Modelling electronic circuit failures using a Xilinx FPGA system. by Carney,  T. et al.
Durham Research Online
Deposited in DRO:
11 December 2015
Version of attached ﬁle:
Published Version
Peer-review status of attached ﬁle:
Peer-reviewed
Citation for published item:
Carney, T. and McWilliam, R. and Purvis, A. (2015) 'Modelling electronic circuit failures using a Xilinx
FPGA system.', Procedia CIRP., 38 . pp. 277-282.
Further information on publisher's website:
http://dx.doi.org/10.1016/j.procir.2015.08.039
Publisher's copyright statement:
c© 2015 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license.
Additional information:
Use policy
The full-text may be used and/or reproduced, and given to third parties in any format or medium, without prior permission or charge, for
personal research or study, educational, or not-for-proﬁt purposes provided that:
• a full bibliographic reference is made to the original source
• a link is made to the metadata record in DRO
• the full-text is not changed in any way
The full-text must not be sold in any format or medium without the formal permission of the copyright holders.
Please consult the full DRO policy for further details.
Durham University Library, Stockton Road, Durham DH1 3LY, United Kingdom
Tel : +44 (0)191 334 3042 | Fax : +44 (0)191 334 2971
http://dro.dur.ac.uk
 Procedia CIRP  38 ( 2015 )  277 – 282 
Available online at www.sciencedirect.com
2212-8271 © 2015 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license 
(http://creativecommons.org/licenses/by-nc-nd/4.0/).
Peer-review under responsibility of the Programme Chair of the Fourth International Conference on Through-life Engineering Services.
doi: 10.1016/j.procir.2015.08.039 
ScienceDirect
The Fourth International Conference on Through-life Engineering Services
Modelling electronic circuit failures using a Xilinx FPGA system
Thomas E. Carney. Richard P. McWilliam. Alan Purvis.*
School of Engineering and Computing Sciences, University of Durham,
∗ Corresponding author. Tel.: +44 0771 3505409; E-mail address: alan.purvis@durham.ac.uk
Abstract
FPGAs are a ubiquitous electronic component utilised in a wide range of electronic systems across many industries. Almost all modern FPGAs
employ SRAM based conﬁguration memory elements which are susceptible to radiation induced soft errors. In high altitude and space applica-
tions, as well as in the nuclear and defence industries, such circuits must operate reliably in radiation-rich environments. A range of soft error
mitigation techniques have been proposed but testing and qualiﬁcation of new fault tolerant circuits can be an expensive and time consuming pro-
cess. A novel method for simulating radiation-induced soft errors is presented that operates entirely within a laboratory environment and requires
no hazardous exposure to radiation or expensive airborne test rigs. A system utilising modular redundancy is then implemented and tested under
the new method. The test system is further demonstrated in conjunction with a software ﬂight simulator to test single electronic modules in the
context of active service on board a passenger aircraft and the eﬀects of failure under radiation induced soft errors are observed. Our research
proposes a test regime in which design strategies for self-healing circuits can be compared and demonstrated to work.
c© 2015 The Authors. Published by Elsevier B.V.
Peer-review under responsibility of the Programme Chair of the Fourth International Conference on Through-life Engineering Services.
Keywords: FPGA; Hardware-in-loop; Fault Tolerance; TMR; Fault Injection;
1. Introduction
The Field Programmable Gate Array is a programmable
logic device which has become ubiquitous in electronic systems
due to its cost, ease of use and reprogrammability. The inter-
national market for FPGAs is huge and growing. The FPGA
producer, Xilinx, reported 4th quarter sales in excess of half a
billion US dollars in 2013 [1] while competitor, Lattice Semi-
conductor, have sold over one billion FPGAs over the 10 year
period up to 2013, and are currently selling over a million units
per day of their ultra-low density iCE FPGAs [2].
