implementing robustly designed products
– Based on basic principles
– Applicable to a variety of conditions
2005 MAPLD
16
Design Integrity Concepts
Why Should I Care?
• Why do we work?
– Self-actualization (fun, monetary reward, interest)
• Why do people want us to work for them?
– They need what we produce
• What do people want engineers (especially in
Aerospace) to produce?
– A quality product that satisfies the customer’s needs
• How do they want us to produce such a product?
– Consistently and efficiently
2005 MAPLD
17
Design Integrity Concepts
The Layman’s View –
The Miracle Cloud
2005 MAPLD
18
Design Integrity Concepts
The Miracle Cloud Method
• Note that too many engineering schools teach this
approach without meaning to
• Advantages to the miracle cloud method
– Total creative freedom
• Disadvantages to the miracle cloud method
– Product quality is variable
• Team makeup dependent
• Team mood/morale dependent (Monday morning car)
• Luck dependent
– Product is not produced in a repeatable manner
– Product is not produced in an efficient manner
• Result
– Quality low
– Customer Satisfaction Low
2005 MAPLD
19
Design Integrity Concepts
How Do We Replace the
Miracle Cloud?
• Provide structure to the development effort
• Evaluate the effort and the product
produced
• Improve the effort and the product
• Repeat
2005 MAPLD
20
Design Integrity Concepts
Definitions of Importance
• From Q9000-2000
• Process – A set of interrelated and
interacting activities which transforms
inputs to outputs [in our case ideas to
devices]
• Product – The result of a process
2005 MAPLD
21
Design Integrity Concepts
Implications From These Definitions
• If we want a consistent product, we must have a
consistent process
• If we want to improve a product, we must improve
the process
• If our company has no (or inadequate) process and
we must produce a quality product, then we must
establish a process [personal responsibility]
• Developing, imposing, and improving a process is
not an end (in and of itself) it is only a means to
an end
2005 MAPLD
22
Design Integrity Concepts
A Model for Discussing
the Design Process
2005 MAPLD
23
Design Integrity Concepts
Notes on the Model
• Feedback / iteration are not shown for clarity
• Model may be recursive
– Board development process includes FPGA requirement definition,
FPGA development, instantiation, etc.
– Board verification process includes the FPGA validation product
• Successes and failures are cumulative
– Good requirements + successful development => successful
instantiation
– Bad requirements + failed development => failed instantiation
• Complexity multiplies
– Complex requirements increase design complexity which, in turn,
increases verification complexity
• Processes are absolute gates to the next stage of development
2005 MAPLD
24
Design Integrity Concepts
Implications From the Model
• All processes must be addressed at all levels of design
[there are no shortcuts!]
– Does not imply same formality at all levels
– Does imply same rigor at all levels
• Up front work on requirements is essential!
– Must provide adequate time and money
– Must gain team buy-in to the process*
– Benefits compound throughout the rest of the activities
• Simplicity is an essential virtue!
– Complexity inevitably multiplies
• A product is not qualified until both verification and
validation are complete
2005 MAPLD
25
Design Integrity Concepts
Additional Useful Definitions
(courtesy of Q9000-2000)
• Specification – A document* stating requirements, needs, or
expectations that are obligatory
• Quality – The degree to which a set of inherent characteristics fulfill
requirements
• Customer satisfaction – Customer’s perception of the degree to which the
customer’s requirements have been fulfilled
• Verification – Confirmation, through the provision of objective evidence,
that specified requirements have been fulfilled
• Validation – Confirmation, through the provision of objective evidence,
that the requirements for a specific intended use or application have been
fulfilled
• Objective evidence – Data supporting the existence or verity of something
• Continual Improvement – recurring activity to increase the ability to
fulfill requirements
• Note the importance of Requirements
2005 MAPLD
26
Design Integrity Concepts
Summary
• I have no assurance that my product will have consistent
quality without:
– Well-defined requirements
– A well planned approach to implementing the requirements
– A clearly defined plan for verification and validation of the
requirements
– The ability to improve the process that produces the product
• Without quality product, customer satisfaction is
impossible
• Without customer satisfaction, I won’t work!
• Therefore, I must care about ensuring design integrity
2005 MAPLD
27
Design Integrity Concepts
What Does It Have to Do?
Specifying the design
2005 MAPLD
28
Design Integrity Concepts
Agenda – Specifying the Design
•
•
•
•
•
•
Basic concepts and implications
What should we include in a specification?
What should we avoid in a specification?
The role of the design engineer
Summary
FPGA specifications
2005 MAPLD
29
Design Integrity Concepts
Basic Specification Concepts
• #1 A specification has a limited set of purposes:
– It is intended:
• To capture product requirements that are essential to meeting a
need – functionally and interfacially
• To ensure traceability of the requirements from higher levels
• To provide a fixed framework for verifying product
conformance
• To provide a framework for derived requirements
– It is not intended:
•
•
•
•
To impose a detailed implementation for a design
To provide unnecessary theory of operation statements
To become a user’s manual
As a box to check on the schedule checklist
2005 MAPLD
30
Design Integrity Concepts
Basic Specification Concepts (cont.)
• #2 Specification language must meet certain criteria
– Structure
• Similar requirements must be grouped together
• All requirements must stand on their own
– Verbs must have a consistent specific meaning
• Shall, must -> impose imperatives
• Should, might -> define preferences
• Will -> defines objective information
– Phraseology
• Phrases must be unambiguous
• Phrases must define one (and only one) requirement
• Phrases must be short and understandable
– All must agree on the meaning of what is written
2005 MAPLD
31
Design Integrity Concepts
Basic Specification Concepts (cont.)
• #3 Specifications are inherently intrusive
– Requirements exclude options in a design
• The number and specificity of requirements determine the level of
exclusion
– Specifications impose non-negotiable verification requirements
• Every requirement must be verified
• The narrower the requirement, the more specific the verification
• The more requirements, the more work needs to be performed
– A well designed specification assists the design and verification
process
– A poorly designed specification
• Unnecessarily shuts down trade space
• Increases verification time and effort
• Makes for an unhappy engineer
2005 MAPLD
32
Design Integrity Concepts
What is Included in a Specification?
• Interfaces
– Number
– Type
– Timing / Handshaking
• Interrelationships
– Temporary storage
– Data Flow
– Software Support
(careful)
• System impact
– Quality and Reliability
– Parts, materials, and
processes
2005 MAPLD
33
Design Integrity Concepts
Examples of Things to Include
• Interfaces
– The unit shall provide 16 low-level discrete interfaces
– The unit shall configure 8 low-level discrete interfaces as pulsed interface
– Pulse interfaces shall generate pulses between 2 and 20 ms long
• Interrelationships
– The unit shall provide on-board temporary storage sufficient for 2 packets
from the XYZ interface
– The unit shall forward data from the XYZ to QRS interfaces on a packet
by packet basis
– The unit shall provide an interrupt to the S/W upon receipt of a complete
package from the XYZ interface
• System Integration
– The unit shall have a .75 probability of success as calculated per the parts
count method of MIL-HDBK-217
– The Unit shall use only EEE parts that meet the requirements of EEEINST-002
2005 MAPLD
34
Design Integrity Concepts
What Should Not Be Included in the
Specification?
