The paper is organized as follows. In the succeeding section, the approach for calculating the degradation of the QoS within the system is explained which requires a reliability model. Next, the sensors are briefly discussed which monitor the environmental parameters determining the reliability behavior of the total system. Then, it is shown how the dependability of the health monitor sensors is guaranteed. Next, the possible repair / fault-avoidance options of IPs, health monitors and the required resources are discussed.
Our approach is completely different, and not restricted to certain reliability issues or digital circuits. It relates to environmental circumstances which are responsible for degrading reliability of an electrical integrated system and hence shorter life time.
The parameters concerned are currently, temperature (T), humidity (RH), pressure (P), power-supply overshoot, power dissipation (PS) and current density (I). It is however stressed that this is just an initial list and dependent on the application area of the system. It has no theoretical limitations, rather practical, e.g. computation time and model derivation.. The predicted lifetime II is of function of these parameters:
(1) II = F(T, RH, P, PS, I, ... )
II. ON-BoARD RELIABILITY PREDICTION
The idea of enhancing the dependability is accomplished in two ways. First, the reliability is calculated and monitored; depending on predefmed levels of QoS, it is decided to take action or not. Next, for instance electronic repair is possible via bypass and reconfigurability, which dramatically reduces the repair time and hence increases the availability.
This repair can also be tackled at higher hierarchical levels, by basically compensating using other wireless multi-sensor nodes for its poor behavior.
In literature, several approaches have been suggested for obtaining on-board reliability data. The most physical approach concerns specific reliability issues [2] - [4] , like gate oxide degradation, ESD damage, hot electron injection and electron migration. For these phenomena, special monitors have been designed on-chip in the past.
Another technique [5] , especially used in digital systems, monitors the number of bit errors (BER), for instance on busses, and relates the increased BER to decreased reliability and hence nearing end-of-life. The embedded software calculates the expected degradation of the system based on a reliability model and its guaranteed Quality-of-Service (QoS). If this trajectory exceeds a predefmed range, proper measures are taken.
The measures are two-fold. First a debug and possible repair action takes place of the health monitors by means of digitally-controlled stimuli and digital evaluation to ensure non-degraded input data. Self-calibration is explicitly used for this purpose. If this results in taking satisfactory measures for the monitors, then the system is alerted at a higher hierarchical level if the QoS of the system is endangered and repair can take place.
In this case, and certainly if total loss of QoS occurs, the nearest sensor poles are alerted via message hopping to intensify their sampling efforts, and the home node is alerted 978-1-4244-4617-9/09/$25.00 ©2009 IEEE I. INTRODUCTION W IRELESS sensor network poles for security monitoring under harsh environments require a very high dependability as they are safety-critical [1] . An example of a multi-sensor pole is shown in Fig. 1 . Crucial attribute in these systems for security, especially in harsh environment, is a high robustness and guaranteed availability during lifetime. This environment could include molest. In this paper, two approaches are used which are applied simultaneously but are developed in different projects.
First, the system uses its resident, or specially inserted, sensors for monitoring the environmental conditions which play a role with respect to reliability, which are sometimes referred to as health monitors. Among the physical quantities of importance are temperature, humidity and pressure. The health monitor data is periodically sampled and evaluated in the embedded digital signal processing (DSP) processors.
It is obvious that this relation can be complex for a system like the wireless multi-sensor pole. More parameters could result in more accurate estimations of the reliability / lifetime. A very basic approach is plainly building the system, and carrying out accelerated tests with the parameters varying on a number of systems. From this data the predicted lifetime can be calculated versus the range of parameters. Note that installed systems in the field will gradually improve the accuracy in equation (1) . It is stressed that there are a number of other approaches which are also possible. This reference data, in compressed form, can be stored in the system. It is subsequently compared with the calculations from the onboard system. Note that normal tolerances of the system have been incorporated; the choice on the threshold for taking measures is rather arbitrary and not highly critical, as most phenomena show a gradual decrease before total failure.
When the total system and anticipated environment are known, a partitioning can be made of the system, and reliability pre-analysis is carried out on the basis of this partitioning. This will reveal which parts in the system pose the highest reliability risks. In order to reduce the amount of reliability related hardware and software, as a fITst step, these high-risk blocks will be monitored on the relevant environment parameters concerned. This results, among other, in a dependable implementation scheme of the whole system including required health monitors. For the high-risk blocks, specific avoidance and repair actions are included which are dealt with in generic form in section V. As will be shown later on, the resolution of the measures is currently the Intellectual Property (IP) level in the System-on-Chip (SoC) case, and chip level in the System-in-Package (SiP) case.
