Improvement of Fault Injection Techniques Based on
VHDL Code Modification
J.C. Baraza, J. Gracia, D. Gil and P.J. Gil
Fault Tolerant Systems Research Group (GSTF) - Department of Computer Engineering (DISCA)
Technical University of Valencia, Spain
e-mail: {jcbaraza, jgracia, dgil, pgil}@disca.upv.es
Abstract Fault injection techniques based on the use of VHDL
as design language offer important advantages with regard to
other fault injection techniques. First, as they can be applied
during the design phase of the system, they allow reducing the
time-to-market. Second, this type of techniques present high
controllability and reachability. Among the different techniques,
those based on the use of saboteurs and mutants are especially
attractive due to their high capability of fault modelling.
However, it is difficult to implement automatically these
techniques in a fault injection tool, mainly the insertion of
saboteurs and the generation of mutants. In this paper we
present new models of saboteurs and mutants that can be easily
applicable in VFIT, a fault injection tool developed by the Fault-
Tolerant Systems Research Group (GSTF) of the Technical
University of Valencia.
Index Terms VHDL-based fault injection, Saboteurs, Mutants.
I. INTRODUCTION
During last years, the utilisation of Fault-Tolerant Systems
has been continuously growing. As the use of these systems is
generalising, a diagnosis in early phases of the design cycle
allows saving time and money during their development. A
common experimental method for diagnosis is Fault Injection
[1].
Fault injection techniques can be classified in three main
categories [2]: physical (or Hardware Implemented Fault
Injection, HWIFI), software implemented (SWIFI) and
simulation-based.
Simulation-based fault injection is a useful experimental
way to evaluate the dependability of a system during the
design phase. An early diagnosis allows saving costs in the
design process, avoiding redesigning in case of error, and thus
reducing the time-to-market [3]–[5]. Another interesting
advantage of this group of techniques with regard to others is
that those based on simulation offer both high observability
and controllability of all the modelled components [6].
Particularly, there exist a group of fault injection
techniques based on the use of VHDL [7] as modelling
language. These techniques are widely applied, due to the
advantages of employing a standard hardware description
language. This work is framed in this group of techniques.
Fig. 1 shows a classification of VHDL-based fault injection
techniques.
Simulator commands technique is based on the use of
simulator commands to modify the value or timing of the
model signals and variables, without altering the VHDL code
[3]. In the remaining techniques, the original VHDL code of
the model is modified, either inserting saboteurs [3], [8], [9]
or mutating the model components [3], [10], [11].
Signals
Simulator
commands
VHDL-based Variables
fault injection Saboteurs
VHDL code
modification
Mutants
Other techniques
Figure 1. VHDL-based fault injection techniques
The techniques labelled as Other techniques are
implemented extending the VHDL language, either by adding
new data types and signals, or modifying the VHDL
resolution functions [4], [12]. The new data types and signals
defined include the fault behaviour description. Nevertheless,
these techniques require developing ad-hoc compilers and
simulators, and introducing control algorithms to manage the
language extensions.
Our research group has developed VFIT [13], [14], a
VHDL-based fault injection tool that applies several of the
techniques described above. In fact, only the Other
techniques group have not been implemented due to their
excessive complexity.
The objective of this work is to present new designs of
saboteurs and mutants, and to show how these new designs
can be automatically inserted in a model in order to perform a
fault injection campaign. Some models of saboteurs and
mutants [15] will be discussed and revised, and new models
will be proposed.
The distribution of the paper is as follows. In Section II we
explain summarily VHDL-based fault injection techniques.
Section III describes VFIT, the fault injection tool developed.
In Section IV, the models of saboteurs included in VFIT are
discussed, and a new set of models are proposed. Section V
analyses the models of mutants currently used in VFIT, and
presents a new implementation method. Some results of
implementing the new methods proposed are shown in
Section VI. Finally, both a discussion of the results and a
proposal of future work are provided in Section VII.
II. VHDL-BASED FAULT INJECTION TECHNIQUES
A. Fault Injection Using Simulator Commands
This fault injection technique is based on using the
commands of the simulator at simulation time, in order to
modify the value or timing of the signals and variables of the
model [15]. Moreover, VHDL generic parameters are
managed as special variables. This enables the injection of
some non-usual fault models, such as delay faults [5].
