Proceedings of IEEE International Conference on Electronics, Circuits and Systems (ICECS'02), Croatia, September 15-18, 2002
A Low Power Fault Secure Timer Implementation Based on the Gray Encoding Scheme K.S. Papadomanolakis, A.P. Kakarountas, N. Sklavos and C.E. Goutis VLSI Design Laboratory, Electrical and Computer Engineering Department University of Patras, Greece
ABSTRACT
In this paper a novel architecture for a Low Power Fault-Secure synchronous timer that relies on the Gray coding scheme is introduced. This timer is based on the parity prediction technique and it can detect any single stuck-at fault, transient or permanent, in real time. A thorough analysis of the timer’s architecture and its behavior at the occurrence of any single fault on the circuit is presented, to ensure the Fault-Secure property of the timer. The hardware and power requirements of this fault-secure timer are also examined, in comparison to other dominating safe operation timers based on existing fault-secure counters, to show the benefits that can be derived from the use of this timer scheme.

1. INTRODUCTION
The demand for on-line testability and error detection in safety critical applications, such as the aerospace industry and medical applications, has led to the development of new and innovative techniques for real-time and on-line error detection. The required safety level of the target application determines the overhead needed to ensure reliability, according to the standards [1]. This safety level imposes the use of safety mechanisms that can offer error detection to a certain level during operation. Conventional technology employs double or multi-channelled architectures (e.g. two microcontrollers) which continuously compare their data in order to detect faults in a system. This solution, although highly efficient in error detection, leads to high demands in hardware and power. New design methods for on-line error detection are based on the use of arithmetic coding techniques to obtain redundant information able to detect transient and permanent faults at a significantly lower cost [2,3,4,5,6]. These methods have created the class of self-checking circuits and systems. Self-checking design is based on the implementation of functional blocks which deliver outputs belonging to an error detecting code. A checker that performs error detection concurrently with normal circuit operation [7] is used to monitor this code. This checker has the ability to give an error indication even when a fault occurs on the checker itself. Most recently researchers have been drawn to the conclusion that parity prediction techniques are the most appropriate techniques for self-checking circuits [4]. These present small area overhead in comparison to the most efficient but complex and area costing arithmetic residue codes (such as Berger, CRC, etc.).

One of the most commonly found components in safety critical applications is the counting unit, either in the form of a timer or as a state machine. The basic properties that a counting unit must have are high performance and low power dissipation. Fast counters are components of great importance in safety critical applications because of the time critical aspect of these systems' operation. The basic properties are in short: i) a high counting rate, preferably independent of the counter size, ii) a binary output that can be read on-the-fly, iii) a sampling rate equal to the counting rate, and iv) a regular implementation suitable for VLSI [10].

In this paper an implementation of a fault-secure counter based on the Gray [8] encoding scheme, which complies with the desired properties referenced above, is presented. This counter is then used to implement a fault-secure timer unit. In the following paragraphs, this timer is examined in comparison to a timer using the simple Fault-Secure Parity-Prediction binary counter proposed in [9] and to the conventional approach (double timer). The area, power and performance measurements for this implementation as well as its effectiveness in fault detection are determined. Prior to examining the FS timer presented, a simple reference to the Fault-Secure theory is necessary.
2. FUNDAMENTAL THEORY ON FAULT-SECURE PROPERTY
Self-checking circuits are used to ensure concurrent error detection for on-line testing by means of hardware redundancy. This kind of circuit can detect the presence of both transient and permanent faults. All these circuits aim at the so-called totally self-checking goal, i.e. the first erroneous output of the functional block provokes an error indication on the checker outputs. To achieve this goal checkers have been defined to be TSC [2,7] and they have to be combined with TSC or Strongly Fault Secure (SFS) functional circuits. A brief explanation of the safety properties of a circuit follows, in order to clarify the terms used above.

A circuit G is called fault-secure (FS) with respect to a fault set F if, for each fault f∈F, the circuit never produces an incorrect output codeword for any input codeword.

A circuit G is called self-testing (ST) (or self-checking, SC) with respect to a fault set F if and only if each fault f∈F can be detected by at least one code word input.

The above two properties, the self-testing and the fault-secure, when combined in a circuit, characterize it as totally self-checking (TSC). A self-checking circuit consists of a functional unit, which produces encoded output vectors, plus a checker unit, which checks these vectors to determine if an error has occurred. This checker also has the ability to produce an error indication even if a fault has occurred in the checker itself.

Throughout this paper a hypothesis is also made about multiple errors in fault-secure circuits: when an error is present in a circuit, a second one may appear only after enough time has passed for the first one to have been detected. This hypothesis may seem convenient but it is fully realistic, since it is very unlikely that two errors appear simultaneously. When an error appears, the circuit should detect it, in order to be self-checking. The structure of a self-checking circuit can be found in [6].

By the term fault we imply an abstract view of all classifiable defects of the hardware, e.g. stuck-at, stuck-open, etc. Errors, on the other hand, are defined as the erroneous pattern shown at the output of the circuit in the presence of a physical abnormality. More precise definitions of these terms can be found in [2]. This work considers implementations using parity prediction techniques, with the use of standard cells, because they are predominant in an industrial context and can also be easily automated through the use of an HDL.
3. 4-BIT GRAY COUNTER SEGMENTATION
In order to implement an N-bit Gray-coded counter, we follow a 4-bit segmentation architectural scheme. The decision is unavoidable, since a true N-bit Gray-coded counter would lead to an exponential-like increase in hardware demands as the N value grows. This means that the counter produced has an output bitwidth that is a multiple of 4 (4, 8, 12, 16, …). The 4 bit Gray counter that we implemented consists of 4 D flip/flops, placed in successive order, and a structure of logic gates that provides the Gray coding scheme as input to these flip/flops. In order to implement an N bit Gray counter we use m 4 bit Gray counter units, where m=n/4. The Gray coded counter that is derived in this way is synchronous with the clock, since a “1000” value at the output of the previous 4 bit Gray counting unit triggers a “Counter Enable” signal for the succeeding 4 bit Gray counter module.

3.1 Gray module’s parity prediction scheme
Let $D_i$ and $Q_i$ denote the input and output, respectively, of the i-th D flip/flop of the Gray counter. The outputs of the D flip/flops correspond to the outputs of the 4 bit Gray counter. In order for the Gray counter to be fault secure, the parity generated from the flip/flop outputs $Q_i$ must be the same as the one derived from the parity prediction scheme that is generated using the D flip/flop inputs $D_i$. Let us denote as $P_{est}$ and $P_t$ the parity of the output bits vector, $Q_t$, and the predicted parity from the input bits vector $D_t$, of the Gray counter at state $t$, respectively. Then the functions that generate these two parity outputs are:

$$P_{est} = Q_{1t} \oplus Q_{2t} \oplus Q_{3t} \oplus Q_{4t} \qquad (1)$$

$$P_t = D_{1t} \oplus D_{2t} \oplus D_{3t} \oplus D_{4t} \qquad (2)$$

In order to produce the parity for the output state according to [9] we must use the parity derived from the inputs of the D F/Fs that construct the 4 bit Gray counter module. But because the input bits vector depends on the previous counter state, a single fault can trigger an error in the output bits vector $Q_t$, which can trigger a second error in the input bits vector $D_t$, making the 4 bit Gray counter unstable and not fault secure. This problem can be resolved easily. Since a Gray code changes from even to odd parity and vice-versa after every state change, a simple T flip/flop with the T input set to logic “1” can predict the parity of the output if it is reset concurrently with the Gray counter circuit. Thus the parity prediction scheme is greatly reduced, and the Fault-Secure property is retained. The inverted predicted parity $\bar{P}_t$ along with the output parity $P_{est}$ are used as inputs to a 2-RC (two-rail checker) [6] (Fig. 1). It has to be noted that the initial value of the T flip/flop must correspond to the parity of the initial state of the 4 bit Gray counter.

Fig. 1. Parity prediction scheme of the 4bit Gray counter [figure not reproduced]

3.2 The N bit Gray-coded FS counter
For presentation purposes the 8 bit FS parity prediction Gray coded counter will be examined. The whole implementation scheme for this counter is illustrated in Fig. 2, in order to indicate the modifications that are implemented to attain the Fault-Secure property for this design. The 8 bit counter implementation scheme for the proposed timer is constructed from two identical 4 bit Gray coded modules, with some logic in between them. The purpose of this logic is primarily to enable the 2nd module only whenever this is needed, meaning that the next module’s state transition does not depend on the concurrent transition of the preceding Gray counter module, but only on its previous transition. Thus for larger counters the whole circuit remains stable during transitions, which increases the counting rate, making this proposed counter architecture preferable for high performance safety critical applications.
Fig. 3. FS Gray coded timer architecture [figure not reproduced]
Fig. 2. 8-bit Gray-coded FS counter architectural scheme [figure not reproduced]

The disadvantage of this in-between logic is that it introduces a big hardware overhead. This, however, does not compromise the good low power characteristics of the N bit FS Gray coded counter. This statement is supported by the following analysis. We know that an n bit binary counter has a total number of states equal to $2^n$. That means that the average number of bit transitions per state is:

$$\frac{2^n + 2^n/2 + 2^n/2^2 + 2^n/2^3 + \dots + 2^n/2^{n-1}}{2^n} \qquad (3)$$

From Eq. (3) it follows that the average number of bit transitions per state for an n bit binary counter is:

$$1 + \frac{1}{2} + \frac{1}{2^2} + \frac{1}{2^3} + \dots + \frac{1}{2^{n-1}} = \frac{1}{1 - 1/2} = 2 \qquad (4)$$

Thus for a simple N bit binary counter the average number of bit transitions per stage is 2 (in the F/Fs). For the N bit Gray coded FS binary counter, the average number of bit transitions is given taking into consideration the fact that for every $2^4, 2^8, 2^{12}, \dots, 2^{4(n-1)}$ we have an extra bit transition, as given by the following expression for the n bit segmented Gray FS counter:

$$1 + \frac{1}{2^4} + \frac{1}{2^8} + \frac{1}{2^{12}} + \dots + \frac{1}{2^{4(n-1)}} = \sum_{i=0}^{n-1} \frac{1}{2^{4i}} = \frac{1}{(2^4)^0} + \frac{1}{(2^4)^1} + \dots + \frac{1}{(2^4)^{n-1}} = \frac{1}{1 - 1/2^4} \cong 1.067 \qquad (5)$$

From the previous analysis it follows that, even though this timer circuit (Fig. 3) has an extra binary-to-Gray decoder for the data and for the parity checking scheme (this circuit dissipates power only during a Write operation), we expect great power savings.

4. FAULT-SECURE ANALYSIS
In the following, the whole architectural scheme is examined, in order to determine if this timer circuit complies with the constraints that are imposed by the Fault-Secure theory. It is shown that all errors provoked by possible single faults in the circuit can be detected.

4.1 Faults in the 4-bit Gray counter module
When a single fault occurs at the output of a flip/flop in the 4 bit Gray counter module shown in Fig. 1, during a counter state or during a state transition, it propagates through the XOR tree to the estimated parity $P_{est}$ of the Gray module. Then $P_{est}$ is compared with the predicted parity $P_t$, which is produced through the totally independent parity prediction structure (with the separate T F/F), and in case of an error we have fault detection. If a fault affects the input of a flip/flop, then after one or more clock cycles, depending on when the effect of this fault leads to an error at the output of the flip/flop, it will be detected as in the previous case. The above scheme can also detect a single fault on the parity prediction circuit.

4.2 Faults on the Register/Decoder structure
As in the previous case, any fault that might appear in the decoder unit will be detected from the comparison between the output XORing of the decoder versus the Parity decoded output of the register, and vice-versa. Of course, in order for the decoder cell not to produce any double or multiple undetectable stuck-at faults, we must take into consideration the theorem presented in [4] when designing the binary-to-Gray decoder:

Theorem 1: Parity prediction in an odd-cell fan-out circuit achieves fault secureness for any single permanent or transient fault, if this can be detected before the occurrence of a second fault.

After this modification, if a single fault occurs at the decoder circuit’s input, it will propagate to one of the decoder output signals, and this will alter the parity of the decoder’s Gray output. This will lead to the detection of the error after the comparison with the predicted parity of the Gray decoder output. Similarly, if a single fault occurs in the parity prediction circuit, it will be detected after the comparison of the predicted parity with the output parity, as shown in Fig. 3.

5.4 Faults on the enabling circuits
Erroneous situations might arise if we use the same enabling circuit for enabling the next counter module and the next module’s parity prediction scheme (T F/F). To avoid this erroneous situation we have implemented two separate enabling circuits, one for the parity prediction circuit (T flip/flop) and one for the Gray counter module (Fig. 2). Of course, if both enabling circuits were triggered by the same Gray counter module’s output (“1000”) the problem would remain. For this reason the second enabling circuit takes as input the output of the 4 bit Gray encoding logic unit of the previous module (thus if an error has occurred in the previous module’s logic it would have been detected) and is triggered when the sequence “1001” appears in it.
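The single-fault cases of Section 4.1 can be replayed on a behavioural model of one 4 bit Gray module with its T flip/flop predictor. This is an added example, not the authors' VHDL: `gray_next`, `simulate`, the fault-site names and the fault tuples are assumptions, and the Gray encoding logic is modelled functionally rather than at gate level.

```python
# Added example: behavioural model of one 4-bit Gray module with a T flip/flop
# parity predictor and a two-rail check. Names and fault encoding are assumptions.

def gray_next(q):
    """Successor of 4-bit Gray word q (functional stand-in for the Gray encoding logic)."""
    b = q ^ (q >> 1)
    b ^= b >> 2                        # Gray -> binary (4 bits)
    b = (b + 1) & 0xF                  # count, wrapping 1000 -> 0000
    return b ^ (b >> 1)                # binary -> Gray

def parity(q):
    """XOR tree over the four flip/flop outputs, i.e. P_est."""
    return bin(q & 0xF).count("1") & 1

def force(word, bit, level):
    """Apply a stuck-at `level` to one bit of `word`."""
    return word | (1 << bit) if level else word & ~(1 << bit)

def simulate(fault=None, cycles=32):
    """Return (first cycle with a wrong output or None, list of alarm cycles).

    fault = (site, bit, level, start); site is "Q" (flip/flop output stuck-at),
    "D" (flip/flop input stuck-at), "T" (predictor output stuck-at) or
    "SEU" (stored bit flipped once at cycle `start`, `level` unused).
    """
    site, bit, level, start = fault or (None, 0, 0, 0)
    reg = tff = golden = 0             # common reset; parity(0000) == initial T value
    first_wrong, alarms = None, []
    for t in range(cycles):
        active = site is not None and t >= start
        if site == "SEU" and t == start:
            reg ^= 1 << bit
        q = force(reg, bit, level) if active and site == "Q" else reg
        p_t = level if active and site == "T" else tff
        # Two-rail checker pair (P_est, inverted P_t): a code word only if complementary.
        if parity(q) == (p_t ^ 1):
            alarms.append(t)
        if q != golden and first_wrong is None:
            first_wrong = t
        d = gray_next(q)
        if active and site == "D":
            d = force(d, bit, level)
        reg, tff, golden = d, tff ^ 1, gray_next(golden)
    return first_wrong, alarms

def single_fault_report():
    """For every single stuck-at fault: is the first wrong output flagged in the same cycle?"""
    report = {}
    for site in ("Q", "D"):
        for bit in range(4):
            for level in (0, 1):
                wrong, alarms = simulate((site, bit, level, 0))
                report[(site, bit, level)] = bool(alarms) and alarms[0] == wrong
    for level in (0, 1):               # fault inside the predictor itself
        wrong, alarms = simulate(("T", 0, level, 0))
        report[("T", 0, level)] = wrong is None and bool(alarms)
    return report

if __name__ == "__main__":
    print(all(single_fault_report().values()))
    print(simulate(("SEU", 2, 0, 5)))
```

In this model every stuck-at fault raises the alarm in the same cycle as the first wrong output. A transient flip leaves the counter parity permanently out of phase with the T flip/flop, so the alarm persists on every following cycle.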
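The switching-activity estimate of Eqs. (3) to (5) can be checked by counting flip/flop toggles over one full counting cycle. This is an added example, not the authors' code; the function names are assumptions, and each segment is assumed to advance when the preceding segment leaves its last code word “1000”, as Section 3 describes.

```python
# Added example: count flip/flop toggles per state for a binary counter and for
# a counter built from cascaded 4-bit Gray segments (function names are assumptions).

def gray_next4(q):
    """Successor of a 4-bit Gray code word, wrapping 1000 -> 0000."""
    b = q ^ (q >> 1)
    b ^= b >> 2                          # Gray -> binary
    b = (b + 1) & 0xF
    return b ^ (b >> 1)                  # binary -> Gray

def toggles(a, b):
    """Number of bit positions that differ between two states."""
    return bin(a ^ b).count("1")

def binary_average(n_bits):
    """Average toggles per state of an n-bit binary counter, cf. Eqs. (3)-(4)."""
    mask, state, total = (1 << n_bits) - 1, 0, 0
    for _ in range(1 << n_bits):
        nxt = (state + 1) & mask
        total += toggles(state, nxt)
        state = nxt
    return total / (1 << n_bits)

def segmented_gray_average(segments):
    """Average toggles per state of `segments` cascaded 4-bit Gray modules, cf. Eq. (5)."""
    state, total, steps = [0] * segments, 0, 16 ** segments
    for _ in range(steps):
        for k in range(segments):
            leaving_last = state[k] == 0b1000    # enable condition for segment k+1
            nxt = gray_next4(state[k])
            total += toggles(state[k], nxt)
            state[k] = nxt
            if not leaving_last:
                break
    return total / steps

if __name__ == "__main__":
    for bits in (4, 8, 16):
        print(bits, binary_average(bits), segmented_gray_average(bits // 4))
```

For finite widths the binary average stays just below the limit of 2 in Eq. (4), while the segmented Gray average approaches the 1.067 of Eq. (5) from below.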
6. EXPERIMENTAL RESULTS
We have developed parameterized VHDL descriptions to present the fault-secure parity prediction Gray coded timer implementation. The results were obtained by mapping the netlist produced by the CAD utilities to the AMS standard cell library for 0.6µm CMOS technology. In order to provide a better comparison between the proposed implementation and the simple FS binary counter presented in [9], the simple synchronous binary counter-timer and the conventional FS counter (doubling technique) were realized as well. The experimental results are presented in Table I and these results are normalized to the power, performance and area of the simple non-FS synchronous binary counter/timer.

Table I. Comparison of the 3 FS timers

                                 4 bit    8 bit    16 bit   32 bit   64 bit
Integrated area
  FS binary counter/timer        2.211    1.891    1.739    1.665    1.629
  Double binary counter/timer    1.927    1.894    1.879    1.871    1.867
  Gray FS timer                  1.983    1.995    2.000    2.002    2.004
Power dissipation
  FS binary counter              1.402    1.418    1.451    1.520    1.663
  Double binary counter          2.210    2.226    2.259    2.328    2.471
  JM FS counter                  1.543    1.095    0.871    0.758    0.721
Performance
  FS binary counter/timer        1.65     1.69     1.67     1.62     1.52
  Double binary counter/timer    1.08     1.05     1.03     1.02     1.01
  Gray FS timer                  1.71     1.16     0.86     0.69     0.59

Prior to continuing with the analysis of the results we must state that for all the timer circuits we used a timer architectural scheme similar to the one in Fig. 2. Some obvious conclusions follow from the table above about the comparison of the three Fault-Secure timers. If integration area is the main design issue in developing a safety critical application, then it seems that the simple FS binary counter proposed in [9] is the most suitable selection for the timer. This does not mean that the proposed Gray timer lacks greatly in comparison to the simple FS counter/timer scheme. On the other hand, as follows from Table I, the proposed FS segmented Gray coded timer is the most suitable timer for Low Power safety critical applications, since it is by far the least power dissipating timer circuit while it also outperforms the other 2 FS designs. In fact, as the timer’s bitwidth grows, its Low Power and high performance characteristics become even more evident. This timer’s difference in terms of power can be seen more clearly in Fig. 4 below.

Fig. 4. Comparison in terms of power dissipation [figure not reproduced]

7. CONCLUSIONS
In this paper a Low Power fast Gray coded timer was presented, which is based on the parity-prediction technique and leads to high fault coverage. The whole counter architecture ensures the Fault-Secure property with the use of the parity prediction units that were previously described. The integrated area, power and performance requirements of this implementation were presented in comparison to other safe timers such as the double counter/timer and the simple Fault Secure Parity Prediction timer. The extracted results show that, for little area overhead, the proposed counter presents much better performance and power savings when compared with the other FS counter designs.

8. REFERENCES
[1] DIN V VDE 0801, “Principles for computers in safety-related systems”, 1990.
[2] M. Nicolaidis, “Fail-Safe Interfaces for VLSI: Theoretical Foundations and Implementation,” IEEE Transactions on Computers, Vol. 47, pp. 62-77, Jan. 1998.
[3] Niraj K. Jha, Sying-Jyan Wang, “Design and Synthesis of Self-Checking VLSI Circuits,” IEEE Transactions on Computers, Vol. 12, No. 6, pp. 878-887, June 1993.
[4] M. Nicolaidis, R. O. Duarte, S. M. J. Figueras, “Fault-Secure Parity Prediction Arithmetic Operators,” IEEE Design & Test of Computers Magazine, pp. 60-71, Apr.-Jun. 1997.
[5] R. O. Duarte, M. Nicolaidis, H. Bedder, Y. Zorian, “Fault-Secure Shifter Design: Result and Implementations,” European Design and Test Conference (ED&TC), 1997.
[6] P. Kakaroudas, K. S. Papadomanolakis, E. Karaolis, S. Nicolaidis, C. E. Goutis, “Hardware/Power Requirements versus Fault Detection Effectiveness in Self-Checking Circuits”, Proc. of Patmos’99, pp. 387-396.
[7] D. Nikolos, A. M. Paschalis, G. Philokyprou, “Efficient Design of Totally Self-Checking Checkers for all Low-Cost Arithmetic Codes”, IEEE Trans. on Comp., vol. 37, no. 7, pp. 807-814, July 1998.
[8] M. Morris Mano, “Digital Design”, Prentice-Hall Inc., 1992.
[9] E. Karaolis, S. Nikolaidis, C.E. Goutis, “Fault Secure Binary Counter Design”, Proc. of ICECS ’99, vol. III, pp. 1659-1662.
[10] D. Chu, “Phase digitizing sharpens timing measurements”, IEEE Spectrum, pp. 28-32, July 1988.