The temporal Boolean derivative applied to verification of extended finite state machines  by Vandermeulen, E. et al.
Pergamon 
Computers Math. Applic. Vol. 30, No. 2, pp. 27-36, 1995 
Copyright©1995 Elsevier Science Ltd 
Printed in Great Britain. All rights reserved 
0898-1221(95)00075-5 0898-1221/95 $9.50 + 0.00 
The Temporal Boolean Derivative Appl ied 
to Verification of Extended Finite 
State Machines 
E.  VANDERMEULEN 
LGI2P, EMA-EERIE Parc Scientifique G. Besse, 30000 Nimes, France 
H. A. DONEGAN 
University of Ulster, Jordanstown, County Antrim 
BT37 OQB, Northern Ireland 
M. LAaNAC AND J .  MAGNIER 
LGI2P, EMA-EERIE Parc Scientifique G. Besse, 30000 Nimes, France 
(Received December 1994; accepted January 1995) 
Abst ract - -Extended finite state machines are an important feature of modern computers. Their 
verification, unlike sequential system testing, is very complex and has received little attention in 
literature. This paper suggests a model based on a symbolic representation to describe the temporal 
behavior of sequential machines. Two examples of different architectures illustrate the application of 
the methodology. 
Keywords - -Boo lean  derivative, Temporal logic, Sequential machine. 
INTRODUCTION 
Sequential machines demand quality production coupled with opt imum testing procedures. Such 
procedures attempt to verify that  the device under test possesses the functional characteristics 
that  it was intended to have. This procedure is known as functional testing which would, for 
example, verify that  a combinational circuit behaves as its t ruth table demands, and moreover, 
verify that  a sequential system operates according to its state transition and output tables. The 
pr imary purpose of functional testing is to determine if design mistakes exist within the device. 
The method of this research is based on the extended finite state machine (efsm), a general- 
ization of the traditional finite state machine (fsm) model [1]. An efsm can be represented using 
an appropriate formal system. In this particular case, temporal ogic is used to represent heir 
behavior. The logic is that described in [2,3]. 
The output values of a fsm at a given time depend not only on the present inputs, but also 
on previously applied inputs. Essentially, the history of previous inputs is summarized in the 
state of the system. Efsm verification, with which we are primarily concerned, is considerably 
more difficult than combinational logic verification, and has received much less attention. To 
apply functional testing to sequential machines, the procedures are three-fold. First, symbolic 
E. Vandermeulen wishes to thank J.C. Hughes and D.A. Bell of the Faculty of Informatics at the University 
of Ulster, Northern Ireland for arranging accommodations and facilities to enable the preparation of this paper 
during the summer of 1994. Without the collaborative efforts of D. Pearson at Ecole des Mines, the opportunity 
would not have arisen. 
Typeset by ~4fl/~S-TEX 
27 
28 E. VANDERMEULEN et al. 
representation is used to map the behavior of the efsm to a list of formulae called elementary 
valid formulae (evf). Second, more abstract reasoning is required so that conditions involving 
the same event can be represented within unified valid formulae (uvf). The precise meanings of 
evf and uvf are described later in the paper. Finally, the Boolean derivative is brought into play. 
This is used to calculate the sensitivity of any uvf with respect o a given variable. All faults on 
the present and next state transition are considered. 
Boolean derivatives are used in algebraic techniques to develop test patterns for combinational 
circuits. This is essentially a method of determining the primary inputs required to force a 
function to be sensitive to a particular input variable. It is very interesting from an analytical 
point of view, but has limited practicMity, because it requires that a switching function be 
developed to describe the combinational circuit under consideration. Moreover, the Boolean 
derivative is computationally intensive for implementation  a digital computer. 
The testing strategy is applied to logic circuits which comprise ach device. These circuits are 
constructed by interconnecting elements called gates whose inputs and outputs are characterized 
by the binary digits 0 or 1, the output of each gate which can, for example, be an AND gate or 
an OR gate can be represented by a logic or a Boolean function of the inputs. 
Akers et al. [4] have proposed an efficient method to compute Boolean functions using binary 
decision diagrams (bdd). The limitation of this method is based on the size of the Boolean 
functions that a bdd can represent. It is assumed that the behavior of the circuit is completely 
described. 