Using simulator commands permits injecting transient,
permanent and intermittent faults. Though, there exists one
restriction: due to the special nature of variables in VHDL, it
is not possible to inject permanent faults in variables.
This technique is the easiest one to implement, and its
temporal cost (to perform the simulation) is by far the lowest.
B. Fault Injection with Saboteurs
A saboteur is a special VHDL component added to the
original model [9], [5]. When activated, the mission of this
component is to alter the value, or timing characteristics, of
one or more signals when a fault is injected. During the
normal operation of the system, instead, the component
remains inactive. Saboteurs affect to the ports of the
components in the model. Thus, this technique is applicable
only to structural descriptions.
Attending to how saboteurs are inserted in the model, two
types can be distinguished: serial and parallel [3]. As Fig. 2-a
shows, a serial saboteur interposes between a component port
and its source signal, whereas a parallel saboteur (Fig. 2-b) is
added as an additional source of a given signal.
O I
Original model O I
O I
n
Control
O I
Sabotaged model O S I O
n logic (i.e. Single Event Transients, SETs).
S An injection experiment is performed in three phases:
(a) (b)
Control
Figure 2. Types of saboteurs. (a) Serial. (b) Parallel
Parallel saboteurs have two important drawbacks respect to
serial: first, implementing them is noticeably more complex,
because it is necessary to modify the data type of the signal
affected, as well as the resolution function associated to the
type. And second, they allow injecting fewer fault models.
For these reasons, their implementation has no special
interest. So, in this work, only serial saboteurs will be
considered.
C. Fault Injection with Mutants
A mutant is a component that replaces another component.
While inactive, it works like the original component, but
when it is activated, it behaves like the component in
presence of faults. The mutation can be made in three ways:
• By adding saboteurs to structural model descriptions.
• By modifying structural descriptions replacing sub-
components (i.e., a NAND gate can be replaced by a
NOR gate).
• By modifying syntactical structures of behavioural
descriptions.
There could exist lots of possible mutations in a VHDL
model, but representative subsets of faults at logical and RT
levels can be considered [10], [11]: replacement of values of
conditions of if and case statements (called stuck-then,
stuck-else, dead clause, etc.), disturbing assignment
statements (assignment control, global stuck-data, etc.),
disturbing operators in expressions (micro-operation, local
stuck-data), etc.
III. THE FAULT INJECTION TOOL
The Fault Tolerant Systems Research Group (GSTF) has
developed a fault injection tool called VFIT (VHDL-based
Fault Injection Tool) [13], [14], whose main features are:
• It runs on PC computers (or compatible) under
Windows.
• It is model-independent.
• It has been built around a commercial simulator,
ModelSim [17], by Model Technology. The reason
is that ModelSim allows controlling the simulation by
using Tcl1 commands, being possible to inject faults.
• It is able to inject faults automatically applying
simulator commands technique. It also allows injecting
faults using saboteurs and mutants, but in this case the
injection process needs the intervention of the user
because the insertion of the saboteurs and the
generation of mutants are not automatic.
• It can inject permanent, transient and intermittent faults.
• As Table I shows, it has a wide set of fault models that
try to be representative of deep submicron technologies.
This set surpasses the classical stuck-at (for permanent
faults) and bit-flip (for transient faults). The model
I
called pulse represents transient faults in combinational
• Set-up, where the parameters of the experiment are
specified. These parameters are related to the model
(i.e. workload file, workload duration, etc.), the
injection of the faults (i.e. injection technique, number
of faults, fault target selection, fault duration, fault
models, selection of injection instant, etc.), and the type
of analysis to carry out (error syndrome or validation of
a Fault-Tolerant System).
• Simulation. Here, the model is simulated in presence of
faults, generating a golden run and a number of faulty
simulation traces.
• Analysis. In this phase, every faulty trace is compared
to the golden run, extracting different measures
depending on the type of analysis selected.
The main elements of VFIT, shown in Fig. 3, are:
• Tool Configuration. The mission of this module is to
configure the tool, considering the simulator as a part of
it, setting both the tool and simulator parameters.
