OpenSEA: Semi-Formal Methods for Soft Error Analysis by Klampfl, Patrick et al.
OpenSEA:
Semi-Formal Methods for Soft Error Analysis
Patrick Klampfl, Robert Ko¨nighofer, Roderick Bloem, Ayrat Khalimov (TU Graz, Austria)
Aiman Abu-Yonis, Shiri Moran (IBM Research Lab, Haifa, Israel)
Abstract—Alpha-particles and cosmic rays cause bit flips in
chips. Protection circuits ease the problem, but cost chip area
and power, and so designers try hard to optimize them. This
leads to bugs: an undetected fault can bring miscalculations, the
checker that alarms about harmless faults incurs performance
penalty. Such bugs are hard to find: circuit simulation with tests
is inefficient since it enumerates the huge fault time-location
space, and formal methods do not scale since they explore the
whole inputs. In this paper, we use formal methods on designer’s
input tests, while keeping time-location open. This idea is at
the core of the tool OpenSEA. OpenSEA can (i) find latches
vulnerable to and protected against faults, (ii) find tests that
exhibit checker false alarms, (iii) use fixed and open inputs, and
(iv) use environment assumptions. Evaluation on a number of
industrial designs shows that OpenSEA produces valuable results.
I. INTRODUCTION
In 1965 Moore’s law was born [1]: chips density doubles
every few years. Aside from good things like improving
performance, increasing chips density also increases sensi-
tivity to cosmic radiation and alpha-particles [2]–[4]. These
external influences can cause bit flips — the sudden change
of internal memory values — that can lead to hardware
misbehaviours [5]. Such errors are called soft errors, because
the hardware is not harmed permanently.
There are ways to protect the circuit against soft errors [6]–
[9]. Triple modular redundancy copies the circuit three times,
computes three results in parallel, and chooses the result by
majority vote, thus overcoming soft errors. Error correcting
codes (ECCs) introduce spare bits that are used to restore
the original values after the bit flip happens [10]. Parity
computations [11] can detect bit flips.
But such protection methods are too expensive, since often
circuits are intrinsically protected [12], for example, when the
computation will not be used (think of branch predictions in
processors). Thus, designers carefully optimize the protection
logic to save area and power, which is difficult and error-prone.
We present tool OpenSEA to help the designer to verify and
optimize the protection circuit. We assume that the protection
circuit has a special output “alarm” (risen when a fault is
detected), and consider only single fault scenarios [13].
OpenSEA provides three kinds of algorithms. First, it
searches for vulnerable latches. Roughly, a latch is vulnerable
if the fault in it can escape to the user without being alarmed.
Second, OpenSEA searches for protected latches. Roughly,
a latch is protected if the fault in it is always alarmed
or recovered from before propagating to the user. Third,
OpenSEA searches for spurious alarms. Roughly, an alarm
is raised spuriously when the fault is always recovered from
without being noticed. Spurious alarms hurts performance.
The idea behind the algorithms is to compare a fault-free
circuit with a modified circuit where we model a fault, see
Fig. 1. For example, if run a given test case on two circuits,
inserting a fault into the second circuit, and check if the
outputs can diverge without the alarm, then we get, roughly,
the simulation based algorithm. Such two-circuits-comparison
check can be offloaded to a SAT solver. Then, we can keep the
fault location and time “symbolic” (“free”), thus asking a SAT
solver if there is a fault latch and time that can escape without
raising the alarm. Such approach is not new and was explored
in [14]–[16], but to our knowledge no tools are available. Also,
we allow the designer to use fixed tests, partially fixed tests
(with some inputs left open), or completely open tests. Thus,
our algorithm ranges from model checking to simulation. We
call such approach semi-formal.
We evaluated OpenSEA on made-up examples, and started
evaluation on industrial designs.
The source code and benchmark results are available at
https://extgit.iaik.tugraz.at/scos/soft-error-analysis/.
II. PRELIMINARIES
A. Faults, Vulnerable and Protected Latches, Alarm
A (transient) fault is a nondeterministic change of the latch
value for one time step. We assume there can be at most one
transient fault in a circuit during the execution. We do not
consider other types of faults (stuck-at-zero, byzantine, etc.).
