Embed Size (px)
Citation preview
Microprocessing and Microprogramming 39 (1993) 237-240 North-Holland 237
Concurrently Self-Checking Structures For Fsms
M . G . S a m i - D . S c i u t o - R. S te fane l l i
Dipartimento di Elettronica ed Informazione - Politecnico di Milano (ITALY)
Design of concurrently self-checking Finite-State Machines is taken into account, with the aim of obtaining a fault coverage as high as possible (within a given fault model) while keeping the modified structure reasonably simple. A code-based approach is presented, suitable for unidirectional faults. It is seen that simple restrictions to synthesis of the combinatorial network (in the case of random logic) allow to consider such a fault model as acceptable, while there are no constraints if PLAs are used. In particular, a solution based on a modified Berger code is discussed, and results obtained for a set of benchmark FSMs are considered. A simplified structure is further introduced.
1. INTRODUCTION.
Finite-State Machines (FSMs) ,are basic components of most complex digital structures; typically, control units (including I/O control subsystems) ,are implemented as FSMs. It becomes therefore fund,'unental to grant credibility of FSM operation: in particular, for very complex structures it is necess,'u'y to achieve concurrent self-checking of such component units. The problem has been studied recently by some authors; in general, solutions presented in the literature suggest use of a checking machine co- operating with the "nominal" FSM (possibly exploiting some form of information compression in state assigmnent for the checking machine) or else adoption of suitable coding for state ,and output assigmnent (see [1], [2], [3], [4], [5], [6]). In the present paper, we discuss adoption of a code-based solution; this approach is efficient with respect to a uni-directional fault model ,and this, in turn, is acceptable if suitable constr,'fints ,are introduced to random logic implementation of the combinatorial section as well as in the case of PLA-based implementations. It will be proved that such approach realizes also a functionzd-level requirement for FSM self-checking capability: n,'unely, it grants that any single fault in the physical implementation of the machine will bring the FSM in an "error state" not included in the nominal state set and thus allow error detection by a simple checker.
Prior to introduction of the code-based solutions, we define the characteristics of a self-checking FSM at a functional level, i.e., with reference to its state transition table ,and to a functional error model: clef'tuitions ,are given for Mealy-type machines, extension to Moore-type ones being immediate. Let M: (S,I,Z,~,~,) be ,an FSM, where S is the set of states (henceforward referred to as nominal states), I is the set of input symbols, Z the set of output symbols, ~5 is the next-state function ,and ~, is the output function. Error instances are sununarized ~Ls follows:
1. Given a state s i ~ S and ,an input symbol
i ~ l , let 8 ( s i , i a ) = s j be the nominal
outcome of the next-state function; in the
presence of an error, it is 8 * ( s i , i ~ ) = S k ~S.
We are thus assuming a single-state transition model, by which the state set is not increased;
2. let ~,(s i , i s ) = z' be the nominal outcome of the
output function; in the presence of an error it is
~* ( s i ,i s ) = z" (not necessarily in Z);
3. both above instances occur simultaneously.
Let us concentrate on instance 1. Instance 2 can be treated by ,any proper output coding technique (in particular, solutions discussed for case 1 can be adopted); as for inst~mce 3, it is self-evident that a solution valid for instance 1 holds for instance 3 ,as well. To obtain a self-checking machine, we must augment the set of states by introducing redundant
238 M.G. Sami et aL
states, such that ~my error will cause the machine to evolve toward a redundant state. Denote by R the set of redund,'mt states; the state table of the machine is modified such that 8(si,i~) is either the correct
next state or otherwise it is 8(S i , i~) r* = E R. The
coding approach here presented is based on a particuhar assignment technique, by which an augmented state set is immediately derived, redundant states being ,associated with non-code word assigmnent.
2. FAULT MODEL AND BASIC CODING APPROACH.
Our basic assumption concerns the existence of unidirectional faults only. To this end, referring to the traditional FSM model, we must assume that:
• all variables entering the combinatoriM part of the FSM ~Lre input in both natural lind complemented form;
• there are no inverters inside the combinatori~d network;
• the only ~dlowable faults for flip-flops ,are those that create a "stuck-at" on a single flip-flop output; unwlmted switching (or absence of switching), keeping ,always the two outputs Q
lind Q at complementary v,'dues, is not taken
into account as it would not fall within the unidirectional fault model.
