TMR Fault Tolerance - 1.0 English

MicroBlaze Triple Modular Redundancy (TMR) Subsystem (PG268)

Document ID
PG268
Release Date
2022-04-28
Version
1.0 English

The TMR MicroBlaze sub-blocks have triplicated MicroBlaze, LMB memory and I/O Module peripherals, with majority voting of all the interfaces as shown in This Figure . In this configuration the interfaces with voters are:

1. Instruction LMB BRAM Interface Controller: Local memory block RAM

2. Data LMB BRAM Interface Controller: Local memory block RAM

3. I/O Module external interfaces (UART, GPO)

pg268-product-spec00003.jpg

Figure 2-2: TMR MicroBlaze Fault Tolerant Subsystem - Local Memory

X-Ref Target - Figure 2-2

pg268-product-spec00005.jpg

The voters implement the FT property, with majority voting to ensure that a faulty MicroBlaze sub-block is masked by the two other sub-blocks. This guarantees that the I/O interfaces continue to provide correct output data even in the presence of a fault.

The LMB block RAM is triplicated, with majority voting of the read data to ensure that all three MicroBlaze processors see the correct data. This is necessary to be able to correct any errors in the block RAM.

It is also possible to use a single block RAM protected by Error Correcting Code (ECC) outside the triplicated sub-blocks, as shown in This Figure . The ECC is then generated and checked in the triplicated LMB Interface Controller at the boundary where the two protection schemes overlap. This configuration uses less resources, at the expense of somewhat reduced fault detection.

pg268-product-spec00007.jpg

Figure 2-3: TMR MicroBlaze Fault Tolerant Subsystem - ECC Memory

X-Ref Target - Figure 2-3

pg268-product-spec00009.jpg

To avoid accumulating errors in the block RAM over time, software scrubbing must be implemented with both these configurations.