MODULARIZATION OF TRIPLE FAULT-TOLERANT DESIGNS (TFTD) by Archer, Stuart C.
Calhoun: The NPS Institutional Archive
DSpace Repository





Monterey, CA; Naval Postgraduate School
http://hdl.handle.net/10945/63984
This publication is a work of the U.S. Government as defined in Title 17, United
States Code, Section 101. Copyright protection is not available for this work in the
United States.








MODULARIZATION OF TRIPLE FAULT-TOLERANT 
DESIGNS (TFTD) 
by 
Stuart C. Archer 
December 2019 
Thesis Advisor: Herschel H. Loomis 
Co-Advisor: James H. Newman 
 
Approved for public release. Distribution is unlimited. 
THIS PAGE INTENTIONALLY LEFT BLANK 
 REPORT DOCUMENTATION PAGE  Form Approved OMB No. 0704-0188 
 Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing 
instruction, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of 
information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions 
for reducing this burden, to Washington headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson 
Davis Highway, Suite 1204, Arlington, VA 22202-4302, and to the Office of Management and Budget, Paperwork Reduction Project 
(0704-0188) Washington, DC 20503. 
 1. AGENCY USE ONLY 
(Leave blank)  
2. REPORT DATE 
 December 2019  
3. REPORT TYPE AND DATES COVERED 
 Master’s thesis 
 4. TITLE AND SUBTITLE 
MODULARIZATION OF TRIPLE FAULT-TOLERANT DESIGNS (TFTD)  
5. FUNDING NUMBERS 
 
  
 6. AUTHOR(S) Stuart C. Archer 
 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 
Naval Postgraduate School 
Monterey, CA 93943-5000 
 8. PERFORMING 
ORGANIZATION REPORT 
NUMBER 
 9. SPONSORING / MONITORING AGENCY NAME(S) AND 
ADDRESS(ES) 
N/A 
 10. SPONSORING / 
MONITORING AGENCY 
REPORT NUMBER 
 11. SUPPLEMENTARY NOTES The views expressed in this thesis are those of the author and do not reflect the 
official policy or position of the Department of Defense or the U.S. Government. 
 12a. DISTRIBUTION / AVAILABILITY STATEMENT 
Approved for public release. Distribution is unlimited.  
12b. DISTRIBUTION CODE 
 A 
13. ABSTRACT (maximum 200 words)     
 The configurable fault-tolerant processor (CFTP) project was intended to develop the means for a 
system to operate in areas which include frequent single-effect events (SEEs) similar to those caused by 
ionized radiation colliding with logic gates. Such errors are capable of degrading the functionality of a 
system and completely changing a state machine, such as is at the heart of most spacecrafts’ processors. The 
method for this consisted of a field-programmable gate array (FPGA) being designed into a system which is 
capable of detecting and then correcting SEEs. The system was designed by many students. This project will 
take that design, which launched into space earlier this year, and reduce it to modules which can be uploaded 
individually, built around a core which will be part of the existing triple fault-tolerant design (TFTD). 
Modularizing the code allows more experiments to be simultaneously performed in the future, by changing 
the architecture of the system to upload specific modules to specified addresses. This will allow smaller 
uploads and code tweaks, without incurring long upload times, and more frequent updates to run specific 
tests ad hoc. Research and development conducted for this thesis has demonstrated the capability to inject 
configuration errors into the current design and the TFTD’s ability to detect those and similar errors, 
contributing to a better understanding of the TFTD. 
 14. SUBJECT TERMS 
configurable fault tolerant processor (CFTP), global triple-modular redundancy (GTMR), 
NPSAT-1, field-programmable gate array (FPGA), single event effect (SEE), cache, 
memory controller, error mitigation, hardware design, softcore design, triple fault-tolerant 
design (TFTD) 
 15. NUMBER OF 
PAGES 
 209 
 16. PRICE CODE 




 18. SECURITY 
CLASSIFICATION OF THIS 
PAGE 
Unclassified 








NSN 7540-01-280-5500 Standard Form 298 (Rev. 2-89) 
Prescribed by ANSI Std. 239-18 
i 
THIS PAGE INTENTIONALLY LEFT BLANK 
ii 
Approved for public release. Distribution is unlimited. 
MODULARIZATION OF TRIPLE FAULT-TOLERANT DESIGNS (TFTD) 
Stuart C. Archer 
Lieutenant, United States Navy 
BS, Texas A&M University, 1995 
Submitted in partial fulfillment of the 
requirements for the degree of 
MASTER OF SCIENCE IN SPACE SYSTEMS OPERATIONS 
from the 
NAVAL POSTGRADUATE SCHOOL 
December 2019 
Approved by: Herschel H. Loomis 
Advisor 
James H. Newman 
Co-Advisor 
James H. Newman 
Chair, Department of Space Systems Academic Group 
iii 
THIS PAGE INTENTIONALLY LEFT BLANK 
iv 
ABSTRACT 
The configurable fault-tolerant processor (CFTP) project was intended to develop 
the means for a system to operate in areas which include frequent single-effect events 
(SEEs) similar to those caused by ionized radiation colliding with logic gates. Such errors 
are capable of degrading the functionality of a system and completely changing a state 
machine, such as is at the heart of most spacecrafts’ processors. The method for this 
consisted of a field-programmable gate array (FPGA) being designed into a system which 
is capable of detecting and then correcting SEEs. The system was designed by many 
students. This project will take that design, which launched into space earlier this year, 
and reduce it to modules which can be uploaded individually, built around a core which 
will be part of the existing triple fault-tolerant design (TFTD). Modularizing the code 
allows more experiments to be simultaneously performed in the future by changing the 
architecture of the system to upload specific modules to specified addresses. This will 
allow smaller uploads and code tweaks, without incurring long upload times, and more 
frequent updates to run specific tests ad hoc. Research and development conducted for 
this thesis has demonstrated the capability to inject configuration errors into the current 
design and the TFTD’s ability to detect those and similar errors, contributing to a better 
understanding of the TFTD. 
v 
THIS PAGE INTENTIONALLY LEFT BLANK 
vi 
vii 




II. BACKGROUND AND PRIOR WORK ..............................................................5
A.  TRIPLE MODULAR REDUNDANCY (TMR) AND ERROR 
MITIGATION ............................................................................................5 
B.  SEM CONTROLLER .............................................................................10 
C.  CURRENT DESIGN ...............................................................................13 
D.  CONTRIBUTIONS FROM EARLIER THESES.................................15 
III. IMPLEMENTATION .........................................................................................17
A.  DESIGN ARCHITECTURE AND IMPLEMENTATION ..................18 
1. TMR Architecture and Implementation ....................................18
2. SEM Architecture and Design ....................................................21
a. SEM Interfaces .................................................................23
b. Partial Reconfiguration ....................................................24
3. Other Code Modules ....................................................................25
B.  ERROR CORRECTION.........................................................................25 
1. Latency Analysis ..........................................................................27
C.  ERROR INJECTION ADDRESSING ...................................................28 
D.  TMR ERROR REPORTING .................................................................31 
E.  FUNCTIONAL TESTING ......................................................................32 
IV. TESTING AND EVALUATION ........................................................................35
A.  TEST ARCHITECTURE ........................................................................35 
B.  TEST PLAN .............................................................................................37 
C.  TEST RESULTS ......................................................................................42 
V.  CONCLUSION ....................................................................................................51 
A.  CONCLUSIONS ......................................................................................51 
B.  FUTURE WORK .....................................................................................52 




3. Pr_example.xdc ............................................................................89 
APPENDIX B. TMR CODE ..................................................................................97 
A. TMR_MULT_EXP.V ..............................................................................97 
1. err_gen.v .....................................................................................109 
2. TMR_LRS.v ...............................................................................111 
a. A_31_bit_voter.v ..............................................................116 
3. TMR_arr_mult_X.v ...................................................................117 
a. mult18x18_str.v ...............................................................122 
b. a_36bit_voter.v ................................................................126 
4. nuversion7.v ................................................................................127 
APPENDIX C. SOFT-ERROR MITIGATION CODE ....................................131 
A. SEM_0_SUPPORT_WRAPPER.V ......................................................131 
B. SEM_0_CFG.V.......................................................................................146 
C. SEM_0_SAMPLE_MESSAGE_DECODER.V ...................................151 
D. SEM_0_SAMPLE_MESSAGE_ENCODER.V ...................................161 
E. SEM_0_SEM_MON_FIFO.V ...............................................................168 
F. SEM_0_INJECTION_HANDLER.V ...................................................175 
APPENDIX D. INTELLECTUAL PROPERTY (IP) SETTINGS ..................185 
A. CLOCK WIZARD SETTINGS ............................................................185 
B. SOFT ERROR MITIGATION IP SETTINGS ...................................185 
LIST OF REFERENCES ..............................................................................................189 




LIST OF FIGURES  
Figure 1.  Localized Triple Modular Redundancy (LTMR) Example. Source:  
[2]. ................................................................................................................7 
Figure 2.  Distributed Triple Modular Redundancy (DTMR) Example. Source: 
[2]. ................................................................................................................7 
Figure 3.  TMRed Array Multiplier..............................................................................8 
Figure 4.  TMR with Next-State Logic. Adapted from [8]. .........................................9 
Figure 5.  TMRed LRS Operand Generator ...............................................................10 
Figure 6.  CFTP-7 NPSAT-1 Implementation for Spaceflight – June 2019 ..............14 
Figure 7.  Mercury KX1 Module Architecture. Source: [10]. ....................................15 
Figure 8.  Placement Constraints ................................................................................19 
Figure 9.  Implementation Usage ...............................................................................20 
Figure 10.  Lower half of Nexys 4 DDR Board. Adapted from [13]. ..........................30 
Figure 11.  Nexys 4 DDR with USB connection to JTAG Port. Source: [15]. ............38 
Figure 12.  Lower Half of Nexys 4 DDR Board. Source: [13]. ...................................38 
Figure 13.  Waveform Initial ........................................................................................40 
Figure 14.  SEM Signals during First Injections in Series. ..........................................42 
Figure 15.  Initial SEM Signals. ...................................................................................43 
Figure 16.  Persistent Errors Detected by TMR. ..........................................................45 
Figure 17.  Transient Error Detection by TMR ............................................................47 
Figure 18.  Transient Error Detection Variable Names and Values .............................48 
Figure 19.  Transient Error Detections .........................................................................49 
x 
THIS PAGE INTENTIONALLY LEFT BLANK 
xi 
LIST OF TABLES 
Table 2.  Clock Signals. Adapted from [5]. ..............................................................27 
Table 3.  Maximum SEM Scan Times. Source: [5]. .................................................27 
Table 4.  TMR Register Fixed Locations ..................................................................29 
Table 5.  TMR Module Testing Information ............................................................30 
Table 7.  Clock Wizard IP Settings .........................................................................185 
Table 8.  SEM IP Settings .......................................................................................186 
 
xii 
THIS PAGE INTENTIONALLY LEFT BLANK 
xiii 
LIST OF ACRONYMS AND ABBREVIATIONS 
ARM Advanced RISC Machine 
ASCII American Standard Code for Information Interchange 
BIT Built-In Test 
CFTP Configurable Fault-Tolerant Processor 
CRC Cyclic Redundancy Check 
ECC Error Correction code 
EMC External Memory Controller 
FPGA Field-Programmable Gate Array 
IDE Integrated Development Environment 
IP Intellectual Property 
LED Light-Emitting Diode 
LRS Linear Recursive Shift 
NAND Not And 
NOR Not Or 
NPSAT-1 Naval Postgraduate School Satellite-1 
Pblock Physical region of an FPGA consisting of blocks of allocated 
logical blocks or memory 
PCB Poly-Chloride Boards 
PPE Personal Protective Equipment 
PR Partial Reconfiguration 
RAM Random Access Memory 
RISC Reduced Instruction Set Computer 
RM Reconfigurable Module 
RP Reconfigurable Partition 
SEE Single-Event Effect 
SEM Soft Error Mitigation 
SET Single-Event Transient 
SEU Single-Event Upset 
xiv 
SRAM Static Random-Access Memory 
TMR Triple-Modular Redundant 




I would like to thank God; my wife, Kasey; and my children for their love, 
understanding, and support while I have been working on this thesis. Separation is very 
difficult for long periods. 
I would also like to acknowledge the help and support received from my thesis 
advisor, Dr. Loomis, in developing and finishing this thesis. He has been patient with me 
and tried to marry my needs with those of the NPSAT-1 team (Jim Horning, Dan Sakoda, 
David Rigmaiden, Ron Aikins, and Jim Newman). To the NPSAT-1 Team, thank you for 
support during hardware failures, explaining the CFTP architecture, and taking time from 
your hectic schedules to answer my questions, which enabled me to complete this, even if 
I couldn’t solve your problems as we hoped. Thank you to CDR William Crane for offering 
support and guidance on the NPS thesis process and trying to keep me on schedule. 
xvi 
THIS PAGE INTENTIONALLY LEFT BLANK 
1 
I. INTRODUCTION 
Life on Earth can be hazardous without the right personal protective  
equipment (PPE), which can prevent or reduce injury. Radiation degrades, disrupts, and 
destroys living tissue. Life in space requires a lot more PPE, because there is insufficient 
air to breathe or absorb harmful radiation. Fortunately, electronics do not breathe, drink, or 
eat. This reduces, but does not eliminate, the set of problems which can interfere with their 
proper operation. Great swings in temperature, orbital debris, and radiation remain threats. 
Insulation and heat management techniques mitigate temperature fluctuation. Thick metal 
shells can deflect and absorb debris and radiation. However, radiation can penetrate light 
shielding, and shielding sufficiently dense to prevent radiation damage is prohibitively 
heavy. 
The effects of radiation on electronics range from the change of electrical state to 
burns and physical damage. Shielding blocks physical damage and reduces the energy of 
radiation which passes through it but does not entirely negate the electromagnetic effects 
of radiation. To get around these limitations, techniques must be designed to mitigate 
single-event effects (SEEs) caused by radiation. The goal of this thesis is to provide 
additional improvements and functionality to the Triple Modular Redundancy (TMR) 
project through modularization of the modules and updating of system components with 
ones not previously available. 
SEEs can “affect both the sequential and combinational logic. In the first case, they 
are called single-event upsets (SEUs) and in the second one, they are called single-event 
transients (SETs)” [1].  When sufficient charge builds up to cause a change in the state of 
a bit located in memory or a flip-flop, the effects of the resulting SEU will continue to 
propagate through all circuits downstream from it in the sequential logic tree. SETs are less 
common due to the nature of the change made. If a transient signal is shorter than hold time 
of a sensor the gate will fail to latch onto the different value and the transient will not be 
detected as a valid signal. The high frequency noise would therefore be filtered out. “Hence 
small SETs will be unobservable” [2]. 
2 
Both types of SEEs occur as a result of ionizing radiation interacting with the 
semiconductor directly. Ionizing radiation can be in the form of charged particles or the 
radiation caused by the impact of non-charged particles on nuclei. Radiation not in the form 
of particles does not induce SEEs [3]. 
The effects of SEEs on a field-programmable gate array (FPGA) can potentially 
have a longer duration, when they occur in the configuration memory of the device. FPGAs 
are logic devices and are commonly implemented in memory. They are able to be 
reprogrammed repeatedly without being sent back to their manufacturer. Many modern 
FPGAs have functionality defined by externally provided data, which is loaded onto the 
FPGA in a type of memory known as configuration memory. The configuration defines 
interconnections of not and (NAND), not or (NOR) gates, flip-flops, or more complex logic 
elements. The source for this configuration data is typically flash memory, which is non-
volatile (electrically stable even without power) and can be electrically erased and rewritten 
many times. Configuration memory is volatile, to allow changes to occur in the states of 
the transistors which make it up. Changes in configuration memory will affect whatever 
calculations are being controlled by that cell and can be persistent or transient. For this 
project, persistent errors are defined to be errors which remain after 100 clock cycles. Any 
errors which disappear (due to correction or other reasons) prior to 100 clock cycles, are 
considered transient, whether or not they are SETs. Unlike normal transient errors, 
configuration errors tend to be persistent, as they occur in volatile memory which normally 
does not change much after powerup. The FPGA used in the configurable fault-tolerant 
processor (CFTP) is designed to load its initial configuration from flash memory into 
volatile configuration memory at power up. 
The list of commands which can be directly executed by a processor is called the 
instruction set. Processors have two types of instruction sets, complete and reduced. Each 
has advantages. Complete instruct set computers (CISC) take fewer clock cycles to execute 
commands, however, they are more complex than reduced instruction set computer (RISC) 
processors. This complexity results in comparatively slower clock cycles. The choice 
between the two often comes down to the number ratio of multi-clock-cycle commands 
(such as video or audio commands) to single-clock-cycle commands (such as addition and 
3 
subtraction commands). Because the CFTP architecture can use simple mathematic 
functions to control the external communications with the ground and the TMR module 
without the need for complex multimedia-specific commnds, a RISC processor was 
selected. The module which handles this is called the advanced RISC machine (ARM). In 
addition to controlling the external communications, the ARM also updates the 
configuration of the CFTP with data from its bulk memory storage, as needed. 
The CFTP is designed to fix transient and persistent errors in the TMR logic and 
registers and to report these errors to its controlling processor, an ARM processor. When a 
persistent error is detected by the TMR, the ARM reloads the FPGA’s configuration 
memory from flash and restarts testing, if desired. Any persistent error is assumed to be an 
error in configuration and hence uncorrectable by logic on the FPGA and will be fixed by 
reloading the configuration. Under the current CFTP architecture, if a persistent error is 
detected that can’t be fixed otherwise, the ARM processor is informed so that it can 
reconfigure the FPGA. Additionally, the TMR is able to simulate transient and persistent 
errors by changing the values of bits in its internal registers while in test execution mode. 
A. OBJECTIVES 
The purpose of this thesis is to improve upon the design from Andrew Jackson’s 
thesis [4], the work preceding it,  and subsequent work, specifically, in the areas of updating 
and extending the longevity of the satellite once the initial goals have been met. These will 
be achieved by addng a Xilinx IP soft-error mitigation (SEM) module to repair single and 
double errors in the configuration memory, enabling partial reconfiguration (PR) of the 
field-programmable gate array (FPGA) used by the configurable fault-tolerant processor 
(CFTP), and modularizing the project. 
The SEM is a COTS solution produced by Xilinx, Inc. which is user-configurable 
at design time and capable of detecting SEUs in configuration memory of Xilinx  
FPGAs [5]. If configured appropriately, the SEM is also capable of injecting and fixing the 
errors it detects. During initialization, the SEM controller calculates the overhead data 
needed to detect errors. Once detected, the SEM attempts to determine if the error is in a 
region which affects the operation of the design (e.g., it is essential). If the error is 
4 
determined to be essential, it determines if it can fix the error. When fixing errors, the SEM 
uses PR to write the corrected affected frame to configuration memory [5].  
Partial reconfiguration offers advantages in reducing the time between running 
experiments and recovering from SEUs in the configuration, by allowing the processor to 
reload only the affected module(s), allowing a changes to a different configuration where 
only a portion of the configuration needs to change, and, as in the case of the CFTP 
processor, allows the continued operation of a the modules not being update while other 
sections are reconfigured [6]. 
Modularization of code divides the design into smaller more manageable pieces, 
often with the same interfaces, ordering, or structures. The advantages of this are three-
fold. First, modifying the design in the future becomes easier. Second, reconfiguration is 
quicker when only one module must be reconfigured. Third, individual modules can be 
uploaded into the system independently of others, reducing uplink time from remote 
locations, when only one module needs to be updated. 
B. ORGANIZATION 
An introduction to the subject matter and objectives of this thesis is laid out in this 
chapter. Chapter II contains an overview of pertinent research and development of the 
triple-modular redundancy (TMR) used on the CFTP. Chapter III covers the design 
decisions and rationale behind them in implementing this thesis to the CFTP. Chapter 0 
covers the incremental and final testing of the modularized code. Chapter V summarizes 
the thesis and its results. Appendices contain the existing, changed, and hardware 
descriptor language (HDL) code used in this thesis. They are grouped by overall function 
into four sections:  the top-level and miscellaneous code, TMR code modules, soft-error 
mitigation (SEM) code modules, PR code modules and new code modules. An additional 
appendix contains the settings used to define Xilinx commercial off-the-shelf (COTS) 
modules used in the thesis. 
5 
II. BACKGROUND AND PRIOR WORK 
This thesis is not so much into how to implement a configurable fault-tolerant 
processor (CFTP), rather, it is how to improve the current design and architecture, thereby 
overcoming some design limitations and developing issues. 
One issue that cropped up during the implementation phase of this thesis is the 
progressive failure of bulk memory storage on the main CFTP board. This occurs due to 
the age of the memory and the number of times data has been written and erased from the 
memory. To compensate, rather than using large monolithic blocks in memory, smaller 
blocks will be loaded, reducing the memory requirements to update the firmware loaded 
on the CFTP. Previously, the Advanced RISC Machine (ARM) processor would load the 
CFTP board from bulk memory storage at power-up. This will not be a functional option 
in the long term. 
This thesis project will use two methods for error mitigation: the TMR multiplier 
and the Xilinx SEM Module. The TMR multiplier is previously implemented by the CFTP 
team, based on a project in the Naval Postgraduate School course EC3830, Digital 
Computer Design Methodology, which uses a linear shift register derived from chapter 3 
of [7]. The Soft-error mitigation (SEM) module [5] is newly applied to the TMR 
experiment. 
A. TRIPLE MODULAR REDUNDANCY (TMR) AND ERROR MITIGATION 
TMR uses three sets of parallel registers, each nominally containing the same data, 
to decide what the correct values held within. When the data in any of the registers 
disagrees with that of any other register, an error has occurred, and the TMR must 
determine which register is in error. Through a simple majority rule, the TMR determine 
the minority to be in error, and then the error. This method can fix SEEs, and double-bit 
errors, as long as the errors occur in different bit positions of any of the three registers. 
Several types of TMR exist to mitigate SEUs and are differentiated by their scope 
and how they mitigate errors. The general types are No TMR, Localized TMR, Distributed 
TMR, Global TMR, and Block TMR. The definitions of each follow as quoted from [2]: 
6 
 No-TMR: no additional circuitry is added to the design pertaining to 
SEU mitigation. [No error detection or correction—baseline.] 
 LTMR: Localized Triple Modular Redundancy. Only FFs are 
triplicated. Combinatorial logic paths, Clocks, and resets are shared 
and consequently single sources of failure. With this mitigation 
strategy, only the effects of FF SEUs are reduced (because they are 
masked). However, susceptible circuitry remain as such: transients in 
data path combinatorial logic can be captured by End-Point FFs and 
Global routes [(clocks, resets, and high fanout enables)] can cause 
Single Event Functional Interrupts (SEFI). Figure 1 is an illustration 
of applied LTMR. 
 DTMR: Distributed Triple Modular Redundancy. The entire design is 
triplicated except for global routes…. This mitigation strategy 
reduces data path upsets. However, since the global routes are not 
mitigated, then transients on global routes can still disrupt the system. 
Figure 2 is an illustration of applied DTMR. 
 GTMR: Global Triple Modular Redundancy. The entire design is 
triplicated including global routes (clocks, resets, and high fanout 
enables). This strategy mitigates most upsets. However, some FPGA 
have additional logic outside of the data path that cannot be mitigated. 
In this case, GTMR will effectively reduce the upset rate, but will still 
have some points of failure. 
 BTMR: Block level Triple Modular Redundancy. The entire design is 
triplicated. The outputs of the replicated blocks are voted. The inputs 
may or may not come from a common source. However, if the I/O are 
not fanned out to the replicated blocks from a common source, voting 
will be unreliable due to synchronization issues. This scheme only 
provides masking capability and does not correct errors. 
Consequently, this technique is only practical for a design that can 
regularly be reset. In this case, upsets are regularly flushed and the 
design can be forced to reach a deterministic state [2]. 
7 
 
Figure 1. Localized Triple Modular Redundancy (LTMR) Example. Source:  [2]. 
The TMR experiment has two triplicated voters following the triplicated 
combinational logic that perform the array multiplication of two 18-bit numbers, as well as 
triplicated voters following each of the triplicated product register blocks, as in a DTMR 
architecture. This is done to be able to distinguish between SETs in the logic and SEUs in 
the registers. A block diagram of a generic DTMR implementation is depicted in Figure 2. 
 
Figure 2. Distributed Triple Modular Redundancy (DTMR) Example. Source: 
[2]. 
8 
The specific architecture of the TMR array multipliers is depicted in Figure 3. 
 
Figure 3. TMRed Array Multiplier 
The mult1 and mult2 operands for the array multiplier are provided by a linear 
recursive shift register (LRS) sequence generator. This sequential machine employs 
feedback of state information, or Loopback, and requires a modification of the TMR 
structure. The new generalized form of a one-byte TMR structure is illustrated in Figure 4. 
9 
 
Figure 4. TMR with Next-State Logic. Adapted from [8]. 
The LRS is a maximal-length 31-bit linear recursive shift register generator that 
uses the generator polynomial: 
 31, 3

or Z  D
31Z  D3Z .  Equation II-1 
The block diagram of the TMR LRS is depicted in Figure 5. 
10 
 
Figure 5. TMRed LRS Operand Generator 
The protective measures afforded by the LRS and array multipliers only apply to 
the TMR-protected registers and not the controlling and reporting portions of the design. 
The TMR experiment itself does not utilize block random-access memory (RAM) 
(dedicated memory blocks), nor does it check it. It does use distributed RAM (logic which 
stores data in a similar fashion as RAM). 
B. SEM CONTROLLER 
The TMR does not monitor the FPGA configuration directly and can only detect 
the effect of a configuration error if that error causes a change in the logic or 
interconnections that produces a TMR-correctable persistent error. To detect an error in 
configuration requires a different module. The Xilinx 7-Series FPGAs can use the SEM 
Controller. The SEM Controller cannot be classified fully as any TMR method. The SEM 
Controller monitors soft errors in configuration memory, only. Soft errors in other types of 
11 
memory devices must be addressed by user logic and preventive measures such as 
redundancy or error detection and correction codes [5]. Errors are identified in the 
configuration by the SEM Controller in the same way that it repairs errors, through ECC 
and cyclic redundancy check (CRC) checks [5]. Errors are located by frame and bit 
addresses within the frame they reside in. “Frames are one [logic or memory] element wide 
by one clock region high” [6].  “All frames in 7 series devices have a fixed, identical length 
of 3,232 bits (101 32-bit words)” [9]. It offers three methods to mitigate errors, Repair, 
Enhanced Repair, and Replacement. 
The Repair Method fixes errors by using an ECC algorithm for error detection. 
“The ECC syndrome is used to identify the exact location of the error in a frame. The frame 
containing the error is read, the relevant bit inverted, and the frame is written back. This is 
signaled as correctable” [5]. 
The Enhanced Repair Method uses the same ECC as the Repair Method to fix SEEs 
and CRCs to fix two-bit errors [5]. “For one-bit errors, the behavior is identical to 
correction by repair. For two-bit errors, an enhanced CRC-based algorithm capable of 
correcting two-bit adjacent errors is used. The frame containing the error is read, the 
relevant bits inverted, and the frame is written back” [5]. 
“The repair methods use active partial reconfiguration to perform a localized 
correction of Configuration Memory using a read-modify-write scheme” [5]. After 
determining that an error exists, 
The frame containing the error is read. The controller requests replacement 
data for the entire frame from the Fetch Interface. When the replacement 
data is available, the controller compares the damaged frame with the 
replacement frame to identify the location of the errors. Then, the 
replacement data is written back. [5] 
“Partial Reconfiguration allows for the dynamic change of modules within an active 
design” [6].  When a module is partially reconfigured, only data contained within that 
module is affected. A pblock is virtual representation of a physical region of an FPGA 
consisting of blocks of allocated logical blocks or memory. The implementation of this 
thesis does not utilize multiple configurations of any pblocks, so the number of bitstreams 
12 
created would be reduced to one bitstream for all pblocks which are partially reconfigurable 
(made up of partial bitstreams for each Reconfigurable Module) and one for all logic not 
contained in partially reconfigurable pblocks. 
One effect of this is that, in the presence of configuration errors in logic which are 
not partially reconfigurable, the error can only be fixed by reloading the entire 
configuration from flash memory. The ARM is the source for the signal to reload the entire 
configuration, and this reload would be reset to the entire CFTP. Thus, it is desirable for as 
much of the design to be in reconfigurable modules (RM) as possible. Consideration should 
also be made to ensure that the replacement should also trigger a reset of currently 
executing tests. 
Block memory units in Xilinx FPGAs have the built-in capability of correcting 
single-bit and double-bit errors. Errors are detected and corrected using the same methods 
as the Enhanced Repair Method. One difference between the two is that the block memory 
checks for errors at read out, rather than just on a continuous scan of the entire 
configuration. The CFTP and TMR experiments do not utilize block memory, and so 
protection of block memory is not addressed in the implementation of this thesis. 
The TMR experiment utilized by the CFTP uses a partial GTMR method. Three 
sets of voting registers, each with three voters for every bit in each register ensure data 
correctness. These are grouped into the LRS module (previously shown in Figure 5) and 
the two multiplier modules, Mult_X and Mult_Y. The Mult_X and Mult_Y modules are 
identical code-wise, differing in name only, and each implement the logic structure 
previously shown in Figure 3. Due to the way that partial reconfiguration is managed in 
the Vivado IDE, each module which is capable of being partially reconfigurable has to be 
in a separate file with a different file name. This is inherently not modular, because it 
arbitrarily forces identical objects to be one entity instead of copies handled in the same 
fashion. To get around this the Mult_X file was copied to a new file with the only difference 
in content being the name of the code module. 
The TMR experiment utilized by the CFTP uses a partial GTMR method. Three 
sets of voting registers, each with three voters for every bit in each register ensure data 
13 
correctness. These are grouped into the LRS module and the two multiplier modules, 
Mult_X and Mult_Y. The Mult_X and Mult_Y modules are identical code-wise, differing 
in name only. Due to the way that partial reconfiguration is managed in the Vivado IDE, 
each module which is capable of being partially reconfigurable has to be in a separate file 
with a different file name. This is inherently not modular, because it arbitrarily forces 
identical objects to be one entity instead of copies handled in the same fashion. To get 
around this the Mult_X file was copied to a new file with the only difference in content 
being the name of the code module. 
C. CURRENT DESIGN 
The CFTP is included as one of the experiments which make up NPSAT-1, a small 
satellite which is a part of the Department of Defense’s Space Test Program. NPSAT-1 
includes experiments designed by Naval Research Labs (NRL) and NPS to examine space 
weather and  demonstrate new spacecraft technologies. Other experiments on NPSAT-1 
include a Coherent Electromagnetic Radio Tomography Experiment (CERTO), a 
Langmuir probe, a solar cell measurement system and a demonstration of various COTS 
technologies. At conclusion of the mission, NPSAT will autonomously perform an 
uncontrolled atmospheric reentry utilizing a drag device to ensure negligible risk to 
terrestrial objects from falling debris [11]. 
The current CFTP-7 NPSAT-1 design consists of three poly-chloride boards 
(PCBs), which are the ARM, the CFTP board, and a daughterboard. The CFTP-7 NPSAT-
1 architecture is depicted in Figure 6. 
14 
 
Figure 6. CFTP-7 NPSAT-1 Implementation for Spaceflight – June 2019 
The ARM manages the execution of tests, collects test results, tracks current status, 
and communicates with the outside world. It communicates with the CFTP board through 
the PC-104 interface and is capable of loading a configuration onto CFTP from its own 
flash memory. 
The CFTP board is primarily used as a host for the daughterboard and to provide 
connection to the ARM via the PC-104 bus. It should allow the ARM processor to read and 
burn data to the daughterboard’s flash as well as its own, but currently lacks the capability 
to write to flash memory. Once the ARM gains the capability to write to flash, it will be 
able to use on-board flash memory as supplemental non-volatile memory to support uplink 
and downlink functions. Writes to flash on a different board can be in a direct or indirect 
mode. In direct access mode, the processor reads and writes to addresses of flash directly. 
In indirect access mode, the processor requests that the other boards use its local resources 
15 
to read or write to its flash. Unfortunately, the CFTP and ARM currently lack the capability 
to write to flash memory. 
The daughterboard FPGA was selected by A. Jackson for his thesis and is a COTS 
Mercury KX-1 board (depicted in Figure 7)  The board has 32 MB of configuration flash, 
2.5 GB of SDRAM, and 64 MB of non-volatile flash storage, on board. It uses a Xilinx 
XC7K325T-2FFG676I Kintex-7 processor [4]. 
 
