SEU fault-injection in VHDL-based processors: a case study

SEU fault-injection in VHDL-based processors: a case study Wassim Mansour

Raoul Velazco

TIMA Labs 46 Avenue Felix Viallet 38000,Grenoble, France Tel: 00 33 4 76 57 49 88 Email: [email protected]

TIMA Labs 46 Avenue Felix Viallet 38000,Grenoble, France Tel: 00 33 4 76 57 46 89 Email: [email protected]

Abstract — Evaluating the sensibility of a given circuit with respect to soft errors became a main issue especially if it is intended to operate in space or at high altitudes. A hardware/software (HW/SW) approach to study the effects of soft errors by fault injection in the VHDL model of a CPU (Control Processor Unit) is presented and illustrated by results obtained for a LEON3 processor. The LEON3 is set to execute two benchmark algorithms. The first one is a typical 3x3 matrix multiplication, whereas the second one is a selfconverging algorithm which is intended to provide correct results even if a failure occurs in the middle of the execution. The results of fault-injection campaigns targeting the register file unit of the processor are compared to those issued from a state-of-the-art method, the C.E.U. (Code Emulated Upset). One of the main advantages of the proposed method is the larger targeted Single Event Upset (SEU) sensitive area leading to improved error rate predictions.

as HW and/or SW redundancy, time redundancy, error detecting and correcting codes (EDAC), etc. In all the cases the efficiency of the implemented mitigation technique must be evaluated. This can be achieved by fault simulation, fault injection, accelerated radiation testing or experiments performed in the real environment. The fault-injection approaches proposed in literature can be categorized in two main classes: hardware and software methods. There are two sub-classes in software based fault-injection: the software-implemented faultinjection (SWIFI) and the fault injection based on simulation [9-11]. In simulation based fault-injection, faults are injected using VHDL and Verilog hardware description languages (HDL). The main advantage of such approaches with respect to other types of fault injections is their larger observability and controllability of SEU sensitive area. However, their main drawback is their big time consumption.

Keywords: SEU, fault injection, CEU, CPU , VHDL, FPGA, RTL

Many works showed that performing FPGA-based fault-injection allows a good controllability and observability and faster experiments. Another significant advantage is the ability to inject SEU/SET faults. Since for most of nowadays complex circuits, such as processors the HDL code may be available, FPGA-based fault injection methods became largely used for the error-rate estimation integrated circuits, even before their fabrication, exploring thus the efficiency of implemented radhard designs.

I. INTRODUCTION The improvements of integrated circuits (ICs) manufacturing technologies and processes, result in a potential increase of the sensitivity to the effects of natural radiation [1][2]. Among these effects, the socalled SEU (Single Event Upset) phenomena [3][4] is considered critical as it may lead to the modification, randomly in time and location, of the content of a memory cell with an unexpected consequence at the application level.

Among the different simulation based methods and tools can be mentioned:  VERIFY (VHDL-based Evaluation of reliability by Injection Faults Efficiently) [12]: this method uses a VHDL extension that requires some RTL (Register Transfer Language) modification to inject faults in a given circuit, which allow fabricants, who provide the design library, to express their knowledge on the behaviour of the injected faults in their components. It also uses multithreading in the experiments in order to accelerate the fault-injection process.  MEFISTO-C (Multi-level Error/Fault Injection Simulation TOol) [9]: it is a fault-injection tool based on the VHDL model of the targeted circuit. It uses a

Control Processor Units (CPUs) are included in most of systems. The hardware description language (HDL) of many of them is available so they can often be implemented in SRAM-based Field Program Gate Arrays (FPGAs). Some representative examples of such processors and microcontrollers are Leon3, Power PC, MIPS, microblaze, etc. [5][6]. Estimating the error rate due to SEUs is a mandatory step for any application requiring reliability or dependability, devoted to operate in space or in the Earth’s atmosphere, even at ground level. SEU mitigation techniques [7][8] exist at different levels, such

1

of the studied circuit’s architecture, at RTL level, in order to allow fault injection during a single clock cycle while the DUT (Device Under Test) is executing an application program. In fact, the proposed method can be considered as a combination of multiple fault-injection methods such as FITO, FUSE, and the method presented by civera et al. [22].

simulator to inject fault in the model variables and signals via some simulation commands.  HEARTLESS [13]: it is a simulator of permanent and transient faults in the hierarchical RTL model. It is developed to simulate the behaviour of a fault in the sequential complex systems such as processors. It allows also the online validation of the test units of embedded processors.

