IEEE TRANSACTIONS ON NUCLEAR SCIENCE, VOL. 65, NO.
4, APRIL 2018
An Efficient Methodology for On-Chip SEU
Injection in Flip-Flops for Xilinx FPGAs
Anees Ullah , Pedro Reviriego, and Juan Antonio Maestro
Abstract— Field-programmable gate array (FPGA)-based
single-event upset (SEU) emulation in user flip-flops is essential
for reliability evaluation of mapped designs. Previous approaches
to inject SEUs in user flip-flops utilized the configuration memory
bits that control the set and reset settings of the flip-flops.
In contrast, this paper presents a novel approach for SEU
emulation in user flip-flops contents through single-frame on-chip
partial reconfiguration (PR). The presented methodology exploits
the inherent architectural features of the latest Xilinx FPGAs to
support state initialization of flip-flops during PR. The proposed
approach does not require instrumentation overhead for flip-flops
and reduces the fault-injection times by orders of magnitude.
Index Terms— Fault injection, radiation effects, reliability
evaluations.
I. I NTRODUCTION
F AULT injection is an important tool for low-cost
reliability evaluation of electronic circuits against
radiation-induced soft errors. There are two approaches to
injecting faults and evaluating their effects: through simula-
tion or emulation. Fault injection through simulation utilizes
the traditional circuit modeling and simulation tools (with
their corresponding technology libraries). This minimizes the
experimental setup times and provides higher observability on
a per-cycle basis, but suffers from very slow processing times.
On the other hand, fault injection by emulation utilizes a
hardware platform for this purpose and provides much faster
injection and evaluation times, but limited observability [1].
Field-programmable gate arrays (FPGAs) provide an ideal
fault-emulation platform due to their higher logic densities
and reconfigurability. The design mapped to an FPGA could
represent the end product on a deployed FPGA or it may be
an ASIC design utilizing the FPGA as emulation platform [2].
For an FPGA system, the most relevant fault model is a single-
event upset (SEU) due to their dependence on SRAM tech-
nology. Since in such a design the configuration memory bits
Manuscript received September 26, 2017; revised December 6, 2017 and
January 29, 2018; accepted February 26, 2018. Date of publication
March 6, 2018; date of current version April 12, 2018. This work was
supported by the Spanish Ministry of Economy and Competitiveness under
Grant ESP2014-54505-C2-1-R.
A. Ullah is with the Center for Advanced Studies in Engineering,
Islamabad 44000, Pakistan, and also with the ARIES Research Center, Escuela
Politécnica Superior, Universidad Antonio de Nebrija, 28015 Madrid, Spain
(e-mail: anees.ullah@case.edu.pk; aullah@nebrija.es).
P. Reviriego and J. A. Maestro are with the ARIES Research Center, Escuela
Politécnica Superior, Universidad Antonio de Nebrija, 28015 Madrid, Spain
(e-mail: previrie@nebrija.es; jmaestro@nebrija.es).
Color versions of one or more of the figures in this paper are available
online at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/TNS.2018.2812719
0018-9499 © 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: University of Szeged. Downloaded on February 13,2023 at 16:58:51 UTC from IEEE Xplore. Restrictions apply.
989
significantly outnumber the user memory bits, SEU-emulation
in user memories may not be critical for reliability evaluation
of FPGA designs [3]. However, a fault-injection methodology
may support it for completeness. In contrast, when the FPGA
is used as substitute hardware for fault emulation in ASICs,
only SEU injection in user memory elements is of interest;
in particular, in FFs due to their dynamic per-clock cycle
nature. Similarly, single-event transients (SETs) effects can be
indirectly emulated as SEUs in an SRAM-FPGA in the case
of substitute use, since SETs become observable only when
registered by memory elements. Therefore, SEU-emulation in
user flip-flops is vital for reliability evaluation of ASICs.
There are two main approaches for SEU-emulation in flip-
flops on an FPGA, i.e., instrumentation and reconfiguration
based. Instrumentation-based approaches add extra logic for
run-time bitflip insertion through flip-flops logical ports.
These modifications of the circuits can be done at different
levels of abstractions, i.e., HDL, netlist, mapping, or place
and route. These approaches are significantly fast, but they
have to instrument each design flip-flop, resulting in huge
resource overhead. Reconfiguration-based approaches utilize
the configuration memory for run-time SEU injection using
a methodology called readback capture and restore [4]. The
capture operation updates the shadow configuration cells
(i.e., captured cells) with instantaneous flip-flop values while
the clock is stopped. Then, a readback procedure accesses the
corresponding configuration memory and flips the cell state
on which the error is to be injected. This is followed by a
configuration memory write-back and a restore operation. The
restore operation reinitializes the flip-flops with the modified
values. The clock is then allowed to resume after this operation
is completed. This methodology has been widely used for
flip-flops fault injection by the well-known FT-UNSHADES
framework [5]. The platform supports fault injection in
configuration memory as well as in flip-flop contents.
However, injection in flip-flops is based on total reconfig-
uration which is a time-consuming process. Furthermore,
FT-UNSHADES is based on a custom printed circuit board
hosting multiple-FPGAs for controlling the whole injection
process. A recent work in [3] combines both instrumentation
and reconfiguration-based approaches to achieve a tradeoff
between the area and the reconfiguration delay. This is based
on the utilization of the local reset lines of flip-flops in addition
to using the configuration memory control bits that define the
functionality of the local reset lines. Although, the proposed
method is an improvement compared to the previous ones,
990
it limits the utilization of the FPGA slice resources to one
flip-flop out of the available “n” (this value depends on the
FPGA family for Virtex-5 it was 4; for 7-series FPGAs, it is
8) flip-flops due to architectural limitations. This limitation
is due to the fact that the slice’s flip-flops have shared
control lines and they cannot be triggered independently.
