450 likes | 627 Views
CMP238: Projeto e Teste de Sistemas VLSI. Marcelo Lubaszewski Aula 3 - Teste PPGC - UFRGS 2005/I. Lecture 3 - Fault Simulation and Fault Injection. Fault simulation Fault simulation algorithms Serial Parallel Deductive Concurrent Random Fault Sampling Fault Injection ASIC FPGAs.
E N D
CMP238: Projeto e Teste de Sistemas VLSI Marcelo Lubaszewski Aula 3 - Teste PPGC - UFRGS 2005/I
Lecture 3 - Fault Simulation andFault Injection • Fault simulation • Fault simulation algorithms • Serial • Parallel • Deductive • Concurrent • Random Fault Sampling • Fault Injection • ASIC • FPGAs
Problem and Motivation • Fault simulation Problem: Given • A circuit • A sequence of test vectors • A fault model • Determine • Fault coverage - fraction (or percentage) of modeled faults detected by test vectors • Set of undetected faults • Motivation • Determine test quality and in turn product quality • Find undetected fault targets to improve tests
Fault simulator in a VLSI Design Process Verification input stimuli Verified design netlist Fault simulator Test vectors Modeled fault list Remove tested faults Test compactor Delete vectors Low Fault coverage ? Test generator Add vectors Adequate Stop
Fault Simulation Scenario • Circuit model: mixed-level • Mostly logic with some switch-level for high-impedance (Z) and bidirectional signals • High-level models (memory, etc.) with pin faults • Signal states: logic • Two (0, 1) or three (0, 1, X) states for purely Boolean logic circuits • Four states (0, 1, X, Z) for sequential MOS circuits • Timing: • Zero-delay for combinational and synchronous circuits • Mostly unit-delay for circuits with feedback
Fault Simulation Scenario (continued) • Faults: • Mostly single stuck-at faults • Sometimes stuck-open, transition, and path-delay faults; analog circuit fault simulators are not yet in common use • Equivalence fault collapsing of single stuck-at faults • Fault-dropping -- a fault once detected is dropped from consideration as more vectors are simulated; fault-dropping may be suppressed for diagnosis • Fault sampling -- a random sample of faults is simulated when the circuit is large
Fault Simulation Algorithms • Serial • Parallel • Deductive • Concurrent
Serial Algorithm • Algorithm: Simulate fault-free circuit and save responses. Repeat following steps for each fault in the fault list: • Modify netlist by injecting one fault • Simulate modified netlist, vector by vector, comparing responses with saved responses • If response differs, report fault detection and suspend simulation of remaining vectors • Advantages: • Easy to implement; needs only a simulator, less memory • Most faults, including analog faults, can be simulated
Serial Algorithm (Cont.) • Disadvantage: Much repeated computation; CPU time prohibitive for VLSI circuits • Alternative: Simulate many faults together Test vectors Fault-free circuit Comparator f1 detected? Circuit with fault f1 Comparator f2 detected? Circuit with fault f2 Comparator fn detected? Circuit with fault fn
Parallel Fault Simulation • Exploits inherent bit-parallelism of logic operations on computer words • Storage: one word per line for two-state simulation • Multi-pass simulation: Each pass simulates w-1 new faults, where w is the machine word length • Speed up over serial method ~ w-1 • Not suitable for circuits with timing-critical and non-Boolean logic
Parallel Fault Sim. Example Bit 0: fault-free circuit Bit 1: circuit with c s-a-0 Bit 2: circuit with f s-a-1 1 1 1 c s-a-0 detected 1 0 1 a 1 0 1 1 1 1 e b 1 0 1 c s-a-0 g 0 0 0 d s-a-1 f 0 0 1
Deductive Fault Simulation • One-pass simulation • Each line k contains a list Lk of faults detectable on k • Following simulation of each vector, fault lists of all gate output lines are updated using set-theoretic rules, signal values, and gate input fault lists • PO fault lists provide detection data • Limitations: • Set-theoretic rules difficult to derive for non-Boolean gates • Gate delays are difficult to use
Deductive Fault SimulationExample Notation: Lk is fault list for line k kn is s-a-n fault on line k Le = La U Lc U {e0} = {a0 , b0 , c0 , e0} {a0} 1 a {b0 , c0} 1 e 1 b 1 c {b0} g f 0 d Lg = (LeLf ) U {g0} = {a0 , c0 , e0 , g0} U {b0 , d0} {b0 , d0 , f1} Faults detected by the input vector
Concurrent Fault Simulation • Simulation of fault-free circuit and only those parts of the faulty circuit that differ in signal states from the fault-free circuit. • A list per gate containing copies of the gate from all faulty circuits in which this gate differs. List element contains fault ID, gate input and output values and internal states, if any. • All events of fault-free and all faulty circuits are implicitly simulated. • Faults can be simulated in any modeling style or detail supported in simulation (offers most flexibility.) • Faster than other methods, but uses most memory.
