Vous êtes sur la page 1sur 4

Fault-Tolerant Implementation of Direct FIR Filters Protected Using Residue Codes

Stanisaw J. Piestrak
IJL/Universite de Lorraine, F-54000 Nancy, France
Email: stanislaw.piestrak@univ-lorraine.fr

Piotr Patronik
Wrocaw University of Technology, 50370 Wrocaw, Poland
Email: piotr.patronik@pwr.wroc.pl

AbstractThe design of fault-secure and fault-tolerant versions of digital nite input response (FIR) lters implemented
in direct form is studied. The fault-secure versions proposed
are protected using residue codes mod A (A is an odd integer)
and guarantee the 100% error coverage for all single line faults,
should some elementary design rules be respected. The faulttolerant versions rely on duplication of fault-secure versions.
The synthesis results suggest that the hardware overhead
needed could be also as low as for their transposed versions
counterparts proposed recently: for all fault-secure lters with
16-bit operands and protected using the residue code mod 3 it
is about 3%. For fault-tolerant versions with 16-bit operands,
the hardware overhead ranges only from about 105 to 117.5%,
which is signicantly less than over 200% for triplication.

The transposed FIR lter requires N separated multipliersaccumulators (MACs), whereas the direct one can be implemented as a set of N matrices of 2-input AND gates
feeding carry-save adder trees of the n-operand adders of
the multipliers, all followed by a single N -operand adder.
Moreover, the direct FIR lter has a delay line of xed width,
whereas in the transposed lter the width of a delay line
grows along with the lter pipeline (i.e. with the growing
dynamic range), which may negatively affect both the area
and power consumption, especially in smaller lters.
Xk

C0

Direct

I. I NTRODUCTION

C1

CN -2

(a)

CN -1

Yk

Xk

Filters have been used in digital communication systems


for equalization, noise reduction, signal separation, etc.
Space applications are exposed to high-energy particles,
which may cause temporary errors called soft errors [1].
Because error-free communication is mandatory even in
harsh and noisy environments like space, reliable operation
of lters can only be ensured by using some fault-tolerance
techniques. Temporary faults in hardware can be detected
or tolerated by using various redundancy techniques. The
most often are used: (i) information redundancy techniques
like error-detecting codes (EDCs) (e.g., parity codes and
residue codes) allowing to build self-checking units and
error-correcting codes (ECCs) (e.g., Hamming codes); and
(ii) modular redundancy techniques like duplication with
comparison (DWC), triple modular redundancy (TMR), and
duplication of self-checking units (which results in a faulttolerant system).
The function realized by a digital nite input response
(FIR) lter can be expressed as [2]
Yk =

N
1


Cj Xkj ,

(1)

j=0

where: Xkj is the input signal, Cj is the coefcient of the


lter, and Yk is the output signal. The above equation can
be implemented using two general architectures: direct and
transposed, as shown in Fig. 1.
Here, we will consider the N -tap direct FIR lters whose
implementation can also be presented as shown in Fig. 2.
c
978-1-4673-6576-5/15/$31.00 2015
IEEE

Transpose

C0

C1

(b)

CN -2

CN -1

Yk

Figure 1. Basic architectures of FIR lters: (A) direct; and (B) transposed.
Xk

Sum-of-products
Yk

Figure 2.

Implementation of the direct FIR lter.

Design of fault-tolerant direct FIR lters, implemented


using either TMR (introduced on various levels) or Hamming error-correcting codes (ECCs), was considered recently
in [3], [4]. In [3], the FPGA implementations of faulttolerant direct FIR lters using ECCs were shown more
complex than their TMR-based counterparts. The major
difculty encountered while attempting to use Hamming
ECCs to protect direct FIR lters was the necessity to
insert coders and decoders at each tap of the delay line
(although it is well justied, no particular explanation was
given). It has been the only known solution which allows to
avoid that a single fault at some i-th register would cause
multiple errors: should input errors would not be corrected,
all multipliers from the i-th tap to the last (N 1)-th
one would receive incorrect delayed input signal xi , which
would defeat the single error-correcting capability of the
Hamming code. Unfortunately, such a protection method
results not only in signicant extra hardware overhead but
also in delay increase [3]. To avoid the above problems, in

