Jan Torin

Evaluation of error detection schemes using fault injection by heavy-ion radiation

Several concurrent error detection schemes suitable for a watch-dog processor were evaluated by fault injection. Soft errors were induced into a MC6809E microprocessor by heavy-ion radiation from a Californium-252 source. Recordings of error behavior were used to characterize the errors as well as to determine coverage and latency for the various error detection schemes. The error recordings were used as input to programs that simulate the error detection schemes. The schemes evaluated detected up to 79% of all errors within 85 bus cycles. Fifty-eight percent of the errors caused execution to diverge permanently from the correct program. The best schemes detected 99% of these errors. Eighteen percent of the errors affected only data, and the coverage of these errors was at most 38%.<<ETX>>

Two software techniques for on-line error detection

Two software-based techniques for online detection of control flow errors were evaluated by fault injection. One technique, called block signature self-checking (BSSC), checks the control flow between program blocks. The other, called error capturing instructions (ECIs), inserts ECIs in the program area, the data area, and the unused area of the memory. To demonstrate these techniques, a program has been developed which modifies the executable code for the MC6809E 8-b microprocessor. The error detection techniques were evaluated using two fault injection techniques: heavy-ion radiation from a californium-252 source and power supply disturbances. Combinations of the two error detection techniques were tested for three different workloads. A combination BSSC, ECIs, and a watchdog timer was also evaluated.<<ETX>>

Evaluating processor-behavior and three error-detection mechanisms using physical fault-injection

An approach for assessing the impact of physical injection of transient faults on processor execution is described and evaluated. The fault injection is based on two complementary methods using: (1) heavy-ion radiation; and (2) power supply disturbances. 12000 transient faults were injected into the target microprocessor, a Motorola MC6809E 8-bit CPU, running 3 different workloads. In the evaluation, the control-flow errors were distinguished from those that had no effect on the correct flow of control. The errors that led to wrong results are separated from those that did not affect the correct results. The errors that affected neither the correct control flow nor the correct results are specified. Effects of errors on the registers and signals of the processor are characterized, Workload dependency on error rates is demonstrated. Three error-detection mechanisms, (2 software-based mechanisms and 1 watchdog timer) were combined and used to characterize the detected and undetected errors. More than 87% of all errors and 93% of the control-flow errors could be detected. In a different test, the efficiency of an isolated watchdog timer was evaluated. The coverage of the isolated watchdog timer was only 62%. The results indicate that fault-injection methods, workloads, and programming languages all differently affect the control flow, coverage, latency, and error rates. >

Evaluation of fault handling of the time-triggered architecture with bus and star topology

Arbitrary faults of a single node In a time-triggered architecture (TTA) bus topology system may cause error propagation to correct nodes and may lead to inconsistent system states. This has been observed in validation work using software implemented fault injection (SWIFI) and heavy-ion fault injection techniques in a TTA cluster. In a TTA system, the membership and the clique avoidance algorithms detect state inconsistencies and force the nodes that do not have the same state with the state of majority of nodes, to restart. Changing the interconnection structure of the cluster to a star topology allows the use of star couplers that will isolate faults of a node, thus guaranteeing consistency, even in the presence of arbitrary node failures. The same SWIFI and heavy-ion fault injection experiments that caused error propagation in bus-based TTA clusters, were performed in the star configuration. No error propagation was observed in a TTA system with the star topology during the execution of SWIFI and heavy-ion experiments.

On microprocessor error behavior modeling

A microprocessor error behavior function (EBF) is introduced, mapping faults into errors on the functional level. The errors are obtained using a functional model of the processor. By applying the EBF to a fault and instruction distribution, it is possible to obtain the corresponding error distribution. A case study is described, in which (i) the EBFs for simulated bit-flip and pin-level faults are designed and used to compare the bit-flip and pin-level fault models, and (ii) the obtained error distribution for the bit-flip faults is used in an error injection experiment on the functional level to emulate these faults. For the processor used in the case study, it was found that only 9-12% of the bit-flip faults could be emulated using pin-level faults, while a tentative evaluation of the possibility to emulate bit-flip faults with software-implemented fault injection showed that 98-99% could be emulated. Finally, the results of the emulated bit-flip errors corresponded well to the real results obtained using bit-flip faults, thus indicating that the injected errors are good approximations of the faults.<<ETX>>

