Assertion Based On-line Fault Detection Applied on
UHF RFID Tag
Ibrahim Mezzah, Omar Kermia
Centre for Development of Ferhat Abbas University
Advanced Technologies
Algiers, Algeria chemalih@univ-setif.dz
imezzah, okermia@cdta.dz
Abstract—In this paper, we propose a new RFID tag
monitoring approach, based on adding an infrastructure circuit
to simultaneously monitor and save faulty tag behaviour, in
order to enable the implementation of advanced RFID diagnosis
functions and mainly to reinforce tag security against fault
attacks. The added infrastructure circuit is essentially composed
of hardware assertions exclusively devoted to on-line fault
detection on the tag. Saved information about detected faults can
then be read using RFID readers. Our approach is initially
evaluated and implemented in a developed tag emulator platform
based on an FPGA board, then thoroughly exercised to
demonstrate its valuable contribution to diagnosis means.
Experimental results, obtained via random fault injection
mechanism, show the effectiveness of the proposed approach.
Keywords—RFID; EPC UHF Class1 Gen2; On-line fault
detection; Diagnosis; Security; Fault attack.
I. INTRODUCTION
Nowadays, Radio Frequency Identification (RFID) is
widely deployed to a vast range of applications including
supply chain management, access control, identity recognition,
passports, localization, wireless sensor networks and much
more important applications.
Just as usual electronic devices, RFID tag is subject to
faults and errors due to internal defect or external disturbance.
A tag when defective leads to RFID detection and
identification failures and thus derogates the availability, the
reliability and the safety of the whole RFID systems [1].
However, security and privacy are the major factors that
interest the RFID community. There is a serious menace for
RFID systems delivered by malicious attacks that cannot be
caught and then may lead to disastrous consequences on the
people life. RFID tags are vulnerable to fault injection attacks
through several means like power variation, electromagnetic
interference and optical induction to obliging the tag to
perform inaccurate behaviours like jumping a cryptographic
task or buck in a secured state and finally delivering secured
data [2] [3]. Although important efforts have been deployed to
improve RFID systems reliability and security, much more
researches are still needed to meet the ever increasing fault
sources.
In this paper, we propose a new approach which consists
of adding an infrastructure circuit to an RFID tag chip in order
978-1-4799-3525-3/13/$31.00 ©2013 IEEE
Authorized licensed use limited to: University of Szeged. Downloaded on February 13,2023 at 17:32:53 UTC from IEEE Xplore. Restrictions apply.
Hamimi Chemali Omar Abdelmalek, Vincent Beroulle
and David Hély
Setif, Algeria Grenoble Institute of Technology
Valence, France
firstname.lastname@lcis.grenoble-inp.fr
to enable advanced diagnosis within RFID systems by
monitoring and saving faulty tag behaviours, on the one hand,
and to increase the tag security against fault attacks, on the
other hand. Hardware checkers which permit on-line fault
detection on the tag circuit are the main element of the extra
infrastructure circuit. Some of these checkers are provided by
the OVL library (Open Verification Library) whereas other
needed ones are to be designed to monitor tag state machines
transitions. The faults detected by checkers are counted and
saved within the tag memory. Then, reading this specific
information is possible through RFID reader and consequently
diagnosis could be developed.
Such approach has several benefits on RFID systems as
summarized in the following points:
x The added infrastructure circuit feedbacks the number
of detected faults within the tag, if this number is not
zero, this indicates that either the tag is defective or
that there is an external cause that influences the
operation of the tag.
x Existing methods allowing the detection of tags defects
and diagnosis failures of RFID system components are
based essentially on readers results [4] [5]. Though, the
proposed approach provides more information by
delivering the number of detected faulty tag behaviours
and permits therefore a better diagnosis on RFID
systems.
x The present approach allows to detecting faults
produced by fault attacks and thereafter permitting two
several actions: 1) Secure the tag against this type of
attacks by resetting the tag function when a susceptible
behaviour is detected. This action constitutes an
efficient way to prevent adverse to capture any usual
information from the tag or introduce undesired