• Implementation details (unless essential to safety or
reliability)
– The unit shall implement standard pyrotechnic fire circuit #2 as
found in …(marginally acceptable)
– The unit shall use 4 7206 FIFOs made by IDT corporation
– 370 ns after the last bit of a packet is received the unit shall raise
bit 3 of interrupt control register 21
• Requirements based on inherent capability of devices used
– The unit shall provide a 14-bit A/D converter for interface X (when
based upon the part being used)
– Note: Decisions on precision or accuracy etc. should be made for
interface characteristics (physical measurement range and
accuracy)
2005 MAPLD
35
Design Integrity Concepts
What Shouldn’t Be Included in the
Specification (cont)?
• Ambiguous, unclear, or interpretive requirements
– The unit shall be constructed using techniques found in generally
accepted space hardware guidelines
– The unit shall interface to other components per figure 2 (picture
based requirements)
– The unit shall provide the best performance possible
• Overly complex requirements
– The unit reset shall be immediately triggered upon expiration of
the watchdog timer unless the watchdog timer has timed-out five
times (8 times if in mode 2) in which case the circuitry shall look
at discrete bit 2 to determine whether to delay 3 s (discrete bit 2 =
1) before timing out
• Extraneous information
– The unit shall interface with the visible CCD used in
spectrographic mode
– The unit shall replace the functionality provided by p/n 276401-01
2005 MAPLD
36
Design Integrity Concepts
Why Shouldn’t These Be Included?
• This type of requirement increases cost [time, money,
emotional] to develop a product
– Increase design effort (less trade space, inefficient design, overly
complex design)
– Increase verification effort [planning, implementing, configuring]
due to design complexity
– Increase probability of re-design or re-build [validation
uncertainty]
• This type of requirement reduces the overall quality of the
product developed
– Implemented design not per intention [interpreted requirements]
– Implemented design is not 100% verifiable to specification
[unclear requirements]
– Implemented design requires significant number of waivers and
deviations
2005 MAPLD
37
Design Integrity Concepts
The Role of the Design Engineer
• The design engineering team must “buy in” to the
specification development process
– They have to deal with the consequences if it is done
poorly
– Lack of “buy in” produces a non-controlled process
• “Buy in” requires early review and participation
by the design team
• Therefore, design engineers have a significant role
to play in the specification development process
• What is this role?
2005 MAPLD
38
Design Integrity Concepts
Role of the Design Engineer (cont.)
• Know how to write a specification
– Allows constructive review of the imposed specification
– Improves qualities of derived requirements
• Try to understand the “why” behind the various
requirements
– Improves efficiency of design trade studies
– Allows intelligent suggestion of alternatives
• Suggest alternatives when necessary
– Expose more efficient ways of producing equivalent functions
– Support trade offs between software and hardware functionality
2005 MAPLD
39
Design Integrity Concepts
Role of the Design Engineer (cont.)
• Think forward
– Take the lead in defining derived requirements
– Ask:
• What implications does this have for the design?
• What implications does this have for testability?
• Will this let me sleep at night?
• Push back
– Seek clarification of ambiguous requirements
– Inform others of impractical or costly driving requirements
– Ask for relief from impossible requirements
• Remain engaged in the process
– Be thorough in review
– Don’t be passive with suggestions
2005 MAPLD
40
Design Integrity Concepts
Summary
• Specifications are critically important to the
design engineer and must not be ignored
• Design teams must be intimately involved
in the specification development process
• Detailed design and implementation will
succeed or fail largely based on successful
application of the specification process
2005 MAPLD
41
Design Integrity Concepts
FPGA Specifications - Rationale
• FPGAs are a major part of modern day spaceflight designs
– Primary control functionality
– Equivalent of multiple boards of traditional circuitry
– Major schedule driver
• FPGAs are impossible to verify completely from external
signals
– Too many buried modes and functions
– Too much dependence on simulation
• Correcting FPGAs is conceptually simple
– Temptation to sloppiness
• “First time right” is an essential virtue
– The FPGA specification is a means to achieve “first time right”
2005 MAPLD
42
Design Integrity Concepts
FPGA Specification Prototype
• Interface Section
– Specific pinout requirements
– I/O type definition (Names, Direction, Logic levels)
– Imposed Software requirements (addressing, etc.)
• Do not include non-imposed addressing / register mapping / software
interfaces
• Functionality Section
–
–
–
–
Interface interaction requirements
Data flow requirements
Exclusion requirements
Do not include
• Implementation details
• Theory of operations
• Usage instructions
2005 MAPLD
43
Design Integrity Concepts
FPGA Specification Prototype (cont.)
• Fine timing section
– All timing imposed by board peripheral circuits
– Include
• Min and max delay between I/Os
• Set-up and hold for controlled peripherals
• Fine timing requirements should be an input
to the FPGA development effort, not
outputs of the concluded design
2005 MAPLD
44
Design Integrity Concepts
Why Include Fine Timing?
• Reduces influence of changes external to FPGA
(encapsulation)
– Board implementation can change significantly
– FPGA implementation can change significantly
– Changes ok as long as interfaces remain stable - but fine timing
must be a controlled item
• Simplifies verification
– Verification between implemented FPGA performance and fixed
requirements defined at the board level can be easily accomplished
– Reduces reliance on complex back-annotated simulations at the
board level for FPGA specific verification
– Increases reliability of static timing analysis
• Note – this only works if a structured design approach is
used such that valid requirements can be imposed on the
FPGA early in the process.
2005 MAPLD
45
Design Integrity Concepts
Stand-Alone or Integral?
• When should an FPGA specification stand alone?
– When the FPGA design engineer is not the board design
engineer
– When there are multiple interrelated FPGAs on a board
– When the FPGA design will be used in multiple board
applications
– When the FPGA will become an ASIC
– When the development schedule between the board and
FPGA are disjoint
– When the complexity of the FPGA is greater than that
of the board support circuitry
2005 MAPLD
46
Design Integrity Concepts
Stand Alone or Integral (cont.)?
• When should an FPGA be specified as part of the
board specification?