As a consequence, dependable on-board health monitors are required in the system to provide input for the reliability evaluation. This is treated in the next paragraph.
III. HEALTH MONITORING SENSORS
Central in our approach is the monitoring of crucial parameters with respect to reliability / lifetime. For sensing temperature sensitive PN junctions can be used, but many other implementations are also available.
With regard to pressure, surface-micro machined MEMS can be used, e.g. combining a membrane with stress resistor sensors or capacitive readout [6] . For the relative humidity, a cantilever can be employed using porous polyimide which can absorb fluids [7] . There are also MEMS which combine all three in a single device [8] .
The overshoot and current density sensors are implemented in a standard manner using voltage references and comparators; the current sensor [9] is similar as the ones used for Iddq measurements.
The above sensors can be discrete, included in a SiP, or integrated in Silicon with other IPs. A major problem is usually drift in these devices due to aging, which can be corrected to some degree by electronics, like digital bias control.
actuatolB +I

Electronic System
Fig. 2.
Highly dependable SoC architecture, including reconfigurable spare parts and multi-cores.
However, it is stressed that a high accuracy is not a real issue for these health monitors. Figure 2 shows a set-up using external sensors and the anticipated hardware, including self calibrating ADCs and digital signal processing. The Built-In Self-Diagnosis (BISD) IP takes care for test generation of the proper signals; it uses primarily digital signals. Some other IPs feature reconfigurable repair (rec rep). The control processor (s), like ARM and MIPS, run the software for lifetime calculations and take care of reconfiguration for repair. The sensor interface, consisting of electronics for amplification, filtering and control, are often taken together with the sensors / health monitors. Because of their importance for the calculations, they are each redundant (aI, a2, a3).
IV. ON-BoARD TEST AND EVALUATION OF IPs AND HEALTH MONITORS
The test and evaluation of digital, mixed-signal and health monitors follow different paths. These will be discussed subsequently in the following.
A. Digital and Mixed-Signal IPs
-The digital IPs, more specifically the multi-core reconfigurable data processor (Fig. 2) is tested by a semideterministic structural digital hardware test generator and associated comparator. It basically looks at two or three chosen (identical) cores and compares their result on the fly. More details on this approach can be found in [10] .
-The mixed-signal parts, in particular data converters (ADC), receive on-board digital stimuli using different physical parameters (e.g. amplitude, offset and rise and fall times); subsequently DSP operations on the digital result data run on the embedded general-purpose (control) processors (Fig. 2) . The used reference data comes from comer pre-simulations, so basically a reference model is being stored. More details on this approach for ADCs can be found in [11] , [12] .
The big advantage of the regular IPs is that they operate in the electrical domain. This is of course not the case for the health monitors which usually operate in another domain (e.g. temperature, pressure). Hence, the approach is more complicated, as will be shown below.
One can also make use of integrated domain converters (electrical-to-domain) in the sensors which are more and more used to enable BIST [13] ; a well known example is accelerometers (voltage-to-displacement). For instance in a pressure sensor, a digitally-controlled heater resistor is used to bend a membrane, thus emulating several different (reference) pressures. Its (digital) response is subsequently compared in a lookup table, which stores the original acceptable ranges; possible differences are then the source for calibration, or in worst-case starting up a bypass and replacement operation.
As our system relies on the environmental sensors they should be fault-free, including avoiding drift. The selfcalibration hardware is explicitly used for this purpose [16] . As explained earlier, digital stimuli are used, as previously described for testing ADCs [11] , [12] . This Infrastructural IP (lIP), like a Digital Test Generator (DTG) and Digital Compare Evaluator (DCE) has to be part of the system. Fig. 3 gives an impression of the anticipated hardware involved in the case of a SiP implementation. This enables a low-cost combination of MEMS and digital and mixed-signal electronics. It uses fault-tolerant busses and IEEE 1149.4 Mixed-Signal Boundary-Scan (MSBS) hardware. The DTG as well as the DCE are actually included in the BISD lIP block shown in Fig. 2 .