DEF IN IT IONS 
F in i te  S tate  Mach ines  
Our attention will be primarily focused on deterministic synchronous completely specified 
machines, which possess the property that the next state is determined uniquely by the present 
state and the present input. A typical sequential machine is shown in Figure 1. It consists of 
a combinational logic block and feedback latches that hold the information. It is assumed that 
the present state and the next state are neither directly controllable nor observable. Usually, a 
sequential machine is represented by a quintuple, (S, X, Z, 6, A) [5], where 8 is a nonempty set 
of states, X a nonempty set of inputs, Z a nonempty set of outputs, where 
and 6 : X × 8 --+ $ is the state transition function, 
and A : X x 8 --* Z is the output function. 
A state is a bit pattern of length equal to the number of memory elements (latches or flip-flops) 
in the sequential circuit, just as input and output are bit patterns of lengths corresponding 
to the number of input and output bits of the circuit. They each represent a combinational 
value of Boolean variables. Each state, input, and output pattern comprises components which 
correspond, respectively, to sets of flip-flops, input values, and output values. 
Primary Inputs 
:1 
Present states I 
Combinational logic 
Latches 
Primary outputs 
j 
I jext States 
Figure 1. Finite state machine. 
Temporal Boolean Derivative 29 
Figure 2 illustrates an example of a/sin with one input (e), two flip-flops (A,B), two gates and 
one output (z). This machine is controlled by a clock. The flip-flop characteristics and output 
equation of Figure 2, where A+ and B+ are next values of respective flip-flops, are shown in the 
following equations. 
A+ = e.A' + (e' + B).A, 
B+ = e.B' + (e.A' + e'.A).B, 
z :B  
e 
Clk 
la A 
. )  Ka A' 
I Jb B -- Clk 
4Kb B' 
Figure 2. Example of a finite state machine. 
Extended F in i te  S ta te  Mach ine  
An Extended Finite State Machine E is defined [1] as the 7-tuple (8, I ,  O, D, I ,  lg, T), where: 
8 is a nonempty set of symbolic states, 
27 is a nonempty set of input symbols, 
(P is a nonempty set of output symbols, 
l) is an n-dimensional space, 
~" is a nonempty set of enabling functions fi such that fi : l) ~ {0, 1}, 
b/is a nonempty set of update transformations Ui such that Ui : l) --~ l), 
T is a transition relation such that T : S × 9 r × 27 --~ 8 × U × O. 
6 is used to denote an n-dimensional vector with the components 6i c D~ and the transition 
T((S1, f, I), ($2, U, O)) is denoted by ($1, f, I) --* ($2, U, O) where $1, $2 E 8, f 6 5 r, U 6/4, and 
O 6 (9. Further, ($1, f, I) --* ($2, U, C i means that if E is in symbolic state $1 with a vector of 
variables 6 such that f(6) = 1 and the input I is received, then E moves to the symbolic state $2, 
while generating output O and performing the update 6 ~- Ui(6). 
The input and output sets of an efsm are partitioned and the extraction of the fsm shows 
two parts (see Figure 3). One is the sequential machine which is called the control part and 
the other is referred to as the operational part. The control part is an fsm as discussed above, 
and the operational part is composed of registers and functions. A system which is independent 
of the number of bits used to represent inputs and outputs is required. Both of the parts are 
synchronized using enabling and updating functions. 
Prima~ Primary 
Boolean Sequential Boolean 
Inputs System outputs 
Control Part 
Enabling function, I Ipdate Function, U 
~ Operational Part I ~  
outputs  
Figure 3. Extended finite state machine. 
30 E. VANDERMEULEN et al. 
Example  of  an Extended Finite State Machine 
This example is based on the work of Cheng and Krishnakumar [1]. Consider a machine M of 
2 inputs i1,i2 and one register l where il, i2 and rl are, respectively, 1 bit, 8 bits, and 8 bits 
wide. The function of the circuit is described as follows: when il is high, read in the value at i2 
and store it in rl. Once it is stored in rl, check its value. If the value is less than 16, increment 
it by 1 at each cycle. Otherwise, output the value in rl and repeat. This system can be modelled 
by the following efsm. The machine consists of two symbolic states So and $1. There are five 
transitions: 
:rl 
:r4 
The interpretation of T3 
input il == 1, then the 
output is 1. 
We remark that, in this example, if 
additional transitions. 