– When the FPGA is so intertwined with the peripheral
circuitry that writing a stand-alone specification is not
practical
– When the FPGA functionality is easily expressed by
simple gate level schematics
– When the FPGA and board are designed by the same
person
– When heritage design with adequate specifications exist
2005 MAPLD
47
Design Integrity Concepts
Letting Constraints Work For You
Proportional Design
2005 MAPLD
48
Design Integrity Concepts
Agenda – Proportional Design
•
•
•
•
•
Conceptual background
Types of constraints
Examples
The proportional design mindset
Summary
2005 MAPLD
49
Design Integrity Concepts
Conceptual Background
• Three parts to solving a problem:
– Need, solution set, constraints
• All parts have a role to play in the solution
• Ignoring any of them will lead to problems
2005 MAPLD
50
Design Integrity Concepts
Conceptual Background (cont.)
• Example
– Need:
– Solution set:
means of conveyance to work
Skateboard, bicycle, bus, jogging shoes, mid-size
sedan, luxury car, helicopter
– Constraints: Distance (6 miles), $, not on bus route, $, not in
very good shape, $
– Solution:
1992 Honda Accord (120 kmiles, 4 k$)
– The constraints guide selection of the solution from the solution set
• The particular solution is not necessarily – The cheapest (roller skates)
– The most desired (Lexus LS400)
– What is perceived as best for society (bus)
• But … the best overall fit to the needs
2005 MAPLD
51
Design Integrity Concepts
Conceptual Background (cont.)
• Definitions
– Constraint: the state of being checked, restricted, or compelled to
avoid or perform some action (AH)
– Proportional: corresponding in some degree or intensity (AH)
• Proportional design is design that results in a product
“sized” appropriately to the needs and restrictions of the
specification
• The concept of proportional design:
– Accepts the reality of constraints
– Attempts to optimize the solution given the constraints
– Accepts that the constraints provide benefits (more later)
•
•
•
•
More efficient designs
More thorough designs
More correct designs
Caveat – All other things being equal
2005 MAPLD
52
Design Integrity Concepts
Types of Constraints
• External (mass, power, cost, quality)
• Internal
– Derived (packaging, architecture, component
availability, maximum clock speed)
– Self-imposed
• Design rules/guidelines (free space, clock use, logic structure,
HDL language)
• Documentation style (pre-design, post design)
• Component acceptability (maturity of part, limited use of
various features
2005 MAPLD
53
Design Integrity Concepts
Examples (1)
• Problem: provide decoding logic for memory map
– 0-3FFF = SRAM; 4000-4FFF = Peripheral; E000-FFFF = PROM
• Constraint: use minimum amount of logic
• But what about …
– Unused addresses, future expansion, etc.
• Doesn’t matter – given the constraints
2005 MAPLD
54
Design Integrity Concepts
Examples (2)
• Problem: provide all combinational / sequential logic for
the RADARSAT ACP
• Constraint: Only low density high speed logic available
(16X8 PALs, MSI/SSI logic)
• What was forced by the constraint?
– Careful mapping of peripherals into available address space
– Careful partitioning between:
• Programmable logic and MSI/SSI
• MSI/SSI functionality
– Efficient data bus partitioning (tri-state enable issues)
– Special attention to component delays at the gate level
2005 MAPLD
55
Design Integrity Concepts
The Proportional Design Mindset
• Constraints inevitably foster attention to detail (creativity
“inside the box”)
– With respect to methodology
– With respect to level of planning
– With respect to implementation
• Attention to detail is of inherent value because it produces
carefully structured, well-thought out designs
– Improved up-front correctness
– Decreased design post-processing time (simulation, verification,
validation, lab time)
– Efficient designs that meet the stated requirements
– Increased reliability
• Therefore, constraints are welcomed, whether externally
imposed or self-imposed
2005 MAPLD
56
Design Integrity Concepts
The Proportional Design
Mindset (cont.)
• Examples of self-imposed constraint
– Ignoring achievable flexibility (when not
necessary)
– Removing non-specified capability
– Avoiding gratuitous cleverness (especially with
abstract design techniques)
– Rejecting brute force solutions without analysis
2005 MAPLD
57
Design Integrity Concepts
The Proportional Design
Mindset (cont.)
• Characteristics of the right mind set
–
–
–
–
–
Planning before starting
Reviewing before finalizing
Simplifying ruthlessly
Making the design do only what it must
Viewing resources as precious commodities to be used
only to the extent needed
– Understanding the implication of the design’s level of
abstraction
– Being satisfied with the result
2005 MAPLD
58
Design Integrity Concepts
The Proportional Design
Mindset (cont.)
• Why aren’t self-imposed constraints more common?
– They aren’t absolutely essential because we have:
• Lots of logic space [FPGAs, ASICs]
• Lots of memory space [DOS file systems, complicated operating
systems]
• Lots of bandwidth [fast data busses, general purpose communications
protocols]
– They don’t match the current paradigm
•
•
•
•
Flexibility is all-important [re-use, re-configure, adapt]
Specifications are malleable late in the game
Software changes, why can’t hardware?
We can catch problems in simulation and reprogram the part
– They aren’t fun
– We don’t train people to value constraints and work within them
• This is unfortunate because constraints can make our job
easier without degrading the end product
2005 MAPLD
59
Design Integrity Concepts
Summary
• The proportional design mindset is
important because it:
– Focuses on fulfilling needs, not wants
[specification orientation]
– Deepens understanding of the final design
[ownership oriented]
– Avoids unnecessary effort [efficiency oriented]
– Fosters simplicity that aids verification and
validation [quality oriented]
2005 MAPLD
60
Design Integrity Concepts
More Than the Sum of Its Parts
Design Partitioning
2005 MAPLD
61
Design Integrity Concepts
Agenda – Design Partitioning
• Definitions and examples
• Why partition an electronic design?
• Guidelines for partitioning an electronic
design
• Why isn’t it done more often?
• Summary
2005 MAPLD
62
Design Integrity Concepts
Definitions and Examples
• Partition – to divide into parts or shares
– Examples: budgeting, outlining, WBS development
• Design partitioning refers to the deconstruction of
a design into various sub-designs in an ordered
and logical manner
• Goal – to simplify the whole by optimizing the
parts and thus increase:
– Efficiency
– Reliability
– Maintainability
2005 MAPLD
63
Design Integrity Concepts
Why Partition (General)?
• Complexity interferes with ready comprehension
– Comprehension of a complex system depends on ability to impose order
upon it
– But … a given mind has a finite capability to impose order which depends
on the quantity and structure of the data related to the system
– The more complex the system, the more difficult its comprehension
• Partitioning a design introduces a piece-wise reduction in complexity
– Reduces quantity and complexity of design to manageable “chunks”
– Improves comprehension of the various parts of the design
– Increased comprehension of the parts leads to better comprehension of the
whole
• Better comprehension of the whole increases the ability to
– Verify correctness of the design
– Correct errors in the design
– Update the design when necessary
2005 MAPLD
64
Design Integrity Concepts
Why Partition (cont.)?