B. Health Monitors
The complexity of testing and evaluating/comparing health monitors heavily depends on the nature of their physical domain. In our approach we also include the signalconditioning electronics in the health monitors. The last stage is normally an ADC, hence providing digital output data.
Test generation of health monitors (for instance for the purpose of self-calibration) can be accomplished in a straight-forward way by applying the relevant physical quantity (e.g. temperature) in the vicinity of the monitor. It is obvious that if one wants to have control over this quantity, one should generate or emulate this quantity internally (domain converter), preferably in a digital way. For some quantities, like pressure and temperature, this is relatively easy (electrical-to-power-to-temperature / pressure) [13] . It has also been shown before, that electrical digital stimuli can evaluate the status of e.g. MEMS [14] , [13] .
-Evaluation is mostly based on comparisons which are carried out in the electrical domain, requiring either:
1. a duplicate (or array) of the health monitor as a reference (domain-to-electrical converter) 2. a separate or integrated reference electrical-todomain converter 3. a stored compact reference model.
As the sensors are crucial in our approach for dependability, normally a duplicate or even an array of sensors is used. For catastrophic faults, a direct electrical comparison can be made in this case, based on a simple range comparator (comer pre-simulation min, max fault-free). In the case no duplicates are present, options two and three are possible, and after detection of a non-repairable failure, the software can be alerted to skip that particular environmental parameter from the reliability prediction calculations.
In the case of more subtle parametric faults, like drift, the previous approach is questionable. Several alternate methods have been suggested for activation and subsequent evaluation, like bias super positioning [15] . 
v. SEVERAL A VOIDANCE AND REPAIR OPTIONS
The partitioning of the system is also of crucial importance for the possible avoidance or repair measures. For repair, basically redundant IP blocks are used, as this is the level of avoidance/repair currently. Although not common in analogue and mixed-signal (MS), often the area involved here is usually a small portion « 15%) of the total silicon area and hence redundancy could be allowed in highly dependable systems. In the digital world, redundancy is certainly not alien, as memories and increasingly processors already include redundancy, even in regular products.
In the case of multi-core processors, for instance, already a complete flow of hardware and software has been developed [10] for increasing the dependability via high-level fault diagnosis and run-time mapping reconfiguration. It involves basically on-chip structural testing, subsequent isolation of a faulty processor and replacement by a redundant processor. Directly related to the speed of (electronic) repair is the down time, which directly relates to the dependability attribute "availability".
Important difference in our current approach in this paper is that fITst the IP does not necessarily has to completely fail before action is taken. Second, if an IP deteriorates more than anticipated as provided by the health monitors and the lifetime prediction model, action can be taken in the framework of fault avoidance instead of replacement.
In the case of a digital IP, for instance, the supply voltage can be reduced and/or the clock frequency lowered. An alternative option is to adapt / change the software running on a block (work load), essentially resulting in the reduction of the number of electronic transitions.
Although less straight-forward, this generic approach can also be applied to analogue / mixed-signal IPs. Similar to the digital case, e.g. power-supply reduction increases the lifetime, but will often result in a reduction of performance, like smaller gain, less resolution, or decreased bandwidth. Simulation can provide sufficient information which decrease of QoS is still acceptable in the system.
In most cases, the avoidance and repair actions will be taken care of by embedded software, running on internal general processors like ARM and MIPS (Fig. 2) ; it will digitally control e.g. routing or voltage regulators, PLLs and digitally controlled bias circuits.
It is obvious that the avoidance scenario is much more sophisticated and requires significantly more logistics than the conventional fault detection and bypass and replacement of faulty blocks. However, adaptive fault avoidance is the next logical step in the development of highly dependable systems.
VI. CONCLUSIONS
This paper has discussed an advanced concept for highly dependable wireless sensor network poles for security under harsh environments. It incorporates inherent sensor health monitors which monitor the environment which are crucial for its reliability.
This data is used to predict the degradation of the reliability / lifetime of the total system via embedded software. This requires the modeling of the reliability of the system under these parameters. Furthermore, the health monitors are monitored on their tum via periodic digital tests employing their self calibration hardware to guarantee their dependability.
Based on this information, several dependability scenarios for the system can be applied, ranging from changing supply voltages and frequencies of functional blocks, to changing locally embedded software to reduce activity, to self calibration and replacement of blocks.
The complete flow heavily depends on massive embedded computer power and embedded software as well as dedicated digital hardware for test generation and evaluation.