Faults are injected via a saboteur implemented in FPGA that is connected via an Ethernet link to the PC of the user to get instantly the results of the executed algorithm. In principle, all SEU sensitive memory cells, such as registers, internal memories, etc, are accessible through the HDL model, thus, the considered sensitive area will be closer from the one of the hardware implementation of the studied circuit.

The most popular emulation/semulation (simulationemulation or Hybrid) based fault-injection tools and methods are:  FITO (FPGA-based fault-Injection TOol) [14]: the permanent and transient faults were injected in the flip-flops and the logic gates of the circuit under test. The fault-injection process is based on the addition of some extra ports and connections to the flip-flops of the initial circuits.  FIDYCO (Flexible on-chip Injector for run-time DependabilitY validation with target specific COmmand language) [15]: it is a HW/SW combination for fault injection, where the hardware part is implemented in VHDL on the FPGA, whereas the software is in the PC side. The main objective of this method is the development of a flexible and open system capable of testing a variety of components.  Flipper [16]: is an SEU emulation platform that targets the configuration memory of an FPGA under test via partial reconfiguration.  SCFIT (Shadow Components-based Fault Injection Technique) [17]: it is a fault-injection tool based on the SEmulation. It uses TCL scripts to access different resources in Altera FPGA via a JTAG cable.  FUSE (Fault-injection Using SEmulation) [18]: it is a SEmulation based fault injection tool that combines the performance of the prototype implemented in hardware and the flexibility as well as the visibility of the HDL simulation standard. Faults might be injected by the simulator in the RTL signals or variables using either the simulated HDL model or the netlist implemented inside an FPGA in order to accelerate the fault injection process.  FT-UNSHADES (Fault Tolerant – UNiversity of Sevilla Hardware Debugging System) [19-20]: it is a fault-injection FPGA emulator using the partial reconfiguration technique. FT-UNSHADES inject faults using the technique read-modify-write of the configuration bits.  FIFA (Fault-Injection Fault Analysis tool) [21]: this tool uses saboteurs to inject SEU, MCU and stuck-at faults at the RTL level. Two versions of the circuit under test were implemented inside the FPGA.

The studied approach will be applied to a LEON3 processor while executing a benchmark program. Obtained results will be compared to those issued from the Code Emulated Upsets (CEU) approach presented the first time in [26] and applied particularly to Power PCs and the LEON3 [27] [28]. In Section II, details about the proposed SEU faultinjection emulation method and advantages with respect to existing methods are provided. In Section III, the LEON3 processor, the test platform and the benchmark program used during fault injection experiments are described. Section IV presents and discusses the experimental results obtained for both the proposed approach and the CEU approach. Conclusions and future work are given in Section IV. II. THE PROPOSED METHOD: DIRECT FAULT INJECTION The explored method in this work, Direct Fault Injection (DFI) method, is an alternative way to inject SEU-like faults in any flip flop (FF) of the CPU under test within a single clock cycle. The key point of this method consists in the modification of the VHDL code of the studied circuit at the RTL level by adding extra hardware to the real implementation. These modifications are similar for all the registers of the system: the modified registers replace the initial ones without changing their behaviour, thus they can be generalized. The main issue consists on keeping track of the written and read data by adding ports to the registers: a read-port that is always enabled, so that the data is always read out, and a write-port with an active-high enabled, for one cycle, when the instant of fault-injection occurs. A multiplexer is also added on the input of the new write-port allowing the fault-injection control finite state machine (FSM) to select to inject the fault either on the previously saved data or on the data being written. It is mandatory in the write process, to give the writeinjection a low permission, which will allow the injection process to modify the currently written data in case of a

There are also fault-injection methods that inject faults in the netlist of the tested circuit. We can reference [2225]. In this paper a fault-emulation method, so-called Direct Fault Injection (DFI), is presented to emulate the consequences of SEUs occurring on memory cells of CPUs. The studied approach is based on a modification 2

simultaneous write access by both the CPU and the faultinjection FSM.

