D602 - Vital Embedded Single Board Computer with 3 PowerPC 750

The D602 is a 6U CompactPCI COTS computer with onboard functional safety that realizes triple redundancy on a single board to achieve fail-operational, fault-tolerant behavior. The board can also act as a fail-silent subsystem, i.e. it can shut down in case of a fatal fault. Its complex FPGA-based design helps dramatically lower software development costs as it automatically manages the system's triple-redundant processors and memory. The result: The system's redundant architecture is fully taken advantage of by software designed for a standard single-CPU card.

The D602 is designed for deterministic operation and offers extensive BITE features (e.g., ECC error counters for all types of memory, monitoring of all internal voltages), internal buses with error correction and fault-tolerant (fail-operational) implementation. Its three processors run in lockstep mode with 2-out-of-3 (2oo3) voting implemented in FPGA and software-assisted resynchronization, while its triple redundant dynamic memory automatically corrects upsets caused by cosmic radiation (SEU) and hardware faults. The system is powered by redundant local power supplies with separate power supplies for the three CPUs and the three main memory ranks.

The D602 has been developed according to DO-254, compliant to DO-160 and certifiable up to DAL-A in avionics applications. Additionally, the product meets the requirements of EN50128/EN50129 and can be deployed in signalling and rolling stock applications up to SIL 4. All I/O is realized in SEU-resistant FPGAs and available on the system's rear connectors. Additionally, the D602 offers two PMC slots (product revisions -02 and later with rear I/O for PMC1). As an option, the second PMC slot can be customized for an AFDX PMC (rear I/O only). A second D602 can be connected to build a high reliability/availability cluster. The two D602s exchange data via a sextuple UART connection and a BMCX link.

Features

  • 3x PowerPC 750 (lockstep mode), 3x 512 MB DDR RAM
  • Fail-operational, fault-tolerant behavior
  • Fail-safe and fail-silent board architecture
  • Clustering of two D602 to raise availability
  • Board management, BITE
  • SEU (radiation) tolerant
  • Certifiable up to SIL 4 (with report from TÜV SÜD) and DAL-A
  • Developed according to RTCA DO-254, EN 50129 and IEC 61508
  • EN 50155 compliance
  • Up to -40 °C to +70 °C
  • Convection or conduction cooling