Figure 7. Mercury KX1 Module Architecture. Source: [10]. 
D. CONTRIBUTIONS FROM EARLIER THESES 
Approximately four months prior to the completion of this thesis, an issue was 
identified with the bulk memory storage of the ARM hardware that was slated to go to 
space on NPSAT-1. The primary symptom of this failure was a reduction in the indicate 
amount of available memory during built-in test (BIT). The architecture of the CFTP at 
16 
that time was that the ARM would load the TMR experimentfrom its own bulk memory 
storage during its own initialization. Repeated erasures and writes to this memory were 
further degrading it. To mitigate this, the design needed to change, such that the flash 
memory on the KX-1 daughter board, where the TMR runs, would be programmed by the 
ARM. Additionally, any firmware uploads sent to NPSAT-1 would need to be stored in a 
different location prior to their verification and burning to the flash of the KX-1 daughter 
board. 
Andrew Jackson’s FPGA design did not fully implement the SEM. The design does 
not report errors to the TMR. The design lacks pblocks, which are required for the SEM to 
fix errors. Andrew provided the hardware design for the CFTP experiment about to be 
launched. He also developed an FPGA implementation of the MIPS processor [4]. The 
CFTP team has developed a configuration of the CFTP FPGA that implements the TMR 
multiplier previously discussed. This means that there is currently no means to correct 
errors except within the TMR memory array, which made up less than one percent of the 
total silicon used on the CFTP. The implementation of this thesis adds the ability to detect 
and inject configuration errors using the LogiCORE IP Soft Error Mitigation (SEM) 
Controller, included with the version of Vivado (2016.3) used by the CFTP as well as a 




Hardware descriptor language (HDL) is a textual representation of the logic which 
makes up a circuit. The two most common HDLs are Very High-Speed Integrated Circuit 
Hardware descriptor language (VHDL) and Verilog. The TMR experiment is written in 
Verilog, so this thesis will also use Verilog. HDL is human readable and must be converted 
into a form which can be represented on a chip. Three processes do this: synthesis, 
implementation, and bitstream generation. 
Synthesis is the process which turns HDL code into a collection of logic cells and 
nets (or connections) which most closely matches it. After the logic is synthesized, a 
particular implementation has to be created. The implementation process determines the 
optimal location of all logic and memory defined by the synthesis and the inter-connections 
between them on the target FPGA. Bitstream generation turns the locations of logic and 
memory and the connections between them into binary file(s) which can be loaded directly 
into configuration memory on a FPGA. A fourth process can be used to create file(s) which 
can be loaded into non-volatile flash memory for later loading into configuration memory. 
This thesis uses the Vivado Integrated Development Environment (IDE) to generate 
the binary data files which represent the design described herein. The target for this thesis 
is the ARTIX XC7A100TCSG324-3 chip found on the Nexys 4 DDR development board. 
This target was selected to provide direct access to the debug probes which are not 
accessible in the CFTP. Debug probes use a serial interface to collect snapshots of internal 
data when triggered. Triggers can be set to retrieve the values of all connected probes when 
certain values on one or more of the various probes, or forced triggers. Either type of these 
can be set to automatically reset to wait for the next event after triggering, with an 
approximately one second dwell time before rearming. During updates no data is displayed. 
When set to continually update the probes, the time to update can be longer than the dwell 
time, resulting in data not being displayed by the probes for most of the time. Using the 
Nexys 4 DDR development board also provides limited real-time visual feedback through 
LEDs (used as SEM/switch status indicators) and text through the seven-segment displays 
(used to give text messages from the SEM Monitor Interface). Choosing a development 
18 
board also eliminated the need to rewrite the CFTP, ARM and external interface code to 
provide the desired debug data, which changes as each module is functionally tested singly 
and in groups. 
A. DESIGN ARCHITECTURE AND IMPLEMENTATION 
The final implementation is made up of three modules, and several sub-modules. 
The first module is the TMR experiment. The second module is the SEM module. The third 
module is the display driver. 
1. TMR Architecture and Implementation 
The TMR experiment was minimally changed for this thesis. Two changes were 
made. The first change was to reduce the number of multiplier modules to one. The TMR 
experiment would not fit on the NEXYS 4 DDR development and test board as is, and this 
change allows it to fit, as well as saving compilation. This is accomplished by changing 
the parameter num_mult_module in TMR_exp.v and in err_gen.v from six to one. The 
parameter sets the number of redundant copies generated based on the parameter to make 
full use of the available logic gates and run parallel experiments on each copy 
simultaneously. The reduction would increase the total time to complete testing, but not 
degrade the quality of data produced by the testing. The second change was to constrain 
the placement of logic in the FPGA. This is required for partial reconfiguration, which is 
required for error mitigation by the SEM in both the Repair Methods and Replacement 
Method [5]. A frame consists of all logic or memory cells in a single vertical column of 
one clock region [6]. PR requires that pblocks extend from one clock region border up to 
the next, because configuration memory is written to one frame at a time. The pictorial 
representation of the allocation of the pblocks is depicted in Figure 8. There are eight clock 
regions in the figure, arranged in four rows of two clock regions. About 23% of the 
available gates are assigned to the TMR and its submodules. The area of one frame is boxed 
in the top-right of the figure. 
19 
 






When the design goes through Implementation, the Vivado tools places logic within 
the areas in which they are constrained to be placed. All logic cells for each of the TMR 
submodules are placed in the corresponding pblocks. Figure 9 depicts which logic cells are 
used in the TMR pblocks. Unused logic cells and empty space are black. The reduction of 
the number of multipliers reduced the logic usage to roughly one-sixth. As can be seen, 
over 80% of the logic cells allocated to the TMR are filled in Figure 9. An error can not be 
detected by the TMR if it occurs in an unused cell. One consequence of the lower density 
of used cells in the LRS pblock is that there are fewer locations, which can then be detected 
by the TMR. The area of the same frame which is boxed in Figure 8 is boxed in the right 
side of Figure 9, too. 
 
Figure 9. Implementation Usage 
Calculating the effective real estate to implement the CFTP implementation of the 
TMR would require: times the space availiable on the FPGA. 
 




 80%  120%






Additional space would still be needed for the SEM. This required scaling back the 
number of multipliers to a more manageable amount. In the interests of simplicity, it was 
decided to use a single multiplier to establish the simplest case and demonstrate the how 
the TMR handled configuration errors. The ability to inject and remove configuration 
errors is a function of the second largest block of code, the SEM Module. 
2. SEM Architecture and Design 
The SEM Module is the second largest block of code and is also the source of most 
of the additional code developed for this thesis. Much of its was based on sample code 
automatically generated by the Vivado IDE based on the customization settings of the SEM 
(see APPENDIX D.B). The source of the sample code was an automatically generated 
example (as recommended by Xilinx for all implementations using the SEM [5]). 
The SEM Module can detect soft configuration errors and can also be configured 
to inject or fix them. This thesis uses the ability to inject configuration errors to identify 
the behavior of the TMR when exposed to configuration errors. The SEM’s ability to detect 
errors is also verified, as a precursor to having it fix configuration errors. The verification 
of these functions is detailed in Chapter 0. 
The SEM reads the FRAME_ECCE2 primitive to detect ECC and CRC errors 
errors [5]. Once it detects an error, the SEM sends messages via the Monitor Interface 
indicating the nature of the error and the status of the SEM. 
SEM status is provided through two ways. The first is a group of eight discrete 
signals, called the Status Interface. The Status Interface has one signal for a heartbeat 
(which is asserted for one clock cycle at least once every150 cycles), five signals indicating 
the state of the SEM and two bits which indicate the severity of a detected error [5]. The 
second is the Monitor Interface. The Monitor Interface uses binary strings of  American 
Standard Code for Information Interchange (ASCII) text to send information on changes 
of the status of the SEM. Each state change, except for the heartbeat has one or more 
messages associated with it. When any of the five state signals changes, a State Change 
Report is sent via the Monitor Interface. When the severity bits change value, a Flag 
Change Report is sent via the Monitor Interface. Every message sent by the SEM via the 
22 
Monitor Interface has a line-feed (0x10) character appended to it. The reports sent by the 
SEM are listed in Table 1. 
Table 1. Monitor Interface Reports. Source: [5]. 
Report Name ID Description Size of Data [Bytes]
State Change SC 
Reports new value of 5-bit field of 
Status Interface 
2 
Flag Change Report FC 




Response to a Status Report Request 
Message 
A, B 
Error Detection  B 
One or more messages indicating 
location and type of detected error 
VariesB 
Error Correction COR 
Location Report of each detected error 
in a frame 
0C 
Error Classification CLA 
Location Report of each correctable 
essential error in a frame 
0C,D 
Maximum Frame MF 
Number of Frames on the FPGA 





ID of controller instance in multiple 
processorsD 
2 
Feature Set FS SEM Controller Core OptionsB, E 2 
Initialization -B 




Location with a frame of the error, 
made up of a word and bit location 
8 
List End END 
Message indicating the end of a list of 
errors 
0 
A. Maximum Frame, Hardware SLR Number, State Change, Flag Change, and Feature Set 
reports. 
B. See [5] for details. 
C. Location report for each error followed by a List End Report and Flag Change Report. 
D. If error classification is not enabled the list will be empty, but all other parts of report are 
generated and sent. 
E. Fixed at “00” for chips discussed in this thesis. 
F. See APPENDIX D.B for the the options used in this thesis.  
 
23 
a. SEM Interfaces 
The example project was designed to function while connected to a PC through RS-
232 interfaces to send commands to the SEM Controller and receive responses through the 
Monitor Interface. This is not feasible for this thesis, because the architecture of the CFTP 
does not have an RS-232 interface. The SEM also has the capability to inject errors through 
the injection interface, however no code was included in the sample project to control  
it [5]. Because of these facts, a communications interface had to be developed to be 
compatible with the SEM Monitor Interfaces, the SEM Injection Interface, and the other 
modules. 
The first interface is the Monitor Interface, which transfers data one byte at a time, 
in both directions. The data buffer code provided in the sample project was reused as-is, in 
two instances which are in series with both the decoder and encoder modules. The encoder 
module converts discrete signals from outside the SEM into canned messages to be sent to 
the SEM Monitor Interface. The decoder module collects the bytes received from the SEM 
Monitor Interface and translates the completed messages into a text format that can be 
displayed on the Nexys 4 DDR’s eight-character seven-segment display and SEM state 
signals. 
The second interface is the SEM Injection Interface, comprising a 40-bit parallel 
data bus and a handshaking bit [5]. As stated before, the sample project did not implement 
this interface. The implementation includes the ability to send messages with pre-canned 
data or pass through for externally generated data. Pre-canned data is used for manual 
injection of errors, which are limited in the number of bits by the number of switches 
allocated. Externally generated data is used during automatic testing to inject errors to a 
larger number of addresses than can be used with the manual interface. See Chaper III.C 
for more details on the error injection addressing. 
The Injection Interface and Monitor Interface messages overlap in function. Most 
messages to the SEM can be sent in either interface. To simplify communications with the 
SEM, messages to the SEM used the one interface, where possible. This was done to for 
consistency and to avoid having multiple message simultaneously sent to the SEM. During 
24 
functional testing (documented in Chapter IV.E), it was determined that the addresses 
derived from the .ll files were not compatible with the error injection message used in the 
Monitor Interface. Conversely, the Status Report Request Message, which is only used in 
manual testing and is tied to Switch 3, is the only message exclusive to the Monitor 
Interface. Since a rarely used message was only one used for the Monitor Interface and a 
commonly used message was only useable on the Injection Interface, the Injection Interface 
was selected for all messages except the Status Report Request Message. An added benefit 
of using the the Injection interface was that an external state machine could control 
communications more easily with it than using the Monitor Interface, because the SEM 
reads messages from the Injection Interface in one clock cycle, while it always  
takes multiple clock cycles for the SEM to read any message sent through the  
Monitor Interface [5]. 
Implementing these fixes necessitated a change to the architecture used in the CFTP 
TMR experiment. That design is loaded by the ARM, on top of a basic bootloader operating 
from flash. To offset the degradation of bulk memory storage of the ARM, some error-
mitigation functions needed to be offloaded from the ARM. The errors detected by Andrew 
Jackson’s design were not detected by the SEM, rather they were errors which were 
reported by the ICAP interface during the initial loading from flash. The design would 
report errors in configuring the FPGA, but lacked the ability to repair errors, due to the lack 
of PR code [4]. Two methods were available to mitigate errors beyond those previously 
implemented: the Repair Method and the Replace Method. 
b. Partial Reconfiguration 
Without a module similar in function to the SEM, the only way to fix configuration 
errors is to reconfigure the FPGA as at power-up. This is often undesirable, because all 
operations are interrupted and the previous system state is lost during this. The purpose of 
the SEM is to reduce the occurance of full reconfiguration by detecting and fixing those 
errors in smaller blocks at execution time, thus allowing other processes to continue 
operating unhindered. 
25 
When fixing errors in configuration memory, the SEM uses two general methods, 
repair and replace. To fix single-bit errors with any Repair Method, the SEM reads the 
entire frame where the error is detected using PR, then determines the correct value and 
finally writes the entire frame to configuration memory using PR. The correct values for 
single-bit errors are determined using ECC. The correct values for 2-bit errors (Enhanced 
Repair Method only), are determined using the CRC. To fix errors using the Replace 
Method, the SEM reads the replacement data for the damaged frame from flash memory, 
via the fetch interface, and writes all the received data to configuration memory using 
partial reconfiguration. Repair methods can only fix one or two bit errors in a frame, more 
errors are uncorrectable. The Replace Method fixes all errors in the frame, if the 
replacement data can be read from flash memory. If the number of errors within a frame 
excedes the maximum number of errors which can be fixed by the correction method 
selected for the SEM, the uncorrectable flag is set and the only means to fix the errors is to 
reconfigure the entire FPGA [5]. 
Partial reconfiguration is the process by which a portion of configuration memory 
in a design is changed, rather than the whole of the design. The rules and procedures for 
implementing partial reconfiguration are detailed in [6]. Due to the issues with accessing 
flash memory on the CFTP described in Chapter II.D, PR was not implemented within this 
thesis. 
3. Other Code Modules 
The final block of code added was the display driver, which was implemented to 
provide visual text-based output of the messages received from the SEM without using the 
Vivado-generated probes. This function only works on the Nexys Board, but it 
demonstrates a portion of the information that can be provided to the ARM, if desired. 
B. ERROR CORRECTION 
One of the biggest design decisions for this thesis is which method will be used to 
mitigate errors. The SEM offers several options: Detection Only, Repair, Enhanced Repair, 
and Replace. With Detection only, an external entity must decide how to handle the error. 
With normal repair, the SEM can fix single bit errors and some two-bit errors using an 
26 
ECC. With Enhanced Repair, the SEM uses ECC and CRC to fix two-bit errors. In the 
Replace mode, the SEM will access flash memory and reload the module through partial 
reconfiguration. Based on the analysis of the latencies of three cases and the current 
inability to access flash, it was decided to use the Repair Method. 
When repairing an error in the configuration with the Repair Method, the SEM 
reads the entire frame from configuration memory in which the error is located, changes 
the incorrect bit using ECC, and then writes the entire frame back to configuration memory. 
Information on the other methods (which are not used in this thesis) can be found in [5].The 
placement constraints for the TMR modules and the SEM module are depicted in Figure 
8. The TMR modules are allocated over 20 % of available gates on the chip. This means 
that the bitstreams can be loaded into flash over the pre-existing blocks, as long as the 
Physical region of an FPGA consisting of blocks of allocated logical blocks (pblock) 
allocated to the module(s) or submodule(s) [11], on the FPGA does not change. Changes 
which are completely internal to a pblock would not prevent direct replacement of the 
affected bitstream in flash or the configuration. All logical blocks used by all modules and 
submodules which assigned to the pblock must be contained within the pblock. Pblocks 
which are partially reconfigurable each have their own bitstreams and are stored 
contiguously with other partially reconfigurable bitstreams, as a part of the whole 
configuration, which includes one section for the static blocks and one for the partially 
reconfigurable blocks [6]. The constraints for this thesis which relate to the placement of 
logic can be found in Appendix A.3 
The clocks used in this thesis are listed in Table 2.The clocks used in the TMR 
project are retained, with the 100MHz ICAP clock added and the 200 MHz clock, which 
was intended for debug probes to capture the high and low states of signals, is not used. 
The ICAP clock is set to the maximum frequency of 100 MHz per the data sheet for the 
processor on the Nexys board [12], to minimize the time to detect and mitigate errors. 
Additional copies of the TMR Master Clock were also generated, to stabilize the clocks 
during partial reconfiguration. The IP settings of the clock wizard which generates all the 
derived clocks are detailed in APPENDIX D.A. The 200 MHz clock was removed so that 
27 
more signals could be captured without running out of block memory, which is used to 
capture the probe outputs. 











Primary Board 100     
TMR Master Derived 50 0 50 151.636 98.575 
ICAP Derived 100 0 50 Not Specified Not Specifed
TMR ClockA Derived 50 0 50 114.829 98.575 
TMR ClockB Derived 50 0 50 151.636 98.575 
TMR ClockC Derived 50 0 50 151.636 98.575 
 
As laid out before, the method used for error mitigation is one of the biggest design 
decisions for this thesis. 
1. Latency Analysis  
For the first two analysis cases, the actual latency is derived from the generalized 
case of Equation III-2, using on the Equation III-1. ICAP_FMax for both the XC7K325T 
and XC7A100T devices, is 100MHz [5], so the only difference in latency calculations 
comes from the time required to scan the entirety of configuration memory, as listed in 
Table 3. 
Table 3. Maximum SEM Scan Times. Source: [5]. 
Device Scan Time at ICAP FMax
XC7A100T 8.0 ms 
XC7K325T 23.5 ms 
 
 
MitigationLatency  DetectionLatency 
CorrectionLatency ClassificationLatency
  Equation III-2 
28 
The standard operation of the TMR is to detect and fix SEUs in one clock cycle. 
The SEM’s scan time is at best 8ms (per Table 3), which is 400,000 times greater than one 
TMR clock cycle. This means that the TMR will detect and correct an error much faster 
than the SEM. When a pblock is updated via PR, the logic cells contained within the 
updated cells are reset to an initial configuration, causing errors which the TMR will fix in 
one clock cycle. The next clock cycle, the TMR will be operating with the repaired and 
then corrected values as a new working state. If the SEM can’t fix the configuration error, 
all of the FPGA will need to be reconfigured by the ARM. 
Configuration memory errors can be classified as either essential or non-essential. 
Essential errors are errors which affect the function of the FPGA, while non-essential errors 
do not. In the Classification State, the SEM determines if an error is essential or not [5]. If 
error classification is not enabled on the SEM, it still transistions through the Classification 
State between the Observation State and the Correction State. “Without error classification, 
all Configuration Memory errors must be considered ‘essential’” [5].  When an error is 
determined to be non-essential, it does not need to be repaired or replaced. Error 
classification is achieved by using a lookup table, stored in flash memory, which is similar 
to the logic location (.ll) file which can be file generated with the bitstream files. Because 
most errors will be assessed ‘non-essential’ the number of false alarms and the frequency 
of errors that require a potentially disruptive system-level mitigation response can be 
reduced significantly by using error classification [5]. Because error classification requires 
flash access, it is not used. Based on this analysis of the error correction latency and the 
current inability to access flash on the CFTP, it was decided to use the Repair Method. 
C. ERROR INJECTION ADDRESSING 
Once the method was selected for error correction, the next step was to inject errors 
into the address space belonging to the TMR registers. When an error is injected by the 
SEM, a single bit error is injected into configuration at an address specified by the injection 
command. This address is made up of two addresses which define the location of the 
injection, the frame address and the bit address within that frame. These may be further 
broken down to more addresses. The .ll file provides the physical addresses of all logic and 
29 
memory cells used by the design. The physical frame address corresponds to the 
concatenation of the row, column, and minor addresses. The physical bit address 
corresponds to the concatenation of the word and bit addresses. Using the locations 
identified by the .ll file, addresses were selected in which to inject the errors and then coded 
into the top level design. Unfortunately, the Vivado IDE optimization places logic such 
that the locations where errors are be injected are non-essential locations. While this would 
be optimal for verifying the SEM on a normal circuit, it prevents the TMR from detecting 
the injected errors. To verify the TMR’s ability to detect the effects of configuration errors, 
the locations of logic elements had to be fixed and errors injected into a range of locations. 
When verifying this, it was discovered that the Vivado’s optimization routine was 
optimizing the layout so that the addresses selected for injection were not used by the TMR 
registers. To get around this, specific registers locations from each TMR register were fixed 
to specific slices of the FPGA within their assigned pblock. To fix a cell’s location, two 
properties have to be in the constraints file. The first is the IS_LOC_FIXED property which 
must have the value of 1 or true, and the second is the LOC property, which must have the 
logic location on the FPGA. The cells and their locations are listed in Table 4. 
Table 4. TMR Register Fixed Locations 
Reg Cell Name Slice 










Once the locations are inserted into the constraints file, it is necessary to determine 
the corresponding address for each. To do so, find the cell name in the optional .ll file 
generated along with the bitstream files (EX:  The entry for the LRS injection  
address is “Bit  8446918 0x0002081f   1702 Block=SLICE_X24Y176 Latch=A5FF.Q 
Net=TMR_exp/TMR_LRS_gen/LRSAr” [1]). This yields an address and an offset for each 
cell. These addresses are then hard-coded as the base addresses for the three insertion 
30 
points. Due to the optimization and randomization, the addresses should be verified after 
generating new bitstream files which incorporate these addresses. The addresses which 
correspond to the cells listed in Table 4 are listed in Table 5. 
Table 5. TMR Module Testing Information 
TMR Module Center Address Error Offset Error Switch 
LRS 0x0002059F 1702 6 
Mult X 0x0002109F 1701 7 
Mult Y 0x00020E9F 1701 8 
 
The 16 switches are depicted in in Figure 10. They are numbered from 0 to 15, 
beginning at the right and going to the left. 
 
Figure 10. Lower half of Nexys 4 DDR Board. Adapted from [13]. 
Because each cell/slice can contain multiple signal inputs or outputs, depending on 
the type of cell that is assigned to it, the randominzation performed during implementation, 
and the fact that some inputs or outputs of the logic cell may not be used, multiple errors 
need to be injected in adjacent locations to ensure that an error will occur on a location 
which the TMR can detect its effect. One frame of slices has 50 slices in a clock region, 
while there are 1032 possible bit locations in a frame [9]. This equates to a little more than 
20 possible single-bit addresses per cell. To ensure the insertion of an error into the location 
corresponding to the fixed logic, an automated algorithm that injects 32 single-bit errors in 
31 
contiguous bit address locations immediately below the address, the address specific 
address, and 31 contiguous locations immediately above each location (for a total of 64 
bits in each frame in which errors are automatically injected). Generating bitstream with 
error classification on indicates that only about 9 % of all bit locations have an effect on 
the design and are termed as essential bits. These bits correspond to logic devices used by 
the user modules (e.g., the TMR, debug probes and etc.) in the project. Non-essential bits 
of the bitstreams include the SEM, top-level IP objects, and their corresponding code plus 
all unused logic cells. The error switch listed in Table 5 allows the user to inject a single 
error at the corresponding address or a nearby one. Switches 11 through 15 on the Nexys 
development board control the bit address. To determine the bit location to be inserted, 
subtract four from the base address of the switch 
 location  CenterAddress ErrorOffset  4 SwitchValue Equation III-3 
With switches 12 and 13 On, an error injected by switch 6 would be at frame 
address 0x0002081F and bit address 1701+ 6 -4 = 1703. Because these switches are 
externally available, incorporating the code would make them available to the ARM with 
minimal effort. Switches 11 through 15 are the five left-most switches in the bottom of the 
Nexys 4 DDR board depicted in Figure 10. The operation of the switches is detailed in 
Chapter 0. 
D. TMR ERROR REPORTING 
The TMR reports errors by creating a text string named “report” which is 104 bits 
(13 bytes) long and raising the report_ready signal. The report is made up of a four-
character string which is the version number of the TMR, a four-byte string which indicates 
the report type and number, and a three-byte string which indicates the error syndrome, 
with a space in between each messge part. The version string used in this thesis is “TMHY.” 
The report type is one of three choices:  Routine Report (“RE00”), Transient Error Report 
(“TEn”), or Persistent Error Report (“PEn”). The “n” is the array/register index of the voter 
where the error originates. The only valid indices for the TMR used in this thesis are zero 
through six, as shown in Table 6. In the CFTP’s TMR, there are a total of six dual multiplier 
modules implemented (compared to the single one used in this thesis), so the possible error 
32 
indices can be as large as 30. The final part of a report is the error syndrome (“SYm”), 
where “m” is an octal number that reports in which of the three TMR modules the voter 
detected an error. 
Table 6. TMR Error Indices 
Numeric Value Name Type 
00 No error N/A 
01 LRS Register
02 multX Array 
03 multX Register
04 multY Array 
05 multY Register
 
The error locations that are fixed in code for testing this thesis correspond only to 
LRS and multiplier register locations, not the multiplier arrays. Five syndromes exist for 
each multiplier. The syndrome for a reset message is always “00.”  The valid syndromes 
for this thesis transient and persistent error messages are “SY01” through “SY05.” 
E. FUNCTIONAL TESTING 
During development, the various interfaces with the SEM were functionally 
verified in five stages. The first stage verified the ability to receive and parse messages 
from the SEM’s Monitor Interface during initialization. The second stage was to verify the 
ability to send messages to the SEM’s Monitor Interface and receive the response(s). The 
third stage was to verify the ability to send single commands through the Injection Interface 
and receive the response(s). The fourth stage was to verify the ability of the SEM and TMR 
to detect an error injected by the SEM which was manually generated. The final stage was 
to characterize the responses of the SEM and TMR to a variety of errors. 
33 
Verification of the messaging from the SEM’s Monitor Interface utilized the probes 
to capture the data streams sent out by the SEM while also sending them to the seven-
segment display and storing the received messages in memory. 
Messages received from the SEM were parsed out to the seven-segment display. 
Because some messages are made up of multiple other messages or are longer than eight 
characters, long and multi-part messages were broken up into character strings and stored 
in memory. Based on the last message received, the message decoder would choose which 
string would be displayed. Partial messages were displayed one second at a time, before 
the next partial message was displayed. All of the parts of a message were continuously 
sent until a new message was receieved. 
Once the SEM completed initialization and the message parsing was verified, the 
next stage could commence. During this stage, all message types possible to send to the 
SEM were verified by using the switches on the Nexys 4 DDR development board. 
Switches 2 through 6 were used to send canned messages to the SEM. These messages 
changed the state of the SEM, but did not inject any errors. It was determined during this 
phase that the error injection command available on the Monitor Interface did not use the 
same addresses numbering as the addresses acquired from .ll files. 
Once the SEM state could be successfully controlled, it was possible to test the 
injection of errors. It was relatively easy to inject errors through the Injection Interface, 
transition the SEM to the Observation State and then receive the messagesm because the 
commands take one clock cycle to be sent in their entirety, compared to multiple clock 
cycles required to send messages via the Monitor Interface. For this reason, all further 
functional testing used the Injection interface, where possible. During this stage, errors 
were injected one at a time, as decribed in Chapter III.C in hopes of triggering an error in 
the TMR. Few manually injected errors were actually detected by the TMR, but all were 
detected by the SEM. 
Although error detection was not reliable when using the switches, sufficient 
progress had been made to transition to the next stage, where it was hoped that the 
automated injection of errors into a block of contiguous addresses would ensure at least 
34 
one error was detected. During this final stage of functional testing, a series of commands 
were generated to send an error into enough locations to ensure an error was detected by 
the TMR. This automated error injection command routine is controlled by one switch. It 
allowed error injection to be successfully tested, although there were issues. The resulting 
code was used for the Test and Evaluation Phase. 
35 
IV. TESTING AND EVALUATION 
The goals of testing are: 
1. Demonstrate the ability to use the SEM to inject configuration errors into each 
type of TMR register. 
2. Demonstrate the ability to use the SEM to inject configuration errors into 
logic used by the TMR. 
3. Demonstrate the ability to use the SEM to inject configuration errors into 
logic locations which were not used by the TMR. 
4. Demonstrate the detection of injected errors by the SEM. 
5. Demonstrate the detection and mitigation of injected errors by the TMR. 
6. Identify other effects, caused by the injection of configuration errors, in the 
TMR. 
This chapter is divided into three sections: the testing architecture, the test plan used 
to verify the functionality of the TMR and SEM with respect to configuration errors, and 
the results of executing the test plan. The test architecture section lays out how the test plan 
was developed. The test plan was designed to meet the the first five goals. The last goal 
will be met by analyzing the test results and the behavior of the TMR during testing. 
A. TEST ARCHITECTURE 
This project uses a process similar to commercial industry for code testing. This is 
a layered approach where each round of testing builds upon previous testing. Due to the 
embedded design, testing is done on the modules with the testing structured to exercise the 
logic in specific targeted groups, based on the functionality. Using the switches on the 
Nexys 4 DDR board, canned messages are created and then sent to the SEM for processing. 
The effects of these commands are then observed in either the 8-character seven-segment 
display, in the Vivado probe, or a combination of the two. The tests use the SEM to inject 
36 
configuration errors within each type of TMR voter type of register. The injection interface 
allows single and double-bit errors to be injected at addresses specified. 
Once a module in the project is declared as partially reconfigurable, access to probe 
inputs is not allowed in that constraints file. This would cause issues during testing, due to 
the lack of visibility of the TMR data on the Nexys 4 DDR board. To get around this 
problem, all probes are declared in a separate constraints file which is compiled first in the 
hierarchy, then the layout constraints can be compiled in a separate file, with all the 
commands which meake the modules partially reconfigurable. Adding the command 
“set_property HD.RECONFIGURABLE TRUE [get_cells module_name]” in a constraints 
file causes all of the settings required to for the module named “module_name” to be 
partially reconfigurable on the module to be set at the cell level. 
The HD.RECONFIGURABLE property implies a number of underlying 
constraints and tasks: 
 Sets DONT_TOUCH on the specified cell and its interface nets. 
This prevents optimization across the boundary of the module. 
 Sets EXCLUDE_PLACEMENT on the cell’s Pblock. This 
prevents static logic from being placed in the reconfigurable 
region. 
 Sets CONTAIN_ROUTING on the cell’s Pblock. This keeps all 
the routing for the Reconfigurable Module within the bounding 
box. 
 Enables special code for DRCs, clock routing, etc. [6] 
If any HD.RECONFIGURABLE commands are present in a constraints file, the 
debug probes are not allowed in that file and if both are present, errors occur during the 
implementation step, prior to the generation of bitstream files. These commands can be 
added and deleted freely, unlike the project-level setting as being partially reconfigurable. 
Once a project, as a whole, is defined as partially reconfigurable, it is irrevocable. The only 
way to use a debug probe on code in a partially reconfigurable module is to use a different 
project, either by creating project from scratch with the same files and setting (except for 
the partial reconfiguration setting), or by using a saved copy. This requires all functionality 
37 
be tested prior to making the project partially reconfigurable. The simplest method is to 
create two projects in adjacent directory structures which use the same source directories, 
one partially reconfigurable and the other not. Both projects would use all the same source 
files, but different project settings. 
The addresses which are specific to the various modules are needed for testing. 
They are extracted from the .ll file generated with the bitstream files. This file “shows the 
bitstream position of latches, flip-flops, LUTs, Block RAMs, and I/O block inputs and 
outputs. Bits are referenced by frame and bit number in the location file” [14].  See  
Chapter III.C for the details on the address determination process. 
B. TEST PLAN 
1. In the Vivado IDE, generate bitstream files. Note:  If the project generates the 
logical location file, bitstream can take up to an hour and a half. If the .ll file is 
not generated, it should complete in about 15 minutes. The .ll file generated 
by this setting lists the logical addresses, bit locations and physical/memory 
locations of logic where injection of configuration errors can potentially affect 
the performance of the design. 
2. In the Vivado IDE, generate the memory configuration files. The memory 
configuration part should be set to s25fl128sxxxxxx1. The Interface should be 
SPIx1. The bitstream file should be the one generated in Step 1. 
3. Connect the computer to the NEXYS 4 DDR board via the USB-micro USB 
cable, as depicted in Figure 11. 
38 
 
Figure 11. Nexys 4 DDR with USB connection to JTAG Port. Source: [15]. 
4. Ensure the power switch is in the ON Position and all other switches are in the 
OFF Position (locations of other switches depicted in Figure 12). The switches are 
located below the green light-emitting diodes (LEDs). 
 