The DFI method allows injecting faults in all the registers, including those accessible and non-accessible by the instruction set. Thus, a larger and more accurate surface area closer to the real one is targeted, contrary to the CEU fault-injection method [26] which has more limitations. In fact, in the CEU approach is used some registers of the register-file to hold-on fault-injection parameters. Also, in every processor there are a large number of registers that cannot be accessible by the instruction set. A typical example is the pipeline registers that hold data between different stages of the pipelining process. i.e. if a register holding the fetched instruction between the fetch cycle and the decode cycle is perturbed, it may lead to erroneous results or timeout.

Figure 1, illustrates the architecture of a modified register, where the 32-bits WD1 is the CPU write data, the WE1 is the CPU write enable line, the RE1 is the CPU read enable line, and the 32-bits RD1 are the read data of the CPU. Whereas the 32-bits data2inj is the read data to be perturbed, the 32-bits data_mask contains the information of the bit to be perturbed and written back when the injection signal goes high. The worst case is always taken into consideration: if both the CPU and the fault-injection FSM are writing at the same clock cycle to the register, the FSM will select to write a perturbed WD1.

Fig. 2: Architecture of a modified 32x32 bits register-file

Fig. 1: Architecture of a modified register

Another limitation of the CEU method due to the fact that it is based on interrupt signals: the registers are perturbed when an asynchronous interrupt occurs. Thus, if the running application uses the interrupt signals, then in this case the CEU fault injection method cannot be applied. Moreover, the ALU control state machine, that provides the data controlling the ALU, the CPU memory controller that is responsible for write and read from the external memory, and the whole data-path finite state machine, is very sensitive with respect to SEUs. As well as the control registers during the boot sequence, which are used to configure the CEU method. A good estimation of the error rates due to the effects of soft errors on a processor should include all the sensitive bits any time of the running benchmark. Since the DFI method has access to every single register, and cost no loss cycles, then it makes possible such study.

Since the largest SEU sensitive areas are the instruction cache, data cache, and the register file, and since they are all different RAM sizes, then the implementation of the modified algorithm can be applied by substituting the added hardware. They can be modified by adding one extra read and write port in addition to the same combinational circuit described for the single register case. An example is shown in figure 2, where we focus on the sensitive area of 32 registers of a general registerfile that is used in most of the CPUs nowadays. The register-file is the more meaningful sensitive area because it is always under use by the arithmetic and logical unit (ALU) of the processer. In general, the modified register-file can be implemented in processors that use dual read ports register-file.

In comparison with other FPGA fault-injection methods, the proposed method can inject faults in digital blocks such as register files and memories with multiple input/output ports not only in the design flip-flops. Another key point is that we implement only one version of the studied circuit inside the FPGA, which gives us the possibility to inject faults in larger circuits.

As stated before, the DFI method is controlled by a fault-injection FSM which provides a signal to allow the write of the faulty data, as well as the injection address and the data mask. This FSM is controlled by the computer supervisor to provide it with the injection parameters.

3

There are also some netlist fault-injection methods, such as AMUSE [25] and civera et al. [22], which inject faults in the low level logic gates, and that may require a more complex saboteurs to be able to handle the entire flip-flops injection signals.

includes the register files (32 registers of 32 bits) and the configurable instruction and data cache memory. The Leon3 has been modified to allow applying both the DFI and the CEU methods. In a preliminary study presented in this work, the register-file is the only targeted area. The Leon3 has specific windows architecture, so-called the register-file windows. Registers in the register-file are interconnected. Each of the eight windows has 32registers, 8 inputs that come from a previous window, 8 outputs to the next window, 8 local registers, and 8 global registers shared between all windows. Figure 4, illustrates the 8-windows architecture.