Specifications

CPU
  • 3x PowerPC 750 CL
    • Scalable performance
    • 1 GHz processor core frequency
    • Superscalar
    • Classic PowerPC FPU, MMU
    • CPU bus to FPGA: 100-MHz/64-bit
  • Lock-step operation
    • All CPUs do the same thing at the same time
    • 2-out-of-3 voting in FPGA with CPU bus clock speed (100MHz)
    • Software-assisted resynchronization
    • No functional interruption in case of an SEU inside the CPU
  • Chipset
    • North- and Southbridge realized in FPGA
Memory
  • 2x 32 kB L1 cache, 1MB L2 cache integrated in each CPU
  • 3 independent ranks of 512MB DDR SDRAM system memory, FPGA-controlled
    • 100MHz memory bus frequency (32 bit)
    • Up to 800 MB/s
    • 2-out-of-3 voting in FPGA
    • Scrubbing to prevent accumulation of SEU
    • No functional interruption in case of an SEU inside the memory
  • 2 independent ranks of 256MB Flash, FPGA-controlled
    • Primary and backup Flash ranks contain the same data, auto-selection by boot loader
    • ECC protection
  • 1MB FRAM
    • ECC protection
  • 4KB serial EEPROM for production data (serial number etc.)
I/O
  • All I/O realized in FPGA and available at rear I/O
  • Sextuple UART
    • E.g., for communication with other D602
    • Data rates up to 460,800 Baud for each channel
    • Handshake lines: none
  • RS232 UART
    • Data rates up to 460,800 Baud
    • 2x 256 Byte transmit/receive buffer
    • Handshake lines: none
  • PCI bus
  • I²C bus
Mezzanine Slots
Two PMC slots
  • 32 bit/33 MHz, 3.3V V(I/O)
  • PMC slot 1 with rear I/O (revisions -02 and later)
Miscellaneous
  • Voltage monitoring
  • Temperature monitoring
  • Watchdog
  • Reset signal control
  • Control of redundant power supplies
  • Sleep mode
    • Lowers power consumption in case of primary power supply interruption
    • Power failure indicated through signals from backplane
    • Supports power interruptions specified in Airbus directive ABD0100.1.9
    • CPUs and memory can be put into sleep mode
  • Redundant clock generation
  • Connection with second D602 possible (with special backplane)
    • Control of shared outputs
    • Exchange of state information
    • BMC and 6x UART link
CompactPCI Bus
  • Compliance with CompactPCI Core Specification PICMG 2.0 R3.0
  • System slot
  • 32-bit/33-MHz PCI-to-PCI bridge
  • V(I/O): +3.3V
Electrical Specifications
  • Dual power input from CompactPCI bus, uninterrupted (EN 50155, Class S1)
    • 3.3V (-5%/+5%)
    • 5V (-3%/+5%)
    • Standard backplane supplies both input rails with power
    • Continued operation if one power input fails (or is not present)
    • Separate power supplies for the three CPUs and the three main memory ranks
  • Supply voltage/power consumption:
    • 30W
    • 15W in sleep mode
Mechanical Specifications
  • Dimensions: conforming to CompactPCI specification for 6U boards
  • Front panel: 4HP with ejector
  • Weight: 640g (with heat sink)
Environmental Specifications
  • Temperature range (operation):
    • 1-slot models: -40..+55°C, temperature classes T1, T2, and TX inside buildings, or in containers with temperature control for signalling equipment, according to EN 50125-3, table 2
    • 2-slot models: -40..+70°C, temperature classes T1, T2, and T3 for equipment onboard rolling stock, according to EN 50125-1, table 2
    • Airflow: min. 2 m/s
  • Temperature range (storage): -40..+85°C
  • Relative humidity (operation): max. 95% non-condensing
  • Relative humidity (storage): max. 95% non-condensing
  • Altitude: -300m to +2,000m (EN50124, Class AX)
  • Compliant to EN50125-1, meeting requirements of EN61373, Cat. 1, Class B and Classes GTX, GL3 for rolling stock
    • Shock: 50 m/s², 30 ms (EN 61373)
    • Vibration (function): 1 m/s², 5 Hz - 150 Hz (EN 61373)
    • Vibration (lifetime): 7.9 m/s², 5 Hz - 150 Hz (EN 61373)
  • For signalling equipment, a distance of 3m from the track bed is required
  • Protection class IP00 (EN50124, Category PD1)
  • Conformal coating on request
  • All components soldered
MTBF
  • 46 000 h @ 40°C according to MIL.HDBK-217FN2 with modifications.
    • Weighted mean figure for 65% operation in AIC (air inhabited cargo) and 35% operation in GF (ground fixed) conditions
  • 312 437 h @ 40°C according to IEC/TR 62380 (RDF 2000)
  • 430 705 h for continuous operation @ 25°C according to IEC/TR 62380 (RDF 2000)
Safety
  • Erroneous behavior of CPU/memory subsystem < 1E-8 / h
    • Considering hardware failures and worst-case SEU environment
  • PCB manufactured with a flammability rating of 94V-0 by UL recognized manufacturers
EMC Conformity
  • EN55011 (radiated emission disturbances - rolling stock)
  • EN 61000-6-4 (radiated emission disturbances - signalling equipment)
  • EN 61000-4-3 (electromagnetic field immunity)
  • EN61000-4-2 (electrostatic discharge immunity)
  • EN61000-4-8 (power - frequency magnetic field)
  • EN61000-4-9 (pulsed magnetic field)
BIOS/Boot Loader
MENMON
Software Support

Downloads