The fault-tolerant microprocessor systems used in safety-critical applications need to be thoroughly validated during the design stages. As feature sizes reduce in future CMOS technologies, there is an increased probability of transient and intermittent faults. This paper proposes a new model for multiple bit-flips in the time domain, which can be used to target fault injection experiments. This extends the single or multiple bit-flip model that is currently used. Some results from fault injection experiments on two different processor architectures are also presented to illustrate the applicability of this model.
increasing clock frequencies increase the probability of latching a fault that occurs on a combinational circuit in the output memory element [4]. As a result, embedded processor designers are increasingly employing fault-tolerant techniques to protect the internal datapaths and storage elements. This practice is in addition to the well-established requirement to protect the memory blocks, which are generally considered to be more susceptible to transient faults. An additional consequence of shrinking feature sizes and of increasing clock frequencies is the increased likelihood that multiple faults will occur from a single upset event. Fault-injection experiments on microprocessors found in the literature use only single bit-flips or concurrent multiple bit-flips [5, 6, 7]. Concurrent multiple bit-flips are often used in the evaluation of fault-tolerant memories. However, memory arrays and memory elements associated with the non-programmer-visible state control logic (such as the pipeline stage registers of a RISC CPU) affect the processor's operation in a different way. For that reason it is necessary to enhance the existing fault models with temporal parameters in order to efficiently validate the latter.
Fault model:
As has been explained, radiation-induced errors may occur in several consecutive clock cycles due to the characteristics of future CMOS sub-micron technologies. Furthermore, these errors may occur in different locations, depending on the different fault-propagating paths. Electromagnetic interference (EMI) with a periodic form can also be a source of consecutive errors. In order to model nonconcurrent multiple faults we propose the use of the normal distribution as a means of selecting the occurrence cycle number for each fault. Each randomly selected fault occurs at a cycle determined from the cumulative distribution function defined by:
Where µ is the mean fault injection cycle number, σ is the standard deviation and x is the cycle number. To select the cycle number at which to inject the fault into a particular pre-selected register, a sample is taken from a uniformly-distributed set of numbers in the interval 0 ≤ y(x) ≤ 1 and then x is determined from the inverse. The distribution function is plotted in Figure 1 for a mean error cycle of x = 50 and with several different standard deviations. It should be noted that there is a finite probability of the fault occurring outside the execution time of the program. In the event that this happens, another random number is selected according to the linear distribution function:
Where x_MAX is the last execution cycle number being considered in the fault injection campaign. By using this scheme it is guaranteed that the chosen fault or faults will be injected only during the execution of the program, and in addition it forms a method for injecting concentrated or uniformly distributed individual or multiple faults. For small values of σ, the fault profile takes the form of the cumulative distribution function of (1) and as σ increases it tends towards the uniform distribution of (2). This approach is general, and is potentially useful for characterising the properties of microprocessors in a variety of scenarios.
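The cycle-selection scheme described above, sketched as an added example (not code from the paper). It assumes cycles are numbered 0 to x_MAX and that the fallback draw is uniform over that range; the function names and x_MAX = 100 are constructed for illustration, while µ = 50 and the σ values are the ones quoted on this page.

```python
import random
from statistics import NormalDist


def sample_injection_cycle(mu, sigma, x_max, rng):
    """Return one fault-injection cycle in [0, x_max].

    sigma == 0 models concurrent faults (every fault lands on cycle mu).
    """
    if sigma > 0:
        y = rng.random()
        while y == 0.0:          # the inverse CDF needs 0 < y < 1
            y = rng.random()
        x = round(NormalDist(mu, sigma).inv_cdf(y))
    else:
        x = round(mu)
    if 0 <= x <= x_max:
        return x
    # Sample fell outside the program's execution: redraw uniformly
    # (assumption: uniform over cycles 0..x_max).
    return rng.randint(0, x_max)


def double_fault_schedule(mu, sigma, x_max, pairs, seed=0):
    """Cycle pairs for a double-fault campaign, reproducible via seed."""
    rng = random.Random(seed)
    return [(sample_injection_cycle(mu, sigma, x_max, rng),
             sample_injection_cycle(mu, sigma, x_max, rng))
            for _ in range(pairs)]


def fraction_within(schedule, window):
    """Share of fault pairs whose two injections are <= window cycles apart."""
    close = sum(1 for a, b in schedule if abs(a - b) <= window)
    return close / len(schedule)


if __name__ == "__main__":
    for sigma in (0, 0.83, 10, 510):
        sched = double_fault_schedule(mu=50, sigma=sigma, x_max=100, pairs=2000)
        share = fraction_within(sched, 5)
        print(f"sigma={sigma:>6}: {share:.3f} of pairs within 5 cycles")
```

With a short program (x_MAX = 100) the σ = 510 profile is dominated by the uniform fallback, which is the "tends towards the uniform distribution" behaviour the text describes.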
Fault injection experiments:
Using the multiple fault model described above, we have performed a set of fault-injection campaigns on two different processor configurations: a 5-stage pipelined microprocessor that implements the SPARC v8 instruction set (hereafter known as the simple architecture), and a fault-tolerant version of the above processor that has a triplicated core [8]. We injected double faults on the pipeline registers only, while the processor was executing two different benchmark programs (mtx4x4, bitcnt). We also gathered information concerning the processor's status and the results that were produced. 6000 pairs of faults were injected in each campaign, resulting in a total number of 240,000 simulations. Since VHDL simulation times are long, only a limited number of values for σ were selected (Table 1).

Table 1
Concurrent: The two faults are concurrent
σ = 0.83: 99% of the two faults occur within 5 clock cycles
σ = 10: 99% of the two faults occur within 60 clock cycles
σ = 510: 99% of the two faults occur within 3056 clock cycles
Uniform: The time of the two faults is chosen by using a uniform distribution