We assume a circuit has a special output alarm: alarm =
true means a fault has been detected, and a higher-level service
handles it (e.g., it restarts the computation).
Consider an execution where a fault happens in latch x
at moment t. The fault escapes if outputs diverge at some
moment t′ and the alarm is not raised before or at t′. The
fault is alarmed if alarm is risen in the fault moment or later.
Note that a fault can escape and yet be alarmed (too late).
A latch is vulnerable if there is an execution with an
escaping fault in the latch. Otherwise, the latch is protected.
I.e., a latch is protected if on all executions, a fault in the latch
is either always detected before or at the moment when the
outputs diverge, or the outputs never diverge.
Consider an execution with a fault at moment t in latch
x. An alarm is spurious at moment ≥ t if the circuit states
converge on all evolutions of that execution from t.
ar
X
iv
:1
71
2.
04
29
1v
1 
 [c
s.O
H]
  1
2 D
ec
 20
17
Output 1
State
Next
State
clk
State
Next
State
Circuit
 
Output 2
 
Copy
 
Alarm 2
Input
clk clk
Alarm 1
vuln_check
Fig. 1: Composed circuit used for vulnerability check
B. Transition Relations
Notation. We assume the reader is familiar with the notions
of literal, clause, cube, CNF, DNF, sequential circuit. Tu-
ples of Boolean variables are usually overlined, e.g., x =
(x1, . . . , xn), while tuples of their values are also bolded, e.g.,
x = (1, 0, ..., 1). We assume
∧j
i (..) is true when j < i.
Consider Fig. 1: the top boxed area “Circuit” represents
the circuit under test: it is divided into latches (the rectangle)
and the combinatorial part (the cloud), it has inputs, outputs
“Output 1”, and the special output “Alarm 1”.
A circuit can be represented as a Boolean formula
T (x, i, o, a, x′) over variables x, i, o, a, x′, called transition
relation. Given values x, x′, i, o, and a, T (x, i,o, a,x′) is
true if the circuit, starting with latch values x and reading
inputs i, outputs o, alarms a, and updates latch values to x′.
Latch values are called circuit state.
To model the faults, we introduce new inputs c (where |c| =
|x|) and f , and use T (x, i, f, c, o, a, x′) defined as
T (x, i, o, a, x′)[x′i ← [ x′orig] ∧∧
i
x′i ↔ x′orig ⊕(f ∧ ci).
Intuitively, T  flips the original x′i when ci and f are set; f
encodes whether or not to inject a fault, and ci = true means
that the latch i should be flipped. The single-fault assumption
is modelled later.
III. CLASSIFICATION ALGORITHMS
In this Section we describe two algorithms used by
OpenSEA. The first one searches for vulnerable latches and
spurious alarms: it can accept (fixed or open) tests. The second
algorithm searches for protected latches. Both algorithms are
sound but incomplete: the classification of the latches they
produce is correct, but some latches may be unclassified.
A. Searching for Vulnerable Latches and Spurious Alarms
Algorithm 1 searches for vulnerable latches. The input is
a test case (i1, i2, ..., it) of length t, the output is the set
of vulnerable latches, and F is the main Boolean formula.
Conceptually, F encodes signal “vuln check” on Fig. 1. We
initialize the latches to 0, then in Line 4 and 6 add to F the
constraints ensuring the single-fault assumption. The for-loop
incrementally unrolls (Line 7) the transition relations of the
non-faulty and faulty circuits up to the length of the test, while
reading the test inputs. Lines 8–13 are specific to vulnerable
latches (we later change them for spurious alarms): we encode
that the outputs differ while the alarm is low, and use a SAT
solver to incrementally find all vulnerable latches (Lines 10–
13)). SAT(F∧A) denotes a SAT call: it returns 0 if the formula
is unsatisfiable, otherwise it returns a satisfying assignment
for variables f and c. On algorithm termination, vulnerable
contains vulnerable latches.
