Radiation Hardened System Design with Mitigation and Detection in FPGA

Sandberg, Hampus

January 2016

FPGAs are attractive devices as they enable the designer to make changes to the system during its lifetime. This is important in the early stages of development when all the details of the final system might not be known yet. In a research environment like at CERN there are many FPGAs used for this very reason and also because they enable high speed communication and processing. The biggest problem at CERN is that the systems might have to operate in a radioactive envi- ronment which is very harsh on electronics. ASICs can be designed to withstand high levels of radiation and are used in many places but they are expensive in terms of cost and time and they are not very flexible. There is therefore a need to understand if it is possible to use FPGAs in these places or what needs to be done to make it possible. Mitigation techniques can be used to avoid that a fault caused by radiation is disrupting the system. How this can be done and the importance of under- standing the underlying architecture of the FPGA is discussed in this thesis. A simulation tool used for injecting faults into the design is proposed in order to verify that the techniques used are working as expected which might not always be the case. The methods used during simulation which provided the best protec- tion against faults is added to a system design which is implemented on a flash based FPGA mounted on a board. This board was installed in the CERN Proton Synchrotron for 99 days during which the system was continuously monitored. During this time 11 faults were detected and the system was still functional at the end of the test. The result from the simulation and hardware test shows that with reasonable effort it is possible to use commercially available FPGAs in a radioactive environment.

FPGA

radiation

TMR

fault mitigation

fault injection

fault detection

Fault mitigation strategies for reliable FPGA architectures / Stratégies de tolérance aux fautes pour des architecture fiables de circuits reconfigurables

Basheer Ahmed, Chagun Basha

31 March 2016

Les circuits reconfigurables (Field Programmable Gate Arrays - FPGAs) sont largement utilisés dans divers domaines d'application en raison de leur flexibilité, de leur haute densité d'intégration, de leur niveau de performance et du faible coût de développement associé. Toutefois, leur grande sensibilité aux défauts dus aux rayonnements électromagnétiques tels que les "Single Event Effets" (SEE), est un défi qui doit être abordée pendant la conception du système. Ces SEE sont une préoccupation majeure dans la sécurité et pour les systèmes critiques tels que les systèmes de l'automobile et de l'avionique. En général, la plupart des FPGA d'aujourd'hui ne sont pas conçus pour fonctionner dans ces environnements difficiles, sauf pour les circuits spécifiques qui ont été durcies par construction au niveau du processus de fabrication. Ces circuits ont un surcoût très élevé et des performances moindres, ce qui les rend moins intéressant que leur équivalent non protégé. Le projet ARDyT vise à développer une architecture FPGA fiable à faible coût avec une suite d'outils de conception, offrant un environnement complet pour la conception d'un système tolérant aux fautes. Ce travail de thèse présente l'architecture du FPGA ARDyT, qui intègre des stratégies de prises en charge des fautes adaptées aux différents éléments de l'architecture. L'un des principaux objectifs du projet ARDyT est de gérer les changements de valeurs multiples (multi bit upsets (MBUs)) dans le flux binaire de configuration du FPGA. Ces stratégies de tolérance aux fautes pour protéger les ressources logiques et le flux binaire de configuration sont discutées en détail. Une architecture spécifique du bloc logique élémentaire configurable est proposée afin de simplifier la stratégie de prise en compte des fautes dans les ressources logiques. Un nouveau système de correction d'erreur intégrée (3-Dimensional Hamming - 3DH) est proposé pour gérer les MBU dans le flux binaire de configuration. L'ensemble de la stratégie de gestion des fautes est implémenté dans l'architecture au travers d'un manager de la fiabilité centralisée nommée R3M (Run-time Reconfigurable Resource Manager), et d'une suite d'outils adaptée. / Reconfigurable Field Programmable Gate Arrays (FPGAs) are extensively employed in various application domains due to their flexibility, high-density functionality, high performance and low-cost development compared to ASICs (Application Specific Integrated Circuits). However, the challenge that must be tackled during system design is their high susceptibility to the radiation induced faults such as Single Event Effects (SEEs). These radiation induced faults are a major concern in safety and mission critical systems such as automotive and avionics systems. In general, most of today’s COTS FPGAs are not designed to work under these harsh environments, except for specific circuits that have been radiation-hardened at the fabrication process level, but at a very high cost overhead, which makes them less interesting from an economic and performance point of view. The project ARDyT is aimed to develop a low-cost reliable FPGA architecture with supporting EDA tool-suite that offers a complete environment for a fault tolerant system design. This thesis work presents the proposed ARDyT FPGA architecture, which incorporates appropriate fault mitigation strategies at different levels. One of the main objectives of ARDyT project is to handle multi-bit upsets (MBUs) in the configuration bistream. Fault mitigation strategies to protect logic resources and configuration bitstream are discussed in detail. A fault-aware customized configurable logic block architecture is proposed to support logic resource fault mitigation strategy. A new built-in 3-Dimensional Hamming (3DH) error correcting scheme is proposed to handle MBUs in the configuration bitstream. The additional features introduced in this architecture ensure complete reliability with the help of centralized reliability manager named R3M (Run-time Reconfigurable Resource Manager), corresponding tool-suite and increased flexibility in the design.