• Programmatic advantages
– Refines scope of work
• Identifies unexpected effort
• Identifies reuse possibilities
• Identifies staffing requirements
– Identifies schedule dependencies
• Improves allocation of resources
• Identifies parallelization and schedule enhancement
opportunities
– Promotes management visibility
2005 MAPLD
65
Design Integrity Concepts
Why Partition? - Design
• Improved interface organization / more formal structure
– Interfaces between functions have more predictable characteristics
– Expansion by addition of functions is more controlled
• Enhanced functional encapsulation
– Individual functions have predictable results when invoked
– Functional design enhancements have limited side-effects when
installed
– Effects of faults are more easily predicted and mitigated
• Efficient design implementation
– Functional (fewer functions and types of functions)
– Data flow (fewer, more sensible data busses)
– Control flow (simpler address decoding and state machines)
• All are side effects of additional thought put into “How?”
2005 MAPLD
66
Design Integrity Concepts
Why Partition? - Correctness
• Simpler inspection
– Functionality may be “obvious at a glance”
– Error space is more limited
• Within the function or within the interconnect
• Simpler Qualification
– Verification can begin with encapsulated modules or circuit subsets
– Overall functionality correctness becomes less of a “late” concern
because subset functionality is proven correct “early” in the
process
• Simpler / more thorough review
– Structure provides orientation to peer reviewers
– Encapsulation allows easier review
– Peer input more likely to be useful
2005 MAPLD
67
Design Integrity Concepts
Why Partition? – Maintainability
• Clearer documentation
– Documentation has “smaller” parts to focus on
– Structure of documentation grows from the design structure
• Simpler maintenance
– Changes affect only enhanced area
– Interactions between changed area of design and remainder of
original design is controlled by a formal structure
• Enhanced reuse
– Sub-circuits / functions usable in other applications as long as the
interface structure is observed
• Inherent capability of design better understood
2005 MAPLD
68
Design Integrity Concepts
Guidelines for Partitioning
• Take advantage of organizational strengths
– Expertise (analog, digital, software, etc.) is seldom the
same across organizations
– Partition the design in accordance with organizational
strengths according to primary functions
– Divide auxiliary functions (those that can be assigned
to multiple organizations) so that
• Interfaces are simplified
• Workload is equalized
• Functions are easily tested without requiring all of the
hardware
2005 MAPLD
69
Design Integrity Concepts
Guidelines for Partitioning (cont.)
• Example: Alice UV spectrograph electronics
(Rosetta)
• Core expertise
– Sensor Sciences: Detector and front end electronics
– Mobius Systems: Embedded software
– SwRI® space systems: Digital, low speed data
acquisition
– SwRI® space science: LV and HV power supplies
• Primary partition per core expertise
2005 MAPLD
70
Design Integrity Concepts
Guidelines for Partitioning (cont.)
• Alice example (work breakdown chosen)
– Sensor Sciences: detector electronics through parallel
digital output – simplified interface
– Mobius: instrument control / protocol servicing (some
error decoding partitioned to H/W)
– Space systems: microcontroller; s/c interface; heater,
motor, door digital control; analog high-voltage control
– Space sciences: LVPS; HVPS; motor, door, and heater
drive circuitry
2005 MAPLD
71
Design Integrity Concepts
Guidelines for Partitioning (cont.)
• Alice example – partitioning decisions
– Auxiliary expertise split along sensible
interfaces
• C&DH to detector – analog or digital? (noise, ease
of test) - digital
• C&DH to HVPS – analog or digital? (space, noise
susceptibility, ease of test) - analog
• C&DH to S/W – protocol decoding? (performance
margin, logic capability) – hardware error
decoding, s/w protocol encoding
2005 MAPLD
72
Design Integrity Concepts
Guidelines for Partitioning (cont.)
• Use specific functionalities
– Combine functionality with very similar characteristics
• Low-level analog / discrete bi-level (comparator is difference)
• Example: Spacelab flex interfaces
– Cluster related functionalities
• Shared data-flow direction, shared logical control
• Examples
– Constant level discretes / pulsed discretes
– Low-level discretes / high-level discretes
2005 MAPLD
73
Design Integrity Concepts
Guidelines for Partitioning (cont.)
• Use specific functionalities (cont.)
– Isolate related functional sub-groups from other items
• Ex. – analog data acquisition group (multiplexers, converters,
signal processing, control logic)
• Isolate
– Through appropriate data/address buffering
– Through separate programmable logic sub-sets
– Exploit directionality
• Write functions; read functions; read/write functions –
appropriate buffering
• Examples
– Write: Analog output, digital output, telemetry
– Read: Analog input, digital input, command
– R/W: Memory, bi-directional discretes, GSE
2005 MAPLD
74
Design Integrity Concepts
Guidelines for Partitioning (cont.)
• Exploit operational considerations
– Operational considerations often determine the specific
configuration of a set of common components
– Example: memory system
• Components: memory, write control, read control, sequencing,
buffering
• Application: telemetry system
–
–
–
–
Packetized / unpacketized?
Asynchronous timing / TDM ?
Science data / engineering data?
Pushed / pulled ?
• The type of telemetry system determines the partitioning
2005 MAPLD
75
Design Integrity Concepts
Example – Science Data Storage and Readback
System
• How should the logic be partitioned?
– Is write logic part of science data process or memory process?
– Is read logic part of telemetry system or memory process?
– How complicated is the arbitration?
• How it is partitioned depends on specific operational requirements
2005 MAPLD
76
Design Integrity Concepts
Example - New Horizons Alice Science Data
•
Alice Operation
–
–
•
Slow source accumulation relative to output speed
Push interface initiated by instrument
Alice Implementation (others likely in different circumstances)
–
–
–
–
Block 1: handshake and latch data
Block 2: Ingest data, process, write to memory
Block 3: Read, serialize, send, blank memory
Arbitration simplified to a switched double buffered memory access (no real-time arbitration)
2005 MAPLD
77
Design Integrity Concepts
Guidelines for Partitioning (cont.)
• Ensure encapsulation is reflected in the form of the
engineering documents
– Functions contain many types of operations
– Example: Telecommand interface
• De-serialization, decoding, error determination, re-packetization,
temporary storage
• Real time functionality [level 0], forwarding to software
• Storage access / arbitration, status log maintenance, data-bus handshaking
– Partitioning should ensure that all reasonable aspects of a function are
in one locality (we are ordering data for understanding)
• One (or a few) pages in a schematic
• One module in HDL
• One object in software
– Benefits: readability, error determination, testability, maintainability
2005 MAPLD
78
Design Integrity Concepts
Ordering Example – Bus Structure
• A logical bus structure
–
–
–
–
–
–
–
–
Simplifies data flow
Eases expansion / enhancement
Identifies bottlenecks / opportunities for efficiency
Ensures signal compatibility
Reduces timing uncertainty (capacitive loading)
Reduces power
Simplifies control logic / arbitration
Simplifies analysis
2005 MAPLD
79
Design Integrity Concepts
Ordering Ex. – Bus Structure (cont.)