1 0 1 1 1 1 1 0 0 0 1 1 0 1 0 0 1 1 0 1 0 0 0 0 0 1 1 1 0 0 0 1 1 1 1 Conc. Fault Sim. Example a0 c0 e0 b0 0 1 1 0 0 0 0 0 1 1 a 1 1 e b 1 1 c g 1 0 0 e0 a0 c0 b0 f d b0 d0 f1 g0 d0 f1
1 0 1 1 0 1 1 0 0 0 1 0 1 0 0 1 0 1 0 1 0 1 1 0 0 0 1 0 0 1 1 1 Conc. Fault Sim. Example a0 c0 e0 b0 0 1 1 0 0 0 0 0 1 1 -> 0 a 1 -> 0 1->0 1->0 1 e b 1 1->0 1 c g 1 0 0 e0 a0 c0 b0 f d b0 d0 f1 g0 d0 f1
0 1 1 1 1 1 1 0 0 1 0 1 1 1 1 1 1 1 1 1 0 1 0 0 1 0 1 1 1 Conc. Fault Sim. Example a1 c0 e1 b0 1 1 1 1 0 0 1 0 0 1 a 1 1 e b 1 1 c g 1 0 0 b0 e1 f d d0 f1 a1 1 b0 1 d0 f1 g1 0
Fault Sampling • A randomly selected subset (sample) of faults is simulated. • Measured coverage in the sample is used to estimate fault coverage in the entire circuit. • Advantage: Saving in computing resources (CPU time and memory.) • Disadvantage: Limited data on undetected faults.
Motivation for Sampling • Complexity of fault simulation depends on: • Number of gates • Number of faults • Number of vectors • Complexity of fault simulation with fault sampling depends on: • Number of gates • Number of vectors
Random Sampling Model Detected fault Undetected fault All faults with a fixed but unknown coverage Random picking Np = total number of faults (population size) C = fault coverage (unknown) Ns = sample size Ns << Np c = sample coverage (a random variable)
Example A circuit with 39,096 faults has an actual fault coverage of 87.1%. The measured coverage in a random sample of 1,000 faults is 88.7%. The above formula gives an estimate of 88.7% 3%. CPU time for sample simulation was about 10% of that for all faults.
Fault Injection • ASIC (general) • performed by simulation or • emulation to speed up the process • FPGAs • directly into the bitstream
Fault Injection General: ASIC performed by simulation or emulation to speed up the process
core ... application [7] [5] [4] [0] Enable_registers clock Fault Injection Enable Signals time Pseudo-random number generator Fault mask reset location Reset_core bit Enable_memory Memory location 8-bit pseudo-random register Fault Injection Block Fault Injection Control Block • When should a fault be inserted? • Where should a fault be inserted?
mask Hamming Code FI_EN CLK RST FI_EN EN Hamming Decode Device Under Test Core Registers • Special paths are required in the high-level description to ensure the full controllability of a fault insertion. • No major performance penalties are observed ... mask FI_EN CLK RST FI_EN EN
WEA ENA RSTA CLKA ADDRA DIA Hamming Code DOA Hamming Decode WEA WEB ENB RSTB CLKB ADDRB DIB FI_enable_memory FI_memory location DOB mask Device Under Test Core Memory • Dual-port memories allows high flexibility with low extra logic. • Good fault model approximation: the faults can be injected in the memory at any time (all micro-controller states) without perturbing the normal operation. WEA ENA RSTA CLKA ADDRA DIA DOA WEA WEB ENB RSTB CLKB ADDRB DIB FI_enable_memory FI_memory location DOB mask
Monitor Block • Observability of an error in response of a fault injected in the DUT. • What is the best method to analyze the results? • Assumption: application results will be stored in the internal memory, implemented using BlockRam in the Virtex FPGA. • Two main tasks are performed by the monitor block: • Clear all the internal memory in order to avoid accumulation of faults; • Read all the internal memory to analyze if there is an error or not.
computer jtag clock Fault injection block reset Chipscope Analyzer Reset_core data error Fault injection Soft-core Monitor Block status Lost of sequence data “Golden” Soft-core Monitor Block status Virtex FPGA Fault Injection Platform • “Golden” chip approach was used to observe the faults in the system. • Comparing: • Data memory error • Application_end signal in the end lost of sequence.