Moreover, their approach is based on reverse engineering
to locate the part of the configuration memory which
controls the behavior of local reset lines of the flip-flop. This
limits the applicability of the method across other device
families.
This paper presents an efficient partial-reconfiguration-
based SEU injection approach in user flip-flops without insert-
ing any extra hardware, while achieving significant increase
in fault-injection speeds over existing reconfiguration-based
approaches. The presented methodology is based on single-
frame fault injection at a selected fault site (flip-flop) with the
assertion of the chip-wide global reset line in a controlled
manner to avoid corruption of other state elements of the
design. Since, the presented methodology utilizes standard
Xilinx partial reconfiguration (PR) flow and does not require
any reverse engineering it is generic and can be applied across
several Xilinx FPGA families. Moreover, because of the usage
of standard design components the overall methodology is
quite simple to implement. Therefore, the design and the
subsequent nonrecurring engineering efforts are minimized.
The rest of this paper is organized as follows. Section II
presents the state-of-the-art SEU fault-injection platforms
supporting flip-flops. Section III outlines the presented
approach. Section IV presents the developed test vehicle and
Section V shows the experimental results, while Section VI
provides the conclusion of this paper.
II. R ELATED W ORK
SRAM-based FPGAs have been used for SEU-emulation
in user design flip-flops by many researchers over the last
two decades. The existing techniques can be broadly classi-
fied into three categories: instrumentation-based approaches,
reconfiguration-based approaches, and combined approaches.
A. Instrumentation-Based Approaches
The instrumentation-based approaches insert extra hardware
in the design’s flip-flops providing anchor points to the logical
layer for run-time injection at the design’s speed. Some of
the early works that use scan-chains-based methodologies for
transient fault injection in flip-flops contents were reported
in [6] and [7]. A complete solution based on a variation
of scan-chain-based instrumentation was proposed by Lopez-
Ongil et al. [8] to increase the fault-injection speed and to
minimize the error logging and the communication time with
the PC. A fault injection and fault masking analysis platform
is presented by Naviner et al. [9]. It is based on saboteur
insertion for supporting fault injection in any node of interest.
It can support multiple-fault models and is highly parameter-
izable. However, this flexibility and completeness is achieved
with very high resource overhead. Similarly, the Netlist Fault
Injection tool [10] modifies the FPGA primitive’s library
Authorized licensed use limited to: University of Szeged. Downloaded on February 13,2023 at 16:58:51 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON NUCLEAR SCIENCE, VOL. 65, NO. 4, APRIL 2018
for instrumentation of flip-flops and automates the mapping
process from HDL level, thereby incurring slightly less over-
head compared to the previous approaches. The downside
of instrumentation-based approaches is that they have huge
resource overheads. Moreover, the modifications have to be
often applied at a postsynthesis level, imposing the need
to develop ad hoc methodologies and tools for these tasks,
thereby increasing design effort.
B. Reconfiguration-Based Approaches
Reconfiguration-based approaches modify the correspond-
ing captured cells in the configuration memory related to
the flip-flops for fault injection. This process requires the
capturing of the current state of the flip-flops in the captured
cells of the configuration memory, reading back the bitstream,
modifying it and writing it back to the captured cells for fault
injection. Swift et al. [11] show the partial reconfiguration-
based injection in input–output configuration bits, the adjacent
bits and the bits used for their registers’ settings (i.e., set and
reset) of an input–output block. Through single or multiple-
frames partial or full reconfiguration, the same employed fault-
injection technique can be extended to inject faults in all the
user accessible resources in the FPGA, such as the FPGA
configuration bits as well as the FFs. However, the method-
ology does not target the FFs but only their configuration
settings that affect their behavior. Antoni et al. [12] utilize a
reconfiguration-based fault injection through the JBits API in
flip-flops. In order to not affect other flip-flops, a complicated
mechanism is adopted to avoid unintended state corruption.
Moreover, the JBits API is obsolete and not applicable to
state-of-the-art FPGAs. The reported fault-injection times are
3.5 s per injection. Similarly, FADES [13] is another platform
based on JBits and reports 3.3 s per fault injection. FT-
UNSHADES [14]–[16] is a well-known platform for flip-flop
fault injection based upon the Xilinx captures and restores
approach. This platform utilizes full-bitstream-based recon-
figuration for flip-flop injection through the JTAG interface.
For fault injection in flip-flops, the platform reads back the
bitstream and the current state of the flip-flops from the FPGA.
Then, it iterates over the bitstream and readback file and
updates the INIT values of the flip-flops while the intended
flip-flop state is inverted. This merging is a serial process and
is off-chip; therefore, it takes a long time compared to on-
chip PR-based approaches. Although, an improved version in
the form of FT-UNSHADES2 [5] improves upon the previous
versions to include various features, the platform is still
using full-bitstream-based fault injection for flip-flops. The
drawback of full-reconfiguration-based approaches is that they
have significant overhead with respect to the fault-injection
time compared to the instrumentation-based approaches.
C. Combined Approaches and Limitations
Both instrumentation and reconfiguration approaches are
limited due to their resource and reconfiguration overheads.
