Abstract-As technology shrinks, critical industral applications have to be designed with special care. VLSI circuits become more sensitive to ambient radiation: it affects to the internal structures, combinational or sequential elements. The effects, known as Single Event Effects (SEEs), are modeled as spontaneous logical changes in a running netlist. They can be mitigated at netlist design level by means of inserting massive redundancy logic in the IC memory elements, as well as designing robust deadlock-free state machines. Current techniques for the analysis and verification of the protection logic for VLSI are inefficient and expensive, lacking either speed or analysis. This paper presents the FT-UNSHADES system. This system is a low cost emulator focused on bit-flip insertion and SEE analysis at hardware speed, based on a Xilinx Virtex-IT. Radiation tests are emulated in a highly controlled process, using a non-intrusive method. As a result the system can insert and analyse at least 80K faults per hour in a system with 2 million test vectors.
I. INTRODUCTION V LSI designs for critical industry applications like
Vautomotive, health support, aeronautics, and others have to consider new effects when they are implemented using nanometric technologies, like 90nm, 65nm or less. Ambient neutrons have enough energy to change the logic state of a logic gate or the state of a flip-flop . Although the probability for the phenomena is extremely low, the above applications are managed using large electronic silicon areas and widespread implemented into many applications. The impact of radiation particles can force transient changes in electronic structures that can modify their electrical states. One consequence is that internal flip-flops can spontaneously change their state (bit-flip). These errors are known as Single Event Upsets (SEUs) and they do not represent any physical damage to the circuit but produce an abnormal functioning (they a re also called soft errors). The typical techniques for improving circuit reliability are based on redundancy insertion. For example, Triple Modular Redundancy (TMR), triplicates every flip-flop and inserts a majority voter to resolve the actual state of the Flip-flop.
Another example is Error Detection and Correction (EDAC) subcircuit for memories. VLSI designs consequently grow in size with a factor of 3.2, and power consumption. Costs are increased design time and Non Recurring Engineering.
One solution reduce the impact of redundancy insertion is to search the hierarchical modules of the circuit that are critical for the global system and insert protections only to those sections. This technique is known as selective protection. A deep analysis of the circuit is then needed.
Several problems have been addressed in the introduction of redundancies [2] . The main problem comes from the essence of the synthesis tool, where the netlist is optimized for redundancy elimination, second, because the TMR is inserted manually without any restriction and verification. The tools for this latter purpose are too slow.
In space applications, tests are made by means of reproducing the out space environment using radiation chambers, testing the circuit "in system". Radiation effects are measured using a fully functional hardware system and faults are detected by I/0 comparison cycle-by-cycle between the tested system and a non ex-posed twin system. These techniques are expensive and non affordable for industry applications. Radiation effects analysis has been traditionally performed using simulators that work using a model of the effect, called bit-flip. The radiation environments are reproduced using fault-injection techniques. They are slow and need many trials to detect a weak FF [3] inserted using a read-modify-write strategy of the configuration memory of the FPGA. This scheme is an application of the previous experience UNSHADES-1 and UNSHADES-2 [6] [7] . This paper is organized as follows: first, we introduce to the SEU measurement problem. Next we describe the internals of the FT-UNSHADES solution. The fourth section describes the tools for producing testers and fifth section shows results of the FT-UNSHADES behavior.
II. SEU AS FAULT INSERTION PROBLEM The fault insertion problem is exposed in this section in order to achieve a solution for the implementation strategy. It is accepted that when energetic particles hit to sensitive areas of a digital circuit, it produces soft errors, that are equivalent to one or several bit-flips in the set of FFs (flipflops), changing the currently stored value at the same clock cycle of the impact. The state is corrupted and can be propagated to primary outputs, if the sequence of inputs drives the circuit to an unexpected behavior of its I/Os (primary input/outputs), this fault can cause a damage to the system. Another possibility is that the fault remains latent in the circuit without any effect to the system. The fault activity should be detected if the complete circuit state is compared with the theoretical state, at the end of the test cycle.
Reliability against radiation of a circuit depends on circuit architecture and the functionality which the circuit is designed for. Designers can protect every FF using redundancy techniques. Circuit protections increase the area and power consumption. It is desirable to select the critical FFs as candidates for being protected or guarantee that the complete circuit is reliable. In both cases the fault injection study has to be performed. Several Opposed to software approaches, tests performed by hardware emulators (eg. using FPGAs) are an attractive solution that allows speeding-up the tests. The main problem is that additional circuits have to be inserted during synthesis for hardware access to the FF contents. Additionally a poor analysis can be performed because the observability is oriented to external pin observation and little internal information is obtained.
The present approach is based on Xilinx Virtex technology. It has two unique features that can be exploited intensively for solving the problem. The first feature is called the capture and readback mechanism, described in [xx] , and provides a non intrusive way to observe the entire internal state without any design modification and overhead in time or resources. The second is that the configuration can be partially read and written. Using an adequate approach, it is possible to force the desired values into selected FFs whilst the rest of the system state remains constant.