Figure 12. Lower Half of Nexys 4 DDR Board. Source: [13]. 
39 
5. In the Hardware Manager, right click on the flash memory device 
(s25fl128sxxxxxx1-spi-x1_x2_x4_0) and select Program Configuration Memory 
Device. Set the Configuration file(s) to be those generated in Step 2. Select PRM 
file with the same name, but different extension as the Configuration file selected. 
Check the Erase, Program, and Verify boxes, if not already checked.  Left-click 
the OK Button. This is done so that the Replace method can be verified, so that 
mitigation can occur when Error Classification is enabled on the SEM, both of 
which access flash, or to reconfigure the FPGA more quickly. Because error 
classification and the Replace Method are not used in this thesis, this is not 
required, but is convenient for reducing reconfiguration time. 
6. From the Hardware Manager, right-click on “xc7a100t_a” and select “Program 
Device ….”  Select the bitstream file generated in Step 1 and left-click Program. 
This will start the probes. An alternate method is to press the PROG Button on the 
Nexys 4 DDR board. 
7. Verify the seven-segment displays indicate “obSErUE,” This means that the SEM 
is in the Observation Mode. 
8. Set the probe for hw_ila_1 to trigger on report_ready having a value of 1 and 
report having a value “0xXX_XXXX_XXXX_5045_XXXX_XXXX_XXXX.”  
The ASCII representation of a persistent error in the voterA of LRS is “TMHY 
PE1 SY01.”  This will capture the first error injection to be detected by the TMR. 
The following signals must be captured: errors_detected_by_TMR[191:0], 
injection_count [7:0], status_injection, u_ila_1_sem_idle (or sem_idle), 
injection_state, injection_testing, injection_sent, injection_strobe, report [103:0], 
report_ready, run, and test_exp. The waveform should look similar to Figure 13. 
Note: there are no waveforms displayed in the figure, because the debug probe 
has not been triggered. 
40 
 
Figure 13. Waveform Initial 
9. Move Switch 0 (the right most switch in Figure 12) to the ON Position. This will 
set the TMR Experiment in to the run mode. In this state, the TMR will report 
transient and persistent errors which can be captured by the probe. 
10. Set the probe to trigger by pressing the button which looks like an arrow which 
points to the right at a vertical bar. 
11. Move Switch 2 to the ON Position and verify that the seven-segment display says 
“IdLE”. 
12. Wait for up to 45 seconds. This should allow the probe to detect the triggering 
event. 
13. Verify that probe has triggered. This is achieved by looking to the right of the 
Name Heading. Other indications of the triggering is that the report text is 
“TMHY PE01 SY1” and the probe status indicating “Idle” after “Waiting to 
Trigger.”  If there is no text, the probe has not fully triggered. 
14. On hw_ila_1, verify that status_injection and sem_idle goes up and down in value 
over the captured waveform. Verify injection_testing has a constant value of 1, 
indicating that the test is running. Verify injection_state has a constant value of 7, 
which indicates that the SEM was ready for testing when the first injection 
41 
command was sent. Because the majority of bit locations within the address space 
are not essential, it is not expected to have multiple error detection messages 
simultaneously displayed in the same waveform. Additionally, almost all of the 
iterations of testing resulted in the TMR reporting a single error in a voter in the 
LRS, due to the high percentage of unused cells in it pblock. 
15. Save the waveform. There are two methods for this:  using a snip tool to capture 
an image of the window, and exporting the ILA data. To export the data, click the 
button (located immediately below the stop button) in the Waveform Panel, then 
select the format and filename before left-clicking the OK Button. 
16. On hw_ila_1, left-click the Run trigger immediate for this ILA core Button 
(looks like two adjacent triangles pointing to the right). This will capture the 
current values without waiting for the trigger values to be achieved. 
17. On hw_ila_1, verify that injection_count is 0xc0 in the first capture (all the way to 
the left). This indicates that all errors were injected. 
18. Verify that there are values other than 0 in each 16-hexadecimal character group 
in errors_detected_by_TMR[191:0]. The left-most 16-hexadecimal characters 
correspond to the errors injected into the register multY addresses. The middle 
group of 16 hexadecimal characters correspond to the errors injected into the 
register multX addresses. The right-most 16 hexadecimal characters indicate the 
errors detected while injecting errors into the LRS registers. Each non-zero bit in 
the corresponding 16 characters, indicates an error was detected by the TMR. 
19. Save the waveform as in Step 15 
20. Flip Switch 2 to the Off Position. 
21. Flip Switch 4 to the On Position. This will shift the SEM to the Observation State. 
In this state, errors will be detected. The seven-segment display should display 
“2BIT Err” along with the physical address, logical address, and the word address 
where the errors were detected. This indicates the SEM detected at least two 
errors in the same frame. Subsequent errors which are detected are not displayed. 
42 
C. TEST RESULTS 
Figure 14 depicts the waveforms of signals to and from the SEM starting with the 
first injection of an error. No errors were detected by the TMR within the three injections 
that occur in the capture. 
 
Figure 14. SEM Signals during First Injections in Series. 









Figure 15. Initial SEM Signals. 
44 
Errors detected by the TMR are tallied in the variable errors_detected_by_TMR. 
This information is compiled into a 192 bit array, which indicates whether each of the 64 
single bit errors injected into each of the LRS (locations 0–63), MultX (locations 64–127) 
and MultY (locations 128–191) pblocks by the SEM were detected. See Chapter III.C for 
justification of block error injections. Each bit position in the array indicates a potential 
error to be reported. If a ‘0’ is listed, no error was detected by the TMR. The value of ‘1’ 
indicates an error detection by the TMR. For readability, they are best viewed as a 
hexadecimal string. Configuration errors are persistent by nature. During testing, the SEM 
does not enter the Observation State, so the previous errors are not being repaired during 
this test. Taking these together, it can be seen that the TMR is not continuously reporting 
old persistent errors, but issuing a new error message whenever a new error is detected. If 
this were not the case, then after the first error, all bit locations would contain the value of 
‘1.’ 
Figure 16 depicts the value of recommended probes and a small number of 
additional probes captured after all errors have been injected. Because all injections have 
completed, there is no change in the waveform at this point.  
45 
 
Figure 16. Persistent Errors Detected by TMR. 
The last error report sent by the TMR (“TMHY TE03 SY1”) indicates a transient 
error was detected in the MUL X register (see Table 6 for the lookup table), however 
injection_count (“be”) indicates the last error was injected into the range of MUL Y 
register. This discrepancy originates from the way that the TMR reports errors. The TMR 
was not designed to handle multiple simultaneous errors with different syndromes. The 
result is a race condition where the first active syndrome is latched into the error report 
46 
string and reported while other errors are not. The best way around this is to inject errors 
and after determining if it was detected or not, clearing it. There are two options for clearing 
the error:  reconfiguring the entire FPGA (which stops all code execution and clears all 
memory) or having the SEM repair or replace the configuration memory, neither of which 
is possible programmatically without partial reconfiguration. With the ability to write to 
flash memory, some memory could be stored across resets, but that functionality has not 
yet been implemented in the CFTP. Attempting to inject errors manually did not result in 
detections by the TMR, despite the errors being detected by the SEM when it transitioned 
into the Observation State. In light of these factors, it was decided to inject multiple errors 
and track the detections by the TMR. 
Not all errors detected by the TMR were reported as persistent. When a persistent 
error is first detected, the TMR remembers the register where the error occurred. If the 
same error occurs within that same register or array location, the error is not reported again 
unless the error went away. When a persistent error clears, the error is reported initially as 
a transient error, as depicted in Figure 17. Testing showed that a small percentge (about 
one out of 64) of injections resulted in a transient error reported by the TMR. One 
hypothesis which could explain this is that the SEM is only able to inject a limited number 
of errors, and once this number is exceeded, earlier injected errors are released to allow the 
new injections. The occurance of transient errors is repeatable in the short term, however, 
they sometimes occur differently over hours/days. Temperature may also play a factor, as 
the highest ambient temperature accompanied the greatest occurance of transient errors. 
Data recorded at the highest temperatures is included in this thesis, because they best 
demonstrate the behavior of the TMR and SEM in the presence of errors. Further research, 
with either controlled or recorded temperatures, is needed to prove this hypothesis.  
Figure 17 depicts a series of runs with temperatures at least ten degrees higher than those 
of other runs. Due to the randomization of memory locations in successive compiles 
between collecting data for these figures, the number of errors and placement within the 
bitstreams cannot always be directly correlated. It should be noted that the error messages 
which are depicted do not correspond with the new error which was detected by the TMR. 
Rather, the TMR is reporting the first error in its list of currently active errors. When the 
47 
source of an error goes away (in this case, because it is no longer being injected), a 
Transient Error Message is issued for the absent error, which indicates the error no longer 
exists. 
 
Figure 17. Transient Error Detection by TMR 
For readability, the variable names and their values at the point of the detection of 
the transient error are depicted in Figure 18, separately from the waveform.  
48 
 
Figure 18. Transient Error Detection Variable Names and Values 
Figure 19 depicts the waveform during the injection of the first three bits of the last 
nibble (four bits or half a byte) of bits injected. It is rotated to allow more resolution. This 
provides the relative timing of when injected errors are detected by the TMR and the time 
it takes for the SEM to be ready to inject another error, when it is not transitioned into the 
Observation State to fix errors. Due to the Xilinx implementation process intentionally 
randomizing the locations of cells, and the necessity of reloading the entire FPGA after 
encountering an error which can’t be fixed, the current method was used of injecting 
multiple errors and tracking the results over all regions. 
49 
 
Figure 19. Transient Error Detections 
50 
After the waveforms were captured, transitioning the SEM into the Observation 
State display errors, as expected. This was evidenced by the 7-segment display indicating 
a 2-bit error and the frame and word addresses which correspond with the LRS (the first 
errors injected during testing). Additional information was also provided. The two left-
most LEDs immediately above the switches were lit, indicating that there was at least one 
essential error and that it was uncorrectable. This is expected when there are more than two 
errors in the same frame. Once this is detected by the SEM, the FPGA will need to be 
reconfigured for proper execution of the SEM. There were no strings of 0xF in the array 
errors_detected_by_tmr, so the TMR was fixing the errors. More errors are detected, 
however only the first are displayed. If the SEM were set up to automatically enter the 
Observation State and repair the error, only single-bit errors would be displayed, because 
every error would be removed once detected. Based on the timing of the TMR detecting of 





This project set out to add further protection and functionality to the CFTP 
experiment. Incorporation of the SEM for error correction and injection and adding 
constraints would reduce the errors incurred during testing. It was also hoped that means 
could be found to reduce the size of uploads, however that still requires further engineering 
beyond the scope of this thesis. 
Analyzing the time to detect and correct errors by the SEM and the current state of 
the CFTP resulted in the decision to attempt to correct errors using the Repair Method, 
which uses ECC to find and fix errors in a frame of the configuration memory. 
Errors were successfully injected into the system, and were detected by both the 
SEM and the TMR. Although the SEM failed to correct the errors, the TMR was successful 
in reporting and correcting errors. The SEM failure to correct can be attributed to 
incomplete implementation of partial reconfiguration. The project used was not a partial 
reconfiguration project. This was done to facilitate testing with probes, which do not work 
with partial reconfiguration. This resulted in the inability of the SEM to repair and/or 
replace errors. Errors are detected by the SEM, however when they are not fixed, currently 
active errors increase in number. When multiple errors are detected, the entire list is sent 
to the monitor interface by the SEM [5], however the code developed for this thesis only 
stores the first error in the list. This error, which may be a single-bit or double-bit error, is 
displayed on the seven-segment display, along with the addresses to identify the location 
of the error. 
Although the total of errrors reported by the TMR is not 100% of the errors injected, 
this was expected, because most errors are not essential. The SEM adds an additional vector 
for persistent error injection. Injecting errors into a range of addresses can increase the 
likelihood of the error being injected into an address which would generate an error which 
was detectable by the TMR, when the registers are constrained to a small area. 
52 
B. FUTURE WORK 
(1) Error injection in all five sections of TMR 
Errors should be injected into all five sections of the TMR. Currently, only LRS, 
register multX, and register multY have errors injected into them. Array multX and array 
multY should also have errors injected during testing, for completeness. Additional testing 
and development is necessary for the manual injection of single-bit errors. 
(2) Review the behavior of the TMR when multiple errors are reported 
During testing, errors in configuration sometimes were initially reported as 
transient, despite being persistent in nature. Every identified instance of a transient error 
was followed by a persistent error in the same register. A persistent error should be more 
important, as it doesn’t go away. This should be reflected in the reporting priorities. 
(3) Determine the reason for transient errors in the reporting of configuration 
errors 
Configuration errors do not go away without repair or replacement. The TMR 
experiment is set up to wait to determine if an error is persistent or not. It needs to be 
determined why the TMR declares an error as transient and then turns around to declare it 
as persistent, in as little as 10 TMR clock cycles, as depicted in Figure 17. 
(4) Characterize and incorporate error repair and/or error replacement by the 
SEM into the CFTP 
This task will take the project generated for this thesis and incorporate it into the 
CFTP experiment. It will also allow the full capabilities of the SEM to be used to protect 
the CFTP process. To achieve this, full partial reconfiguration will have to be implemented 
on the CFTM TMR experiment. Full characterization requires that single bit error 
injections also incorporporate error mitigation to provide an equivalent comparison. 
(5) Enable the uploading of non-monolithic bitstreams 
This remains an open issue, however, due to the launch of the spacecraft with the 
CFTP, achieving this will be more difficult. Both the ARM and the CFTP will require 
53 
updates to accomplish this task. Part of the groundwork exists for the CFTP, however the 
added multiplier require larger pblocks and the FPGA on the CFTP is different in size and 
capabilities. 
(6) Add watchdog timer to code to verify the SEM watchdog timer 
Watchdog timers ensure that software is still operating, even though the current 
operations are not generating an output. Watchdogs are usually included as a part of a loop, 
causing a signal to be driven high briefly at a fixed interval. This indicates both that the 
process is working, and that the pin is not stuck at one value. The SEM has a watchdog 
timer, called “status heartbeat” which activates about once every 150 clock cycles while in 
the Observation Mode [5]. While in normal operation, the TMR needs to know that it is 
being protected from configuration errors. Implementing a watchdog that monitors the 
heartbeat will ensure the continued functioning of the SEM. 
(7) Add ECC to RAM modules 
Currently, there are no checks on normal RAM. The SEM does not verify RAM, 
and the TMR experiment does not use any RAM in its operation. It is relatively simple to 
check for ECC errors on RAM modules, however the lack of usage leaves out this 
protection. The RAM modules built in to Vivado have the capability to inject, detect, and 
repair errors in much the same way as the SEM, but no logic guides this, so the user must 
insert their own into each RAM module is desired to inject errors, and then handle the 
indicator of errors. 
  
54 
THIS PAGE INTENTIONALLY LEFT BLANK  
55 
APPENDIX A. TOP-LEVEL AND MISCELLANEOUS CODE 
This section contains the top-level code module (Pr_example.v), a module to 
display text messages on the Nexys 4 DDR board’s 8-segment LED bank 
(Nexys5_8_segment_LED_driver.v), the constraints file which defines the Nexys 4 DDR 
board (Nexys4ddr_Master.xdc), and the logic and memory allocations for the project 
(Pr_example.xdc). 
Pr_example.v  and pr_example.xdc contain code copied from the Xilinx sample 
project and modified to instantiate the instances of code which are accessed directly for the 
SEM.  The Xilinx code copied from the sample project requires the use of Xilinx 







//   ____  ____ 
//  /   /\/   / 
// /___/  \  / 
// \   \   \/    Vendor:        Xilinx 
//  \   \        Module:        pr_example 
//  /   /        Filename:      pr_example.v 
// /___/   /\    Purpose:       Example top level. 
// \   \  /  \ 




// (c) Copyright 2014-2015 Xilinx, Inc. All rights reserved. 
56 
// 
// This file contains confidential and proprietary information 
// of Xilinx, Inc. and is protected under U.S. and 




// This disclaimer is not a license and does not grant any 
// rights to the materials distributed herewith. Except as 
// otherwise provided in a valid license issued to you by 
// Xilinx, and to the maximum extent permitted by applicable 
// law: (1) THESE MATERIALS ARE MADE AVAILABLE "AS IS" AND 
// WITH ALL FAULTS, AND XILINX HEREBY DISCLAIMS ALL 
WARRANTIES 
// AND CONDITIONS, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING 
// BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, NON- 
// INFRINGEMENT, OR FITNESS FOR ANY PARTICULAR PURPOSE; and 
// (2) Xilinx shall not be liable (whether in contract or tort, 
// including negligence, or under any other theory of 
// liability) for any loss or damage of any kind or nature 
// related to, arising under or in connection with these 
// materials, including for any direct, or any indirect, 
// special, incidental, or consequential loss or damage 
// (including loss of data, profits, goodwill, or any type of 
// loss or damage suffered as a result of any action brought 
// by a third party) even if such damage or loss was 
// reasonably foreseeable or Xilinx had been advised of the 
// possibility of the same. 
// 
// CRITICAL APPLICATIONS 
// Xilinx products are not designed or intended to be fail- 
// safe, or for use in any application requiring fail-safe 
57 
// performance, such as life-support or safety devices or 
// systems, Class III medical devices, nuclear facilities, 
// applications related to the deployment of airbags, or any 
// other applications that could lead to death, personal 
// injury, or severe property or environmental damage 
// (individually and collectively, "Critical 
// Applications"). Customer assumes the sole risk and 
// liability of any use of Xilinx products in Critical 
// Applications, subject only to applicable laws and 
// regulations governing limitations on product liability. 
// 
// THIS COPYRIGHT NOTICE AND DISCLAIMER MUST BE RETAINED AS 




// Module Description: 
// 
// This module instantiates the Partial Reconfiguration reference design. 
// It includes the SEM IP example design that has been modified to 
// include two Reconfigurable Partitions (RPs).  The first RP is a counter 
// that either counts up or down, and the second RP is a block RAM shifter 
// that either shifts data from left-to-right or right-to-left.  Both RPs are 




// Port Definition: 
// 
// Name                          Type   Description 




// clk                           input  System clock; the entire system is 
//                                      synchronized to this signal, which 
//                                      is distributed on a global clock 




// Parameter and Localparam Definition: 
// 
// Name                          Type   Description 
// ============================= ====== 
==================================== 
// TCQ                           int    Sets the clock-to-out for behavioral 








// +- sem_ultra_0_support_wrapper  (SEM controller and helper blocks) 
// | 
// | 
// \- IBUF (unisim) 
// 
///////////////////////////////////////////////////////////////////////////// 





module pr_example ( 
    input  wire        clk, 
// Switches 
    input  wire [15:0] SW, 
// LED signals 
    output wire        led_16bits_tri_o_15, 
    output wire        led_16bits_tri_o_14, 
    output wire        led_16bits_tri_o_13, 
    output wire        led_16bits_tri_o_12, 
    output wire        led_16bits_tri_o_11, 
    output wire        led_16bits_tri_o_10, 
    output wire        led_16bits_tri_o_9, 
    output wire        led_16bits_tri_o_8, 
    output wire        led_16bits_tri_o_7, 
    output wire        led_16bits_tri_o_6, 
    output wire        led_16bits_tri_o_5, 
    output wire        led_16bits_tri_o_4, 
    output wire        led_16bits_tri_o_3, 
    output wire        led_16bits_tri_o_2, 
    output wire        led_16bits_tri_o_1, 
    output wire        led_16bits_tri_o_0, 
//  7-segment display lines 
    output wire        CA, 
    output wire        CB, 
    output wire        CC, 
    output wire        CD, 
    output wire        CE, 
    output wire        CF, 
    output wire        CG, 
    output wire        DP, 




// Define local constants. 
/////////////////////////////////////////////////////////////////////////// 
    localparam TCQ = 1; 
// Injection points from .ll file 
// LRS Address is for TMR_exp/TMR_LRS_gen/LRSAr_reg[1] 
    parameter [11:0]    LRS_OFFSET          = 1701, 
// MultX Address is for 
TMR_exp/red_mult[1].TMR_multX/prod_voted_rA_reg[0] 
                        MULTX_OFFSET        = 1702, 
// MultY Address is for 
TMR_exp/red_mult[1].TMR_multY/prod_voted_rA_reg[0] 
                        MULTY_OFFSET        = 1702, 
// Double-bit Offset is for TMR_exp/TMR_LRS_gen/LRSAr_reg[17] 
                        DOUBLEX_OFFSET      = 1700; 
    parameter [31:0]    LRS_ADDR            = 32'h0002059f, 
                        MULTX_ADDR          = 32'h0002109f, 
                        MULTY_ADDR          = 32'h00020e9f; 
// The double bit uses the LRS Address and the DOUBLEX_OFFSET 
    parameter [13:0]    INITIAL_MESSAGE     = 14'h3000; 
    parameter [2:0]     TMR_CLOCK_DELAY     = 5, 
                        WAITING_TO_INJECT   = 0, 
                        REQUESTING_INJECTION= 1, 
                        INJECT_REQUESTED    = 2, 
                        INJECTION_BEGUN     = 3, 
                        INJECTION_DONE      = 4, 
                        RESET_REQUESTED     = 5, 
                        INIT_INJECTION      = 6, 
                        RESETTING           = 7; 
    parameter [3:0]     UNKNOWN             = 0, 
                        RESET_SENT          = 1, 
                        INITIALIZING        = 2, 
61 
                        INITIALIZED         = 3, 
                        OBSERVING           = 4, 
                        IDLE_REQUESTED      = 5, 
                        IDLE_SENT           = 6, 
                        SEM_READY           = 7; 
    parameter           TRUE                = 1'b1, 
                        FALSE               = 1'b0; 
    parameter [7:0]     MAX_INJECT          = 8'hc0; 
/////////////////////////////////////////////////////////////////////////// 
// Internal signals. 
/////////////////////////////////////////////////////////////////////////// 
    (* mark_debug = "true" *) wire        switch_valid; 
    (* mark_debug = "true" *) wire [15:0] switches; 
    (* mark_debug = "true" *) reg  [15:0] last_valid_switch; 
    reg         last_SW2, heartbeat_detected; 
//////////////////////////////////////////////////////////////// 
// Other SEM variables 
//////////////////////////////////////////////////////////////// 
    wire            icap_clk; 
    wire            sem_idle; 
    wire [31:0]     icap_o; 
    wire [31:0]     icap_i; 
    wire            icap_csib; 
    wire            icap_rdwrb; 
    (* mark_debug = "true" *) wire        status_heartbeat; 
    (* mark_debug = "true" *) wire        status_initialization; 
    (* mark_debug = "true" *) wire        status_observation; 
    (* mark_debug = "true" *) wire        status_correction; 
    (* mark_debug = "true" *) wire        status_classification; 
    (* mark_debug = "true" *) wire        status_injection; 
    (* mark_debug = "true" *) wire        status_essential; 
    (* mark_debug = "true" *) wire        status_uncorrectable; 
62 
    (* mark_debug = "true" *) wire        enter_idle_state; 
    (* mark_debug = "true" *) wire        sem_icap_grant; 
    (* mark_debug = "true" *) wire        sem_icap_request; 
    (* mark_debug = "true" *) wire        injection_strobe; 
    wire [63:0]     decoded_message; 
    reg  [3:0]      injection_prep_state; 
    reg  [15:0]     idle_count; 
    (* mark_debug = "true" *) reg  [7:0]      injection_count; 
    (* mark_debug = "true" *) reg             injection_testing; 
    wire            reset_sem, enter_observation_state; 
    (* mark_debug = "true" *) reg  [191:0]    errors_detected_by_TMR; 
    wire [31:0]     injection_address; 
    wire [11:0]     injection_offset; 
    (* mark_debug = "true" *) reg  [2:0]      injection_delay, injection_state; 
    (* mark_debug = "true" *) wire [3:0]      sem_prep; 
    wire            status_received; 
    reg             waiting_for_status, got_status; 
//////////////////////////////////////////////////////////////// 
// TMR Variables 
//////////////////////////////////////////////////////////////// 
    (* dont_touch = "true" *) wire [15:0] serial_no; 
    (* dont_touch = "true" *) wire [15:0] exp_status; 
    (* dont_touch = "true" *) wire [31:0] q_graphw; 
    (* mark_debug = "true" *) wire  report_ready; 
    (* dont_touch = "true" *) wire clk_50i, clk_50a, clk_50b, clk_50c, clk_200, 
TMR_reset, locked_master; 
    (* dont_touch = "true" *) wire report_rcvd, run, test_exp;  //Set by X1 when 
report received and outputting to ARM started 
    (* mark_debug = "true" *) wire [103:0] report; //13 Bytes - ASCII 
    wire [7:0]  led_out; 
//////////////////////////////////////////////////////////////// 
// Initialize Variables 
63 
//////////////////////////////////////////////////////////////// 
    initial begin 
        injection_state <= INIT_INJECTION; 
        injection_count <= 8'hff; 
    end 
    assign TMR_reset = 0; 
//////////////////////////////////////////////////////////////// 
// Instantiate the clock source 
//////////////////////////////////////////////////////////////// 
//---------------------------------------------------------------------------- 
//  Output     Output      Phase    Duty Cycle   Pk-to-Pk     Phase 