Researchers have developed hybrid approaches to achieve an
optimal solution. López-Ongil et al. [17] presented a unified
fault-injection platform achieving results with injection in
ULLAH et al.: EFFICIENT METHODOLOGY FOR ON-CHIP SEU INJECTION IN FLIP-FLOPS
configuration memory through reconfiguration while in the
user flip-flops through instrumentation. Similarly, a recent
work by Serrano et al. [3] presented an interesting approach
utilizing both instrumentation and partial reconfiguration for
SEU injection in flip-flops. They achieve flip-flops content
inversion through local reset lines. The inversion is achieved
by modifying some configuration bits that control the behavior
of local reset line for each flip-flop. The position of these
bits in configuration memory is achieved through reverse
engineering of portions of the bitstream. Moreover, it has a
resource overhead of three look-up tables (LUTs) per flip-
flop that needs to be controlled. In contrast to [3], this
paper uses a global reset line for state inversion of the flip-
flops. A nonintrusive PR-based methodology is used, which
results in very fast fault-injection times and does not require
any modifications to the standard FPGA design flow. Simi-
larly, the methodology used in [5] cannot be applied to on-
chip injectors. This is because the total-reconfiguration may
result in state corruption of the injector control circuitry and
other memory elements. Section III presents the proposed
methodology.
III. P ROPOSED M ETHODOLOGY
The proposed methodology supports SEU injection in the
design’s flip-flops mapped on Xilinx SRAM-based FPGAs.
In particular, the fault injection is achieved through PR.
A read–modify–write (RMW) operation is performed on a
single-configuration frame followed by asserting the chip-wide
global signals. This proposed methodology protects against
unintentional state corruption resulting from the activation of
the global reset signal, hence making it feasible to be used with
on-chip fault injection in flip-flops. The proposed methodology
achieves fast injection times without incurring any hardware
overhead for FF instrumentation. Moreover, the methodology
does not require any reverse engineering and is based on the
standard PR flow. Therefore, it is applicable across different
Xilinx FPGA families. In Section III-A explain the details of
our proposal.
A. SEU Injection in Flip-Flops Through Xilinx PR
This section outlines the architectural features of the Xilinx
SRAM-based FPGAs which are essential for fault injection
in the flip-flop contents through the proposed methodology.
Sequential logic elements, for example flip-flops, need to
be initialized to predefined user values for correct execution
of circuits mapped onto SRAM-based FPGAs. The RT-level
user defined initialization of memory elements is embedded
inside the generated configuration bitstream. During the initial
bitstream download process, captured cells are initialized with
these values. As this process is done before the FPGA enters
the user mode of operation, the global asynchronous signals
which are vital for transferring captured cells values to the
flip-flops do not cause any synchronization issues. However,
to achieve fault injection while the design is in operation,
changing the flip-flop contents through the captured cells needs
particular considerations. This is due to the asynchronous
nature of the global signals along with the fact that they are
Authorized licensed use limited to: University of Szeged. Downloaded on February 13,2023 at 16:58:51 UTC from IEEE Xplore. Restrictions apply.
991
Fig. 1. SEU Injection in flip-flops using shadow registers.
connected to every memory element in the FPGA. Therefore,
it could result in unintentional state corruption of the design.
Fig. 1 shows the approach for SEU injection in flip-flops,
while the design is active utilizing PR. Fig. 1 consists of
configuration control logic, clock regions, and a magnified
view of a flip-flop inside an FPGA. Fig. 1 shows a functional
model of the flip-flop’s capture and restores circuitry along
with the masking logic that locally controls the behavior of the
global signals and is extracted from [18] and [19]. The flip-
flop is augmented with circuitry to control its initialization
and state capture from the shadow storage (INIT) memory
element. The INIT memory element is usually implemented
with reduced functionalities as opposed to the actual flip-
flop to save silicon area. The flip-flop itself is implemented
as a master–slave configuration and can be utilized as a
latch. While the design is in operational mode, the current
state of a flip-flop can be captured in the INIT storage by the
assertion of Global CAPture (GCAP) signal. It can be noted
that the INIT storage can be initialized from bitstream or from
the current state of the flip-flop through a GCAP signal
which controls a multiplexer “M2.” The GCAP is a global
signal that connects to every memory element of the FPGA.
Before the capture process is initiated, the clock to the par-
tially reconfigurable design [which represents a design under
test (DUT)] has to be stopped to freeze the state of flip-
flops. The captured values (now stored in the INIT captured
cells) can then be readback from the configuration memory
to invert the contents of a flip-flop and written back to the
configuration memory. This is followed by asserting the global
set reset (GSR) [4] signal to transfer capture cell values to
actual flip-flops. Fig. 1 also shows that the shadow storage
output is connected to the flip-flop through a multiplexer
“M1” controlled by GSR and the logical OR of the local set
reset (SR) line. This means that the GSR or SR signal can
be used to allow the INIT storage output to affect the flip-
flop contents. The FPGA internal architecture is designed in
a way that the SR line is shared by all the flip-flops inside
a slice keeping in view that the neighboring flip-flops will
be fed by the same clocking and reset signals. Furthermore,
992
it can be noted that the other input to the multiplexer “M1” is
from the configurable logic block (CLB) logic (e.g., LUTs).
In the normal operation of the device, the multiplexer always
forward the CLB outputs to the flip-flop. Although, GSR and
SR can both be used for transferring the INIT storage value
into the flip-flop, the utilization of the local SR signal needs
instrumentation methods that would add resource overhead for
fault injection, as was done in [3]. It can be noted that the
global write enable (GWE) signal enables the usage of the
flip-flop for writing purposes and acts in a similar fashion to
the clock enable (CE) signal local to the slice. The GWE signal
disables writing to memory elements during the bitstream
download process until the configuration memory is initialized.