Despite their many advantages, FPGAs are susceptible to
faults. Wirthlin et al. [3] provides a discussion of radiation
induced faults on SRAM based FPGAs. These faults can take
the form of (i) Total Ionizing Dose, causing permanent and
irreparable damage to the device. (ii) Single Event Latchup
(SEL) A potentially destructive condition in which a charged
particle causes latchup within a device. Once in latchup, high
currents will ﬂow through parasitic bipolar transistors and de-
stroy the device. (iii) Single Event Upset (SEU), a change in
state of a digital memory element caused by an ionizing parti-
cle. These last are soft errors which do not cause any permanent
damage to the device. [3] notes that devices such as the Xilinx
QPRO high reliability FPGA are immune to latchup and has an
acceptable dose tolerance, but are still sensitive to SEUs.
Anti-fuse FPGAs are available which are not susceptible to
SEUs, but as noted in [4] these have their own drawbacks. They
are one time programmable devices and are only available in
smaller devices with a much smaller gate count than SRAM
based versions.
Gusmao and Katensmidt [5] note the sensitivity of FPGAs
to radiation while Niknahad et al. [6] point out that it is the
SRAM memory elements inherent to most FPGAs which are
particularly susceptible to SEUs (Single Event Upsets). Such
errors may not present in systems in stable environments, and
it is possible that some low priority systems may allow for such
errors, but FPGAs have now become commonplace in critical
applications in which transient faults cannot be tolerated. Such
applications are pervasive in hazardous or remote applications
including aircraft and spacecraft, where errors due to radiation
are more likely.
Aircraft and spacecraft are prime examples of environments
where these faults from radiation are likely to occur and abso-
lutely cannot be tolerated.
[7] notes the eﬀects of mechanical and/or ionizing stress dur-
ing aircraft and spacecraft launch and operations, and the high
incidence of cosmic rays and high energy photons encountered
by FPGA systems operating in deep space.
   . li   l i  . . This is an open access article under the CC BY-NC-ND license 
(http://cr ativecommons.org/ censes/by-nc-nd/4.0/).
Peer-review under responsibility of the Programme Chair of the Fourth International Conference on Through-life Engineering Services.
278   Thomas E. Carney et al. /  Procedia CIRP  38 ( 2015 )  277 – 282 
It is clear then that fault tolerance and fault recovery in FP-
GAs is an absolutely vital area of research for aerospace appli-
cations. However, the testing and qualiﬁcation of such systems
for ﬂight is of equal importance, and can be an extremely ex-
pensive process. [8] notes the expense and complexity involved
in testing a piece of equipment under realistic operating condi-
tions
1.1. TMR
TMR (Triple Modular Redundancy) is a technique com-
monly used in high radiation environments to avoid errors. It
is the most common scheme for mitigating SEU (Single Event
Upset) errors in sequential circuits in orbit. [9] TMR uses hard-
ware redundancy to mask any single design failure by voting on
the result of three identical copies of the same functional unit.
[10]. Morgan et al. [11] points out several successful demon-
strations of TMR implementation, but point out the drawbacks
of the scheme in terms of the additional resources required. In
fact TMR can require up to six times the area of the original
circuit [3]
1.2. Conﬁguration Scrubbing
Conﬁguration scrubbing is the process of reloading the bit-
stream into conﬁguration memory during operation. This can
be carried out constantly or in the instance of fault detection.
Adell and Allen [4] point out that this process will require an
external, radiation hardened ASIC or one time programmable,
Anti-Fuse FPGA. [4] also notes that scrubbing in itself is not
a useful technique, but rather must be associated with a redun-
dancy scheme in order to observe any improvement in reliabil-
ity. This recommendation is echoed by Bridgeford et al. [12]
as discussed in the section on Xilinx tools, below.
1.3. Xilinx Tools
Bridgeford Et Al [12] in the Xilinx application note ”Single
Event Upset Mitigation Selection Guide” present a number of
fault mitigation techniques which can be easily implemented
through Xilinx’ own software tools. The most basic approach
noted is termed ”Power Cycling” i.e. switching the power oﬀ
and then on again to force the FPGA to reconﬁgure.