// Input Clock   Freq (MHz)    Input Jitter (UI) 
//---------------------------------------------------------------------------- 
// __primary_________100.000____________0.010 
    master_clock clock_1( 
        // Clock in ports 
        .clk_in1(clk),          // input clk_in1 
        // Clock out ports 
        .clk_50(clk_50i),       // output clk_50 
        .clk_200(clk_200), 
        .clk_100(icap_clk), 
        .clk_outa(clk_50a), 
        .clk_outb(clk_50b), 
        .clk_outc(clk_50c), 
        // Status and control signals 
        .reset(TMR_reset),      // input reset 
64 
        .locked(locked_master)  // output locked 
    ); 
///////////////////////////////////////////////////////////////////////////// 
// Instantiate the TMR 
///////////////////////////////////////////////////////////////////////////// 
    TMR_mult_exp TMR_exp( 
        .clock (clk_50i),  // 50 MHz master clock 
        .clk_50A (clk_50a),  //50 MHz clock, TMR mod A enabled by run_exp 
        .clk_50B (clk_50b),  //50 MHz clock, TMR mod B enabled by run_exp 
        .clk_50C (clk_50c),  //50 MHz clock, TMR mod C enabled by run_exp 
        .run (run),  //from GX command 
        .test_exp (test_exp), // from TX command 
        .report_rcvd (report_rcvd),   //flag that report received from experiment 
        .report_ready (report_ready), //report msg available from experiment 
        .reportw (report), //13 Bytes - ASCII 
        .exp_status (exp_status),  // wire [15:0] error status from experiment  3/15/18 
        .vers_q_graph  (q_graphw) 
    ); 
    assign serial_no = q_graphw[31:16]; 
    assign report_rcvd = report_ready; 
///////////////////////////////////////////////////////////////////////////// 
// SEM Architectural Code 
///////////////////////////////////////////////////////////////////////////// 
    assign sem_icap_grant = TRUE; 
    assign reset_sem = ((sem_prep == RESET_SENT) || (SW[5] && sem_idle)) ? 
TRUE : FALSE; 
    assign enter_observation_state = ((sem_prep == INITIALIZED) || (SW[4] && 
sem_idle)) ? TRUE : FALSE; 
    assign enter_idle_state = ((sem_prep == OBSERVING) || (SW[3] && 
status_observation)) ? TRUE : FALSE; 
    assign sem_idle = !(status_initialization || status_observation || 
                                status_correction || status_classification || status_injection); 
    assign injection_address = (injection_count[7:6] == 2'b00) ? LRS_ADDR : 
65 
                               (injection_count[7:6] == 2'b01) ? MULTX_ADDR : 
                               (injection_count[7:6] == 2'b10) ? MULTY_ADDR : 0; 
    assign injection_offset  = (injection_count[7:6] == 2'b00) ? LRS_OFFSET   + 
injection_count [5:0] - 32 : 
                               (injection_count[7:6] == 2'b01) ? MULTX_OFFSET + 
injection_count [5:0] - 32 : 
                               (injection_count[7:6] == 2'b10) ? MULTY_OFFSET + 
injection_count [5:0] - 32 : 0; 
    assign injection_strobe  = injection_state == REQUESTING_INJECTION; 
    assign sem_prep   = injection_prep_state; 
/////////////////////////////////////////////////////////////////////////// 
// Instantiate the support wrapper layer, which includes the SEM 
// controller, configuration primitives, and the IP helper blocks 
/////////////////////////////////////////////////////////////////////////// 
  sem_0_support_wrapper sem_wrapper ( 
    .icap_clk (icap_clk), 
    .status_heartbeat(status_heartbeat), 
    .status_initialization(status_initialization), 
    .status_observation(status_observation), 
    .status_correction(status_correction), 
    .status_classification(status_classification), 
    .status_injection(status_injection), 
    .status_essential(status_essential), 
    .status_uncorrectable(status_uncorrectable), 
    .switch_valid(switch_valid), 
    .decoded_message(decoded_message), 
    .request_sem_status(FALSE), 
    .enter_idle_state(enter_idle_state), 
    .enter_observation_state(enter_observation_state), 
    .reset_sem(reset_sem), 
    .injection_strobe(injection_strobe), 
    .injection_address(injection_address[24:0]), 
    .injection_offset(injection_offset), 
66 
    .inject_LRS_error(SW[6]), 
    .inject_persistent_seu(SW[10]), 
    .inject_MultX_error(SW[7]), 
    .inject_MultY_error(SW[8]), 
    .inject_temporary_deu(SW[9]), 
    .icap_o(icap_o), 
    .icap_i(icap_i), 
    .icap_csib(icap_csib), 
    .icap_rdwrb(icap_rdwrb), 
    .icap_grant(sem_icap_grant), 
    .icap_request(sem_icap_request), 
    .error_addr(switches[15:11]), 
    .status_received(status_received) 
); 
    always @(posedge icap_clk) begin 
// Check if switch set to start injection testing 
        if(!injection_testing && SW[2]) begin 
            injection_testing <= TRUE; 
            injection_prep_state <= UNKNOWN; 
        end 
// Check if last injection has been made 
        else if(injection_testing && injection_count == 8'hc0) injection_testing <= 
FALSE; 
// Check for starting point in LRS_cycle to begin injecting errors. 
        else if(injection_testing) begin 
            case(sem_prep) 
                UNKNOWN         : begin 
                        if(status_essential || status_uncorrectable) begin 
                            if(sem_idle) begin 
                                injection_prep_state <= RESET_SENT; 
                            end 
                        end 
67 
                        else if(status_observation) injection_prep_state <= OBSERVING; 
                        else if(sem_idle) injection_prep_state <= SEM_READY; 
                    end 
                RESET_SENT      : begin 
                        waiting_for_status <= TRUE; 
                        injection_prep_state <= INITIALIZING; 
                     end 
                INITIALIZING    : if(!status_initialization && ((waiting_for_status && 
heartbeat_detected) || !waiting_for_status)) injection_prep_state <= INITIALIZED; 
                INITIALIZED     : begin 
                        if(status_observation) injection_prep_state <= OBSERVING; 
                        else if(sem_idle) injection_prep_state <= SEM_READY; 
                    end 
                OBSERVING       : begin 
                        injection_prep_state <= IDLE_REQUESTED; 
                        idle_count <= 0; 
                    end 
                IDLE_REQUESTED  : begin 
                        if(sem_idle) begin 
                            injection_prep_state <= SEM_READY; 
                            idle_count <= 0; 
                        end 
                        else if(idle_count == 10'h3ff) injection_prep_state <= 
OBSERVING; 
                        else idle_count <= idle_count + 1; 
                    end 
                SEM_READY       : begin 
                        if(!SW[2] && (injection_count != MAX_INJECT)) begin 
                            injection_testing <= FALSE; 
                            injection_prep_state <= UNKNOWN; 
                            waiting_for_status <= FALSE; 
                        end 
68 
                    end 
                default         : ; 
            endcase 
        end 
        if(!SW[0]) injection_prep_state <= UNKNOWN; 
    end 
    always @(posedge icap_clk) begin 
        case(injection_state) 
            WAITING_TO_INJECT: begin 
                    if(injection_delay == TMR_CLOCK_DELAY) begin 
                        if(sem_idle && ((MAX_INJECT > injection_count ) || 
(injection_count == 8'hff))) begin 
                            injection_state <= REQUESTING_INJECTION; 
                            injection_count <= injection_count + 1; 
                        end 
                    end 
                end 
            REQUESTING_INJECTION: injection_state <= INJECT_REQUESTED; 
            INJECT_REQUESTED    : if(status_injection) injection_state <= 
INJECTION_BEGUN; 
            INJECTION_BEGUN     : if(!status_injection) injection_state <= 
INJECTION_DONE; 
            INJECTION_DONE      : begin 
                    if(injection_count == MAX_INJECT) injection_state <= 
INIT_INJECTION; 
                end 
            INIT_INJECTION : begin 
                    if((SW[2] && !last_SW2) && (injection_count >= MAX_INJECT)) 
begin //Reinitialize testing values 
                        injection_state <= WAITING_TO_INJECT; 
                        injection_count <= 8'hff; 
                    end 
                end 
69 
        endcase 
        last_SW2 <= SW[2]; 
        if(!SW[2]) injection_state <= INIT_INJECTION; 
    end 
    always @(posedge clk_50i) begin 
        if(injection_testing && (sem_prep == SEM_READY)) begin 
            if((injection_delay == 0) && (report_ready) && (report[71:48] == " RE")) 
injection_delay <= 1; 
            else if((injection_delay > 0) && (injection_delay < 
TMR_CLOCK_DELAY)) 
                injection_delay <= injection_delay + 1; 
            else if(injection_count < MAX_INJECT) begin 
                if (report_ready && (report[71:48] == " PE")) 
errors_detected_by_TMR[injection_count] <= TRUE; 
            end 
        end 
        else if(!injection_testing || (sem_prep != SEM_READY)) injection_delay <= 
0; 
        if(injection_count == 8'hff) errors_detected_by_TMR <= 
19'h0000000000000000000000000; 
    end 
    always @(posedge icap_clk) begin 
        if(waiting_for_status) begin 
            if(status_received) got_status <= TRUE; 
            if(status_heartbeat) heartbeat_detected <= TRUE; 
        end 
        else begin 
            got_status <= FALSE; 
            heartbeat_detected <= FALSE; 
        end 
    end 
///////////////////////////////////////////////////////////////// 
// Route signals to LEDs 
70 
///////////////////////////////////////////////////////////////// 
    assign led_16bits_tri_o_8 = status_heartbeat; 
    assign led_16bits_tri_o_9 = status_initialization; 
    assign led_16bits_tri_o_10 = status_observation; 
    assign led_16bits_tri_o_11 = status_correction; 
    assign led_16bits_tri_o_12 = status_classification; 
    assign led_16bits_tri_o_13 = status_injection; 
    assign led_16bits_tri_o_14 = status_essential; 
    assign led_16bits_tri_o_15 = status_uncorrectable; 
    assign led_16bits_tri_o_7 = SW[7]; 
    assign led_16bits_tri_o_6 = SW[6]; 
    assign led_16bits_tri_o_5 = SW[5]; 
    assign led_16bits_tri_o_4 = SW[4]; 
    assign led_16bits_tri_o_3 = SW[3]; 
    assign led_16bits_tri_o_2 = SW[2]; 
    assign led_16bits_tri_o_1 = SW[1]; 
    assign led_16bits_tri_o_0 = SW[0]; 
///////////////////////////////////////////////////////////////// 
// Route Switches for initiating canned TMR and SEM Messages 
///////////////////////////////////////////////////////////////// 
    assign run         = SW[0];     // Start the TMR interface to track status. 
    assign test_exp    = SW[1];     // Execute the TMR error testing 
    assign switches[0] = FALSE; 
    assign switches[1] = FALSE; 
    assign switches[2] = SW[2];     // Request Status 
    assign switches[3] = SW[3];     // Go into Idle State 
    assign switches[4] = SW[4];     // Enter Observe State 
    assign switches[5] = SW[5];     // Enter Reset State 
    assign switches[6] = SW[6];     // Inject Single-bit Error in TMR_LRS Module 
    assign switches[7] = SW[7];     // Inject Persistent Single-bit Error in TMR_LRS 
Module 
    assign switches[8] = SW[8];     // Inject Single-bit Error in TMR_MultX Module 
71 
    assign switches[9] = SW[9];     // Inject Single-bit Error in TMR_MultY Module 
    assign switches[10] = SW[10];   // Inject Double-bit Error in TMR_LRS Module 
    assign switches[11] = SW[11]; 
    assign switches[12] = SW[12]; 
    assign switches[13] = SW[13]; 
    assign switches[14] = SW[14];    // Inject Error 
    assign switches[15] = SW[15]; 
/////////////////////////////////////////////////////////////////////////// 
// Switch validation code to prevent activation of multiple swithches simultaneously 
/////////////////////////////////////////////////////////////////////////// 
    always @(posedge icap_clk) begin 
        if(switch_valid) begin 
            last_valid_switch <= switches; 
        end 
        else if(!switch_valid && (switches == 0)) last_valid_switch <= switches; 
    end 
    assign switch_valid =  ((((switches & 10'h3ff) == 16'h0004) || ((switches & 
10'h3ff) == 16'h0008) || 
                            ((switches & 10'h3ff) == 16'h0010) || ((switches & 10'h3ff) == 
16'h0020) || 
                            ((switches & 10'h3ff) == 16'h0040) || ((switches & 10'h3ff) == 
16'h0080) || 
                            ((switches & 10'h3ff) == 16'h0100) || ((switches & 10'h3ff) == 
16'h0200)) && 
                            (last_valid_switch != switches)) || (injection_state == 
REQUESTING_INJECTION) || 
                            (sem_prep == RESET_SENT) || (sem_prep == OBSERVING) || 
                            ((sem_prep == UNKNOWN) && status_observation); 
///////////////////////////////////////////////////////////////////////////// 
// 7-segment display driver code 
///////////////////////////////////////////////////////////////////////////// 
    nexys5_8_segment_led_driver display_driver( 
        .clk(icap_clk), 
72 
        .text_in(decoded_message), 
        .AN(AN), 
        .CA(CA), 
        .CB(CB), 
        .CC(CC), 
        .CD(CD), 
        .CE(CE), 
        .CF(CF), 
        .CG(CG), 
        .DP(DP) 
    ); 
// ICAPE2: Internal Configuration Access Port 
//         7 Series 
// Xilinx HDL Libraries Guide, version 14.7 
    ICAPE2 #( 
       .DEVICE_ID(32'h3631093),     // Specifies the pre-programmed Device ID 
value to be used for simulation 
                                   // purposes. 
                                   // Device ID for XC7A100T is 3631093 
                                   // Device ID for XC7K325T (the default value) is 3651093 
       .ICAP_WIDTH("X32"),         // Specifies the input and output data width. 
       .SIM_CFG_FILE_NAME("None")  // Specifies the Raw Bitstream (RBT) file 
to be parsed by the simulation 
                                   // model. 
    ) 
    ICAPE2_inst ( 
       .O(icap_o),         // 32-bit output: Configuration data output bus 
       .CLK(icap_clk),     // 1-bit input: Clock Input 
       .CSIB(icap_csib),   // 1-bit input: Active-Low ICAP Enable 
       .I(icap_i),         // 32-bit input: Configuration data input bus 
       .RDWRB(icap_rdwrb)  // 1-bit input: Read/Write Select input 
    ); 
73 
// End of ICAPE2_inst instantiation 
endmodule 
1. Nexys5_8_segment_LED_driver.v 
`timescale 1ns / 1ps 
////////////////////////////////////////////////////////////////////////////////// 
// Company: Naval Postgraduate School 
// Engineer: Stuart Archer 
// 
// Create Date: 01/29/2019 12:17:25 PM 
// Design Name: TMR_SEM 
// Module Name: nexys5_8_segment_led_driver 
// Project Name: 
// Target Devices: 






// Revision 0.01 - File Created 




    input wire clk, 
    input wire [63:0] text_in, 
    output wire [7:0] AN, 
    output wire CA, 
    output wire CB, 
    output wire CC, 
    output wire CD, 
74 
    output wire CE, 
    output wire CF, 
    output wire CG, 
    output wire DP 
); 
    (* mark_debug = "true" *) reg  [2:0]  cycle, next_cycle; 
    reg  [13:0] count; 
    (* mark_debug = "true" *) wire [7:0]  text_char, out_cells; 
    (* mark_debug = "true" *) reg  [7:0]  new_text[7:0]; 
    integer     i; 
    assign DP = out_cells[7]; 
    assign CA = out_cells[0]; 
    assign CB = out_cells[1]; 
    assign CC = out_cells[2]; 
    assign CD = out_cells[3]; 
    assign CE = out_cells[4]; 
    assign CF = out_cells[5]; 
    assign CG = out_cells[6]; 
    parameter [7:0] SE0 = ~8'h3f, 
                    SE1 = ~8'h06, 
                    SE2 = ~8'h5b, 
                    SE3 = ~8'h4f, 
                    SE4 = ~8'h66, 
                    SE5 = ~8'h6d, 
                    SE6 = ~8'h7d, 
                    SE7 = ~8'h07, 
                    SE8 = ~8'h7f, 
                    SE9 = ~8'h67, 
                    SEA = ~8'h77, 
                    SEB = ~8'h7c, 
                    SEC = ~8'h39, 
                    SED = ~8'h5e, 
75 
                    SEE = ~8'h79, 
                    SEF = ~8'h71, 
                    SEG = ~8'h6f, 
                    SEH = ~8'h74, 
                    SEI = ~8'h30, 
                    SEJ = ~8'h1e, 
                    SEK = ~8'h76, 
                    SEL = ~8'h38, 
                    SEM = ~8'h49, 
                    SEN = ~8'h54, 
                    SEO = ~8'h5c, 
                    SEP = ~8'h73, 
                    SER = ~8'h50, 
                    SES = ~8'h4d, 
                    SET = ~8'h31, 
                    SEU = ~8'h1c, 
                    SEV = ~8'h3e, 
                    SEW = ~8'h7e, 
                    SEX = ~8'h76, 
                    SEY = ~8'h72, 
                    SEdash = ~8'h40, 
                    SE_ = ~8'h08; 
    parameter [7:0] ZERO2  = 8'h01, 
                    ONE2   = 8'h02, 
                    TWO2   = 8'h04, 
                    THREE2 = 8'h08, 
                    FOUR2  = 8'h10, 
                    FIVE2  = 8'h20, 
                    SIX2   = 8'h40, 
                    SEVEN2 = 8'h80; 
    parameter [2:0] ZERO   = 8'd0, 
                    ONE    = 8'd1, 
76 
                    TWO    = 8'd2, 
                    THREE  = 8'd3, 
                    FOUR   = 8'd4, 
                    FIVE   = 8'd5, 
                    SIX    = 8'd6, 
                    SEVEN  = 8'd7; 
    initial begin 
        next_cycle = ZERO; 
    end     // initial 
    always @(posedge clk) begin 
        count <= count + 1; 
        if(count == 13'h1fff) begin 
            cycle <= next_cycle; 
            case(cycle) 
                7 : new_text[cycle] = text_in[63:56]; 
                6 : new_text[cycle] = text_in[55:48]; 
                5 : new_text[cycle] = text_in[47:40]; 
                4 : new_text[cycle] = text_in[39:32]; 
                3 : new_text[cycle] = text_in[31:24]; 
                2 : new_text[cycle] = text_in[23:16]; 
                1 : new_text[cycle] = text_in[15:8]; 
                0 : new_text[cycle] = text_in[7:0]; 
            endcase 
            next_cycle = next_cycle + 1; 
        end 
    end 
    assign text_char =  (cycle == 7) ? new_text[7][7:0]: 
                        (cycle == 6) ? new_text[6][7:0]: 
                        (cycle == 5) ? new_text[5][7:0]: 
                        (cycle == 4) ? new_text[4][7:0]: 
                        (cycle == 3) ? new_text[3][7:0]: 
                        (cycle == 2) ? new_text[2][7:0]: 
77 
                        (cycle == 1) ? new_text[1][7:0]: 
                        (cycle == 0) ? new_text[0][7:0]:8'h00; 
    assign out_cells =  (text_char == 8'h30) ? SE0 : 
                        (text_char == 8'h31) ? SE1 : 
                        (text_char == 8'h32) ? SE2 : 
                        (text_char == 8'h33) ? SE3 : 
                        (text_char == 8'h34) ? SE4 : 
                        (text_char == 8'h35) ? SE5 : 
                        (text_char == 8'h36) ? SE6 : 
                        (text_char == 8'h37) ? SE7 : 
                        (text_char == 8'h38) ? SE8 : 
                        (text_char == 8'h39) ? SE9 : 
                        ((text_char == 8'h41) || (text_char == 8'h61)) ? SEA : 
                        ((text_char == 8'h42) || (text_char == 8'h62)) ? SEB : 
                        ((text_char == 8'h43) || (text_char == 8'h63)) ? SEC : 
                        ((text_char == 8'h44) || (text_char == 8'h64)) ? SED : 
                        ((text_char == 8'h45) || (text_char == 8'h65)) ? SEE : 
                        ((text_char == 8'h46) || (text_char == 8'h66)) ? SEF : 
                        ((text_char == 8'h47) || (text_char == 8'h67)) ? SEG : 
                        ((text_char == 8'h48) || (text_char == 8'h68)) ? SEH : 
                        ((text_char == 8'h49) || (text_char == 8'h69)) ? SEI : 
                        ((text_char == 8'h4a) || (text_char == 8'h6a)) ? SEJ : 
                        ((text_char == 8'h4b) || (text_char == 8'h6b)) ? SEK : 
                        ((text_char == 8'h4c) || (text_char == 8'h6c)) ? SEL : 
                        ((text_char == 8'h4d) || (text_char == 8'h6d)) ? SEM : 
                        ((text_char == 8'h4e) || (text_char == 8'h6e)) ? SEN : 
                        ((text_char == 8'h4f) || (text_char == 8'h6f)) ? SEO : 
                        ((text_char == 8'h50) || (text_char == 8'h70)) ? SEP : 
                        ((text_char == 8'h52) || (text_char == 8'h72)) ? SER : 
                        ((text_char == 8'h53) || (text_char == 8'h73)) ? SES : 
                        ((text_char == 8'h54) || (text_char == 8'h74)) ? SET : 
                        ((text_char == 8'h55) || (text_char == 8'h75)) ? SEU : 
78 
                        ((text_char == 8'h56) || (text_char == 8'h76)) ? SEV : 
                        ((text_char == 8'h57) || (text_char == 8'h77)) ? SEW : 
                        ((text_char == 8'h58) || (text_char == 8'h78)) ? SEX : 
                        ((text_char == 8'h59) || (text_char == 8'h79)) ? SEY : 
                        (text_char == 8'h2d) ? SEdash : 
                        (text_char == 8'h5f) ? SE_ : 8'hff; 
    assign AN =         (cycle == ZERO)  ? ~ZERO2  : 
                        (cycle == ONE)   ? ~ONE2   : 
                        (cycle == TWO)   ? ~TWO2   : 
                        (cycle == THREE) ? ~THREE2 : 
                        (cycle == FOUR)  ? ~FOUR2  : 
                        (cycle == FIVE)  ? ~FIVE2  : 
                        (cycle == SIX)   ? ~SIX2   : ~SEVEN2 ; 
Endmodule 
2. Nexy4ddr_Master.xdc 
## This file is a general .xdc for the Nexys4 DDR Rev. C 
## To use it in a project: 
## - uncomment the lines corresponding to used pins 
## - rename the used ports (in each line, after get_ports) according to the top level 
signal names in the project 
## - FPGA is Artix-7, (xc7a100tcsg324-3)  Speed Class 1 
## - 12/13/17 HHL LED[0:15] activated 
## Clock signal 
set_property -dict {PACKAGE_PIN E3 IOSTANDARD LVCMOS33} [get_ports 
clk] 
set_property CLOCK_DEDICATED_ROUTE FALSE [get_nets 
clock_1/inst/clk_50] 
##Switches 
set_property -dict {PACKAGE_PIN J15 IOSTANDARD LVCMOS33} [get_ports 
SW[0]] 
set_property -dict {PACKAGE_PIN L16 IOSTANDARD LVCMOS33} 
[get_ports SW[1]] 
79 
set_property -dict {PACKAGE_PIN M13 IOSTANDARD LVCMOS33} 
[get_ports SW[2]] 
set_property -dict {PACKAGE_PIN R15 IOSTANDARD LVCMOS33} 
[get_ports SW[3]] 
set_property -dict {PACKAGE_PIN R17 IOSTANDARD LVCMOS33} 
[get_ports SW[4]] 
set_property -dict {PACKAGE_PIN T18 IOSTANDARD LVCMOS33} 
[get_ports SW[5]] 
set_property -dict {PACKAGE_PIN U18 IOSTANDARD LVCMOS33} 
[get_ports SW[6]] 
set_property -dict {PACKAGE_PIN R13 IOSTANDARD LVCMOS33} 
[get_ports SW[7]] 
set_property -dict {PACKAGE_PIN T8 IOSTANDARD LVCMOS18} [get_ports 
SW[8]] 
set_property -dict {PACKAGE_PIN U8 IOSTANDARD LVCMOS18} [get_ports 
SW[9]] 
set_property -dict {PACKAGE_PIN R16 IOSTANDARD LVCMOS33} 
[get_ports SW[10]] 
set_property -dict {PACKAGE_PIN T13 IOSTANDARD LVCMOS33} 
[get_ports SW[11]] 
set_property -dict {PACKAGE_PIN H6 IOSTANDARD LVCMOS33} [get_ports 
SW[12]] 
set_property -dict {PACKAGE_PIN U12 IOSTANDARD LVCMOS33} 
[get_ports SW[13]] 
set_property -dict {PACKAGE_PIN U11 IOSTANDARD LVCMOS33} 
[get_ports SW[14]] 
set_property -dict {PACKAGE_PIN V10 IOSTANDARD LVCMOS33} 
[get_ports SW[15]] 
## LEDs 
set_property -dict {PACKAGE_PIN H17 IOSTANDARD LVCMOS33} 
[get_ports led_16bits_tri_o_0] 
set_property -dict {PACKAGE_PIN K15 IOSTANDARD LVCMOS33} 
[get_ports led_16bits_tri_o_1] 
set_property -dict {PACKAGE_PIN J13 IOSTANDARD LVCMOS33} [get_ports 
led_16bits_tri_o_2] 
set_property -dict {PACKAGE_PIN N14 IOSTANDARD LVCMOS33} 
[get_ports led_16bits_tri_o_3] 
80 
set_property -dict {PACKAGE_PIN R18 IOSTANDARD LVCMOS33} 
[get_ports led_16bits_tri_o_4] 
set_property -dict {PACKAGE_PIN V17 IOSTANDARD LVCMOS33} 
[get_ports led_16bits_tri_o_5] 
set_property -dict {PACKAGE_PIN U17 IOSTANDARD LVCMOS33} 
[get_ports led_16bits_tri_o_6] 
set_property -dict {PACKAGE_PIN U16 IOSTANDARD LVCMOS33} 
[get_ports led_16bits_tri_o_7] 
set_property -dict {PACKAGE_PIN V16 IOSTANDARD LVCMOS33} 
[get_ports led_16bits_tri_o_8] 
set_property -dict {PACKAGE_PIN T15 IOSTANDARD LVCMOS33} 
[get_ports led_16bits_tri_o_9] 
set_property -dict {PACKAGE_PIN U14 IOSTANDARD LVCMOS33} 
[get_ports led_16bits_tri_o_10] 
set_property -dict {PACKAGE_PIN T16 IOSTANDARD LVCMOS33} 
[get_ports led_16bits_tri_o_11] 
set_property -dict {PACKAGE_PIN V15 IOSTANDARD LVCMOS33} 
[get_ports led_16bits_tri_o_12] 
set_property -dict {PACKAGE_PIN V14 IOSTANDARD LVCMOS33} 
[get_ports led_16bits_tri_o_13] 
set_property -dict {PACKAGE_PIN V12 IOSTANDARD LVCMOS33} 
[get_ports led_16bits_tri_o_14] 
set_property -dict {PACKAGE_PIN V11 IOSTANDARD LVCMOS33} 
[get_ports led_16bits_tri_o_15] 
##7 segment display 
set_property -dict {PACKAGE_PIN T10 IOSTANDARD LVCMOS33} 
[get_ports CA] 
set_property -dict {PACKAGE_PIN R10 IOSTANDARD LVCMOS33} 
[get_ports CB] 
set_property -dict {PACKAGE_PIN K16 IOSTANDARD LVCMOS33} 
[get_ports CC] 
set_property -dict {PACKAGE_PIN K13 IOSTANDARD LVCMOS33} 
[get_ports CD] 
set_property -dict {PACKAGE_PIN P15 IOSTANDARD LVCMOS33} 
[get_ports CE] 
set_property -dict {PACKAGE_PIN T11 IOSTANDARD LVCMOS33} 
[get_ports CF] 
81 
set_property -dict {PACKAGE_PIN L18 IOSTANDARD LVCMOS33} 
[get_ports CG] 
set_property -dict {PACKAGE_PIN H15 IOSTANDARD LVCMOS33} 
[get_ports DP] 
set_property -dict {PACKAGE_PIN J17 IOSTANDARD LVCMOS33} [get_ports 
AN[0]] 
set_property -dict {PACKAGE_PIN J18 IOSTANDARD LVCMOS33} [get_ports 
AN[1]] 
set_property -dict {PACKAGE_PIN T9 IOSTANDARD LVCMOS33} [get_ports 
AN[2]] 
set_property -dict {PACKAGE_PIN J14 IOSTANDARD LVCMOS33} [get_ports 
AN[3]] 
set_property -dict {PACKAGE_PIN P14 IOSTANDARD LVCMOS33} 
[get_ports AN[4]] 
set_property -dict {PACKAGE_PIN T14 IOSTANDARD LVCMOS33} 
[get_ports AN[5]] 
set_property -dict {PACKAGE_PIN K2 IOSTANDARD LVCMOS33} [get_ports 
AN[6]] 
set_property -dict {PACKAGE_PIN U13 IOSTANDARD LVCMOS33} 
[get_ports AN[7]] 
#### Debug Probes 
create_debug_core u_ila_0 ila 
set_property ALL_PROBE_SAME_MU true [get_debug_cores u_ila_0] 
set_property ALL_PROBE_SAME_MU_CNT 1 [get_debug_cores u_ila_0] 
set_property C_ADV_TRIGGER false [get_debug_cores u_ila_0] 
set_property C_DATA_DEPTH 8192 [get_debug_cores u_ila_0] 
set_property C_EN_STRG_QUAL false [get_debug_cores u_ila_0] 
set_property C_INPUT_PIPE_STAGES 0 [get_debug_cores u_ila_0] 
set_property C_TRIGIN_EN false [get_debug_cores u_ila_0] 
set_property C_TRIGOUT_EN false [get_debug_cores u_ila_0] 
set_property port_width 1 [get_debug_ports u_ila_0/clk] 
connect_debug_port u_ila_0/clk [get_nets [list icap_clk]] 
set_property PROBE_TYPE DATA_AND_TRIGGER [get_debug_ports 
u_ila_0/probe0] 
set_property port_width 104 [get_debug_ports u_ila_0/probe0] 
82 
connect_debug_port u_ila_0/probe0 [get_nets [list report[0] report[1] report[2] 
report[3] report[4] report[5] report[6] report[7] report[8] report[9] report[10] report[11] 
report[12] report[13] report[14] report[15] report[16] report[17] report[18] report[19] 
report[20] report[21] report[22] report[23] report[24] report[25] report[26] report[27] 
report[28] report[29] report[30] report[31] report[32] report[33] report[34] report[35] 
report[36] report[37] report[38] report[39] report[40] report[41] report[42] report[43] 
report[44] report[45] report[46] report[47] report[48] report[49] report[50] report[51] 
report[52] report[53] report[54] report[55] report[56] report[57] report[58] report[59] 
report[60] report[61] report[62] report[63] report[64] report[65] report[66] report[67] 
report[68] report[69] report[70] report[71] report[72] report[73] report[74] report[75] 
report[76] report[77] report[78] report[79] report[80] report[81] report[82] report[83] 
report[84] report[85] report[86] report[87] report[88] report[89] report[90] report[91] 
report[92] report[93] report[94] report[95] report[96] report[97] report[98] report[99] 
report[100] report[101] report[102] report[103]]] 
create_debug_port u_ila_0 probe 
set_property PROBE_TYPE DATA_AND_TRIGGER [get_debug_ports 
u_ila_0/probe1] 
set_property port_width 1 [get_debug_ports u_ila_0/probe1] 
connect_debug_port u_ila_0/probe1 [get_nets [list report_ready]] 
create_debug_port u_ila_0 probe 
set_property PROBE_TYPE DATA_AND_TRIGGER [get_debug_ports 
u_ila_0/probe2] 
set_property port_width 1 [get_debug_ports u_ila_0/probe2] 
connect_debug_port u_ila_0/probe2 [get_nets [list run]] 
create_debug_port u_ila_0 probe 
set_property PROBE_TYPE DATA_AND_TRIGGER [get_debug_ports 
u_ila_0/probe3] 
set_property port_width 1 [get_debug_ports u_ila_0/probe3] 
connect_debug_port u_ila_0/probe3 [get_nets [list test_exp]] 
create_debug_port u_ila_0 probe 
set_property PROBE_TYPE DATA_AND_TRIGGER [get_debug_ports 
u_ila_0/probe4] 
set_property port_width 8 [get_debug_ports u_ila_0/probe4] 
connect_debug_port u_ila_0/probe4 [get_nets [list status_heartbeat 
status_initialization status_observation status_correction status_injection status_essential 
status_uncorrectable status_classification]] 
create_debug_port u_ila_0 probe 
83 
set_property PROBE_TYPE DATA_AND_TRIGGER [get_debug_ports 
u_ila_0/probe5] 
set_property port_width 10 [get_debug_ports u_ila_0/probe5] 
connect_debug_port u_ila_0/probe5 [get_nets [list sem_wrapper/sem_idle 
sem_wrapper/status_received sem_wrapper/switch_valid]] 
connect_debug_port u_ila_0/probe5 [get_nets [list sem_wrapper/command_active 
sem_wrapper/last_command_sent[0] sem_wrapper/last_command_sent[1]]] 
connect_debug_port u_ila_0/probe5 [get_nets [list 
sem_wrapper/last_command_sent[2] sem_wrapper/last_command_sent[3] 
sem_wrapper/last_command_sent[4]]] 
connect_debug_port u_ila_0/probe5 [get_nets [list 
sem_wrapper/request_sem_status]] 
create_debug_port u_ila_0 probe 
set_property PROBE_TYPE DATA_AND_TRIGGER [get_debug_ports 
u_ila_0/probe6] 
set_property port_width 87 [get_debug_ports u_ila_0/probe6] 
connect_debug_port u_ila_0/probe6 [get_nets [list {decoded_message[0]} 
{decoded_message[1]} {decoded_message[2]} {decoded_message[3]} 
{decoded_message[4]} {decoded_message[5]} {decoded_message[6]} 
{decoded_message[7]}]] 
connect_debug_port u_ila_0/probe6 [get_nets [list {decoded_message[8]} 
{decoded_message[9]} {decoded_message[10]} {decoded_message[11]} 
{decoded_message[12]} {decoded_message[13]} {decoded_message[14]} 
{decoded_message[15]}]] 
connect_debug_port u_ila_0/probe6 [get_nets [list {decoded_message[16]} 
{decoded_message[17]} {decoded_message[18]} {decoded_message[19]} 
{decoded_message[20]} {decoded_message[21]} {decoded_message[22]} 
{decoded_message[23]}]] 
connect_debug_port u_ila_0/probe6 [get_nets [list {decoded_message[24]} 
{decoded_message[25]} {decoded_message[26]} {decoded_message[27]} 
{decoded_message[28]} {decoded_message[29]} {decoded_message[30]} 
{decoded_message[31]}]] 
connect_debug_port u_ila_0/probe6 [get_nets [list {decoded_message[32]} 
{decoded_message[33]} {decoded_message[34]} {decoded_message[35]} 
{decoded_message[36]} {decoded_message[37]} {decoded_message[38]} 
{decoded_message[39]}]] 
connect_debug_port u_ila_0/probe6 [get_nets [list {decoded_message[40]} 
{decoded_message[41]} {decoded_message[42]} {decoded_message[43]} 
84 
{decoded_message[44]} {decoded_message[45]} {decoded_message[46]} 
{decoded_message[47]}]] 
connect_debug_port u_ila_0/probe6 [get_nets [list {decoded_message[48]} 
{decoded_message[49]} {decoded_message[50]} {decoded_message[51]} 
{decoded_message[52]} {decoded_message[53]} {decoded_message[54]} 
{decoded_message[55]}]] 
connect_debug_port u_ila_0/probe6 [get_nets [list {decoded_message[56]} 
{decoded_message[57]} {decoded_message[58]} {decoded_message[59]} 
{decoded_message[60]} {decoded_message[61]} {decoded_message[62]} 
{decoded_message[63]}]] 





connect_debug_port u_ila_0/probe6 [get_nets [list sem_wrapper/message_busy 
sem_wrapper/message_strobe sem_wrapper/monitor_txwrite 
sem_wrapper/monitor_txfull]] 









create_debug_port u_ila_0 probe 
set_property PROBE_TYPE DATA_AND_TRIGGER [get_debug_ports 
u_ila_0/probe7] 
set_property port_width 47 [get_debug_ports u_ila_0/probe7] 






























connect_debug_port u_ila_0/probe7 [get_nets [list 
sem_wrapper/injector/reset_sem]] 
create_debug_port u_ila_0 probe 
set_property PROBE_TYPE DATA_AND_TRIGGER [get_debug_ports 
u_ila_0/probe8] 
set_property port_width 192 [get_debug_ports u_ila_0/probe8] 
connect_debug_port u_ila_0/probe8 [get_nets [list errors_detected_by_TMR[0] 
errors_detected_by_TMR[1] errors_detected_by_TMR[2] errors_detected_by_TMR[3] 
errors_detected_by_TMR[4] errors_detected_by_TMR[5] errors_detected_by_TMR[6] 
errors_detected_by_TMR[7] errors_detected_by_TMR[8] errors_detected_by_TMR[9]]] 















































































































connect_debug_port u_ila_0/probe8 [get_nets [list errors_detected_by_TMR[190] 
errors_detected_by_TMR[191]]] 
create_debug_port u_ila_0 probe 
set_property PROBE_TYPE DATA_AND_TRIGGER [get_debug_ports 
u_ila_0/probe9] 
set_property port_width 1 [get_debug_ports u_ila_0/probe9] 
connect_debug_port u_ila_0/probe9 [get_nets [list injection_strobe]] 
create_debug_port u_ila_0 probe 
set_property PROBE_TYPE DATA_AND_TRIGGER [get_debug_ports 
u_ila_0/probe10] 
set_property port_width 8 [get_debug_ports u_ila_0/probe10] 
connect_debug_port u_ila_0/probe10 [get_nets [list injection_count[0] 
injection_count[1] injection_count[2] injection_count[3] injection_count[4] 
injection_count[5] injection_count[6] injection_count[7]]] 
create_debug_port u_ila_0 probe 
set_property PROBE_TYPE DATA_AND_TRIGGER [get_debug_ports 
u_ila_0/probe11] 
set_property port_width 26 [get_debug_ports u_ila_0/probe11] 
connect_debug_port u_ila_0/probe11 [get_nets [list sem_prep[0] sem_prep[1] 
sem_prep[2] sem_prep[3] injection_testing]] 
connect_debug_port u_ila_0/probe11 [get_nets [list injection_delay[0] 
injection_delay[1] injection_delay[2] injection_state[0] injection_state[1] 
injection_state[2]]] 
89 
connect_debug_port u_ila_0/probe11 [get_nets [list idle_count0[0] idle_count0[1] 
idle_count0[2] idle_count0[3] idle_count0[4] idle_count0[5] idle_count0[6] 
idle_count0[7]]] 
connect_debug_port u_ila_0/probe11 [get_nets [list idle_count0[8] idle_count0[9] 
idle_count0[10] idle_count0[11] idle_count0[12] idle_count0[13] idle_count0[14] 
idle_count0[15]]] 
set_property C_CLK_INPUT_FREQ_HZ 100000000 [get_debug_cores dbg_hub] 
set_property C_ENABLE_CLK_DIVIDER false [get_debug_cores dbg_hub] 
set_property C_USER_SCAN_CHAIN 1 [get_debug_cores dbg_hub] 
connect_debug_port dbg_hub/clk [get_nets icap_clk] 
set_property CFGBVS VCCO [current_design] 









##   ____  ____ 
##  /   /\/   / 
## /___/  \  / 
## \   \   \/    Core:          sem 
##  \   \        Module:        pr_example 
##  /   /        Filename:      pr_example.xdc 
## /___/   /\    Purpose:       Constraints for the example design. 