III. FAULT INJECTION ENVIRONMENT A) Test platform To study the sensitivity to SEUs of a given benchmark by applying the DFI method, we used the ASTERICS (Advanced System for the Test under Radiation of Integrated Circuits and Systems) platform. ASTERICS is an upgraded version of THESIC+ platform, developed at TIMA Labs, for which detailed information can be find in [29]. Fig. 3 illustrates the ASTERICS system, whose architecture is built around two FPGAs. The first one, called COM FPGA, contains a PowerPC processor. It handles the communication between the user’s computer and the resources available on the ASTERICS motherboard. and includes a programmable watchdog to check errors provoking sequence loss. It also monitors the current consumption of the device under test (DUT) in order to protect it against destructive faults such as SEL (Single Event Latchups) which may occur during radiation ground testing experiments. Data transfers are performed over an Ethernet network providing high data rate transfer. The second FPGA, called Chipset FPGA, contains the user design, which can be either the tested design, or used to interface to the ATERICS resources, the hardware part implemented in a daughterboard. In this way are minimized the time, development effort and cost of the hardware platform required to perform radiation ground tests or fault injection experiments on a new circuit.

Fig. 4: Architecture of register windows

The HDL model of the register file is much simpler. A dual read port register file with 135-registers, can replace the whole windows. Modifications on the register file according to the DFI method were done. The CPU was implemented on the DUT FPGA allowing executing both CEU and DFI approaches. C) Tested benchmark Before starting a first fault injection campaign on a typical benchmark, one would locate the placement of the registers inside the 135x32-bits register file as well as the workability of the DFI method. Exhaustive injections were performed on a simple program that writes in all the registers of the currently used window, and writes back all the registers into the memory of ASTERICS in order to identify potential errors: the register windows are located as blocks from the output registers to the input registers including the local ones, aside the global registers are located at the end of the register file from addresses 0x80 to 0x87 as shown in figure 5.

Fig. 3: Architecture of ASTERICS test platform

Two benchmarks were selected to validate the proposed fault-injection method, and to be able to give a good comparison between both the DFI and the CEU approaches.

B) Tested device A Leon3 processor [5] was implemented in the chipset FPGA, the VIRTEX-IV, presented in ASTERICS motherboard. A version written in C language was used to obtain the executable code of the tested benchmark for Leon3. The main SEU-sensitive area of this processor

The first benchmark was a simple matrix multiplication, where the matrices size is 3x3 for inputs and outputs. 4

TABLE 1: DFI VS CEU TIMING COMPARISON

Method

DFI

Boot duration Running duration Running duration (silent fault)

CEU

453 CC 15950 CC 15950 CC

602 CC 15950 CC >16070 CC

Three fault injection campaigns were done while running the matrix multiplication algorithm: in the first one all the registers in the register file for the window in use are targeted, whereas the second and third campaigns targeted only the registers that are accessible by the CEU method in order to perform a realistic comparison: i.e. the global registers were excluded in this campaign. Table 2 shows the results of all the fault-injection campaigns.

Fig. 5: file-register map for the Leon3 Processor

The second benchmark was the self-convergent algorithm presented in [30] [31], where the CEU method was applied. Some modifications on the algorithm were applied in order to achieve best performances with respect to soft errors. But, for the best comparison with the CEU algorithm, the DFI was used with a running limit equal to five, because at that limit the errors and timeouts stabilizes as a consequence of the CEU.

TABLE 2: Results of fault injection experiments on the matrix multiplication benchmark

Various fault-injection campaigns were performed during which huge numbers of SEUs were injected randomly in time and location. It is important to notice that in each of these runs; only one SEU per execution was injected in the register file of the LEON3. In other words, only one bit of the randomly selected register was perturbed within the execution time of the tested benchmark and at a randomly chosen clock cycle.