[5] was proposed an essentially different solution that relies


on using the rectangular error-correcting parity code applied
on the bit level (called the knowledge-based technique). The
complexity comparison given in [5] has revealed its slight
advantage over Hamming codes and TMR. In [6], a faulttolerant transposed FIR lter relying on a combination of
duplication and residue checking was proposed. Although, to
avoid some undetected errors, a scheme relying on addition
of 1 to input samples of all three channels was proposed,
it introduces extra hardware and delay overhead; moreover,
the decision circuitry is signicantly more complex than for
triplication (in either case it is a hardcore of the whole
fault-tolerant scheme). Finally, a fault-tolerant lter can
be obtained by duplicating its self-checking (fault-secure)
version protected by any EDC. As far as we know, the only
fault-secure FIR lters, protected using residue codes, were
proposed recently in [7] for their transposed versions only.
It was revealed that the need for checking all multipliers
inputs for errors can be avoided at a minor cost by observing
some design rules, although errors are not corrected (like
in [3], [4]) but only detected. Nevertheless, little hardware
overhead observed for the fault-secure versions in [7] makes
highly competitive an alternative version of a fault-tolerant
architecturecomposed of two self-checking units.
The goal of this paper is to propose fault-secure versions
of direct FIR lters, which has not been considered yet in the
open literature. Obviously, they can serve to build versions
fault-tolerant for temporary faults by duplicating their selfchecking (fault-secure) version.
This paper is organized as follows. Section II presents
the basic properties of residue codes and supporting circuitry. Section III presents the design of the fault-secure
direct FIR lter as well as explains how it can be used
to obtain a fault-tolerant architecture. Section IV provides
the complexity evaluation of various versions of fault-secure
and fault-tolerant direct FIR lters. Section V presents some
conclusions and indicates directions for future research.
II. T HEORETICAL BACKGROUND
A. Arithmetic Error Model
The major problem with protecting arithmetic circuits
(like adders and multipliers) against errors caused by internal
single line faults is the possibility of occurrence of errors of
any multiplicity due the presence of carry circuits. This is
why it is better to take into account the arithmetic value
of the error (2i for 0 1 and 1 0 errors on line of
weight 2i , z {0, 1}) instead of the number of erroneous
bits. Arithmetic errors can be particularly efciently detected
using systematic residue codes mod A, where A is an odd
natural number called the check base of the code. Any
residue code mod A has the following properties: (i) it
detects all errors whose arithmetic value does not accumulate
to a multiple of the check base A; (ii) the check part
C = |X|A (X modulo (mod) A) is the remainder of the

integer division of X by A, which can be obtained using


residue generator mod A; i.e., (X, |X|A ) is a codeword; (iii)
it is not only a systematic code but also a separable code,
because the check part of the result is generated separately
and in parallel by executing mod A the same operation
on check parts of the input operands as in the protected
circuit. The best performance of all supporting circuitry
(residue: adders, multipliers, MACs, generators, checkers,
etc.) is offered by codes with A = 2a 1 [7][12]. A more
complete presentation of arithmetic codes and supporting
circuitry as well as related state-of-the-art literature can be
found e.g. in [7].
B. Fault-Secure Arithmetic Circuit
A self-checking circuit is one whose inputs, internal states,
and outputs are encoded using EDCs. It is called fault-secure
w.r.t. a given set of faults, if in the presence of an internal
fault from this set, its output is either correct or it is a
detectable error. Here, our attention is limited to temporary
faults and it is assumed that a fault can change the logic
state of any internal line of a circuit to 0 or 1.
X

X A
Y

Y A

Arithmetic
circuit
{+, , }
mod A

Arithmetic
circuit
{+, , }

Residue
code
mod A

Z A

Checker
Residue
generator
mod A

Figure 3.

Z *
A

Comparator
of residues

Error
signal

Self-checking arithmetic circuit protected using residue code.