modification within it. 2) Saving incorrect tag
behaviours in the tag memory would permit the owner
of the tag to access the saved information and identify
whether its tag has been subjected to fault attacks.
x The integration of sensors into semi-passive RFID tags
becomes widely used in Wireless Sensor Networks
(WSN) [6]. In order to keep an WSN application
running accurately, it is essential to detect failed sensor
 nodes and adopt an efficient diagnosis mechanism for detection in RFID tag. Standard OVL checkers have been
sensor nodes failures and then take appropriate actions selected to build these assertions with a benefit of portability
to continue using the correct parts while dealing with and effectiveness of OVL as well demonstrated in [16].
the failed ones [7]. Our approach allows better
recognizing failed and disturbed sensor nodes, Making multiple and efficient hardware OVL assertions in
improves working conditions of WSN and permits the a circuit allow to monitor its activity. When the circuit works
development of new enhanced diagnosis methods. properly, no violation is produced neither detected. Once a
violation is detected by an assertion checker, its error signal is
The proposed approach has been implemented and set indicating the presence of this violation which signifies
evaluated on a developed tag emulator based on FPGA board that one or multiple faults are produced inside the circuit.
compatible with EPC UHF Class 1 Generation 2 (EPC UHF
Gen2) RFID. The evaluation phase was realized by fault III. RFID TAG SELF MONITORING APPROACH
injection procedure into this tag emulator. We have used an
UHF reader to get the number of faults detected by the added In this part of the paper, we present our new approach
circuitry. which consists of implementing assertion checkers within
RFID tag in order to monitor its functionality. To validate the
The rest of this paper is organized in three main sections. proposed approach, a developed RFID tag circuit compatible
Section II introduces the principle of assertion based on-line with EPC UHF Gen2 standard [17] has been used. Figure 1
fault detection, section III explains the proposed RFID tag shows the block diagram of this tag where all blocks are
monitoring technique and the last section presents the elaborated in VHDL.
implementation of the proposed approach on evaluation FPGA
INPUT
platform using fault injection mechanism and discusses the PIE Command CRC module
obtained results. Decoder Decoder
Session Flags
Tag
FSM
II. ASSERTION BASED ON-LINE FAULT DETECTION OUTPUT PRNG
FM0/Miller Backscatter
Complexity of new systems involved the emergence of Encoder Generator Slot Counter
new verification methods for full system debugging. For this
purpose, Assertion Based Verification (ABV) has been
Backscatter Memory Tag
introduced and becomes widely used by designers to validate clock Generator Controller Memory
their products. An assertion refers to a property that must hold
globally in a system. If an assertion is ever violated, this Fig. 1. Experimented RFID tag block diagram.
indicates that a bug is present [8].
Assertion languages such as PSL (Property Specification The main characteristics of this architecture are: 2.56 MHz
Language) and SVA (System Verilog Assertion subset) tag clock frequency, 96 bits EPC (Electronic Product Code)
appeared with the aim of satisfying debugging need at a high length, support all mandatory commands plus the Access
level. Moreover, making efficient assertions at RTL level command, support FM0 and Miller response modes and User
(Register Transfer Level) throughout these languages and memory length up to 128 words. For experimental needs, the
following formal methods, simulation and emulation allows whole tag functionality is solely hardware implemented; the
yielding to an important bug coverage ratio and leading to Tag FSM (Finite State Machine) block is an 89 state machine
more accurate systems [9]. Assertions are introduced in a coded on 8 bits and constitutes the principle module which
design with the aid of dedicated libraries which contain a set controls the tag behaviour.
of assertion checkers that verify specific properties of a The added monitoring circuit includes thirteen assertions
design. Several ABV libraries are delivered by numerous checkers distributed all over the tag as shown in figure 2 and
companies. Among these libraries, the standard Open described in table 1.
Verification Library (OVL) developed by Accellera Inc.
provides designers vendor-independent interfaces [10]. INPUT c1 c3 c4
c2
Although assertion is used for design verification, several c12
c13