Targets (registers)

Method

#injected faults

#errors

#timeouts

32

DFI

8000

861(10.76%)

1234(15.42%)

25

CEU

8000

2838(35.47%)

1347(16.38%)

25

DFI

8000

870(10.87%)

1306(16.32%)

As shown in Table 2, error rates and timeouts issued from the DFI method are lower than the rates obtained when the CEU is applied. In the first case, where the target is the whole 32 registers, put a larger SEU sensitive area under fault injection. This leads to a reallike SEU behaviour in the targeted area, thus a better estimation of both error rate and timeouts. In the second case, the CEU targets less registers: only global registers are not targeted being used to implement the CEU. The C-compiler when compiling the code to assembly lowlevel puts all the variables of the program into the local, input and output registers. Thus, a larger number of faultinjections in a smaller area leads to the higher error rate. In the last case, not all the variables are targeted since we exclude the global registers, which might be used by the compiler to set some variables into them. This explains why the sum of the erroneous results and timeouts is lower than the CEU prediction but higher than the DFI prediction in the first case. Timeouts are also consequences of the injected SEU. The rates of observed timeouts increase or decrease depending on the same factors as described above. Indeed, for the CEU method the timeout limit is selected to be 1.1 times the normal running duration of the given algorithm. A self-stabilizing algorithm was also tested to provide a clearest view of the difference between both methods. Results are shown in Table 3, where the timeout limit is set to be five times the running limit [30].

The consequences of the injected SEU may be classified as follows: - Silent fault: the injected fault does not have any consequence on the program’s results. As an example, typical silent faults are those affecting a register or data not used or yet used by the processor. Another possibility is that the algorithm provides a correct result despite the fault. - Result error: the results of the program are not the expected ones. - Timeout: the program execution duration exceeds a limit defined by the user. In our experiments, the SEU faults were injected at instants chosen within the nominal duration of the executed program. Table 1, shows the normal durations for the matrix multiplication program with and without the injection of silent faults and provides a timing comparison in terms of clock cycles (CC) between both the CEU and the DFI method. One can clearly notice that in the CEU method, after the injection of a random fault, the normal duration is not constant. In fact, we cannot confirm a strict timeout, since the number of cycles that the interrupt service routine (ISR) executes varies depending on the address of injection.

5

TABLE 3: Results of fault injection experiments on the selfconvergence benchmark

Targets (registers)

Method

#injected faults

#errors

#timeouts

32

DFI

8000

340(4.25%)

760(9.5%)

25

CEU

8000

844(10.55%)

1084(13.55%)

25

DFI

8000

340(4.25%)

844(10.55%)

a vector of faults in order to speed up the fault-injection process. As an example, the SCFIT method takes an average of 0.3 minutes to perform one execution whereas FuSE can go up to 4000 times faster. For the DFI method, if the online fault-injection is considered, faults can be injected in a rate up to 5 injections/second whereas if the vector faults is considered the method can inject faults in a rate of 1 injection/cycles of execution, which leads to a real-time fault-injection rate.

Results of the fault-injection campaigns performed on the self-stabilizing algorithm show that they are coherent with those obtained in the fault-injection campaigns when the Leon3 executes the matrix multiplication benchmark. In few words, the CEU method overestimates both the result errors and timeouts rates. Given the same number of injected faults, the DFI targets a larger sensitive area thus a lower error-rate, whereas the CEU target a smaller sensitive area thus a higher errorrate . This over-estimation can explain the small difference between the predicted and the measured results in the case of a PowerPC 7448 in [32]. Another fault-injection campaign was realized in order to show clearly the difference between the DFI and the CEU method. Faults were injected in the sensitive areas of the Leon3 processor which are not accessible via the CEU method. The self-convergent algorithm is being executed by the Leon3. Table 4 shows that the nonaccessible sensitive area is estimated to be 18938 bits. 2519 faults were injected and the global error-rate (errors + timeouts) is around 4%. In this campaign we could not inject more than 2519 faults because we faced 5 errors of type SEFI (Single Event Functional Interrupt) which require a hard reset. These kinds of faults were injected in the reset and state machine modules, which means that they cannot be obtained using the CEU method.