Fig. 3 shows the general scheme of a self-checking arithmetic circuit protected using the residue code mod A, which
works as follows. Two input operands X, Y of the circuit
are accompanied by |X|A , |Y |A their check parts mod A.
The same arithmetic operation  {+, , } is executed
separately and in parallel on input operands and their check
parts, to produce the result Z = X  Y as well as the check
part of the result |Z|A = ||X|A  |Y |A |A . From the result
Z is generated independently the check part |Z|A which
is used as the reference value for the comparator of check
parts. Should the check parts agree (i.e., |Z|A = |Z|A ), the
result of computation Z is assumed to be correct.
To determine the conditions which would guarantee that
a circuit of Fig. 3 is fault-secure, we will analyze separately
the effects of (temporary) faults that occur in the checker
and in the arithmetic circuit. Any internal fault (no matter
whether simple or multiple) in the checker may have only
two effects: (i) it is maskedwhich is desirable, because
under single fault assumption the arithmetic circuit provides
a correct result; and (ii) it activates the error signalwhich is

undesirable, because under single fault assumption the arithmetic circuit provides a correct result, i.e., it is a false alarm
(the only thing that can be done to reduce its likelihood is
to reduce the area of the checker). Any internal fault in the
arithmetic circuit may have three different effects: (i) it is
maskedwhich is desirable, because the arithmetic circuit
provides a correct result despite the fault; (ii) it causes a
detectable errorwhich is acceptable, because the erroneous
result caused by an internal fault the arithmetic circuit is
signaled; and (iii) it causes an undetectable error which is a
multiple of A (an incorrect output codeword is produced)
which must be avoided; only in this case the whole circuit
of Fig. 3 is not fault-secure.

residue checkers. We propose the following new low-cost


solution. Should some error be caused by a fault occurring
anywhere in the delay line beyond the primary input, it
can be detected at the very end of the delay pipeline by
comparing the signal xk against its corresponding check
part |xk |A both at the very end of the delay line (recall
that the check part is error-free by proviso of the single
fault assumption). The comparison is done by the extra nal
checker (which generates the error signal CEIn ) that veries
whether the signal that arrives at the very end of the delay
line is correct.

III. D ESIGNS P ROPOSED

As we have mentioned in the Introduction, a fault-tolerant


system can be built using two identical fault-secure modules.
Such a circuit, shown in Fig. 5, works as follows. Initially,
the output data generated by of one of two identical faultsecure modules, say Module 1, are selected by the Switch.
Should a detectable error caused by an internal fault of
Module 1 be signaled by its internal checker (the signal
Error in Module 1 activated), the Switch automatically
selects the output data generated by Module 2. Thus, the
continuous correct outputs are still provided and the whole
system of Fig. 5 is indeed fault-tolerant for internal faults
(causing detectable errors) of a single module.

A. Fault-Secure Direct FIR Filters


Fig. 4 shows the scheme of the fault-secure version of
the direct implementation of the FIR lter. If a fault occurs
anywhere else but on the top delay line of the registers, any
error it causes can be detected by observing the same design
rules as for its transposed counterpart, detailed in [7].
Xk
n

n
C0

C1

CN -1

n-bit
residue
generator
mod A

Xk*
2n

2n

n-bit
residue
generator
mod A
Xk

a
A

Comparator
of residues

2n

Xk

CEIn

Yk

N-operand 2n-bit adder

a
A

a
C0

a
C1

mod A
a

2n-bit
residue
generator
mod A

a
CN -1

Yk

mod A

Figure 4.

Fault-Secure
Module_2

Yk1

ME

Yk1,i
EM1

Yk2,i
EM2

Yk2

Switch

EM2
Yk,i

Comparator
of residues

(A)
CEOut

a
Yk

N-operand adder mod A

Fault-Secure
Module_1

EM1

mod A

B. Fault-Tolerant Implementation of Direct FIR Filters

Generic architecture of the fault-secure direct digital FIR lter.

