Volume 5 / Issue 10 / Abstract

DOI:   10.3217/jucs-005-10-0712

Laser Injection of Soft Faults for the Validation of Dependability Design

Wilfrido A. Moreno
Center for Microelectronics Research and Electrical Engineering Department,
College of Engineering, University of South Florida
Moreno@eng.usf.edu

John R. Samson Jr.
Space and Strategic Operations, Honeywell, Inc.
Jrsamson@space.honeywell.com

Fernando J. Falquez
Space and Strategic Operations, Honeywell, Inc.
Falquez@space.honeywell.co

Abstract: The expanding application of computing systems and the continuing advances in semiconductor technology are forcing the on-chip inclusion of design-for-dependability features (concurrent fault tolerance). These features detect, log and provide recovery from errors induced by faults, concurrently with the operation of the system. A very difficult task is the hardware validation of concurrent fault tolerant design features in a nondestructive, unobtrusive manner. A semi-automated facility has been developed at the University of South Florida for this purpose using Laser Fault Injection (LFI) to simulate soft errors during system operation. The facility provides means to extract target coordinates from the CAD database, synchronize the laser pulse with the operation of the system under test, and capture the health warnings it issues. The key fault tolerant features (automatic instruction retry on single soft errors) of a state of the art fault tolerant computer for space applications were validated at this facility.

Key Words: Dependability validation, concurrent fault tolerance, hardware fault injection, laser fault injection.

1 Introduction

Fault Tolerant Design (FTD) is a discipline that seeks to detect and resolve conditions that would result in erroneous operation or system failure. Until recently, and because of its inherent cost, FTD has been implemented at very high levels in the system hierarchy and only for critical applications. Examples of these systems include Railway Control Systems [Arlat et al. 96], the Space Shuttle Control [Marciniak 94], and air traffic control such as the French Air Traffic Control System [Kanoun et al. 96]. In general, this means that the system will detect errors produced by hardware or software faults to prevent catastrophic results. The FT approach here is one of full redundancy of computers and software. Recently, with increased dependence on computerized data, FT has been applied to distributed and clustered computing and database services to ensure system availability. Examples of these approaches are the Unix based Continuum 400 [Hewlett-Packard webpage 98] and the NT server based RADIO cluster [Stratus webpage 98]. The approach here is still one of redundant and replicated modules with special hardware and software to support FT features such as system reconfiguration.

With the appearance of VLSIC, it has become possible to provide on-chip circuits to detect, report and recover from errors, concurrently with normal operation. These features are usually referred to as "on-chip", "on-line" or "concurrent" FTD. Concurrent FTD has been applied to high reliability systems that are required to operate in environments such as outer space [Honeywell 89], [George 95], [Samson 95], where transient faults generated by high energy particles cause soft errors known as Single Event Upsets (SEU). However, continuing advances in semiconductor processes are beginning to have a negative effect on the ability of advanced VLSIC to perform free of error [Saw et al. 98], [Johnston et al. 98], [Johnston et al. 97], [Falquez 98]. A figure of merit in [Falquez 98] estimates that a 0.4 micron system operating at 500 MHz from a 1.5 V supply is relatively six orders of magnitude more susceptible to noise or SEU disturbances than a 4 micron system operating at 1 MHz from a 9 volt supply. An emerging need for the general application of concurrent FTD is readily apparent.

2 Design Approach to Fault Tolerance

The approach to FTD must be comprehensive and inclusive of all system aspects from requirements to implementation. A thorough treatment of the proper approach to FTD is given in [Samson 92]. Characteristically, FTD is hierarchical, and follows the partitioning and flow-down of requirements from a very high system level, down to the functional block. The availability, reliability, and performance requirements of the Global Positioning System (GPS), for example, ensure that more than three satellites are available for navigation anywhere in the world, at any time, while exposed to the environments associated with an earth orbit 20,000 kilometers high. While satellite availability, reliability and performance requirements are supported to a great extent by redundancy, the designed characteristics of the electronic subsystems on board help to minimize the total number of satellites required in the constellation. In a similar fashion, the requirements of the functional blocks flow down from the availability, reliability and performance requirements of the electronics subsystems. With respect to fault tolerance, the requirement may be to reconfigure the system after a hard failure, or to recover autonomously from a soft failure.

2.1 Elements of FTD

The key elements of FTD are the detection, containment and recovery from fault conditions on components of the system. Three key measures of the system FT are fault detection latency, fault recovery latency, and fault coverage.

Detection latency refers to the length of time that a fault condition goes undetected in the system. Long latency impacts the throughput and integrity of the system. The cost and impact of the failure to contain a fault at its originating level increases significantly as erroneous results are passed on to other parts of the system. Fault detection coverage refers to the number of faults from a given set the system will detect. Fault recovery coverage refers to the number of detected faults from which the system will recover.

2.2 Fault Sets, Fault Models and Error Sets

A fault set establishes the measure applied to the system in order to determine its fault tolerance. Its derivation is a critical part of the system requirements definition because it drives the FTD effort. To each fault or fault type, there corresponds a model of the behavior of the system. The resulting behavior is described in terms of erroneous results from which an error set can be derived. The FTD effort then proceeds to identify the most cost effective means to detect, contain and recover from any of the errors in the set. A distinction is made between soft errors, which can be handled by soft recovery, and hard errors, which must be handled by reconfiguration of the system. The extent to which the system performs these tasks is a measure of the system FTD.

3 FTD Validation, Related Research and Techniques

A significant challenge facing the design team once the design is done is how to validate the design, i.e., show that the concurrent FT requirements were met. That is, how to inject a transient fault in a specific area of a system while it is executing a specific function, without introducing additional embedded hardware or software overhead, and then observe that the system handled the fault in real time and continued its normal operation. Validation of FTD has been performed through software means, and at high levels in the overall system FT hierarchy [Geoghegan 96], [Ayache 96], [Gupta 93], [Dawson 96], [McIntyre 95], [Benjo 93]. The approach to validation is generally through software injection of faults at interfaces or protocols, or through the implementation of self-checking computing systems with checkpoints and rollback. Validation of concurrent FTD at the microinstruction level can be simulated within the design environment or with special software tools. Hardware methods of validation are generally performed at SEU testing facilities. Laser injection of faults has been used for component threshold determination.

3.1 Simulation-based fault injection

Simulation of faults during the design phase may be required in order to verify the proper implementation of concurrent fault tolerance. This can be achieved within design environments such as VERILOG and VHDL. However, simulation of a complete system including firmware, is very expensive and time consuming so that time to market requirements and budget constraints tend to limit this approach to a minimum.

3.2 Fault Injection with Particle beams

High-energy particle beams have been used to determine the Linear Energy Transfer (LET), and therefore the susceptibility of components to SEU. However, validation of concurrent fault tolerance at the microinstruction level at a particle beam facility is limited by the ability to synchronize, locate and control the beam. Design and implementation of a test to produce a single soft error at a specific location in the VLSIC, during the execution of a particular micro-instruction, in order to force a specific fault recovery mode, is a very difficult task, if it is possible at all. In addition, the test environment requires precautions for handling a radioactive source, and working through a vacuum interface.

3.3 Laser Injection of Faults for SEU Threshold Determination

Laser energy deposited in semiconductor material generates free charge carriers that can upset the logic state of an operating microcircuit. The effects of laser induced faults in microcircuits are similar to SEU effects produced by energetic particles. This similarity has been researched by a group of scientists [Richter 87], [Buchner 87], [Buchner 88], [Buchner 90], [Gossett 92], [Schneiderwind 92], [Johnston 93], [Buchner 94], [Melinger 94], [Buchner 96], concerned with the correlation of SEU thresholds of bipolar, CMOS, GaAs technology, memory and logic components. They have sought methods to correlate upset thresholds found with the laser technique vs. the thresholds found with ion beams and particle beams [Sexton 96]. They stress the importance of the choice of laser beam wavelength and spot size with respect to the target material, its doping levels and surface passivation, when attempting to establish correlation between laser and ion energy. The absorption characteristics and charge generation processes are described and compared for the two techniques. The information developed through the research above can be used as a guide for the choice of laser and laser parameters when considering Laser Fault Injection (LFI) for FTD validation.

4 Laser Fault Injection (LFI) for FTD Validation

The objective of LFI testing for FTD validation is to force an error in the state of a component in an operating FT system and to verify that the corresponding fault tolerant design features came into play to detect, record and take the next appropriate action. If the fault is locally recoverable, operation should resume with the correct present state (automatic instruction retry). If the fault is not locally recoverable, the fault should be reported to the next level of the system hierarchy. The design and implementation of a LFI FTD validation test requires the use of a special laser facility and the development of a sound methodology to setup and control the test and observe the results.

4.1 Laser Restructuring Laboratory at USF - CMR

The Laser Restructuring Lab (LRL) facility at the Center for Microelectronics Research (CMR) of the University of South Florida (USF) was established in the late 1980s to investigate Wafer Scale Integration (WSI) restructuring techniques [Moreno 93]. A diagram of the facility is shown in Figure 1. The laboratory has a high precision 6 axis (x, y, z, x-tilt, y-tilt, and x/y planar rotation) translation table with an x/y positioning accuracy of 0.1 micron. This x/y positioning accuracy is attained using an HP interferometer system. The system was originally built by MIT Lincoln Laboratory and later moved to USF/CMR to support Wafer Scale Restructuring research as part of the AMMP (Advanced Microelectronics and Materials Program). Three lasers can be used with the system table: a Nd:YLF laser, an Argon laser, and an Excimer laser. The control of the lasers and the translation table is completely automated. The control station is a 200 MHz Pentium based PC running a Microsoft Windows 95(TM) operating environment. Communication with the table, the z-axis and the laser is through an IEEE 488 bus. Communication with the tilt and rotation mechanism is through an RS232 channel. Another RS232 channel is used for communication with the system under test. External timing and control of the laser is through a digital I/O interface.

The Q-switched Nd:YLF laser is used as the light source in the LFI experiments. The laser has a fundamental component at 1046 nanometers. A frequency doubler is used to create laser pulses at a wavelength of 523 nanometers.

Figure 1. Laser System Layout

The laser is fired manually, or through a synchronization facility. Figure 2 illustrates the LFI experimental setup. Both mechanical and electrical control of the Device Under Test (DUT) is necessary to perform the test. The 0.1-micron positioning accuracy of the laser table is needed to precisely locate the target area. This is very important for testing the state-of-the-art chips whose target diffusions may have dimensions on the order of a micron and which may be obscured by up to three levels of metal.

Figure 2. LFI Experiment

The laser beam is directed from the source to the device under test (DUT) through a series of mirrors and optics as shown. The DUT is mounted on the translation table. The actual laboratory facility including the lasers, the optics, and the translation stage used in these experiments is shown in Figure 3. A video camera mounted on top of the optics tower views the DUT through the same optics as the laser beam and allows the operator to see the area being exposed. This facility is convenient, not only for component registration and alignment, but also to confirm the component location and the laser injection point with the output of the VLSI design and layout tools.

Figure 3. A View of the Laser Restructuring Lab

4.2 LFI Development

The use of Laser Fault Injection for FTD validation was demonstrated as reported in [Landis 95], [Yoder 94], [Yoder 95], [Moreno 97], [Samson 97] and [Samson 98]. Samson, Moreno, Landis and Yoder progressed from laser pulse characterization and manual control, to the demonstration of LFI on components (gates, flip-flops, ring oscillators and a multiplier), to an initial demonstration of LFI on a single board space computer. The 10 ns, 523 nanometer green light output of the Nd:YLF laser was found to produce soft errors at a power setting of 630 milliwatts without evidence of damage to the DUT after repeated applications of the pulse. Moreno and Falquez [Falquez 98] developed semi-automated facilities for extraction of target coordinates, synchronization of the laser pulse with the operation of the FT system under test and means to capture health warning messages on line with the test.

5 LFI Test Vehicle

The selected target for the FTD validation test with LFI was an advanced RISC processor design with on-chip concurrent error detection. This included Concurrent Error Detection (CED) and fault/error handling logic implemented as a Single Board Computer (SBC). This design has concurrent error detection circuitry built into the instruction pipeline, the data pipeline, and the error-handling pipeline as shown in Figure 4. Parity and EDAC on registers, multiplexers, and busses, residue checkers on the arithmetic units, and redundant self-checking on decoders and other logic elements, are examples of concurrent error detection techniques employed to detect transient and permanent faults/errors in the design.

Figure 4. Conceptual View of an Advanced RISC Design

5.1 Automatic Instruction Retry

The key feature of the design implemented by the error handling pipeline is the ability to complete the micro-instructions that were in progress prior to the occurrence of a recoverable soft error, and to automatically retry the micro-instruction impacted by the soft error. This is "automatic instruction retry". It can be appreciated that this process is not observable unless a message is produced or a history that can be examined is maintained in special registers in the device.

5.2 Special Registers of the FT SBC

The FT SBC selected for LFI validation tests contains a number of special registers where health status and history of detected errors and the recovery action taken are kept. Examination of these registers, or programmed routines to issue health warnings when an error is handled, allows the observation of the process. Two such registers are the ERROR COUNTER and the DETAIL REGISTER.

The ERROR COUNTER register is incremented for every occurrence of an error-handling event. The DETAIL REGISTER contains a code that describes the type of error and the functional block affected. The information contained in these and other special registers such as the INSTRUCTION COUNTER and embedded SRAMs (REGISTER FILES), can be reported in a HEALTH WARNING issued by the error handling facility.

5.3 Health Warning Messages

The SBC resident software can be programmed to issue health warnings from the data stored in the special registers by the error handling facility during the processing of an error. A sample health warning from the SBC following the LFI of a single error is given below.

00090BFA
00090BFC
*** A0900 Health Warning
003FF43C: 0091FEC0 <> 00000000
003FF440: 00004EA2 <> 00000000
000000E8: 00004EA2 <> 00000000
000000EC: 0091FEC0 <> 00000000
000000F0: 18181818 <> 00000000
000000F4: 19191919 <> 00000000
000000F8: 0000A438 <> 00000000
000005DC: 00004EA2 <> 00000000
80F20428: 00000001 <> 00000000
00090BFD
00090BFE
00090BFF

The SBC is reporting completion of a test routine by incrementing a pass count when a recoverable error was handled. The resident software issued a health warning and reported the present and previous value (all zeroes) of nine special registers, and then continued with the test routine. Within the health warning fields, the first column gives the address of the special register; the second column gives the contents of the register after the error was handled; the third column gives the previous contents of the register.

The address of the Detail Register is 000000F8. Its content (0000A438) indicates that there has been a retryable single error in the register file. The address of the Error Count Register is 80F20428. Its content (00000001) indicates that the error count is now 1.
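The check described above can be run mechanically over a captured serial log. The following Python sketch is an added example, not code from the paper or the SBC software: it parses the sample health warning from Section 5.3 and compares the reported registers with expected values such as those predicted by simulation. It assumes that the bare 8-digit lines are pass counts that advance by one per pass; the function and class names are hypothetical.

```python
"""Added example: check a captured LFI health warning against expected values."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Register addresses as stated in the text above.
DETAIL_REGISTER = 0x000000F8
ERROR_COUNT_REGISTER = 0x80F20428

# Capture copied from the sample health warning in Section 5.3.
SAMPLE_CAPTURE = """\
00090BFA
00090BFC
*** A0900 Health Warning
003FF43C: 0091FEC0 <> 00000000
003FF440: 00004EA2 <> 00000000
000000E8: 00004EA2 <> 00000000
000000EC: 0091FEC0 <> 00000000
000000F0: 18181818 <> 00000000
000000F4: 19191919 <> 00000000
000000F8: 0000A438 <> 00000000
000005DC: 00004EA2 <> 00000000
80F20428: 00000001 <> 00000000
00090BFD
00090BFE
00090BFF
"""

HEADER_RE = re.compile(r"^\*\*\*\s+(\S+)\s+Health Warning$")
REGISTER_RE = re.compile(r"^([0-9A-F]{8}):\s+([0-9A-F]{8})\s+<>\s+([0-9A-F]{8})$")
PASS_RE = re.compile(r"^[0-9A-F]{8}$")


@dataclass
class HealthWarning:
    tag: str                      # identifier printed in the warning header
    pass_before: Optional[int]    # last pass count seen before the warning
    pass_after: Optional[int] = None
    # address -> (contents after the error was handled, previous contents)
    registers: Dict[int, Tuple[int, int]] = field(default_factory=dict)


def parse_capture(text: str) -> Tuple[List[int], List[HealthWarning]]:
    """Split a capture into pass counts and health warnings."""
    passes: List[int] = []
    warnings: List[HealthWarning] = []
    open_warning: Optional[HealthWarning] = None
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        register = REGISTER_RE.match(line)
        if header:
            open_warning = HealthWarning(header.group(1),
                                         passes[-1] if passes else None)
            warnings.append(open_warning)
        elif register:
            if open_warning is None:
                raise ValueError(f"line {number}: register line outside a warning")
            address, current, previous = (int(g, 16) for g in register.groups())
            open_warning.registers[address] = (current, previous)
        elif PASS_RE.match(line):
            value = int(line, 16)
            if open_warning is not None:   # first pass count after a warning
                open_warning.pass_after = value
                open_warning = None
            passes.append(value)
        else:
            raise ValueError(f"line {number}: unrecognised line {raw!r}")
    return passes, warnings


def check_retry(warning: HealthWarning, expected: Dict[int, int]) -> List[str]:
    """Return a list of discrepancies; an empty list means the warning
    matches the expected register contents and the test routine resumed."""
    problems: List[str] = []
    for address, want in sorted(expected.items()):
        got = warning.registers.get(address)
        if got is None:
            problems.append(f"{address:08X}: not reported")
        elif got[0] != want:
            problems.append(f"{address:08X}: got {got[0]:08X}, expected {want:08X}")
    count = warning.registers.get(ERROR_COUNT_REGISTER)
    if count is not None and count[0] != count[1] + 1:
        problems.append("error counter did not advance by exactly one")
    # Assumption: the pass count resumes at the next value after the warning.
    if warning.pass_before is None or warning.pass_after is None:
        problems.append("no pass count on both sides of the warning")
    elif warning.pass_after != warning.pass_before + 1:
        problems.append("pass count did not resume at the next value")
    return problems
```
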

6 LFI Test Procedure

The implementation of the system level LFI test will depend on the set of tools used for product development and laser control environment. In the following, references to specific tools can be replaced by the appropriate equivalent. Prior to the beginning of the tests, a number of preparations will be required. The specific objective of the test will define the requirements of the instrumentation and of the test software that the DUT will be executing during the test. Initialization, synchronization and reporting will also be a function of the test environment and the test objective. The LFI tests presented here were aimed at validating the automatic instruction retry requirements of the FT SBC selected as test vehicle. The procedure steps were as follows:

  1. Establish a list of targets and the expected test results. It is important that simulation data be available for some of the expected results in order to establish correlation between simulation and test.
  2. Generate a place and route report. Within the CADENCE GATE ENSEMBLE tool, this is accomplished by executing the "report placement" command with the "detail" switch option. This option is necessary because the component may be placed in a North (N), East (E), South (S), West (W) orientation. In addition the placement can also be Flipped (F). Therefore, the placement detail affects the actual location of the particular area that may be the target within the component.
  3. Determine the coordinate orientation, origin and scale factor. The chip x and y coordinate orientation with respect to the laser table must be determined in order to locate the targets properly, and in order to mount the DUT such that the table travel-limits do not prevent reaching the desired location on the chip. In general, the units used by the place and route tool will not be the same as the units available at the laser table, so the appropriate scale factor needs to be determined. Also, the origin of the chip coordinates will not necessarily fall at a corner of the chip, so the proper offset must be determined.
  4. Extract the target coordinates from the place and route report. The place and route report is a very large file because it contains a line for every physical library component in the design. The Unix filter "grep" can be used to extract the few lines associated with the target. A sample extraction for a hypothetical register from a place and route report is shown in Figure 5. "cpup2" is a place and route report that contains entries for tens of thousands of components. The extraction is the location of the 22 bits of the register called RGIDA. The command catalogs the "cpu2" file, extracts the lines containing RGIDA, sorts on increasing values of the x coordinate and writes the output to the file called RGIDA. Steps 1 through 4 above can be performed with a single Unix script that reads the target list, invokes the place and route tool in a Unix shell in the background, opens the layout database, generates the report, extracts the coordinates and writes out a target location file.

    Figure 5. Extraction of Target Coordinates from Place and Route Report

  5. Download the target coordinate information to the LFI facility. The target coordinate file generated above can be easily transferred to the LFI facility where the proper adjustments for offset and scaling can be performed. Layout views of the physical components in the design can be downloaded also to aid in the adjustment for placement orientation. The coordinate adjustment can be automated through a series of linear transformations on the reported chip x y location.
  6. Set up the experiment. Setting up the experiment requires the mounting of the DUT on the x y table and aligning the de-lidded chip to be injected with laser pulses under the laser beam. Figure 6 shows a diagram of the LFI test setup.

    Figure 6. LFI Test Setup

    The alignment process is controlled by the Windows application. A functional check of the DUT executing the LFI test routine should be performed at this time. The experiment controller can request the DUT, through its serial port, to perform basic memory read, write, clear, reset and run commands. The controller can also receive responses from the DUT through the same port. The setup should verify that the DUT can issue discrete outputs, and that the laser can be triggered with them. Finally, the laser power should be adjusted and verified using a practice target. The laser pulse delivered by the Nd:YLF laser head is 10 ns wide. The power level is controlled from the Windows application and the level required to produce errors will vary depending on the clock rate and the semiconductor technology. As the clock rate increases, the laser power required to produce a soft error decreases. This effect has been observed and reported [Samson 98a]. For the test sample used and for clock rates of 4 to 6 MHz, a power setting of 650 down to 625 milliwatts should produce repeatable results. The laser can be fired asynchronously from the Windows application through a zap command or through a programmable delay synchronized by a discrete output from the FT system under test. Another important setup step is to verify that the facility to capture warning messages in real time is operational. For the present test, the reset command contains a warning header that is recognized by this facility. Therefore, when the DUT is reset to start the test, a warning message should be recorded. Subsequent messages contain the status data generated by the soft errors induced by the LFI.

  7. Load the target coordinates and jog the translation stage to the target. An inspection of the intended target should be performed in order to verify that it is not obstructed from view by metallization. The on-line video camera allows examination of the target area. If required, the beam spot can be repositioned in 0.1-micron increments. Changes to original target coordinates should be recorded in the target file.
  8. Run the test. To start the LFI test, reset the DUT and issue the run command. The DUT should respond with a warning message and with a count of the passes through the test program. A warning produced by a soft error will interrupt the pass count. The pass count will be resumed upon completion of the warning. If the laser is to be fired synchronously, the variable delay trigger to the laser can be programmed through the Windows application for a single pulse mode. Once the location is fine-tuned and the laser power is properly adjusted, production of soft errors at a given target is very repeatable. In the asynchronous mode, the timing of the pulse with respect to the program step under execution and with respect to the next clock edge will require repeated applications of the laser pulse in order to induce an error. The test program in the DUT continues to run after issuing the warning message. The pass count is not issued until the end of the pass; therefore, analysis of the micro-instruction sequence execution immediately following the injected error is necessary in order to validate the automatic instruction retry FT feature. This analysis can be performed by examination of the assembly code listing of the test program and the warning message, which shows the contents of the Instruction Counter. By following the thread of the listing from this point, the microinstructions executed to return to the main flow of the test program can be determined. This analysis was performed for samples of instruction retry test data. Once this is done, the sequence of warnings issued by the DUT can be relied on for the validation tests.
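The coordinate adjustment in the procedure above (scale factor, origin offset and axis orientation, followed by a travel-limit check) can be expressed as one linear map. The Python sketch below is an added example, not the facility's software: it derives the map from two reference points whose chip and table coordinates are both known, which is one assumed way of determining the scale, orientation and origin, and then plans the targets in order of increasing chip x. All names, the 0.01-micron layout unit and the coordinates are constructed for illustration.

```python
"""Added example: map place-and-route coordinates to laser-table coordinates."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Point = Tuple[float, float]


@dataclass(frozen=True)
class ChipToTable:
    """table = a * chip + b, with each point held as a complex number x + jy."""
    a: complex              # scale factor and axis rotation combined
    b: complex              # table position of the chip coordinate origin
    mirrored: bool = False  # True when the chip y axis is reversed on the table

    @classmethod
    def from_fiducials(cls, chip1: Point, table1: Point,
                       chip2: Point, table2: Point,
                       mirrored: bool = False) -> "ChipToTable":
        """Solve for a and b from two points located on the chip with the
        alignment camera (table coordinates) and in the layout (chip
        coordinates)."""
        c1, c2 = complex(*chip1), complex(*chip2)
        if mirrored:
            c1, c2 = c1.conjugate(), c2.conjugate()
        if c1 == c2:
            raise ValueError("the two reference points must differ")
        t1, t2 = complex(*table1), complex(*table2)
        a = (t2 - t1) / (c2 - c1)
        return cls(a=a, b=t1 - a * c1, mirrored=mirrored)

    @property
    def scale(self) -> float:
        """Table microns per place-and-route unit."""
        return abs(self.a)

    def to_table(self, x: float, y: float) -> Point:
        """Map one chip location, snapped to the table's 0.1-micron grid."""
        c = complex(x, y)
        if self.mirrored:
            c = c.conjugate()
        t = self.a * c + self.b
        return (round(t.real, 1), round(t.imag, 1))


def plan_targets(targets: Dict[str, Point], frame: ChipToTable,
                 x_limits: Point, y_limits: Point
                 ) -> List[Tuple[str, float, float, bool]]:
    """Return (name, table_x, table_y, reachable) sorted on increasing chip x.
    A target is reachable when it lies inside the table travel limits."""
    plan = []
    for name, (x, y) in sorted(targets.items(), key=lambda item: item[1][0]):
        tx, ty = frame.to_table(x, y)
        reachable = (x_limits[0] <= tx <= x_limits[1]
                     and y_limits[0] <= ty <= y_limits[1])
        plan.append((name, tx, ty, reachable))
    return plan


# Constructed sample data: layout units of 0.01 micron, chip x axis lying
# along the table y axis, chip origin at table position (1500.0, 2500.0).
CONSTRUCTED_FRAME = ChipToTable.from_fiducials(
    (0, 0), (1500.0, 2500.0), (100000, 0), (1500.0, 3500.0))
CONSTRUCTED_TARGETS = {
    "bit0": (20000, 30000),
    "bit1": (10000, 30000),
    "bit2": (90000, 400000),   # deliberately beyond the table travel
}


def demo_plan() -> List[Tuple[str, float, float, bool]]:
    return plan_targets(CONSTRUCTED_TARGETS, CONSTRUCTED_FRAME,
                        x_limits=(0.0, 5000.0), y_limits=(0.0, 5000.0))
```
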

7 Automatic Instruction Retry Test Results

LFI tests on a number of bits identified by the procedure just described, and by inspection of the layout of the register file, were performed to validate automatic instruction retry features of the FT SBC design. The tests were repeated numerous times with repeatable results. During the test sequence, the laser table was dismantled for maintenance and reassembled. A number of tests were rerun that correlated with initial results. In all, over 500 shots were taken. The computer is still functional. The health warnings captured agreed 100 percent with the special register contents predicted by simulation for retryable single soft errors in the data pipeline, in the instruction pipeline and in the register file. Sample data results are given below in Figure 7. The figure shows an image of the target, the x y coordinates of the target, and the captured health warning issued by the computer after handling the soft error induced by the laser pulse.

Figure 7. Target: Register File

8 Conclusions

There is an emerging need for the general application of concurrent FTD in order to preserve the dependability of advanced CMOS VLSIC. A reported figure of merit indicates that highly scaled CMOS devices are relatively orders of magnitude more susceptible to soft transient errors than traditional devices. With this need for the general application of FT systems comes the need to verify that the error detection and recovery features of the FT system perform as required. Semi-automated FTD validation methods with Laser Fault Injection (LFI) have been developed at the University of South Florida. These methods were applied in the successful testing of automatic instruction retry features of a state-of-the-art FT single board computer.

9 Areas For Future Work

9.1 Fully Automated LFI Test Facility

The LFI test facility provides for semi-automated means to extract target coordinates, setup the laser, control the test and synchronize laser pulse with the operation of the DUT. However, some additional automation and instrumentation enhancements could transform the Laser Laboratory into a full-up concurrent FTD validation facility.

  1. Auto alignment. The process of aligning the target can be automated by means of an expert system trained with layout data from the foundry.
  2. Auto focusing optics. Auto focusing the laser beam would speed up the test performance and allow fine tuning of the power levels required for producing soft errors.
  3. Variable laser frequency. The ability to vary the laser frequency would allow quick re-setup for different semiconductor target materials.
  4. Physical damage detection. A facility such as an infrared camera would allow the detection of hot spots and uncover potential damage produced by the beam. This facility would allow for fine grain characterization of the power limits to perform LFI on different semiconductor technologies.
  5. Continuously adjustable optics capable of focusing over a wide range of magnification powers. This facility would speed up the test set up and the test performance.
  6. Automated step and repeat programming. Production testing of FT features could be automated with this facility. Items 2 and 5 could be integrated into this capability.
  7. Instrumentation for high level tests of an operating FT computer network. This capability could be of significant value to programs such as SBIRS, GLOBALSTAR, SPACEWAY, GPSIIF and other emerging space applications. Operation of the system could be simulated during a critical period in the presence of strategically placed and timed soft faults.

9.2 Laser Beam Spot Size

A key issue regarding the continued applicability of LFI to FTD validation is the need to adapt the laser beam physical characteristics to the changing semiconductor process parameters. Dense, multi-layer metalization may obscure the intended targets. Therefore, it is necessary to develop means to shape the beam to diameters below one micron.

References

[Arlat et al. 96] Arlat J. et al.: "Dependability of Railway Control Systems". Proc., 26th Int. Symposium on Fault-Tolerant Computing, Sendai, Japan, 96, 150-155.

[Ayache 96] Ayache S., et al.: "Formal Methods For The Validation Of Fault Tolerance In Autonomous Spacecraft", Proc. Annual International Conference On Fault-Tolerant Computing 96. IEEE, Los Alamitos, Ca, USA. 96CB35969, 353-357.

[Benjo 93] Benyo B., Pataricza A.: "Fault Injection Based Dependability Analysis", Periodica Polytechnica, Electrical Engineering v 37 n 2 93, 97-101.

[Buchner 87] Buchner S. P., Wilson D., Kang K., Gill D., Mazer J. A., Raburn W. D., Campbell A. B., Knudson A. R.: "Laser Simulation Of Single Event Upsets", IEEE Transactions on Nuclear Science, Vol NS-34, Dec 87.

[Buchner 88] Buchner S., Knudson A., Kang K., Campbell A. B.: "Charge Collection from Focused Picosecond Laser Pulses". IEEE Transactions on Nuclear Science, Vol. 35, No. 6, Dec. 88.

[Buchner 90] Buchner S., Kang K., Stapor W. J., Campbell A. B., Knudson A. R., McDonald P., Rivet S.: "Pulsed laser induced SEU in integrated circuits: A method for hardness assurance testing", IEEE Transactions on Nuclear Science, NS-37, 90, 1825-1831.

[Buchner 94] Buchner S., Langworthy J. B., Stapor W. J., Campbell A. B., Rivet S.: "Implications Of The Spatial Dependence Of The Single-Event-Upset Threshold In SRAMS Measured With A Pulsed Laser". IEEE Transactions on Nuclear Science, Vol. 41, Dec 94.

[Buchner 96] Buchner S., et al.: "Modification of Single Event Upset Cross Section Of An SRAM At High Frequencies", IEEE Transactions On Nuclear Science, Vol. 43, June 1996.

[Dawson 96] Dawson S., et al.: "Testing Of Fault Tolerant and Real-Time Distributed Systems Via Protocol Fault Injection". Proceedings, Annual International Conference on Fault-Tolerant Computing 96. IEEE, Los Alamitos, Ca, USA, 96CB35969, 404-414.

[Falquez 98] Falquez F. J.: "Fault Tolerance and Testability Design With Validation by Laser Fault Injection to Improve the Performance and Testability of Advanced VLSIC". Ph.D. Dissertation, December 98.

[Geoghegan 96] Geoghegan S. J., Avresky D.: "Design, Verification, and Validation of Self-checking Software Components"; Proc. International Phoenix Conference on Computers and Communications 96. IEEE, Piscataway, NJ USA, 420-426.

[George 95] George M. D., Brichacek J.: "Radiation Hardened 32-Bit Processor"; 15th International Communications Satellite Systems Conference 95.

[Gossett 92] Gossett C. A., Hughlock B. W., Johnston A. H.: "Laser Simulation Of Single-Particle Effects", IEEE Transactions On Nuclear Science, Vol. 39, Dec 92.

[Gupta 93] Gupta R.: "Phi-Test: Perfect Hashed Index Test For Test Response Validation", Proceedings, IEEE International Conference on Computer Design: VLSI in Computers and Processors 1993. IEEE, Piscataway, NJ USA. p 588-591.

[Hewlett-Packard webpage 98] http://www.hp.com/uk/complementary/stratus1.htm 98.

[Honeywell 89] Honeywell Space and Strategic Avionics Division: "Final Technical Report, Contract No. F30602-88-C-0060" / October, 89.

[Johnston 93] Johnston A. H.: "Charge Generation And Collection In p-n Junctions Excited With Pulsed Infrared Lasers", IEEE Transactions On Nuclear Science, Vol. 40, Dec 93.

[Johnston et al. 97] Johnston A. H.: "Radiation Effects in Advanced Microelectronics Technologies". Proc. Fourth European Conference on Radiation and Its Effects on Components and Systems. Sep. 97. Cannes, France. IEEE CN 97 TH 294.

[Johnston et al. 98] Johnston A. H., Swift G. M., Shaw D. C.: "Impact of CMOS Scaling on Single-Event Hard Errors in Space Systems". Jet Propulsion Lab. NASA MSREP Program 98.

[Kanoun et al. 96] Kanoun K., Borrel M., Morteveille T., Peytavin A.: "Modeling the Dependability of CAUTRA, a Subset of the French Air Traffic Control System". Proc. 26th Int. Symposium on Fault-Tolerant Computing, Sendai, Japan, 96.

[Landis 95] Landis D., Moreno W., et al.: "Enhancing Fault Coverage of VLSI Circuits: Analysis and Investigation". Unpublished proposal submitted to Rome Air Development Center. 95.

[Marciniak 94] Marciniak J. J.: "Encyclopedia of Software Engineering" / John Wiley and Sons 94.

[McIntyre 95] McIntyre M.D. W., Gossett, Cynthia A.: "BOEING 777 Fault Tolerant Air Data Inertial Reference System, A New Venture In Working Together", Proc. IEEE/AIAA Digital Avionics Systems Conference 95. IEEE, Piscataway, NJ, USA, 95CB35873, 178-183.

[Melinger 94] Melinger J. S., Buchner S., McMorrow D., Stapor W. J., Weatherford T. R., Campbell A. B., Eisen H.: "Critical Evaluation Of The Pulsed Laser Method For Single Event Effects Testing And Fundamental Studies". IEEE Transactions On Nuclear Science, Vol. 41, Dec 94.

[Moreno 93] Moreno W. A.: "Laser Direct Routing for High Density Interconnects", Ph.D. Dissertation, University of South Florida, Dec. 93.

[Moreno 97] Moreno W. A., Falquez F. J., Samson J. R. Jr.: "First Test Results of System Level Fault Tolerant Design Validation Through Laser Fault Injection". Proc. ICCD97 Conference, Austin, Tex. Oct. 97, 532-541.

[Richter 87] Richter A. K., and Arimura I.: "Simulation of heavy charged particle tracks using focused laser beams", IEEE Transactions on Nuclear Science, NS-34, 87, 1234-123910.

[Samson 92] Samson J. R. Jr.: "Optimizing Real-Time Fault Tolerance Design in VLSI and Wafer Scale Architectures for Real-Time Parallel Processing". Ph.D. Dissertation, University of South Florida, May 92.

[Samson 95] Samson J. R. Jr.: "What Is So Special About the RH32?" Honeywell Engineering Pulse, 95.

[Samson 97] Samson J. R. Jr., Moreno W. A., Falquez F. J.: "Validating Fault Tolerant Designs Using Laser Fault Injection (LFI)". Proceedings, DFT97, Paris, France. Oct 97.

[Samson 98] Samson J. R. Jr., Moreno W. A., Falquez F. J. "A Technique For Automated Validation Of Fault Tolerant Designs Using Laser Fault Injection (LFI)" Proceedings, IEEE Symposium on Fault Tolerant Computing. Munich, Germany. June 98.

[Samson 98a] Samson J. R. Jr., "Technology Seminar-Frequency Dependent SEU in Logic Circuits. Trip Report", Honeywell Internal Correspondence. October 1998.

[Saw et al. 98] Saw D. C., Swift M., Johnston A. H.: "Space Radiation Effects on Low Power Advanced-Technology. 1) Rams." Jet Propulsion Laboratory. NASA MSREP Program 98.

[Schneiderwind 92] Schneiderwind R., Krening D., Buchner S., Kang K., Weatherford T. R.: "Laser Confirmation Of SEU Experiments In GaAs MESFET Combinational Logic", IEEE Transactions On Nuclear Science, Vol. 39, Dec 92.

[Sexton 96] Sexton F. W.: "Microbeam Studies of Single-Event Effects", IEEE Transactions on Nuclear Science, Vol. 43 No. 2, 96, 687-695.

[Stratus webpage] http://www.gsk.net/profile/products/description/stratus/radio/radio.html 98.

[Yoder 94] Yoder J. and Landis D.: "The Testing of Fault Tolerant Circuits Using Lasers", Proc. of GOMAC Conference, Nov. 94.

[Yoder 95] Yoder J. W.: "Transient Fault Tolerance In 2D Message Passing Networks For ULSI", Ph.D. Dissertation, University of South Florida, Aug. 95.