• Graphic Interface. With this utility, the user can specify
the injection parameters and analysis conditions needed
to perform an injection campaign. To allow the user to
select the injection targets, it uses the syntactic tree of
the model, generated by the Syntactical and
Lexicographical Analyser.
1
Tool Command Language, it is a standard macro language.
 TABLE I. FAULT MODELS INJECTED BY VFIT

Injection technique Transient faults Permanent/Intermittent faults

Simulator commands Pulse*, Bit-flip**, Indetermination, Delay Stuck-at (0,1), Indetermination, Open-line, Delay
Saboteurs Pulse*, Bit-flip**, Indetermination, Delay Stuck-at (0,1), Indetermination, Open-line, Delay,
Short, Bridging, Stuck-open
Mutants Syntactical changes Syntactical changes
* In combinational logic. Represents a Single Event Transient (SET)
** In storage elements (registers and memory). Represents a Single Event Upset (SEU)

2000-25425). In FIT project, TTPTM/C [18], a real TTP-based

User communications controller was validated [19]. In DBench
project, the representativeness of fault models was studied by
analysing the error syndrome of several micro-controllers
VHDL
Syntactical and syntactic Graphic
[20].
Lexicographical tree
model Analyser of the Interface
model

IV. AUTOMATING THE INSERTION OF SABOTEURS

VHDL
In this Section, after discussing the main advantages and
injection analysis
injector
library
config. config.
drawbacks of other saboteur models previously developed,
we describe a new set of saboteur models implemented. Also,
injection Injection
we include an example of how to automate the insertion of
macro
library
Manager saboteurs using the new proposal.
A. Previous Models
Tool
injection
Nowadays, VFIT can inject faults using serial saboteurs
Configuration
inserted manually in the design. The models of saboteurs
macro

implemented are [15]:

VHDL
Simulator
Result
trace
Analyser
files
VFIT
Figure 3. VFIT block diagram
• Injection Manager. This module controls the injection
process. Using the injection configuration file generated
by the Graphic Interface, it 1) creates a series of
injection macros, in order to perform an error-free
simulation (that is, a golden run) and the number of
fault-injected simulations specified in the parameters,
and 2) invokes the simulator to run the macros,
obtaining the simulation traces. The simulator is
launched in background, thus the overhead introduced
by VFIT to the execution time is almost negligible.
• VHDL Simulator. As indicated above, we have used the
commercial VHDL simulator ModelSim, by Model
Technology.
• Result Analyser. This module takes as input the analysis
configuration file generated by the Graphic Interface.
According to the parameters there, it compares all the
faulty-traces to the golden run trace, looking for any
mismatches and extracting the analysis parameters
specified.
VFIT has been applied in various research projects. The
most important are “Fault Injection for TTA” (FIT, IST-1999-
10748) and “Dependability Benchmarking” (DBench, IST-
• Serial Simple Saboteur, SSS: It interrupts the
connection between an unidirectional local port of a
component and its formal port, modifying either its
value or its timing.
analysis
results
• Serial Simple Bi-directional Saboteur, SSBS: It has two
bidirectional ports, and a read/write signal (R/W) that
determines the direction of the perturbation.
• Serial Complex Saboteur, SCS: It breaks the connection
between two unidirectional local ports and their formal
ports, modifying either their values or their timing.
• Serial Complex Bi-directional Saboteur, SCBS: It has
two couples of bi-directional ports, and a read/write
signal (R/W) that determines the direction of the
perturbation.
• n-bit Unidirectional Simple Saboteur, nUSS: It applies
to n-bit unidirectional buses (for instance, address and
control). It has been implemented by means of a
structural description, using n Serial Simple Saboteurs.
• n-bit Bi-directional Simple Saboteur, nBSS: It is used
with n-bit bi-directional buses (for instance, data and
control), and it is composed by n Serial Simple Bi-
directional Saboteurs.
• n-bit Unidirectional Complex Saboteur, nUCS: It
applies to n-bit unidirectional buses, and it is composed
by n/2 Serial Complex Saboteurs.
• n-bit Bi-directional Complex Saboteur, nBCS: It is used
with n-bit bi-directional buses, and composed by n/2
Serial Complex Bi-directional Saboteurs.
