Abstract: Efficient models are introduced for totally self-checking/code disjoint (TSCiCD) and strongly fault-secure/strongly code disjoint (SFS/ SCD) synchronous controller models. These models are based on two low-cost, modular, TSC edge-triggered and error-propagating CD flipflops. Properties of the proposed synchronous controller models are proven. The design procedure for these models and their proper applications are explained.
Introduction
Current circuit complexity makes the determination of errors in a circuit arduous. Totally self-checking (TSC) circuits [l] use input-output coding to determine whether a circuit is operating accurately. The code disjoint (CD) property is utilised to design TSC circuits at the system level. CD circuits propagate the error through to indicate the error on the output. However, it is hard to devise circuits that are both TSC and CD.
A strongly fault-secure (SFS) circuit becomes a TSC circuit after a finite number of faults and until then will operate correctly (or is fault-secure). If, for the same faults, the circuit is CD and then becomes self-testing and still remains CD, then the circuit is said to be strongly CD (SCD). SFS circuits satisfy the goals of TSC.
Unordered codes [2] are used for input-output codings in circuits that are TSC or SFS. Techniques have been presented for the creation of combinational TSC circuits [3] , SFS circuits [4] and SFSiSCD circuits [2] for a class of unordered codes.
I. I Related works
As far as synchronous controller designs are concerned, there are no circuits that exhibit all the TSC properties. Nanya's sequential designs [5] add some extra circuitry to the clock of ordinary memories to make register files with self-testing load signals. Nanya's sequential circuits [5] with the proposed register file are based on a previous model [6] which does not consider the faults in storage elements. Other circuits [3, 71 also have not considered the faults in storage elements and have supposed that the clock is fault-free. Therefore, these methods could only produce proper SFS or TSC sequential circuits which do not need memories (asyn-0 IEE, 1999 IEE Proceedings online no. 19990243 DOL 10.1049 Paper first received 15th July 1997 and in revised form 21st August 1998 The authors are with the Department of Electrical and Computer Engineering, University of Queensland, St. Lucia, Queensland, 4072, Australia chronous circuits). It is not easy to design cascaded hazard-free asynchronous circuits because of the fundamental mode of operation requirement.
In a self-checking system, any change of inputs or states must be checked for errors. A synchronised change of inputs and states is also necessary in a selfchecking circuit to produce error-indicating output [5, 81. For synchronous circuits to indicate errors, they must be edge-triggered synchronous systems. Leveltriggered systems become asynchronous during the active clock level.
Contributions
The models are based on two CD flip-flops, DD, 91 . An introduction to the controller model has been given previously [lo] .
(i) it is an edge-triggered synchronous circuit.
(ii) it is TSC/CD for input and state variables. (iii) errors in state register are considered. (iv) error in the clock input is considered. (v) the cost of the checker for inputs and states is reduced by using self-checking flip-flops and SFSiSCD combinational circuits. (vi) the cost of combinational logic is reduced by sharing product terms.
Fault model
Advantages of the proposed controller are that
The following faults are modelled in this paper: single stuck at 0 fault; single stuck at 1 fault; and multiple unidirectional faults.
Input-output coding techniques are used to detect faults automatically. It is assumed that the time interval between two faults is long enough for the proper cycle and input code to pass through the circuit [12] . Definitions of terms used in this paper are found elsewhere [l, 2, 41.
I Note
The monotone functions of a combinational circuit with unordered codes in the input and output produce a two-level logic circuit with SFS properties [4]. A method is described elsewhere [2] for SFS/SCD combinational circuit design with systematic code input. This method [2] has two procedures called 'covering-nc-CD' and 'covered-nc-CD', which add a few lines to the output of the circuit to make it SFS/SCD. The method of removing untestable terms from an SFS equation to make a TSC circuit is presented elsewhere [3] . The TSC method [3] produces TSC/CD circuits if they are derived from SFSiSCD functions.
These methods of design for SFS, SFS/SCD, TSC and TSC/CD circuits are used for input and output combinational logic of the self-checking controller. 
Fig.2 ler with DD,-FFs or TT,-FF,

Structure of udded line checker, TSC/CD and SFSISCD control-
The next-state register made with DDn-FF s produces a low-cost register. The DDn-FFs are not error indicators, and therefore the output logic must be CD or a checker should be used. We explain below how to design the CD output logic for systematic state code assignments.
In the case of TT,-FFs, the errors in the flip-flop become a stuck-at fault. Any fault at the state register made up of TT,-FFs will be a stuck-at fault for the next state and automatically propagated. Therefore, for non-systematic state code assignments the state register with TT,-FFs can be used without any need for the checker. Figs. 1 and 2 ; either one or a combination of them can give a proper solution for the four different cases.