In that case, given a r~mdom logic implementation of the combinatorial network, it is easily verified that ,'my single stuck-at fault in the network, as well as ,'my flip-flop fault within the given model, may lead only to (multiple) unidirectional errors on the outputs of the combinatorial network or on the outputs of the flip-flop array; in particular, therefore, unidirectional errors only ,are present in the next- state coding as well as in the output coding. It is ,also proved that the same occurrence hold for a PLA- based implementation of the combinatorial network, where the fault model comprises single stuck-ats its well its single crosspoint faults. Given such assumptions, codes suitable for detection of unidirection~d errors clm be adopted for coding the next-state function: n,'unely, codes considered are m out of n code lind Berger code. State assigmnent is then performed as follows:
• In the case of m-out-of-n code (a non-separable code), straightforward coding on ,an augmented number n i of state variables is perfonned for
the nominal states; the set of redund~mt states R consists of all codings over n i wtriables that do not belong to the m out of n code;
• in the case of Berger coding (a separable code), ~m arbitrary assignment is performed for the nominal states over the minimum number of state variables (here denoted as n) ; then, a separate checking sequence of
nc=]log2ny] bits is appended to the
nominal assigmnents, giving the natural binary coding of the number of zeroes in the nominal assignment (the toted number of bits required for coding is now n,, =t~y +//c) . The set of
redundant states then is associated with all codings in which the checking sequence does not correspond to the nominal assignment.
Starting from the above assignments, the general structure given in Fig. 1 cim be derived; self- checking checkers must be used to gr,'mt that even single stuck-ats in the checker will be correctly detected. The structure in fig. l.a refers to the use of m-out-of-n codes; next-state outputs, coded (denoted as NS~) ,are input to both the checker ,and the next-
state register, whence present-state variables are fed to the combinatori,'d networks in normal (PSi) ,and
complemented (PS~) form. The structure in fig. l.b
refers to the use of Berger code; separation of "nominal" state variables lind of checking (Berger) variables has been explicitly shown.
3. PERFORMANCES AND COSTS
The code-based solution outlined in section 2 ,allows concurrent detection of ,any error in the next-state function induced by a single fault within the given fault model. Thus credibility of the FSM implementation is achieved (either the next state is the correct one, or else it is immediately detected iLs belonging to the redund,'mt state set). Obviously, there is ,an inherent structural redund,'mcy, deriving from two different sources:
1. There is ,an increase in the number of state variables, with respect to the nominM number nv: as a consequence, both dimensions of the
Concurrently self.checking structures for FSMs 239
state register ~md dimensions of the combinatorial network increase.
2. The requirement for unidirection,'d errors leads to non-minimum combinatorial networks whenever random logic is adopted. This ,area increase is not present in the case of PLA implementation but there, on the other hand, the fault model does not take into account the faults in the input decoding section; a separate checking structure should be introduced for this section.
