INTRODUCTION
Self-Checking (SC) devices are increasingly becoming a suitable approach to the design of complex systems, to cope with the growing difficulty of on-line and off-line testing. As far as on-line testing is concerned, the design of Self-Checking systems allows the detection of both transient and permanent faults, providing the identification of an erroneous behavior as soon as it is observable. A Self-Checking circuit consists of a functional circuit generating encoded data and a checker, which verifies that no fault has occurred (either in the circuit or in the checker itself) by checking that the data belong to the adopted code. When combinational circuits are considered, an SC design encodes the circuit outputs; when sequential circuits are considered, the encoding applies to outputs and state [1]. The paper considers the design process for SC circuits, oriented toward control dominated systems based on Finite State Machines and Data path (FSMD) descriptions, typical of VLSI devices specified in VHDL. The goal of this investigation is to present a complete methodology for the design of Self-Checking sequential systems specified in VHDL, covering all aspects: state assignment, data encoding and application of synthesis constraints. The FSM state assignment constitutes a novelty. The main difference from other approaches ([1 2 3 4 5 6 7]) is that the assigned state code does not constitute a codeword itself, but the sequence present state code-next state code is the element of the defined code. The binary codes assigned to the FSM states are such that each 〈present state, next state〉 pair is characterized by the same constant Hamming distance. When the data path is combinational, without specific arithmetic units (dealt with in [8] for instance), the TSC methodology applies the traditional encoding of the data (Berger or Parity code).
When the data path is sequential a specific innovative approach has been defined, based on the identified structures composing the network. The methodology is integrated in the design process of VLSI systems, described in VHDL. This formalism (constituting the entry point of the design methodology together with the KISS format for MCNC benchmarks) allows the integration of the proposed approach in a standard industrial design flow. One of the main advantages of the proposed methodology is that it is, to the authors' knowledge, the only complete approach for the realization of TSC complex systems starting from a VHDL description. Other approaches, instead, mainly deal with a subset of the system (typically the controller), sometimes requiring a reduced area overhead. Yet, the area penalty of the presented methodology mostly derives from the fact that all components are designed to be TSC and all necessary checkers are included to obtain a TSC system. The elements of the TSC design methodology based on the aforementioned aspects are the following ones.
1. State encoding based on the constant Hamming distance for detecting the incorrect evolution of the control FSM through its states (Sec. 4).
2. Sequential data path encoding according to ad hoc techniques (Sec. 5).
3. Output encoding with Parity/Berger code (Sec. 6).
4. Achievement of the complete fault coverage by acting on faults observability, i.e., their ability to produce a detectable error. This is a necessary step since the methodology defined at a functional level does not cover all stuck-at faults at gate level due to lack of a complete fault-error relation enforced at a structural level, guaranteeing that each fault produces all and only detectable errors (Sec. 8).
Step 4 is performed a posteriori after encoding the entire network, allowing logic sharing between next-state and output functions, for an area overhead minimization. The paper is organized as follows. Section 2 introduces the generic system architecture, the highlights of the proposed design methodology and some definitions, providing a review of related approaches. Sections 3 through 8 detail the different aspects of the methodology following the organization presented above. Costs and Self-Checking properties of the complete system are evaluated on a set of MCNC benchmark FSMs and on a set of industrial controllers, also comparing the achieved results with other published approaches. Conclusions and future developments are presented in the final section 10.
FRAMEWORK AND RELATED WORK
The target architecture of the proposed methodology consists of a Finite State Machine and Data path (FSMD). The approach is best suited for control dominated circuits, characterized by a control FSM and a relatively simple data path (either sequential or combinational). Such a system organization is typical of devices specified in the VHDL hardware description language [18] . The FSM defines the states of the controller and its evolution according to the control input values; a data path manipulates data inputs generating the system outputs. Such outputs may be latched to allow the values to be stable before propagation to the downstream logic. The proposed methodology provides an approach for designing each one of these elements. Arithmetic operators are left aside since specific approaches can be applied (e. g., [8] ).
Definitions and assumptions
This section recalls some basic definitions on the design of Totally Self-Checking circuits and the properties that need to be guaranteed [14] .
Definition 1. A sequential (combinational) circuit is self-testing for a fault set F if and only if (iff), for every fault in F, the circuit produces a non-codeword output during normal operation for at least one input codeword.
Definition 2. A sequential (combinational) circuit is fault-secure for a fault set F iff, for every fault in F, the circuit never produces an incorrect output codeword.
Definition 3. A sequential (combinational) circuit is Totally Self-Checking for a fault set F iff, for every fault in F, the circuit is both self-testing and fault-secure.
Definition 4. A circuit is code-disjoint for a fault set F iff input codewords map onto output codewords and input non-codewords map onto output non-codewords.
Definition 5. A TSC circuit is a totally Self-Checking checker for a fault set F iff, for every fault in F, the circuit is self-testing, fault-secure and code-disjoint.
Definition 6. A controllable Self-Checking checker [16] is a TSC checker performing a check function if it is instructed to, otherwise it indicates a fault free behavior.
Faults
The adopted fault model is the general single stuck-at fault affecting any gate input/output. The circuit primary inputs are considered fault-free since no encoding is applied.
Related approaches
The basic approach, suitable for sequential circuits and for combinational ones, consists of the duplication of the circuit. A comparator monitors two copies of the original system detecting differences in the behavior of the two elements caused by faults. Leveugle et al. proposed alternative approaches to fault detection in FSMs by defining a methodology based on signature monitoring [3] . They adopt a state encoding such that the signature of each state code is made invariant after each state, independently of the followed path. Another design method is based on the concept of a monitoring machine [10] . The binary code for the state assignment of the main machine constitutes the information bits of the encoding while the binary code of the monitoring machine serves as check bits. Further studies aimed at minimizing the overhead and the complexity of the definition of the monitoring machine [11] . The adoption of error detecting/correcting codes for the state assignment and output encoding [4 5 6 7 12 13] is another approach to the design of SC sequential circuits. The basic architecture is that of Fig. 1 ; the circuit outputs are encoded and a checker verifies that the produced values belong to the codeword set of the applied code. The functional non-encoded data produced by the circuit is extracted from the encoded data (for non-separable codes) and is sent to the rest of the system. The same methodology applies to the state; the assigned binary codes belong to a selected code (a typical choice is the 1-hot, or 1-out-of-n, code) [14] . A checker is attached to either the present (as in Fig. 1 ) or next state lines. For traditional codes, constrained syntheses allow the realization of logic networks with the desired properties [9] . In fact, to be detected a fault must produce an output or/and next-state value not belonging to the sets of codewords defined for the applied codes, a property related to the logic realization of the network. 
For instance, when adopting the parity code, a fault must produce an odd multiple error to be detectable by the checker, and the easiest (and most expensive) way to achieve an odd-cardinality is to separately synthesize the outputs. The resulting cardinality is odd and equal to one. Berger code allows the detection of unidirectional errors; to achieve a 100% fault coverage the network has to be unate. [15] developed a theory of TSC system design, by defining conditions for interconnecting components of a system in order to obtain a globally TSC system. This paper defines a methodology for designing TSC sequential circuits, providing the detection of faults affecting the evolution of the system through its controlling sequence, based on a new encoding for the state. The output logic, constituting the data-path part of a complex system, is designed to be TSC through the adoption of both a traditional encoding (e. g. Parity/Berger codes) and more specific approaches, aimed at minimizing area overhead.
A STATE ENCODING BASED ON A CONSTANT HAMMING DISTANCE
The control FSM, and specifically the state encoding problem, is considered first. This section defines the problem, the proposed encoding methodology, also introducing adjustments for the management of the reset state. Data on the impact of the methodology on the number of state bits are reported.
Problem definition
Berger, m-hot and SEC [2] codes are among the most frequently adopted codes for the state. The common element is that the state code constitutes a codeword itself (in a fault free situation). A fault is detected if the bits representing a state code are not correct, i.e., if it is a non-codeword. A fault in the next state logic may cause a non-codeword, a legal but incorrect codeword (not correct for the fault free evolution of the FSM) or no error at all. The encoding approach we propose provides the capability of detecting not only a non-codeword, but also an erroneous next-state codeword. The aim is to reduce the overhead implied by memory elements and by the next-state logic. Let B={0,1} be the carrier of the considered two-element Boolean algebra B (B,and,or,1,0); the Finite State Machine is modeled as a Mealy machine, represented by the 6-tuple M = <S, I, O, δ, λ, s_0>. S is the state set, I ⊆ B^n is the input set, O ⊆ B^m is the output set, δ is the next state function δ: S × I → S, λ is the output function λ: S × I → O, and s_0 is the initial (reset) state. The encoding of the FSM is achieved by providing a state assignment in which every state is at a constant Hamming distance from its next states. More specifically, consider two states, s_j and s_h, such that s_h = δ(s_j, i_k); the state assignment is performed by selecting the most appropriate constant distance value and by guaranteeing the following relation:
is the Hamming distance between α and β and d is the fixed value.
The relevant aspect of the proposed encoding is the adjacency between two states instead of the transition between them. By representing with G(V,E) the directed graph characterizing the FSM, in which v_i ∈ V constitutes the i-th state and e_{vi,vj} = (v_i, v_j) ∈ E represents the transition (directed edge) from v_i to v_j, the previously reported characteristic is translated into an undirected graph G(N,E) in which an FSM state univocally corresponds to each node n_i ∈ N, while the set of possible transitions {e_{ni,nj}, e_{nj,ni}} corresponds to a non-oriented edge a_ij with i≠j connecting node n_i to node n_j. Since every node is adjacent to itself, self-loops are not considered (e_ii ∉ E). Starting from the above defined model, the proposed encoding problem can be formally described as follows. Let |N| be the cardinality of the node set, |E| the cardinality of the constraints transition set and n_c be the number of bits of the codeword. The problem consists of determining the minimum value of n_c such that the constraint encoding set (the distance is imposed by |E|) is not empty, that is:
The optimization problem belongs to the class of NP problems and its complexity is related to the cardinality of the set of arcs and nodes; the proof can be found in [19] .
State assignment heuristic procedure
The constraint optimization problem related to the state encoding has high computational complexity. To find a solution in a reasonable time, heuristics have to be adopted. Two heuristics have been considered: a clique based heuristic, applying a pattern matching approach [20], and a node based procedure. Since the latter has given better results in most cases for both execution time and number of bits, the node based heuristic is presented.
A. Node based state assignment
This procedure takes into consideration, as the basic element, the graph node, target of a compatible binary code. The input of the adopted strategy is the list of nodes sorted in descending order according to their node degree (the number of edges incident to the node). The encoding problem is related to the constraints set; hence, by starting from the most highly constrained node the probability of reaching a solution increases. When selecting the next node to be encoded, an additional criterion is considered: the node is the one with the highest degree that is directly connected to at least one already assigned node. The algorithm assigns to the i-th node in the node list a code belonging to the set of admissible codes. Such a set, composed of still unassigned codes, is computed as the intersection of the sets of codes at distance d from the nodes already encoded and directly connected to it.
The procedure starts from the node with the highest degree (B or F). By fixing an assignment for state B=0000, the next state to be encoded is state A (first node in the list connected to the encoded sub-graph B). The admissible encoding set (AES) for state A is AES_A={0011; 0101; 0110; 1001; 1010; 1100}; let A=0011. The next state to be encoded is C, the first node connected to the encoded sub-graph {B,A}. The nodes verifying the encoding and the connection properties for C are B and A. AES_C (see Fig. 3) results from the intersection between the sets related to A ({0000; 0101; 0110; 1001; 1010; 1111}) and to B ({0011; 0101; 0110; 1001; 1010; 1100}). Let C=0101. The next state to be encoded is D, with AES_D={0110; 1001; 1010; 1100}. Similarly, states F and G are encoded. Node E is selected next. Constraint nodes are F and G. AES_E is computed by intersecting the sets related to F ({0000; 0011; 0110; 1001; 1100; 1111}) and to G ({0000; 0011; 0101; 1010; 1100; 1111}), that is, {0000; 0011; 1100; 1111}. Codes 0000 and 0011 are already assigned, determining AES_E={1100; 1111}. Next, a code is assigned to state H. The final encoding is shown in Fig. 2.
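The node based procedure can be sketched as follows. This is an added example, not the authors' implementation: the 5-state machine is constructed (it is not the FSM of Fig. 2), and picking the smallest admissible code and widening the code by one bit when an AES becomes empty are assumptions, since the text does not state how those choices are made.

```python
from itertools import combinations

def hamming(a, b):
    """Number of bit positions in which two codes differ."""
    return bin(a ^ b).count("1")

def codes_at_distance(code, d, n_bits):
    """All n_bits-wide codes at Hamming distance exactly d from `code`."""
    result = set()
    for positions in combinations(range(n_bits), d):
        mask = sum(1 << p for p in positions)
        result.add(code ^ mask)
    return result

def assign_states(states, transitions, d, n_bits):
    """Greedy node based assignment for a fixed code width.
    Returns {state: code}, or None when some admissible encoding set
    (AES) turns out empty."""
    adj = {s: set() for s in states}
    for src, dst in transitions:
        if src != dst:                      # self-loops impose no constraint
            adj[src].add(dst)
            adj[dst].add(src)
    # Nodes in descending degree order (ties broken by name).
    order = sorted(adj, key=lambda s: (-len(adj[s]), s))
    codes = {}
    while len(codes) < len(order):
        pending = [s for s in order if s not in codes]
        # Prefer the highest-degree node adjacent to an encoded node.
        linked = [s for s in pending if any(nb in codes for nb in adj[s])]
        node = (linked or pending)[0]
        # AES: unassigned codes at distance d from every encoded neighbour.
        aes = set(range(1 << n_bits)) - set(codes.values())
        for nb in adj[node]:
            if nb in codes:
                aes &= codes_at_distance(codes[nb], d, n_bits)
        if not aes:
            return None
        codes[node] = min(aes)              # assumption: smallest code wins
    return codes

def encode_fsm(states, transitions, d=2, max_bits=8):
    """Try increasing widths until the greedy assignment succeeds
    (assumed retry policy). Returns (n_bits, {state: code})."""
    start = max(d, (len(states) - 1).bit_length(), 1)
    for n_bits in range(start, max_bits + 1):
        codes = assign_states(states, transitions, d, n_bits)
        if codes is not None:
            return n_bits, codes
    raise ValueError("no assignment found within max_bits")

def violations(codes, transitions, d):
    """Transitions whose present/next codes are not at distance 0 or d."""
    return [(s, t) for s, t in transitions
            if hamming(codes[s], codes[t]) not in (0, d)]

# Constructed 5-state machine (directed transitions, one self-loop).
STATES = ["A", "B", "C", "D", "E"]
TRANSITIONS = [("A", "B"), ("B", "A"), ("B", "C"), ("C", "A"), ("C", "C"),
               ("B", "D"), ("D", "C"), ("D", "E"), ("E", "B")]

if __name__ == "__main__":
    width, assignment = encode_fsm(STATES, TRANSITIONS, d=2)
    for state in sorted(assignment):
        print(state, format(assignment[state], "0%db" % width))
    print("violations:", violations(assignment, TRANSITIONS, 2))
```

With three bits the run stops at state E, whose AES is empty because each parity class of 3-bit codes holds only four codes; four bits succeed.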
B. State encoding evaluation
This approach has been applied to a set of benchmarks to evaluate the impact of the distance constraint on the number of bits. In fact, although the area implied by the next-state function logic cannot be directly related to the number of state bits (see results in [2] Therefore, the number of bits for the 1-hot code is the upper bound for such a distance value. The 1-hot code requires the highest realization area mainly because of the high number of memory elements. Mentor Graphics' Fault Tolerant approach on average implies costs similar to the ones produced by the proposed approach, but no direct synthesis or detection methodology is available, thus the provided state encoding is not structurally supported.
The Reset state
The reset state is the state which the system evolves into, any time a specific input condition is verified (reset signal is active), independently of the present state. This state is connected to each one of the states of the FSM, increasing by one the node degree, and constraining all states to be at distance d from its binary code. This usually increases the number of bits required for encoding the FSM. The assumption is that there is one or more input configurations identifying the reset condition (if starting from a VHDL description, the reset condition is unique). To solve graph connectivity problems and then the encoding, it may be convenient to encode all the other states of the FSM according to the constant distance methodology, excluding the reset state from the list of nodes. To control the correct evolution of the circuit into the reset state a separate logic block is used, that verifies the generated next-state value with respect to the fixed reset state configuration when the reset signal is active. Fig. 5 shows the modified architecture, including the OR-type Controllable Self-Checking (CSC) checker taken from [16] . When the reset signal is active the distance between present state and the reset may not be equal to the adopted distance d, and no checking should be performed.
More specifically, the detecting functionality is given by a CSC checker controlled by signals c1 and c2 generated by the additional block. The behavior is as follows:
» c1c2 = 10 if reset_condition = true & next_state = reset_state (CHECK OFF);
» c1c2 = 01 in all other conditions (CHECK ON);
» c1c2 = 00 or 11 do not occur in a fault free case.
If signals c1c2 indicate CHECK ON (c1c2 = 01, 00 and 11) the values on the error indication lines are those of the standard TSC distance checker, otherwise (CHECK OFF) the values are those generated by the additional logic block which verifies that the generated next-state is the reset state (Next-state = Reset block in Fig. 5). The proof of the CSC properties can be found in [16]. By adopting this methodology the distance constraint set related to the reset state is ignored.
THE SEQUENTIAL DATA PATH
The complexity and peculiarity of the sequential circuit deriving from a VHDL description and synthesis suggests the adoption of specific approaches for the identified elements. When the outputs are generated by the data path through a combinational relation depending on the present state and the primary inputs, the encoding of the data flows constitutes a feasible approach for the realization of a TSC network, provided the application of a suitable synthesis methodology, issue addressed in the next section. When the outputs are generated through a sequential relation, the encoding applies both to the output data and to the internal "state" of the sequential data path. Such a state is represented by the internal variables, typical in VHDL descriptions of the sequential circuit. There may also be other memory elements on the primary outputs. Excluding latches on the outputs, dealt with in a separate way, two classes of internal variables have been identified: generic internal variables and variables with a multiplexer cycle structure. An example of the generic internal variables is presented in Fig. 6. The variable defines the evolution of the sequential data path. Among internal variables, a particular structure has been identified, referred to as multiplexer cycle, where the memory element is used to store signal values and does not constitute the state register of a control FSM. The following piece of code (Fig. 7), taken from the industrial circuit FSM_CHP, provides an example of this situation.
(b): encode the outputs without considering that they are latched; (c): adopt a specific methodology to make TSC the internal variables, dealing with multiplexer cycle structures and generic internal variables. All three approaches cope with the latching of the outputs not taking into account the presence of the register. In fact, by adopting a traditional encoding for the outputs (e.g., Berger code), any single stuck-at in the register elements may only cause a single error, always detectable by the adopted encoding. The first approach is not feasible for FSMs with a relevant data path since a sequential data path may have several memory elements. In such a case, the second approach is more efficient, reducing the complexity of the state assignment task, suited for checking the evolution of the control machine, while still providing the detection of all faults. In the last approach, for multiplexer cycle structures an encoding of the data is performed, and the same architecture is applied to the check bits. Generic internal variables are dealt with by introducing an encoding (parity/1-hot, depending on the width of the data path state variables) of the state and by monitoring the behavior with the necessary checker. An example of this approach is presented in section 10, on VHDL benchmark FSM_CHP.
OUTPUT ENCODING: BERGER CODE
The encoding of the output function of the control unit (control signals) completes the design of the SC system, covering all possible erroneous behaviors classified by the functional fault model. Berger code has been selected for encoding the outputs, allowing a global comparison of the proposed methodology with others ([1  2] ). The encoding of the FSM outputs is straightforward, except in those circuits where the outputs are not completely specified. In such cases, a preliminary synthesis is performed to eliminate don't care conditions, after state assignment. Such a synthesis of the FSM fixes all don't cares at determined values while pursuing an area minimization goal with respect to the given state assignment. At this point, the circuit is completely specified and the encoding of the outputs with Berger code is straightforward. In particular, the state transition graph of the synthesized network is extracted, the outputs are encoded and then a final synthesis is performed, producing the final SC FSM. Other different strategies have also been examined to exploit the degrees of freedom of the FSM description (i. e., Boolean relations), whose results are equivalent to the presented ones.
100% STUCK-AT FAULT COVERAGE
The functional definition of the TSC properties does not completely relate to the gate implementation of the logic network [9] , hence it is necessary to define a synthesis strategy able to exploit the code properties making each fault observable by generating a non codeword. Moreover, the proposed state encoding does not provide complete fault coverage, not distinguishing between next states of the same present state. Therefore, the proposed state encoding, Berger encoding of the outputs together with a unidirectional synthesis of the logic circuit do not guarantee the complete fault coverage of all single stuck-at faults. The proposed state assignment guarantees that any time a fault causes an erroneous evolution from the present state to a next state with a binary code at distance d' ≠ d or d' ≠ 0, such an event is detected, otherwise the fault is not detected. That is, the state assignment methodology itself, at a functional level, does not provide a complete fault coverage, deferring such a task to the gate level realization. Hence, a structural approach based on the duplication of the ports affected by undetected stuck-at faults has been defined. These faults are covered with a post-processing step, to achieve a complete fault coverage. Let us consider, as an example the piece of circuit of Fig. 8a , where an undetected fault has been identified on input wire m of gate g66. The duplicating technique introduces (Fig. 8b ) a new gate with an inverted functionality with respect to the gate in exam, fed by the same inputs; an AND gate (g66dup). In a fault free situation, gates g66 and g66dup will assume an opposite logical value. When a fault occurs, including specifically the undetected stuck-at on input wire m, gates g66 and g66dup will assume the same value. By comparing the output values of gates g66 and g66dup with a 2-variable two-rail checker (TRC 2 ), the fault will be detected. 
The other two inputs of the TRC 2 are constituted by the outputs of the checker on the state lines. If several gates need to be duplicated, each (a1 i , a2 i ) pair will feed a p-variable TRC (TRC p ), generating a tree of TRC 2 . The last TRC 2 will take as input the constant distance checker outputs. The approach is expensive if the number of faults to be covered is high and faults are dispersed throughout the circuit, due to the high overhead of the TRC 2 (6 gates). To improve costs an analysis is performed to group gates to be duplicated into blocks, so that for several gates affected by undetected faults a block of ports is replicated and a single TRC 2 is introduced (see [24] for details). This structural approach allows the adoption of a generic synthesis. In fact, the TSC design methodology does not require a unate synthesis of the logic realizing the next-state function, an "expensive" task, seldom supported by synthesis tools, such as those available for an HDL based design methodology. Nevertheless, a targeted synthesis providing that a fault always generates an odd number of erroneous bits would grant a 100% fault coverage.
THE DESIGN OF TSC CHECKERS FOR THE CONSTANT DISTANCE CODE
To completely define the TSC system, specific checkers for the proposed constant distance state assignment have been designed [26], whereas Berger checkers are found in literature [25]. The attention has been focused on the class of checkers for Hamming distance d = 2, according to the results of the impact of different distance values on area (see area costs in Fig. 4). A methodology has been defined to design the d = 2 checker for a generic number n of state bits. The TSC checker circuit is characterized by an input-code space constituted a priori by all possible 2^(2n) combinations, since no assumptions are made here on how a fault corrupts the next-state binary code, which constitutes one part of the checker inputs (the other part is the present-state configuration). By relating the checker realization to the code, the checker needs to verify that either exactly 2 or none of the n bits change value between the present state and the next state binary codes. As output-code space, the dual-rail code has been adopted, the smallest unordered code. The design of the checker is organized into stages. The first stage, XOR module, consists of a module for evaluating the Hamming distance. It receives as inputs the two n-bit binary codes (PS(n:1) and NS(n:1)) corresponding to the present state, PS, and next state, NS, configurations. The output is an n-bit binary code I(n:1) characterized by a number of 1s equal to the Hamming distance between the input codes. The code space for vector I(n:1) consists of all configurations with either 0 or d 1s out of the n bits. A second stage, converter module, consists of a block for mapping the configuration on n bits onto 4 bits, vector RI(4:1), maintaining the number of 1s, i.e., the distance. Thus, the module converts codewords (non-codewords) on n bits into codewords (non-codewords) on 4 bits.
The last stage, basic n4d2 module, checks the RI(4:1) configuration for a 0/2 number of 1s, providing as output the dual rail code. A basic n3d2 module has been designed together with the necessary converter modules to 3 bits. The checkers obtained by connecting these stages independently designed are TSC if such modules are independently TSC, as shown in [26] . The class of checkers has been designed to require a reduced test set, considering the limited number of input configurations available, when the state code moves toward the 1-hot code. The checker is still self-testing.
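The functional behaviour of the d = 2 check, and the reason the state encoding alone leaves some erroneous next states undetected while any odd number of erroneous bits is always caught, can be seen by exhaustive enumeration. This is an added behavioural sketch, not the gate-level checker of [26]: it models only the XOR stage and the 0/2 count, reports a boolean instead of a dual-rail pair, and treats every present/next pair at distance 0 or 2 as a fault-free transition (an assumption that bounds any concrete FSM).

```python
def distance_ok(ps, ns, d=2):
    """XOR stage followed by the 0-or-d count: True when the pair
    <present state, next state> is a codeword of the distance code."""
    i_vec = ps ^ ns                       # I(n:1): 1s mark changed bits
    return bin(i_vec).count("1") in (0, d)

def undetected_next_states(ps, ns_good, n_bits, d=2):
    """Erroneous next-state codes that still pass the distance check
    for the fault-free transition ps -> ns_good."""
    return sorted(ns for ns in range(1 << n_bits)
                  if ns != ns_good and distance_ok(ps, ns, d))

def escape_table(n_bits=4, d=2):
    """For every fault-free pair and every non-zero error pattern on the
    next-state lines, count (detected, escaped) per error weight."""
    table = {w: [0, 0] for w in range(1, n_bits + 1)}
    for ps in range(1 << n_bits):
        for ns in range(1 << n_bits):
            if not distance_ok(ps, ns, d):
                continue                  # not a fault-free transition
            for err in range(1, 1 << n_bits):
                weight = bin(err).count("1")
                escaped = distance_ok(ps, ns ^ err, d)
                table[weight][1 if escaped else 0] += 1
    return {w: tuple(counts) for w, counts in table.items()}

if __name__ == "__main__":
    for weight, (detected, escaped) in escape_table().items():
        print("error weight %d: detected=%d escaped=%d"
              % (weight, detected, escaped))
    print([format(c, "04b") for c in undetected_next_states(0b0000, 0b0011, 4)])
```

Every escaping pattern has even weight, which is why the paper adds gate duplication for the residual faults and notes that a synthesis producing only odd-weight errors would not need it.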
TSC METHODOLOGY EVALUATION
Final area results achieved with the proposed methodology have been compared with those deriving from a 1-hot code for the state, after output encoding and achievement of a 100% fault coverage. Two classes of sequential circuits have been considered: a set of MCNC benchmark machines, and a set of industrial controllers. The former allow a comparison with other approaches with respect to the reported results. Yet such FSMs seldom match real controller architectures; the degree of interconnection of the state transition graph is far too high, an aspect affecting the complexity of the proposed methodology. Hence, to put the defined approach into the right perspective, which nevertheless achieves significant results on benchmark FSMs, some industrial controllers have also been selected.
Benchmark machines
Tab. 3 reports the literal count for each benchmark achieving a complete fault coverage, also including 12 literals for each memory element (master-slave flip-flop).
Overheads are on average lower, mainly due to the reduced number of memory elements required for the state assignment. In fact, although the area implied by the logic implementing the next-state function cannot be directly related to the number of state bits (see results obtained by [2]), the area occupied by memory elements significantly affects the final overhead of the synthesized sequential circuit. As can be determined from the values in Tab. 3, the next-state logic for the one-hot code is usually reduced with respect to the logic for the proposed state assignment, leading to "anomalies" in cost results, such as the case of benchmark s510. These results are expected to improve when using a specific synthesis methodology and output encoding, aspects currently under investigation.
Industrial controllers
Three industrial controllers described in VHDL have been selected for the application of the proposed strategy. From such a description, nodes have been extracted to apply the encoding algorithm. The standard HDL design flow has then been applied to the sequential circuit, provided the encoding of the state and of the outputs as described. Details of the VHDL based methodology are illustrated on the FSM_CHP controller, for the other circuits only the main information and results are reported.
A. The FSM_CHP sequential architecture
The control FSM has 4 states, interconnected as shown in Fig. 9 . The sequential data path is characterized by an internal variable mapped on a one bit signal and by 15 bits in a multiplexer cycle structure. Fig. 9 proposes a possible state assignments for the control FSM fulfilling the constant distance constraints. There are 2 undetected faults causing a 98% fault coverage. The overhead for a 100% fault coverage with respect to a state assignment performed with NOVA is of 33%. The FSM_CHP architecture has a sequential data path and there are multiplexer cycles. The specific described methodologies are applied; data flows are encoded independently of the presence of the multiplexer cycle, by "attaching" the logic block to the check bits, after the encoding. The parity code has been used both for single bit signals and for the 14 bits signal ici, due to cost evaluation, introducing 4 additional outputs. The independent synthesis is achieved by means of separate PROCESS constructs. The sequential data path consists of an internal variable, encoded with the parity code. This introduces an additional internal variable and the duplication of the process controlling the internal variable itself. Fig. 10 . Initial VHDL for the sequential data path, characterized both from the multiplexer structure and an internal variable.
The resulting modified VHDL code is shown in Fig. 11.
Fig. 11. VHDL for the sequential data path; outputs are encoded with the parity code, maintaining the multiplexer structure.
Fig. 12 reports the area data for the initial and encoded circuits; it is possible to identify the added elements:
» 4 multiplexers + 4 flip-flops for the four additional outputs applying the parity code;
» 2 inverters and a XOR tree for the parity encoding.
The synthesis of the modified VHDL code introduced the expected logic, with an overhead of 46,7%. The impact of the encoding is relevant due to the simplicity of the logic manipulating the input data. Three possible encoding strategies have been identified:
1. encoding of all outputs with a single parity bit;
2. encoding of ici, SPOL_H and SPOL_NC with a parity bit and no_polic with another one;
3. independent encoding of all outputs.
It is possible to give a rough estimation of area costs: 1. XOR tree on labe&st_pol of 17 bits; one multiplexer cycle structure (
The last approach requires a higher overhead (multiplexers and flip-flops are more expensive than XOR gates) but provides independently generated encoded outputs, useful if the circuit is meant to be part of a more complex system. Internal variable str_lab is encoded with the parity code with another internal variable str_lab_dup, defined to have an opposite value (see code of Fig. 11). The required area is 328.30, corresponding to a 52% overhead. The 1-hot encoding could not be applied to this part of the sequential circuit with Mentor's tool since, when examined as a sequential circuit, the number of states of the FSM explodes. In fact, when selecting the state encoding it is not possible to define the state variables to which it has to be applied, thus the tool tries to apply the 1-hot encoding to all 18 memory elements (2^18 states). The specific approach for the multiplexer cycle structure is not only efficient but also the only feasible one.
For 1 bit signals (there is one signal of 2 bits) the adoption of Berger code implies a limited area overhead only if applied to all signals as a whole. The overhead is 47%. A global synthesis of the original and modified circuits gives a global area overhead of 76%, less than the overhead required by the duplication methodology, whereas a "straight" application of the other approaches found in literature is not so immediate. The extraction of the entire FSM would cause an explosion of the number of states, making the application of an efficient methodology for generic sequential circuits rather impossible.
B. Alfa controller

CONCLUSIONS AND FUTURE WORK
The paper proposed a global design methodology for realizing Totally Self-Checking VLSI systems, derived from a VHDL description. The entire approach has been presented, focusing the attention on an innovative state assignment algorithm for the definition of a state encoding based on a constant Hamming distance between present state/next state binary codes, which allows the design of SC sequential circuits. Sequential data path and output encoding, and SC checkers design have been also addressed introducing new techniques. Results in terms of overheads have been presented on a set of benchmarks. Future efforts are directed toward the definition of synthesis methodologies allowing an efficient exploitation of the proposed state encoding, and the adoption of alternative output encodings, for reducing area overheads.