1.4. Real World Eﬀects
The failure rate of FPGA devices due to SEUs is entirely
dependent on the level of radiation, most signiﬁcantly neutron
ﬂux, and device cross section. [13] The largest Virtex-6 de-
vice (XC6VLX760) contains 184,823,072 bits of conﬁguration
memory and will exhibit a nominal failures-in-time (FIT) rate
of 176 at sea-level in New York. While this represents a mean
time between failures (MTBF) of 648 years, a system com-
prised of 1,000 FPGAs would experience a failure every year.
[14] At high altitude (40000 feet), these numbers severely in-
crease, namely as much as 100 times at the Equator and 560
times at the Earth poles [15].
Real world failures due to SEUs have been known to occur
and pose a grave threat to the aviation industry. On 7 October
2008, Qantas ﬂight 72 suﬀered a SEU in one of its three Air
Data Inertial Reference Units causing the aircraft to carry out
a sudden pitch down manoeuvre causing over 100 injuries to
passengers including 14 serious injuries requiring passengers
to be airlifted to hospital following an emergency landing. [16]
1.5. Testing Apparatus
Experiments for this investigation were carried out us-
ing the Xilinx ML605 evaluation board, featuring a Virtex-6
XC6VLX240T FPGA. Designs were developed in VHDL us-
ing ISE 14.7 and Xilinx System Generator in conjunction with
Matlab 2013b. Though the problem of enhancing resilience has
led to many design strategies there is a need to develop a stan-
dard test bed to stress these diﬀerent circuits in repeatable, near
real world engineering systems.
2. Error Injection System
The fault mitigation schemes put forward in this study are
intended to be used in the presence of ionizing radiation, es-
pecially at high altitude, but it would be expensive, time con-
suming and potentially dangerous to test these schemes in such
an environment and so it was necessary to develop a technique
for simulating the eﬀects of ionizing radiation by artiﬁcially in-
troducing SEUs in the laboratory. One possible approach to
introducing SEUs is Beam Testing. The device under test can
be placed in a test chamber and bombarded with a beam of ar-
tiﬁcially generated radiation. Advantages to this technique are
that the level of radiation can be accurately monitored and con-
trolled, and that this is the closest possible simulation to actu-
ally exposing the hardware to natural ionising radiation. The
obvious disadvantage to this approach is the immense cost as-
sociated with the development of a beam testing facility. [17],
[18] and [19] all present details of such test schemes where pur-
pose built facilities have been constructed. [17] and [18] present
neutron beam testing facilities at diﬀerent energies while [19]
employs proton beam testing via a synchrotron device. All of
these facilities represent a considerable investment of time and
capital resources whilst only managing to perform testing over
a small range of possible radiation sources.
If beam testing is considered to be too costly, then a sim-
ulation of SEU by local hardware is an acceptable alternative.
[6] notes that the nature of SEUs is to invert SRAM memory
elements within the FPGA. An external fault injection system
could be developed using Xilinx Dynamic Reconﬁguration to
modify the state of the conﬁguration memory. A method simi-
lar to this is presented in [20] where it is used to eﬀectively sim-
ulate some SEU type errors. This approach is restricted by the
limits of the Xilinx reconﬁguration techniques which will ac-
tively prevent alteration of certain reserved bits in conﬁguration
memory, providing a level of protection which is not present in
real-world applications.
The chosen solution was to use the Xilinx Soft Error Mitiga-
tion (SEM) IP Core. This core is included as part of the Xilinx
CoreGen utility and is intended as an error detection and correc-
tion tool, but can also be conﬁgured to provide fault injection
by inverting bits in the FPGA conﬁguration memory via the
279 Thomas E. Carney et al. /  Procedia CIRP  38 ( 2015 )  277 – 282 
FPGA’s Internal Conﬁguration Access Port (ICAP). The error
detection and correction capabilities of the SEM core are ap-
plicable only to a small selection of Xilinx’ own FPGA chips.