researches suggest the use of assertion for post-silicon purpose c9 c10

such as post-fabrication silicon debug, on-line testing and
fault-tolerant systems design [11] [12] [13]. When assertions OUTPUT c7 c6 c5
c8
cannot be directly implemented in hardware because they are
written in a higher-level language and dedicated to be
monitored by simulation, multiple approaches are proposed to
synthesize assertions given in PSL or SVA languages and
c11
thereafter permit the hardware implementation [11] [12].
Furthermore, there are few checker generators that permit an Activate reset signal
efficient generation and the implementation of hardware FSM fault counter Mapped at top
User memory
checkers [14] [15]. OVL checker FSM checker
OVL fault counter address

In this field, we have used assertions for on-line fault Fig. 2. Hardware assertions based proposed self monitoring tag.

Authorized licensed use limited to: University of Szeged. Downloaded on February 13,2023 at 17:32:53 UTC from IEEE Xplore. Restrictions apply.
 TABLE I. TYPE OF USED ASSERTIONS
One symbol
Assertion name clk
Assertion checker type Assertion number
(figure 2)
ovl_always 3 c2, c4 and c5 Tag input 0 1 0 1

ovl_implication 4 c6, c7, c8 and c10

Symbol FSM 11 00 11 00
ovl_next 1 c1 S2 S3 S0 S1 S2 S3 S0

ovl_one_hot 1 c9

ovl_zero_one_hot 2 c3 and c11 Fig. 4. Symbol FSM transition sequence.

FSM checker 2 c12 and c13 The second FSM checker c13 is devoted to monitor Tag
FSM transitions. Indeed, there is an important need in
monitoring this state machine because it controls a large part
Among implemented checkers, eleven ones are OVL
of the tag. Figure 5 illustrates the activity of this checker: the
checkers used to control the main tag signals composed of
previous tag state is saved in an 8-bit register for each clock
synchronous frame's reception, emission and tag state
period, and then decoded to identify the expected states; an
transition. The used OVL checkers types have been namely
error signal is activated if the current tag state does not
selected to monitor the whole tag behaviour. For example, as
correspond to any expected state. Unlike c12 checker, the
tag functionality is organized in three phases: the frame
transition condition checking is not added in c13 checker since
reception or waiting, the frame processing and finally the
there are several signals with the length of 250 bits that control
response transmission. The main signals that deal with these
the tag state transition; notice that adding the check of
phases are checked by c9 checker “ovl_one_hot” for detecting
transition condition in this case increases considerably the
any overlapping phase.
checker size. However, the error coverage of this checker
Nevertheless, as the synthesizable checkers of OVL library remains high (96.42%).
do not enclose the total reliability aspects that we aim to cover
Tag FSM checker (c13)
in the RFID tag, we developed two other checkers (c12 and clk
c13) in order to monitor two relevant FSMs [18]. As shown in Tag state (8-bit) clk
8-bit register
figure 2, the first FSM checker c12 is implemented in the PIE Current
(Pulse-Interval Encoding) decoder block; its role is to monitor Next tag state tag state Previous state
Symbol FSM transitions in order to detect any false transition
in this state machine. The diagram of the figure 3 illustrates Decode
Combinational
true and false symbol FSM transitions. logic

X
Expected states
‘1’ Error
Transition related signals Compare
Tag input = ‘0’
(250 bits)
‘0’ ‘1’
S0 S1
Fig. 5. Tag FSM checker activity.
True transition