Before:
After:
2005 MAPLD
80
Design Integrity Concepts
Ordering Ex. – Bus Structure (cont.)
• Directional data flow is clustered
• High-speed access devices (SRAM) not
buffered
• Exclusive functions clustered (PROM/
EEPROM)
• Simplification of
– Timing
– Loading
– Control
2005 MAPLD
81
Design Integrity Concepts
Why is Partitioning Not a Priority?
• It is – at the S/C, sub-system, and box level (sometimes)
• Why not at the board level?
– Requires potentially significant planning effort (schedule / cost)
– The tool syndrome (CAD / CAE)
• Crush creativity by forcing an early start to design
• Primarily a way to communicate between software packages rather
than humans (schematic => PWB)
– Too much junk being placed in too little space (simplification may
not always be space efficient)
– Lack of emphasis from senior engineers
– Boards aren’t where the action is (FPGAs) – less effort placed on
them
2005 MAPLD
82
Design Integrity Concepts
Why is Partitioning Not a Priority? (cont.)
• At the FPGA level
– Lack of solid design methodology
• Methodology must be tailored to a tool
• VHDL / Verilog are functional descriptions
• VHDL / Verilog don’t inherently enable data flow visualization
or block oriented deconstruction
• The synthesizer can understand non-partitioned design
– Perception of expansive resources (no / few constraints)
– The tool syndrome (“I must start coding”)
– Lack of effective design quality gates prior to start of
detailed design
2005 MAPLD
83
Design Integrity Concepts
Summary
• A design is only as solid as its weakest part
• Proper planning and partitioning of a design:
–
–
–
–
–
Ensures individual functions are logical and complete
Ensures interconnects are ordered and efficient
Provides for improved reliability / verifiability
Allows easier modification and enhancement
Enhances detailed understanding of how things work
• Partitioning requires ordering the design by considering
–
–
–
–
The capabilities of the team
The functionality of the modular pieces
How the design will operate
The individual components of a particular function
• Partitioning a design ensures that all parts are solid – resulting in a
solid whole
2005 MAPLD
84
Design Integrity Concepts
You Mean We’re Still Working
On It?
Sustaining a Design
2005 MAPLD
85
Design Integrity Concepts
Agenda – Design Sustainability
• Definitions
– Sustainable – Capable of being supported (AH)
– Sustainability – The characteristic of an item
that allows it to be supported
• Why is this important?
• Suggestions for sustainability
• Summary
2005 MAPLD
86
Design Integrity Concepts
Why Sustainability?
• Missions may be multiple decades long
– Flight systems may develop anomalous behavior
– Ground equivalents may need repair
– An understanding of the design is necessary to ensure
mission success
– Original designers will not be available for debugging
• Other critical assignments
• Working in telecon
• Cruising the Pacific
– Sustainable designs allow analysis and correction
without the access to the original designers
2005 MAPLD
87
Design Integrity Concepts
Why Sustainability? (cont.)
• Many designs are derivative
– Reuse of unmodified circuits essential for similar performance in
modified designs
– Acceptable modification depends on creative incorporation of what IS
• Derivation may take many years
– Example – Alice UVS
•
•
•
•
Design 1 – Rosetta (1997-2001)
Design 2 – New Horizons (2002-2005)
Design 3 – LRO (2005-2008)
Design 4 – Juno (2006 - ???)
– Staffing will not be constant
– Human memory will not be precise
• Sustainability ensures an ability to efficiently build on past
successes
2005 MAPLD
88
Design Integrity Concepts
Why Sustainability (cont.)
• You may not be the person who has to make it work
– Staffing is dynamic
• You may quit
• You may get re-assigned
• Somebody with more clout may be needed to satisfy the customer
– Teams produce a product and share debugging
• Test technician
• S/W designer
• I&T team
– Self-interest and common courtesy
• You don’t want 18 questions per day
• Ethics – Do unto others
– Example (ICB)*
2005 MAPLD
89
Design Integrity Concepts
Suggestions for Sustainability
• Remember the dual nature of design input
– The CAD perspective
• Schematic => PCB layout package => circuit board
• HDL => Synthesizer => Fuse file => Programmed FPGA
– The human perspective
• Schematic
– Interrelationships (time, space, connection)
– Debugging tool
– Functionality description
• HDL
– Describes functions and interaction
– Renders constraints understandable
– Ensure Readability!
2005 MAPLD
90
Design Integrity Concepts
Suggestions for Sustainability (cont.)
• Record the design process
– Keep a notebook (type not vital)
– Describe everything of importance
• Why?
– Is this bus used for this function?
– Is this function implemented like this?
– Etc.
• How?
–
–
–
–
–
Do these things talk to one another?
Does this sequential logic work (state diagrams)?
Is the address map decoded?
Are errors handled?
Etc.
2005 MAPLD
91
Design Integrity Concepts
Suggestions for Sustainability (cont.)
• Record the Design Process (cont.)
– Describe (cont.)
• What?
–
–
–
–
–
Signals are needed to perform this function?
Do the waveforms look like?
Timing do I expect to observe?
Changes have I made?
Etc.
• When? – Record chronology
– Provide a way to reproduce what was done
– Make part of permanent project record
– Example – Radarsat 1 Notebook
2005 MAPLD
92
Design Integrity Concepts
Suggestions for Sustainability (cont.)
• Schematics
– Provide an overview of the design
• Schematic table of contents
• Block diagram (hierarchical design if available)
– Provide consistent naming scheme
• Descriptive of signal direction / function / polarity
• Consistent across logic gates and within various blocks
–
–
–
–
Cluster sub-circuits on contiguous pages
Make connections between components explicit
Add comments where necessary for clarification
Remove unused circuitry (for FPGA schematics)
2005 MAPLD
93
Design Integrity Concepts
Suggestions for Sustainability (cont.)
• Don’t:
2005 MAPLD
94
Design Integrity Concepts
Suggestions for Sustainability (cont.)
• Do:
2005 MAPLD
95
Design Integrity Concepts
Suggestions for Sustainability (cont.)
• Help!
2005 MAPLD
96
Design Integrity Concepts
Suggestions for Sustainability (cont.)
• HDL (Must be done from beginning!)
– Provide overall orientation to design
– Provide top-level comments on
• Level of use (top, intermediate, etc.)
• Overall purpose of function / block / module
• Signal function and origination (external and internal)
– Provide operational comments on
•
•
•
•
State machine purpose and configuration (how? why?)
