POWER-CONSUMPTION-ORIENTED CHECKABILITY FOR FPGA-BASED COMPONENTS OF SAFETY-RELATED SYSTEMS

This paper addresses the circuit checkability of components in safety-related systems, which operate high-risk objects and are aimed at ensuring the safety of both the system and the control object in order to prevent accidents and reduce their consequences. The importance of circuit checkability for ensuring safety in critical applications is emphasized: safety is based on fault-tolerant circuit solutions, and their efficiency is determined by circuit checkability. The development of logical checkability from testability to the structurally-functional and dual-mode models, which formalize the problem of hidden faults and define ways of solving it, is shown. The limitation of logical checkability in detecting faults in chains of the common signals is considered, together with the need to develop checkability beyond the logical form, including the suitability of circuits for checking on the basis of their power consumption. Power-consumption-oriented checkability (power-checkability), which allows detection of faults in chains of the common signals, is defined. Its analytical assessment for circuits implemented in FPGA is offered. Experiments estimating power-checkability for FPGA implementations of iterative array multipliers with various activities of input signals are carried out.


INTRODUCTION
The checkability of a digital circuit is its suitability for monitoring the presence of a fault in it. The importance of this indicator increases with the expansion of the area of critical information technology applications that underlie instrumentation and control safety-related systems. These systems manage high-risk objects, including transportation infrastructures, power grids and power plants, as well as other areas relevant to people's livelihoods. Safety-related systems are focused on ensuring the safety of the control object. Solving this problem also requires ensuring functional safety for the control system itself.
The number of critical applications is increasing. Their growing complexity and power create the prerequisites for increasing the risk of accidents.
Safety, which becomes the main argument in the prevention of man-made disasters, is based on the use of fault tolerant solutions.
The main threat to their effectiveness comes from hidden processes that can lead to the accumulation of many hidden faults. The number of these faults may exceed the capacity of fault-tolerant solutions to parry them. Such circumstances arise because of insufficient checkability of the circuits in the components of safety-related systems.
Therefore, ensuring safety requires improving circuit checkability, which can be significantly reduced by the growing complexity of the circuits themselves. Fault-tolerant solutions become effective in ensuring the safety of safety-related systems only when the condition of the system's checkability is met, which begins with the checkability of its components.

RELATED WORKS, GOAL AND STRUCTURE OF THE PAPER
Requirements for safety-related systems are regulated by international standards that define safety and measures to ensure it for the system and for the control object to prevent accidents and reduce the consequences if they occur [1].
Safety-related systems can be considered as a development of computer systems in which the operating mode is divided into two modes, normal and emergency, which differ significantly. The normal mode is the longest and can be considered as waiting in relation to the emergency mode. The emergency mode is the most critical and the least studied. In these modes, digital circuits can receive different input data; for example, they can operate in normal mode at the noise level and receive useful signals only when the emergency mode starts [2,3].
The limited set of input data makes the digital circuit structurally redundant. This reduces the checkability of the circuit.
As a rule, safety is supported by fault-tolerant solutions based on configurable units, correcting codes, majority structures and multi-version technologies [4,5]. Multi-version solutions make it possible to resist common cause failures that may occur, for example, due to design errors [6].
Fault-tolerant circuit solutions significantly complicate the digital components of safety-related systems, repeatedly increasing their structural redundancy and complexity.
Generally, the checkability of a digital circuit is defined as its suitability for performing logical checking, which is considered as the possibility of detecting a fault, using for this the error of the result calculated at the output of this circuit in testing or operating mode [7,8].
Logical checkability is best known as testability, i.e., suitability for the development of tests that detect faults in the process of testing the circuit. Testability is the simplest form of logical checkability. It depends only on the structure of the circuit and is therefore called structural checkability [9].
In on-line testing [10,11], the logical checkability of the digital circuit becomes structurally-functional, since it depends not only on the structure of the circuit, but also on the input data processed in an operating mode. The possibilities of on-line testing of digital circuits are completely limited by their structurally-functional checkability.
Safety-related systems, as well as other cyber-physical systems, including IoT, receive input data from sensors. These data are measurement results, i.e., they are approximate data, which are usually processed in floating-point formats [12,13].
Performing operations in floating-point arithmetic greatly complicates circuit design solutions, both in organizing the main calculations and in checking them. Mantissa processing is most efficiently performed by using truncated operations [14,15]. These operations retain single accuracy of computations; however, they significantly complicate checking schemes, including residue checking, which is the main method of on-line testing of arithmetic nodes [16,17].
The complication of the circuits in the main and checking operations reduces their logical checkability.
Logical checkability was developed further in the theory and practice of creating totally self-checking circuits [18]. Self-checking of these circuits increases structurally-functional checkability in error detection schemes when the self-testing condition is met [19].
However, in safety-related systems, structurally-functional checkability becomes dual-mode, i.e., different for the normal and emergency modes due to different input data. This difference creates the problem of hidden faults, which can accumulate over the course of a long-term normal mode and manifest themselves by reducing the fault tolerance of the circuits in the most critical emergency modes [20].
The main approach to solving the hidden fault problem is the use of imitation modes, which recreate emergencies and have more than once led to them as a result of unauthorized activation of the emergency mode by a person or a fault [21,22].
The use of hazardous imitation modes aimed at improving the checkability of safety-related systems indicates a lack of confidence in the effectiveness of the fault-tolerant solutions and the lack of checkability to support this effectiveness.
We can distinguish two groups of methods of the logical checkability improvement for solving the problem of hidden faults without use of the imitation modes.The first group of methods is aimed at improving the structurally-functional checkability of circuits in normal mode to counteract the accumulation of hidden faults.
Another group of methods aligns the structurally-functional checkability of the normal and emergency modes so that the hidden faults of the normal mode remain hidden in the emergency mode and the faults of the emergency mode are detected during the long-term normal mode [20].
Both groups of methods are focused on the implementation of digital components on FPGA (Field Programmable Gate Array) using modern CAD (Computer-Aided Design) systems. This feature makes them attractive for safety-related systems, which gain a number of advantages when designed on FPGA [23].
However, these methods are significantly limited by the complexity of modern circuits, by a number of requirements imposed on safety-related systems by standards, and by the capabilities of logical checkability, which depends to a certain degree on faults arising in chains of the common signals, such as reset and synchronization signals [24].
Thus, ensuring the checkability of circuits for safety-related systems is an important and urgent task that has to be solved without the use of dangerous imitation modes. Ensuring logical checkability faces the considerable complexity of modern circuit solutions in the building of fault-tolerant components, as well as the limitations of the standards governing their development for safety-related systems. These arguments stimulate the search for new solutions, including those outside the logical form of checkability.
The goal of this article is to develop a new form of checkability, defined as the suitability of a circuit for checking based on an assessment of its power consumption, which allows detecting faults in chains of the common signals. The major scientific contribution is made to solving the hidden fault problem concerning common signals on the basis of the assessment and use of checkability associated with the power consumption of FPGA components in safety-related systems.
Section 3 defines power-consumption-oriented checkability (power-checkability) and gives its analytical evaluation for circuits designed on FPGA. Section 4 describes experiments with FPGA projects to evaluate their power-checkability and analyzes the results of these experiments.

POWER-CHECKABILITY DEFINITION
The circuit checkability can be estimated by the ratio of the PF volume of ranges of impossible power consumption values, which uniquely characterizes the circuit as faulty, to the PT volume of a whole range of power consumption values, PT = PF + PC, where PC is the volume of a range of possible power consumption values.
The range RC of possible values of power consumption allocates two ranges of impossible values in the entire range RT: upper RU and lower RL, whose volumes PU and PL make up the volume PF = PU + PL. The volumes PU and PL, referred to the entire volume PT, determine the upper and lower checkability of the circuit, respectively.
Upper checkability determines the detection of faults that significantly increase power consumption, for example, in the event of a short circuit.
Lower checkability is focused on faults that significantly reduce power consumption. This reduction occurs in the dynamic component of power consumption, which is proportional to the number of signal switching transitions in the circuit. A significant reduction in the number of transitions is caused by faults that disrupt common signal circuits, such as reset and synchronization signals.
Faults in common signals pose a significant threat to safety-related systems, as they can be hidden from logical checking due to its blocking in a state that indicates the absence of a fault.
Thus, logical checkability does not cover the set of faults arising in common signal circuits. For their detection, it is necessary to develop alternative forms of checkability, including power-oriented checkability. Further, we consider the lower checkability, which is important for detection of faults in chains of the common signals.
Taking into account the constant value of the supply voltage, the values of consumed power are replaced in the assessment of checkability with the values of current consumption. Lower checkability, which takes into account the influence of only the dynamic component of the power consumption, is accordingly determined using the dynamic component of the current consumption as follows:

СP.L = ID MIN / ID MAX,
where ID MIN and ID MAX are the minimum and maximum values of the dynamic component of the current consumption, respectively.
Power-checkability CP.L essentially depends on the conditions of the circuit design. We consider Quartus Prime 17.1 Lite Edition (Intel FPGA) [25], which estimates power consumption using its PowerPlay Power Analyzer utility [26]. Similar utilities, for example, XPower Analyzer, are also used in other recognized CAD systems, in this case in Xilinx ISE [27].
It should be noted that Intel FPGA (former Altera) and Xilinx are world leaders in FPGA design and produce 38% and 49% of products in this market, respectively [28].
Power monitoring of the circuit can be performed in its operating mode by measuring the current consumption. We can judge the dynamic component ID by subtracting the static component IS, which can be estimated beforehand by means of the PowerPlay Power Analyzer utility, from the measured current consumption IT.
We can assess checkability using simulation and measurement results taking into account their errors.
The minimum value ID MIN of the dynamic component of the current consumption can be estimated as follows:
where ΔIT and ΔIS are the absolute values of the error of the current consumption IT and of its static component IS, respectively.
Formula (1), taking into account the equality IT - IS = ID, is converted to the following form:
The maximum value ID MAX of the dynamic component of the current consumption can be obtained similarly, taking into account the increasing errors and a possible increase in the activity of signals at the circuit inputs:
where ID*, ΔIT*, ΔIS* are the dynamic component of the current consumption, the absolute value of the error of the current consumption and the absolute value of the error of its static component for the case of increased activity of the input signals.
Then the lower power-oriented checkability is evaluated with regard to (2) and (3) by the following formula:

CP.L = (ID - ΔIT - ΔIS) / (ID* + ΔIT* + ΔIS*). (4)
The PowerPlay Power Analyzer utility estimates the current consumption IT, as well as its dynamic ID and static IS components, with an error of Δ = ±2.5%. Sensors for measuring current consumption work with the same error.
Then, formula (4), taking into account ΔIT = ΔIS = 2.5% and ΔIT* = ΔIS* = 2.5%, takes the following form:
The parameters ID, IS and IT of power-checkability CP.L can change their values under the influence of the activity of the signals that are fed to the inputs of the circuit. Therefore, the power-checkability CP.L should be investigated with different input signal activity. The final result is the smallest power-checkability CP.L.
The assessment methodology contains the following sequence of steps:
- Designing in Quartus Prime a project of a multiplier of a given range.
- Compiling the project in Quartus Prime, which results in determining the allowed synchronization frequency for the project.
- Setting up the time parameters (frequency) in the TimeQuest Timing Analyzer utility.
- Re-compiling the project with the established time parameters.
- Setting up in the PowerPlay Power Analyzer utility a given value for the activity of the informational (input / output and internal) signals of the project as a percentage of the clock signal activity (frequency).
- Running a simulation in PowerPlay Power Analyzer, which determines the total current consumption of the core IT and its static IS and dynamic ID components.
- Calculating by formula (4) the checkability value for the given multiplier design and the given activity of the informational signals.
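The last step of the methodology, together with the operating-mode monitoring described earlier in this section, as an added Python example that is not part of the original paper. It assumes the ±2.5% error is relative to each current value; the current values are constructed for illustration and are not the paper's Tables 1-4, and all function and class names are hypothetical.

```python
from dataclasses import dataclass

REL_ERR = 0.025  # +/-2.5% error of the power analyzer and of the current sensor


@dataclass(frozen=True)
class SimRow:
    """One power-analyzer run: input activity (% of clock) and core currents in mA."""
    activity: float
    i_total: float   # I_T
    i_static: float  # I_S

    @property
    def i_dynamic(self) -> float:  # I_D = I_T - I_S
        return self.i_total - self.i_static


def id_min(row, err=REL_ERR):
    """Lowest fault-free dynamic current: I_D - dI_T - dI_S (numerator of formula 4)."""
    return row.i_dynamic - err * row.i_total - err * row.i_static


def id_max(row, err=REL_ERR):
    """Highest dynamic current: I_D* + dI_T* + dI_S* (denominator of formula 4)."""
    return row.i_dynamic + err * row.i_total + err * row.i_static


def lower_checkability(base, raised, err=REL_ERR):
    """Formula (4): C_P.L for a base activity and a raised activity."""
    return id_min(base, err) / id_max(raised, err)


def worst_case(rows, err=REL_ERR):
    """Smallest C_P.L over all raised activities, relative to the lowest-activity run."""
    ordered = sorted(rows, key=lambda r: r.activity)
    base, raised = ordered[0], ordered[1:]
    if not raised:
        raise ValueError("need at least one run with raised input activity")
    return min(lower_checkability(base, r, err) for r in raised)


def common_signal_fault(measured_total, base, err=REL_ERR):
    """True when the measured current implies a dynamic component in the lower
    range of impossible values, as expected when clock or reset stops toggling."""
    return (measured_total - base.i_static) < id_min(base, err)


# Constructed sample values (mA); NOT the paper's Tables 1-4.
ROWS = [
    SimRow(0.0, 20.0, 10.0),
    SimRow(50.0, 24.0, 10.0),
    SimRow(100.0, 28.0, 10.0),
]

if __name__ == "__main__":
    base = ROWS[0]
    for r in ROWS[1:]:
        print(f"dA_I={r.activity:5.1f}%  C_P.L={lower_checkability(base, r):.2%}")
    print(f"worst case C_P.L = {worst_case(ROWS):.2%}")
    print("27.0 mA ->", common_signal_fault(27.0, base))
    print("12.0 mA ->", common_signal_fault(12.0, base))
```

The threshold used by `common_signal_fault` is the same ID MIN bound that forms the numerator of formula (4), so a wider lower range of impossible values directly means more margin for the monitor.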

EXPERIMENTAL ASSESSMENT OF LOW POWER-CHECKABILITY
Power-checkability СP.L is determined for iterative array multiplier circuits of binary numbers based on simulation results that were run on Intel Max 10 10M50DAF672I7G FPGA containing 288 9-bit multiplication blocks with input and output buffer registers [29].
The multiplication blocks in Quartus Prime are designed on the basis of the LPM_MULT multiplier from the Intellectual Property Core (IP-Core) of the Library of Parameterized modules (LPM), which is a part of Quartus Prime [30].
In the course of the experiments, FPGA projects of iterative array multipliers with operand sizes n = 16, 32, 48 and 64 were implemented. The input signal activity AI was set using the PowerPlay Power Analyzer utility in the range from 0% to 100% in relation to the synchronization signal of the multiplier registers, with increments of 12.5%.
The simulation results, which are the parameters ID, IS and IT for the core of the FPGA chip, are shown in Tables 1-4 for n from 16 to 64 bits, respectively. Power-checkability CP.L is calculated for ID MIN, which is estimated at zero activity of the input signals, and ID MAX, obtained when the activity AI of the input signals increases by the value ΔAI in steps of 12.5% from 0 to 100%.
The results of the power-checkability assessment, represented as a percentage, are shown in Table 5. The graphs show the monotonic nature of the change in checkability, which rises as the possible change in the activity of the input signals decreases.
At the same time, even in an exceptional case of АI = 100%, power-checkability shows values from 36.67% to 44.95% which keep the considerable range of values of a dynamic component in the current consumption for detection of faults in chains of the common signals.
It should be noted that power-checkability, as a rule, grows with an increase in the operand size of the multipliers. The only exception is operand size 16 for ΔAI ≥ 50%.

CONCLUSION
The checkability of the circuit plays a pivotal role in providing the effectiveness of fault-tolerant solutions used in safety-related systems to ensure the safety of the system itself and the control objects.
The understanding of the logical checkability of circuits developed from testability to the structurally-functional and dual-mode structurally-functional models, which made it possible to identify the problem of hidden faults and ways to solve it without using dangerous imitation modes.
However, the possibilities of improving logical checkability are limited by the growing complexity of modern circuit solutions.
In addition, logical checkability and the solutions developed within its framework, including methods for its improvement and on-line testing methods, are limited in detecting faults that arise in chains of the common signals, which play an important role in the functioning of digital circuits. These faults can block the check circuits and the error detection results.
The proposed development of circuit checkability through estimation of power consumption is supported by the necessary evaluation tools in modern systems for designing digital components on FPGA.
Power-checkability makes it possible to detect faults in the circuits of common signals by the reduction in the dynamic component of power consumption.
Analytical assessment of power-checkability is based on the current consumption and its dynamic and static components, which reflect the power consumption at a constant supply voltage.
Experiments for power-checkability evaluations based on the dynamic component of the consumed current were performed on Quartus Prime 17.1 Lite Edition (Intel FPGA) CAD software using an intelligent LPM_MULT module for a range of iterative array multipliers sizes and activity levels of the input circuit signals.
The experiments that were carried out showed a high level of power-checkability, which rises as the change in the activity of the input signals decreases and, as a rule, grows with the increase in circuit complexity.
In the most widespread cases, if a change in the activity of the input signals does not exceed 25% and 50%, power-checkability exceeds 50% and 65%, respectively. Thus, more than half of the range of values of the dynamic component of the current consumption lies in the area of impossible values, which allows detecting faults in chains of the common signals.
Complication of iterative array multipliers while increasing the size of operands from 32 to 64 bits raises power-checkability of their circuits unlike a logical checkability which decreases with the growth of circuit complexity.

Figure 1 - The results of evaluating the power-checkability of the multipliers when the activity of the input signals changes