Architecture à tolérance de faute

FPGA

Fiabilité

FPGA

Reconfigurable architectures

Reliability

Fault-Mitigation

Fault Attacks on Embedded Software: New Directions in Modeling, Design, and Mitigation

Yuce, Bilgiday

16 January 2018

This research investigates an important class of hardware attacks against embedded software, which uses fault injection as a hacking tool. Fault attacks use well-chosen, targeted fault injection combined with clever system response analysis to break the security of a system. In case of a fault attack on embedded software, faults are injected into the underlying processor hardware and their effects are observed in the executed software's output. This introduces an additional difficulty in mitigation of fault attack risk. Designing efficient countermeasures requires first understanding software, instruction-set, and hardware level components of fault attacks, and then, systematically addressing the vulnerabilities at each level. This research first proposes an instruction fault sensitivity model to capture effects of fault injection on embedded software. Based on the instruction fault sensitivity model, a novel fault attack method called MAFIA (Micro-architecture Aware Fault Injection Attack) is also introduced. MAFIA exploits the vulnerabilities in multiple abstraction layers. This enables an adversary to determine best points to attack during the execution as well as pinpoint the desired fault effects. It has been shown that MAFIA breaks the existing countermeasures with significantly fewer fault injections than the traditional fault attacks. Another contribution of the research is a fault attack simulator, MESS (Micro-architectural Embedded System Simulator). MESS enables a user to model hardware, instruction-set, and software level components of fault attacks in a simulation environment. Thus, software designers can use MESS to evaluate their programs against several real-world fault attack scenarios. The final contribution of this research is the fault-attack-resistant FAME (Fault-attack Aware Microprocessor Extensions) processor, which is suited for embedded, constrained systems. FAME combines fault detection in hardware and fault response in software. This allows low-cost, performance-efficient, flexible, and backward-compatible integration of hardware and software techniques to mitigate fault attack risk. FAME has been designed as an architectural concept as well as implemented as a chip prototype. In addition to protection mechanisms, the chip prototype also includes fault injection and analysis features to ease fault attack research. The findings of this research indicate that considering multiple abstraction layers together is essential for efficient fault attacks, countermeasures, and evaluation techniques. / Ph. D.