Furthermore, the design and operation of the SEM core is con-
sidered by Xilinx to be commercially sensitive information and
is not available to form part of this study. For these reasons this
will not be considered as a fault mitigation scheme for the pur-
poses of this study. The Error Injection function is not required
to be transferrable to other technologies and while its capabili-
ties cannot be independently veriﬁed, they are fully documented
in [21]. This makes the SEM core an appropriate and expedient
tool to use for the implementation of error injection, although
there are a number of issues which need to be overcome before
the SEM IP core can be used in this manner.
2.1. Addressing
The SEM IP core is designed for testing the fault tolerance
of an entire, chip-wide design, but the creation of such a design
is a huge task and is well beyond the scope of this project. The
Virtex-6 XC6VLX240T contains in excess of 57 million ad-
dressable bits of conﬁguration memory of which no more than
6% was ever used during this investigation. The SEM core is
capable of injecting errors into the conﬁguration memory at an
address speciﬁed at run time, but there is no direct mapping of
conﬁguration memory address space to FPGA fabric physical
location of logic, in fact this mapping is deliberately withheld
by Xilinx in order to protect the intellectual property of its cus-
tomers. It is diﬃcult therefore to be conﬁdent that errors are
being injected into an address which will (i) compromise the
design (ii) avoid compromising the SEM core itself. In order to
determine a suitable address range for error injection, the fol-
lowing steps were taken:
1. Area Constraints
The user constraint ﬁle included with the design was modi-
ﬁed to place strict physical area constraints on the logic un-
der test. This constraint restricts the CLB slice and Block
RAM ranges where the logic can be placed as well as spec-
ifying that no other logic can be placed within this range.
2. FPGA Editor
The FPGA editor program is a part of the ISE design
tools. If run from the command line with the appropri-
ate switches, this tool will automatically access the user
constraint ﬁle mentioned above and incorporate it into the
place and route process to generate the native circuit de-
scription and physical constraint ﬁles required to specify
the physical implementation of the circuit. FPGA Editor
can also create a log ﬁle which details how the area con-
straints in the user constraint ﬁle have been implemented.
3. Bitstream Generation
The BitGen program uses the native circuit description and
physical constraint ﬁles from the place and route process
to create a bitstream to conﬁgure the device. If the proper
command line switches are used, then BitGen is also ca-
pable of generating an essential bits ﬁle (.ebd). This ﬁle is
a string of binary digits representing every bit in the bit-
stream, but rather than representing the actual data, a ’1’
represents a bit which is used in the design and a ’0’ rep-
resents an unused bit. Crucially, BitGen can be instructed
to access the log ﬁle created by FPGA Editor and generate
the essential bits ﬁle only for the parts of the design men-
tioned in the area constraints which were inserted into the
user constraint ﬁle.
4. Essential Bit Analysis
The .ebd ﬁle created by BitGen is still not particularly use-
ful as it is in a proprietary format, details of which are not
made available by Xilinx. Through negotiation with Xil-
inx it was possible to acquire the EBD Analyser — a piece
of software which is not advertised or commercially avail-
able but is used by Xilinx engineers speciﬁcally for the
purpose of analysing the EBD ﬁle and generating a list of
linear frame addresses in conﬁguration memory. Unfortu-
nately the only version of the EBD Analyser in existence
is designed exclusively for 7-series FPGAs. The SEM IP
core for 7-series uses a slightly diﬀerent address structure
to the Virtex-6 version. Address structures are detailed
in [21] and so it was possible to write a C++ program to
parse the address ﬁle and generate a list of conﬁguration
memory addresses which were correctly structured for the
Virtex-6.