Algorithm 1 Searching for vulnerable latches
1: procedure FINDVULNERABLE(test case (i1, ..., im))
2: vulnerable := {}
3: set x1 and x1 to (0, ..., 0)
4: F :=
(
(
∑
i∈[n] ci) = 1
)
5: for s = 1 to m do
6: F ∧= ∧j<s(fs → ¬fj)
7: F ∧= T (xs, is, os, a, xs+1) ∧ ¬a∧
T

(xs, is, fs, c, o

s, a

s, x

s+1)
8: F ∧= ¬as
9: A := (os 6= os)
10: while (f , c) := SAT
(
F ∧A) do
11: vulnerable.add(i) with c[i] = 1 . i is unique
12: F ∧= ¬ci
13: end while
14: end for
15: end procedure
To search for spurious alarms, OpenSEA uses the modified
Algorithm 1 where lines 8–13 are replaced by
F ∧= (os = os) . outputs are equal
A := (xs+1 = x

s+1) ∧
∨
j≤s a

j . states converge, but
alarm is raised
while (f , c) := SAT
(
F ∧A) do
spurious.add(i) with c[i] = 1 . i is unique
F ∧= ¬ci
end while
On termination, the variable spurious contains the latches
whose faults can lead to spurious alarms (initially empty).
1) Implementation: We implemented these algorithms in
OpenSEA. The relevant to these checks tool’s arguments are:
• Circuit is in the AIGER format [17]. Optionally, you
can provide the environment assumptions circuit, which
purpose is to filter out traces not interesting for testing.
• Input test case is a file that contains input vectors. An
inputs value can be left open by writing “?”.
• OpenSEA supports several variations of the algorithms:
– stla: fault time and location are symbolic (Alg. 1),
– sta: only fault time is symbolic while latches are
enumerated in the for-loop
– sim (vulnerability only): enumeration of fault time
and location, and of symbolic inputs
– bdd (vulnerability only): Algorithm 1 using BDDs
• OpenSEA outputs: vulnerable latches (or latches causing
spurious alarms) and the witnessing traces
Fig. 2: Cactus plot. Detecting vulnerable latches: 3 concrete
test cases, 15 time steps. We used a subset of IWLS’02 and
IWLS’05 benchmarks, with added by us protection circuit.
The benchmarks have up to 10k latches.
Cactus plot in Fig. 2 shows how the algorithm variations
perform on tests with no open inputs, where, surprisingly, the
simulation approach is the fastest (in this experiment setup).
But the stla variation scales much better with the increasing
of open inputs: freeing inputs turned out to have almost no
effect on performance, while it exponentially increases the
simulation time. In the extreme of all inputs open: we com-
pared stla with model checking approach, where we created
the circuit in Fig. 1 and passed it to a model checker (BLIMC)
— they perform comparably. Also, with the increasing length
of test cases, the simulation approach scales linearly, while
stla roughly exponentially. Thus, the designer can choose the
appropriate algorithm variation depending on the tests at hand.
As for spurious alarms algorithm variants, stla and sta, the
first version performed several orders faster.
B. Searching for protected latches
A latch i is 1-step protected if the formula
T
(
(x1, ..., xi, ..., xn), i, o, a, x
′) ∧ ¬a
∧ T ((x1, ...,¬xi, ..., xn), i, o, a, x′)
∧ ¬a ∧ (o 6= o ∨ x′ 6= x′)
(1)
is unsatisfiable. Such a check means: no matter in which state
the circuit is and no matter which inputs are used, if latch i
flips its value, the error is either already gone in the next time
step and the outputs are equal, or the alarm is raised.
Some error-detection and correction methods may take more
than one clock cycle to raise an alarm or to recover, making
this check too conservative. Hence we similarly define a k-
protected latch by unrolling the transition relation for k steps.
Another source of over-conservativeness is that the check
allows the circuit to start from any state, including unreach-
able. We use formula approx to restrict the starting states x1:
for j ≥ 0,
approx(j) :=
(
j∧
i=1
T (xi−j , ii−j , oi−j , a, x(i−j)+1) ∧ ¬a
)
∨ x1 = reach(0, j)
where reach(0, j) encodes all states reachable from the initial
state 0 within j time steps, the term in parentheses encodes all
reachable states from any state after exactly j steps. Thus, in
Eq. 1 we can replace the starting states x by x1 and conjunct it
with approx(j). This way we can define a jk-protected latch
where j ≥ 0, k ≥ 1.