IV. CONCLUSIONS AND FUTURE WORK In this paper was studied a method for injecting faults into VHDL-based processors: The DFI method. Advantages over a state-of-the art method, the Code Emulated Upset was also presented. Whereas the only disadvantage is that the DFI can only be applied on processors for which the HDL model is available. So for real hardware that the VHDL source code is not provided the CEU still applicable. Obtained results confirmed the accuracy of the DFI method when faults are injected into the register file of a Leon3 processor running different benchmark algorithms. In future work, is planned applying the DFI method on the instruction and data cache which are in their architecture similar to a register file with single read and write ports but with a bigger size. Also will be targeted the pipelining registers, the ALU FSM registers, as well as the data-path FSM registers that were not accessible in the past. Another perspective is to generalize the method to be able to inject fault in any VHDL-based processors, and apply it to a processor that have a real hardware version, and then validate the method by comparing predicted results issued from DFI to results obtained by performing radiation ground testing.

TABLE 4: Results of fault injection experiments on the nonaccessible zone of the Leon3 executing a self-convergence algorithm

Zone Sensible

#injection

#errors

#timeouts

18938 bits

2519

42(1.66%)

58(2.3%)

REFERENCES [1]

[2]

As a conclusion, these experiments put in evidence the sensitivity of two programs running on a Leon3 processor, by applying different fault-injection approaches. The obtained results provide a good feedback about the accuracy of the proposed method, the DFI method, in estimating program error rates due to SEU. It is as well compared to other state-of-the art method the CEU method, and shows that for the register file case, the CEU over-estimates both the rates of timeouts and erroneous results. Both methods CEU and DFI are online methods, in a meaning that the result of each execution is forwarded to the PC of the user in order to have a better observability of the system. Other HDL based fault-injection methods, whether they are simulation or emulation methods, apply

[3]

[4] [5] [6] [7] [8]

[9]

6

Allan. H. Johnston, “Scaling and Technology Issues for Soft Error Rates”, Proceedings of 4th Annual Research Conference on Reliability, Stanford University, October 2000. T. Ma, P. Dressendorfer, “Ionizing Radiation Effects in MOS Devices and Circuits”, Wiley Eds., New York, 1989. R. Baumann, “Soft Errors in Advanced Computer Systems”, IEEE Design and Test of Computers, vol 22, n° 3, pp. 258-266, 2005. E. Normand, Single-Event Effects in Avionics, IEEE Trans. on Nuclear Science, Vol. 43, n° 2, pp. 461-474, April 1966. http://www.gaisler.com/cms/index.ph http://www.xilinx.com/ M. Nicolaidis, “Soft Errors in modern electronic systems”, SPRINGER Ed., ISBN 978-1-4419-6992-7, (2010) D. G. Mavis and P. Eaton, “ Soft error rate mitigation technqiues for modern microcircuits”, in Proc. of International Reliability Symp., (IRPS), pp. 216-225 (2002) P. Folkesson et al., “A comparison of simulation based and scan chain implemented fault injection”, Proc. Of the Annual International Symposium on Fault-Tolerant Computing, Jun. 1998, pp. 284-293.

[30] R. Velazco et. al., “Robustness with respect to SEUs of a selfconverging algorithm”, in Proc. of LATW 2011 (Latin American Test Workshop), Porto Galinhas, Brazil, 28-30 March 2011. [31] R.Velazco et. al., “Improving SEU fault tolerance capabilities of a self-converging algorithm”, in Proc. of RADECS 2011 (RADiation Effects on Circuits and Systems), Sevilla, spainl, 1923 September 2011. [32] P. Peronnard, “Etude de cas: caractérisation d'un processeur complexe de type PowerPC ”, chapter in Méthodes et outils pour l'évaluation de la sensibilité de circuits intégrés avancés face aux radiations naturelles“, october 2009