Every saboteur is controlled by means of three inputs:
• Control, whose mission is the timing of the injection:
its activation determines both the injection instant (tinj)
 and the fault duration (∆tinj). It can be seen more clearly
in Fig. 4.
∆tinj
Control fault
tinj t their length is defined by means of a generic parameter.
Figure 4. Timing of fault injection
• Selection, that allows selecting the fault model to be
injected.
• R/W, which indicates, in the bi-directional versions, the
direction of the perturbation.
Although this technique requires an extra complexity due
to the addition of these control signals, saboteurs allow
injecting more fault models than simulator-commands (see
Table I). This makes the technique attractive enough.
However, at the time we intended to incorporate the
models developed to VFIT, some problems were found when
we tried to automate the selection of the most adequate
saboteur model in every case. The main causes were the
excessive number of saboteur models and the way they are
implemented (by means of structural descriptions). We have
tried a new set of models that fix some ambiguity difficulties,
reduce the number of saboteurs, and simplify their
complexity, and consequently, also the complexity of the
sabotaged design.
B. Enhanced Models
The new models of saboteurs proposed, shown in Fig. 5,
are four [21]:
• Unidirectional Serial Saboteur, USS: It is the same
model as the SSS in the previous set, although the USS
allows injecting new fault models.
• Bi-directional Serial Saboteur, BSS: It is similar to the
SSBS in the first set, but like in previous case, the fault
model set that can be injected has been extended. Also,
it eliminates the R/W control signal.
• n-bit Unidirectional Serial Saboteur, nUSS: This model
replaces all the unidirectional multi-bit models in prior
model set.
• n-bit Bi-directional Serial Saboteur, nBSS: It replaces
all bi-directional multi-bit models in the former
proposal, and eliminates the R/W control signal.
Figure 5. New set of saboteurs implemented. (a) Unidirectional Serial
Saboteur; (b) Bi-directional Serial Saboteur; (c) n-bit Unidirectional Serial
Saboteur; (d) n-bit Bi-directional Serial Saboteur [21]
This new set of models has important differences respect
to prior ones:
• All the models have been implemented using
behavioural descriptions. This simplifies greatly their
code and, what is more important, also the code of the
design including the saboteurs. Moreover, the n-bit
versions can be used for vectors of any length, because
Every time a n-bit saboteur is added to the model, the
actual value of the generic parameter must be set.
• The number of saboteurs has been reduced to ease their
automatic insertion. Now, depending on both the length
(1 bit or n bits) and the mode (that is, the directionality)
of the port sabotaged, only one model can be chosen.
• The bi-directional versions have the capability of
injecting the fault only in the direction that data flow. In
this way, the R/W input used in the models of prior
version is not anymore needed, thus reducing the
overhead.
• They can inject more fault models: pulse, short, and
bridging.
C. Automatic Insertion of Saboteurs in the Design
Although the task of modifying automatically a source
code seems apparently very complex, if we consider that it
should be carried out by a tool that includes a parser (in the
case of VFIT, the Syntactical and Lexicographical Analyser)
this is not actually so. The syntactical tree of the model
contains the complete structure of the model, so it is possible
to go over the tree and generate a new copy of the source
files, inserting new sentences or modifying other existing as
needed. The insertion of saboteurs involves three actions:
1. Declaring the signals required to activate the saboteurs
and to select the fault model to be injected.
2. Declaring the components of the saboteurs introduced.
3. Inserting the instances of the saboteurs, interposing
between local and formal ports of the sabotaged
components. This also implies declaring new signals to
connect the saboteurs to local ports, and modifying the
original mapping of ports.
Fig. 6 shows an example of a sabotaged model. Shaded
boxes and dashed lines in lower scheme represent
respectively the saboteurs and the connection signals added to
the model.
i1 o1
i2 o2
4 4
USS
i1 o1
i2 o2 4
4 4 4
nUSS nUSS
Figure 6. Example of perturbation of a model. Distribution of saboteurs [21]
Fig. 7 describes how the three actions affect to the VHDL
code of the model. To simplify, only the insertion of one
saboteur is shown, but the operation is exactly the same for
all of them. In the figure, the original VHDL code is shown at
the left side, and the perturbed code at the right side. Here, the
text in bold types represents the new code.