## (c) Copyright 2014-2015 Xilinx, Inc. All rights reserved. 
## 
90 
## This file contains confidential and proprietary information 
## of Xilinx, Inc. and is protected under U.S. and 




## This disclaimer is not a license and does not grant any 
## rights to the materials distributed herewith. Except as 
## otherwise provided in a valid license issued to you by 
## Xilinx, and to the maximum extent permitted by applicable 
## law: (1) THESE MATERIALS ARE MADE AVAILABLE "AS IS" AND 
## WITH ALL FAULTS, AND XILINX HEREBY DISCLAIMS ALL 
WARRANTIES 
## AND CONDITIONS, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING 
## BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, NON- 
## INFRINGEMENT, OR FITNESS FOR ANY PARTICULAR PURPOSE; and 
## (2) Xilinx shall not be liable (whether in contract or tort, 
## including negligence, or under any other theory of 
## liability) for any loss or damage of any kind or nature 
## related to, arising under or in connection with these 
## materials, including for any direct, or any indirect, 
## special, incidental, or consequential loss or damage 
## (including loss of data, profits, goodwill, or any type of 
## loss or damage suffered as a result of any action brought 
## by a third party) even if such damage or loss was 
## reasonably foreseeable or Xilinx had been advised of the 
## possibility of the same. 
## 
## CRITICAL APPLICATIONS 
## Xilinx products are not designed or intended to be fail- 
## safe, or for use in any application requiring fail-safe 
## performance, such as life-support or safety devices or 
91 
## systems, Class III medical devices, nuclear facilities, 
## applications related to the deployment of airbags, or any 
## other applications that could lead to death, personal 
## injury, or severe property or environmental damage 
## (individually and collectively, "Critical 
## Applications"). Customer assumes the sole risk and 
## liability of any use of Xilinx products in Critical 
## Applications, subject only to applicable laws and 
## regulations governing limitations on product liability. 
## 
## THIS COPYRIGHT NOTICE AND DISCLAIMER MUST BE RETAINED AS 





## Constraint Description: 
## 
## These constraints are for physical implementation of the system level 
## design example. 
## 
## The SEM controller initializes and manages the FPGA integrated silicon 
## features for soft error mitigation.  When the controller is included 
## in a design, do not include any design constraints related to these 





## Example Design: Master Clock Timing 
######################################## 
set_max_delay -datapath_only -from [get_pins 
sem_wrapper/sem_cfg/FRAME_ECCE2_inst/*] 10.000 -quiet 
92 
set_max_delay -datapath_only -from [get_pins 
sem_wrapper/sem_cfg/FRAME_ECCE2_inst/*] -to [all_outputs] 20.000 -quiet 
## SEM Status Interface Constraints 
set_property DRIVE 8 [get_ports led_16bits_tri_o_8] 
set_property SLEW FAST [get_ports led_16bits_tri_o_8] 
set_property DRIVE 8 [get_ports led_16bits_tri_o_9] 
set_property SLEW FAST [get_ports led_16bits_tri_o_9] 
set_property DRIVE 8 [get_ports led_16bits_tri_o_10] 
set_property SLEW FAST [get_ports led_16bits_tri_o_10] 
set_property DRIVE 8 [get_ports led_16bits_tri_o_11] 
set_property SLEW FAST [get_ports led_16bits_tri_o_11] 
set_property DRIVE 8 [get_ports led_16bits_tri_o_12] 
set_property SLEW FAST [get_ports led_16bits_tri_o_12] 
set_property DRIVE 8 [get_ports led_16bits_tri_o_13] 
set_property SLEW FAST [get_ports led_16bits_tri_o_13] 
set_property DRIVE 8 [get_ports led_16bits_tri_o_14] 
set_property SLEW FAST [get_ports led_16bits_tri_o_14] 
set_property DRIVE 8 [get_ports led_16bits_tri_o_15] 
set_property SLEW FAST [get_ports led_16bits_tri_o_15] 
set_property CONFIG_MODE SPIx1 [current_design] 
set_property LOC FRAME_ECC_X0Y0 [get_cells 
sem_wrapper/sem_cfg/FRAME_ECCE2_inst] 
set_property LOC ICAP_X0Y1 [get_cells ICAPE2_inst] 
######################################## 




add_cells_to_pblock [get_pblocks SEM_CONTROLLER] [get_cells -quiet [list 
sem_wrapper]] 
add_cells_to_pblock [get_pblocks SEM_CONTROLLER] [get_cells -quiet [list 
ICAPE2_inst]] 
93 
resize_pblock [get_pblocks SEM_CONTROLLER] -add 
{SLICE_X28Y50:SLICE_X37Y99} 
resize_pblock [get_pblocks SEM_CONTROLLER] -add 
{RAMB36_X0Y14:RAMB36_X0Y19} 
#### TMR Acreate_pblock pblock_TMR 
create_pblock pblock_TMR 
add_cells_to_pblock [get_pblocks pblock_TMR] [get_cells -quiet [list TMR_exp]] 
remove_cells_from_pblock [get_pblocks pblock_TMR] [get_cells -quiet [list 
TMR_exp/TMR_LRS_gen]] 
remove_cells_from_pblock [get_pblocks pblock_TMR] [get_cells -quiet [list 
TMR_exp/red_mult[1].TMR_multX]] 
remove_cells_from_pblock [get_pblocks pblock_TMR] [get_cells -quiet [list 
TMR_exp/red_mult[1].TMR_multY]] 




add_cells_to_pblock [get_pblocks pblock_LRS] [get_cells -quiet [list 
TMR_exp/TMR_LRS_gen]] 
resize_pblock [get_pblocks pblock_LRS] -add 
{SLICE_X8Y150:SLICE_X15Y199} 
resize_pblock [get_pblocks pblock_LRS] -add {DSP48_X0Y60:DSP48_X0Y79} 
resize_pblock [get_pblocks pblock_LRS] -add 
{RAMB36_X0Y30:RAMB36_X0Y39} 
resize_pblock [get_pblocks pblock_LRS] -add 
{RAMB18_X0Y60:RAMB18_X0Y79} 
set_property HD.RECONFIGURABLE TRUE [get_cells 
TMR_exp/TMR_LRS_gen] 
set_property IS_LOC_FIXED 1 [get_cells 
TMR_exp/TMR_LRS_gen/LRSAr_reg[1]] 
set_property LOC SLICE_X15Y176 [get_cells 
TMR_exp/TMR_LRS_gen/LRSAr_reg[1]] 
set_property IS_LOC_FIXED 1 [get_cells 
TMR_exp/TMR_LRS_gen/LRSAr_reg[17]] 





add_cells_to_pblock [get_pblocks pblock_Mult_X] [get_cells -quiet [list 
{TMR_exp/red_mult[1].TMR_multX}]] 
resize_pblock [get_pblocks pblock_Mult_X] -add 
{SLICE_X52Y150:SLICE_X77Y199} 
resize_pblock [get_pblocks pblock_Mult_X] -add 
{DSP48_X1Y60:DSP48_X1Y79} 
resize_pblock [get_pblocks pblock_Mult_X] -add 
{RAMB36_X1Y30:RAMB36_X2Y39} 
resize_pblock [get_pblocks pblock_Mult_X] -add 
{RAMB18_X1Y60:RAMB18_X2Y79} 
resize_pblock [get_pblocks pblock_Mult_X] -add {PCIE_X0Y0:PCIE_X0Y0} 
set_property HD.RECONFIGURABLE TRUE [get_cells 
TMR_exp/red_mult[1].TMR_multX] 
set_property IS_LOC_FIXED 1 [get_cells 
TMR_exp/red_mult[1].TMR_multX/prod_voted_rA_reg[0]] 




add_cells_to_pblock [get_pblocks pblock_Mult_Y] [get_cells -quiet [list 
{TMR_exp/red_mult[1].TMR_multY}]] 
resize_pblock [get_pblocks pblock_Mult_Y] -add 
{SLICE_X20Y150:SLICE_X49Y199} 
set_property HD.RECONFIGURABLE TRUE [get_cells 
TMR_exp/red_mult[1].TMR_multY] 
set_property IS_LOC_FIXED 1 [get_cells 
TMR_exp/red_mult[1].TMR_multY/prod_voted_rA_reg[0]] 
set_property LOC SLICE_X48Y176 [get_cells 
TMR_exp/red_mult[1].TMR_multY/prod_voted_rA_reg[0]] 
######################################## 
## Vivado Properties: Essential Bits 
######################################## 
## This property enables essential bits generation in Vivado. 
set_property BITSTREAM.SEU.ESSENTIALBITS YES [current_design] 
95 
## note that it generates the file, but without the SEM IP being configured for 
classification, it does nothing. 
96 
THIS PAGE INTENTIONALLY LEFT BLANK 
97 
APPENDIX B. TMR CODE 
This appendix contains the TMR code used in the CFTP.  It is unmodified except 
were noted in Chapter III.B.1B.1 
A. TMR_MULT_EXP.V 
`timescale 1ns / 1ps 
////////////////////////////////////////////////////////////////////////////////// 
// Company: Naval Postgraduate School 
// Engineer: HLOOMIS 
// 
// Create Date: 11/8/2017 
// Design Name: 
// Module Name:top_level 
// Project Name: TMR multiplier experiment for CFTP-7 
//      Based on EC3830  Lab 5 
// Target Devices: Artix-7 (xc7a100tcsg324-3)-nexys 4 
//                 Kintex-7 





// Revision 0.01 - File Created 
// Revision 0.11 - 50 and 100 MHz clocks added 1/16/17 
// Revision 1.00 - 36-bit LRS driver added 
// Revision 1.10 - Change to 31-bit LRS, period = 43 seconds at 50 MHz 
// Revision 2.00 - Add 31-bit voters to convert to internal TMR for LRS 
// Revision 3.00 - Add 36-bit voters to convert to internal TMR for array multiplier 
//      imported from EC3830 lab 417 
// Revision 3.01 - Add LEDs to display S/N 
// Revision 3.1  - Added run_exp, test_exp from x1 commands GX, SX, TX 
98 
// Revision 3.11 - Added exp_status[15:0] to report error summary status 
// Revision 3.2  - Sends report to x1 when run is set and when run is cleared 4/17/18 
// Revision 3.21 - also sends report when test_exp set or cleared 4/17/18 
// Revision 4.0  - Gives 12-character error report when non-zero syndrome 
generated 
// revision 4.1  - monitors transient and persistent errors. 
// Revision 5.0  - Multi-stage pipeline, monitor errors in logic and registers 
//                  Contains 1 triplicated LRS, 1 TMR Multiplier, 1 TMR product register 
// Revision 5.1  - dubugging error_index 
// Revision 6.0  - Introduce 2 TMR Multipliers, 2 TMR product registers using 
generate function TMHR 
//                  Report gives error module # as hex digit 
// Revision 6.1  - Use 3 TMR Multipliers, 3 TMR product registers using generate 
function TMHS, T 
// Revision 6.1  - Use 4 TMR Multipliers, 4 TMR product registers using generate 
function TMHU (nmult = 4) 
// Revision 6.2  - Use 4 TMR Multiplier/register pairs but display module # in report 
as 2-digit octal 
//                  Report expanded to 96 + 8 = 104 bits 
// Revision 6.3 - Parameterize the size of error_v - 6*num_mult_module + 2, 
num_mult_modules=6 
// Revision 6.4 - Introduce logic to avoid issuing duplicate persistent-error reports 
// Additional Comments: 
// 
////////////////////////////////////////////////////////////////////////////////// 
// Can't use vector notation even for 1 bit in the config file, e.g. LED[0] 
// 
// Error detection stages use wire [0:2*num_mult+1] [2:0] err_syn 
//                                   |      | 
//                             stage #     ID of module, if 0 no error 
module TMR_mult_exp( 
    input wire clock, //50 Mhz Master clock 
    input wire clk_50A, 
    input wire clk_50B, 
99 
    input wire clk_50C, 
    input wire run,  //run set true upon receipt of GX command, reset by receipt of 
SX command 
    input wire test_exp,  //toggled by receipt of TX command, reset by SX command 
    input wire report_rcvd,  //Set by X1 when report received and outputting to ARM 
started 
    output reg report_ready, //Set true when experiment generates message 
    output wire [103:0] reportw, //12 Bytes - ASCII 
    output reg [15:0] exp_status, //Error summary status word 
    output wire [31:0] vers_q_graph 
); 
   parameter interval_thresh = 12'h01f; 
   parameter num_mult_module = 1; 
   parameter err_v_size = 6*num_mult_module+2; 
 // dont_touch == "true" prevents optimizer from eliminating signals that may only 
be used in waveform 
    (* dont_touch = "true" *)wire [1:31] LRSA,LRSB,LRSC; 
    (* dont_touch = "true" *)wire [1:err_v_size] error_v; 
    (* dont_touch = "true" *)wire [2:0] err_syn[0:4*num_mult_module+1] ; 
//4*num_mult_module + 2 syndrome 
              //elements, 3-bits wide 
    (* dont_touch = "true" *)reg [2:0] err_syn_r[0:4*num_mult_module+1] ; 
    (* dont_touch = "true" *)reg [3:0] val_param[0:15] ;// 16 values, 3-bits wide 
    (* dont_touch = "true" *)wire [17:0] mult1A, mult1B, mult1C, mult2A, mult2B, 
mult2C; 
    (* dont_touch = "true" *)wire [35:0] prodA[1:2*num_mult_module]; 
    (* dont_touch = "true" *)wire [35:0] prodB[1:2*num_mult_module]; 
    (* dont_touch = "true" *)wire [35:0] prodC[1:2*num_mult_module]; 
    (* dont_touch = "true" *)wire [30:0] counter; 
    (* dont_touch = "true" *)wire [31:0] LRS_cycle; 
    (* dont_touch = "true" *)reg [41:0] time_stamp; // * 2e-8 secs/count 
    (* dont_touch = "true" *)wire INIT,TRIGGER ; 
    (* dont_touch = "true" *)reg [15:0] serial_no; 
100 
    (* dont_touch = "true" *)wire [239:0] titlew; 
    (* dont_touch = "true" *)wire [239:0] datew; 
    (* dont_touch = "true" *)reg [103:0] report; 
// Typical report looks like TMHV TEnm SYk where n, m, k are octal digits 
    (* dont_touch = "true" *)wire config_running; 
    (* dont_touch = "true" *)reg error_msg, previous_run, startup_msg, 
stopped_msg, testing_msg, previous_test; 
    // Index [0] applies to Error test signal generator - (not implemented at this point) 
    // Index [1] applies to LRS generator switching function and register 
    // Index [k] applies to k/2 Multiplier Switching functions, k = 2;k<=6;k=k+2 
    // Index [k + 1] applies to k/2 product registers 
    (* dont_touch = "true" *)reg [11:0]  fault_counter[0:4*num_mult_module+1]; // 
fault counters, each 12-bits wide 
    (* dont_touch = "true" *)reg [11:0] 
fault_interval_counter[0:4*num_mult_module+1];// fault interval counters, each 12-bits 
wide 
    (* dont_touch = "true" *)reg [0:4*num_mult_module+1] persistent,transient; 
    (* dont_touch = "true" *)wire [0:4*num_mult_module+1] fault1; 
    (* dont_touch = "true" *)reg [5:0] err_index; //2-digit octal error module ID. 
Allows for 32 Array Mult/register pairs 
    integer k; 
    genvar n,m; 
    assign reportw = report; 
    generate 
        for (n=0;n<=4*num_mult_module+1;n=n+1) begin:faultenum 
            assign fault1[n] = ~(err_syn[n] == 3'b000); 
        end 
    endgenerate 
//  err_syn_errgen[2:0] = err_syn[0] [2:0] 
    err_gen error_gen_LRS( 
    .clk (clk_50A), 
    .counterw (counter), 
    .LRS_cyclew (LRS_cycle), 
101 
     .error_vw (error_v), 
     .err_syn_errgen (err_syn[0]), 
    .run    (run), 
    .INIT  (INIT)); 
    TMR_LRS TMR_LRS_gen ( 
        .clkA (clk_50A), 
        .clkB (clk_50B), 
        .clkC (clk_50C), 
        .INITw (INIT), 
        .TRIGGERw (TRIGGER), 
        .err_inj_A (error_v[1] & test_exp), 
        .err_inj_B (1'b0), 
        .err_inj_C ( 1'b0), 
        .err_inj_vote (error_v[2] & test_exp), 
        .LRSA (LRSA), 
        .LRSB (LRSB), 
        .LRSC (LRSC), 
        .mult1A (mult1A), 
        .mult2A (mult2A), 
        .mult1B (mult1B), 
        .mult2B (mult2B), 
        .mult1C (mult1C), 
        .mult2C (mult2C), 
        .err_syn_LRS (err_syn[1]), 
        .run    (run) 
    ); 
    generate 
        for (m=1;m<=num_mult_module;m=m+1) begin:red_mult 
            TMR_arr_mult_X TMR_multX ( 
            .clkA (clk_50A), 
            .clkB (clk_50B), 
            .clkC (clk_50C), 
102 
            .err_injw_A (error_v[6*(m-1)+3] & test_exp), //error_v[3,9,15,21] 
            .err_injw_B ( 1'b0),//no error injected 
            .err_injw_C (1'b0),//" 
            .err_injr_A (1'b0),//" 
            .err_injr_B (error_v[6*(m-1)+4] & test_exp),//error_v[4,10,16,22] 
            .err_injr_C (1'b0),//no error injected 
            .err_inj_wvote (error_v[6*(m-1)+5] & test_exp),//error_v[5,11,17,23] 
            .err_inj_rvote (1'b0),//" 
            .mult1A (mult1A), 
            .mult2A (mult2A), 
            .mult1B (mult1B), 
            .mult2B (mult2B), 
            .mult1C (mult1C), 
            .mult2C (mult2C), 
            .productA (prodA[2*m-1]), //prod.[1,3,...2*num_mult_modules-1] 
            .productB (prodB[2*m-1]), 
            .productC (prodC[2*m-1]), 
            .run      (run), 
            .err_syn_mult (err_syn[4*(m-1)+2]),//err_syn[2,6,10,14] 
            .err_syn_reg (err_syn[4*(m-1)+3])  //err_syn[3,7,11,15] 
        ); 
        TMR_arr_mult_Y TMR_multY ( 
              .clkA (clk_50A), 
              .clkB (clk_50B), 
              .clkC (clk_50C), 
              .err_injw_A ( 1'b0),//no error injected 
              .err_injw_B (error_v[6*(m-1)+6] & test_exp), //error_v[6,12,18,24] 
              .err_injw_C (1'b0),//" 
              .err_injr_A (1'b0),//" 
              .err_injr_B (1'b0),//no error injected 
              .err_injr_C (error_v[6*(m-1)+7] & test_exp),//error_v[7,13,19,25] 
              .err_inj_wvote (1'b0),//" 
103 
              .err_inj_rvote (error_v[6*(m-1)+8] & test_exp),//error_v[8,14,20,26] 
              .mult1A (mult1A), 
              .mult2A (mult2A), 
              .mult1B (mult1B), 
              .mult2B (mult2B), 
              .mult1C (mult1C), 
              .mult2C (mult2C), 
              .productA (prodA[2*m]),//prod.[2,4,...2*num_mult_module] 
              .productB (prodB[2*m]), 
              .productC (prodC[2*m]), 
              .run      (run), 
              .err_syn_mult (err_syn[4*(m-1)+4]),//err_syn[4,8,12,16] 
              .err_syn_reg (err_syn[4*(m-1)+5])  //err_syn[5,9,13,17] 
            ); 
        end 
    endgenerate 
    nuversion7 version1( 
        .clk (clock), 
        .reset (1'b0), 
        .title (titlew), 
        .date (datew), 
        .q_graph (vers_q_graph), 
        .config_runningw (config_running) 
    ); 
    initial begin 
        serial_no = 0; 
        report_ready = 1'b0; 
        report = 104'h00000000000000000000000000; 
        time_stamp = 42'h00000000000; 
        exp_status = 16'h0000; 
        error_msg = 1'b0; 
        previous_run = 1'b0; 
104 
        startup_msg = 1'b0; 
        stopped_msg = 1'b0; 
        testing_msg = 1'b0; 
        persistent = 4'd0; 
        transient = 4'd0; 
        for (k=0;k<=4*num_mult_module+1;k=k+1) begin 
            fault_counter[k] = 0; 
            fault_interval_counter[k] = 0; 
            err_syn_r[k] = 0; 
        end 
    end 
//Monitor errors - transient vs. persistent 
//added 4/20/18 
// New registers needed fault_counter, fault_interval_counter,persistent,transient 
    always@(posedge clock) begin 
        for (k = 0;k <= 4*num_mult_module+1; k = k +1)  begin 
            if(fault1[k] == 1'b1) begin 
                err_syn_r[k] <= err_syn[k]; 
                if(fault_interval_counter[k] >= interval_thresh) begin 
                    if(fault_counter[k] >> 1) begin  //Seeing persistent fault for 
interval_thresh time 
                        persistent[k] <= 1; 
                        transient[k] <= 0; 
                        fault_interval_counter[k] <= 1; //so we will continue to note as 
persistent 
                        fault_counter[k] <= 1; 
                    end 
                    else if(fault_counter[k] == 1) begin  //Accounts for recurring faults 
                        transient[k] <= 0; 
                        persistent[k] <= 1; 
                        fault_counter[k] <= 1; 
                        fault_interval_counter[k] <= 1; 
105 
                    end 
                    else begin// (fault_counter == 0) //First time seen the fault 
                        transient[k] <= 1; 
                        persistent[k] <= 0; 
                        fault_counter[k] <= 1; 
                        fault_interval_counter[k] <= 1; 
                    end 
                end 
                else  begin 
                    fault_interval_counter[k] <= fault_interval_counter[k] + 1; 
                    fault_counter[k] <= fault_counter[k] + 1; 
                end 
            end 
            else if(fault_interval_counter[k] >= interval_thresh) begin  //fault1[k] == 0 
                if(fault_counter[k] >> 1) begin  //Turns on persistent 
                    persistent[k] <= 1; 
                    transient[k] <= 0; 
                    fault_interval_counter[k] <= 1; 
                    fault_counter[k] <= 1; 
                end 
                else if(fault_counter[k] == 1) begin  //turns on transient if have not 
already detected persistent 
                    transient[k] <= 1; 
                    persistent[k] <= 0; 
                    fault_counter[k] <= 0; 
                    fault_interval_counter[k] <= 1; 
                end 
                else begin// (fault_counter == 0)  //turns off transient or persistent when 
fault gone 
                    transient[k] <= 0; 
                    persistent[k] <= 0; 
                    fault_counter[k] <= 0; 
106 
                    fault_interval_counter[k] <= 0; 
                    err_syn_r[k] <= 0; 
                end 
            end 
            else if(fault_interval_counter[k] >> 0) begin  //have had at least one fault 
this interval 
                fault_interval_counter[k] <= fault_interval_counter[k] + 1; 
            end 
       end //for 
    end  //always 
// Issue reports: 
//      initially, when run is set, output {"Experiment", <q_graphw>, "starting"} 
//          when run is reset, output {"Experiment", <q_graphw>, "stopping"} 
//          when error_syn != 0, report {<q_graphw>, error_syn_LRS, error_syn_mult} 
    always@(posedge clock) begin 
        time_stamp <= time_stamp + 1; 
        if(startup_msg | stopped_msg | error_msg | testing_msg == 1'b1) begin 
            if(report_rcvd == 1'b1) begin 
                startup_msg <= 1'b0; 
                error_msg <= 1'b0; 
                stopped_msg <= 1'b0; 
                report_ready <= 1'b0; 
            end 
        end 
        else if(!previous_run & run == 1'b1) begin 
            previous_run <=run; 
            //send experiment starting report 
            serial_no <= vers_q_graph[15:0]; 
            startup_msg <= 1'b1; 
            report <= {"Exp ",vers_q_graph, " sts "}; 
            report_ready <= 1'b1; 
        end 
107 
        if(!previous_test & test_exp == 1'b1) begin 
            testing_msg <= 1'b1; 
            previous_test <= test_exp; 
            report <= {"tsg ",vers_q_graph, " bgns"}; 
            report_ready <= 1'b1; 
        end 
        if(previous_test & !test_exp == 1'b1) begin 
              testing_msg <= 1'b1; 
              previous_test <= test_exp; 
              report <= {"tsg ",vers_q_graph, " ends"}; 
              report_ready <= 1'b1; 
        end 
        //    if(run & previous_run & !report_ready ==1'b1) begin 
        // Issue report if have transient error and fault_interval_counter >= 
interval_thresh 
        err_index <= 0; 
        for (k=0;k<=4*num_mult_module+1;k=k+1) begin 
            if(fault_interval_counter[k] >= interval_thresh) begin //Only send error 
report every interval_thresh 
                if((run & previous_run & transient[k]) == 1'b1) begin 
                    previous_run <=run; 
                    previous_test <= test_exp; 
                    serial_no <= vers_q_graph[15:0]; 
                    error_msg <= 1'b1; 
                    report <= {vers_q_graph," 
TE",5'b00110,err_index[5:3],5'b00110,err_index[2:0], 
                                    " SY",5'b00110,err_syn_r[k]};  //104 bits, 13 Bytes 
                    report_ready <= 1'b1; 
                end 
                // Issue report if have persistent error and fault_interval_counter >= 
interval_thresh 
                if((run & previous_run & persistent[k]) == 1'b1) begin 
108 
                    if (report != {vers_q_graph," 
PE",5'b00110,err_index[5:3],5'b00110,err_index[2:0], 
                                   " SY",5'b00110,err_syn_r[k]}) begin 
                        previous_run <=run; 
                        previous_test <= test_exp; 
                        serial_no <= vers_q_graph[15:0]; 
                        error_msg <= 1'b1; 
                        report <= {vers_q_graph," 
PE",5'b00110,err_index[5:3],5'b00110,err_index[2:0], 
                                       " SY",5'b00110,err_syn_r[k]};  //104 bits, 13 Bytes 
                        report_ready <= 1'b1; 
                    end 
                end 
            end 
            if(err_syn_r[k] != 3'd0) err_index <= k; 
        end //for 
    // Issue report at mid LRS cycle 
        if(((run & previous_run ) == 1'b1) && (counter == 31'h00003000)) begin 
            previous_run <=run; 
            previous_test <= test_exp; 
            serial_no <= vers_q_graph[15:0]; 
            error_msg <= 1'b1; 
            report <= {vers_q_graph," 
RE",5'b00110,err_index[5:3],5'b00110,err_index[2:0], 
                            " SY",5'b00110,err_syn_r[err_index]};  //104 bits, 13 Bytes 
            report_ready <= 1'b1; 
        end 
        if(!run & previous_run == 1'b1) begin 
            previous_run <=run; 
            serial_no <= vers_q_graph[15:0]; 
            stopped_msg <= 1'b1; 
            report <= {"Exp ",vers_q_graph, " stpd"}; 
            report_ready <= 1'b1; 
109 
        end 
    end  //always 
endmodule 
1. err_gen.v
`timescale 1ns / 1ps 
////////////////////////////////////////////////////////////////////////////////// 
// Company: NPS 
// Engineer: H. Loomis 
// 
// Create Date: 11/17/2017 09:59:15 AM 
// Design Name: 
// Module Name: err_gen 
// Project Name: 
// Target Devices: 
// Tool Versions: 