However, compared to the fault-secure transposed FIR


lter, where generating the check part for the incoming
signal xk sufces, the propagation of the input signals
through the delay line may cause serious error handling
problems, which was already observed in the previous
works considering protection using Hamming codes [3][5].
Suppose that a single fault affects one bit of the i-th register
of the upper delay line and causes an error. Therefore,
because the erroneous bit is propagated on the same position
to all remaining registers from the i-th to the (N 1)th, consequently, all multipliers from the i-th to the last
(N 1)-th will receive an erroneous input signal. As a result,
several multipliers could produce erroneous results whose
accumulated error value could easily beat the error detecting
capabilities of the residue code used. The most obvious
solution would be to check every multiplier separately, but
it would incur excessive extra hardware cost of N 1 extra

Yk

(B)

Figure 5. (A) Fault-tolerant FIR lter built of two fault-secure circuits;


(B) switch cell.

IV. C OMPLEXITY E VALUATION AND C OMPARISON


Here, we have applied the design rules imposed on the
internal structure of the basic circuits which would allow
to avoid occurrence of faults causing multiple errors undetectable by residue codes mod A, presented exhaustively in
[7]. In particular, these include one rule formulated in [13]
that the internal structure of a full-adder must be bit-sliced
to avoid multiple errors undetectable by residue mod 3 code
and those formulated in [14] to implement fast parallel-prex
adders applicable in fault-secure arithmetic circuits protected
using various residue codes. The synthesis of the sample
circuits was performed for the following assumptions.
No delay constraints, so that ripple-carry adders
(RCAs) are used to reduce area.
Unprotected and duplicated versions use adders with
no design restrictions.
Residue protected version uses circuits which guarantee
that the whole circuit is fault-secure by design:

the matrix multiplier uses the carry-save adder tree


with all full-adders bit-sliced, and
the RCA with all full-adders bit-sliced.
No design restrictions are imposed on the realizations
of all checking circuitry.

Table I
A REA ESTIMATES ( IN m2 ) FOR FAULT- SECURE DIRECT FIR FILTERS
1
n

2
Unprotected

9412

18917

16

35884

71972

19015

38124

16

72315 144833

38318

16

DWC

Code

76729

145009 290222

5
Residue
protected

8-tap lter
mod 3
10422
mod 15
12079
mod 3
37294
mod 15
3895
16-tap
mod 3
mod 15
mod 3
mod 15
32-tap
mod 3
mod 15
mod 3
mod 15

lter
20708
2401
74407
77709
lter
41375
47972
148465
155062

6
7
Overhead [%]
(3-2)/2
(5-2)/2
101.0
100.6

100.5
100.3
100.2
100.1

10.7
28.3
3.9
8.5
8.9
26.3
2.9
7.5
8.0
25.2
2.4
6.9

Table II
A REA ESTIMATES ( IN m2 ) FOR FAULT- TOLERANT DIRECT FIR FILTERS
1
n
8

2
Unprotected
9412

TMR

Code

28311

16

35884 107802

19015

16

72315 217094

38318 115028

16

145009 435176

57121

5
2FS

8 tap lter
mod 3
20915
mod 15 24227
mod 3
74729
mod 15 78038
16 tap lter
mod 3
41486
mod 15 48090
mod 3 148955
mod 15 155559
32 tap lter
mod 3
82820
mod 15 96013
mod 3 297073
mod 15 310267

6
7
Overhead [%]
(3-2)/2
(5-2)/2
200.8
200.4

200.4
200.2

200.2
200.1

122.2
157.4
108.3
117.5
118.2
152.9
106.0
115.1
116.1
150.6
104.9
114.0

Tables I and II present the area estimates for fault-secure


and fault-tolerant versions of sample lters, respectively.
It is seen that the hardware overhead needed could be
also as low as for their transposed versions counterparts
proposed recently in [7]: e.g. for all fault-secure lters with
16-bit operands and protected using the residue code mod
3 it is about 3%. For fault-tolerant versions with 16-bit
operands, the hardware overhead ranges only from about
105 to 117.5%, which is signicantly less than over 200%
for triplication.
V. C ONCLUSIONS
In this paper, we have proposed the design method of
direct nite input response (FIR) lters which are faultsecure for internal single line temporary faults. The use
of arithmetic error detecting residue codes makes these
circuits capable of detecting errors during normal functioning. Thanks to respecting some well-dened design

