Triple-Redundant VMEbus SBC for Extremely Safety-Critical Applications
Mobile applications are the most important target market of MEN Mikro Elektronik. Following many years of experience in the railway and vehicle markets, MEN is now also entering the extremely safety-critical avionics market. An important prerequisite for this was the certification to EN 9100 in October 2008.
The A602 is a 64-bit VMEbus SBC in double Eurocard format and has been developed according to DO-254 especially for applications in a plane (up to DAL-A) or a train (up to SIL 4).
The key feature that assures the board's extreme safety is the triple redundancy of its hardware components. The PowerPC 750 processor with up to 900MHz, the 512MB system memory, the local PSUs, the clock oscillators and the flash memory are all implemented redundantly, ensuring operation in critical applications.
The FPGA is triple-redundant as well and accommodates critical functions as IP cores. Among these are voters, which verify that at least two of the three redundant components of the board deliver the same result, in order to guarantee safety. The system remains fully operational even if one of the three redundant components fails, providing the required availability.
Because the board uses a lock-step architecture, software overhead is extremely low: the redundant hardware components appear to the programmer as a single instance.
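The 2-of-3 voting described above, modelled in C as an added example. This is not MEN's code and does not reflect the A602's actual voter IP core or register interface; the word-level voter, the bit-wise voter and the lane monitor (with a constructed mismatch threshold of three consecutive cycles) are assumptions chosen to illustrate how a voter masks one faulty lane, identifies it, and keeps the output valid once that lane has been latched as failed.

```c
#include <stdint.h>
#include <stdbool.h>

/* Result of one vote on a word produced by three redundant lanes. */
typedef struct {
    uint32_t value;    /* voted output (meaningful only when valid) */
    bool     valid;    /* true when a majority (at least 2 lanes) agreed */
    int      bad_lane; /* lane that disagreed with the majority, or -1 */
} vote_result_t;

/* Word-level 2-of-3 majority vote that also identifies the dissenting lane. */
vote_result_t vote3(uint32_t a, uint32_t b, uint32_t c)
{
    vote_result_t r = { 0, false, -1 };
    if (a == b) {                 /* lanes 0 and 1 agree; lane 2 may dissent */
        r.value = a; r.valid = true;
        r.bad_lane = (c == a) ? -1 : 2;
    } else if (a == c) {          /* lanes 0 and 2 agree; lane 1 dissents */
        r.value = a; r.valid = true; r.bad_lane = 1;
    } else if (b == c) {          /* lanes 1 and 2 agree; lane 0 dissents */
        r.value = b; r.valid = true; r.bad_lane = 0;
    }
    /* all three differ: no majority, r.valid stays false */
    return r;
}

/* Bit-wise majority, the form a hardware voter usually takes: each output
 * bit is the majority of the corresponding input bits. It masks single-lane
 * bit faults but cannot by itself say which lane was wrong. */
uint32_t vote3_bitwise(uint32_t a, uint32_t b, uint32_t c)
{
    return (a & b) | (a & c) | (b & c);
}

/* Lane monitor (assumed policy): a lane that dissents for `threshold`
 * consecutive cycles is latched as failed; operation continues on the
 * remaining two lanes, where only their agreement proves correctness. */
typedef struct {
    unsigned mismatches[3];
    bool     failed[3];
    unsigned threshold;
} lane_monitor_t;

void monitor_init(lane_monitor_t *m, unsigned threshold)
{
    for (int i = 0; i < 3; i++) { m->mismatches[i] = 0; m->failed[i] = false; }
    m->threshold = threshold;
}

int monitor_failed_lanes(const lane_monitor_t *m)
{
    return (int)m->failed[0] + (int)m->failed[1] + (int)m->failed[2];
}

/* One cycle: vote the three lane outputs, update lane health, return result. */
vote_result_t monitor_step(lane_monitor_t *m, uint32_t a, uint32_t b, uint32_t c)
{
    uint32_t in[3] = { a, b, c };
    int live[3], n = 0;
    for (int i = 0; i < 3; i++) if (!m->failed[i]) live[n++] = i;

    vote_result_t r = { 0, false, -1 };
    if (n == 3) {
        r = vote3(a, b, c);
        for (int i = 0; i < 3; i++) {
            if (i == r.bad_lane) {
                if (++m->mismatches[i] >= m->threshold) m->failed[i] = true;
            } else if (r.valid) {
                m->mismatches[i] = 0;   /* agreement clears transient counts */
            }
        }
    } else if (n == 2) {
        /* degraded mode: the two survivors must agree, else output is invalid */
        if (in[live[0]] == in[live[1]]) { r.value = in[live[0]]; r.valid = true; }
    }
    /* n < 2: no majority possible, output stays invalid */
    return r;
}

/* Constructed scenario: from cycle 2 on, lane 1 returns a wrong value every
 * cycle (a stuck bit). Returns 1 if the output stayed correct throughout and
 * lane 1 was latched as failed, -1 if the voted output was ever wrong. */
int demo_failed_lane(void)
{
    lane_monitor_t m;
    monitor_init(&m, 3);
    for (int cycle = 0; cycle < 6; cycle++) {
        uint32_t good  = 0x1000u + (uint32_t)cycle;
        uint32_t lane1 = (cycle >= 2) ? (good ^ 0x1u) : good;
        vote_result_t r = monitor_step(&m, good, lane1, good);
        if (!r.valid || r.value != good) return -1;
    }
    return m.failed[1] ? 1 : 0;
}
```

The word-level voter is what an engineer wants for diagnosis (it names the lane that lost the vote, so BITE can log it), while the bit-wise form is the cheaper per-bit circuit. Once a lane is latched, the monitor drops from majority voting to two-lane comparison, which is exactly why the board stays operational after one failure but cannot tolerate a second.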
Standard I/O is realised in the FPGA and is accessible via rear I/O. It comprises a sextuple UART, an I²C bus and an RS232 interface, which can optionally also be routed to the front. Two PMC slots are provided on the board for additional I/O. The first can be accessed via front or rear I/O and accepts all standard PMC modules. The second is specially reserved for connecting an AFDX PMC via rear I/O.
Additional diagnostic mechanisms (BITE, e.g. extensive self-tests) help to detect latent errors before they lead to a system error, increasing safety and availability. For the same purpose, the design is oriented towards strictly deterministic operation, avoiding interrupts and DMA.