Skip to Main Content
Triple modular redundancy (TMR) is a widely used mitigation technique to protect FPGA circuits against single event upsets (SEUs). TMR, however, does not adequately protect signals that cross asynchronous clock domains. Signals which cross clock domains in TMR circuits may suffer from the combined effects of two failure modes: asynchronous sampling effects and SEUs. This paper analyzes and quantifies these problems. In addition, various solutions are proposed for designing safe synchronizers with TMR. Finally, the improvements in reliability provided by the proposed synchronizers are demonstrated by both mathematical modeling and fault injection testing on an FPGA circuit. It is shown that the proposed mitigated synchronizer designs provide between 6 and 10 orders of magnitude improvement in reliability compared to unmitigated designs.