// Revision 0.01 - File Created 
// Revision 1.0  - Errors spaced 16 CPP 
// Revision 1.1  - Errors spaced 128 CPP 
// Revision 1.2  - Errors only at beginning of period 
// Revision 1.21 - Only errors 1 and 4 generated 
// Revision 1.22 - All 6 error generated 
// Revision 2.00 - 28 error vectors generated 
// Revision 2.01 - LRS_cycle counter added to keep track of how far along we are 





    input clk, 
    output wire [30:0] counterw, 
    output wire [31:0] LRS_cyclew, 
    output wire [1:err_v_size] error_vw, 
    output wire [2:0] err_syn_errgen  , 
    input wire run, 
    input INIT 
    ); 
    integer k; 
    parameter num_mult_module = 6; 
    parameter err_v_size = 6*num_mult_module+2; 
    (* dont_touch = "true" *)reg [30:0] counter; 
    (* dont_touch = "true" *)reg [31:0] LRS_cycle; 
    (* dont_touch = "true" *)reg [1:err_v_size] error_vr; 
    assign counterw = counter; 
    assign LRS_cyclew = LRS_cycle; 
    assign error_vw = error_vr; 
    assign err_syn_errgen = 3'b000; //use for errors after triplication of err_gen 
    initial begin 
        error_vr = 0; 
        LRS_cycle = 0; 
        counter = 0; 
    end 
    always@(posedge clk) begin 
      if(run == 1'b0) begin 
                error_vr <= 0; 
                counter <= 0; 
      end 
      else begin 
            if (INIT == 1'b1) counter <= 0; // Initialize counter when LRS initializes 
                else counter <= counter + 1; 
111 
            if (counter[30:0] == 31'h00000080) error_vr[1] <= 1; //Generate transient 
into LRSA 
                    else error_vr[1] <= 0; 
            if (counter[30:0] == 31'h00000180) error_vr[2] <= 1;// Generate persistent 
Error into LRSvoter 
            if (counter[30:0] == 31'h00000280) error_vr[2] <= 0;//clear persistent Error 
    // 
            for ( k = 3; k <= err_v_size; k = k+1) 
    //TMR Module k/3 
                if (counter[30:0] == k*(31'h00000100))error_vr[k] <= 1; //Generate 
transient into Array Mult1 A 
                        else error_vr[k] <= 0; 
            end //end for 
            if (counter[30:0] >= 31'h3fffffff) begin 
                error_vr <= 0; 
                counter <= 0; 
                LRS_cycle <= LRS_cycle + 1; 
            end 
      end 
endmodule 
2. TMR_LRS.v 
`timescale 1ns / 1ps 
////////////////////////////////////////////////////////////////////////////////// 
// Company: 
// Engineer:H. Loomis 
// 
// Create Date: 11/08/2017 01:31:28 PM 
// Design Name: 
// Module Name: TMR_LRS 
// Project Name: CFTP-7 
// Target Devices: 







// Revision 0.01 - File Created 




    input wire clkA,clkB,clkC, 
    input wire err_inj_A, err_inj_B, err_inj_C, err_inj_vote, 
    output wire INITw, TRIGGERw, 
    output wire [1:31] LRSA, LRSB, LRSC, 
    output  reg [17:0] mult1A, mult2A, mult1B, mult2B, mult1C, mult2C, 
    output wire [2:0] err_syn_LRS, 
    input  wire run 
); 
// dont_touch == "true" prevents optimizer from eliminating signals that may only 
be used in waveform 
    (* dont_touch = "true" *)reg [1:31] LRSAr,LRSBr,LRSCr; 
    (* dont_touch = "true" *)wire [1:31] 
LRS_voteA,LRS_voteB,LRS_voteC,error_vec_vote,error_vec_A,error_vec_B, 
                    error_vec_C; 
    (* dont_touch = "true" *)reg INIT,TRIGGER; 
    (* dont_touch = "true" *)wire ZA,ZB,ZC; 
    (* dont_touch = "true" *)reg [2:0] err_syn_A_reg, err_syn_B_reg, 
err_syn_C_reg; 
    (* dont_touch = "true" *)wire [2:0] err_syn_A, err_syn_B, err_syn_C; 
    assign LRSA = LRSAr; 
    assign LRSB = LRSBr; 
    assign LRSC = LRSCr; 
    assign INITw = INIT; 
113 
    assign TRIGGERw = TRIGGER; 
    assign error_vec_vote = {5'h00000,err_inj_vote,25'h0}; 
    assign error_vec_A = {10'h000,err_inj_A,20'h0}; 
    assign error_vec_B = {15'h000,err_inj_B,15'h0}; 
    assign error_vec_C = {20'h000,err_inj_C,10'h0}; 
    assign err_syn_LRS = err_syn_A | err_syn_B | err_syn_C; 
    initial begin 
        LRSAr <= 31'h00000002; 
        INIT <= 0; 
        TRIGGER <= 0; 
        mult1A <= 18'h00000; 
        mult2A <= 18'h00002; 
        LRSBr <= 31'h00000002; 
        mult1B <= 18'h00000; 
        mult2B <= 18'h00002; 
        LRSCr <= 31'h00000002; 
        mult1C <= 18'h00000; 
        mult2C <= 18'h00002; 
    end 
    a_31_bit_voter voterA( 
        .inputA (LRSAr ^ error_vec_A), 
        .inputB (LRSBr), 
        .inputC (LRSCr), 
        .force_verror (error_vec_vote), 
        .voteout (LRS_voteA), 
        .err_syn (err_syn_A) 
    ); 
    a_31_bit_voter voterB( 
        .inputA (LRSAr ^ error_vec_A), 
        .inputB (LRSBr ^ error_vec_B), 
        .inputC (LRSCr), 
        .force_verror (31'd0), 
114 
        .voteout (LRS_voteB), 
        .err_syn (err_syn_B) 
    ); 
    a_31_bit_voter voterC( 
        .inputA (LRSAr ^ error_vec_A), 
        .inputB (LRSBr), 
        .inputC (LRSCr ^ error_vec_C),  //error here fixed 6/26/18 
        .force_verror (31'd0), 
        .voteout (LRS_voteC), 
        .err_syn (err_syn_C) 
    ); 
    assign ZA = LRS_voteA[3] ^ LRS_voteA[31];  //ML. Should have period 2^31-
1 or 43 seconds at 50 MHz 
    always@(posedge clkA) begin 
        if(run == 1'b1) begin 
            err_syn_A_reg <= err_syn_A; 
//Inject err_inj_A into bit 1 of LRSA 
            LRSAr <= {ZA , LRS_voteA[1:30]}; 
// LRS errors corrected when generating multiplier and multiplicand 
            mult1A <= LRS_voteA[1:18]; 
            mult2A <= LRS_voteA[14:31]; 
            if (LRS_voteA == 31'h20000000) 
                INIT <= 1; 
            else 
                INIT <= 0; 
            if (LRS_voteA == 31'h10000000) 
                TRIGGER <= 1; 
            else 
                TRIGGER <= 0; 
        end 
        else begin  //Experiment not running 
            LRSAr <= 31'h00000002; 
115 
            INIT <= 0; 
            TRIGGER <= 0; 
            mult1A <= 18'h00000; 
            mult2A <= 18'h00002; 
            end 
        end 
//Sub-module LRS-B 
    assign ZB = LRS_voteB[3] ^ LRS_voteB[31];  //ML. Should have period 2^31-
1 or 43 seconds at 50 MHz 
    always@(posedge clkB) begin 
        if(run == 1'b1) begin 
            err_syn_B_reg <= err_syn_B; 
            //Inject err_inj_B into bit 2 of LRSB 
            LRSBr <= {ZB , LRS_voteB[1:30]}; 
            mult1B <= LRS_voteB[1:18]; 
            mult2B <= LRS_voteB[14:31]; 
        end 
        else begin 
            LRSBr <= 31'h00000002; 
            mult1B <= 18'h00000; 
            mult2B <= 18'h00002; 
        end 
    end 
//Sub-module LRS-C 
    assign ZC = LRS_voteC[3] ^ LRS_voteC[31];  //ML. Should have period 2^31-
1 or 43 seconds at 50 MHz 
    always@(posedge clkC) begin 
        if(run == 1'b1) begin 
            err_syn_C_reg <= err_syn_C; 
//Inject err_inj_C into bit 3 of LRSC 
            LRSCr <= {ZC , LRS_voteC[1:30]}; 
            mult1C <= LRS_voteC[1:18]; 
116 
            mult2C <= LRS_voteC[14:31]; 
        end 
        else begin 
            LRSCr <= 31'h00000002; 
            mult1C <= 18'h00000; 
            mult2C <= 18'h00002; 
        end 
    end 
endmodule 
a. A_31_bit_voter.v 





// Create Date: 11/08/2017 03:38:44 PM 
// Design Name: 
// Module Name: a_31_bit_voter 
// Project Name: 
// Target Devices: 






// Revision 0.01 - File Created 





    input wire [1:31] inputA, 
    input wire [1:31] inputB, 
    input wire [1:31] inputC, 
    input wire [1:31] force_verror, 
    output wire [1:31] voteout, 
    output wire [2:0] err_syn 
); 
    wire [2:0] syn [1:31]; 
    genvar k; 
    generate 
    for (k=1;k<32;k=k+1) 
       begin: voterstage 
         one_bit_voter whatevervoter ( 
           .in1 (inputA[k]), 
           .in2 (inputB[k]), 
           .in3 (inputC[k]), 
           .force_verror (force_verror[k]), 
           .voted (voteout[k]), 
           .err_syn (syn[k])  ); 
        end 
    endgenerate 
    assign err_syn = syn[1] | syn[2] | syn[3] | syn[4] | syn[5] | syn[6] | 
            syn[7] | syn[8] | syn[9] | syn[10] | syn[11] | syn[12] | 
            syn[13] | syn[14] | syn[15] | syn[16] | syn[17] | syn[18] | 
            syn[19] | syn[20] | syn[21] | syn[22] | syn[23] | syn[24] | 
            syn[25] | syn[26] | syn[27] | syn[28] | syn[22] | syn[30] | syn[31]; 
endmodule 
3. TMR_arr_mult_X.v 






// Create Date: 11/22/2017 11:35:14 AM 
// Design Name: 
// Module Name: TMR_arr_mult 
// Project Name: 
// Target Devices: 






// Revision 0.01 - File Created 




    input clkA, 
    input clkB, 
    input clkC, 
    input wire err_injw_A, 
    input wire err_injw_B, 
    input wire err_injw_C, 
    input wire err_injr_A, 
    input wire err_injr_B, 
    input wire err_injr_C, 
    input wire err_inj_wvote, 
    input wire err_inj_rvote, 
    input wire [17:0] mult1A, 
    input wire [17:0] mult2A, 
    input wire [17:0] mult1B, 
119 
    input wire [17:0] mult2B, 
    input wire [17:0] mult1C, 
    input wire [17:0] mult2C, 
    output wire [35:0] productA, 
    output wire [35:0] productB, 
    output wire [35:0] productC, 
    input wire run, 
    output reg [2:0] err_syn_mult,  //error in array multiplier sw fct. 
    output reg [2:0] err_syn_reg    //error in product registers 
); 
    (* dont_touch = "true" *) wire [35:0] prodwA, prodwB, prodwC; 
    (* dont_touch = "true" *) wire [35:0] prod_voted_wA, prod_voted_wB, 
prod_voted_wC; 
    (* dont_touch = "true" *) wire [2:0] err_synA, err_synB, err_synC; 
    (* dont_touch = "true" *) wire [2:0] err_syn_rA, err_syn_rB, err_syn_rC; 
    (* dont_touch = "true" *) reg [35:0] prod_voted_rA, prod_voted_rB, 
prod_voted_rC; 
    initial begin 
        prod_voted_rA <= 0; 
        prod_voted_rB <= 0; 
        prod_voted_rC <= 0; 
        err_syn_mult <= 0; 
        err_syn_reg <= 0; 
    end 
    mult18x18arr arr_mult_A( 
        .mul1 (mult1A ^ {3'b000, err_injw_A, 14'b0}), 
        .mul2 (mult2A), 
        .prod (prodwA) 
    ); 
    a_36_bit_voter voter_wA( 
        .inputA (prodwA ^ {3'b000, err_injw_A, 14'b0}), //force retention of 
triplicated voters 
        .inputB (prodwB), 
120 
        .inputC (prodwC), 
        .force_verror ({11'h0,err_inj_wvote, 24'h0}), 
        .voteout (prod_voted_wA), 
        .err_syn (err_synA) 
    ); 
     always@ (posedge clkA) begin 
        if(run == 1'b1) begin 
            prod_voted_rA <= prod_voted_wA; 
            err_syn_mult <= err_synA | err_synB | err_synC; 
            err_syn_reg <= err_syn_rA |err_syn_rB | err_syn_rC; 
        end 
        else begin 
            prod_voted_rA <= 0; 
            err_syn_mult <= 0; 
        end 
    end 
    a_36_bit_voter voter_rA( 
        .inputA (prod_voted_rA^ {3'b000, err_injr_A, 14'b0}), //force retention of 
triplicated voters 
        .inputB (prod_voted_rB), 
        .inputC (prod_voted_rC), 
        .force_verror (36'h0), 
        .voteout (productA), 
        .err_syn (err_syn_rA) 
    ); 
    mult18x18arr arr_mult_B( 
        .mul1 (mult1B), 
        .mul2 (mult2B ^ {4'b0000, err_injw_B, 13'b0}), 
        .prod (prodwB) 
    ); 
    a_36_bit_voter voter_wB( 
        .inputA (prodwA), 
121 
        .inputB (prodwB ^ {4'b0000, err_injw_B, 31'b0}), //force retention of 
triplicated voters 
        .inputC (prodwC), 
        .force_verror (36'h0), 
        .voteout (prod_voted_wB), 
        .err_syn (err_synB) 
    ); 
    always@ (posedge clkB) begin 
        if(run == 1'b1) 
             prod_voted_rB <= prod_voted_wB; 
        else prod_voted_rB <= 0; 
    end 
    a_36_bit_voter voter_rB( 
        .inputA (prod_voted_rA), 
        .inputB (prod_voted_rB ^ {4'b0000, err_injr_B, 31'b0}), //force retention of 
triplicated voters 
        .inputC (prod_voted_rC), 
        .force_verror ({11'h0,err_inj_rvote, 24'h0}), 
        .voteout (productB), 
        .err_syn (err_syn_rB) 
    ); 
     mult18x18arr arr_mult_C( 
        .mul1 (mult1C), 
        .mul2 (mult2C ^ {5'b00000, err_injw_C, 12'b0}), 
        .prod (prodwC ) 
    ); 
    a_36_bit_voter voter_wC( 
        .inputA (prodwA), 
        .inputB (prodwB), 
        .inputC (prodwC ^ {5'b00000, err_injw_C, 30'b0}), //force retention of 
triplicated voters 
        .force_verror (36'h0), 
        .voteout (prod_voted_wC), 
122 
        .err_syn (err_synC) 
    ); 
    always@ (posedge clkC) begin 
        if(run == 1'b1)  prod_voted_rC <= prod_voted_wC; 
        else  prod_voted_rC <= 0; 
    end 
    a_36_bit_voter voter_rC( 
        .inputA (prod_voted_rA), 
        .inputB (prod_voted_rB), 
        .inputC (prod_voted_rC ^ {5'b00000, err_injr_C, 30'b0}), //force retention of 
triplicated voters 
        .force_verror (36'h0), 
        .voteout (productC), 
        .err_syn (err_syn_rC) 
    ); 
endmodule 
a. mult18x18_str.v 
`timescale 1ns / 1ps 
////////////////////////////////////////////////////////////////////////////////// 
// Company: NPS 
// Engineer: H. H. Loomis 
// 
// Create Date: 02/14/2017 11:28:46 AM 
// Design Name: 
// Module Name: mult18x18_str 
// Project Name: 
// Target Devices: 







// Revision 0.01 - File Created 
// Revision 0.10 - Debugging RR6-3 and ppmodule using generate. 
// Revision 1.0  - Implementing full array multiplier with behavioral 36-bit final 
adder 
// Revision 1.1 - Debugged 4/5/17 
// Additional Comments: 
// Array multiplier switching function - no registers inside 
////////////////////////////////////////////////////////////////////////////////// 
module mult18x18arr( 
    input wire [17:0] mul1, 
    input wire [17:0] mul2, 
    output wire [35:0] prod 
); 
    (* dont_touch = "true" *) wire [35:0] pprod[17:0]; 
    (* dont_touch = "true" *) wire [35:0] 
sum0,C10,C20,sum1,C11,C21,sum2,C12,C22,sum3,C13,C23,sum4,C14,C24,sum5,C15; 
    genvar k; 
    generate 
        for (k=0;k<18;k=k+1) 
            begin: ppstage 
                ppmodule whateverpp ( 
                    .multd (mul2), 
                    .multr (mul1[k]), 
                    .ppout (pprod[k]) 
                ); 
            end 
    endgenerate 
//first level of RR6-3 
    RR_6_3_36bit RR63_0 ( 
        .A (pprod[0]), 
        .B (pprod[1] << 1), 
124 
        .C (pprod[2] << 2), 
        .D (pprod[3] << 3), 
        .E (pprod[4] << 4), 
        .F (pprod[5] << 5), 
        .sum (sum0), 
        .C1 (C10), 
        .C2 (C20) 
    ); 
    RR_6_3_36bit RR63_1 ( 
        .A (pprod[6] << 6), 
        .B (pprod[7] << 7), 
        .C (pprod[8] << 8), 
        .D (pprod[9] << 9), 
        .E (pprod[10] << 10), 
        .F (pprod[11] << 11), 
        .sum (sum1), 
        .C1 (C11), 
        .C2 (C21) 
    ); 
    RR_6_3_36bit RR63_2 ( 
        .A (pprod[12] << 12), 
        .B (pprod[13] << 13), 
        .C (pprod[14] << 14), 
        .D (pprod[15] << 15), 
        .E (pprod[16] << 16), 
        .F (pprod[17] << 17), 
        .sum (sum2), 
        .C1 (C12), 
        .C2 (C22) 
    ); 
//Second level of RR6-3 
    RR_6_3_36bit RR63_3 ( 
125 
        .A (sum0), 
        .B (C10), 
        .C (C20), 
        .D (sum1), 
        .E (C11), 
        .F (C21), 
        .sum (sum3), 
        .C1 (C13), 
        .C2 (C23) 
    ); 
//Third level of RR6-3 
    RR_6_3_36bit RR63_4 ( 
        .A (sum2), 
        .B (C12), 
        .C (C22), 
        .D (sum3), 
        .E (C13), 
        .F (C23), 
        .sum (sum4), 
        .C1 (C14), 
        .C2 (C24) 
    ); 
 //fourth level of RRs, a RR3-2 
    RR_3_2_36bit RR32 ( 
        .A (sum4), 
        .B (C14), 
        .C (C24), 
        .sum (sum5), 
        .C1 (C15) 
    ); 









// Create Date: 11/08/2017 03:38:44 PM 
// Design Name: 
// Module Name: a_31_bit_voter 
// Project Name: 
// Target Devices: 






// Revision 0.01 - File Created 




    input wire [1:36] inputA, 
    input wire [1:36] inputB, 
    input wire [1:36] inputC, 
    input wire [1:36] force_verror, 
    output wire [1:36] voteout, 
    output wire [2:0] err_syn 
); 
    wire [2:0] syn [1:36]; 
    genvar k; 
    generate 
127 
        for (k=1;k<37;k=k+1)begin: 
            voterstage 
            one_bit_voter whatevervoter ( 
                .in1 (inputA[k]), 
                .in2 (inputB[k]), 
                .in3 (inputC[k]), 
                .force_verror (force_verror[k]), //bit 16 
                .voted (voteout[k]), 
                .err_syn (syn[k]) 
            ); 
         end 
     endgenerate 
     assign err_syn = syn[1] | syn[2] | syn[3] | syn[4] | syn[5] | syn[6] | 
             syn[7] | syn[8] | syn[9] | syn[10] | syn[11] | syn[12] | 
             syn[13] | syn[14] | syn[15] | syn[16] | syn[17] | syn[18] | 
             syn[19] | syn[20] | syn[21] | syn[22] | syn[23] | syn[24] | 
             syn[25] | syn[26] | syn[27] | syn[28] | syn[22] | syn[30] | syn[31] | 
             syn[32] | syn[33] | syn[34] | syn[35] | syn[36]; 
endmodule 
4. nuversion7.v
`timescale 1ns / 1ps 
////////////////////////////////////////////////////////////////////////////////// 
// Company: NPS SSAG 
// Engineer: H Loomis 
// 
// Create Date: 01/25/2018 11:56:35 AM 
// Design Name: CFTP-7 experiment wrapper 
// Module Name: nuversion7 
// Project Name: CFTP-7 
// Target Devices: Kintex-7 
// Tool Versions: Vivado 2016.3 
128 
// Description: Returns FPGA configuration title, date and ID quad-graph, sets flag 
when configuration 




// Revision 0.01 - File Created 




    input wire clk, 
    input wire reset, 
    output wire [239:0] title, //max 30 bytes of title 
    output wire [239:0] date,  //max 30 bytes of date & time 
    output wire [31:0] q_graph,//4-byte ID 
    output wire config_runningw 
); 
    (* dont_touch = "true" *)reg [99:0] version_string[7:0]; 
    (* dont_touch = "true" *)wire [103:0] last; 
    (* dont_touch = "true" *)wire [223:0] part; 
    (* dont_touch = "true" *)wire [15:0] cr_lf; 
    (* dont_touch = "true" *)reg config_running; 
   //                      1         2         3 
   //             123456789012345678901234567890 
assign   title = "TMR LRS ARRAY MUL INJ_6_2     ";//Enter exactly 30 characters 
assign   date  = "FRI AUG 31 16:00:00 PST 2018  ";//Enter exactly 30 characters 
assign q_graph = "TMHY";                          //Enter exactly 4 character identifier 
//               32'h544D4859 
// 
// ++++++++++ END variable strings 
//                          1         2         3 
129 
//                 123456789012345678901234567890 
    assign last = "LAST UPDATED:"; 
    assign part = "PART SUCCESSFULLY PROGRAMMED"; 
    assign cr_lf = 16'h0d0a; 
    assign config_runningw = config_running; 
    initial begin 
        config_running <= 0; 
    end 
    always@(posedge clk) begin 
        if(reset == 1) config_running <= 0; 
        else config_running <= 1; 
    end 
endmodule 
130 
THIS PAGE INTENTIONALLY LEFT BLANK 
131 
APPENDIX C. SOFT-ERROR MITIGATION CODE 
Code found in this section originated in the Xilinx sample project, except for the 
sem_0_sample_message_decoder.v, sem_0_sample_message_encoder.v, and 
sem_0_sample_error_injection_handler.v.  All other files were modified for this project 
except for sem_0_sem_mon_fifo.V, which is only modified for readability and style for 







//   ____  ____ 
//  /   /\/   / 
// /___/  \  / 
// \   \   \/    Core:          sem 
//  \   \        Module:        sem_0_sem_wrapper 
//  /   /        Filename:      sem_0_sem_wrapper.v 
// /___/   /\    Purpose:       System level design example. 
// \   \  /  \ 




// (c) Copyright 2010 - 2014 Xilinx, Inc. All rights reserved. 
// 
// This file contains confidential and proprietary information 
// of Xilinx, Inc. and is protected under U.S. and 





// This disclaimer is not a license and does not grant any 
// rights to the materials distributed herewith. Except as 
// otherwise provided in a valid license issued to you by 
// Xilinx, and to the maximum extent permitted by applicable 
// law: (1) THESE MATERIALS ARE MADE AVAILABLE "AS IS" AND 
// WITH ALL FAULTS, AND XILINX HEREBY DISCLAIMS ALL 
WARRANTIES 
// AND CONDITIONS, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING 
// BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, NON- 
// INFRINGEMENT, OR FITNESS FOR ANY PARTICULAR PURPOSE; and 
// (2) Xilinx shall not be liable (whether in contract or tort, 
// including negligence, or under any other theory of 
// liability) for any loss or damage of any kind or nature 
// related to, arising under or in connection with these 
// materials, including for any direct, or any indirect, 
// special, incidental, or consequential loss or damage 
// (including loss of data, profits, goodwill, or any type of 
// loss or damage suffered as a result of any action brought 
// by a third party) even if such damage or loss was 
// reasonably foreseeable or Xilinx had been advised of the 
// possibility of the same. 
// 
// CRITICAL APPLICATIONS 
// Xilinx products are not designed or intended to be fail- 
// safe, or for use in any application requiring fail-safe 
// performance, such as life-support or safety devices or 
// systems, Class III medical devices, nuclear facilities, 
// applications related to the deployment of airbags, or any 
// other applications that could lead to death, personal 
133 
// injury, or severe property or environmental damage 
// (individually and collectively, "Critical 
// Applications"). Customer assumes the sole risk and 
// liability of any use of Xilinx products in Critical 
// Applications, subject only to applicable laws and 
// regulations governing limitations on product liability. 
// 
// THIS COPYRIGHT NOTICE AND DISCLAIMER MUST BE RETAINED AS 




// Module Description: 
// 
// This module is the system level design example, the top level of what is 
// intended for physical implementation.  This module is essentially an HDL 
// netlist of sub-modules used to construct the solution.  The system level 




// Port Definition: 
// 
// Name                          Type   Description 
// ============================= ====== 
==================================== 
// icap_clk                      input  The controller clock, used to clock 
//                                      the configuration logic as well. 
// 
// status_heartbeat              output Heartbeat signal for external watch 
// dog timer implementation; pulses 
// when readback runs.  Synchronous to 
134 
//                                      icap_clk. 
// 
// status_initialization         output Indicates initialization is taking 
//                                      place.  Synchronous to icap_clk. 
// 
// status_observation            output Indicates observation is taking 
//                                      place.  Synchronous to icap_clk. 
// 
// status_correction             output Indicates correction is taking 
//                                      place.  Synchronous to icap_clk. 
// 
// status_classification         output Indicates classification is taking 
//                                      place.  Synchronous to icap_clk. 
// 
// status_injection              output Indicates injection is taking 
//                                      place.  Synchronous to icap_clk. 
// 
// status_essential              output Indicates essential error condition. 
//                                      Qualified by de-assertion of the 
//                                      status_classification signal, and 
//                                      is synchronous to icap_clk. 
// 
// status_uncorrectable          output Indicates uncorrectable error 
//                                      condition. Qualified by de-assertion 
//                                      of the status_correction signal, and 
//                                      is synchronous to icap_clk. 
// 
// external_c                    output SPI bus clock.  When running, this 
//                                      clock is locked in frequency to one 
//                                      half the icap_clk frequency.  This 
//                                      signal is synchronous to icap_clk. 
// 
135 
// external_d output SPI bus data, master to slave. 
// Synchronous to icap_clk. 
// 
// external_s_n output SPI bus slave select.  Synchronous 
// to icap_clk. 
// 
// external_q input  SPI bus data, slave to master. 




// Parameter and Localparam Definition: 
// 
// Name Type   Description 
// ============================= ====== 
==================================== 
// TCQ int    Sets the clock-to-out for behavioral 








// +- sem_0 (sem_controller) 
// | 
// +- sem_0_cfg 
// | 
// +- sem_0_sem_mon_fifo 
// | 
// +- sem_0_sem_ext 
136 
// | 
// +- sem_0_message_encoder 
// | 
// +- sem_0_message_decoder 
// | 