Algorithm 2 finds all jk-protected latches. It uses the above
two ideas, but instead of checking every latch, it checks them
all incrementally (this happened to be faster). This algorithm
starts by assuming that all latches are jk-protected. Line 4
encodes the single-fault assumption. Lines 5–7 encode whether
it is possible, without raising the alarm, to diverge the outputs
within k steps or the states at step k + 1. If yes, then the
SAT solver returns latch i which leads to divergent outputs
or states, and we exclude it from protected. We repeat this
until the formula becomes unsatisfiable, whereupon declare
the remaining latches jk-protected.
Algorithm 2 Searching for Protected Latches
1: procedure FINDPROTECTED(j ≥ 0, k ≥ 1)
2: protected := all latches
3: F := approx(j)
4: F ∧= f1 ∧
∧k
s=2 ¬fs ∧
(
(
∑
i∈[n] ci) = 1
)
5: F ∧= ∧ks=1 T (xs, is, os, as, xs+1) ∧ ¬as
6: F ∧= ∧ks=1 T (xs, is, fs, c, os, as, xs+1)
7: F ∧= (¬a1 ∧ o1 6= o1)
∨(¬a1 ∧ ¬a2 ∧ o2 6= o2)
∨ . . .
∨(¬a1∧ . . .∧¬ak ∧ (ok 6= ok ∨xk+1 6= xk+1))
8: while c := SAT(F ) do
9: protected.remove(i) with c[i] = 1 . i is unique
10: F ∧= ¬ci
11: end while
12: end procedure
1) Implementation: For searching protected latches,
OpenSEA accepts a circuit, numbers j and k. It does not
accept neither test cases nor an environment model. We
experimented with made-by-us triple module redundancy
adder, whose latches are 10-protected (thus, j = 1, k = 10).
Search of 10-protected latches took ≈ 100 times longer than
that of 1-protected latches.
IV. EXPERIMENTS ON INDUSTRIAL DESIGNS
We present preliminary OpenSEA experiments on circuits
from IBM microprocessor. We start with some preliminaries
definitions and then describe our experiments.
Macros: Large industrial designs are usually divided into
sub-components, called macros, and in many cases the pro-
tection logic spans over more than one macro. E.g., the parity
check may reside in one macro while the parity generation
resides in a neighboring macro. For example, in Fig. 3 the
parity generation associated with data bus D2 is performed in
a neighboring macro.
Gating: In high performance designs in majority of the cases
a fault has no effect on the application [18], since the affected
alarm 
non gated 
alarm 
output 
output 
8 
8 
0 
1 
1 bit parity 
1 bit parity 
0 
1 
8 
Parity
check 
1 bit parity 
parity 
gen 
1 bit parity 
D1 
D3 
D4 
D2 
D5 
mux 
D6 
c_enable input 
input 
input 
Fig. 3: Typical industrial circuit. Latches D1, D3, and D5 are
parity-protected in this macro, while parity generation for D2
and D4 is done externally and the result is given as the bottom
input. Signal mux is used to choose the data path between D1-
D3 and D2-D4, signal c enable is used to disable (to gate)
the alarm.
data will not be actually used. Thus, to avoid unnecessary
recoveries and also to save power, circuits include dedicated
logic to mask out the alarm signal when the relevant protected
data is not used. For example, in Fig. 3 the signal c enable
is used to disable the alarm when the output of D5 and of
D6 do not effect the application. We call such masking of the
alarm signal gating. This introduces an additional verification
challenge, since it is not sufficient to verify that a given
sequential element is protected, it is also required to verify
that it is not over gated—namely, that when ever it is gated it
indeed does not affect the output. In addition, it is desirable to
also detect spurious alarms—cases in which the alarm rises
even though the contaminated value will have no effect.