 Insertion of additional signals (control + connection)
Insertio
n of sa
boteur
declara
ti
Inte
rpos
it ion
o f sa
Figure 7. Example of perturbation of a model. Modification of the VHDL code [21]
It is possible to distinguish in the figure the three actions
mentioned. Remark that in the signal declaration, not only the
control and selection signals are included, but also those
required to connect the saboteurs.
With the new set of models proposed, automating the
insertion of saboteurs in a model (in previously selected
locations) will be relatively easy.
V. AUTOMATING THE GENERATION OF MUTANTS
Injecting faults using mutants is quite more difficult than
with the other two techniques described in Section II. The
main problem lies on the spatial overhead introduced due to
the generation of the mutations of the model. Nevertheless, in
modern computers the storage is not actually a problem, so
implementing this technique is nowadays more feasible.
In this Section, after discussing the drawbacks of two
approaches of implementation of mutants, a new method is
presented. Also, an example of automatic generation is
shown.
A. Previous Approaches
VFIT can inject faults using mutants inserted manually in
the design (see Section III). In this subsection, the methods
followed to implement this technique are described.
ons
bot e
ur s
The first approach to implement mutant-based fault
injection consisted on generating multiple replicas of the
architectures of all the components in the model, where every
replica includes one modification (or mutation) in the VHDL
code [15]. By means of the VHDL configuration mechanism
(that is, the configuration statement), multiple versions
(mutations) of the model can be generated. Also, there exists
another configuration that includes all the original versions of
all the model components.
The injection consists on selecting and simulating one of
the multiple mutated configurations of the model. Due to the
static nature of the configurations, only permanent faults can
be injected using this approach, and moreover, from the very
beginning of the simulation.
To fix this problem, a dynamic approach was developed.
It was based on the use of guarded signals together with
the configuration mechanism [15]. In this way, at simulation
time it is possible to stop the simulation of the original
version of the model, and restart it simulating a faulty
configuration. By using a number of simulator commands, it
is possible to save on a file the status of the simulation (that
includes the simulation time and the value of all the signals
and variables of the model) of the original version of the
model, and restore the same status in the simulation of the
faulty configuration. With the dynamic approach it is possible
to inject (at any injection time) permanent, transient and
intermittent faults.
However, this implementation has a serious drawback: the
synchronisation (that is, saving and restoring the simulation
status) between two simulations involves an enormous
temporal cost. In [15], a comparison of the temporal cost of
the three fault injection techniques implemented in VFIT was
presented. The results showed that the average simulation
time (that is, the duration of simulation phase) was more than
100 times longer when using mutants than when using
simulator commands, evidently due to the synchronisation
between the simulations.
B. A New Proposal to Implement Mutants
To avoid synchronising simulations, we suggest a brute
force implementation. What we propose is simple: to generate
a unique mutated version of every architecture used in the
model, that includes all the possibilities of mutation
considered previously in the configuration phase [21].
Obviously, if no statement is selected to be mutated in a
particular architecture, no mutation is required.
In most cases, the modifications in the code are included
by using if and case statements, although there are other
possibilities, as shown in the example in Fig. 8. The aim of
this type of modifications is to allow choosing among the
correct statement and multiple wrong versions. For this
purpose, a new input port (called Selection) must be
inserted in the interface of the entity. The mission of Selection
port is to specify the particular mutation to be activated, by
asking its value in every “branch” of the mutated code. We
call “branch” to every statement inserted to select between the
correct operation and the wrong ones. The condition to
activate one of the options is that the value of Selection
coincides with the value specified in the selection statement.
Another modification required is to declare a
Fault_Selection signal in the upper level of the model, which
will be associated (mapped) to every local Selection port of
the mutated components inserted, replacing the original ones.
With this approach, also injecting faults becomes very easy.
By using simulator commands, the value of Fault_Selection
signal can be modified at simulation time. In this way, it is
possible to inject faults of the same time characteristics than
with simulator-commands technique: transient, permanent
and intermittent.