2.2. Communication
The SEM IP core, when conﬁgured for error injection, has a
36 bit inject-address bus input and an inject-strobe input which
can be used to inject errors to a known address. Unfortunately
using these pins to inject errors to a series of non-sequential ad-
dresses while meeting timing requirements for injection proved
impractical. Fortunately when the SEM IP core is instantiated
it contains a PicoBlaze soft microcontroller. The PicoBlaze is
a very small, very limited controller which in this case serves
only as a control mechanism for the SEM IP core. Commands
can be sent to, and data received from the pico-blaze using the
monitor tx and monitor rx pins. In order to make use of this
control mechanism, a soft RS232 communication module was
implemented on the FPGA using the on-board UART of the
ML605 board, and connected to the monitor tx and monitor rx
pins of the controller. A proprietary software interface was writ-
ten in the C# language to allow fault injection commands to be
written to the on board UART from a windows PC.
2.3. Integration with System Generator
The above steps are suﬃcient to enable error injection via
the SEM IP core into any design generated using the ISE tools,
but in order to interface the design with the Flight Simulator
in Simulink it was necessary to use the design in Hardware
CoSimulation mode in System Generator. System Generator
inherently takes control of all i/o on the FPGA which renders
the USB communication mentioned above ineﬀective. To solve
this problem it was necessary to redeﬁne the ML605 board pa-
rameters within System Generator and reserve some pinouts as
Non Memory Mapped (NMM) Ports. The NMM ports could be
assigned to ports on the SEM IP block within system generator,
eﬀectively routing those i/o ports to the on-board resources.
3. N Modular Redundancy
The most common method of fault mitigation is Triple Mod-
ular Redundancy, or more generally, N-Modular Redundancy.
280   Thomas E. Carney et al. /  Procedia CIRP  38 ( 2015 )  277 – 282 
Fig. 1. Example of Triple Device Redundancy
The principle of operation of this scheme is to create multiple
copies of the same module and apply a majority voting mech-
anism to the outcome. For this scheme to be eﬀective, N must
be greater than or equal to 3. Systems with N=2 may be able
to detect an error but will not be able to correct it. The system
of N-Modular redundancy which has been implemented here is
similar to that presented by [22].
In implementing a system of modular redundancy it is nec-
essary to decide the level at which redundancy will exist. The
most reliable system would be device level redundancy. [22]
notes that this method ”has the highest reliability for detecting
single and multiple bit upsets, transient upsets, and any other
functional interrupts including total device failure” [12] agree
that ”duplicating the design on multiple FPGAs with voting on
the outputs of the FPGAs provides the most robust mitigation
scheme” This arrangement is shown in ﬁg. 1. It is obvious how-
ever that this approach is the most costly in terms of resources,
requiring multiple discrete devices as well as a radiation hard-
ened voting device.
The Module level redundancy approach applies the same
concept to the individual modules on the chip. Each module
is replicated and a voting mechanism is applied for each output
required. This level of redundancy provides a trade-oﬀ between
resource utilisation and fault tolerance. It is possible to employ
a more ﬁne grained level of redundancy, with every individ-
ual component in the module, or even every logic gate or Slice
LUT being replicated. This ﬁnest level of redundancy requires
extremely high levels of resources, as discussed below.
The addition of the voting logic introduces a potential weak-
ness into the system as this new component involves additional
logic where errors may occur. It is diﬃcult to envisage any
manner in which a modular redundancy system may protect its
own voting mechanism without introducing yet more unpro-
tected voting mechanisms. This additional circuitry may lead
to an increased likelihood of single faults occurring while si-
multaneously increasing the reliability of the overall system.
It is inherently diﬃcult to implement n-modular redundancy
for FPGAs due to the complex design ﬂow involved in moving
from HDL code to bitstream, most of which is beyond the con-
trol of the engineer. Synthesis tools such as Synopsis Synpliy
and Xilinx Synthesis Tool (XST) perform optimisation opera-
tions on the schematics and HDL code created by the engineer
and are explicitly designed to remove any redundant logic in
order to maximise on-chip resource utilisation. To avoid this
Fig. 2. Schematic diagram of the ripple multiplier circuit used to test redundant
circuit
unwanted optimisation process it is necessary to use the design
approach detailed in [22]. This includes designing all circuits
using purely structural VHDL in order to gain an extra level of
control over the synthesised design. It is also required to assign
synthesiser attributes to the designed modules. These attributes
vary between synthesis tools but when using XST it is neces-
sary to apply the ”KEEP HIERARCHY = true” attribute to the
top level module in the design, and to apply the ”KEEP = true”
and ”EQUIVALENT REGISTER REMOVAL = no” to all in-
terconnecting signals.