// This module has been modified to remove the serial interface and insert 
// discrete signals in their place. 
///////////////////////////////////////////////////////////////////////////// 
// 
// New Port Definitions 
// 
// Name                          Type   Description 
// ============================= ====== 
==================================== 
// decoded_message               output 8-character message for display. 
//                                      Synchronous to icap_clk. 
// 
// request_sem_status            input  Indicates a request for SEM Status. 
//                                      Asynchronous. 
// 
// enter_idle_state              input  Indicates request for SEM to enter 
//                                      the Idle State.  Asynchronous, 
// 
// enter_observation_state       input  Indicates request for SEM to enter 
//                                      the Observation State.  Asynchronous, 
// 
// reset_sem                     input  Indicates request for SEM to reinitialize. 
//                                      This will trigger the SEM to read the 
137 
// FPGA configuration and use that for all 
// future errors.  Asynchronous, 
// 
// inject_LRS_error              input  Indicates a request to inject a single- 
// bit error in the block assigned 
// to the TMR LRS.  Asynchronous. 
// 
// inject_MultX_error            input  Indicates a request to inject a single- 
// bit error in the block assigned 
// to the Mult_X Registers.  Asynchronous. 
// 
// inject_MultY_error            input  Indicates a request to inject a single- 
// bit error in the block assigned 
// to the Mult_Y Registers.  Asynchronous. 
// 
// inject_temporary_deu          input  Indicates a request to inject a double- 
// bit error in the block assigned to 
// the TMR LRS.  Asynchronous. 
// 
// inject_persistent_seu         input  Indicates a request to continuously 
// inject a single-bit error in the block 
// assigned to the TMR LRS.  Asynchronous. 
// 
// icap_o[31:0] output ICAP data output.  Synchronous to 
// icap_clk. 
// 
// icap_i[31:0] output ICAP data input.  Synchronous to 
// icap_clk. 
// 
// icap_csib output ICAP chip select, active low.  Used 
// to enable the ICAP for read or write. 
// Synchronous to icap_clk. 
138 
// 
// icap_rdwrb                    output ICAP write select, active low.  Used 
//                                      to select between read or write. 
//                                      Synchronous to icap_clk. 
// 
// icap_request                  output Indicates a request from SEM to take 
//                                      control of the ICAP Interface. 
// 
// icap_grant                    input  Indicates that the SEM has been granted 
//                                      control of the ICAP Interface. 
// 
/////////////////////////////////////////////////////////////////////////// 
`timescale 1 ps / 1 ps 
/////////////////////////////////////////////////////////////////////////// 
// Module Port Declarations 
/////////////////////////////////////////////////////////////////////////// 
module sem_0_support_wrapper ( 
    input  wire         icap_clk, 
    output wire         status_heartbeat, 
    output wire         status_initialization, 
    output wire         status_observation, 
    output wire         status_correction, 
    output wire         status_classification, 
    output wire         status_injection, 
    output wire         status_essential, 
    output wire         status_uncorrectable, 
    input  wire         switch_valid, 
    output wire [63:0]  decoded_message, 
    input  wire         request_sem_status, 
    input  wire         enter_idle_state, 
    input  wire         enter_observation_state, 
    input  wire         reset_sem, 
139 
    input  wire         injection_strobe, 
    input  wire [24:0]  injection_address, 
    input  wire [11:0]  injection_offset, 
    input  wire         inject_LRS_error, 
    input  wire         inject_persistent_seu, 
    input  wire         inject_MultX_error, 
    input  wire         inject_MultY_error, 
    input  wire         inject_temporary_deu, 
    input  wire [31:0]  icap_o, 
    output wire [31:0]  icap_i, 
    output wire         icap_csib, 
    output wire         icap_rdwrb, 
    output wire         icap_request, 
    input  wire         icap_grant, 
    input  wire [4:0]   error_addr, 
    output wire         status_received 
); 
/////////////////////////////////////////////////////////////////////////// 
// Define local constants. 
/////////////////////////////////////////////////////////////////////////// 
  localparam TCQ = 1; 
/////////////////////////////////////////////////////////////////////////// 
// Declare SEM Status signals. 
/////////////////////////////////////////////////////////////////////////// 
    wire        status_heartbeat_internal; 
    wire        status_initialization_internal; 
    wire        status_observation_internal; 
    wire        status_correction_internal; 
    wire        status_classification_internal; 
    wire        status_injection_internal; 
    wire        status_essential_internal; 
    wire        status_uncorrectable_internal; 
140 
    (* mark_debug = "true" *) wire        sem_idle; 
/////////////////////////////////////////////////////////////////////////// 
// Signals for sem monitor interface 
/////////////////////////////////////////////////////////////////////////// 
    (* mark_debug = "true" *) wire  [7:0] monitor_txdata; 
    (* mark_debug = "true" *) wire        monitor_txwrite; 
    (* mark_debug = "true" *) wire        monitor_txfull; 
    (* mark_debug = "true" *) wire  [7:0] monitor_rxdata; 
    (* mark_debug = "true" *) wire        monitor_rxread; 
    (* mark_debug = "true" *) wire        monitor_rxempty; 
/////////////////////////////////////////////////////////////////////////// 
// Signals from FRAME_ECCE2 
/////////////////////////////////////////////////////////////////////////// 
    wire        fecc_crcerr; 
    wire        fecc_eccerr; 
    wire        fecc_eccerrsingle; 
    wire        fecc_syndromevalid; 
    wire [12:0] fecc_syndrome; 
    wire [25:0] fecc_far; 
    wire  [4:0] fecc_synbit; 
    wire  [6:0] fecc_synword; 
/////////////////////////////////////////////////////////////////////////// 
// Signals for sem monitor interface 
/////////////////////////////////////////////////////////////////////////// 
    (* mark_debug = "true" *) wire        inject_strobe; 
    (* mark_debug = "true" *) wire [39:0] inject_message; 
    (* mark_debug = "true" *) wire        command_strobe; 
    (* mark_debug = "true" *) wire  [7:0] command_code; 
    (* mark_debug = "true" *) wire        command_busy; 
    (* mark_debug = "true" *) wire        message_busy; 
    (* mark_debug = "true" *) wire        message_strobe; 
    (* mark_debug = "true" *) wire  [7:0] message_code; 
141 
    (* mark_debug = "true" *) wire [15:0] msg_hdr; 
    (* mark_debug = "true" *) wire        txfull_p; 
    (* mark_debug = "true" *) wire        rxempty_n; 
    (* mark_debug = "true" *) wire        command_active; 
    (* mark_debug = "true" *) wire  [4:0] last_command_sent; 
/////////////////////////////////////////////////////////////////////////// 
// The controller sub-module is the kernel of the soft error mitigation 
// solution.  The port list is dynamic based on the IP core options. 
/////////////////////////////////////////////////////////////////////////// 
    sem_0 sem_module ( 
        .status_heartbeat(status_heartbeat_internal), 
        .status_initialization(status_initialization_internal), 
        .status_observation(status_observation_internal), 
        .status_correction(status_correction_internal), 
        .status_classification(status_classification_internal), 
        .status_injection(status_injection_internal), 
        .status_essential(status_essential_internal), 
        .status_uncorrectable(status_uncorrectable_internal), 
        .monitor_txdata(monitor_txdata), 
        .monitor_txwrite(monitor_txwrite), 
        .monitor_txfull(monitor_txfull), 
        .monitor_rxdata(monitor_rxdata), 
        .monitor_rxread(monitor_rxread), 
        .monitor_rxempty(monitor_rxempty), 
        .inject_strobe(inject_strobe), 
        .inject_address(inject_message), 
        .fecc_crcerr(fecc_crcerr), 
        .fecc_eccerr(fecc_eccerr), 
        .fecc_eccerrsingle(fecc_eccerrsingle), 
        .fecc_syndromevalid(fecc_syndromevalid), 
        .fecc_syndrome(fecc_syndrome), 
        .fecc_far(fecc_far), 
142 
        .fecc_synbit(fecc_synbit), 
        .fecc_synword(fecc_synword), 
        .icap_o(icap_o), 
        .icap_i(icap_i), 
        .icap_csib(icap_csib), 
        .icap_rdwrb(icap_rdwrb), 
        .icap_clk(icap_clk), 
        .icap_request(icap_request), 
        .icap_grant(icap_grant) 
    ); 
    assign status_heartbeat = status_heartbeat_internal; 
    assign status_initialization = status_initialization_internal; 
    assign status_observation = status_observation_internal; 
    assign status_correction = status_correction_internal; 
    assign status_classification = status_classification_internal; 
    assign status_injection = status_injection_internal; 
    assign status_essential = status_essential_internal; 
    assign status_uncorrectable = status_uncorrectable_internal; 
    assign sem_idle = !(status_initialization || status_observation || status_correction 
|| 
                        status_classification || status_injection); 
/////////////////////////////////////////////////////////////////////////// 
// The cfg sub-module contains the device specific primitives to access 
// the frame crc/ecc status signals. 
/////////////////////////////////////////////////////////////////////////// 
    sem_0_cfg sem_cfg ( 
        .fecc_crcerr(fecc_crcerr), 
        .fecc_eccerr(fecc_eccerr), 
        .fecc_eccerrsingle(fecc_eccerrsingle), 
        .fecc_syndromevalid(fecc_syndromevalid), 
        .fecc_syndrome(fecc_syndrome), 
        .fecc_far(fecc_far), 
143 
        .fecc_synbit(fecc_synbit), 
        .fecc_synword(fecc_synword) 
    ); 
/////////////////////////////////////////////////////////////////////////// 
// Instantiate the SEM Monitor Interface variables 
/////////////////////////////////////////////////////////////////////////// 
    assign command_active = ((last_command_sent[0] && !status_received) || 
(last_command_sent[1] && !sem_idle) || 
(last_command_sent[2] && !status_observation) || 
(last_command_sent[3] && !sem_idle) || 
(last_command_sent[4] && !status_injection)); 
/////////////////////////////////////////////////////////////////////////// 
// Message Handler to send messages to the SEM Monitor Interface 
/////////////////////////////////////////////////////////////////////////// 
    sem_0_message_encoder encoder ( 
        .clk(icap_clk), 
        .status_observation(status_observation), 
        .sem_idle(sem_idle), 
        .request_sem_status(request_sem_status), 
        .status_requested(last_command_sent[0]), 
        .switch_valid(switch_valid), 
        .command_strobe(command_strobe), 
        .command_busy(command_busy), 
        .command_code(command_code), 
        .command_active(command_active) 
    ); 
/////////////////////////////////////////////////////////////////////////// 
// Message buffer to send messages to the SEM Monitor Interface 
/////////////////////////////////////////////////////////////////////////// 
    sem_0_sem_mon_fifo sem_rx_buffer ( 
        .data_in(command_code),         // data from rx buffer to fifo 
        .data_out(monitor_rxdata),      // data from fifo to sem 
144 
        .write(command_strobe),         // signal signal from sem that it has data to write 
        .read(monitor_rxread),          // signal from sem that it has read the data 
        .full(command_busy),            // signal to Encoder that rx buffer is full 
        .data_present(rxempty_n),       // signal to sem that there is que is able to receive 
data 
        .icap_clk(icap_clk)             // clock signal 
    ); 
    assign monitor_rxempty = ~rxempty_n; 
/////////////////////////////////////////////////////////////////////////// 
// Message buffer to receive messages from the SEM Monitor Interface 
/////////////////////////////////////////////////////////////////////////// 
    sem_0_sem_mon_fifo sem_tx_buffer ( 
        .data_in(monitor_txdata),       // data from sem to output buffer 
        .data_out(message_code),        // data from output buffer to decoder 
        .write(monitor_txwrite),        // signal that data is from the SEM is ready to be 
read 
        .read(message_busy),            // signal that decoder has extracted a byte from 
output buffer 
        .full(txfull_p),                // signal to sem that the output buffer is full 
        .data_present(message_strobe),  // signal to decoder that data is ready 
        .icap_clk(icap_clk)             // clock 
    ); 
    assign monitor_txfull = txfull_p; 
/////////////////////////////////////////////////////////////////////////// 
// Message Handler to receive messages from the SEM Monitor Interface 
/////////////////////////////////////////////////////////////////////////// 
    sem_0_message_decoder decoder ( 
        .clk(icap_clk), 
        .msg_hdr(msg_hdr), 
        .message_strobe(message_strobe), 
        .message_busy(message_busy), 
        .message_code(message_code), 
        .decoded_message(decoded_message), 
145 
        .status_requested(last_command_sent[0]), 
        .status_received(status_received) 
    ); 
/////////////////////////////////////////////////////////////////////////// 
// Message Handler to transmit messages from the SEM Injection Interface 
/////////////////////////////////////////////////////////////////////////// 
    sem_0_injection_handler injector( 
        .icap_clk(icap_clk), 
        .inject_strobe(inject_strobe), 
        .inject_message(inject_message), 
        .sem_idle(sem_idle), 
        .status_observation(status_observation), 
        .status_correction(status_correction), 
        .enter_idle_state(enter_idle_state), 
        .enter_observation_state(enter_observation_state), 
        .reset_sem(reset_sem), 
        .injection_strobe(injection_strobe), 
        .injection_address(injection_address), 
        .injection_offset(injection_offset), 
        .inject_LRS_error(inject_LRS_error), 
        .inject_persistent_seu(inject_persistent_seu), 
        .inject_MultX_error(inject_MultX_error), 
        .inject_MultY_error(inject_MultY_error), 
        .inject_temporary_deu(inject_temporary_deu), 
        .switch_valid(switch_valid), 
        .idle_requested(last_command_sent[1]), 
        .observation_requested(last_command_sent[2]), 
        .error_injected(last_command_sent[4]), 
        .reset_requested(last_command_sent[3]), 
        .command_active(command_active), 
        .error_addr(error_addr) 
    ); 
146 
/////////////////////////////////////////////////////////////////////////// 









//   ____  ____ 
//  /   /\/   / 
// /___/  \  / 
// \   \   \/    Core:          sem 
//  \   \        Module:        sem_0_sem_cfg 
//  /   /        Filename:      sem_0_sem_cfg.v 
// /___/   /\    Purpose:       Wrapper file for configuration logic. 
// \   \  /  \ 




// (c) Copyright 2010 - 2014 Xilinx, Inc. All rights reserved. 
// 
// This file contains confidential and proprietary information 
// of Xilinx, Inc. and is protected under U.S. and 




// This disclaimer is not a license and does not grant any 
147 
// rights to the materials distributed herewith. Except as 
// otherwise provided in a valid license issued to you by 
// Xilinx, and to the maximum extent permitted by applicable 
// law: (1) THESE MATERIALS ARE MADE AVAILABLE "AS IS" AND 
// WITH ALL FAULTS, AND XILINX HEREBY DISCLAIMS ALL 
WARRANTIES 
// AND CONDITIONS, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING 
// BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, NON- 
// INFRINGEMENT, OR FITNESS FOR ANY PARTICULAR PURPOSE; and 
// (2) Xilinx shall not be liable (whether in contract or tort, 
// including negligence, or under any other theory of 
// liability) for any loss or damage of any kind or nature 
// related to, arising under or in connection with these 
// materials, including for any direct, or any indirect, 
// special, incidental, or consequential loss or damage 
// (including loss of data, profits, goodwill, or any type of 
// loss or damage suffered as a result of any action brought 
// by a third party) even if such damage or loss was 
// reasonably foreseeable or Xilinx had been advised of the 
// possibility of the same. 
// 
// CRITICAL APPLICATIONS 
// Xilinx products are not designed or intended to be fail- 
// safe, or for use in any application requiring fail-safe 
// performance, such as life-support or safety devices or 
// systems, Class III medical devices, nuclear facilities, 
// applications related to the deployment of airbags, or any 
// other applications that could lead to death, personal 
// injury, or severe property or environmental damage 
// (individually and collectively, "Critical 
// Applications"). Customer assumes the sole risk and 
// liability of any use of Xilinx products in Critical 
148 
// Applications, subject only to applicable laws and 
// regulations governing limitations on product liability. 
// 
// THIS COPYRIGHT NOTICE AND DISCLAIMER MUST BE RETAINED AS 




// Module Description: 
// 




// Port Definition: 
// 
// Name                          Type   Description 
// ============================= ====== 
==================================== 
// fecc_crcerr                   output FRAME_ECC status indicating a device 
//                                      CRC check at end of readback cycle 
//                                      has failed.  Synchronous to icap_clk. 
// 
// fecc_eccerr                   output FRAME_ECC status indicating a frame 
//                                      ECC check at end of frame readback 
//                                      has failed.  Synchronous to icap_clk. 
// 
// fecc_eccerrsingle             output FRAME_ECC status indicating syndrome 
//                                      appears to be for a single bit error. 
//                                      Synchronous to icap_clk. 
// 
// fecc_syndromevalid            output FRAME_ECC status indicating syndrome 
149 
// is valid in this cycle.  Synchronous 
// to icap_clk. 
// 
// fecc_syndrome[12:0]           output FRAME_ECC syndrome.  Synchronous to 
// icap_clk. 
// 
// fecc_far[25:0]                output FRAME_ECC status showing FAR or EFAR. 
// Synchronous to icap_clk. 
// 
// fecc_synbit[4:0]              output FRAME_ECC status indicating location 
// of error in a word.  Synchronous to 
// icap_clk. 
// 
// fecc_synword[6:0]             output FRAME_ECC status indicating location 
// of error word in a frame.  Synchronous 




// Parameter and Localparam Definition: 
// 
// Name Type   Description 
// ============================= ====== 
==================================== 
// TCQ int    Sets the clock-to-out for behavioral 









// \- FRAME_ECCE2 (unisim) 
// 
///////////////////////////////////////////////////////////////////////////// 




module sem_0_cfg ( 
    output wire        fecc_crcerr, 
    output wire        fecc_eccerr, 
    output wire        fecc_eccerrsingle, 
    output wire        fecc_syndromevalid, 
    output wire [12:0] fecc_syndrome, 
    output wire [25:0] fecc_far, 
    output wire  [4:0] fecc_synbit, 
    output wire  [6:0] fecc_synword 
); 
/////////////////////////////////////////////////////////////////////////// 
// Define local constants. 
/////////////////////////////////////////////////////////////////////////// 
    localparam TCQ = 1; 
/////////////////////////////////////////////////////////////////////////// 




// Instantiate the FRAME_ECC primitive. 
/////////////////////////////////////////////////////////////////////////// 
// FRAME_ECCE2: Configuration Frame Error Correction 
//              7 Series 
// Xilinx HDL Language Template, version 2018.3 
151 
    FRAME_ECCE2 #( 
        .FARSRC("EFAR"), // Determines if the output of FAR[25:0] 
configuration register points to 
// the FAR or EFAR. Sets configuration option register bit 
CTL0[7]. 
       .FRAME_RBT_IN_FILENAME("NONE")   // This file is output by the 
ICAP_E2 model and it contains Frame Data 
// information for the Raw Bitstream (RBT) file. The 
FRAME_ECCE2 model 
// will parse this file, calculate ECC and output any error 
conditions. 
    ) 
    FRAME_ECCE2_inst ( 
        .CRCERROR(fecc_crcerr),         // 1-bit output: Output indicating a CRC 
error. 
        .ECCERROR(fecc_eccerr),        // 1-bit output: Output indicating an ECC 
error. 
        .ECCERRORSINGLE(fecc_eccerrsingle), // 1-bit output: Output Indicating 
single-bit Frame ECC error detected. 
        .FAR(fecc_far),                     // 26-bit output: Frame Address Register Value 
output. 
        .SYNBIT(fecc_synbit),               // 5-bit output: Output bit address of error. 
        .SYNDROME(fecc_syndrome),           // 13-bit output: Output location of 
erroneous bit. 
        .SYNDROMEVALID(fecc_syndromevalid), // 1-bit output: Frame ECC 
output indicating the SYNDROME output is valid. 
        .SYNWORD(fecc_synword)  // 7-bit output: Word output in the frame 
where an ECC error has been detected. 
    ); 
// End of FRAME_ECCE2_inst instantiation 
endmodule 
C. SEM_0_SAMPLE_MESSAGE_DECODER.V 
`timescale 1ns / 1ps 
////////////////////////////////////////////////////////////////////////////////// 
// Company:         Naval Postgraduate School 
152 
// Developer:       Stuart Archer 
// 
// Create Date:     01/26/2019 10:35:20 PM 
// Design Name:     TMR SEM 
// Module Name:     sem_0_message_decoder 
// Project Name: 
// Target Devices:  xc7a100tcsg324-3, xc7k325t 
// Tool Versions: 
// Description:     This file implements code to translate the SEM's Monitor 
//                  Interface into discrete signals for use by the TMR 
//                  Experiment. 
// 
// Dependencies:    None 
// 
// Revision: 
// Revision 0.01 - File Created 




    input  wire        clk, 
    output wire [15:0] msg_hdr, 
    input  wire        message_strobe, 
    output wire        message_busy, 
    input  wire [7:0]  message_code, 
    output wire [63:0] decoded_message, 
    input  wire        status_requested, 
    output wire        status_received 
); 
///////////////////////////////////////////////////////////// 




    parameter [15:0] STATE_CHANGE_RPT  = 16'h5343,      //'SC 
FLAG_CHANGE_RPT   = 16'h4643,      //'FC 
FEATURE_RPT       = 16'h4653,      //'FS 
SLR_RPT           = 16'h534e,      //'SN 
STATUS_RPT        = 16'h4d46,      //'MF actually a frame report, but 
it is the first message in response to a status request 
OKAY              = 16'h4f4d,      //'ON 
IDLE_PROMPT       = 16'h493e,      //'I>' 
OBS_PROMPT        = 16'h4f3e,      //'O>' 
PHYSICAL_ADDRESS  = 16'h5041,      //'PA Physical Address of 
error 
LOGICAL_ADDRESS   = 16'h4c41,      //'LA Logical Address of 
error 
WORD_TEXT_ADDRESS = 16'h5744,      //'WD  WORD_TEXT 
address for single-bit ECC errors 
NOT_GOOD          = 16'h4d47;      //'NG 
    parameter [31:0] ICAP_AVAIL_STATUS = 32'h49434150,  //'ICAP 
RDBK_STATUS       = 32'h5244424b,  //'RDBK 
INIT_RPT_B        = 32'h5f565f0d, 
INIT_COMPL_STATUS = 32'h494e4954;   //' 
    parameter [39:0] INIT_RPT_A        = 40'h585f53454d, 
WORD_TEXT         = 40'h574f524420, //'WORD 
BIT_TEXT          = 40'h4249542020; //'BIT 
    parameter [23:0] HALT              = 24'h484c54,     //'HLT 
SINGLE_BIT_ERR    = 24'h534544,     //'SED 
DOUBLE_BIT_ERR    = 24'h444544,     //'DED 
CORRECTION_BEGIN  = 24'h434f52,     //'COR 
END_MESSAGE       = 24'h454b44,     //'END Used for both correction 
and classification message blocks 
CLASS_BEGIN       = 24'h434c41;     //'CLA 
// Message strings for display 
    parameter [63:0] RECONFIG          = 64'h5245434f4d464947,  //'RECONFIG  
Canned message to user informing need to reconfigure 
154 
                     PHYSICAL          = 64'h504859534943414c,  //'PHYSICAL 
                     OBSERVE           = 64'h4f42534552564520,  //'OBSERVE 
                     IDLE              = 64'h49444c4520202020,  //'IDLE 
                     INITIALIZATION    = 64'h494e495420202020,  //'INIT 
                     CLASSIFICATION    = 64'h434c415353494659,  //'CLASSIFY 
                     CORRECTION        = 64'h434f525245435420,  //'CORRECT 
                     INJECTION         = 64'h494e4a4543540000,  //'INJECT 
                     LOGICAL           = 64'h4c4f474943414c00,  //'LOGICAL 
                     ONE_BIT_ERR       = 64'h3142495420455252,  //'1BIT ERR 
                     TWO_BIT_ERR       = 64'h3242495420455252,  //'2BIT_ERR 
                     MAX_FRAME         = 64'h4d41584652414d45;  //'MAXFRAME 
// End of Line Indicator (A Carriage Return character) 
    parameter [7:0]  NEW_LINE          = 8'h0d;         //<CR> 
////////////////////////////////////////////////////////////// 
// Define Constants 
////////////////////////////////////////////////////////////// 
    reg  [15:0] last_message_type; 
    wire        receiving_frame, receiving_state, receiving_flags; 
    wire        receiving_halt; 
    wire        receiving_slr; 
    wire        receiving_init_rpt, receiving_feature_set, receiving_icap, 
receiving_rdbk; 
    wire        receiving_prompt, receiving_complete; 
    reg  [15:0] state_text, flag_text, slr_text, feature_set, icap_state, rdbk_state, 
complete_state; 
    reg  [71:0] maximum_frame_text; 
    reg  [7:0]  last_byte_rcvd; 
    (* dont_touch = "true" *) reg  [63:0] alt_message_buffer1, alt_message_buffer2; 
    (* mark_debug = "true" *) reg  [2:0]  message_num, max_alt_messages, 
status_messages_rcvd; 
    reg  [26:0] counter; 
    integer     i; 
    (* dont_touch = "true" *) reg  [63:0] message_buffer; 
155 
    wire        message_code_is_valid; 
    reg  [63:0] physical_addr, logical_addr; 
    reg  [15:0] word_addr, bit_addr, sed_text, ded_text; 
    reg         se_detected, de_detected, classifying, correcting, receiving_status; 
    (* mark_debug = "true" *) reg  [3:0]  bytes_in_block; 
    (* mark_debug = "true" *) reg  [7:0]  total_bytes_received; 
    (* mark_debug = "true" *) reg  [7:0]  received_bytes[11:0]; 
//Initialization Message States 
    parameter [1:0]  NO_BLOCKS_RCVD    = 2'b00, 
ONE_BLOCK_RCVD    = 2'b01, 
TWO_BLOCKS_RCVD   = 2'b10, 
THREE_BLOCKS_RCVD = 2'b11; 
    parameter        TRUE                = 1'b1, 
FALSE               = 1'b0; 
///////////////////////////////////////////////////////////////////////////////// 
// Initialize variables 
///////////////////////////////////////////////////////////////////////////////// 
    initial begin 
        counter         = 19'h00000; 
        bytes_in_block  = 0; 
        classifying     = 0; 
        correcting      = 0; 
    end 
///////////////////////////////////////////////////////////////////////////////// 
// Procedural Code 
///////////////////////////////////////////////////////////////////////////////// 
    always @(posedge clk) begin 
        if(message_strobe) begin 
            if(message_code_is_valid) begin 
                total_bytes_received <= total_bytes_received + 1; 
                case(bytes_in_block) 
0   : begin 
156 
                            received_bytes[11] <= message_code; 
                            for(i=0; i<11; i=i+1) received_bytes[i] <=8'h00; 
                        end 
                    1   : received_bytes[10] <= message_code; 
                    2   : received_bytes[9] <= message_code; 
                    3   : received_bytes[8] <= message_code; 
                    4   : received_bytes[7] <= message_code; 
                    5   : received_bytes[6] <= message_code; 
                    6   : received_bytes[5] <= message_code; 
                    7   : received_bytes[4] <= message_code; 
                    8   : received_bytes[3] <= message_code; 
                    9   : received_bytes[2] <= message_code; 
                    10  : received_bytes[1] <= message_code; 
                    11  : received_bytes[0] <= message_code; 
                    default ; 
                endcase 
                last_byte_rcvd <= message_code; 
                if(status_requested && (status_messages_rcvd == 6)) 
status_messages_rcvd <= 0; 
                if(message_code == NEW_LINE) begin 
                    case (msg_hdr) 
                        STATE_CHANGE_RPT         : begin 
                                if(!status_requested) begin 
                                    if(status_messages_rcvd == 3) status_messages_rcvd <= 4; 
                                    state_text <= {received_bytes[8], received_bytes[7]}; 
                                    case({received_bytes[8], received_bytes[7]}) 
                                        16'h3030    : begin // Idle State.  Do nothing so that errors 
will remain visible until a new one is injected 
                                                if(max_alt_messages == 0) message_buffer <= 
IDLE; 
                                            end 
                                        16'h3031    : begin //Initialization state begun.  Initialize 
messages 
157 
max_alt_messages <= 0; 
message_buffer <= INITIALIZATION; 
end 
                                        16'h3032    : if(max_alt_messages == 0) message_buffer 
<= OBSERVE; // Injection do nothing so that errors will remain visible until a new one is 
injected 
                                        16'h3034    : if(max_alt_messages == 0) message_buffer 
<= CORRECTION; // Correction do nothing so that errors will remain visible. 
                                        16'h3038    : if(max_alt_messages == 0) message_buffer 
<= CLASSIFICATION; // Classification do nothing so errors will remain visible. 
                                        16'h3130    : if(max_alt_messages == 0) message_buffer 
<= INJECTION;else max_alt_messages <= 0;    //Error injected.  Clear the display buffers 




FLAG_CHANGE_RPT          : begin 
flag_text  <= {received_bytes[8], received_bytes[7]}; 
if(status_messages_rcvd == 4) status_messages_rcvd <= 5; 
end 
STATUS_RPT               : begin 
status_messages_rcvd <= 2; 
message_buffer      <= MAX_FRAME; 
maximum_frame_text  <= {received_bytes[8], 
received_bytes[7], received_bytes[6], received_bytes[5], 
received_bytes[4], received_bytes[3], 
received_bytes[2], received_bytes[1]}; 
alt_message_buffer1 <= {received_bytes[8], 
received_bytes[7], received_bytes[6], received_bytes[5], 
received_bytes[4], received_bytes[3], 
received_bytes[2], received_bytes[1]}; 
se_detected         <= FALSE; 
de_detected         <= FALSE; 
max_alt_messages    <= TRUE; 
receiving_status    <= TRUE; 
158 
                            end 
                        SLR_RPT                  : begin 
                                slr_text <= {received_bytes[8], received_bytes[7]}; 
                                if(status_messages_rcvd == 2) status_messages_rcvd <= 3; 
                            end 
                        FEATURE_RPT              : begin 
                                if(status_messages_rcvd == 5) status_messages_rcvd <= 6; 
                                feature_set <= {received_bytes[8], received_bytes[7]}; 
                                receiving_status <= 0; 
                            end 
                        ICAP_AVAIL_STATUS[31:16] : icap_state  <= 
{received_bytes[6], received_bytes[5]}; 
                        RDBK_STATUS[31:16]       : rdbk_state  <= {received_bytes[6], 
received_bytes[5]}; 
                        INIT_COMPL_STATUS[31:16] : complete_state <= 
{received_bytes[6], received_bytes[5]}; 
                        //  Error-specific Messages 
                        SINGLE_BIT_ERR[23:8]     : begin 
                                sed_text <= {received_bytes[7], received_bytes[6]}; 
                                se_detected <= TRUE; 
                                de_detected <= FALSE; 
                                message_buffer  <= ONE_BIT_ERR;        //'1BIT ERR 
                                if(sed_text == NOT_GOOD) begin 
                                    alt_message_buffer2 <= RECONFIG; 
                                    max_alt_messages <= 5; 
                                end 
                                else max_alt_messages <= 6; 
                            end 
                        DOUBLE_BIT_ERR[23:8]     : begin 
                                ded_text <= {received_bytes[8], received_bytes[7]}; 
                                se_detected <= FALSE; 
                                de_detected <= TRUE; 
                                message_buffer  <= TWO_BIT_ERR;        //'2BIT ERR 
159 
max_alt_messages <= 5; 
end 
PHYSICAL_ADDRESS         : begin 





alt_message_buffer1 <= PHYSICAL; 
end 
LOGICAL_ADDRESS          : begin 






WORD_TEXT_ADDRESS             : begin 
if (!(classifying || correcting)) begin 
alt_message_buffer2 <= {WORD_TEXT, 
received_bytes[8], received_bytes[7], 8'h00};   //'WORD_TEXT ## 
word_addr <= {received_bytes[8], received_bytes[7]}; 
bit_addr  <= {received_bytes[2], received_bytes[1]}; 
end 
end 
CLASS_BEGIN[23:8]         : classifying <= 1; 
CORRECTION_BEGIN[23:8]    : correcting <= 1; 
END_MESSAGE[23:8]         : begin 
classifying <= 0; 
classifying <= 0; 
end 
endcase 
bytes_in_block <= 4'b0; 
160 
                    last_message_type <= {received_bytes[11],received_bytes[10]}; 
                end 
                else if(receiving_prompt) begin     // Prompts don't get NEW_LINEs. => 
Strip them off the message stream. 
                    if(message_code == 8'h20) begin 
                        bytes_in_block <=4'b0; 
                        last_message_type <= {received_bytes[11],received_bytes[10]}; 
                    end 
                end 
                else begin 
                    bytes_in_block <= bytes_in_block + 1; 
                    receiving_status <= 0; 
                end 
            end 
        end 
        if(counter==27'h00001) begin 
            if(message_num >= max_alt_messages) message_num <= 0; 
            else message_num <= message_num + 1; 
        end 
        counter <= counter - 1; 
    end 
//////////////////////////////////////////////////////////////////////////////////////////////////////// 
// Architectural Code 
//////////////////////////////////////////////////////////////////////////////////////////////////////// 
    assign receiving_state       = ((msg_hdr == STATE_CHANGE_RPT) && 
(message_code != NEW_LINE)) ? 1 : 0; 
    assign receiving_flags       = ((msg_hdr == FLAG_CHANGE_RPT) && 
(message_code != NEW_LINE)) ? 1 : 0; 
    assign receiving_frame       = ((msg_hdr == STATUS_RPT) && (message_code 
!= NEW_LINE)) ? 1 : 0; 
    assign receiving_slr         = ((msg_hdr == SLR_RPT) && (message_code != 
NEW_LINE)) ? 1 : 0; 
    assign receiving_feature_set = ((msg_hdr == FEATURE_RPT) && 
(message_code != NEW_LINE)) ? 1 : 0; 
161 
    assign receiving_prompt      = ((msg_hdr == OBS_PROMPT) || (msg_hdr == 
IDLE_PROMPT)) ? 1 : 0; 
    assign receiving_halt        = ((msg_hdr == HALT[23:8]) && (message_code != 
NEW_LINE)) ? 1 : 0; 
    assign receiving_icap        = ((msg_hdr == ICAP_AVAIL_STATUS[31:16]) && 
(message_code != NEW_LINE)) ? 1 : 0; 
    assign receiving_rdbk        = ((msg_hdr == RDBK_STATUS[31:16]) && 
(message_code != NEW_LINE)) ? 1 : 0; 
    assign receiving_complete    = ((msg_hdr == INIT_COMPL_STATUS[31:16]) 
&& (message_code != NEW_LINE)) ? 1 : 0; 
    assign receiving_init_rpt    = ((msg_hdr == INIT_RPT_A[39:24]) && 
(message_code != NEW_LINE)) ? 1 : 0; 
    assign message_code_is_valid = ((message_code == 8'h0d) || (message_code == 
8'h0a) || (message_code == 8'h20) || 
((message_code > 8'h2f) && (message_code < 8'h7f))); 
    assign message_busy = message_strobe; 
    assign status_received = (status_messages_rcvd == 6); 
    assign msg_hdr = {received_bytes[11], received_bytes[10]}; 
    assign decoded_message = (message_num == 1) ? alt_message_buffer1 : 
(message_num == 2) ? physical_addr : 
(message_num == 3) ? LOGICAL : 
(message_num == 4) ? logical_addr : 
(message_num == 5) ? alt_message_buffer2 : 




`timescale 1ns / 1ps 
////////////////////////////////////////////////////////////////////////////////// 
// Company:     Naval Postgraduate School 
// Developer:    Stuart Archer 
// 
// Create Date: 01/26/2019 10:35:20 PM 
162 
// Design Name: TMR_SEM 
// Module Name: sem_0_message_encoder 
// Project Name: 
// Target Devices: xc7a100tcsg324-3 
// Tool Versions: 
// Description: This file implement the message handler to send messages to the 
//              SEM Monitpr Interface.  It contains all messages which can be 
//              sent (except for error injection messages, but any messages which 
//              can be sent via the SEM Injection Interface will be commented 