As depicted before, the monitoring circuit provides the

False transition
‘0’
S3 S2 ‘1’
‘1’
‘0’
Fig. 3. Symbol FSM transitions diagram.
Symbol FSM is essential in the PIE decoder functioning
because it is used in each received symbol decoding, during
the frame reception (figure 4), in order to identify whether the
received symbol is 0 or 1 or else [17]. Figure 4 depicts a
Symbol FSM transitions sequence according to the tag input
sequence. For ensuring a well reception of each frame, c12
detects all false transitions including the check of transition
condition; this therefore allows, with the use of c1 and c2
OVL checkers, to detect multiple faulty behaviours of the
receiving module (figure 2).
numbers of faults detected and activates a reset signal in fault
detection case. Therefore, two counter registers, FSM fault
counter and OVL fault counter, are inserted to count detected
faults by each type of checkers (figure 2). These registers are
mapped at the top User tag memory address to permit reading
and erasing contents. Reset signal is generated after fault
detection by any implemented checker for avoiding any
unwanted tag task. We chose to implement two counters in
order to distinguish count detected faults of each type of
checker. However, one can use one or multiple counters in
conformity with the appropriate diagnosis task procedure.
The area occupation of the developed tag before and after
adding on-line fault detection infrastructure is illustrated in
table 2. The obtained results are based on Xilinx Spartan-3E
XC3S500E FPGA implementation and demonstrate that LUTs
(lookup tables) occupation is increasing by 15.23% after
adding the infrastructure circuit. Note that slice occupation of
the tag before and after adding the proposed circuit is 13% and
15% respectively.

Authorized licensed use limited to: University of Szeged. Downloaded on February 13,2023 at 17:32:53 UTC from IEEE Xplore. Restrictions apply.
 TABLE II. RFID TAG AREA OCCUPATION ON SPARTAN-3E FPGA
BEFORE AND AFTER IMPLEMENTATION OF ON-LINE FAULT DETECTION
Area occupation
Circuit
LUTs Flip Flops
Tag without infrastructure 1195 373
Added infrastructure 182 46
Tag with infrastructure 1377 419
Area increase 15.23% 12.33%
IV. PROPOSED APPROACH EXPERIMENTATION
In order to evaluate the proposed monitoring approach we
have used the experimental platform illustrated in figure 6, it
is composed of the three following elements:
1) Xilinx Spartan-3E Starter Kit: FPGA development
board, used to implement the developed tag circuit.
2) Front-end module: it permits reception and
transmission of UHF signal through its antenna. It is
connected to FPGA I/O pins to form the UHF RFID tag
emulator platform.
3) LinkSprite RFID UHF Gen2 reader: used to
communicate with tag emulator for performing both read and
write operations. It connects to a PC like via USB interface for
getting associated software benefit of changing configuration
parameters and communicating with existing tags.
Fig. 6. Experimental platform.
To evaluate fault detection capability of developed
infrastructure, we have used the fault injection approach
presented in [19]. This approach is based on VHDL fault
inject technique by adding fault injection block in RTL level
(Register-Transfer Level) to allow time and space pseudo-
random fault injection in several targeted signals. By these
means, it is possible to inject permanent or transient fault
according to the case study. Thus, it allows simulation and