Remark that, respect to prior approaches, the new method
reduces not only the temporal overhead, but also the spatial,
as multiple entire replicas of each architecture are replaced by
only one that includes all the modifications. However, some
temporal overhead could be expected in the simulation time
due to the higher complexity of the mutated model.
C. Automatic Generation of Mutants
This new proposal to implement mutants is so simple that
automating the generation of mutants of a given model is not
complicated at all. Assuming that an injection tool has a
parser, locating in the code the target statements to be
mutated and replacing them with new ones is very easy. Next
we show a practical example.
As mentioned earlier, Fig. 8 represents the mutation of a
component inserted in a given model. At the left side we can
see the original VHDL code of the component, and at the
right side, the mutated code. Here, the text in bold types
represents the modifications introduced. The arrows labelled
with (1) correspond to modifications in the interface, and
those labelled with (2) to the mutation of statements. In the
example, a signal assignment and an if statement have been
mutated. The signal assignment has been replaced with a
conditional signal assignment, and to mutate the if, a case
statement has been inserted. Both operations will be easy to
perform automatically.
The modifications in the top level of the design are not
shown, as they have been already explained before.
VI. COMPARISON OF THE INJECTION TECHNIQUES USING THE
NEW MODELS OF SABOTEURS AND MUTANTS
To compare the performance of the new methods proposed
to implement saboteurs and mutants, we have repeated some
of the experiments described in [15]. The most relevant
injection parameters are the following:
1. System model: An academic fault-tolerant micro-
computer system, duplex with cold stand-by sparing,
parity detection and watchdog timer based on MARK2
microprocessor [22].
2. Injection technique: Simulator commands, saboteurs
and mutants.
3. Number of faults: 3000 single faults per experiment.
4. Fault types and duration: Transient, with a duration
defined according to a Uniform distribution function in
the range [0.1Tcycle, 10.0Tcycle], where Tcycle is the CPU
clock cycle.
5. Fault models: See Table I.
6. Workload: Arithmetic series of 5 integer numbers.
Respect to original experiments, we have changed only the
computer where the simulations have been run. In the original
experiments, the computer had a Pentium II microprocessor
at 350 MHz and 192 Mbytes of RAM. In the experiments
described here, the computer used has a Pentium 4
microprocessor at 2.80 GHz and 1 Gbyte of RAM.
We have inserted the equivalent new models of saboteurs
in the same places as in the original experiments. Also, we
have introduced in the model all the same mutations as in the
original experiments. Finally, we have performed an
experiment using simulator commands technique to be used
as reference in the comparisons.
In order to make a complete comparison of the injection
techniques (and of the different versions), we have measured
the following parameters in all cases:
• The average simulation time (of one experiment).
• The average analysis time (of one experiment). It is the
duration of the analysis phase.
• The average size of the simulation traces. We have
included it to see if the new methods provoke a
significant growth in the number of simulation events.
Table II shows the comparison of the values obtained for
all the injection techniques and versions. From the table we
can observe significant differences between the new and the
old implementations.
A. Comparison of Saboteur Approaches
In the case of saboteurs, we can observe on the one hand,
that the average simulation time is similar to the one with
simulator commands in both cases, although the new models
are slightly slower. The reason can be their higher functional
complexity. However, the average analysis time is a bit lower
in the new models. It may be due to a reduction in the number
of simulation events in the traces, respect to the old approach.
On the other hand, the results obtained in both groups of
experiments are statistically equivalent.
With respect to the trace size, it is slightly bigger than for
simulator commands because of the increment of simulation
events. If we consider that the new set enlarges the fault
model set injected, as pointed in Section IV, we can conclude
that the new set of saboteurs has enhanced the performance of
the technique respect to former models.
B. Comparison of Mutant Approaches
In the new mutant implementation, the average simulation
time has reduced dramatically down to the same order as
when using simulator commands technique. In these
experiments, the temporal overhead is negligible. The reasons
are two: (i) the model is quite simple, and (ii) the total
(1)
(1)
(1)
(2)
(2)
(2
)
Figure 8. Example of mutation of a model. Modification of the VHDL code of a component [21]
number of mutations introduced in the model is not very high
(about 60). The average analysis time is also of the same
order as with simulator commands. Considering the results of
both groups of fault injection experiments, the outcomes
obtained are statistically comparable. This means that these
preliminary data confirm our forecasts.