Embedded Systems

Fault Attacks

Countermeasures

Fault Models

Fault Simulation

Fault Mitigation

Duplicate with Choose: Using Statistics for Fault Mitigation

Anderson, Jon-Paul

01 June 2016

This dissertation presents a novel technique called duplicate with choose (DWCh) which is a modification of the fault detection technique duplicate with compare (DWC). DWCh adds a smart decider block to DWC that monitors the duplicated circuits and decides which circuit is fault free when a fault occurs. If chosen correctly, DWCh is able to mask faults at a lower cost than conventional techniques like TMR.This dissertation derives reliability expressions for DWCh showing that under ideal conditions its reliability exceeds the most commonly used fault masking technique for spacecraft, triple modular redundancy. For non-ideal conditions, DWCh provides a lower cost alternative than TMR but with lower reliability as well. Three types of DWCh smart deciders were developed for use with digital communications receivers. The first type used histograms as the statistical basis for the decider. The second type made use of moments for decision. The third type, although not generally applicable to other systems, used a signal common to communications receivers with excellent results. The communications receivers were subjected to hardware fault injection to gather datastreams affected by real world faults. The captured datastreams were used with Simulink models of the different deciders to quantify their performance and discover how a practical implementation of DWCh differs from the theoretical model. The increase in mean time to failure for DWCh when compared to simplex ranged from 20x to 130x depending on the specific smart decider tested.

reliability

fault mitigation

fault injection

concurrent error detection

DWC

DWCh

FPGA

Electrical and Computer Engineering

Engineering

New Fault Detection, Mitigation and Injection Strategies for Current and Forthcoming Challenges of HW Embedded Designs