IBM has an internal tool, a preliminary version of which was
presented in [19], that is able to identify protected logic along
with relevant gating, using mix of functional, structural and
formal analysis. The tool reports which latches are protected
under which gating conditions, but it does not verify that the
gating conditions are proper and that there is no over gating
or under gating; detection of over gating given a functional
verification environment is presented in [18]. Thus, given the
results of that tool (which is executed anyway), adding the
results of OpenSEA provides the following additional insights:
• Vulnerable latches due to over gating: Latches that are
detected as protected by InsightER, but whose flipped
value propagates to the macro output due to over gating.
Such latches may cause silent data corruption.
• Latches causing spurious alarms: Latches for which the
alarm rises, although their flipped values do not propagate
to the macro output. Such latches may cause redundant
recoveries, impairing the circuit performance.
We run OpenSEA’s vulnerability and spurious alarms check
on 15 macros of varying functionality and sizes from 500 to
7k latches. All the experiments were finished within 30min.
We ran tests in which all inputs were kept open. The ad-
vantage of keeping the inputs open is that this way OpenSEA
can be executed as soon as there is a compiled RTL, and a
full functional simulation environment is not required. Table
I shows for a few macros the number of latches identified
by IBM’s tool as not-protected and also as vulnerable by
OpenSEA. This is mainly for validation of the new OpenSEA
technology—it demonstrates that OpenSEA indeed detects a
significant fraction of the not-protected latches.
not-protected (I) not-protected (I) ∧vulnerable (O)
162 119
32 19
1851 535
279 109
133 110
807 606
274 111
TABLE I: The number of latches found vulnerable by
OpenSEA (column “vulnerable (O)”) and not-protected by
InsightER (column “not-protected (I)”)
Table II presents the number of latches that are identified as
protected by IBM’s tool but as vulnerable by OpenSEA. From
a practical point of view, this table is significant since its con-
tent could indicate a bug in the circuit protection mechanism.
However, some of the detected cases are actually irrelevant:
cases in which the parity bit was generated externally and
passed as input and the vulnerability is due to an mismatching
value of this parity bit, which as input was left open. For these
cases the tool should be re-executed and analyzed in a larger
scope; also, environment assumptions supported by OpenSEA
could help to filter out such results. Thus, the last column
omits these cases and presents latches that have gating on the
way to the alarm and OpenSEA gives an indication that these
gating are over-gating. These cases indicate a potential bug
and should be reviewed by the design team, along with the
counter example provided by the tool.
protected (I) protected (I) ∧vulnerable (O)
protected (I) ∧
vulnerable (O) ∧
non-trivial
202 52 21
548 174 110
151 54 54
834 206 90
1932 208 199
104 27 4
615 80 26
1320 133 91
TABLE II: The number of latches found vulnerable by
OpenSEA (written “vulnerable (O)”) and protected by In-
sightER (written “protected (I)”)
In the second batch of experiments we used OpenSEA to
find spurious alarms. Namely, cases in which the alarm is
being raised even though the output is not being affected.
The results are in Table III. At first, we found many spurious
alarms. But many of them were irrelevant due to injecting
faults into protection circuit itself. OpenSEA allows one
to configure latches into which to inject faults. When we
excluded the latches of the protection circuit, the number
of spurious alarms dropped. Each case left is a potential
performance/power issue which may indicate that the existing
gating is not tight enough and should be improved. This
indication is not provided by IBM’s internal tool or by any
other tool we are familiar with.
protected (I) spurious alarm (O) spurious alarm (O)excl. protection logic
202 86 57
660 244 122
1932 4 4
2104 3 0
439 51 28
TABLE III: The number of latches whose faults can cause
spurious alarms found by OpenSEA (written “spurious alarm
(O)”) and protected by InsightER (written “protected (I)”). For
spurious alarms, we run OpenSEA only on the latches found
to be protected by InsightER.
Finally, Table IV presents the time consumption of
OpenSEA’s search algorithms for vulnerable latches and for
spurious alarms. Obviously, time consumption is very low.
# latches Time: searchingvulnerable latches
Time: searching
spurious alarms
434 7.45 sec. <1 sec.
582 9.65 sec. <1 sec.
590 9 sec. 1.84 sec.
7061 22 min. 23 sec. 2 min. 31 sec.
TABLE IV: Timings of OpenSEA algorithms
V. RELATED WORK
Fey, Frehse and Drechsler [14] classify components into (i)
vulnerable, (ii) protected, (iii) dangerous, and (iv) unknown.
