From: blockedofcourse@foo.invalid   
      
   On 12/7/2025 4:06 AM, Gerhard Hoffmann wrote:   
   > I have written a VHDL library with bits, bit_vectors, signed, unsigned   
   > etc that look like standard_logic types but are triple module redundant   
   > with voting internally (stuff for the ISS). ISS is still relatively   
   > harmless; there are some people living next door after all.   
      
   But, what control did you have over the actual *placement* and   
   routing of those elements.  I.e., to ensure disturbances were   
   *independent* events (so a single disturbance couldn't affect   
   more than one bit)?   
      
   I inherited a piece of code where the previous author had opted to   
   use triply redundant data to "ensure" it would be robust.   
      
   With no analysis/justification for the types of failures it   
   *might* incur nor a rationale justifying the approach.   
      
   [Having three bit-identical copies of a thousand bit data   
   structure doesn't guarantee you can recover *anything* meaningful   
   from a disturbance -- unless you can constrain how it could   
   impact that structure and its component parts *OR* predict the   
   likely disturbances that will be encountered.   (e.g., if a   
   memory loses power, what happens to individual cells within it?]   
      
   > Most of the work was to prevent the optimizer to reduce this to a   
   > single version. Throwing 2/3 plus voting away is a huge temptation   
   > for the optimizer, and it does not give in easily. I solved that with signals   
   > like "always_high_but_don't_tell_the_optimizer" that   
   > came from an external pin with an external pull up etc.   
   > Maybe I should rewrite that in present-day VHDL for open source.   
   >   
   > We used ST radiation hardened voltage regulators that still could   
   > go berserk for some ms after a SingleEventUpset if it hit the   
   > regulation amplifier. At least they would not latch up.   
   > The proposed cure was huge output capacitors that would limit   
   > the voltage rise for some ms of berserk mode.   
   >   
   > BTW the caps from the qualified parts list were tantalums, but   
   > with abt. 6 times the volume of similar commercial ones.   
   >   
   > Ah, and I was not qualified to solder my own boards.   
      
   And yet they likely had someone on staff (or on contract) who could!   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)