: (S0,TRUE, il == 1) ~ (S l , r l  = i2,Out = 0); 
: (S0,TRUE, il == O) --* (S0,NULL, Out = 0); 
: (S l , r l  < 16,il == 1) --* (S l , r l+  = 1,Out --- 1); 
: (S l , r l  >_ 17, il == 1) --* (S0,NULL, Out = rl); 
: ($1, TRUE, il == 0) --~ ($1, NULL, Out = 1). 
is: if the efsm is in state So and the register l is less than 16 and the 
next state will be So and the register l is incremented by 1 and the 
we had used a fsm definition, we would have required 
Linear Discrete  Tempora l  Logic 
Traditional propositional logic is extended by temporal operators, which allow the expression of 
time varying properties as they occur in the behavior of sequential systems. Here, we remind the 
reader of some basic elements of temporal logic as presented and used by Manna and Pnueli [2] 
and Magnier [3,6]. This technique was developed by these authors for specification and software 
verification. 
Symbols: ~ , A, V , D are respectively read as: Not, And, Or, Involve. 
Consider the situation where an efsm moves from a state to another state. The ° operator 
represents the next instant that is associated with the next state and is called 1-future instant. 
Using this definition 
.1 =. ,  represents he I st future instant 
and .n = ( .n - l ) .  represents he n th future instant. 
Propositional temporal logic is an extension of the classical ogic 
• (next), [] (always). 
Priority: -,, •, [~, A, V, D. 
Boo lean  Der ivat ives 
The Boolean derivative of a function f (v l , . . . ,  vn) with respect o the variable v~ is defined as 
of  
OVi = f (V l , . . . ,V i - l ,0 ,  Vi+l,... ,vn) G I (Y l , . . . ,V i - I , I ,v i+I , . . . ,Vn) ,  
where f (v l , . . . ,  vi-1, O, v i+l , . . . ,  vn) is the function f evaluated with v~ being O, f (v l , . . . ,  vi-1, 
1, vi+l . . . .  , vn) is the function f evaluated with vi being 1, and @ is the exclusive-or operator. 
If °--L is 0, the function f is completely independent of the variable v~, that is, the value of f does Ovi 
not change when the value v~ changes. If ~ is 1, the function f depends directly on v~ [3,5,7]. 
Here are some properties [3,5] 
Of(Vl,. . . ,Vn) O~I(Vl . . . .  ,Vn) 
Ovi Ov~ ' 
Temporal Boolean Derivative 31 
0 / (V l , . . . ,~)n)  _ 0 / (~) l , . . . ,Vn)  
Ov~ O-,vi 
Boolean derivatives are used to determine test patterns for faults in sequential systems and to 
verify properties of ]sm. The most common fault model is the logical stuck-fault model [5,7] in 
which there are three basic assumptions: 
(1) a fault results in a module responding as if one of its inputs or outputs is physically stuck 
at 1 or0,  
(2) the basic functionality of the circuit is not altered by the fault, and 
(3) the fault is permanent. 
The logic module can be a single gate or a collection of gates that implement some logic function. 
The use of the Boolean derivative to determine test patterns for faults that occur on the 
primary outputs consists of two fundamental steps. First, if a test pattern is being sought for 
primary input v~ stuck-at-1 fault, vi must be selected as 0 to attempt o force the line (signal) 
to deviate from its faulty value. Likewise, if a test pattern is being sought for vi stuck-at-O fault, 
select v~ as 1. Second, select the remaining primary inputs such that the output is sensitive to 
the value of vi. This second step is accomplished by forcing the Boolean derivative with respect 
to vi to be 1. These two steps can be placed in equation form as: 
of of 
-~vi A ~v/ = 1 for stuck-at-1 faults and vi A ~v~ = 1 for stuck-at-0 faults. 
EFSM BEHAVIOR IN TEMPORAL LOGIC 
Elementary Valid Formulae 
This research suggests a method based on a temporal ogic algebra [3] which describes the 
temporal behavior of efsm. This algebra allows us to calculate the temporal Boolean derivative 
of a formula with respect o an event. In [3], an evf is equivalent to a transition of a fsm. We 
have to extend this definition to the e fsm. 
The principal advantage of an efsm, due to Chang [1], is the capability of operating with a set 
of states and sets of transitions imultaneously. This advantage is embodied in the set of enabling 
functions whereby the register variables, primary inputs and primary outputs are integrated for 
the utilisation of the update functions. The remaining problem asks how to denote the data 
inputs and data outputs from the operational part. 
The method uses symbolic representations and the reader is reminded that states, inputs and 
outputs were described as patterns. For each transition, it is desirable to have a functional 
formula such that when the fsm is in state $1 with input X, the fsm moves to state $2 with the 
output Z. 