3. Area required by the checking circuits must be taken into account.
IN o
PSc
~ o
design of the check bit generator, since a double-rail logic comparator was adopted capable to detect even bi-direction~d errors in this section. Finally, exhaustive fault simulation was carried out for the synthesized FSMs, obtaining the fault coverage figures given in table 1. Analysis of the results showed that all undetected errors were due to faults in the checker section; adoption of a more sophisticated self-checking checker design allows to overcome this drawback. Area redundancy proved quite high for the benchmark ex~unples; in fact these FSMs all have a small number of states, so that n c is of the s~une order of magnitude as n s and that the relative
I I N
PS
PS
b
OUT
NS
a)
Careful bal,'mcing of m-out-of-n codes will lead to ~m increased word length compal~able to that required by Berger coding. The Berger code technique c~m be seen as more satisfactory for the s~une reasons that make separate codes, in general, more satisfactory - operating sep~ately on two smaller segments of the code word instead them on the complete code word leads to simpler ,and faster checkers. We h~we thus concentrated our experiments on the Berger code solution. A number of benchmark FSMs (extracted from 1991 MCNC ,and 1989 Logic Synthesis ,and optimization benchmarks) have been synthesized using SIS [7], modified so as to gr,'mt that no inverters were present in the combinatorial network. No constraint was introduced for the
b) Figure 1: reference architectures
incidence of the checker is quite high. It is then possible to consider possible variations to the primary solutions now considered, leading to lower overall area redundgmcy; such solutions c~m be adopted only for the Berger code-based approach, since they exploit the characteristics of separate codes. In particular, refer to the structure in fig. 2: the Berger code checking sequence is there applied only with reference to the combinatorial network outputs: only next-state v~dues referring to the nominal state v~iables ,are fed back to the state register, ~md the second,'u-y inputs ,are ,also limited to n S. Insertion of the checker on the coded next-state functions would anyhow lead to detect only faults within the combinatori~d network, excluding f~mlts in the state
240 M.G. Sami et al.
register flip-flops: to overcome this limitation, a parity bit is added to the state register and parity is checked, separately, on natural and complemented state variables. In fact, the parity bit is ,already
provided by the least-signific,ant bit of the Berger checking sequence, so that no additional circuitry is required to generate it.
FSM
Train4 Tav $27 Lion Lion9 Ex3 Dk27 Dkl4 Bbtas ShiftRe~
S O Info Code Diff. FC Area bits bits to opt. Inc.
4 1 3 2 0 98.92 2.84 4 4 6 3 1 100 7.54 5 1 4 3 3 98.47 1.23 4 1 3 2 0 99.82 2.35 4 1 3 2 0 99.26 2.97 4 2 4 3 3 98.15 2.65 4 2 5 3 2 100 3.45 4 5 8 4 7 99.83 1.12 6 2 5 3 2 100 3.63 8 2 4 3 3 100 4.37
Table 1: experhnental results
other h~md, ,area required by the set of four checkers j~ IJt~ger than in the basic solution.
, . ~ >owr
P ,
Figure 2: modified ,architecture
Note that actually here, in the assumption of a single fault, a wider fault model can be accepted for the flip-flops: both bi-directional and uni-directiorml faults can be provided for, if the two separate parity checks ,are performed, In the case of a uni- directional error, one parity checker will signal it; in the case of an unwanted flip-flop switching, both p,'u'ity checkers will signal the error. Redundancy of the combinatorial network and of the state register is certainly lower than in the previous case; on the
4. REFERENCES
[1] S.H.Robinson, J.P.Shen: "Evaluation and Synthesis of Self-Monitoring Machines", Proc. Int.Conf. on Computer-Aided Design, pp.276-279, 1990
[2] B. Eschermann: "Enhancing on-line testability during synthesis", Journal of Electronic Testing: Theory and Applications", 4, 105-116, 1993
[3] R.A.Parekhji, G.Venkatesh, S.D.Sherlekar: "A Methodology for Designing Optimal Self-Checking Sequential Circuits", Proc. Int. Test Conference, pp. 283-291, 1991
[4] R.A.Parekhji, G.Venkatesh, S.D.Sherlekar: "State Assignment for Optimal Design of Monitored Self- Checking Sequential Circuits", Proc. 6th Int. Conf. on VLSI Design, pp. 15-20, 1993
[5] S.T.Chakradhar, S.Kanjilal, V.D.Agrawal: "Finite State Machine Synthesis with Fault Tolerant Test Function", Journal of Electronic Testing: Theory and Applications", $, 57-69, 1993
[6] G.P.Mak, J.A,Abraham, E.S.Davidson: "The design of PLAs with concurrent error detection", Proc. 12th FTCS, 1982, pp.303-310
[7] "SIS: A System for Sequential Circuit Synthesis", Electronics Research Lab., Mem. No. UCB/ERL M92/41, Dept. of Electrical Engineering and Computer Science, University of California, Berkeley.