Transition logic (theory and reasoning)
Function of particular sequences
State to control signal translation
– Clarify obscure references
• Remove superseded code (don’t comment out) and explain uncommon
structures
– Improve readability
• Create logical file names
• Minimize file, logic block, function sizes
• Include related functions together (error generation, data interface, basic
function, etc.
2005 MAPLD
97
Design Integrity Concepts
Suggestions for Sustainability (cont.)
Comments?
2005 MAPLD
98
Design Integrity Concepts
Suggestions for Sustainability (cont.)
Header from same design!
(After the fact documentation)
2005 MAPLD
99
Design Integrity Concepts
Suggestions for Sustainability (cont.)
• Post process documentation
– Theory of Operation / Users Manual
• Generate One
• Include
–
–
–
–
Design concept / features
Operational Constraints
Appropriate Uses
Complete Engineering Documentation
• Update, release and correct as necessary
– Create design archive
• Self-consistent and complete
• Place under revision control
• Control changes
2005 MAPLD
100
Design Integrity Concepts
Summary
• Useful designs will be corrected, modified and
evaluated
– FOR A LONG TIME!
– By people besides you
• Sustainability measures must be implemented to
make this happen efficiently
• Sustainability requires
– Adequate conceptual documentation and records
– Clear and readable implementation records
– Finalized and controlled configuration records
• Ensuring sustainability will preserve your legacy
2005 MAPLD
101
Design Integrity Concepts
What’s the Exit Strategy?
Verifying a Design
2005 MAPLD
102
Design Integrity Concepts
Agenda – Design Verification
•
•
•
•
•
•
•
Concepts and implications
The specification connection
Verification before test
Test thoroughness
Tiered verification
Concluding the process
Summary
2005 MAPLD
103
Design Integrity Concepts
Verification Concepts
• Verification – Confirmation, through the provision of
objective evidence, that the specified requirements have
been fulfilled (Q9000-2000)
• Confirmation – the act of ratifying or corroborating (AH)
2005 MAPLD
104
Design Integrity Concepts
Verification Implications
• The verification process is not intended to be a “craps
shoot”
– Verification is primarily intended to highlight correctness
– Verification is NOT primarily intended to reveal incorrectness
• The mindset is important!
– Doubt that a design will work expresses a lack of confidence in the
designer and the design process
– Waiting until “verification” to guarantee correctness is an excuse
for being sloppy
• We should expect our designs to work! Verification simply
puts the seal of confirmation on the expectation
2005 MAPLD
105
Design Integrity Concepts
Verification Implications (cont.)
• Verification addresses two processes
– Design
• Primarily a one-time, iterative process in which the developed
concept is proven sound
• Fundamental correctness can be proven analytically
– Inspection confirms logical correctness in all circumstances
» Peer reviews are a manual form of inspection
» Functional simulation is an automated form of inspection
» Inspections must be tailored to design
– Analysis verifies correctness in the presence of variability
» Reliability (WC, Derating, FMEA, etc.)
» Timing over environments and age
2005 MAPLD
106
Design Integrity Concepts
Verification Implications (cont.)
• Verification addresses two processes (cont.)
– Instantiation
• Particular instance must be sound
• Particular correctness must be demonstrated experimentally
– Inspection confirms that instructions are followed
» Correct components installed
» Correct configuration selected
» Correct processes performed
– Test and demonstration confirms that operation matches
expectations
» Functionally and parametrically
» Predicted by nominal analytical predictions
2005 MAPLD
107
Design Integrity Concepts
Verification Implications (cont.)
• Verification “after the fact” is too late
– Analysis and test are NOT equivalent
– Design analysis and inspection must proceed in lockstep with
design processes
– Implementation tests and inspections should simply confirm what
is known
• Design efforts fail because they occur in a vacuum
– Creativity takes primacy over correctness
– Functionality comes first with operability being “shoehorned” after
the fact
• The “monster” simulation syndrome
• Conclusion: Verify as you proceed
2005 MAPLD
108
Design Integrity Concepts
Verification Implications (cont.)
• Correctness is a matter of personal integrity
for the designer
– Verification is not simply externally imposed
task
– Verification is something that the designer must
want to do (a part of his/her ethos)
– Verification is confirmation that the designer is
“worth his/her salt”
2005 MAPLD
109
Design Integrity Concepts
The Specification Connection
• “Requirements” are confirmed during verification
– The designer does not have a free hand with respect to how a
design is confirmed
– Specification provides the constraint set under which verification is
prosecuted
– Therefore, verification must be defined prior to start of design
• Not simply in a general manner
• Specifically
– Since specification is a customer and vendor document
• Both customer and vendor must be involved in the verification
process
• “Trust me” is not a reasonable phrase when it comes to verification
2005 MAPLD
110
Design Integrity Concepts
The Specification Connection (cont.)
• Specification contains a complete [ideally] set of requirements for the
design
– Some requirements are very specific
• “All discrete outputs shall have a source impedance of 2 kOhms.
• An adequate test is fairly obvious
– Some requirements are not very specific
• “The unit shall provide 512 kbytes of SRAM”
• Note the implied requirement – The SRAM shall function correctly
• What is an adequate functional test for this requirement? (walking 1’s, 0’s
addressing, etc?)
– Some requirements lend themselves to quantitative analysis – “The unit
shall provide a .1° C accuracy at end of life”
– Some requirements lend themselves to simple inspection – “The unit shall
provide 4 analog output channels”
– When do we decide adequacy of the method of verification and the
individual verification cases?
• – Before we start designing
2005 MAPLD
111
Design Integrity Concepts
The Specification Connection (cont.)
• Therefore, verification planning must begin with
specification creation
– Each requirement must be assigned a method or
methods
– Each requirement must be assigned a test or analysis
case
• Must answer question – What is an adequate verification?
• Must establish answer to question – When are we done?
– Each requirement must be verified at one or more levels
[FPGA, board, box, sub-system, system]
– Customer must concur with decision
• Note that modern verification databases make this
relatively straightforward
2005 MAPLD
112
Design Integrity Concepts
The Specification Connection (cont.)
• Advantages to this type of verification planning
– More verifiable / verified designs
• Up-front focus on programmatically difficult verification can
be instituted
– Earlier analysis
– Simplification of overly complex circuit designs
• Guidance for lower-level verification efforts can be established
– Sub-module vs. module level
– Module vs. unit level
• Integral self-test provisions can be included in design
• Earlier simulation vector definition (FPGAs / logic)
2005 MAPLD
113
Design Integrity Concepts
The Specification Connection (cont.)
• Advantages (cont.)
– More robust test sets
• Early knowledge regarding end-item function communicated
• Capability of test set matched to need
– Precision (timing, voltage, current, etc.)