[10] H.Madeira et al., “RIFLE: a general purpose pin-level fault injector”, Proc of the European Dependable Computing Conference., 1994, pp. 199-216. [11] J. Arlat et al., “Fault-injection for dependability validation – a methodology and some applications”, Trans. on the IEEE Software Engineering, Feb. 1990, pp. 166-182. [12] V.Sieh et al., “VERIFY: evaluation of reliability using VHDLmodels with embedded fault description” Proc. Of the International Symposium on Fault-Tolerant Computing, pp. 3236, June 1997. [13] C. Rousselle et al., “A Register-Transfer-Level Fault Simulator for Permanent Faults in Embedded Processors”, in Proc. of DATE2001 Conference, Munich, Germany, 2001. [14] M. Shokralla-Shirazi et al., « FPGA-based fault injection into synthesizable verilog HDL models », The Second International Conference on Secure System Integration Reliability Improvement, SSIRI 2008. [15] B. Rahbaran et al., “Built-in fault injection in hardware- the FIDYCO example”, Proc. of the Second IEEE International Workshop on Electronic Design, Test and Application, pp. 327332, January 2004. [16] M. Alderighi et al., “Experimental validation of fault injection analysis by the FLIPPER tool”, Trans. on the Nuclear Science, vol 57, no. 4, pp. 2129-2134, Aug. 2010. [17] A. Mohammadi et al., “SCFIT: A FPGA-based fault injection technique for SEU fault model”, in Proc. of the Design, Autimation and Test in europe Conference and Exhibition (DATE), pp.586-589, 2012. [18] M. Jeitler et al., “FuSE – a hardware accelerated HDL fault injection tool”, In SPL. 5th Southern Conference on Programmable Logic, 2009, pp. 84-94, April 2009. [19] M. A. Aguirre et al., “FT-UNSHADES : A new system for SEU injection, analysis and diagnostics over post synthesis netlist”, in Proc. NASA Military and Aerospace Programmable Logic Devices, MAPLD, Washington, D.C., September 2005. [20] H. Guzman-Miranda et al., “FT-UNSHADES-up : A platform for the analysis and optimal hardening of embedded systems in radiation environments” IEEE International Symposium on Industrial Electronics, pp.2276-2281, 2008. [21] L. Naviner et al., “FIFA: A fault-injection-fault-analysis-based tool for reliability assessment at RTL level” in Microelectronics Reliability, vol. 51, pp. 1459-1463,2011. [22] P. Civera et al., “Exploiting FPGA-based techniques for faultinjection campaigns on VLSI circuits” IEEE International Symposium on Defect and Fault Tolerance in VLSI systems pp. 250-258, 2001. [23] H. Zhang et al., FITVS: A FPGA-based Emulation Tool For High Efficiency Hardness Evaluation”, in International Symposium on Parallel and Distributed Processing with Applications, pp.525531, 2008. [24] C. LopezOngil et al., “A unified Environment for Fault Injection at Any Design Level Based Emulation”, IEEE Trans. On Nuc. Sci., Vol 54, pp.946-950, 2007. [25] L. Entrena et al., “Soft Error Sensitivity Evaluation of Microprocessors by Multilevel Emulation-Based Fault Injection, Trans. On Computers, pp.313-322, 2012. [26] R. Velazco, S. Rezgui, and R. Ecoffet, “Predicting error rate for microprocessor-based digital architectures through c.e.u. (code emulating upsets) injection,” IEEE Trans. Nucl. Sci., vol. 47, pp. 2405–2411, December 2000 [27] Rezgui S., Velazco R., Ecoffet R., Rodriguez S., Mingo J.R., “Estimating error rates in processor-based architectures”, IEEE Trans. Nucl. Sci., vol. 48, pp. 1680–1687, October 2001. [28] R. Velazco et. al., “Integrated circuit qualification for Space and Ground-level Applications: Accelerated tests and Error-Rate Predictions”, Chapter in Soft Errors in Modern Electronic Systems, Springer Ed., (2010). [29] F. Faure, P. Peronnard, and R. Velazco, “Thesic+: A flexible system for SEE testing,” in Proc. of RADECS, 2002.

7

8