To this end, they use a bounded model-checking based tech-
nique to compute the circuit robustness, which is the ratio of
the protected latches to all the latches. Furthermore, by under-
and over- approximating the reachable states they can compute
upper and lower bounds on the robustness. Our approach for
computing vulnerable and protected latches is very similar to
theirs. The differences are: (i) we can use real test cases, while
they consider only symbolic test cases, (ii) moreover, we study
the question of false alarms, (iii) furthermore, we introduce the
notion of “environment model” which is handy for checking
practical designs, (iv) in contrast, they study ATPG-based
algorithms and consider optimization “dominator”.
A year later, the same three authors together with Arbel and
Yorav in [15] proposed a more efficient approach to classify
the components. This time, they use interpolation for an over-
approximation of the reachable state space and compute fixed-
points. This way, only states that are relevant to the property
to prove are considered.
In 2006, Krautz et al. [16] proposed a way to evaluate the
coverage of error detection logic using BDDs. They used a
fault injection model similar to our BMC based approach in
which they compare a fault-free device with a faulty one. The
output of their fault injection model is defined by a property
checker that defines multiple properties by comparing primary
outputs of both circuit copies. A sequential equivalence check
of this circuit is performed up to a defined number of time
steps by creating a BDD representation. The number of input
combinations that make properties true are counted. Among
other properties, they count a property similar to our definition
of vulnerabilities and the number of injected faults. A coverage
is computed using these numbers.
Holcomb et al. [20] showed another way to compute the
failure in time rate by performing a system-level analysis.
In contrast to our algorithms, their methods rely on formal
specifications. Our approaches only need to know which
output is the alarm output.
In 2014, Arbel, Koyfman, Kudva and Moran published a
structural approach to detect parity-protected memory ele-
ments [19]. For this purpose, they first search for potential
error detection circuits and for latches that are potentially
protected by those using functional analysis. Afterwards, they
use SAT-calls to prove that these latches are indeed protected
by the parity net. The unique characteristic of their method is
that they analyze a circuit locally rather than looking at the
behavior of the entire system. Their method can be applied
whenever error checker latches are present, which is not
always the case though.
Finally, methods that systematically construct robust sys-
tems [21] might make our work and all methods to verify error
detection and error correction obsolete one day. However, as
long as these intelligent compilers are not yet perfect (if they
will ever be) verification of circuits will stay important.
VI. CONCLUSION
In this paper, we presented soft-error analysis framework
OpenSEA to find vulnerable latches, protected latches, and to
find spurious alarms. OpenSEA supports many variations of
the algorithms—SAT-based, BDD-based, and enumerative—
and many SAT solvers as a back end. The algorithms can
use symbolic, semi-symbolic, and concrete tests. In the exper-
iments, we run OpenSEA on industrial macros from IBM to
search for spurious alarms, vulnerable, and protected latches.
We explained why not all the bugs found are real and described
the OpenSEA features to avoid such spurious bugs. The
source code, benchmarks, and documentation can be found
at https://extgit.iaik.tugraz.at/scos/soft-error-analysis/.
ACKNOWLEDGMENT
This work was supported by the European Commission through
the project IMMORTAL (644905) and by the Austrian Science Fund
(FWF) through the research network RiSE (S11406-N23).
REFERENCES
[1] G. E. Moore, “Cramming More Components onto Integrated Circuits,”
Electronics, vol. 38, no. 8, pp. 114–117, Apr. 1965.
[2] T. J. O’Gorman, “The effect of cosmic rays on the soft error rate of a
dram at ground level,” IEEE Transactions on Electron Devices, vol. 41,
no. 4, pp. 553–557, Apr 1994.
[3] J. C. Pickel, “Effect of cmos miniaturization on cosmic-ray-induced error
rate,” IEEE Transactions on Nuclear Science, vol. 29, no. 6, pp. 2049–
2054, Dec 1982.
[4] J. F. Ziegler, “Terrestrial cosmic ray intensities,” IBM Journal of Re-
search and Development, vol. 42, no. 1, pp. 117–140, Jan 1998.