For example, referring to Figure 2, So is the state of the fsm when the value of A = 0 and the 
value of B -- 0, back so-on with the other states, inputs and outputs. 
Table 1. Variable change. 
\ A B \ e \ B 
So o o Xo o Zo o 
$1 0 1 X1 1 Z1 1 
S2 1 o 
$3 1 I 
Henceforth, we use Boolean variables which are true either if the fsrn is in state S or if the input 
is X and the output is Z. When a variable is false, it means that almost only one of the remaining 
variables can be true. For example, so True means that the fsm is in state So, whereas -,so means 
32 E. VANDERMEULEN et al. 
that the ]sm is in any other state except So. To represent this functional behavior in temporal 
logic, elementary valid/ormulae (evf) [3] are used. In this case: 
s0Ax0 Dos0Az0 ,  
where 
s 0Ax l  D e83Az0 ,  
81 Ax  0 ~ o80 Az1, 
81 Ax  1 ~ os 3 Az1,  
82 Ax  0 ~ o82 A zo, 
82 Ax  1 ~ os 1 AZo, 
83 Ax  0 ~ os3 Az1,  
83 A X 1 ~ o82 A Z 1, 
s~ is the Boolean variable that returns True if the fsm is in state S~, and returns False if the 
fsm is in any other state except S~. 
xi is the primary Boolean variable that returns True if the input to the fsm is Xi, and returns 
False if the input to the fsm is any other input except X~. 
z~ is the primary Boolean variable that returns True if the output from the fsm is Zi, and 
returns False if the output of the fsm is any other output except Zi. 
Note that for n inputs, m flip-flops, and p outputs, this method requires 2 n symbolic input 
patterns, 2 m symbolic state patterns, and 2 ~ symbolic output patterns, all of which can be 
represented by binary decisions diagrams [8]. 
To correspond with the fsm symbolic representation, the following variable change is made: 
X denote a set of vectors that represent inputs and 
Z denote a set of vectors that represent outputs. 
With such a variable change, we can represent the input of the efsm, for example il = 0, by a 
symbolic input X0. In other words, x0 is true when 0 is the value of the input il. 
For the purpose of this research, functions are denoted as Boolean variables, thus: 
fi is a function that returns a Boolean value. 
u~ is a Boolean variable that takes the value True when the update function U~ is running, 
and False if any other update function is running except U~. 
Now, it is possible to represent an efsm in temporal logic formalism. Let an evf be defined as 
follows: 
evfp,p, = [] [Sp A f A x D .sp, A u A z], 
where s, f, x, u, z are propositional variables associated with each Boolean variable indicating, 
respectively, state, function, input, update function, and output. An example of the evf in this 
case is as follows: 
soAf lAx l  Des lAu3Azo ,  
So A f l  A xo D es0 A Ul A zo, 
sl A f2 A Xl D eSl A u2 A zl, 
s lA f3Ax l  Des0Au lAZ l ,  
Sl A f l  A xo D o81 A Ul A Zl. 
The interpretation of the third one is: if the 
true, and the input is xl, then the next state 
output is z2. 
state sl is true, and if the enabling function f2 is 
will be sl, and the update function is u2, and the 
Temporal Boolean Derivative 33 
Uni f ied  Va l id  Formulae  
Analysis of the behavior of e/sm requires a more global approach so that conditions involving 
future events can be obtained. This motivates the definitions of the uv/ which enables the 
consideration of all terms involved in the future event. Let an uvf be defined as follows: 
Et = .sp or Et = u or Et = z : 
uvf(Et)=[~I ~^x Et[spAfqAxr]]" 
[(p,q,r):sp fq ~ 
Example of /sm uv/in this case: 
~,v/(.so) = (so A 271) v 01 A xo), 
UV/ (081)  = 82 A X l ,  
~,v/(.s2) = 02 A 270) v (s3 A 271), 
71,V/(083) = (80 /~ 271) V (81 A Xl) V (3 3 A 270), 
UV/(Zo) ~--- (8 0 A X0) V (8 0 A Xl) V (3 2 A X0) V (8 2 A 271), 
UV/ (Z l )  = 82 A z 1. 