4. Device Under Test
For the ﬁrst part of this study, the circuit being tested was an
array of binary multipliers, with an input of 16 x 4bit numbers
and outputting a single 64bit number. The numbers are mul-
tiplied together in stages, two at a time, with the outcome of
each multiplication rippled forward to a next stage multiplier,
as shown in ﬁg 2. This conﬁguration was chosen because it
provides a simple, predictable calculation with a high number
of bitwise logic functions. Each multiplier is composed of a
shift register and ripple adder. These arithmetic components
were built in structural VHDL at gate level in order to avoid be-
ing synthesised into any specialised arithmetic logic circuits on
the FPGA, but rather to encourage synthesis into Slice LUTs in
order to keep the results of the trial as generalised as possible.
Several versions of this circuit were implemented for analy-
sis and testing as detailed below.
• Version 1 was unprotected and essentially identical to the
version displayed in Fig 2. Following synthesis and place-
ment this circuit was found to occupy 4245 Slice LUTs.
• Version 2 was designed with 3x module level redundancy
and Version 3 was designed with 5x module level redun-
dancy, as discussed in III above. Following synthesis and
placement these circuits were found to occupy 17,564 and
29,138 Slice LUTs respectively.
• Version 4 was designed with triple component level re-
dundancy. In this conﬁguration each full adder, ripple
281 Thomas E. Carney et al. /  Procedia CIRP  38 ( 2015 )  277 – 282 
Table 1. Characteristics of the circuit designs created
Ver. Replic. Replic. LUT Res. Res.
Count Level Count Util. Increase
1 x1 NA 4245 2%
2 x3 Module 17564 11% x4.18
3 x5 Module 29138 19% x6.86
4 x3 Component 176555 111%
Fig. 3. Box plot showing the distribution of the number of errors injected before
a fault is observed
adder and multiplier was triplicated with voting mecha-
nisms added. Following synthesis and placement this cir-
cuit was found to occupy 176,555 Slice LUTs.
This data is summarised in table 1. It can be seen from the
table that resource utilisation increases beyond the replication
level, with each multiple of module level replication requir-
ing approximately 1.375x increase in resources. Furthermore
it should be noted that version 4 could not be studied further as
it required more resources than were available on the Virtex-6
chip.
5. Testing and Results
Each circuit was implemented within the system generator
hardware co-simulation model and subjected to a series of er-
rors via the error injection system described above in section II.
The inputs to the hardware were kept constant and consequently
the output would normally be expected to remain constant. For
circuit 1, a fault was considered to have occurred when the out-
put from the circuit changed by one or more bits at which point
the trial was ended and the system reset. For the TMR pro-
tected circuit 2 it was noted when a single one of the outputs
changed, but the trial was continued until the ﬁnal, voted out-
put also changed.
The data collected from these trials is summarised in ﬁgs 3
and 4. and table 2. Note that the conﬁdence interval stated in
table 2 is adjusted for the fact that the number of errors before
failure must be greater than or equal to 1.
It can be seen from ﬁg 3 that the reliability of each individual
output is reduced by the inclusion of module level redundancy,
while the overall reliability of the system is improved. The to-
tal range of the data is greatly increased for the TMR circuit
and there is considerable overlap between the three result sets,
Table 2. Summary of data
Version Mean Std Dev 99.7% interval
Non Redundant 4956.59 1988.2 1 — 10921
TMR Single Fault 3163.64 1530.08 1 — 7754
TMR Failure 9607.58 5921.41 1 — 27371
Fig. 4. Cumulative Frequency of the count of errors injected before a fault is
observed
indicating that while the TMR circuit is likely to be more re-
silient to SEUs, it is possible that it may fail just as quickly.