Espinosa García, Jaime

03 November 2016

[EN] Relevance of electronics towards safety of common devices has only been growing, as an ever growing stake of the functionality is assigned to them. But of course, this comes along the constant need for higher performances to fulfill such functionality requirements, while keeping power and budget low. In this scenario, industry is struggling to provide a technology which meets all the performance, power and price specifications, at the cost of an increased vulnerability to several types of known faults or the appearance of new ones. To provide a solution for the new and growing faults in the systems, designers have been using traditional techniques from safety-critical applications, which offer in general suboptimal results. In fact, modern embedded architectures offer the possibility of optimizing the dependability properties by enabling the interaction of hardware, firmware and software levels in the process. However, that point is not yet successfully achieved. Advances in every level towards that direction are much needed if flexible, robust, resilient and cost effective fault tolerance is desired. The work presented here focuses on the hardware level, with the background consideration of a potential integration into a holistic approach. The efforts in this thesis have focused several issues: (i) to introduce additional fault models as required for adequate representativity of physical effects blooming in modern manufacturing technologies, (ii) to provide tools and methods to efficiently inject both the proposed models and classical ones, (iii) to analyze the optimum method for assessing the robustness of the systems by using extensive fault injection and later correlation with higher level layers in an effort to cut development time and cost, (iv) to provide new detection methodologies to cope with challenges modeled by proposed fault models, (v) to propose mitigation strategies focused towards tackling such new threat scenarios and (vi) to devise an automated methodology for the deployment of many fault tolerance mechanisms in a systematic robust way. The outcomes of the thesis constitute a suite of tools and methods to help the designer of critical systems in his task to develop robust, validated, and on-time designs tailored to his application. / [ES] La relevancia que la electrónica adquiere en la seguridad de los productos ha crecido inexorablemente, puesto que cada vez ésta copa una mayor influencia en la funcionalidad de los mismos. Pero, por supuesto, este hecho viene acompañado de una necesidad constante de mayores prestaciones para cumplir con los requerimientos funcionales, al tiempo que se mantienen los costes y el consumo en unos niveles reducidos. En este escenario, la industria está realizando esfuerzos para proveer una tecnología que cumpla con todas las especificaciones de potencia, consumo y precio, a costa de un incremento en la vulnerabilidad a múltiples tipos de fallos conocidos o la introducción de nuevos. Para ofrecer una solución a los fallos nuevos y crecientes en los sistemas, los diseñadores han recurrido a técnicas tradicionalmente asociadas a sistemas críticos para la seguridad, que ofrecen en general resultados sub-óptimos. De hecho, las arquitecturas empotradas modernas ofrecen la posibilidad de optimizar las propiedades de confiabilidad al habilitar la interacción de los niveles de hardware, firmware y software en el proceso. No obstante, ese punto no está resulto todavía. Se necesitan avances en todos los niveles en la mencionada dirección para poder alcanzar los objetivos de una tolerancia a fallos flexible, robusta, resiliente y a bajo coste. El trabajo presentado aquí se centra en el nivel de hardware, con la consideración de fondo de una potencial integración en una estrategia holística. Los esfuerzos de esta tesis se han centrado en los siguientes aspectos: (i) la introducción de modelos de fallo adicionales requeridos para la representación adecuada de efectos físicos surgentes en las tecnologías de manufactura actuales, (ii) la provisión de herramientas y métodos para la inyección eficiente de los modelos propuestos y de los clásicos, (iii) el análisis del método óptimo para estudiar la robustez de sistemas mediante el uso de inyección de fallos extensiva, y la posterior correlación con capas de más alto nivel en un esfuerzo por recortar el tiempo y coste de desarrollo, (iv) la provisión de nuevos métodos de detección para cubrir los retos planteados por los modelos de fallo propuestos, (v) la propuesta de estrategias de mitigación enfocadas hacia el tratamiento de dichos escenarios de amenaza y (vi) la introducción de una metodología automatizada de despliegue de diversos mecanismos de tolerancia a fallos de forma robusta y sistemática. Los resultados de la presente tesis constituyen un conjunto de herramientas y métodos para ayudar al diseñador de sistemas críticos en su tarea de desarrollo de diseños robustos, validados y en tiempo adaptados a su aplicación. / [CAT] La rellevància que l'electrònica adquireix en la seguretat dels productes ha crescut inexorablement, puix cada volta més aquesta abasta una major influència en la funcionalitat dels mateixos. Però, per descomptat, aquest fet ve acompanyat d'un constant necessitat de majors prestacions per acomplir els requeriments funcionals, mentre es mantenen els costos i consums en uns nivells reduïts. Donat aquest escenari, la indústria està fent esforços per proveir una tecnologia que complisca amb totes les especificacions de potència, consum i preu, tot a costa d'un increment en la vulnerabilitat a diversos tipus de fallades conegudes, i a la introducció de nous tipus. Per oferir una solució a les noves i creixents fallades als sistemes, els dissenyadors han recorregut a tècniques tradicionalment associades a sistemes crítics per a la seguretat, que en general oferixen resultats sub-òptims. De fet, les arquitectures empotrades modernes oferixen la possibilitat d'optimitzar les propietats de confiabilitat en habilitar la interacció dels nivells de hardware, firmware i software en el procés. Tot i això eixe punt no està resolt encara. Es necessiten avanços a tots els nivells en l'esmentada direcció per poder assolir els objectius d'una tolerància a fallades flexible, robusta, resilient i a baix cost. El treball ací presentat se centra en el nivell de hardware, amb la consideració de fons d'una potencial integració en una estratègia holística. Els esforços d'esta tesi s'han centrat en els següents aspectes: (i) la introducció de models de fallada addicionals requerits per a la representació adequada d'efectes físics que apareixen en les tecnologies de fabricació actuals, (ii) la provisió de ferramentes i mètodes per a la injecció eficient del models proposats i dels clàssics, (iii) l'anàlisi del mètode òptim per estudiar la robustesa de sistemes mitjançant l'ús d'injecció de fallades extensiva, i la posterior correlació amb capes de més alt nivell en un esforç per retallar el temps i cost de desenvolupament, (iv) la provisió de nous mètodes de detecció per cobrir els reptes plantejats pels models de fallades proposats, (v) la proposta d'estratègies de mitigació enfocades cap al tractament dels esmentats escenaris d'amenaça i (vi) la introducció d'una metodologia automatitzada de desplegament de diversos mecanismes de tolerància a fallades de forma robusta i sistemàtica. Els resultats de la present tesi constitueixen un conjunt de ferramentes i mètodes per ajudar el dissenyador de sistemes crítics en la seua tasca de desenvolupament de dissenys robustos, validats i a temps adaptats a la seua aplicació. / Espinosa García, J. (2016). New Fault Detection, Mitigation and Injection Strategies for Current and Forthcoming Challenges of HW Embedded Designs [Tesis doctoral no publicada]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/73146 / TESIS