C. Comparison of the Injection Techniques
Comparing only the injection techniques, and considering
exclusively the new methods proposed, one could assert that
fault injection with mutants has now the same complexity as
with simulator commands. However, this affirmation is true
under the conditions of these test experiments. Perhaps when
applied to more complex models (or simply inserting more
mutations) it could be expected a higher temporal cost in both
the simulation and analysis times.
The advantages of new saboteurs are not so noticeable,
because their improvements are not numeric, but related to
the easiness of their automatic insertion, as well as to the
number of fault models. This technique introduces a strong
overhead in the model, due to the insertion of new
components (the saboteurs) and signals required to connect
them. In any case, the temporal cost is completely affordable
with modern computers, so the technique still remains
attractive.
 TABLE II. COMPARISON OF THE INJECTION TECHNIQUES USING THE NEW MODELS OF SABOTEURS AND MUTANTS
Injection technique (version)
Parameter Simulator commands Saboteurs (old)
Simulation Time (min.) 25 25
Analysis Time (min.) 6 10
Trace Size (Kbytes) 327 337
VII. CONCLUSIONS
In this paper, new methods to implement and use saboteurs
and mutants into VHDL models in an automatic way have
been proposed.
The new models of saboteurs fix some problems of
ambiguity that the previous approach had. These problems
prevented their automatic insertion. Moreover, the new models
have been implemented in such a way that they diminish the
overhead, by reducing the number of signals required to
manage bi-directional saboteurs. Another enhancement respect
to prior models is that they allow injecting more fault models.
The results of comparing both proposals do not reflect these
improvements. Instead, a little temporal overhead has been
introduced.
The advantages of the new method to implement mutants
are specially relevant: it is easy to automate and reduces
considerably the spatial overhead. But its main success is to
reduce dramatically the temporal overhead. In the results
obtained, the duration of the simulation and analysis phases
are equivalent to the ones when using simulator commands.
Now, it is necessary to confirm the results obtained in these
preliminary experiments, continuing on testing the techniques
by both inserting more saboteurs and mutations, and injecting
faults into more complex models.
After confirming the trends, it will be time to incorporate
the enhanced versions of saboteurs and mutants to VFIT fault
injection tool.
AKNOWLEDGEMENT
This work has been sponsored by the Spanish research
project “Mejora de las técnicas de inyección de fallos en
modelos VHDL”, TIC2002-02491.
REFERENCES
[1] J. Arlat, M. Aguera, L. Amat, Y. Crouzet, J.C. Fabre, J.C. Laprie,
E. Martins, D. Powell, “Fault Injection for Dependability Validation: A
Methodology and Some Applications”, IEEE Transactions on Software
Engineering, vol. 16, no. 2, pp. 166-182, 1990.
[2] A. Benso and P. Prinetto, eds., “Fault Injection Techniques and Tools
for VLSI reliability evaluation”, Kluwer Academic Publishers, 2003.
[3] E. Jenn, J. Arlat, M. Rimén, J. Ohlsson, J. Karlsson, “Fault injection
into VHDL models: the MEFISTO tool”, in Proceedings 24th
International Symposium on Fault-Tolerant Computing (FTCS-24),
pp. 356-363, Austin, TX, USA, 1994.
[4] V. Sieh, O. Tschäche, F. Balbach, “VERIFY: Evaluation of Reliability
Using VHDL-Models with Embedded Fault Descriptions”, in
Proceedings 27th International Symposium on Fault Tolerant
Computing (FTCS-27), pp. 32-36, Seattle, WA, USA, 1997.
Saboteurs (new) Mutants (dynamic) Mutants (new)
28 5970 25
(4 days, 3 hrs., 30 min.)
8 7 7
337 327 327
[5] D. Gil, J. Gracia, J.C. Baraza, P.J. Gil, “A Study of the effects of
Transient Fault Injection into the VHDL Model of a Fault-Tolerant
Microcomputer System”, in Proceedings 6th IEEE International On-
Line Testing Workshop (IOLTW'2000), pp. 73-79, Palma de Mallorca,
Spain, 2000.