The assertion of these global signals has to be done carefully
to avoid undesired effects on the design. The asynchronous
nature of these signals along with signal propagation delays
across the chip means that timing violation can be caused if
the clocking constraints are not met. This could be ensured by
the reconfiguration controller in the user design. For example,
when a microprocessor is used for controlling the internal
configuration access port (ICAP), a few no operations can
ensure timing, although, in most cases the software processing
delay is enough. In addition to these global signals, there are
other important signals that avoid data contention during full
or PR as mentioned in [20]. After the flip-flop is reinitialized
from the captured cell, the propagation and analysis of the
injected fault can be resumed by activating the clock again.
The global signals, GCAP, and GSR, necessary for state
saving and restoring in the proposed methodology, can cause
state corruption of other memory elements. Therefore, it is
imperative to protect other memory elements from uninten-
tional state corruption. To achieve such a selective injection,
the FPGA architecture should be considered. Fig. 1 shows
that memory elements are grouped into clock regions for
local control over clock and reset circuitry and ease of clock
distribution. Each clock region can be separately controlled
with tristate buffers to enable or disable GSR and the GCAP
signals. This capability allows the masking of the GSR and
GCAP effects for the static region and their unmasking for the
DUT region. This requires knowledge of certain configuration
memory frames and individual control over particular bits
that enable GSR and GCAP to a region. These configuration
frames belong to a special configuration memory space that
is responsible for controlling the clock and reset circuitry to
the FPGA clock regions. Since this depends on the FPGA
architecture, only vendor design automation tools can generate
such configuration as part of the bitstream. Such capability is
not only important for fault injection but also for dynamic PR
for state initialization [21]. These architectural features can
be leveraged for run-time fault injection in flip-flops given
that the DUT region conforms to PR rules particularly at
the floor planning and the bitstream generation phases. The
safe reinitialization of flip-flops in a partially reconfiguration
region is ensured when the user applies the reset after recon-
figuration (RAR) constraint [21]. These constraints embed
certain configuration frames specific to the floor-planned PR-
region in the partial bitstream. Although, these configuration
frames increase the size of the partial bitstream they are vital
Authorized licensed use limited to: University of Szeged. Downloaded on February 13,2023 at 16:58:51 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON NUCLEAR SCIENCE, VOL. 65, NO. 4, APRIL 2018
for proper reinitialization of the PR-region after the partial
bitstream is delivered to the FPGA. The purpose of this feature
is to ensure that the partial reconfigurable design’s flip-flops
are initialized to user defined RT-level description. In our case,
we utilize this configuration frame to protect the static region
from undesired state corruption during the capture and restores
operations when the GSR is asserted. Furthermore, we utilize
the partial bitstream once for unmasking the PR-region and
masking the rest of the FPGA. The described fault-injection
technique uses single-frame modifications, achieving hence
significant fast injection times. In Section III-B illustrates the
implementation flow for achieving fault injection in flip-flops
through PR.
B. Design Flow and Fault Site List Generation
The design and fault list generation flow for Xilinx FPGAs
is shown in Fig. 2. The flow starts with the description of
static and reconfiguration regions. The static region contains
the portion of design that is fixed during run time while the
reconfigurable region undergoes changes. The static region
consists of a microprocessor and its peripheral connected
through a standard bus protocol. The static region is described
with block design in Xilinx flow while the reconfigurable
region is defined through HDL for description of the DUT.
A standard PR-flow is followed for floor planning the design
and generating the full and partial bitstreams. It is worth
mentioning that the partial bitstreams are generated with
settings for RAR and the generation of the logic allocation
file. The RAR partial bitstream is essential for masking the
static region and unmasking the reconfigurable region and is
downloaded once for these configuration settings. It remains
active during the rest of the fault-injection operation. The logic
allocation file contains the design flip-flop information only
related to the reconfiguration region housing the DUT. The
logic allocation file uniquely identifies every memory element,
for example, flip-flops, in the configuration memory space. The
information is vital for SEU injection in a specific flip-flop as
it contains the exact bit address of the corresponding capture
cell. All the generated files are fed to the developed fault
site list generator block which is responsible for generating
a fault dictionary to be used during SEU injection in run
time. The fault dictionary represents a mapping of the flip-
flop locations of the mapped design on FPGA to the exact
location in the configuration memory space. The format is
designed to uniquely identify the flip-flop position in terms
of its configuration frame and corresponding capture cell bit
offset. This fault dictionary is converted into a binary format to
be stored in off-chip nonvolatile memories (DRAM or SDcard)
to be later used for fault injection.
C. SEU Injection Algorithm
The fault-injection flow is presented in Algorithm 1 to
be used with an on-chip processor on Xilinx FPGAs. The
algorithm starts by loading the RAR partial bitstream from the
external nonvolatile memory into the configuration memory.