[5] R. Baumann, “Soft errors in advanced computer systems,” IEEE Des.
Test, vol. 22, no. 3, pp. 258–266, May 2005.
[6] N. D. P. Avirneni and A. Somani, “Low overhead soft error mitigation
techniques for high-performance and aggressive designs,” IEEE Trans-
actions on Computers, vol. 61, no. 4, pp. 488–501, April 2012.
[7] D. P. Siewiorek and R. S. Swarz, Reliable Computer Systems (3rd Ed.):
Design and Evaluation. Natick, MA, USA: A. K. Peters, Ltd., 1998.
[8] T. M. Austin, “Diva: A reliable substrate for deep submicron microar-
chitecture design,” in Microarchitecture, 1999. MICRO-32. Proceedings.
32nd Annual International Symposium on. IEEE, 1999, pp. 196–207.
[9] F. A. Bower, D. J. Sorin, and S. Ozev, “A mechanism for online
diagnosis of hard faults in microprocessors,” in Proceedings of the
38th annual IEEE/ACM International Symposium on Microarchitecture.
IEEE Computer Society, 2005, pp. 197–208.
[10] R. Hamming, “Error Detecting and Error Correcting Codes,” Bell System
Technical Journal, vol. 26, no. 2, pp. 147–160, 1950.
[11] T. M. Austin and V. Bertacco, “Deployment of better than worst-
case design: solutions and needs,” in 2005 International Conference on
Computer Design, Oct 2005, pp. 550–555.
[12] S. S. Mukherjee, C. Weaver, J. Emer, S. K. Reinhardt, and T. M. Austin,
“A systematic methodology to compute the architectural vulnerability
factors for a high-performance microprocessor,” in Proceedings of the
36th Annual IEEE/ACM International Symposium on Microarchitecture,
ser. MICRO 36, 2003, pp. 29–.
[13] P. Liden, P. Dahlgren, R. Johansson, and J. Karlsson, “On latching
probability of particle induced transients in combinational networks,” in
Fault-Tolerant Computing, 1994. FTCS-24. Digest of Papers., Twenty-
Fourth International Symposium on, June 1994, pp. 340–349.
[14] G. Fey, A. Sulflow, S. Frehse, and R. Drechsler, “Effective robustness
analysis using bounded model checking techniques,” IEEE Transactions
on Computer-Aided Design of Integrated Circuits and Systems, vol. 30,
no. 8, pp. 1239–1252, Aug 2011.
[15] S. Frehse, G. Fey, E. Arbel, K. Yorav, and R. Drechsler, “Complete
and effective robustness checking by means of interpolation,” in Formal
Methods in Computer-Aided Design, FMCAD 2012, Cambridge, UK,
October 22-25, 2012, 2012, pp. 82–90.
[16] U. Krautz, M. Pflanz, C. Jacobi, H. W. Tast, K. Weber, and H. T.
Vierhaus, “Evaluating coverage of error detection logic for soft errors
using formal methods,” in Proceedings of the Design Automation Test
in Europe Conference, vol. 1, March 2006, pp. 1–6.
[17] A. Biere, “Aiger format and toolbox.” [Online]. Available: http:
//fmv.jku.at/aiger/
[18] E. Arbel, E. Barak, B. Hoppe, S. Koyfman, U. Krautz, and S. Moran,
“Gating aware error injection,” in HVC, 2016, pp. 34–48.
[19] E. Arbel, S. Koyfman, P. Kudva, and S. Moran, “Automated detection
and verification of parity-protected memory elements,” in Proceedings
of the 2014 IEEE/ACM International Conference on Computer-Aided
Design, ser. ICCAD ’14, 2014, pp. 1–8.
[20] D. Holcomb, W. Li, and S. A. Seshia, “Design as you see fit: System-
level soft error analysis of sequential circuits,” in 2009 Design, Automa-
tion Test in Europe Conference Exhibition, April 2009, pp. 785–790.
[21] C. Zhao and S. Dey, “Improving transient error tolerance of digital vlsi
circuits using robustness compiler (roco),” in Proceedings of the 7th
International Symposium on Quality Electronic Design, ser. ISQED ’06,
2006, pp. 133–140.