[6] D. Gil, J. Gracia, J.C. Baraza, P.J. Gil, “Impact of faults in
combinational logic of commercial microcontrollers”, Lecture Notes in
Computer Science: Dependable Computing EDCC-5, no. 3463,
pp. 379–390, Springer-Verlag, 2005.
[7] Institute of Electric and Electronic Engineers (IEEE), “IEEE Standard
VHDL Language Reference Manual”, IEEE Std 1076-1993.
[8] A.M. Amendola, A. Benso, F. Corno, L. Impagliazzo, P. Marmo,
P. Prinetto, M. Rebaudengo, M. Sonza Reorda, “Fault Behavior
Observation of a Microprocessor System through a VHDL Simulation-
Based Fault Injection Experiment”, in Proceedings 1996 European
Design Automation Conference with EURO-VHDL (EURO-
DAC'96/EURO-VHDL'96), pp. 536-541, Geneva, Switzerland, 1996.
[9] J. Boué, P. Pétillon, Y. Crouzet, “MEFISTO-L: A VHDL-Based Fault
Injection Tool for the Experimental Assessment of Fault Tolerance”, in
Proceedings 28th International Symposium on Fault-Tolerant
Computing (FTCS-28), pp. 168-173, Munich, Germany, 1998.
[10] S. Ghosh, T.J. Chakraborty, “On behavior fault modeling for digital
design”, Journal of Electronic Testing, no. 2, pp. 135-151, Kluwer
Academic Press, 1991.
[11] J.R. Armstrong, F.-S. Lam, P.C. Ward, “Test generation and Fault
Simulation for Behavioural Models”, in Performance and Fault
Modelling with VHDL (J. M: Schoen ed.), pp. 240-303, Englewood
Cliffs, Prentice Hall, 1992.
[12] T.A. DeLong, B.W. Johnson, J.A. Profeta III, “A Fault Injection
Technique for VHDL Behavioral-Level Models”, IEEE Design & Test
of Computers, vol. 13, no. 4, pp. 24-33, Winter 1996.
[13] J.C. Baraza, J. Gracia, D. Gil, P.J. Gil, “A Prototype of a VHDL-Based
Fault Injection Tool: Description and Application”, Journal of Systems
Architecture, vol. 47, no. 10, pp. 847-867, 2002.
[14] D. Gil, J.C. Baraza, J. Gracia, P.J. Gil, “VHDL simulation-based fault
injection techniques”, Chapter 4.1 in [2], pp. 159-176, 2003.
[15] D. Gil, J. Gracia, J.C. Baraza, P.J. Gil, “Study, Comparison and
Application of different VHDL-Based Fault Injection Techniques for
the Experimental Validation of a Fault-Tolerant System”,
Microelectronics Journal, vol. 34, no. 1, pp. 41-51, 2003.
[16] E. Jenn, “Sur la validation des systèmes tolérant les fautes: injection de
fautes dans des modèles de simulation VHDL”, Ph. D. Thesis
Dissertation, LAAS Reserche Rapport N. 94-361, Laboratoire
d’Analyse et d’Architecture des Systèmes du CNRS, Toulouse, France,
1994.
[17] Model Technology, “ModelSim SE User’s Manual. Version 5.5e”,
2001.
[18] TTTech Computertechnik GmbH, “TTP/C C1 Controller. Specification
of the TTP/C C1 Controller”, available at http://www.tttech.com.
[19] J. Gracia, J.C. Baraza, D. Gil, P.J. Gil. “Using VHDL-based fault
injection for the early diagnosis of a TTP/C controller, IEICE Trans. on
Information and Systems, vol. E86, no. 12, pp. 2634-2641. 2003.
[20] P.J. Gil et al., “Fault Representativeness”, Deliverable ETIE2 of
Dependability Benchmarking Project, IST-2000-25245, 2002.
[21] J.C. Baraza, “Contribución a la Validación de Sistemas Complejos
Tolerantes a Fallos. Nuevos modelos de fallos y técnicas de inyección
de fallos”, Ph. D. Thesis Dissertation, DISCA-UPV, Spain, 2003.
[22] J.R. Armstrong, “Chip-Level Modelling with VHDL”, Prentice Hall,
1989.