This is an essential one-time step for masking the static region
and unmasking the reconfigurable region. The next step is
to load the fault dictionary from the external memory into
ULLAH et al.: EFFICIENT METHODOLOGY FOR ON-CHIP SEU INJECTION IN FLIP-FLOPS
Fig. 2. Implementation flow for Xilinx FPGAs.
the system memory. This is followed by applying a “reset”
to the reconfigurable DUT region. Then, the algorithm picks
up a fault (frame and bit pair) from the fault dictionary for
injection. The algorithm enters the frame formatting phase to
convert the frame and bit pair to the frame address register
format [4]. The top/bottom fields identify the FPGA half in
which the flip-flop resides. The row address identifies the cor-
responding resource row inside the half. The column address
pin-points the resource column (e.g., CLB and BRAM) while
the minor offset locates the exact frame inside the resource
column (each resource has different number of frames; the
CLB has 36 minor frames). Last, the bit offset is the position
of captured cells (INT0/INT1) related to a flip-flop. These
parameters are extracted from the fault dictionary entry with
several masking operations (lines 5–12 of the algorithm)
carried out according to [4]. This leads the algorithm to state
capture, readback, and modify phase. The algorithm picks
up an injection cycle either serially or randomly, resets the
benchmark circuit (and starts DUT execution) and waits for
the injection cycle to reach. This is supported by the clock
and reset manager in hardware. When the injection cycle
is reached, the clock to the benchmark circuit is stopped
immediately. The clock and reset manager then interrupts
the processor to start the fault-injection procedure using the
Xilinx software libraries. The first of the executed commands
is the GCAPTURE, which is issued through the ICAP to
the configuration memory. As an RAR partial bitstream is
already downloaded (line 1) to the FPGA, this command only
captures the state of reconfigurable region as the static region
is masked. After the current state of flip-flops is captured in
the configuration memory shadow cells, a readback() function
utilizes the fault dictionary format (lines 5–12) to readback
the exact configuration memory frame. Once the frame is in
the processor memory space, the corresponding word and bit
position from the fault dictionary is used to invert a specific
bit. These operations are achieved by using the logic outlined
in lines 20–22. The next phase is configuration memory write-
back and GSR triggering. The Writeback() function transfers
the modified FF content to the configuration memory. This is
followed by a software-level trigger of the GSR port located
on the Startup peripheral of the system. This results in the
inversion of the selected single flip-flop in the reconfigurable
region while avoiding any changes in the static region as
Authorized licensed use limited to: University of Szeged. Downloaded on February 13,2023 at 16:58:51 UTC from IEEE Xplore. Restrictions apply.
993
it is masked. Note that after the TriggerGSR() function at
line 24, there is a software delay introduced to enable the
physical signal propagation and avoid timing violations. In this
case, the delay involved due to the Advanced eXtensible Inter-
face (AXI) protocol is enough to ensure no timing violation
will occur. However, if the proposed methodology is to be used
without a processor, a delay of some cycles after the triggering
of GSR is necessary. The injection of an SEU is followed
by its testing in the final phase. This is accomplished by the
application of test patterns from the processor to the DUT.
After the completion of the fault insertion, the DUT design
is resumed and is concurrently checking its inputs for errors.
The software counter is automatically incremented upon the
detection of an error. Also, the detected fault site is saved.
These steps are outlined in lines 28–32. Note that the algorithm
is equipped with additional techniques that allow the count of
the elapsed clock cycles between the start and the end of the
operations of interest, as shown in line 17 and lines 26 and
27. Finally, once all the fault sites are evaluated the algorithm
reports the final results to the PC using UART interface.
IV. T EST V EHICLE
The experimental results are collected on a ZynQ-based
system-on-chip (SoC) integrating a dual-core Cortex-A9
processor and an Artix-7 FPGA available on the Zedboard. It is
worth mentioning that any other microprocessor, for example,
a Xilinx Microblaze or a custom hardware architectural imple-
mentation is also possible such that the configuration memory
is accessed through the ICAP. The processor in the static
region is realized through an ARM core in the programmable
system (PS) region while the rest of static region and the
reconfigurable region maps into the programmable logic (PL).
Several AXI peripherals including ICAP, Startup primitive (for
control over GSR line), timer, UART controller are used from
Xilinx IP catalogs. A custom HDL clock manager module is
designed and connected through the AXI bus to control the
CE signal to both copies of the benchmark circuit i.e., the
DUT and the GOLD modules. This enables a cycle-by-cycle
application of inputs to the benchmarks from the processor.
This module also keeps track of the benchmark cycles and
enables selection of specific cycle for SEU injection and
gives a feedback to the processor in case such a cycle event
occurs. Apart from these responsibilities, the clock manager
also resets the benchmark circuit when the evaluation of an
SEU is completed. This is necessary to avoid unintended SEU
accumulation in registers. The comparator module is respon-
sible for detecting any mismatches between the GOLD and
the DUT copies of the benchmark circuit while the inputs are
being applied from the processor. An error event interrupts the
processor when an error is detected. The processor keeps count
of the detected faults and resets the benchmark circuit for the
next SEU evaluation. Note that it is also possible to duplicate
the execution in time without hardware replication. In such
case, two runs will be required for the expected and the FI
results collection and then the comparison can be done offline.
V. R ESULTS AND D ISCUSSION
The experimental results are collected using the commonly
adopted International Test Conference (ITC) benchmarks and
994 IEEE TRANSACTIONS ON NUCLEAR SCIENCE, VOL. 65, NO. 4, APRIL 2018

Algorithm 1 Fault Injection in Flip-Flop

Inputs: Partial Bitstream, Fault Dictionary
Outputs: Log file, Timing measurements
∗∗∗∗∗∗∗∗∗∗∗∗ Initialization Phase ∗∗∗∗∗∗∗∗∗∗∗∗∗
1: LoadPartialBitstram();
2: fd_array[size] = LoadFaultDictionary();
3: ApplyDutReset();
4: foreach fault site “fs” in fd_array do
// frame formatting
5: frame = fs.frame;
6: Bit = fs.bit;
7: Top = (frame & 0x00400000)  22;
8: Row = (frame & 0x003E0000)  17;
9: Major = (frame & 0x0001FF80)  7;
10: Minor = (frame & 0x0000001F)  0;
11: word = Bit/32;
12: INITbit = Bit%32;
// state capture, readbackand modify
operation Fig. 3. Processor-based implementation.