Example of e/sm uv~. 
uvf(ul) ~--- (S O A f2 A x0) V (s 1 A f2 A 271) V (81 A f l  A x0) , 
uvf(u2) = sl A /2  A z l ,  
uv/(u3) = so A 11 A 271, 
uvf(osl)  = (s0 A f l  A Xl) V (81 A/2 A 271) V (Sl A f l  A X0), 
uvf(eso) = (so A f l  A X0) V (Sl A f3 A Xl), 
uvf(zo) = (So A f l  A Xl) V (SO A f l  A X0), 
UU/(Z1) = (81 A f2 A x0) V (81 A f l  A 370) , 
•V/(Z2) = 81 A f3 A 270. 
For example, uvf(nl) gives all the conditions that involve ul. They are: 
- The efsm state is So and the input is Xo(/1 = 0) the result of the enabling function f2 
is True or 
- The efsm state is $1 and the input is Xl(il = 1) and the result of the enabling function f2 
is True or 
- The efsm state is $1 and the input is X0(il = 0) and the result of the enabling function f l  
is True. 
The same interpretation can be written for states uvf and outputs uvf. One use of these uvf 
is to give some properties of efsm. For example, examining uvf(ensl) reveals sequences called 
synchronizing sequences that move the efsm into a reset state. In the case of a completely specified 
machine, these formulae constitute the necessary and sufficient conditions which characterise a 
given event [3,6]. 
It is easy to prove that 
UVf(0280) -= 80 A [[(./e 1A X0) A o( f  1 A X0) ] V [(fl A 271) A o( f  3 A Xl)]] V 
81 A [[(f3 A 271) A *(fl A X0)] V [(f2 A Xl) A "(f3 A Xl)] V [(fl A X0) A "(f3 A Xl)]] • 
C~M~3~2~ 
34 E. VANDERMEULEN et al. 
Deterministic Rules 
The definition of a deterministic machine reveals that it cannot be in two different states at 
any given moment. This property suggests the description of deterministic rules which simplify 
the method. 
-~ ([~ (si A sj))~#j s~ and sj can never be true at the same time. 
-~ ([3 (xi A xj))~#j xi and x~ can never be true at the same time. 
(El (zi A zj))i#j z~ and zj can never be true at the same time. 
These initial rules result from [3]. The same kind of rules apply with efsm and are extended 
with the update and enabling functions. As shown in the example above, more than one enabling 
function can be True at the same moment. This means that the enabling function (f)  is associated 
with input (x) as a pair. Now, it is possible to write 
-~ ([-] (ui A uj))~#j ui and uj can never be true at the same time. 
-~ ([~ ( ( f i A • j ) A ( f l A Xm ) ) ) ( i#l )Y(j #m ) . Two different pairs can never be True at the same 
time. 
THE TEMPORAL BOOLEAN DERIVAT IVE  
Boolean Derivative with Temporal Logic 
Magnier [3,6] has proposed the principle of building a Boolean derivative using temporal logic. 
Let Et be a next state Boolean event or an update Boolean event and q some variable, representing 
either a state, an enabling function, or an input, ie, 
q=sorq=forq=xandEt=esporEt=uorEt=z ,  then 
OEt 
aq = (uvf(Et) ,  q) • (uvf(Et),-~q). 
To calculate this expression i  temporal logic, it is necessary to represent (uvf (Et ) ,  q) as follows: 
(uvf (Et ) ,  q) = Ct(q) : the conditions that give Et knowing that q is True. 
(uvf(Et),-~q) = Ct(-~q) : the conditions that give Et knowing that q is False. 
~(uvf (Et ) ,  q) = ~Ct(q) : the conditions that give ~Et  knowing that q is True. 
-~(uvf(Et),-~q) = -~Ct(~q) : the conditions that give nEt  knowing that q is False. 
Hence, 
OEt 
Oq 
= c~(q) • c,(-~q) 
= (cdq) ^ --cd-.q)) v (-.c,(q) A Cd-.q)). 
The result gives all the input sequences with their initial associated states which express the 
sensitivity of Et with respect o q. In this, the first part of the research uvf(e'~Et) is calculated 
for the n th future instant and o~t -~q is calculated only at 1-future instant. 