I O
I Controller models
In Fig. 1 . the self-checking controller is designed with input logic (IL) followed by a state register, which is followed by output logic (OL). The input signals are directly fed to the output. The input and output logic in Fig. 1 are considered to be SFS or TSC, and a checker is used for input codewords. This checker also checks the state assignment codewords if DD,-FFs are used.
In Fig. 2 , it is considered that the combinational logic is designed to be SFSiSCD or TSC/CD by adding extra lines to the output. The checker in Fig. 2 checks only the adding extra lines. Both input logic and output logic share the product terms (Fig. 2) .
The product terms of both models can be shared. if the input codewords are checked by other circuits, the controller does not need to be CD for input codewords. If either input or output logic is CD for input codewords, then the controller is CD for input codewords. The self-checking synchronous controller circuits for the four cases are as follows.
Case 7:
The monotone function of the nextstate logic and output logic produces SFB functions which can be changed to TSC functions. A checker (self-exercised) is required for input codewords. if DDnFFs are used for the state register, then the checker should also check the state assignment codewords. If TTn-FFs are used for the state register, then the state assignment codewords do not have to be checked (as explained above).
Case 2:
In this case, TTn-FFs are used for state register. If the controller is a Mealy machine, the SFB (TSC) output logic can be made SCD (or CD) for input codewords by adding extra lines to the output according to Pagey et al.'s method [2] . The input logic remains SFS (TSC). There is no need for the CD property for state assignment codewords because TT,-FFs are used. if the controller is a Moore machine, the SFS (TSC) input logic can be made SCD (or CD) for input codewords by adding extra lines according to Pagey et al.'s method [2] , and the output logic remains SFS (TSC) (Fig. 2) .
Case 3:
In this case, DD,-FFs are used for the state register. If the controller is a Mealy machine, the SFS (TSC) output logic can be made SCD (or CD) for a combination of input codewords and state assignment codewords by adding extra lines to the output according to Pagey et al.'s method [2] , and the input logic remains SFS (TSC). If the controller is a Moore machine, the SFS (TSC) input logic equations can be made SCD (or CD) for a combination of input codewords and state assignment codewords by adding extra lines according to Pagey et al.'s method [2] , and the output logic remains SFS (TSC) (Fig. 2). 
Case 4:
A checker (self-exercised) is required for input codewords in this Moore machine. The SFS (TSC) output logic function (according to states) can be made SCD (CD) by adding extra lines to the output according to Pagey et al.'s method [2] , and the input logic remains SFS (TSC) (Fig. 1) .
The following example shows how to produce a TSCi CD controller for a simple code. 
Example
Consider the state flow diagram of a synchronous machine S, which is shown in Fig. 3 states, the controller circuit is designed as in Case 2 in Section 3.1.
The monotone (SFS) functions for the DD,-FF excitation circuit can be derived directly from Table 2 . The excitation functions for the TT,-FFs can be derived from Table 3 (although the next-state table and the  excitation table for The monotone (SFS) functions for TT,-FFs excita-
tion circuit can be written from Table 3 as follows:
After simplifying the functions by Diaz et al.'s method [3] , the following TSC functions are found which are used to synthesise the input logic circuit:
The monotone (SFS) functions for output logic can be found from output 2, Z, values due to inputs and states of machine S, which are shown in Table 4 . Functions Z and Z,, in Table 4 are SFS (TSC) but are not CD for input codewords. To design the SFSi SCD output logic circuit, the systematic combination of codes must be considered for code spaces (also referred to as density properties [2] ). Therefore, it is necessary to have all possible code words occurring in the circuit. In our example, the four possible code words of input are used.
To design SFSiSCD output logic circuit, we add the last term as shown in Table 5 , where the state Y,Y,, Y2Y2,1 = 10 01 has been added. As the outputs are still unknown, they are left as 'dd'. This addition is only in the output table and not in the next-state table. If the added state occurs in the next-state logic (under error conditions), the circuit outputs an error.
In Table 5 If Diaz et al.'s method 131 is followed for output logic functions, the circuit for TSC/CD design is produced. The TSC/CD equations seem simpler than SFS/SCD equations, but this is not always the case. For example, in terms of circuit hardware cost, especially in Mealy model controllers, the SFSiSCD circuit may give a better solution.
Different input-output coding
Two-rail codes were used for inputs, states and outputs in the above example. It is possible to use other kinds of unordered codes for inputs and outputs, but two-rail codes need to be used for state assignments because of the two-rail TSC/CD flip-flops.
Conclusions
We have introduced models and design methods for self-checking edge-triggered synchronous controllers. Conventional circuits were TSC or SFS only, and did not consider the faults in memories and on the input clock. Our proposed method considers the faults in memories and input clock, and reduces the checker cost by producing SFWCD or TSC/CD circuits. The methodology is achieved using the two low-cost DDn-FFs and TT,,-FFs for the state register.
5