Fault tolerance

Fault injection

Error detection

Fault mitigation

Fault recovery

Fugacious faults

FALLES

CODESH

Estudo de falhas transientes e técnicas de tolerância a falhas em conversores de dados do tipo SAR baseados em redistribuição de carga

Lanot, Alisson Jamie Cruz

January 2014

Conversores A/D do tipo aproximações sucessivas (SAR) baseados em redistribuição de carga são frequentemente utilizados em aplicações envolvendo a aquisição de sinais, principalmente as que exigem um baixo consumo de área e energia e boa velocidade de conversão. Esta topologia está presente em diversos dispositivos programáveis comerciais, como também em circuitos integrados de propósito geral. Tais dispositivos, quando expostos a ambientes suscetíveis a radiação, como é o caso de aplicações espaciais, estão sujeitos à colisão com partículas capazes de ionizar o silício. Estes podem causar falhas temporárias, como um efeito transiente, uma inversão de bit em um elemento de memória, ou até mesmo danos permanentes no circuito. Este trabalho visa descrever o comportamento do conversor SAR baseado em redistribuição de carga após a ocorrência de efeitos transientes causados por radiação, por meio de simulação SPICE. Tais efeitos podem causar falhas nos componentes da topologia: chaves, lógica de controle e comparador. Estes são propagados por todo o estágio de conversão, devido à sua característica sequencial de conversão. Por fim, uma discussão sobre as possíveis técnicas de mitigação de falhas para esta topologia é apresentada. / Successive Approximation Register (SAR) Analog to Digital Converters (ADCs) based on charge redistribution are frequently used in data acquisition systems, especially those requiring low power and low area, and good conversion speed. This topology is present on several mixed-signal programmable devices. These devices, when exposed to harsh environments, such as radiation, which is the case for space applications, are prone to Single Event Effects (SEEs). These effects may cause temporary failures, such as transient effects or memory upsets or even permanent failures on the circuit. This work presents the behavior of this type of converter after the occurrence of a transient fault on the circuit, by means of SPICE simulations. These transient faults may cause an inversion on the conversion due to a transient on the control logic of the switches, or a charge or discharge of the capacitors when a transient occur on the switches, as well as a failure on the comparator, which may propagate to the remainder stages of conversion, due to the sequential nature of the converter. A discussion about the possible fault mitigation techniques is also presented.

Conversor analogico/digital

Circuitos integrados

Analog to digital converters

Successive approximation register

Single event effects

Single event transients

Fault mitigation techniques

Estudo de falhas transientes e técnicas de tolerância a falhas em conversores de dados do tipo SAR baseados em redistribuição de carga