For example, if q is the state s~ o and Et as described above: 
= V ^ ^ 
j,keJK(io) 
A ~8i] 
i~1(j,k) 
A A v v 
(i'd',k')eH.K3Et(j,k) 
v V [.fJ ^ A (i,j,k)EIJK4(Et) k'#k,ko ~8¥] , 
Tempora l  Boo lean  Der ivat ive  35  
where 
Jg( io)  
I( j ,  k) 
I JK IE t  
I JK2Et( j ,  k) 
I JK3( j ,  k) 
I Jg4(Et )  
= {(j, k):  [s~ o^ ]~ ^  xk] D Et}, 
= {i : [si A ]j A xk] D Et where i # i0}, 
= {(i,j, k):  [si A ]j ^ xk] D Et, i # i0}, 
= {(i ' , j ' ,k ' ) :  ( i ' , j ' ,k') • IdK1Et -  {(i ' , j ,k)}}, 
= {( i ' , j ' ,k ' ) :  ( i ' , j ' ,k') • I JK2Et( j ,k )  - {( i ' , j ' ,k ' ) :  i' • I ( J ,K)}},  
= {(i , j ,k) • I JK1Et} - {( i , j ,k) :  (j,k) • Jg( io)}. 
In the same way, it is possible to calculate the sensitivity of an event with respect either to a 
function or an input. 
Examples  
EXAMPLE 1. 
to a state. 
In this example, we show how to calculate the sensitivity of an event with respect 
Ou2 
0sl = (uvf(u2), Sl) ~ (uvf(u2), ~1)  = f2 ^  Xl, 
Jg(O) = (2, 1), 
1(2, 1) = 0, 
I JK1 = 0, 
I JK2(2, O) = O, 
I JK4 = O. 
If the input is Xl, and the function ]2 is True, then 
when Sl becomes -~Sl then u2 becomes -~u2, or -~u2 becomes u2, 
or when -~sl becomes l then u2 becomes "~u2, or -~u2 becomes u2. 
EXAMPLE 2. In this example, we show how to calculate the sensitivity of an event with respect 
to an enabling function. 
Ou2 
0]2 = (uv](u2), ]2) • (u~f(u2), 912) = s~ ^  xl.  
If the machine is in state Sl, and the input is x2, then 
when u2 becomes -~u2 then f2 becomes -~f2, or --]2 becomes ]2, 
or when --u2 becomes u2 then ]~ becomes -']2, or -~]2 becomes ]2. 
CONCLUSION 
The investigation, based on Boolean algebra nd temporal logic, illustrates a verification strat- 
egy at the functional transition level for extended finite state machines. Essentially we have 
shown that the unified value formulae collects all the terms that involve a temporal event and 
at the same time some pertinent properties of sequential machines are revealed. Moreover, the 
temporal Boolean derivative returns the sensitivity conditions of a given event. These temporal 
logic formulae, constructed using temporal logic operators and symbolic variables are defined on 
the efsm representation model. Consequently, the strategy allowed us to address the following 
problems: 
- Formal proof of the properties of an efsm. 
- Verification of an e]sra against a reference model. 
- Formal generation of symbolic sequences for verification. 
- Sequence generation for functional tests. 
It is proposed to extend the research to include experiments which will measure the memory and 
CPU times for various input sequences. 
36 E. VANDERMEULEN etal. 
REFERENCES 
1. K.-T. Cheng and A.S. Krishnskumar, Automatic functional test generation using the extended finite state 
machine model, In Proceedings 30 th ACM/IEEE Design Automahon Conference, pp. 86-91, (1993). 
2. Z. Manna and A. Pnueli, Verification of concurrent programs: A temporal proof system, Technical Keport 
STAN-CS-83-967, Dept of Computer Science, Stanford University, (June 1983). 
3. J. Magnier, Representation symbolique t verification formelle de machines equentielles, Ph.D. Thesis, 
Universite Montpellier II, France, (1990). 
4. S.B. Akers, Functional testing with binary decision diagrams, In Proceedings 8th Annual IEEE on Fault 
Tolerant Computing, pp. 75--82, (1978). 
5. Kohavi, Switching and Finite State Machine, McGraw-Hill, (1978). 
6. J. Magnier, D. Pearson and N. Giambiasi, The temporal Boolean derivative applied to verification of 
sequential machines, In Proceedings of the European Simulation Symposium (ESS 9~), pp. 313-319, Istanbul, 
(19~4). 
7. B.W. Johnson, Design and Analysis of Fault-Tolerant Digital Systems, Addison-Wesley Publishing Com- 
pany, (1989). 
8. K.S. Brace, I~.D. Rudell and R.E. Bryant, Efficient implementation f bdd package, In Proceedings P7 th 
Design Automation Conference (DAC 90), pp. 40-45, (1990). 