Fault Injection Signals Reset Reset_MEM Clear_MEM Reset_DUT Read_MEM Application_end Clear Memory Application Read Memory Clear Memory Application Time range for Fault Injection Error Lost of sequence
Case Sudy: 8051 Fault Injection Experiment memory • Registers: Datapath, Control block, state machine (16 registers) • Memory: 256 bytes application memory (RAM) • 8051 Application: 6x6 Matrix Multiplication • Multiplication is performed by subsequent addition and left shift register. • According to the TIME: • fault in the memory location < 52h can generate an error or a lost of sequence. 0h 0Ah 0Bh 1Fh 2Fh 52h 53h 76h 100h variables…. 000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000 Matrix 1 Matrix 2 Matrix Result
Case Study: 8051 Fault Injection ExperimentVirtex Platform • The fault injection system and the (DUT) were implemented in Virtex FPGA platform. • Thousands of faults were injected in some seconds • The emulation in FPGA showed a ~120,000 times acceleration • Component: Virtex XCV300 - 240p • 8051-like micro-controller runs at 10 MHz • Fault injection Standard 8051 • 28 % LUTs • Fault injection Hardened 8051 • 30 % LUTs
Case Study: 8051 Fault Injection ExperimentChipscope Analyzer • Results of thousands of injected faults were analyzed in the computer by the Chipscope Analyzer software (ISE).
Fault Injection FPGAs (Directly into the bitstream)
Upset = bit-flip M M M M Introduction Digital designs synthesized in SRAM-based FPGAs are sensitive to upsets in the FPGA customization cells. Design Customization bits Synthesis …10101011110001101010… E1 E2 E1 E3 clk E2 E3 E1 E2 E1 E3 clk E2 E3 fault …10101011100001101010…
Motivation • A way to test the reliability of a (fault-tolerant) design is to perform fault injection, simulating the effects of SEUs, and see how the design responds • The estimated time for injecting one bit fault in a FPGA bitstream is around 1 to 3 seconds • The main steps of the fault injection are: • read the bit file • flip one bit • write the new bit file with the correct CRC • download it to the board by the SelectMAP configuration mode interface • check the output signal
Fault Injection Cost Analysis XCV300 Analysis CLB Rows x CLB Cols 32 x 48 Total of 1.536 CLBs 1.327.104 CLB Bits 31 days! Total of 470 CLBs Used 406.080 CLB Bits 9.5 days!
CLB View in the FPGA Editor Which bit in the bitstream correspond to the logic? Which bit in the bitstream correspond to this connection?
586 bits What does this bit do? Virtex Bitstream CLB BRAM IOB
CLB View in the FPGA Editor Which bit in the bitstream correspond to the logic? Bit: ?, frame:? Which bit in the bitstream correspond to this connection? Bit:?, frame: ?
CLBclass Tool CLB Map
SEUs Effects on FPGAs I Bit Flip in a Single Line bit: 03 frame: 29 Fault effect: - Open Circuit
SEUs Effects on FPGAs II Fault effect: - Open Circuit - Short Cut Circuit Bit Flip in a Hex Line Mux bit: 01 , frame:32
Fault InjectionTool used at Xilinx 3-modes Read: … 011001010101000001100001… step 1: load … 011000010101000001100001… step 2: load … 011001010101000001100001… step 3: reset flip-flops … 011001100101000001100001… Bitstream XCV300 240p (DUT) Error flag List of bits that cause error: Major Address, Frame, Byte Frame, Bit (bit location in the Bitstream) Bitstream: 1,663,200 bits
Responsible for the majority of the errors due to SEU - Open circuits combined to Short cut circuits Fault Injection Time Reduction One can choose where to inject the faults!! This can reduce the fault injection time.