Hazard analysis in object oriented design of dependable systems

Mass produced products are becoming more and more complex, which forces the designers to model the functionality early in the design process. UML Use cases was found to be a useful method for this purpose at Volvo Cars and is currently used for modeling all functions implemented in the electrical network. When using Use cases in the design of complex safety critical systems, there is still an uncovered demand for early hazard analysis at a functional level. This work integrates a modified functional hazard assessment method and Use cases. The analysis generates valuable results used as design requirements and dependability analysis input. The methods results have exceeded our expectations. An example is included, showing how the method works.

TWO FAULT INJECTION TECHNIQUES FOR TEST OF FAULT HANDLING MECHANISMS

Two fault injection techniques for experimental validation of fault handling mechanisms in computer systems are investigated and compared. One technique is based on irradiation of ICs with heavy-ion radiation from a 252Cf source. The other technique uses voltage sags injected in the power supply rails to ICs. Both techniques have been used for fault injection experiments with the MC6809E microprocessor. Most errors generated by the 252Cf method were seen first in the address bus, while the power supply disturbances most frequently affected the control signals. An error classification shows that both methods generate many control flow errors, while pure data errors are infrequent. Results from a simulation experiment show that that the low number data errors in the 252Cf experiments can be explained by the fact that many errors in data registers are overwritten owing to the normal program execution.

Future architecture of flight control systems

The development of fault tolerant embedded control systems such as flight control systems (FCS) are currently highly specialized and time-consuming. We introduce a conceptual architecture for the next decade control system where all control and logic are distributed to a number of computer nodes locally linked to actuators and connected via a communication network. In this way, we substantially reduce the life-cycle cost of embedded systems and attain scalable fault tolerance. All fault tolerance is based on redundancy. Our philosophy is to cover permanent faults with hardware replication and handle all error processing caused by both permanent and transient faults with software techniques. With intelligent nodes and use of inherent redundancy we introduce a robust and simple fault tolerant system that utilizes minimum hardware and has bandwidth requirements of less than 300 kbits/s, which can be met with an electrical bus. The study is based on an FCS for JAS 39 Gripen, a multi-role combat aircraft that is statically unstable at subsonic speed.

Future architecture for flight control systems

The development of fault tolerant embedded control systems, such as flight control systems, FCS, is currently highly specialized and time consuming. We introduce a conceptual architecture for the next decade control system where all control and logic is distributed to a number of computer nodes locally linked to actuators and connected via a communication network. In this way we substantially decrease the lifecycle cost of such embedded systems and acquire scalable fault tolerance. Fault tolerance is based on redundancy and in our concept permanent faults are covered by hardware replication and transient faults, fault detection and processing by software techniques. With intelligent nodes and the use of inherent redundancy a robust and simple fault tolerant system is introduced with a minimum of both hardware and bandwidth requirements. The study is based on an FCS for JAS 39 Gripen, a multirole combat aircraft that is statically unstable at subsonic speed.

Heavy-Ion Fault Injections in the Time-Triggered Communication Protocol

In dependable distributed systems, the communication link is a critical component with strict dependability requirements. The Time-Triggered Protocol (TTP/C) was developed to meet these requirements. To validate this design, one node in a TTP/C cluster was injected with faults using heavy-ions. It was a prototype implementation and cluster sizes of four and five nodes were tested. The experimental results show that arbitrary faults in one node can cause inconsistencies in the cluster and jeopardize the operation of correctly working nodes and the whole cluster. Further, the system’s vulnerability to arbitrary failures in single nodes for a cluster with a broadcast bus is shown. Experiments with varying cluster sizes indicate a relationship between cluster size and system vulnerability thus it seems to be important to further analyze if and why cluster sizes need to be taken into account when validating distributed systems. The described inconsistencies resulted from asymmetric value faults, asymmetric timing faults or arbitrary single node failures.