13: Cycle = PickUpInjectCycle(); TABLE I
14: EnableClockDUT(); R ESOURCE U TILIZATION OF B ENCHMARKS
15: ApplyDutReset();
16: StopClockDUT(Cycle);
17: Time1 = StartTimer();
18: TriggerCapture();
19: rdframe[] = Readback
(Top,Block,Row,Major,Minor);
20: rdword = rdframe[word];
21: rdword = (word ^(1  INITbit));
22: rdframe[word] = rdword;
// configuration memory writeback and GSR
triggering
23: WriteBack(Top,Block,Row,Major,Minor);
24: TriggerGSR();
25: Wait();
26: Time2 = StopTimer();
27: CyclesTaken = Time2 – Time1;
// testing
28: while (fault is not detected)
29: ApplyDutInputs(); methodology and users can run this comparison in software.
30: if (fault is detected) Table I specifies the resources in terms of LUTs and FFs
31: detected_faults++; for the DUT copy of the implemented benchmark circuit.
32: detectedsites[]=fs; The number of flip-flops is proportional to the size of the
33: end_foreach
34: Report(detected_faults); fault list that needs to be injected. Furthermore, the size of
35: Report(detectedsites[]); partial bitstream with RAR features is also reported. This
36: Report(MeasuredTime); bitstream needs to be downloaded once before the start of the
fault-injection campaign. This is necessary for masking static
region and unmasking the reconfigurable region as discussed
in Section III-A. As shown in Table I, and because of the
a few DSP circuit designs. The considered circuits contain similar floor-planning requirements (the small size of each
feedforward as well as feedback circuits. Also, different archi- benchmark circuit and the enabled RAR features), all the
tectures of the same benchmark circuit are considered for ITC benchmarks have an RAR bitstream size of 149 kB.
their reliability evaluation. For example, the FIR filter has In 7-series FPGAs, RAR features are physically supported
been implemented with two architectural choices; the first by instantiating partition pins in the routing interconnect tile.
is a serial design and the second one is a cascaded serial Since in these FPGA families the routing interconnect tiles
one. Table I shows the resource utilization of the benchmark are located on the left and the right of the CLB columns,
designs mapped into reconfigurable regions. Note that the the PR requirements dictate that the minimum size to support
resource utilization of the static region is not reported. This RAR features is two CLB columns. This is an essential
is due to the fact that the ARM processor is in the PS region consideration ensured by vendors’ design tools through PR
and a few of the required static IPs are in the PL region. design rule checks. Therefore, postreconfiguration flip-flops
Therefore, the static logic in PS and PL regions remains fixed state initialization depends on this kind of physical layout and
for all the benchmarks. However, the size of the comparator will not work without it.
required to implement the scheme in Fig. 3 is variable, but Table II represents the fault-injection statistics of the bench-
it is not reported because it is not a requirement of the mark circuits for different number of SEUs per FF i.e.,

Authorized licensed use limited to: University of Szeged. Downloaded on February 13,2023 at 16:58:51 UTC from IEEE Xplore. Restrictions apply.
ULLAH et al.: EFFICIENT METHODOLOGY FOR ON-CHIP SEU INJECTION IN FLIP-FLOPS
TABLE II
FAULTS S TATISTICS
100 SEUs/FF, 400 SEUs/FF, and 700 SEUs/FF. The results
appear as a ratio of the number of SEUs that caused failure
at the circuit’s primary outputs (i.e., the numerator) over the
total number of injected SEUs (i.e., the denominator). The
injected SEUs are a subset of the total SEUs which represent
the entire space of all the possible SEUs for a benchmark.
It is the product of the size of inputs, the SEU sites (i.e., flip-
flops in our case) and the total number of cycles taken by the
execution of the benchmark. As the total number of SEUs is
the product of three variables, the entire fault space may be
quite significant and in certain cases infinite, for example, in
finite-state machines (FSMs) with a serial infinite data stream
(i.e., B01 and B02 in our benchmarks). Therefore, the injected
SEUs could be sampled randomly by selecting certain clock
cycles for injection or randomly selecting an input for each
clock cycle. It can be noted from Table II that for different
number of injected SEUs per FF, the obtained benchmark’s
failure rate remains almost the same for 100 SEUs per FF and
above. The experimental test results showed that the failure
rate is quite sensitive to the variations in the input patterns.
The FIR filters were tested exhaustively with all possible 16-bit
input patterns. The cascaded serial architecture shows more
vulnerability to SEUs than the fully serial architecture because
of slow faults propagation and reset postinjection. The Viterbi
decoder is tested with a serial bitstream of inputs. The results
show that it is quite resilient to SEUs in flip-flops due to its
internal error correction capabilities.
Since fault injection should realistically mimic the behavior
of beam irradiation, it is very important to validate any fault-
injection platform. However, separately irradiating flip-flops
are not possible for validation as previously noted in [3]. In
addition, in our case we are only presenting a methodology for
SEU injection in flip-flops and not a fault-injection platform.
Fault-injection platforms are approved when the same test
platform shows consistent results for both fault injections and
Authorized licensed use limited to: University of Szeged. Downloaded on February 13,2023 at 16:58:51 UTC from IEEE Xplore. Restrictions apply.
995
TABLE III
C YCLES TAKEN BY I NJECTION O PERATIONS
radiation test experiments. Our methodology can be easily
integrated into existing approved fault-injection platforms.