emulation of multiple physical faults where SEU (Single
Event Upset) is essential for the present case. Such fault
Authorized licensed use limited to: University of Szeged. Downloaded on February 13,2023 at 17:32:53 UTC from IEEE Xplore. Restrictions apply.
injection method is used with some added features to enabling
fault injection to selected main tag signals directly connected
to checkers’ inputs. Figure 7 illustrates fault injection actions
for a formed 24-bit vector.
Fault injection block
Signal 1
Signal 2
Signal 3 Fault insertion logic
24 bits (space pseudo-random)
Signal n
Signal 1_f
Fault activation logic Signal 2_f
1 0 Signal 3_f
(time pseudo-random) enable
Signal n_f
Fig. 7. Fault injection block overall operation.
Fault injection module is VHDL instantiated in the
developed tag circuit and recall that other added logic is
exclusively devoted to build a complete fault emulation
platform. This added logic should provide useful information
about injected and detected faults. After instantiation of the
fault injection block, circuit implementation is completed via
the standard procedures of launching translate, place and route
processes and finally loading generated configuration file on
the FPGA using Xilinx ISE.
Monitoring circuit evaluation has been carried out through
numerous experiments where 2051 faults have been injected.
An experience starts by launching tag scan process by RFID
reader during several seconds. The fault injection with a rate
of 0.006% is automatically activated during communication
while tag is running. During fault injection, only one fault is
injected randomly in one bit within signals vector by inverting
its value. When scan process is stopped, fault injection is
automatically halted and then results are collected in two
ways:
a) The number of faults detected by assertion checkers
is obtained through RFID reader by reading data stored at the
top address (07h) of tag User memory as shown in figure 8.
b) The number of total injected faults and the number of
real detected faults are obtained through 8 LEDs of FPGA
board with the aid of on-board switches by multiplexing
internal data.
This experimental phase is carried on disabling the tag
reset once one error is detected; disabling this option allows
observing the tag behaviour and all detected faults by
checkers. The obtained results are given by table 3, we see that
all number of faults detected by implemented checkers is
3358, knowing that one injected fault can produce multiple
errors and thereafter numerous fault detections by checkers.
Wherefore, we deliver also in the same table the actual
number of detected faults which is the turn of 73% from the
2051 faults initially injected. Actual detected faults number
includes faults injected which have not been missed by
checkers. This percentage represents the fault coverage of all
implemented checkers while fault coverage differs between
different checkers. Note that some undetected faults are
masked and do not provide any effect to the tag behaviour,
leading them to be missed by checkers.
 injections techniques. Experimental results have shown that
73.28% of the injected faults have been detected.
In a future work, we plan to study the effectiveness of our
approach to protect the tag against fault attacks by considering
real attacks conditions and environments. We also plan to
implement new checkers for the tag software parts for
monitoring program execution flows and in consequence
improve security.