A. FPGAs emulating a radiation test. Our study is made on a post-synthesis description of the design, being valid because an incremental synthesis tool is used for the design for test to. Other radiation upset effect such as latch-up is not covered as they must be protected by means of technological solutions and are out of the scope of this paper. The study is concentrated over the flip-flops, so the results can be referred to the VLSI circuit itself. 
B. FTUNSHADES hardwareframework
The framework has been designed in order to achieve a fully controlled test conditions. Because of the necessary readings and writings in the configuration memory, a Xilinx VirtexIl called the System FPGA (S-FPGA) has been selected to do all the workload. Within it, two versions of the MUT will play the role of the design ex-posed to radiation and the shielded version of the circuit. Outputs are compared cycle by cycle, to detect damage faults.
One important issue inside this scheme is time. Time is controlled in terms of clock cycles applied to both, faulty and gold emulations, which is obviously represented by a counter. In the same way, time is the way to address vectors stored in SRAM memory banks. When Tj is achieved for fault injection or a fault is detected, the circuit has to be frozen in order to perform the necessary internal manipulations in the configuration of the S-FPGA. In other words, clock has to be carefully stopped at a precise clock cycle and continued when the accesses are completed. A second FPGA (called C-FPGA) acts as a high performance link between system and computer. Both FPGAs are connected using the SelectMap port and receive from the PC data and commands through parallel or USB port. This scenario needs a highly controlled data transfer scheme between a host computer and the emulated system. A software tool is dedicated to decide which FF is candidate to receive a bit-flip, and the insertion time and fault effects.
C In terms of an RTL netlist the problem consists on deciding which FFs are candidates for being modified. Using the information contained in the bit allocation file (generated by Xilinx Design Flow), a relationship between the FFs logical name joined to its hierarchical path can be established with the layout location in the S-FPGA configuration. The knowledge of the hierarchical path allows the designer to concentrate the testing effort selectively into a subset of the FFs in the netlist.
The configuration frames that contain the information related to selected FF are read from the S-FPGA, modified to infer the desired state, and transferred into the S-FPGA. To avoid synchronization problems the clock signal must be frozen using a glitch free procedure. This procedure is directly controlled by the time counter, where the WHEN variable is defined. For 
and fault detection, but, bidirectional I/Os have potential contention if the input and output are mapped to the same pin, because there are two possibilities: * The fault is in the pin definition (eg.. in faulty it is defined as output and gold it is defined as input) * The fault is in the pin value. Figure 4 shows a schematic the solution adopted. In order to avoid a fail in the contention the outputs never drives memory pins and values are filtered using this circuit and storing in memory the theoretical values. Three extra pins are used to compare the bidirectional connected to two external resistors as depicted. When both signals are inputs, the comparator receives the same value, but if a fault is detected in the pin definition and/or the output value, then the comparator detects the discrepancy safely for the S-FPGA external pins. The test shell uses very little resources for control, equivalent to around 300 system gates, and as they work over resources that only control the clock no delay penalty over the system behaviour is introduced.
A. Preparation ofthe Design for Test Emulation
The most important issue for introducing such a system in a design flow is to avoid special requirements in the design. Figure 5 depicts (WHEN commands) can be han-dled in certain predefined windows. All possibilities can be mixed producing refined test method known as the HOW method.
* Post testing analysis tools. The fault dictionary has enough information for re-producing the test using a stepby-step method. A detailed analysis is possible, even using a waveform viewer.
A command line environment has been created for software services. Figure shows a scheme of the complete environment.
V. EXPERIMENTAL RESULTS
The actual system uses 80MHz crystal oscillator, and SFPGA is fed at 160MHz. The C-FPGA functions act as interface with PC links. The current version works over either EPP 1.9 (1.6MB/sec) or USB 2.0 high speed (1.5MB/sec). Let us assume that the DTE design works at 50MHz and uses 2 million of compressed test vectors.
A single fault injection needs at least 3 reading and writings of VirtexIl frames. For a VirtexIl XC2V6000, the size of a single frame is 984 bytes (this number changes if other VirtexIl device is soldered on the board). A bit-flip insertion therefore requires 40 microseconds. With these conditions 20.000 faults per second could be injected, obviously it's given on the basis that the circuit is robust for the faults, because in other case system halts when a fault is detected.
The system has also been tested using huge and complex benchmark circuits as Leon2 that can be found in [9] . Using different stimuli database the final fault rate has been that fault rate has been reduced to 200 faults per second. A detailed analysis of the system shows that the bottleneck is located in the communication link between the computer and the board.
The system can perform a detailed analysis of how an injected fault is propagated through the netlist. How it is affected until it reaches a primary output. Both, campaign and single fault analysis are supported in the same framework.
CONCLUSIONS
A new framework for fault tolerance measurement has been presented. Xilinx FPGA plays an essential role because of its partial readings and writings of the configuration circuit and the capture and readback scheme accelerates the bit-flip insertion and circuit analysis.
The framework has a software toolbox that allows fault tolerance measurement at any stage of the design. The test is 100% non intrusive, even a post synthesis model of the module under test can be the input of the system. No extra work is needed.
As future work more effort in characterization of the tool is needed. Secondly a study of where are the weaknesses of the technique should lead to an improvement of the tool performance. Finally a study for determine the size of the MUT in which the tool must be used.