restrictions, 100% error coverage for single internal faults


has been achieved. Sample fault-secure versions of direct
FIR lters, protected using residue codes modulo 3 and 15,
were synthesized using Cadence RTL Compiler over the
commercial CMOS065LP 65 nm low-power library from ST
Microelectronics. Compared to the unprotected version, the
hardware overhead of the fault-secure versions depends on
the residue code used, on the length of input operands, and
on the lter size; for 16-bit operands and residue code mod
3, it can be as low as from about 2.5% to 3.7%. The faulttolerant versions can be easily obtained by duplicating the
fault-secure versions, at the signicantly lower cost (slightly
over 100%) than over 200% required by triplication.
ACKNOWLEDGMENT

This research was done within the framework of the


ARDyT project ANR-11-INSE-15 sponsored by the Agence
Nationale de Recherche (ANR), France.
R EFERENCES
[1] M. Nicolaidis, Ed., Soft Errors in Modern Electronic Systems. New
York, NY, USA: Springer, 2011.
[2] U. Meyer-Baese, Digital Signal Processing With Field Programmable
Gate Arrays, 4th ed. Berlin/Heidelberg, Germany: Springer, 2014.
[3] R. Hentschke et al., Analyzing area and performance penalty of
protecting different digital modules with Hamming code and triple
modular redundancy, in Proc. 15th Symp. Integr. Circuits and
Systems Design (SBCCI), Porto Alegre, Brazil, 914 Sept. 2002, pp.
95100.
[4] S.-F. Liu, P. Reviriego, and J. A. Maestro, Enhanced
implementations of Hamming codes to protect FIR lters,
IEEE Trans. Nucl. Sci., vol. 57, no. 4, pp. 21122118, Aug. 2010.
[5] J. A. Maestro et al., Protection against soft errors in the space
environment: A nite impulse response (FIR) lter case study,
Integration, the VLSI J., vol. 42, no. 2, pp. 128136, Feb. 2009.
[6] Z. Gao et al., Efcient arithmetic-residue-based SEU-tolerant FIR
lter design, IEEE Trans. Circuits Syst. II, Exp. Briefs, vol. 60,
no. 8, pp. 497501, Aug. 2013.
[7] S. J. Piestrak and P. Patronik, Design of fault-secure multipliersaccumulators and FIR lters protected using residue codes, in Proc.
17th EUROMICRO Conf. on Digital System Design (DSD 2014),
Verona, Italy, 2729 Aug. 2014, pp. 575582.
[8] R. Patel and S. Boussakta, Fast parallel-prex architectures for
modulo 2n 1 addition with a single representation of zero, IEEE
Trans. Comput., vol. 56, no. 11, pp. 14841492, Nov. 2007.
[9] R. Muralidharan and C. H. Chang, Radix-8 Booth encoded modulo
2n 1 multipliers with adaptive delay for high dynamic range
residue number system, IEEE Trans. Circuits Syst. I, Reg. Papers,
vol. 58, no. 5, pp. 982993, May 2011.
[10] R. Conway and J. Nelson, Improved RNS FIR lter architectures,
IEEE Trans. Circuits Syst. II, vol. 51, no. 1, pp. 2628, Jan. 2004.
[11] S. J. Piestrak and K. S. Berezowski, Design of residue multipliersaccumulators using periodicity, in Proc. IET Irish Sign. & Syst.
Conf. (ISSC), Galway, Ireland, 1819 June 2008, pp. 380385.
[12] S. J. Piestrak, Design of residue generators and multioperand
modular adders using carry-save adders, IEEE Trans. Comput.,
vol. 43, no. 1, pp. 6877, Jan. 1994.
[13] T. G. Gaddess, An error-detecting binary adder: A hardware-shared
implementation, IEEE Trans. Comput., vol. C-19, no. 1, pp. 3438,
Jan. 1970.
[14] U. Sparmann, On the check base selection problem for fast adders,
in Dig. Pap. 11th Annu. 1993 IEEE VLSI Test Symp., Atlantic City,
NJ, USA, 68 Apr. 1993, pp. 6265.