– Speed
– Test level (component, unit, system)
• Test flow design considerations included in test set design
– Knowing verification requirements early makes the
entire development process more efficient
2005 MAPLD
114
Design Integrity Concepts
The Specification Connection (cont.)
• Defining requirements and test cases at the same
time as the specification clarifies and simplifies
the FPGA verification process
– Allows early start to simulation vector design
– Creates early knowledge of additional functional
models (SRAM, peripherals, etc.) needed
– Clarifies decision regarding what can be functionally
simulated and what must be simulated with backannotation
– Defines levels at which simulations must be run
2005 MAPLD
115
Design Integrity Concepts
Verification Before Test
• It is a relatively bad thing to discover a design flaw during
test (better than nothing)
– Late in the development cycle
– Correction is more complicated / expensive
– Personal stress is higher
• Yet … a surprising lack of verification occurs early (before
test)
• Types of pre-test verification
– Inspection - conformity evaluation by observation and judgment
accompanied, as appropriate by measurement or testing (ISO)
• Personal self-check
• Peer Review
• Basic functional verification (Signal audits, functional simulation,
etc.)
2005 MAPLD
116
Design Integrity Concepts
Verification Before Test (cont.)
• Types of pre-test verification (cont.)
– Analysis – Conformity evaluation of the predictions
produced by realistic models of the system
• Worst case analysis (voltage, current, frequency, time) using
models that incorporate real world degradation of function
• Derating analysis using models that reduce stress
• Other
• Note that pre-test verification is fundamentally
conceptual
– Not tool dependent
– Not design dependent
– Can be accomplished many ways
2005 MAPLD
117
Design Integrity Concepts
Verification Before Test (cont.)
• Two approaches to pre-test verification
– Verify full design at once (one big peer review, code walkthrough,
analysis, simulation)
• Benefits
–
–
–
–
Complete design reduces need to develop assumptions
When proved correct, does not need to be repeated
When design is solid, less work
Reduces final documentation for verification
• Drawbacks
– Allows small design flaws to propagate for a long time
– Complexity reduces visibility (verification more prone to mistakes and
oversights)
– When design is flawed, it increases work
– Leads to corrections that are global (hard to test effectively and predict
side effects)
– May take longer to execute than an aggregate of smaller verification
activities
2005 MAPLD
118
Design Integrity Concepts
Verification Before Test (cont.)
• Two approaches to pre-test verification (cont.)
– Verify incremental designs
• Benefits
–
–
–
–
Supports development of “known good” sub-designs
Meshes with a partitioned design approach
Facilitates visibility (fewer mistakes, clearer goals)
Allows small flaws to be fixed quickly (minimizes downstream
impact)
• Drawbacks
– Is more work in the ideal case (no/few flaws)
– Increases documentation if formality is vital
• Either approach can be made to work, but one or
the other must be chosen and implemented
2005 MAPLD
119
Design Integrity Concepts
Test Thoroughness
• Principles for test thoroughness
– Every “shall” in the specification that meets the following criteria must be
tested
• Items that may be affected by the instantiation process (subject to fabrication
error)
• Items for which the only extant verification is model based
• Items for which the testing does not pose unacceptable risk (radiation,
overstress, etc.)
– Every instance of a “shall” must be tested
• 18 interfaces require 18 specific tests
– Requirements that have an exclusive character
• Must be tested for correct operation
• Should be tested at some level for abnormal operation
• Example: If you write a 5Ah to something to set it on, you should verify that
writing other values does not set it on
– Requirements must be tested over a representative range of conditions
2005 MAPLD
120
Design Integrity Concepts
Test Thoroughness (cont.)
• A thorough test is complicated and time
consuming
– Requires some level of automation to be
comprehensive
– Requires some level of compromise to be
practical
– Requires team agreement to be acceptable
2005 MAPLD
121
Design Integrity Concepts
Test Thoroughness (cont.)
• Ensuring thorough, yet practical, tests
– Define which tests require manual interaction and which can be
automated
• Output impedance or analog fine precision may need to be manual
• Signal level or analog coarse precision may be automatable
– Define which tests must be performed over environmental
conditions and which can be performed at room temperature only
• Make decision based on character of measurement
• Do not decide based purely on practicality
– Define level of complexity for all measurement sets
• Example: 24 analog inputs (3 eight channel muxes)
• Test full range of values for 24, or limited range for 7 of 8 mux inputs
and full range for remaining
– Define need for repetition of measurement at higher level of
integration (tiered verification)
• Example: voltage level / signal quality / clock jitter at board level
• Repeat at box level?
2005 MAPLD
122
Design Integrity Concepts
Test Thoroughness (cont.)
• Test thoroughness issues affect everything
– Customer relationship
– Test set design (board, box, system)
– Schedule / cost
• An adequate test program is not trivial
– Cannot wait until system level
– Must incorporate lowest level of design
– Must be a constant background activity during design process
• All programs must balance perfect and good enough
• A good test program
–
–
–
–
Will ensure that the specification is met
Will verify everything that can be affected by fabrication
Will build on the analysis and inspection effort
Will maximize automation without sacrificing test accuracy
2005 MAPLD
123
Design Integrity Concepts
Tiered Verification
• Tiered verification is the process of matching the correct type of
verification to the appropriate level of integration
• Tiered verification incorporates all types of verification (before and
during testing)
• Tiered verification applied to the test regime attempts to have
thoroughness with practicality
– Test a requirement at the lowest conceivable level
– Determine which tests must be repeated at higher levels by
• Establishing the purpose of a test at a particular level
• Determining whether the next level has the potential to change previous
measured quantities
• Determining what test set capabilities are
• Tiered verification cannot be retrofitted into the process
– Must be planned up front
– Must be implemented throughout the development process
2005 MAPLD
124
Design Integrity Concepts
Tiered Verification - Example
• Need: A set of 16 high-level pulsed discretes to control
latching relays used to change the spacecraft power
configuration
• Basic Requirements
–
–
–
–
–
–
Quantity:
Level:
Load:
Duration of pulse:
Rise / Fall time max:
Command capability:
– S/W requirements:
2005 MAPLD
16
+30V +/- 2 V
2 kOhm, 4 mH
50 ms
1 ms
Unique bit pattern, only one at a time,
arm first
Various (beyond scope of example)
125
Design Integrity Concepts
Tiered Verification – Example (cont.)
• Tier 1 – Basic Verification (functional simulation)
– Verify each channel fires for a specific bit pattern /
address
– Verify cannot be fired without an arm command
– Verify that other complementary patterns don’t
accidentally fire the pulse
– Analyze drive capability of FPGA and input / output
requirement / capability of translation chip
– Evaluate glitch hardness of logic selected
2005 MAPLD
126
Design Integrity Concepts
Tiered Verification – Example (cont.)
