Scientific article: 'Self-checking and fail-safe synchronous sequential circuit design'

Text of a scientific article in the specialty "Electrical engineering, electronics, information technology". License: CC BY.

Authors of the scientific work: Matrosova A., Andreeva V., Goloubeva O., Nikitin K., Ostanin S.

SELF-CHECKING AND FAIL-SAFE SYNCHRONOUS SEQUENTIAL CIRCUIT DESIGN

MATROSOVA A., ANDREEVA V., GOLOUBEVA O., NIKITIN K., OSTANIN S., SEDOV Yu.

Tomsk State University; mau@fpmk.tsu.ru

Abstract. We investigated the problem of self-checking and fail-safe synchronous sequential circuit design, restricted to unidirectional faults and oriented to the following prime objectives: a) using CAD tools for non-self-checking circuit design, b) cutting the overhead of self-checking or fail-safe circuits as much as possible.

1. Self-checking synchronous sequential circuit design

The increasing complexity of digital systems and the critical applications in which they are used demand high reliability. An error should be detected as soon as it is produced by a failure, before it propagates through the system. This is achieved with concurrent error detection techniques, which detect both permanent and temporary faults during normal operation. Self-checking design is one such technique.

Consider the self-checking synchronous sequential circuit (SSC) shown in Fig. 1.

Fig. 1. Self-checking SSC with observing all outputs of combinational part

The circuit consists of three portions: the output functions portion (its outputs are y1,...,ym), the redundancy portion (its outputs are ym+1,...,ys) that encodes the SSC outputs, and the transition functions portion that represents the next states. Together these portions form unordered code words, which may be Berger code words, constant weight code words or a combination of both.

Self-checking SSC design begins from a State Transition Graph (STG) description of the Finite State Machine (FSM), followed by proper encoding of states and outputs. Then we need to choose a mode of implementation of the SSC (GATE, FPGA, PLA) and, connected with that, a set V of permissible faults. After that we have to choose or develop a proper synthesis method for the combinational part (K) of the SSC that provides a unidirectional manifestation of any fault from V (a method that ensures the self-checking properties of the SSC). As a result we derive a self-checking SSC. During self-checking SSC design we cut overhead as much as possible.

First we investigated the GATE implementation of a self-checking SSC, having extended the traditional set V of faults (consisting of single stuck-at faults at the gate poles of the combinational part of the SSC and single stuck-at faults at the d-flip-flops) to single stuck-at faults at the input poles of the SSC. For this set of faults we need the additional input poles $x_{n+1},\dots,x_r$ (Fig. 1). It is desirable to cut their number. A special algorithm cutting the number of additional input poles was suggested in [1]. Notice that there is no way to provide the self-testing property for single stuck-at faults at the SSC input poles when duplication of the SSC is used.

If the number of additional input poles is increased only insignificantly compared with the minimal number of additional inputs, it is possible to observe only the outputs of the self-checking SSC, cutting the complexity of the checker (Fig. 2).

Fig. 2. Self-checking SSC with observing only outputs

Providing the self-testing property for such an SSC allows designing self-checking networks (Fig. 3) in which only the network outputs are observed [2]. The network's self-checking components with additional inputs are shown in Fig. 2. But such a network demands increasing the number of input poles of each component and, consequently, correcting the input-output sequences applied to the network.

The permissible set V of faults for which the self-checking properties are provided depends on the mode of circuit implementation: GATE, PLA or FPGA.

In the case of an FPGA implementation of a self-checking SSC (Fig. 1) the permissible set V of faults mainly consists of single functional faults of CLBs (only one CLB may be faulty). If a CLB is faulty, its own function is changed for another function of the same number of variables. Single stuck-at faults at the d-flip-flop poles and at the input poles of the SSC are also included in V.

FPGA implementation of discrete circuits is conventionally oriented to multilevel synthesis methods. We proved the self-checking properties of the SSC (Fig. 1) for this set V when the combinational part of the SSC is obtained with a multilevel synthesis method [3, 4]. The method is based on a BDD description of the combinational circuit K functions, followed by covering this description with CLBs. That is, we proved that any $v \in V$ manifests itself as a unidirectional fault at the combinational circuit K outputs.

R&I, 2003, No. 3

Fig. 3. Self-checking network (network outputs: output 1, output 2)

A special class of unidirectional faults is separated [5-7]. They are called A, B- faults.

Let $F(X,Z) = \{f_1(X,Z),\dots,f_{s+p}(X,Z)\}$ be the system of Boolean functions describing the behaviour of the combinational part of a sequential circuit (combinational circuit K from Fig. 1 or Fig. 2) and $F_v(X,Z)$ the similar system for a fault $v$, $F(X,Z) \ne F_v(X,Z)$. The system $F_v(X,Z)$ has to possess a special property to provide a unidirectional manifestation of the fault $v$ at the circuit K outputs.

Consider Boolean vectors $a_1$ and $a_2$, $a_1 = a_{11},\dots,a_{1n}$, $a_2 = a_{21},\dots,a_{2n}$. We write $a_1 \le a_2$ if $a_{1i} \le a_{2i}$ for every $i$; for example, $101001 \le 111101$. Boolean vectors $a_1$ and $a_2$ are comparable if either $a_1 \le a_2$ or $a_2 \le a_1$; otherwise the vectors are noncomparable.

If for a certain fault $v$ and any vector $a$ we have either $F(a) \le F_v(a)$ or $F_v(a) \le F(a)$, then the fault $v$ is unidirectional.

A system $F(X,Z)$ is monotonous if for any comparable vectors $a_1, a_2$ such that $a_1 \le a_2$ we have $F(a_1) \le F(a_2)$. For example, the system

$$f_1 = x_1 \lor x_3 \lor x_5 \lor x_6 \lor z_1 z_2, \qquad f_2 = x_1 x_2 \lor z_1$$

is monotonous.

A system $F_2(X,Z)$ implicates a system $F_1(X,Z)$ if for any $a$ the condition $F_1(a) \le F_2(a)$ holds. The system

$$f_1 = x_1 \lor x_3 \lor x_5 \lor x_6 \lor z_2, \qquad f_2 = x_1 \lor z_1$$

implicates the above mentioned system.

If for any $a_1, a_2$ such that $a_{1i} = a_{2i}$, $i \in \{1,\dots,n\}$, and $a_{1j} \le a_{2j}$, $j \in \{n+1,\dots,n+p\}$, we have $F(a_1) \le F(a_2)$, then the system $F(X,Z)$ is partially monotonous in $Z$ variables. For example, the system

$$f_1 = z_1 \lor z_2 \lor z_3 \lor x_1 \lor x_2, \qquad f_2 = z_1 z_2$$

is partially monotonous in $Z$ variables.

Let $F(X,Z)$ and $F_v(X,Z)$ be partially monotonous systems in $Z$ variables. Then

$v \in V$ is an A-fault if $F_v(X,Z) \le F(X,Z)$,

$v \in V$ is a B-fault if $F(X,Z) \le F_v(X,Z)$.

We show that such faults form a set of faults that is widespread in practice.

First we show that a system partially monotonous in Z variables may be obtained directly from the STG description of an FSM. We illustrate this with the following example. We have the STG description in Table 1. Having encoded the states with code words of the same weight, we get Table 2.

Table 1

x1 x2 x3 | q  q' | y1 y2 y3 y4 y5
0  -  -  | 1  1  | 0  0  0  1  0
-  0  -  | 1  1  | 0  0  0  1  0
1  1  -  | 1  2  | 1  0  0  1  0
-  -  0  | 2  2  | 0  0  1  1  0
-  -  1  | 2  3  | 1  0  1  1  0
1  0  -  | 3  3  | 0  1  0  0  0
0  -  -  | 3  4  | 1  1  0  0  0
-  1  -  | 3  4  | 1  1  0  0  0
-  -  0  | 4  4  | 0  1  0  0  1
-  -  1  | 4  1  | 1  1  0  0  1

Table 2 represents a partially determined system of Boolean functions. Having changed the 0 values of the state variables in Table 2 for don't care values, we obtain Table 3. Any line of Table 3 may be interpreted as an implicant of the system F(X,Z), and all lines together represent this system as a whole. The system implements the partially determined system of Boolean

Table 2

x1 x2 x3 | z1 z2 z3 z4 | z'1 z'2 z'3 z'4 | y1 y2 y3 y4 y5 y6 y7
0  -  -  | 1  0  0  0  | 1   0   0   0   | 0  0  0  1  0  1  1
-  0  -  | 1  0  0  0  | 1   0   0   0   | 0  0  0  1  0  1  1
1  1  -  | 1  0  0  0  | 0   1   0   0   | 1  0  0  1  0  1  0
-  -  0  | 0  1  0  0  | 0   1   0   0   | 0  0  1  1  0  1  0
-  -  1  | 0  1  0  0  | 0   0   1   0   | 1  0  1  1  0  0  0
1  0  -  | 0  0  1  0  | 0   0   1   0   | 0  1  0  0  0  1  1
0  -  -  | 0  0  1  0  | 0   0   0   1   | 1  1  0  0  0  1  0
-  1  -  | 0  0  1  0  | 0   0   0   1   | 1  1  0  0  0  1  0
-  -  0  | 0  0  0  1  | 0   0   0   1   | 0  1  0  0  1  1  0
-  -  1  | 0  0  0  1  | 1   0   0   0   | 1  1  0  0  1  0  0

functions described in Table 2. F(X,Z) is partially monotonous in Z variables.

Table 3

x1 x2 x3 | z1 z2 z3 z4 | z'1 z'2 z'3 z'4 | y1 y2 y3 y4 y5 y6 y7
0  -  -  | 1  -  -  -  | 1   0   0   0   | 0  0  0  1  0  1  1
-  0  -  | 1  -  -  -  | 1   0   0   0   | 0  0  0  1  0  1  1
1  1  -  | 1  -  -  -  | 0   1   0   0   | 1  0  0  1  0  1  0
-  -  0  | -  1  -  -  | 0   1   0   0   | 0  0  1  1  0  1  0
-  -  1  | -  1  -  -  | 0   0   1   0   | 1  0  1  1  0  0  0
1  0  -  | -  -  1  -  | 0   0   1   0   | 0  1  0  0  0  1  1
0  -  -  | -  -  1  -  | 0   0   0   1   | 1  1  0  0  0  1  0
-  1  -  | -  -  1  -  | 0   0   0   1   | 1  1  0  0  0  1  0
-  -  0  | -  -  -  1  | 0   0   0   1   | 0  1  0  0  1  1  0
-  -  1  | -  -  -  1  | 1   0   0   0   | 1  1  0  0  1  0  0
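The definitions of comparable vectors, unidirectional faults, partial monotonicity in Z and A, B-faults given above, together with the Table 3 system, can be checked mechanically. The following Python script is an added example and is not code from the paper or its authors. It transcribes Table 3 as a list of cubes, evaluates F(X,Z) as a sum of products, verifies by exhaustive enumeration that the system is partially monotonous in Z but not monotonous, and classifies two constructed faults as A- or B-faults. The fault model (the output of the AND gate implementing one table line stuck at 0 or at 1) and the check that every reachable output is a weight-4 code word over the 11 lines z'1..z'4, y1..y7 are assumptions of this example, not statements of the paper.

```python
from itertools import product

# Table 3 of the paper transcribed as cubes: (x1x2x3, z1z2z3z4, z'1z'2z'3z'4, y1...y7).
# "-" is a don't-care literal. Each line is one implicant of the system F(X,Z); the value of
# the system on a vector is the OR of the (z', y) parts of every line whose cubes cover it.
TABLE3 = [
    ("0--", "1---", "1000", "0001011"),
    ("-0-", "1---", "1000", "0001011"),
    ("11-", "1---", "0100", "1001010"),
    ("--0", "-1--", "0100", "0011010"),
    ("--1", "-1--", "0010", "1011000"),
    ("10-", "--1-", "0010", "0100011"),
    ("0--", "--1-", "0001", "1100010"),
    ("-1-", "--1-", "0001", "1100010"),
    ("--0", "---1", "0001", "0100110"),
    ("--1", "---1", "1000", "1100100"),
]
NX, NZ = 3, 4                               # input variables and state variables (p = 4)
CODE_WEIGHT = 4                             # assumption: 1/4 state code + 3/7 output code
ONE_HOT = ["1000", "0100", "0010", "0001"]  # the encoded states of Table 2


def cube_matches(cube, bits):
    return all(c == "-" or c == b for c, b in zip(cube, bits))


def evaluate(system, x, z):
    """F(X,Z) on one vector (x, z): OR of the output parts of all matching lines."""
    out = [0] * (NZ + 7)
    for xc, zc, z_next, y in system:
        if cube_matches(xc, x) and cube_matches(zc, z):
            for i, bit in enumerate(z_next + y):
                out[i] |= int(bit)
    return tuple(out)


def leq(a, b):
    """Componentwise order on Boolean vectors: a <= b iff a_i <= b_i for every i."""
    return all(u <= v for u, v in zip(a, b))


def vectors(n):
    return ["".join(t) for t in product("01", repeat=n)]


def truth_table(system):
    return {(x, z): evaluate(system, x, z) for x in vectors(NX) for z in vectors(NZ)}


def is_monotonous(system):
    """F(a1) <= F(a2) for every comparable pair a1 <= a2 of full (x, z) vectors."""
    tt = truth_table(system)
    return all(leq(tt[a1], tt[a2]) for a1 in tt for a2 in tt
               if leq(a1[0] + a1[1], a2[0] + a2[1]))


def is_partially_monotonous_in_z(system):
    """The same test restricted to pairs that agree on X and are ordered on Z."""
    tt = truth_table(system)
    return all(leq(tt[(x, z1)], tt[(x, z2)])
               for x in vectors(NX) for z1 in vectors(NZ) for z2 in vectors(NZ) if leq(z1, z2))


def classify_fault(system, faulty):
    """A-fault: Fv <= F on every vector; B-fault: F <= Fv on every vector; else bidirectional."""
    tt, ttv = truth_table(system), truth_table(faulty)
    a_ok = all(leq(ttv[a], tt[a]) for a in tt)
    b_ok = all(leq(tt[a], ttv[a]) for a in tt)
    if a_ok and b_ok:
        return "no effect"
    return "A-fault" if a_ok else ("B-fault" if b_ok else "bidirectional")


# Constructed fault model (an assumption of this example): a stuck-at-0 on the output of the
# AND gate implementing line `idx` deletes that product; a stuck-at-1 makes it always true.
def product_stuck_at_0(system, idx):
    return system[:idx] + system[idx + 1:]


def product_stuck_at_1(system, idx):
    _, _, z_next, y = system[idx]
    return system[:idx] + [("-" * NX, "-" * NZ, z_next, y)] + system[idx + 1:]


def is_codeword(out):
    return sum(out) == CODE_WEIGHT


def first_detecting_input(faulty):
    """First reachable input (any x, one-hot state) on which the faulty circuit leaves the code."""
    for z in ONE_HOT:
        for x in vectors(NX):
            if not is_codeword(evaluate(faulty, x, z)):
                return (x, z)
    return None


if __name__ == "__main__":
    print("monotonous:", is_monotonous(TABLE3))
    print("partially monotonous in Z:", is_partially_monotonous_in_z(TABLE3))
    for name, fault in (("s-a-0", product_stuck_at_0(TABLE3, 2)),
                        ("s-a-1", product_stuck_at_1(TABLE3, 2))):
        print(name, "on line 3:", classify_fault(TABLE3, fault),
              "detected at", first_detecting_input(fault))
```

Because every z-cube in Table 3 contains only positive literals or don't cares, raising any state variable can only enable more lines, which is exactly why the partial monotonicity check passes while the full monotonicity check fails (the x-cubes contain negative literals). Deleting a product yields Fv <= F, so the stuck-at-0 fault is an A-fault; forcing a product to 1 yields F <= Fv, a B-fault; in both cases the first reachable input on which the output leaves the weight-4 code is reported.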

A system F(X,Z) as a rule contains no more letters than the system derived from the same STG by a non-self-testing encoding of states with the minimal number of state variables. Table 4 illustrates this.

Table 4 is divided into 3 portions. The first portion describes the STG parameters: n is the number of input variables, m the number of output variables, l the number of products and s the number of states of the FSM. The second portion describes the parameters of the systems obtained from the STGs by encoding states with the minimal number of state variables: p is the number of state variables and ℓ the number of letters. The third portion gives the same parameters for the systems F(X,Z).

Consider the GATE implementation of the system F(X,Z). The set V of faults consists of all single stuck-at faults at the gate poles of the combinational part of the circuit (combinational circuit K) and all single stuck-at faults at the d-flip-flop input and output poles, so V is the conventional set of faults.

We have proved that any fault $v \in V$ is either an A-fault or a B-fault if a) the two-level factorized method is applied to the system F(X,Z) [5, 6], or b) the multilevel factorized synthesis method is applied to the system F(X,Z) [7].

If every fault from the set V considered is an A, B-fault, then it is enough to monitor only the outputs of the synchronous sequential circuit (Fig. 2 without additional input poles). This demands a simpler self-testing checker.

We call the set of all input-output sequences of a synchronous sequential circuit M. Let a certain fault v be undetectable on these sequences when only the outputs are monitored. We call such a fault an undetectable one.

We have proved that if some undetectable faults exist in the circuit and a new fault from V appears, then the resulting multiple fault manifests itself as a unidirectional one at the synchronous sequential circuit outputs. We suppose that any next fault from V appears after the set M with the previous faults is exhausted. This means that preserving undetectable faults is not dangerous.

2. Universal decomposition method of self-testing m/n-code checker design oriented to FPGA implementation

The design of self-testing combinational m/n-code checkers is, as a rule, based on determining the weight of the checker's input code words. For this aim either threshold circuits or circuits based on parallel counters are applied. All these checkers are oriented to GATE implementation, and the self-testing property of such a checker is basically connected with single stuck-at faults at the gate poles.

FPGA technology opens new possibilities for self-testing checker (STC) design by exploiting the ability of each CLB to implement one or two arbitrary Boolean functions of a fixed number of variables.

A universal decomposition method is developed for designing checkers for any m/n code [8, 9]. A decomposition formula is suggested, followed by its specialized implementation with CLBs.

Notice that the number of all different m/n code words is equal to $C_n^m$. They can be represented as a sum of $C_n^m$ products of rank $n$. Denote this sum as $D_n^m(X)$.

For example, $D_{10}^5(X)$ consists of 252 products of rank 10 and contains 2520 letters. This expression cannot be reduced within the sum-of-products form, because any two products of $D_n^m(X)$ are at least bidirectional (they contain opposite literals of at least two variables, so no pair of them merges into a shorter product).


For a compact description of all m/n, $1 \le m < n$, code words a special formula A is proposed. The formula comprises brackets, the symbols $\land$, $\lor$ and decomposition functions.

A decomposition function $D_p^q(X_r)$ is the sum of products corresponding to all q/p code words, $p \le k$, $0 \le q \le p$, $X_r \subset X$, $X = \{x_1,\dots,x_n\}$.

Table 4

Example   |  I: n   m   s    l  |  II: p     ℓ  |  III: p     ℓ
BBTAS     |     2   2   6    24 |      3   120  |       4    96
DK27      |     1   2   7    14 |      3    56  |       5    42
DK512     |     1   3  15    30 |      4   150  |       6    90
DONFILE   |     2   1  24    96 |      5   672  |       7   490
KEYB      |     7   2  19   170 |      5  1344  |       6  1004
LION      |     2   1   4    11 |      2    40  |       4    29
LION9     |     2   1   9    25 |      4   150  |       5   100
MODULO12  |     1   1  12    24 |      4   120  |       6    72
S8        |     4   1   5    20 |      3   140  |       4   120
SAND      |    11   9  32   184 |      5  1623  |       7  1255
SHIFTREG  |     1   1   8    16 |      3    64  |       5    48
SSE       |     7   7  16    56 |      4   350  |       6   294
STYR      |     9  10  30   166 |      5  1390  |       7  1058
TAV       |     4   4   4    49 |      2   258  |       4   211
TBK       |     6   3  32  1569 |      5 16107  |       7 12969
TRAIN11   |     2   1  11    25 |      4   150  |       6   100
TRAIN4    |     2   1   4    14 |      2    56  |       4    42

In particular, $k$ may be the number of CLB inputs and $D_p^q$ the function implemented at one of the CLB outputs.


Table 5

Checker $D_n^m$                  D2 D2 D2 d9 d6 D4 Di50 d6 d12
Decomposition method, CLBs:     2   6   6   8   6   9   18  25
Decomposition method, LUTs:     4   9   9   12  9   14  25  32
Covered GATE checkers, CLBs:    7   10  5   14  24  36
Covered GATE checkers, LUTs:    14  19  10  26  48  69

A formula derivation

Obtain formula A for $D_n^m(X)$. For this aim first divide the set $X$ into two subsets $X^1$, $X^*$: $X^1 = \{x_1,\dots,x_k\}$, $X^* = \{x_{k+1},\dots,x_n\}$.

$$D_n^m(X) = \bigvee_{i,j:\; i+j=m} D_k^i(X^1)\, D_{n-k}^j(X^*) \qquad (1)$$

Here the symbol $\land$ between $D_k^i(X^1)$ and $D_{n-k}^j(X^*)$ is omitted.

If $n-k > k$, then execute the next step of decomposition (1) for each $D_{n-k}^j(X^*)$, and so on. As a result we obtain the formula A in which for any $D_p^q(X_r)$ the condition $p \le k$ holds.

Consider the example. Obtain A for $D_6^3$, $k = 2$. First $X^1 = \{x_1,x_2\}$, $X^* = \{x_3,x_4,x_5,x_6\}$.

$$D_6^3 = D_2^0(X^1)\,D_4^3(X^*) \lor D_2^1(X^1)\,D_4^2(X^*) \lor D_2^2(X^1)\,D_4^1(X^*).$$

Then $X^2 = \{x_3,x_4\}$, $X^3 = \{x_5,x_6\}$. Execute the next step of decomposition (1) for $D_4^3(X^*)$, $D_4^2(X^*)$, $D_4^1(X^*)$. We have the following:

$$A = D_6^3 = D_2^0(X^1)\big(D_2^1(X^2)D_2^2(X^3) \lor D_2^2(X^2)D_2^1(X^3)\big) \lor D_2^1(X^1)\big(D_2^0(X^2)D_2^2(X^3) \lor D_2^1(X^2)D_2^1(X^3) \lor D_2^2(X^2)D_2^0(X^3)\big) \lor D_2^2(X^1)\big(D_2^0(X^2)D_2^1(X^3) \lor D_2^1(X^2)D_2^0(X^3)\big).$$

The structure of this formula can be represented by a tree (Fig. 4).
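Decomposition (1) and the $D_6^3$, $k = 2$ example can be made executable. The following Python script is an added example, not code from the paper or its authors: `decompose` applies (1) recursively until every leaf $D_p^q(X_r)$ has $p \le k$ inputs (the CLB input limit), `evaluate` interprets a leaf as "exactly q of its p variables are 1", and `is_weight_checker` confirms exhaustively that the resulting formula A equals $D_n^m$, i.e. is 1 on exactly the m/n code words. The tuple representation of the formula tree and the function names are this example's own choices, and the CLB covering method of [8, 9] is not reproduced.

```python
from itertools import combinations, product


def sum_of_products(n, m):
    """D_n^m(X) written out directly: one product of rank n per m/n code word, C(n, m) in all."""
    return [tuple(1 if i in ones else 0 for i in range(n)) for ones in combinations(range(n), m)]


def letters(products):
    """Number of letters (literal occurrences) in a sum of products of rank n."""
    return sum(len(p) for p in products)


def decompose(xs, m, k):
    """Formula A for D_{|xs|}^m(xs): apply (1) until every leaf D_p^q has p <= k inputs.
    Leaf: ('D', q, vars).  Inner node: ('OR', [('AND', ('D', i, X1), A for D_{n-k}^j(X*)), ...])."""
    n = len(xs)
    if n <= k:
        return ("D", m, tuple(xs))
    x1, xstar = xs[:k], xs[k:]
    terms = []
    for i in range(m + 1):
        j = m - i
        # D_p^q is identically 0 when q > p, so such terms drop out of the sum over i + j = m
        if i <= len(x1) and j <= len(xstar):
            terms.append(("AND", ("D", i, tuple(x1)), decompose(xstar, j, k)))
    return ("OR", terms)


def evaluate(node, bits):
    """bits maps a variable name to 0/1. A leaf D_p^q(X_r) is 1 iff exactly q of its p variables are 1."""
    if node[0] == "D":
        return int(sum(bits[v] for v in node[2]) == node[1])
    if node[0] == "AND":
        return evaluate(node[1], bits) & evaluate(node[2], bits)
    return int(any(evaluate(t, bits) for t in node[1]))


def max_leaf_inputs(node):
    """Largest p over all leaves D_p^q; it must not exceed k, the CLB input count."""
    if node[0] == "D":
        return len(node[2])
    if node[0] == "AND":
        return max(max_leaf_inputs(node[1]), max_leaf_inputs(node[2]))
    return max(max_leaf_inputs(t) for t in node[1])


def render(node):
    """Write the formula in the paper's notation, e.g. D_2^1(x1,x2)(D_2^0(x3,x4)D_2^2(x5,x6) v ...)."""
    if node[0] == "D":
        return "D_%d^%d(%s)" % (len(node[2]), node[1], ",".join(node[2]))
    if node[0] == "AND":
        return render(node[1]) + "(" + render(node[2]) + ")"
    return " v ".join(render(t) for t in node[1])


def is_weight_checker(node, xs, m):
    """Exhaustive check that formula A equals D_n^m: it is 1 exactly on the m/n code words."""
    for bits in product((0, 1), repeat=len(xs)):
        if evaluate(node, dict(zip(xs, bits))) != int(sum(bits) == m):
            return False
    return True


if __name__ == "__main__":
    xs = ["x1", "x2", "x3", "x4", "x5", "x6"]
    A = decompose(xs, 3, 2)          # the paper's example: D_6^3 with k = 2
    print(render(A))
    print("correct 3/6 checker:", is_weight_checker(A, xs, 3),
          "max leaf inputs:", max_leaf_inputs(A))
    d = sum_of_products(10, 5)
    print("D_10^5: %d products, %d letters" % (len(d), letters(d)))
```

Running the script prints the three top-level groups of A with 2, 3 and 2 inner products, matching the expanded formula above, and reproduces the 252 products and 2520 letters of $D_{10}^5(X)$; the exhaustive check is what a designer would run before trusting a decomposed checker for a new (m, n, k).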

We suggested a special method of CLB covering of the formula A that ensures the self-testing and code-disjoint properties (for the above mentioned set V). The complexity of the checkers is presented in Table 5.

The first two lines of Table 5 show the numbers of CLBs and LUTs needed for certain checkers when the decomposition method is applied. The last two lines show the numbers of CLBs and LUTs needed after covering with CLBs the GATE checker implementations described in the literature. The columns of the table correspond to the different checkers, marked by $D_n^m$.

We extended the decomposition method to subsets of m/n code words and to unordered codes with arbitrary numbers of code words.

3. Fail-safe synchronous sequential circuit design

It is of prime importance not only to detect a fault at the first moment of its manifestation on the circuit output lines but also to recover the correct functioning of the circuit.

We deal with the problem of recovering a synchronous sequential circuit (SSC) when any fault from the set of all permissible unidirectional faults (transient or intermittent) occurs.

We mean single stuck-at faults at the gate poles and d-flip-flop poles of the scheme.

We consider a set V of all multiple stuck-at faults at the CLB input poles and CLB output poles.

A checker is self-testing if for any fault $v \in V$ there exists a test pattern among all m/n code words of this checker.

An m/n code checker is code disjoint if for any m/n code word at the checker inputs it provides either 01 or 10 at its outputs, and for any non-code word it provides either 00 or 11 at the outputs.

A circuit that is able to preserve its correct functioning after the occurrence of such faults will be called a fail-safe circuit. A self-checking circuit interrupts its functioning after a fault manifests itself. A fail-safe circuit continues to function properly when a fault has occurred.

The simplest way of providing the fail-safe property is triple modular redundancy (TMR). The basic concept of TMR is to triplicate the hardware and perform majority voting to determine the true output of the circuit. The primary TMR difficulty is providing high reliability of the voter. The hardware redundancy in this case is more than 300%.


Fig. 5. Survivable scheme 1

We suggest a fail-safe architecture of a synchronous sequential circuit under the assumption that a fault can appear in any system component. It is not necessary to provide high reliability of any circuit component. The architecture ensures a survivability property: after termination of a temporary fault attack the fail-safe system turns into a fault-free system. The latter is impossible when TMR techniques are applied to sequential circuits. The fail-safe architecture is oriented to cutting overhead in comparison with the TMR technique. We suggest a fail-safe SSC scheme that includes two self-checking SSCs, one self-testing checker and additional, rather simple combinational circuits.

In the paper by M. Lubaszewski and B. Courtois ("A Reliable Fail-Safe System," IEEE Trans. on Computers, vol. 47, no. 2, 1998, pp. 236-241) a fail-safe system is suggested that is also based on self-checking circuits. This system includes two SSCs, two self-testing checkers and a rather complicated error-masking interface containing flip-flops.

Fail-safe Scheme 1

We propose to implement a fail-safe SSC design using the scheme shown in Fig. 5.

Here K1 is the combinational part of the self-checking SSC1, K2 the combinational part of the self-checking SSC2, $y^1_1,\dots,y^1_m$ ($y^2_1,\dots,y^2_m$) are the output lines of the self-checking SSC1 (SSC2), and $y^1_{m+1},\dots,y^1_s$ ($y^2_{m+1},\dots,y^2_s$) are the additional output lines of SSC1 (SSC2) providing either m/n codes or Berger codes. Notice that $z^1_1,\dots,z^1_p$ ($z^2_1,\dots,z^2_p$) are the state lines of SSC1 (SSC2) and $d^1_1,\dots,d^1_p$ ($d^2_1,\dots,d^2_p$) are the corresponding d-flip-flops.

The OR circuit comprises s + p two-input OR gates such that the inputs of each gate are the like outputs of K1 and K2. The OR circuit has s + p outputs; the output of each OR gate is at the same time an output line of the OR circuit. The AND circuit is built in the same way. The OR circuit output lines are the input lines of a self-testing checker. The checker has two output lines: $u_1, u_2$. A multiplexer MX connects $y^1_1,\dots,y^1_m, z^1_1,\dots,z^1_p$ with $y_1,\dots,y_m, z_1,\dots,z_p$ when $u_1 u_2$ takes either the value 01 or the value 10. Otherwise the multiplexer MX connects $y^2_1,\dots,y^2_m, z^2_1,\dots,z^2_p$ with $y_1,\dots,y_m, z_1,\dots,z_p$. Here $y_1,\dots,y_m$ are the scheme output lines, $z_1,\dots,z_p$ are the state lines of the scheme and $x_1,\dots,x_n$ are its input lines.

Fig. 6. Fail-safe scheme 2

Take into account that the self-checking SSC1 and SSC2 are identical. They provide a unidirectional manifestation of their permissible faults on the K1 (K2) output lines and admit both GATE and FPGA implementation.

As for the self-testing checker, the OR circuit and the AND circuit, their permissible faults also manifest themselves as unidirectional (transient or intermittent) ones on the output lines $u_1, u_2$ of the checker and on the output lines of the OR circuit and the AND circuit, correspondingly.

MX faults can change the connection of some lines from the set $y^1_1,\dots,y^1_m, z^1_1,\dots,z^1_p$ for the like lines from the set $y^2_1,\dots,y^2_m, z^2_1,\dots,z^2_p$.

We also admit single stuck-at faults on the lines connecting the circuits of the scheme, except the lines $y_1,\dots,y_m$, $z_1,\dots,z_p$, $x_1,\dots,x_n$. We consider a line together with its branches. We have proved the fail-safe property of the scheme for all the above mentioned faults. The scheme is survivable if the next fault appears only after the foregoing fault has stopped acting.

Fail-safe scheme 2

We suggest the fail-safe scheme shown in Fig. 6, restricted to the GATE implementation of the SSCs.

Notice that if we consider only the GATE implementation of the circuit K, the permissible faults at the gate poles of K and at the input and output poles of the d-flip-flops are A, B-faults.

The FSM considered has an initial state and a reset input. Any FSM input-output sequence begins with the reset input.

Any fault appears not earlier than the foregoing fault has disappeared and the input-output sequence during which that fault acted has been changed for another sequence.

The scheme considered is simpler, as its self-testing checker has fewer input lines. The OR, AND and MX circuits are simpler for the same reason.

We have also proved the fail-safe property of this scheme and its survivability property. The latter means that after termination of a temporary fault attack scheme 2 turns into a fault-free one.

4. Conclusion

Self-checking SSC design methods are suggested. They are oriented to cutting overhead by using CAD tools for non-self-checking design and can be constructed within both GATE and FPGA technology. The results may be used for the design of self-checking networks consisting of self-checking SSC components.

A universal decomposition method of self-testing checker design is developed. It is oriented to FPGA technology. The method provides the self-testing property for multiple stuck-at faults at CLB poles.

Schemes providing the fail-safe and survivability properties of a synchronous sequential circuit for unidirectional transient and intermittent faults are suggested.

The scheme architectures are based on doubling the self-checking SSC, using a self-testing checker for one of these SSCs and masking the manifestation of unidirectional faults with the corresponding OR, AND and MX circuits.

References:

1. Matrosova A. Yu., Ostanin S. A. Self-Checking Synchronous FSM Network Design // 4th IEEE Int. On-Line Testing Workshop, Capri, Italy, July 1998. P. 162-166.
2. Matrosova A., Levin I., Ostanin S. Self-checking Synchronous FSM Network Design with Low Overhead // International Journal of VLSI Design, Vol. 11, No. 1, 2000. P. 47-58.
3. Matrosova A., Nikitin K., Goloubeva O. Totally Self-checking FSM Design Based on Multilevel Synthesis Methods and FPGA Implementation // 7th IEEE International On-Line Testing Workshop, Taormina, Italy, July 9-11, 2001.
4. Matrosova A., Golubeva O., Ostanin S. Totally Self-checking FSM Design Based on Multilevel Synthesis Methods and FPGA Implementation // Proc. of the 4th International Conference on Computer-Aided Design of Discrete Devices (CAD DD 2001), November 2001, Minsk, Belarus.
5. Matrosova A., Ostanin S. Self-checking FSM Design with Observing only FSM Outputs // Proc. of the 6th IEEE International On-Line Testing Workshop (IOLTW 2000), July 2000. P. 153-154.
6. Matrosova A., Ostanin S., Sedov Yu. Functional Properties of A, B-faults on Self-Checking FSM Design with Observing only FSM Outputs // Proc. of the 3rd Russian Conference "New Information Technologies in Researching Discrete Structures", 2000, Russia, Tomsk. P. 209-215.
7. Matrosova A. Yu., Sedov Yu. V. On properties of faults generated by multilevel synthesis methods applied to partially monotonous systems of Boolean functions // Proc. of the 4th All-Russian Conference with International Participation "New Information Technologies in Researching Complex Structures", September 10-13, 2002, Tomsk, Russia. P. 287-292. (In Russian.)
8. Matrosova A., Ostrovsky V., Levin I., Nikitin K. Designing FPGA-based Self-Testing Checker for m-out-of-n Codes // 9th IEEE International On-Line Testing Symposium, Kos International Convention Center, Kos Island, Greece, July 7-9, 2003.
9. Matrosova A. Yu., Nikitin K. V. Synthesis of a self-testing (m/n)-code checker on programmable logic blocks (PLB) // 2nd Siberian Scientific School-Seminar with International Participation "Problems of Computer Security and Cryptography", SIBECRYPT'03 (in press). (In Russian.)