// Port Definition: 
// 
// Name                          Type   Description 
// ============================= ====== 
==================================== 
// clk                           input  System clock; the entire system is 
//                                      synchronized to this signal, which 
//                                      is distributed on a global clock 
//                                      buffer and referred to as icap_clk. 
// 
// sem_idle                      input  Indicates initialization is taking 
//                                      place.  Synchronous to icap_clk. 
// 
// status_observation            input  Indicates observation is taking 
//                                      place.  Synchronous to icap_clk. 
// 
// request_sem_status            input  Indicates request for SEM Status. 
//                                      Asynchronous. 
// 
163 
// status_requested              output Indicates the last byte of a request 
// for SEM Status has been sent. 
// Synchronous to icap_clk. 
// 
// enter_idle_state              input  Indicates request for SEM to enter 
//                                      the Idle State.  Asynchronous. 
// 
// status_requested              output Indicates the last byte of a request 
// for SEM to transition to Idle State 
// has been sent. Synchronous to icap_clk. 
// 
// enter_observation_state       input  Indicates request for SEM to enter 
//                                      the Observation State.  Asynchronous. 
// 
// observation_requested         output Indicates the last byte of a request 
// for SEM to transition to Observation 
// State has been sent. Synchronous to 
// icap_clk. 
// 
// reset_sem input  Indicates request for SEM to reset and 
// go through Initialization.  Asynchronous. 
// 
// reset_requested               output Indicates the last byte of a request 
// for SEM to reinitialize has been sent. 
// Synchronous to icap_clk. 
// 
// switch_valid input  Indicates that only one command is being 
// sent to the SEM. 
// 
// command_strobe                output Indicates that data is valid for the 




// command_code                  output Byte of data being sent to the message 
//                                      buffer going to the SEM Monitor Interface. 
// 
// command_busy                  input  Acknowledges that the message buffer going 
//                                      to the SEM Monitor Interfacehas received 
//                                      the data. 
// 
// command_active                input  Indicates that a message has been sent 






// Revision 0.01 - File Created 




    input  wire         clk, 
    input  wire         status_observation, 
    input  wire         sem_idle, 
    input  wire         request_sem_status, 
    output wire         status_requested, 
    input  wire         switch_valid, 
    output wire         command_strobe, 
    input  wire         command_busy, 
    output wire [7:0]   command_code, 






    parameter [15:0] NEW_LINE       = 16'h0d0a; 
// Monitor Interface Message definitions 
    parameter [47:0] STATUS_REQUEST = {32'h00000053, NEW_LINE},  // "S" 
MON_INJECT_ERR = {48'h4e, NEW_LINE}, 
RESET_STATE    = {32'h00000052, NEW_LINE},  // "R" 
IDLE_STATE     = {32'h00000049, NEW_LINE},  // "I" 
OBS_STATE      = {32'h0000004f, NEW_LINE},  // "O" 
ERR_INJECT     = {8'b01001110, NEW_LINE}, 
NULL_CMD       = 48'h000000000000; 
    parameter [7:0]  LAST_STATUS    = 8'h53, 
LAST_RESET     = 8'h52, 
LAST_IDLE      = 8'h49, 
LAST_OBS       = 8'h4f, 
LAST_NULL      = 8'h00; 
    parameter [2:0]  FIVE_TO_SEND   = 3'b101, 
FOUR_TO_SEND   = 3'b101, 
THREE_TO_SEND  = 3'b100, 
THREE_SENT     = 3'b011, 
TWO_TO_SEND    = 3'b010, 
ONE_TO_SEND    = 3'b001, 
LAST_SENT      = 3'b000; 
    parameter        TRUE           = 1'b1, 
FALSE          = 1'b0; 
///////////////////////////////////////////////////////////////////// 
// Declare Variables 
///////////////////////////////////////////////////////////////////// 
    (* mark_debug = "true" *) (* dont_touch = "true" *) reg  [47:0] new_function; 
    (* mark_debug = "true" *) wire [47:0] current_message; 
    (* mark_debug = "true" *) reg         strobe, status_request_sent;//, 
reset_request_sent; 
166 
    (* mark_debug = "true" *) reg  [7:0]  fifo_data_in, last_command_requested; 
    (* mark_debug = "true" *) reg  [2:0]  next_data; 
    (* mark_debug = "true" *) wire [2:0]  bytes_remaining; 
    initial begin 
        next_data = LAST_SENT; 
        new_function = NULL_CMD; 
        fifo_data_in = 8'h00; 
        strobe = 0; 
        status_request_sent = 0; 
    end 
    always @(posedge clk) begin 
        if(!command_active && status_requested) status_request_sent <= FALSE; 
        else if(!command_busy && !command_active) begin 
            if(current_message == NULL_CMD) begin 
                if(switch_valid && !command_active) begin 
                    if(status_observation || sem_idle) begin //Is the SEM in a state to 
receive messages? 
                        if(request_sem_status && (last_command_requested != 
LAST_STATUS)) begin 
                            last_command_requested <= LAST_STATUS; 
                            new_function <= STATUS_REQUEST; 
                            next_data <= TWO_TO_SEND; 
                            fifo_data_in <= STATUS_REQUEST[23:16]; 
                            strobe <= 1; 
                        end 
                    end 
                end 
            end 
            else if (bytes_remaining != LAST_SENT) begin              // Send next byte 
of message 
                case (bytes_remaining) 
                    THREE_SENT  : begin 
                            fifo_data_in <= current_message[23:16]; 
167 
next_data <= TWO_TO_SEND; 
strobe <= TRUE; 
end 
TWO_TO_SEND   : begin 
fifo_data_in <= current_message[15:8]; 
next_data <= ONE_TO_SEND; 
strobe <= TRUE; 
end 
ONE_TO_SEND   : begin 
fifo_data_in <= current_message[7:0]; 
next_data <= LAST_SENT; 
strobe <= TRUE; 




fifo_data_in <= 8'h00; 
next_data <= LAST_SENT; 
strobe <= 0; 
new_function <= NULL_CMD; 
end 
                endcase 
            end 
        end 
        if(!switch_valid) begin 
            last_command_requested <= LAST_NULL; 
            strobe <= 0; 
        end 
    end 
    assign bytes_remaining = next_data; 
    assign command_strobe = strobe; 
    assign command_code[7:0] = fifo_data_in[7:0]; 
168 
    assign status_requested = status_request_sent; 








//   ____  ____ 
//  /   /\/   / 
// /___/  \  / 
// \   \   \/    Core:          sem 
//  \   \        Module:        sem_0_sem_mon_fifo 
//  /   /        Filename:      sem_0_sem_mon_fifo.v 
// /___/   /\    Purpose:       MON Shim 32x8 FIFO. 
// \   \  /  \ 




// (c) Copyright 2010 - 2014 Xilinx, Inc. All rights reserved. 
// 
// This file contains confidential and proprietary information 
// of Xilinx, Inc. and is protected under U.S. and 




// This disclaimer is not a license and does not grant any 
// rights to the materials distributed herewith. Except as 
169 
// otherwise provided in a valid license issued to you by 
// Xilinx, and to the maximum extent permitted by applicable 
// law: (1) THESE MATERIALS ARE MADE AVAILABLE "AS IS" AND 
// WITH ALL FAULTS, AND XILINX HEREBY DISCLAIMS ALL 
WARRANTIES 
// AND CONDITIONS, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING 
// BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, NON- 
// INFRINGEMENT, OR FITNESS FOR ANY PARTICULAR PURPOSE; and 
// (2) Xilinx shall not be liable (whether in contract or tort, 
// including negligence, or under any other theory of 
// liability) for any loss or damage of any kind or nature 
// related to, arising under or in connection with these 
// materials, including for any direct, or any indirect, 
// special, incidental, or consequential loss or damage 
// (including loss of data, profits, goodwill, or any type of 
// loss or damage suffered as a result of any action brought 
// by a third party) even if such damage or loss was 
// reasonably foreseeable or Xilinx had been advised of the 
// possibility of the same. 
// 
// CRITICAL APPLICATIONS 
// Xilinx products are not designed or intended to be fail- 
// safe, or for use in any application requiring fail-safe 
// performance, such as life-support or safety devices or 
// systems, Class III medical devices, nuclear facilities, 
// applications related to the deployment of airbags, or any 
// other applications that could lead to death, personal 
// injury, or severe property or environmental damage 
// (individually and collectively, "Critical 
// Applications"). Customer assumes the sole risk and 
// liability of any use of Xilinx products in Critical 
// Applications, subject only to applicable laws and 
170 
// regulations governing limitations on product liability. 
// 
// THIS COPYRIGHT NOTICE AND DISCLAIMER MUST BE RETAINED AS 




// Module Description: 
// 




// Port Definition: 
// 
// Name                          Type   Description 
// ============================= ====== 
==================================== 
// icap_clk                      input  The system clock signal. 
// 
// data_in[7:0]                  input  Input to the FIFO. Synchronous 
//                                      to icap_clk. 
// 
// data_out[7:0]                 output Output from the FIFO.  Synchronous 
//                                      to icap_clk. 
// 
// write                         input  Write strobe, used to enable data 
//                                      capture.  Synchronous to icap_clk. 
// 
// read                          input  Read strobe, used to advance data 
//                                      output to next value.  Synchronous 
//                                      to icap_clk. 
171 
// 
// full output Indicates when the FIFO is full. 
// Synchronous to icap_clk. 
// 
// data_present output Indicates when the FIFO has data 




// Parameter and Localparam Definition: 
// 
// Name Type   Description 
// ============================= ====== 
==================================== 
// TCQ int    Sets the clock-to-out for behavioral 








// \- SRLC32E (unisim) 
// 
///////////////////////////////////////////////////////////////////////////// 




module sem_0_sem_mon_fifo ( 
  input  wire        icap_clk, 
172 
  input  wire  [7:0] data_in, 
  output wire  [7:0] data_out, 
  input  wire        write, 
  input  wire        read, 
  output wire        full, 
  output wire        data_present 
  ); 
  /////////////////////////////////////////////////////////////////////////// 
  // Define local constants. 
  /////////////////////////////////////////////////////////////////////////// 
  localparam TCQ = 1; 
  /////////////////////////////////////////////////////////////////////////// 
  // Declare signals. 
  /////////////////////////////////////////////////////////////////////////// 
  reg   [5:0] augend = 6'b011111; 
  reg   [5:0] addend; 
  wire  [1:0] addsel; 
  wire        valid_write; 
  wire        valid_read; 
  /////////////////////////////////////////////////////////////////////////// 
  // Data storage. 
  /////////////////////////////////////////////////////////////////////////// 
  SRLC32E data_srl_0 ( 
    .D(data_in[0]), 
    .CE(write), 
    .CLK(icap_clk), 
    .A(augend[4:0]), 
    .Q(data_out[0]), 
    .Q31() 
    ); 
  SRLC32E data_srl_1 ( 
    .D(data_in[1]), 
173 
    .CE(write), 
    .CLK(icap_clk), 
    .A(augend[4:0]), 
    .Q(data_out[1]), 
    .Q31() 
    ); 
  SRLC32E data_srl_2 ( 
    .D(data_in[2]), 
    .CE(write), 
    .CLK(icap_clk), 
    .A(augend[4:0]), 
    .Q(data_out[2]), 
    .Q31() 
    ); 
  SRLC32E data_srl_3 ( 
    .D(data_in[3]), 
    .CE(write), 
    .CLK(icap_clk), 
    .A(augend[4:0]), 
    .Q(data_out[3]), 
    .Q31() 
    ); 
  SRLC32E data_srl_4 ( 
    .D(data_in[4]), 
    .CE(write), 
    .CLK(icap_clk), 
    .A(augend[4:0]), 
    .Q(data_out[4]), 
    .Q31() 
    ); 
  SRLC32E data_srl_5 ( 
    .D(data_in[5]), 
174 
    .CE(write), 
    .CLK(icap_clk), 
    .A(augend[4:0]), 
    .Q(data_out[5]), 
    .Q31() 
    ); 
  SRLC32E data_srl_6 ( 
    .D(data_in[6]), 
    .CE(write), 
    .CLK(icap_clk), 
    .A(augend[4:0]), 
    .Q(data_out[6]), 
    .Q31() 
    ); 
  SRLC32E data_srl_7 ( 
    .D(data_in[7]), 
    .CE(write), 
    .CLK(icap_clk), 
    .A(augend[4:0]), 
    .Q(data_out[7]), 
    .Q31() 
    ); 
  /////////////////////////////////////////////////////////////////////////// 
  // Buffer management. 
  /////////////////////////////////////////////////////////////////////////// 
  assign valid_write = write && !(augend == 6'b111111); 
  assign valid_read = read && augend[5]; 
  assign addsel = {valid_read, valid_write}; 
  always @* 
  begin 
    case (addsel) 
      2'b01: addend = 6'b000001; 
175 
      2'b10: addend = 6'b111111; 
      default: addend = 6'b000000; 
    endcase 
  end 
  always @(posedge icap_clk) 
  begin 
    augend <= #TCQ (augend + addend); 
  end 
  assign data_present = augend[5]; 
  assign full = (augend == 6'b111111); 
endmodule 
F. SEM_0_INJECTION_HANDLER.V 
`timescale 1ns / 1ps 
////////////////////////////////////////////////////////////////////////////////// 
// Company:         Naval Postgraduate School 
// Developer:        Stuart Archer 
// 
// Create Date:     01/29/2019 12:17:25 PM 
// Design Name:      
// Module Name:     sem_0_injection_handler 
// Project Name:  
// Target Devices: 
// Tool Versions:  
// Description:     This file implements code to translate discrete requests 
// to messages to be sent to the SEM Injection Interface. 
// 
176 
// Dependencies:  
//  
// Revision: 
// Revision 0.01 - File Created 






    input  wire         icap_clk, 
    output wire         inject_strobe, 
    output wire [39:0]  inject_message, 
    input  wire         sem_idle, 
    input  wire         status_observation, 
    input  wire         status_correction, 
    input  wire         enter_idle_state, 
    input  wire         enter_observation_state, 
    input  wire         reset_sem, 
    input  wire         injection_strobe, 
    input  wire [31:0]  injection_address, 
    input  wire [11:0]  injection_offset, 
    input  wire         inject_LRS_error, 
    input  wire         inject_persistent_seu, 
177 
    input  wire         inject_MultX_error, 
    input  wire         inject_MultY_error, 
    input  wire         inject_temporary_deu, 
    input  wire         switch_valid, 
    output wire         idle_requested, 
    output wire         observation_requested, 
    output wire         error_injected, 
    output wire         reset_requested, 
    input  wire         command_active, 
    input  wire [4:0]   error_addr 
); 
    reg              inject_message_ready, command_busy; 
    (* dont_touch = "true" *) reg       [39:0] new_function; 
    (* dont_touch = "true" *) reg              half_address; 
    wire      [1:0]  slr_number = 2'b00; 
    (* dont_touch = "true" *) reg       [1:0]  block_type = 2'b00; 
    (* dont_touch = "true" *) reg       [9:0]  column_address; 
    (* dont_touch = "true" *) reg       [6:0]  minor_address, word_address; 
    (* dont_touch = "true" *) reg       [4:0]  row_address, bit_address; 
    (* dont_touch = "true" *) reg       [16:0] frame_address; 
    (* mark_debug = "true" *) reg       [3:0]  msg_header; 
    (* mark_debug = "true" *) reg  injection_requested, idle_request_sent, 
observe_request_sent, reset_request_sent, waiting_for_correction, strobe; 
178 
 
                      
// Injection Interface Message definitions     
    parameter [4:0]  INJ_IDLE_STATE        = {4'b1110},      //  
                     INJ_OBS_STATE         = {4'b1010},      //  
                     INJ_RESET_SEM         = {4'b1011},      // 
                     INJ_PHYSICAL_ADDRESS  = {4'b1100},      // 
                     INJ_LINEAR_ADDRESS    = {4'b0000}, 
                     INJ_NULL_CMD          = {4'b1111}; 
    parameter [11:0] LRS_OFFSET            = 1702, 
                     MULTX_OFFSET          = 1701, 
                     MULTY_OFFSET          = 1701, 
                     DOUBLEX_OFFSET        = 1700; 
    parameter [31:0] LRS_ADDR              = 32'h0002081f, 
                     MULTX_ADDR            = 32'h0002079f, 
                     MULTY_ADDR            = 32'h00020f1f; 
 
//    parameter [1:0]  NO_ERROR              = 2'b00, 
//                     SINGLE_ERROR          = 2'b01, 
//                     DOUBLE_ERROR          = 2'b10, 
//                     TRIPLE_ERROR          = 2'b11; 
 
 
    initial begin 
179 
        msg_header <= INJ_NULL_CMD; 
        observe_request_sent <= 1'b0; 
        injection_requested <= 1'b0; 
        idle_request_sent <= 1'b0; 
    end 
    always @(posedge icap_clk) begin 
        if((msg_header != INJ_NULL_CMD) && (inject_strobe ==1'b0)) begin 
            strobe <= 1'b1; 
        end 
        else if((msg_header != INJ_NULL_CMD) && (inject_strobe ==1'b1)) begin 
            strobe <= 1'b0; 
            msg_header <= INJ_NULL_CMD; 
        end 
        else if(switch_valid && !command_active && !waiting_for_correction) 
begin 
    // IDLE_STATE allows most commands.  It is indicated by the init, observe, 
correct, classify, and Inject signals being low. 
            if(sem_idle) begin 
                if(enter_observation_state) begin 
msg_header = INJ_OBS_STATE; 
observe_request_sent <= 1'b1; 
                end 
                else if(reset_sem) begin 
180 
                    msg_header = INJ_RESET_SEM; 
                    reset_request_sent <= 1'b1; 
                end 
                else if(injection_strobe) begin  // This error can only use the Physical 
                    msg_header              <= INJ_PHYSICAL_ADDRESS; 
                    block_type              <= injection_address[24:23]; 
                    half_address            <= injection_address[22]; 
                    row_address             <= injection_address[21:17]; 
                    column_address          <= injection_address[16:7]; 
                    minor_address           <= injection_address[6:0]; 
                    word_address            <= injection_offset[11:5]; 
                    bit_address             <= injection_offset[4:0]; 
                    frame_address           <= injection_address[16:0]; 
                    injection_requested     <= 1'b1; 
                end 
                else if(inject_LRS_error || inject_persistent_seu) begin  // This error can 
use either the Physical or Linear Frame Address 
                    msg_header              <= INJ_PHYSICAL_ADDRESS; 
                    block_type              <= LRS_ADDR[24:23]; 
                    half_address            <= LRS_ADDR[22]; 
                    row_address             <= LRS_ADDR[21:17]; 
                    column_address          <= LRS_ADDR[16:7]; 
                    minor_address           <= LRS_ADDR[6:0]; 
                    word_address            <= LRS_OFFSET[11:5]; 
181 
bit_address             <= LRS_OFFSET[4:0] + error_addr - 3'b100; 
frame_address           <= LRS_ADDR[16:0]; 
injection_requested     <= 1'b1; 
                end 
                else if(inject_MultY_error) begin          // This error can use either 
the Physical or Linear Frame Address 
msg_header              <= INJ_PHYSICAL_ADDRESS; 
block_type              <= MULTY_ADDR[24:23]; 
half_address            <= MULTY_ADDR[22]; 
row_address             <= MULTY_ADDR[21:17]; 
column_address          <= MULTY_ADDR[16:7]; 
minor_address           <= MULTY_ADDR[6:0]; 
word_address            <= MULTY_OFFSET[11:5]; 
bit_address             <= MULTY_OFFSET[4:0] + error_addr - 3'b100; 
frame_address           <= MULTY_ADDR[16:0]; 
injection_requested     <= 1'b1; 
                end 
                else if(inject_MultX_error) begin // This error can use 
either the Physical or Linear Frame Address 
msg_header              <= INJ_PHYSICAL_ADDRESS; 
block_type              <= MULTX_ADDR[24:23]; 
half_address            <= MULTX_ADDR[22]; 
row_address             <= MULTX_ADDR[21:17]; 
column_address          <= MULTX_ADDR[16:7]; 
182 
                    minor_address           <= MULTX_ADDR[6:0]; 
                    word_address            <= MULTX_OFFSET[11:5]; 
                    bit_address             <= MULTX_OFFSET[4:0] + error_addr - 3'b100; 
                    frame_address           <= MULTX_ADDR[16:0]; 
                    injection_requested     <= 1'b1; 
                end 
                else if(inject_temporary_deu) begin                         // This can only be 
done with a Physical Frame Address message 
                    msg_header              <= INJ_PHYSICAL_ADDRESS;        // Based 
off MultX address 
                    block_type              <= LRS_ADDR[24:23]; 
                    half_address            <= LRS_ADDR[22]; 
                    row_address             <= LRS_ADDR[21:17]; 
                    column_address          <= LRS_ADDR[16:7]; 
                    minor_address           <= LRS_ADDR[6:0]; 
                    word_address            <= LRS_OFFSET[11:5]; 
                    bit_address             <= DOUBLEX_OFFSET + error_addr - 3'b100; 
                    frame_address           <= LRS_ADDR[16:0]; 
                    injection_requested     <= 1'b1; 
                end 
                else msg_header             <= INJ_NULL_CMD; 
            end 
            else if (status_observation) begin 
                if(enter_idle_state) begin 
183 
msg_header              <= INJ_IDLE_STATE; 
idle_request_sent       <= 1'b1; 
                end 
                else msg_header             <= INJ_NULL_CMD; 
            end 
            else msg_header <= INJ_NULL_CMD; 
        end 
        else if(!command_active) begin 
            idle_request_sent       <= 1'b0; 
            observe_request_sent    <= 1'b0; 
            msg_header <= INJ_NULL_CMD; 
        end 
        else begin 
            if(waiting_for_correction && status_correction) waiting_for_correction <= 
1'b0; 
            if(idle_requested && sem_idle) idle_request_sent <= 1'b0; 
            if(observation_requested && status_observation) observe_request_sent <= 
1'b0; 
            if(error_injected)begin 
                if(sem_idle && inject_persistent_seu) begin 
msg_header              <= INJ_PHYSICAL_ADDRESS; 
block_type              <= LRS_ADDR[24:23]; 
half_address            <= LRS_ADDR[22]; 
row_address             <= LRS_ADDR[21:17]; 
184 
                    column_address          <= LRS_ADDR[16:7]; 
                    minor_address           <= LRS_ADDR[6:0]; 
                    word_address            <= LRS_OFFSET[11:5]; 
                    bit_address             <= LRS_OFFSET[4:0] + error_addr - 3'b100; 
                    frame_address           <= LRS_ADDR[16:0]; 
                    injection_requested     <= 1'b1;                     
                end 
                else if(sem_idle && !(inject_LRS_error || inject_MultX_error || 
inject_MultY_error || inject_temporary_deu)) begin 
                    injection_requested <= 1'b0; 
//                    if(inject_status == ERROR_CORRECTING) waiting_for_correction 
<= 1'b0; 
//                else begin 
//                    case(inject_status) 
//                        INJECT_REQUESTED    : if(status_injection) inject_status <= 
ERROR_INJECTED; 
//                        ERROR_INJECTED      : if(status_classification) inject_status <= 
ERROR_CLASSIFYING; 
//                        ERROR_CLASSIFYING   : if(status_correction) inject_status <= 
ERROR_CORRECTING; 
//                    endcase 
//                    if(status_injection) waiting_for_correction <= 1'b1; 
//                    injection_requested <= 1'b0; 
                    end 
185 
APPENDIX D. INTELLECTUAL PROPERTY (IP) SETTINGS 
This section documents the settings used for Xilinx IP which are included in the 
project.  The IP modules used in the project are the Clocking Wizard (v5.3) [16] and SEM 
(v4.1) [5].  Unless specified in their corresponding section, it can be assumed that all 
settings for each module correspond to default values. 
A. CLOCK WIZARD SETTINGS 
The clock wizard module is name master_clock, because the clock wizard is a pass-
down from the TMR code.  It has been modified to add an additional 100 MHz clock for 
the ICAP interface and three additional 50 MHz clocks for the each of the voter registers 
in the TMR_exp project.  All clocks have the BUFG drivers, which include buffers to 
ensure that the power levels on the buffers remain strong enough to drive all circuitry which 
utilize them.  The input clock has input jitter or 0.010 UI. 
Table 7. Clock Wizard IP Settings 
Name Frequency [MHz] Tab 
clk_in1 100 Clocking Tab 
clk_50 50 Output Clocks 
clk_100 100 Output Clocks 
clk_200 200 Output Clocks 
clk_outa 50 Output Clocks 
clk_outa 50 Output Clocks 
clk_outa 50 Output Clocks 
B. SOFT ERROR MITIGATION IP SETTINGS 
The SEM module is named sem_0.  The settings for the SEM IP are listed in Table 
8. Selection of the Replace Error Correction Method or Error Classification requires the
Data Retrieval Shim to be set to “spi flash x1.”  Any other choice requires that Data 
Retrieval Shim be set to “None.”  To determine which bits affect the design function, set 
186 
Enable Error Classification to Checked.  If not enabled, all bits would be considered 
essential. 
Table 8. SEM IP Settings 
Field Name Field Value
Name sem_0 
Enable Error Injection Checked 
Enable Error Correction Checked 
Error Correction Method Repair 
Enable Error Classification Not Checked 
Controller Clock Frequency 100 
Error Injection Shim Pins 
Data Retreival Shim None 
 
                end 
            if(reset_requested && status_observation) reset_request_sent <= 1'b0; 
            msg_header <= INJ_NULL_CMD; 
        end 
    end 
     
    assign idle_requested = idle_request_sent; 
    assign observation_requested = observe_request_sent; 
    assign inject_strobe  = strobe || injection_strobe; 
    assign error_injected = injection_requested; 
    assign reset_requested = reset_request_sent; 
    assign inject_message = (msg_header == INJ_PHYSICAL_ADDRESS) ? {1'b0, 
slr_number, block_type, half_address, row_address, column_address, minor_address, 
word_address, bit_address} : 
187 
(msg_header == INJ_LINEAR_ADDRESS) ? 
{INJ_LINEAR_ADDRESS, 5'b00000, slr_number, frame_address, word_address, 
bit_address} :  
(msg_header == INJ_IDLE_STATE) ? {INJ_IDLE_STATE, 
36'ha5a5a5a5a} : (msg_header == INJ_OBS_STATE) ? {INJ_OBS_STATE, 
36'h5a5a5a5a5} :  
(msg_header == INJ_RESET_SEM) ? {INJ_RESET_SEM, 
36'h000000000} : 40'hffffffffff; 
endmodule 
188 
THIS PAGE INTENTIONALLY LEFT BLANK 
189 
LIST OF REFERENCES 
[1]  S. Rezgui, J. J. Wang, E. C. Tung, B. Cronquist and J. McCollum, “New 
methodologies for SET characterization and mitigation in flash-based FPGAs,” 20 
July 2007. [Online]. Available: https://www.microsemi.com/document-portal/
doc_view/131384-new-methodologies-for-set-characterization-and-mitigation-in-
flash-based-fpgas-report. 
[2]  M. Berg, “Field-programmable gate array (FPGA) single event effect (SEE) 
radiation testing,” 2 February 2012. [Online]. Available: https://nepp.nasa.gov/files/
23779/FPGA_Radiation_Test_Guidelines_2012.pdf. 
[3]  Microsemi Inc., “Neutron-induced single event upset (SEU) FAQ,” 2011. [Online]. 
Available: https://www.microsemi.com/document-portal/doc_view/130760-
neutron-seu-faq,. 
[4]  A. S. Jackson, Implementation of the configurable fault tolerant system experiment 
on NPSAT-1, Monterey, CA: Naval Postgraduate School, 2016.  
[5]  Xilinx Inc., “Soft error mitigation controller (v4.1) LogiCORE IP product guide,” 4 
April 2018. [Online]. Available: https://www.xilinx.com/support/documentation/
ip_documentation/sem/v4_1/pg036_sem.pdf. 
[6]  Xilinx Inc., “Partial reconfiguration (v.2017.1) user guide,” 5 April 2017. [Online]. 
Available: https://www.xilinx.com/support/documentation/sw_manuals/
xilinx2017_1/ug909-vivado-partial-reconfiguration.pdf. 
[7]  J. Newman and F. Kragh, “Flight CFTP architecture for NPSaT1 CFTP-7,” 11 June 
2019. [Online].  
[8]  Brigham Young University National Science Foundation Center for High 
Performance Reconfigurable Computing, “Triple modular redundancy.” [Online]. 
Available: http://slideplayer.com/slide/3565692/12/images/16/
Triple+Modular+Redundancy.jpg. [Accessed 02 May 2019]. 
[9]  Xilinx Inc., “7 Series FPGAs configuration user guide (v1.13.1),” 20 August 2018. 
[Online]. Available: https://www.xilinx.com/support/documentation/user_guides/
ug470_7Series_Config.pdf. 
[10] Naval Postgraduate School Space Systems Academic Group, “NPSAT1 mission 
information,” 2019. [Online]. Available: https://my.nps.edu/web/ssag/research-
satellite. 
190 
[11] Enclustra FPGA Solutions Inc., “Mercury KX1 Xilinx® Kintex®-7 FPGA module 
product site.” [Online]. Available: https://www.enclustra.com/en/products/fpga-
modules/mercury-kx1/. [Accessed 19 April 2019]. 
[12] Xilinx Inc., “Using constraints (v.2017.3) user guide,” 4 October 2017. [Online]. 
Available: https://www.xilinx.com/support/documentation/sw_manuals/
xilinx2017_3/ug903-vivado-using-constraints.pdf. 
[13] Xilinx Inc., “Artix-7 FPGAs data sheet: DC and AC switching characteristics 
(v1.25),” 18 June 2018. [Online]. Available: https://www.xilinx.com/support/
documentation/data_sheets/ds181_Artix_7_Data_Sheet.pdf. 
[14] Digilent Inc., “Nexys 4 DDR XADC demo.” [Online]. Available: 
https://reference.digilentinc.com/_media/nexys/nexys4/
xadc6.jpg?w=500&tok=06a466. [Accessed 16 May 2019]. 
[15] Xilinx Inc., “Vivado programming and debugging,” 30 May 2014. [Online]. 
Available: https://www.xilinx.com/support/documentation/sw_manuals/
xilinx2014_1/ug908-vivado-programming-debugging.pdf. 
[16] Digilent Inc., “Nexys 4 DDR reference manual.” [Online]. Available: 
https://reference.digilentinc.com/reference/programmable-logic/nexys-4-ddr/
reference-manual. [Accessed 16 May 2019]. 
[17] Xilinx Inc., “Clocking Wizard (v5.3) LogiCORE IP product guide,” 5 October 
2016. [Online]. Available: https://www.xilinx.com/support/documentation/
ip_documentation/clk_wiz/v5_3/pg065-clk-wiz.pdf. 
[18] Xilinx Inc., “Partial reconfiguration vivado design suite tutorial (V2017.1),” 5 April
2017. [Online]. Available: https://www.xilinx.com/support/documentation/
sw_manuals/xilinx2017_1/ug947-vivado-partial-reconfiguration-tutorial.pdf. 




[20] Xilinx Inc., “Demonstration of soft error mitigation IP and partial reconfiguration 






INITIAL DISTRIBUTION LIST 
1. Defense Technical Information Center 
 Ft. Belvoir, Virginia 
 
2. Dudley Knox Library 
 Naval Postgraduate School 
 Monterey, California 