• Tier 2 – Board level
– Test to confirm signal level between FPGA and
driver chips is compatible
– Test rise, fall, duration, level with dummy load
– Repeat test for all 16 outputs
– Replace dummy load with relay, verify that the
relay switches for all 16 outputs
– Repeat over temperature if necessary
2005 MAPLD
127
Design Integrity Concepts
Tiered Verification – Example (cont.)
• Tier 3 – Box level
– Attach GSE (verifies with relays)
– Functionally pulse all outputs
• Verify relay switches
• Verify gross drive duration
• Tier 4 – Box and operational software level
– Verify functionality commanded through software
– GSE verifies correct relay switch
• Tier 5 – System
– Verify gross functionality as needed for system
operation
2005 MAPLD
128
Design Integrity Concepts
Tiered Verification - Notes
• Most complex and detailed functionality is verified at
lower levels
– Performance
– Error cases
– Predictive of future operation
•
•
•
•
Higher levels focus on functionality / operation
Lower level verification requires more manual touch
Higher level verification is more automated
STE and test procedure developed as appropriate
– Purpose is maximum test completeness
– As well as “bang for the buck”
2005 MAPLD
129
Design Integrity Concepts
Concluding the Process
• (“… through the provision of objective evidence…”)
• The importance of traceability
– Something is only verified (formally) when it is documented
– The tie between verification item and specification must be made
(verification matrix or database)
• The importance of planning
– Establish the links between requirement, method, level, test case
early
– Use the established structure to develop verification items
• The importance of buy in
– All responsible must complete verification and report results
– Systems engineers must track and close
– People must keep up with the process
• Only personal commitment from all involved will ensure
that the process is successful
2005 MAPLD
130
Design Integrity Concepts
Summary
• Verification is to prove success, not avoid failure
• Verification planning is an integral part of the project lifecycle
– Must be initiated with specification (including customer buy-in)
– Must be included in design effort
– Must be used to develop documentation and appropriate test hardware
• Verification is more than final test
– Begins at lowest possible level
– Incorporates analysis and inspection throughout design process
– Develops proof of compliance at all levels of operation
• A thorough test is complicated
– Requires extensive work
– Must trade perfect for practical (a tiered test approach can help)
• Verification processes must be tracked and documented
– The whole team must buy in
2005 MAPLD
131
Design Integrity Concepts
What Do You Mean It Doesn’t
Do What We Thought?
Validating a Design
2005 MAPLD
132
Design Integrity Concepts
Agenda – Design Validation
•
•
•
•
•
Concepts and implications
Specification mitigations
Design mitigations
Test set mitigation
Summary
2005 MAPLD
133
Design Integrity Concepts
Concepts
• Validation – Confirmation, through the provision of
objective evidence, that the requirements for a specified
intended use or application have been fulfilled
2005 MAPLD
134
Design Integrity Concepts
Implications
• The issues relating to validation encompass those of verification
• Additional concerns with validation
– Caused by the need to match the application to the product
– Desired application has been translated to specification through the
requirements process
– Requirements process is by nature imperfect
– Sometimes the specification does not satisfy the needs of the application
• Result – a verified product might be invalid
– May require significant rework to the product
– May require accepting reduced functionality (waiver)
• A goal of the development process is to minimize validation failures
– Begins in review of the requirements process (hopefully primary point)
– Mitigate by design activities
– Reduce by robust test set design
2005 MAPLD
135
Design Integrity Concepts
The Implication Illustrated
• Alice electronics (detector component and C&DH
component)
• Joint requirement: process > 10 k sustained events per
second
• Individual requirements defined for detector and C&DH
processing
– Both met individual requirements for processing
– When combined only 6-7 k sustained events per second
• Verification of individual units led to invalid system
• What went wrong?
– The overall requirements were not broken down correctly
– The C&DH and DE test sets were not high fidelity
• Verified functionality, not performance
• We got lucky that a waiver was acceptable
2005 MAPLD
136
Design Integrity Concepts
Specification Mitigation
• Only list requirements, not desirements
• State unambiguous performance requirements
• Build in adequate margin
– Not open-ended enhancement, but
– Enough to accommodate performance shortfalls
• Ruthlessly remove TBDs
• Insist on definite test methods for mitigation
• Remember – Unless application needs can be
unambiguously specified, they won’t be met!
2005 MAPLD
137
Design Integrity Concepts
Design Mitigation
• Implement specification exactly
• Isolate various sub-sections
– Minimizes “corner cases” and negative interactions
– Allows correction with minimal impact when things don’t work
right
• Verify complex functions early, thoroughly, and
completely
– Allows early look at potential problems
– Analysis / simulation / what ifs should be as realistic as possible
• Insist on end-user review of implementation
– Allows user community to comment
– Minimizes misunderstandings upon delivery
• Develop test plans that have high fidelity to the end
application
2005 MAPLD
138
Design Integrity Concepts
Test Set Mitigation
• Ensure interfaces are maximally flight-like
– Precludes misunderstandings of characteristics
– Provides early indication of problems
– Don’t emulate only one characteristic of interface (R vs. R+L)
• Make test set reasonably sophisticated
– Sufficient complexity to reproduce operational timing
– Adequate functionality for stress testing
• Run all interfaces at maximum speed with margin
• Don’t let the same group build the tested unit (design) and
the unit tester (test bench)
– Identical assumptions might go into both ends of an interface
– Faithful reproduction is dependent on familiarity (if possible, test
bench should be provided by end user)
2005 MAPLD
139
Design Integrity Concepts
Test Set Mitigation (cont.)
• Make the control interface as application like as
possible
– Forces correct command structures / types
– Allows all test scripts to be reproduced at higher levels
• If at all possible, incorporate early interface tests
of real engineering hardware
• Keep the test (or simulation) environment constant
unless the flight system changes
– Don’t change test equipment hardware configurations
– Apples to apples comparisons during tests vital
– Ensure that flight changes are reflected in test set
design
2005 MAPLD
140
Design Integrity Concepts
Test Set Mitigation (cont.)
• Use the same controls for test set development as for flight
unit development
– Configuration management
– Software development
– Peer reviews
• Build in diagnostics so that anomalies can be traced to test
equipment or unit under test
• Ensure that test results mean something
–
–
–
–
Pass / fail criteria clear
Allowable flight parameter variations included
Reasonable displays (with significant information clearly shown)
Ensure that test set accommodates calibration
2005 MAPLD
141
Design Integrity Concepts
Summary
• Successful verification does not always guarantee
successful validation
• Techniques can be incorporated that improve the
likelihood that validation will succeed
– Careful specification development
– Thorough and cautious design techniques
– Extensive test set fidelity to flight requirements
• Effective techniques for validation are extra effort
– More time consuming
– More expensive
– But, definitely worth it.
2005 MAPLD
142
Design Integrity Concepts
Download