Table III gives the minimum and the maximum number of
clock cycles taken by the individual fault-injection operations
required to upset a flip-flop. Modifying the configuration mem-
ory always requires RMW cycle [20] on Xilinx FPGAs. How-
ever, in addition, the flip-flop bit inversion requires capture
and restores operations. Furthermore, the capture operation
is carried out using the Xilinx software routine. However,
the restore operation is carried out using the Startup primitive
instantiated inside the AXI ICAP peripheral instead of the
GRESTORE library command. This is because the restore
routines in the Xilinx software libraries were not working.
This may be due to limitations of the software library as noted
in [22]. The processor controls the GSR input of the startup
primitive through an AXI GPIO port. Therefore, the capture
operation takes more clock cycles than the restore. A hardware
instantiation of both of the primitives and its direct control
from the EMIO ports of the PS could improve the cycle count
further. The actual fault-injection time depends on several
factors. Firstly, the speed of injection depends on the operating
frequencies of the processor and the interconnect AXI bus.
Second, the frequency with which the ICAP primitive is
toggled determines how fast the data can be accessed and
retrieved from the configuration memory. Finally, the frame
size, which depends on the FPGA family, is also an important
variable that may affect the injection speed.
Table IV measures the faults injected per second con-
sidering these variables. Table IV compares three methods:
the proposed one and two relevant works. Note that the
proposed method has been extrapolated with different bus
frequencies that are supported with various 7-series FPGAs.
These maximum bus frequencies are related to the ICAP bus
interface port and not to the ICAP switching clock port which
always remains at 100 MHz. It can be noted that on Kintex-
7 the maximum supported AXI frequency of 220 MHz can
be achieved. These frequencies are based on Xilinx ICAP
documents [23]. The second parameter that needs to be con-
sidered when evaluating the fault-injection times is the frame
size. For example, in the case of Virtex-5 FPGAs, the frame
is composed of 41 words each of 32 bits. However, in the
case of the 7-series FPGAs, the frame size has increased
to 101 32-bit words. While the frame size has increased,
the ICAP switching frequency has not seen any improvements
in current FPGAs. This frequency determines how fast the
data exchange with the configuration memory can run at.
The overall time taken by a single fault injection using our
methodology requires 142.27 µs when the PS is running at
666.7 MHz while the AXI bus and the ICAP_clk pin is clocked
996
TABLE IV
FAULTS I NJECTED P ER S ECOND
at 100 MHz. Changing the frequency of AXI bus from 100 to
120 MHz, while the ICAP_clk remains at 100 MHz, the fault-
injection time reduced to 118.5 µs. Similarly, when the AXI
bus is clocked at a 220 MHz on Kintex-7, the resulting fault-
injection time reduces to 64 µs. Serrano et al. [3] reported a
fault-injection time of 630 µs on a Virtex-5 FPGA platform.
Therefore, we can achieve 5.3 times improvement in fault-
injection speeds without incurring any hardware overhead
for FF instrumentation. Furthermore, improvements in speed
can be achieved using the ICAP port when highly optimized
hardware controllers are developed or based on streaming
interfaces between the PS and PL. It is worth mentioning that
the smallest granularity to access and change the configuration
memory is a single frame using PR. Since, our proposed
methodology is based on frame-level configuration memory
modifications; we can achieve faster SEU injection times than
in the case of commonly used FI techniques. The reported
faults per second in [3] and [5] are compared with our
proposed method in Table IV. It can be noted that when the
proposed methodology is implemented on a Kintex-7 FPGA,
the supported number of faults per second are 15 625 com-
pared to the 10 000 faults per second supported by FTUN-
SHADES2 [5]. Moreover, if an FSM-based ICAP controller
is developed for the proposed methodology, the fault-injection
speeds will be improved by orders of magnitude. As discussed
by Nazar and Carro [24], the injection cycles depend on
the number of words in the frame and some commands
for setting up the configuration engine. For Virtex-5, they
reported 215 cycles. Similarly, for 7-series FPGAs, the number
of cycles required for injection with an FSM-based solution
would be far less than measured with AXI-timers in Table III.
Therefore, our proposed methodology provides the fastest
achievable fault injection times compared to the recent fault-
injection approaches in flip-flops even though the 7-series
frames are more than twice the size of Virtex-5 FPGA on
which the previous approaches were implemented.
VI. C ONCLUSION
This paper has presented a fast SEU injection approach into
user flip-flops on Xilinx FPGAs. The methodology leverages
the existing state initialization features that are applied post-PR
and does not require any reverse engineering. The exploitation
of this feature allows selective state capture and restores
capabilities, which are vital for fault injection in a target flip-
flop without corrupting other state elements. The presented
methodology is particularly suitable for state-of-the-art FPGA
SoCs due to on-chip availability of a processor along with PL.
Finally, because the methodology is on-chip, it can be easily
reproduced using available FPGAs. As a result, the proposed
Authorized licensed use limited to: University of Szeged. Downloaded on February 13,2023 at 16:58:51 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON NUCLEAR SCIENCE, VOL. 65, NO. 4, APRIL 2018
FI technique supports very fast fault injection, making it
suitable for large injection campaigns.
R EFERENCES
[1] A. Ullah, E. Sanchez, L. Sterpone, L. A. Cardona, and C. Ferrer,
“An FPGA-based dynamically reconfigurable platform for emulation of
permanent faults in ASICs,” Microelectron. Rel., vol. 75, pp. 110–120,
Aug. 2017.