Lanot, Alisson Jamie Cruz

January 2014

Conversores A/D do tipo aproximações sucessivas (SAR) baseados em redistribuição de carga são frequentemente utilizados em aplicações envolvendo a aquisição de sinais, principalmente as que exigem um baixo consumo de área e energia e boa velocidade de conversão. Esta topologia está presente em diversos dispositivos programáveis comerciais, como também em circuitos integrados de propósito geral. Tais dispositivos, quando expostos a ambientes suscetíveis a radiação, como é o caso de aplicações espaciais, estão sujeitos à colisão com partículas capazes de ionizar o silício. Estes podem causar falhas temporárias, como um efeito transiente, uma inversão de bit em um elemento de memória, ou até mesmo danos permanentes no circuito. Este trabalho visa descrever o comportamento do conversor SAR baseado em redistribuição de carga após a ocorrência de efeitos transientes causados por radiação, por meio de simulação SPICE. Tais efeitos podem causar falhas nos componentes da topologia: chaves, lógica de controle e comparador. Estes são propagados por todo o estágio de conversão, devido à sua característica sequencial de conversão. Por fim, uma discussão sobre as possíveis técnicas de mitigação de falhas para esta topologia é apresentada. / Successive Approximation Register (SAR) Analog to Digital Converters (ADCs) based on charge redistribution are frequently used in data acquisition systems, especially those requiring low power and low area, and good conversion speed. This topology is present on several mixed-signal programmable devices. These devices, when exposed to harsh environments, such as radiation, which is the case for space applications, are prone to Single Event Effects (SEEs). These effects may cause temporary failures, such as transient effects or memory upsets or even permanent failures on the circuit. This work presents the behavior of this type of converter after the occurrence of a transient fault on the circuit, by means of SPICE simulations. These transient faults may cause an inversion on the conversion due to a transient on the control logic of the switches, or a charge or discharge of the capacitors when a transient occur on the switches, as well as a failure on the comparator, which may propagate to the remainder stages of conversion, due to the sequential nature of the converter. A discussion about the possible fault mitigation techniques is also presented.

Conversor analogico/digital

Circuitos integrados

Analog to digital converters

Successive approximation register

Single event effects

Single event transients

Fault mitigation techniques

Estudo de falhas transientes e técnicas de tolerância a falhas em conversores de dados do tipo SAR baseados em redistribuição de carga

Lanot, Alisson Jamie Cruz

January 2014

Conversores A/D do tipo aproximações sucessivas (SAR) baseados em redistribuição de carga são frequentemente utilizados em aplicações envolvendo a aquisição de sinais, principalmente as que exigem um baixo consumo de área e energia e boa velocidade de conversão. Esta topologia está presente em diversos dispositivos programáveis comerciais, como também em circuitos integrados de propósito geral. Tais dispositivos, quando expostos a ambientes suscetíveis a radiação, como é o caso de aplicações espaciais, estão sujeitos à colisão com partículas capazes de ionizar o silício. Estes podem causar falhas temporárias, como um efeito transiente, uma inversão de bit em um elemento de memória, ou até mesmo danos permanentes no circuito. Este trabalho visa descrever o comportamento do conversor SAR baseado em redistribuição de carga após a ocorrência de efeitos transientes causados por radiação, por meio de simulação SPICE. Tais efeitos podem causar falhas nos componentes da topologia: chaves, lógica de controle e comparador. Estes são propagados por todo o estágio de conversão, devido à sua característica sequencial de conversão. Por fim, uma discussão sobre as possíveis técnicas de mitigação de falhas para esta topologia é apresentada. / Successive Approximation Register (SAR) Analog to Digital Converters (ADCs) based on charge redistribution are frequently used in data acquisition systems, especially those requiring low power and low area, and good conversion speed. This topology is present on several mixed-signal programmable devices. These devices, when exposed to harsh environments, such as radiation, which is the case for space applications, are prone to Single Event Effects (SEEs). These effects may cause temporary failures, such as transient effects or memory upsets or even permanent failures on the circuit. This work presents the behavior of this type of converter after the occurrence of a transient fault on the circuit, by means of SPICE simulations. These transient faults may cause an inversion on the conversion due to a transient on the control logic of the switches, or a charge or discharge of the capacitors when a transient occur on the switches, as well as a failure on the comparator, which may propagate to the remainder stages of conversion, due to the sequential nature of the converter. A discussion about the possible fault mitigation techniques is also presented.

Conversor analogico/digital

Circuitos integrados

Analog to digital converters

Successive approximation register

Single event effects

Single event transients

Fault mitigation techniques