This is consistent with expectations given the random nature of
the simulated SEUs which are equally likely to strike the ﬁnal
output voter as any other component.
6. Flight Simulator Link
In order to assess the real-world eﬀects of the error injection
mechanism, as well as to achieve a realistic, full test environ-
ment of the circuits under test, the System Generator model was
linked to the Flight Gear open source ﬂight simulator. Flight
gear contains some native support for interfacing with Matlab,
via the Simulink Aerospace Blockset. This method of interface
was used where possible due to its relative ease of use, but not
all of the internal parameters used by Flight Gear can be ac-
cessed in this method, it was therefore necessary to implement
a novel, more expandable interface. A schematic diagram of
the complete test setup can be seen in ﬁg.5.
FlightGear is capable of running with an inbuilt telnet server
which can be used to access and set any values in its internal
parameter tree via a set of telnet commands. In order to in-
terface with the telnet server, a set of tcp sockets were set up
within the Simulink model to act as i/o blocks. The Flight Sim-
ulator model used was an Airbus A380. A hardware model of
the aircraft’s pitot tube control electronics was developed. With
the hardware-in-loop model running, the error injection appli-
cation was used to introduce simulated SEUs into the FPGA
SRAM memory in batches of 100 SEUs at a time.There were
two failure modes present: Failure mode 1 was to cause the
measured forward pressure to increase dramatically, by up to
30 orders of magnitude in some cases. This erroneous data
caused the autopilot in the simulated aircraft to believe that its
282   Thomas E. Carney et al. /  Procedia CIRP  38 ( 2015 )  277 – 282 
Fig. 5. Overall schematic diagram of the system, showing relevant circuitry
within the FPGA as well as external components
speed was unnecessarily high and reduce the engine power to
idle speed, causing the aircraft to rapidly lose altitude. Failure
mode 2 was to cause the measured forward pressure to dramat-
ically decrease, often to zero. This erroneous data would cause
the autopilot to assume that its speed was dangerously low and
throttle the engines to maximum in an attempt to compensate.
Many devices can be modelled in hardware and placed in-loop
in the ﬂight simulator. SEU injection has been demonstrated
but fault types such as stuck-at or ’no fault found’ could be
simulated, mitigation techniques implemented.
7. Conclusions
A Hardware-in-loop method for the qualiﬁcation of FPGA
circuits with radiation induced soft errors has been developed.
It relies on generating random SEU type errors within the hard-
ware under test without dangerous radiation or expensive air-
borne test rigs. The method can be used to assess modular re-
dundancy in FPGA circuits and shows increased reliability for
TMR circuits. Furthermore the method has been applied to the
Flight Gear open source ﬂight simulator to conduct hardware-
in-loop testing of speed calculations from pressure readings and
the resultant failure modes observed. It has been demonstrated
that the fault injection tools developed to compare approaches
to designing resilience into circuits work well as the TMR ex-
ample shows.
Acknowledgements
This work was carried out with the support of the EP-
SRC Innovative Centre for Through-life Engineering Services.
[EP/IO33246/1]. AP is also grateful for the support and wel-
come he received whilst a visitor at the University of Sydney
Australian Centre for Field Robotics.
References
[1] “Xilinx investor information,” http://investor.xilinx.com/releasedetail.cfm?
ReleaseID=759113.
[2] EETimes, “With over 1 billion fpgas sold, lattice introduces machxo3 fam-
ily,” http://www.eetimes.com/document.asp?doc id=1319597.
[3] M. Wirthlin, N. Rollins, M. Caﬀery, and P. Graham, “Hardness by design
techniques for ﬁeld programmable gate arrays,” in Proc. 11th annual NASA
symposium on VLSI design, Coeur d’Alene, Idaho, 28-29 May 2003.
[4] P. Adell and G. Allen, “Assessing and mitigating radiation eﬀects in xilinx
fpgas,” JPL Publ, vol. 08-09, 2008.