[2] H. M. Quinn, D. A. Black, W. H. Robinson, and S. P. Buchner,
“Fault simulation and emulation tools to augment radiation-hardness
assurance testing,” IEEE Trans. Nucl. Sci., vol. 60, no. 3,
pp. 2119–2142, Jun. 2013.
[3] F. Serrano, J. A. Clemente, and H. Mecha, “A methodology to emulate
single event upsets in flip-flops using FPGAs through partial reconfig-
uration and instrumentation,” IEEE Trans. Nucl. Sci., vol. 62, no. 4,
pp. 1617–1624, Aug. 2015.
[4] 7 Series FPGAs Configuration User Guide (UG470), Xilinx Inc.,
San Jose, CA, USA, Sep. 2016.
[5] J. Mogollon, H. Guzman-Miranda, J. Napoles, J. Barrientos, and
M. Aguirre, “FTUNSHADES2: A novel platform for early evaluation
of robustness against SEE,” in Proc. 12th Eur. Conf. Radiat. Effects
Compon. Syst., pp. 169–174, Sep. 2011.
[6] P. Civera, L. Macchiarulo, M. Rebaudengo, M. S. Reorda, and
M. Violante, “An FPGA-based approach for speeding-up fault injection
campaigns on safety-critical circuits,” J. Electron. Test., Theory Appl.,
vol. 18, no. 3, pp. 261–271, Jun. 2002.
[7] P. Civera, L. Macchiarulo, M. Rebaudengo, M. S. Reorda, and
M. Violante, “New techniques for efficiently assessing reliability of
SOCs,” Microelectron. J., vol. 34, no. 1, pp. 53–61, Jan. 2003.
[8] C. Lopez-Ongil, M. Garcia-Valderas, M. Portela-Garcia, and L. Entrena,
“Autonomous fault emulation: A new FPGA-based acceleration sys-
tem for hardness evaluation,” IEEE Trans. Nucl. Sci., vol. 54, no. 1,
pp. 252–261, Feb. 2007.
[9] L. A. B. Naviner, J. F. Naviner, G. G. dos Santor, Jr., E. C. Marques,
and N. M. Pavia, Jr., “FIFA: A fault-injection–fault-analysis-based tool
for reliability assessment at RTL level,” Microelectron. Rel., vol. 51,
pp. 1459–1463, Sep. 2011.
[10] W. Mansour and R. Velazco, “An automated SEU fault-injection method
and tool for HDL-based designs,” IEEE Trans. Nucl. Sci., vol. 60, no. 4,
pp. 2728–2733, Aug. 2013.
[11] G. M. Swift et al., “Dynamic testing of Xilinx Virtex-II field program-
mable gate array (FPGA) input/output blocks (IOBs),” IEEE Trans. Nucl.
Sci., vol. 51, no. 6, pp. 3469–3474, Dec. 2004.
[12] L. Antoni, R. Leveugle, and B. Feher, “Using run-time reconfiguration
for fault injection applications,” IEEE Trans. Instrum. Meas., vol. 52,
no. 5, pp. 1468–1473, Oct. 2003.
[13] D. de Andres, J.-C. Ruiz, D. Gil, and P. Gil, “Fault emulation for
dependability evaluation of VLSI systems,” IEEE Trans. Very Large
Scale Integr. (VLSI) Syst., vol. 16, no. 4, pp. 422–431, Apr. 2008.
[14] M. A. Aguirre, J. N. Tombs, A. Torralba, and L. G. Franquelo,
“UNSHADES-1: An advanced tool for in-system run-time hardware
debugging,” in Field Programmable Logic and Application. Springer-
Verlog, Sep. 2003, pp. 1170–1173.
[15] M. A. Aguirre et al., “Microprocessor and FPGA interfaces for in-system
co-debugging in field programmable hybrid systems,” Microprocess
Microsyst., vol. 29, nos. 2–3, pp. 75–85, Apr. 2005.
[16] M. A. Aguirre et al., “Selective protection analysis using a SEU
emulator: Testing protocol and case study over the Leon2 processor,”
IEEE Trans. Nucl. Sci., vol. 54, no. 4, pp. 951–956, Aug. 2007.
[17] C. López-Ongil et al., “A unified environment for fault injection at any
design level based on emulation,” IEEE Trans. Nucl. Sci., vol. 54, no. 4,
pp. 946–950, Aug. 2007.
[18] D. P. Schultz, L. C. Hung, and F. E. Goetting, “Programmable logic
device capable of preserving user data during partial or complete
reconfiguration,” U.S. Patent 6 507 211 B1, Jan. 14, 2003.
[19] M. L. Voogel, “Programmable memory element with power save mode
in a programmable logic device,” U.S. Patent 7 239 173 B1, Jul. 3, 2007.
[20] B. J. Blodget et al., “Reconfiguration of a programmable logic device
using internal logic,” U.S. Patent 6 920 627 B2, Jul. 19, 2005.
[21] Vivado Design Suite User Guide: Partial Reconfiguration (UG909),
Xilinx Inc., San Jose, CA, USA, Apr. 2016.
[22] M. Happe, A. Traber, and A. Keller, “Preemptive hardware multi-
tasking in ReconOS,” in Applied Reconfigurable Computing. Springer,
Mar. 2015, pp. 79–90.
[23] AXI HWICAP v3.0 LogiCORE IP Product Guide (PG134), Xilinx Inc.,
San Jose, CA, USA, Oct. 2016.
[24] G. L. Nazar and L. Carro, “Fast single-FPGA fault injection platform,”
in Proc. IEEE Int. Symp. Defect Fault Tolerance VLSI Nanotechnol.
Syst. (DFT), Oct. 2012, pp. 152–157.