REFERENCES
[1] C.-T. Huang et al., “Construction of an Online RFID Enabled Supply
Chain System Reliability Monitoring Model,” International Symposium
on Computer, Consumer and Control, June 2012, IEEE, pp.626-629.
[2] M. Hutter, J.-M. Schmidt, and T. Plos, “RFID and Its Vulnerability to
Faults number Faults,” Cryptographic Hardware and Embedded Systems, pp. 363–379,
detected by 2008, Springer Berlin Heidelberg.
OVL checkers [3] M. Hutter, S. Mangard, and M. Feldhofer,“Power and EM Attacks on
Faults number Passive 13.56MHz RFID Devices,” Cryptographic Hardware and
detected by Embedded Systems, pp. 320-333, 2007, Springer Berlin Heidelberg.
FSM checkers [4] G. Fritz, V. Beroulle, M. D. Nguyen, and D. Hély, “RFID system on-line
testing based on the evaluation of the tags Read-Error-Rate,” Journal of
Electronic Testing, 2011, Vol. 27, Issue 3, pp. 267-276, Springer.
[5] R. Kheddam et al., “Online monitoring and diagnosis of RFID readers
Fig. 8. Reading detected faults numbers with RFID reader functions.
and tags,” 20th International Conference on Software,
Telecommunications and Computer Networks, Sept. 2012, IEEE, pp.1-9.
TABLE III. FAULT DETECTION EFFECTIVENESS [6] A. Ruhanen, M. Hanhikorpi, F. Bertuccelli et al., “Sensor-enabled RFID
tag handbook,” BRIDGE, IST-2005-033546, January 2008.
All Actual detected faults [7] M. Aliouat, Z. Aliouat, and M. Naidja, “Adaptative nodes diagnosis and
Injected
Assertion type detected recovery for Wireless Sensor Networks,” IEEE Symposium on Computer
faults Number Percentage
faults Applications and Industrial Electronics, Dec. 2012, IEEE, pp.256-261.
FSM checkers 1542 1011 49.29% [8] Y. Tao, “An introduction to assertion-based verification,” IEEE 8th
International Conference on ASIC, October 2009, IEEE, pp. 1318-1323.
OVL checkers 2051 1816 492 23.98%
[9] M. Boulé, and Z. Zilic, “Incorporating Efficient Assertion Checkers into
Total 3358 1503 73.28% Hardware Emulation,” IEEE Intl. Conference on Computer Design,
2005, pp. 221-228.
[10] “Accellera Standard OVL V2 Library Reference Manual,” Accellera
From the proposed approach implementation, it results that Systems Initiative Inc., CA, USA, January 2013, accellera.org.
a 15% tag area increase due to the checkers allowed up to 73% [11] M. Boule, J.-S. Chenard, and Z. Zilic, “Assertion checkers in
fault coverage; this latter may be enhanced by adding more verification, silicon debug and in-field diagnosis,” 8th International
Symposium on Quality Electronic Design 2007, pp. 613-620,
checkers in the circuit but on the behalf a considerable total Washington, DC, USA, IEEE, 2007.
area increase. Indeed, it should be emphasised, at this stage, [12] M. Riazati, S. Mohammadi, A. Afzali-Kusha and Z. Navabi, “Improved
that enhanced error coverage with a minimum added area Assertion Lifetime via Assertion-Based Testing Methodology,”
should be investigated. International Conference on Microelectronics, IEEE, 2006, pp. 48-51.
[13] P. Kubalik, P. Fiser, and H. Kubatova, “Fault tolerant system design
method based on self-checking circuits,” 12th IEEE InternationalOn-
V. CONCLUSION Line Testing Symposium, IEEE, 2006, pp. 2-pp.
In this paper, a new self-monitoring capability of an RFID [14] M. Boule, and Z. Zilic, “Incorporating efficient assertion checkers into
tag chip, based on an added infrastructure circuit, is presented. hardware emulation,” International Conference on Computer Design,
The main goals targeted by integrating this feature to the 2005, IEEE, pp. 221-228.
RFID tag is twofold, building enhanced diagnosis means [15] Katell Morin-Allory, Dominique Borrione, “Proven correct monitors
from PSL specifications,” DATE, Germany, 2006, pp. 1246-1251.
within RFID systems and reinforcing tag protection against
[16] M. R. Kakoee, M. Riazati et al., “Enhancing the testability of RTL
fault attacks. Added infrastructure comprises several hardware designs using efficiently synthesized assertions,” 9th International
blocks and OVL checkers. The fault detection number, saved Symposium on Quality Electronic Design, IEEE, 2008, pp. 230-235.
in internal tag memory can be then, read or reset through any [17] “EPC Radio-Frequency Identity Protocols Class-1 Generation-2 UHF
RFID reader. RFID, Protocol for Communications at 860 MHz – 960 MHz,” Vertion
1.2.0, October 2008, EPCglobal Inc., gs1.org.
The proposed approach has been implemented and tested
[18] C. Bolchini et al., “Design of VHDL-based totally self-checking finite-
with a developed tag architecture based on finite state state machine and data-path descriptions,” IEEE Transactions on Very
machines very compatible with EPC UHF Gen2 RFID Large Scale Integration Systems, vol.8, no.1, pp.98-103, Feb. 2000.
standard. Tag emulation platform, based on FPGA board, has [19] S. R. Seward, and P. K. Lala, “Fault injection for verifying testability at
been used to evaluate fault detection capabilities of the the VHDL level,” International Test Conference, 2003, pp. 131-137.
proposed approach through building hardware random fault

Authorized licensed use limited to: University of Szeged. Downloaded on February 13,2023 at 17:32:53 UTC from IEEE Xplore. Restrictions apply.