[5] F. Gusmao, G. Kastensmidt, R. Hentschke, L. Carro, and R. Reis, “Design-
ing fault tolerant techniques for sram-based fpgas,” IEEE Design and Test,
vol. 21, pp. 552–562, 2004.
[6] M. Niknahad, O. Sander, and J. Becker, “Qfdr — an integration of quadded
logic for modern fpgas to tolerate high radiation eﬀect rates,” in 12th Euro-
pean Conference on Radiation and Its Eﬀects on Components and Systems
(RADECS), Sevilla, Spain, 19-23 Sept 2011, pp. 119–122.
[7] M. G. Parris, C. A. Sharma, and R. F. Demara, “Progress in autonomous
fault recovery of ﬁeld programmable gate arrays,” ACM Comput. Surv,
vol. 43, pp. 31:1–31:30, 2011.
[8] A. Griﬃo, D. Druryand, and D. Salt, “Hardware in the loop based syn-
chronous generator emulation test rig for more electric aircraft power sys-
tems,” in 6th IET International Conference on Power Electronics, Ma-
chines and Drives, Bologna, Italy, 16-18 Oct 2012, pp. 1–6.
[9] S. Smith, “Single event upset mitigation by means of a sequential circuit
freeze,” Microelectronics Reliability, vol. 52, pp. 1233–1240, 2011.
[10] M. Straka, J. Kastil, Z. Kotasek, and L. Miculka, “Fault tolerant system de-
sign and seu injection based testing,” Microprocessors and Microsystems,
vol. 37, pp. 155–173, 2007.
[11] K. Morgan, D. McMurtrey, B. Pratt, andM.Wirthlin, “A comparison of tmr
with alternative fault tolerant design techniques for fpgas,” IEEE Transac-
tions on Nuclear Science, vol. 54, pp. 2065–2072, 2007.
[12] B. Bridgeford, C. Carmichael, and C. W. Tseng, Xilinx Application Note
987: Single-event upset mitigation selection guide, 2008.
[13] C. Hu and Z. Suhail, Xilinx Application Note 1073: NSEU Mitigation in
Avionics Applications, 2010.
[14] Neutron Induced Single Event Upset FAQ, Microsemi Corporation, 2011,
www.microsemi.com/document-portal/doc view/130760-neutron-seu-faq.
[15] C. Leong, J. Semiao, M. B. Santos, I. C. Teixeira, and J. P.
Teixeira, “Seu sensor for short-term eﬀects monitoring in fpgas,”
INESC-ID Technical Report, Tech. Rep., June 2013, http://www.inesc-
id.pt/ﬁcheiros/publicacoes/9174.pdf.
[16] A. T. S. Bureau, “In-ﬂight upset 154km west of learmouth, wa, 7 october
2008,” 2008.
[17] M. Osterlund, J. Blomgren, S. Pomp, and A. V. Prokoﬁev, “The uppsala
neutron beam facility for electronics testing,” Nuclear Instruments and
methods in Physics Research, vol. B241, pp. 419–422, 2005.
[18] S. Lee, J. Rinckel, and P. E. Sokol, “New neutron radiation eﬀects capa-
bilities at the low energy neutron source (lens),” Physics Procedia, vol. 60,
pp. 110–117, 2014.
[19] A. Hasanbegovic, “Proton beam characterization at oslo cyclotron labo-
ratory for radiation testing of electronic devices,” 16th Symposium on the
Design and Diagnostics of Electronic Circuits and Systems, pp. 135–140,
2013.
[20] M. Straka, J. Kastil, and Z. Kotasek, “Seu simulation framework for xilinx
fpga: First step towards testing fault tolerant systems,” 14th Euromicro
conference on Digital System Design, pp. 223–230, 2011.
[21] Xilinx product guide PG036: LogiCORE IP Soft Error Mitigation Con-
troller v4.0, 2013.
[22] S. Habinc, “Functional triple modular redundancy: Vhdl design methodol-
ogy,” Gaisler Research, vol. v0.2, pp. 003–01, 2002.
