In this paper, we present methods for synthesizing multi-level asynchronous circuits to be both hazard-free and completely testable. Making an asynchronous two-level circuit hazard-free usually requires the introduction of either redundant or non-prime cubes, or both. This adversely a ects its testability. H o wever, using extra inputs, which is seldom necessary, and a synthesis for testability method, we c o n vert the two-level circuit into a m ulti-level circuit which is completely testable. To a void the addition of extra inputs as much as possible, we introduce new exact minimization algorithms for hazard-free two-level logic where we rst minimize the number of redundant cubes and then minimize the number of non-prime cubes. We target both the stuck-at and robust path delay fault models using similar methods. However, the area overhead for the latter may be slightly higher than for the former.
Introduction
Achieving complete testability of asynchronous circuits has long been recognized to be a di cult problem since these circuits must be hazard-free 15]. Hazard-free synthesis methods frequently introduce redundant or non-prime product terms, resulting in circuits which are not fully testable. Thus, ensuring hazard-free behavior and at the same time achieving complete testability seem to be contradictory requirements. However, our aim in this paper is to show that hazard-free completely testable asynchronous multi-level circuits can be easily synthesized, in some rare cases requiring some extra control inputs.
In order to ensure high reliability of a circuit, one must test both its logical and temporal behavior for correctness. Physical defects may increase the propagation delays along di erent paths, giving rise to delay faults 19] . Delay faults can be categorized according to two models: gate delay faults and path delay faults. The gate delay fault model models excessive d e l a y limited to just one gate, whereas the path delay fault model models excessive d e l a ys along a whole path from an input to an output. Therefore, the path delay fault model is more comprehensive however, it may require more time for test generation because the number of paths is usually much larger than the numb e r o f g a t e s .
Delay faults are generally tested by t wo-pattern tests. For path delay faults, these tests launch a 0 ! 1 o r a 1 ! 0 transition at the input of the path to see if the desired transition reaches the output of the path within the speci ed time. A two-pattern test is called robust if arbitrary delays elsewhere in the circuit cannot invalidate it 19] . A robust test can be further categorized into a hazard-free or nonhazard-free test. For a hazard-free robust test, no hazards can occur on the tested path irrespective o f the delay v alues elsewhere in the circuit. This is the most stringent fault model. Hazard-free robust path delay fault testability of a circuit also implies testability under other fault models, such a s s t u c kopen 17]. Since it is known that robust testability of general circuits is usually quite low 1 9 ] , many synthesis for testability methods for this fault model have been presented 17], 20]-26]. However, these methods are not geared towards hazard-free implementations that are required for asynchronous circuits. Several e orts have been made to attack the asynchronous testing problem 1]-8]. For example, for a class of asynchronous circuits called speed-independent, the presence of some stuck-at faults can stop the circuit, thereby p r o viding a degree of self-checking behavior 1, 2]. However, not all stuck-at faults stop the circuit. Other testability methods have b e e n i n troduced to handle particular design styles such a s micropipelines 5] and Tangram-based designs from Phillips 6] . A comprehensive synthesis for testability method has been proposed by Keutzer et al. 4 ]. This work targets the hazard-free robust path delay fault model, which is one of the fault models we target too. The rationale for using this fault model is that since asynchronous interface circuits usually have strict delay requirements, it is desirable to detect any abnormality in their temporal behavior. Another interesting method has also been developed, where independent control of both phases of each v ariable is assumed 7] .
The aim of this paper is to synthesize hazard-free asynchronous circuits which are also completely testable under the stuck-at or the robust path delay fault models. Both fault models are treated similarly however, the latter model may require slightly greater area overhead. As in 4], we assume that full scan 8, 9] is available for converting the asynchronous circuit memory elements, such a s Set-Reset or C-element, into scanned memory elements in order to make these elements controllable and observable. For delay fault testing, enhanced scan 10], which allows the application of two b i t s in sequence to the present state lines, is assumed.
Our method di ers from 4] in several ways. First, they start with a two-level circuit which i s guaranteed to be prime but may be redundant, whereas in our work the two-level circuit may be both redundant and non-prime. Second, our method includes two-level synthesis algorithms which exactly minimize redundancy and non-prime implicants, thereby enhancing two-level testability, while their method does not. Finally, their multi-level synthesis approach is an adaptation of a previous synthesis for testability method based on Shannon's decomposition 17], whereas we use an alternative method. They also present a heuristic method based on algebraic factorization 31], which can be shown to be a special case of our approach. Our own method is adapted from a previous synthesis for delay fault testability method for combinational circuits 23], which assumed prime and irredundant t wo-level circuits as a starting point, and thus was not geared towards asynchronous circuits.
Our synthesis method has three steps:
(i) We synthesize a two-level circuit which is hazard-free, using a new algorithm which rst minimizes the number of redundant products and then minimizes the number of non-prime products. The motivation is to reduce the need for extra control inputs (a di erent approach for using extra inputs for robust testability has been given in 24]).
(ii) The hazard-free two-level circuit is converted into a multi-level circuit which i s completely testable for the given fault model, yet maintains the hazard-free property of the original circuit.
(iii) The multi-level circuit is then further optimized, using multi-level testability-and hazardpreserving transformations, to obtain the nal circuit.
2 Synthesis of Optimally-Testable Two-Level Hazard-Free Logic
In this section, we address the problem of synthesis for testability of hazard-free two-level logic. Such logic, in general, has two features which pose problems for testing: the presence of (a) nonprime implicants, and (b) redundancy. W e rst present b a c kground on combinational hazards and review an existing algorithm for hazard-free two-level logic minimization 11]. We then address the synthesis for testability problem by extending this algorithm in two w ays. Our rst algorithm nds a hazard-free solution with exactly minimum number of non-primes our second algorithm nds a hazard-free solution having exactly minimum redundancy. The two algorithms are then combined into a single algorithm which nds an optimally-testable hazard-free two-level solution using a threelevel cost function: (i) minimum redundancy (primary cost), (ii) minimum number of non-primes (secondary cost), and (iii) minimum numb e r o f i m p l i c a n ts (tertiary cost).
Combinational Hazards
For the following discussion, a combinational circuit model is assumed where gates and wires may have arbitrary nite delays. Since we are concerned with the dynamic behavior of a combinational circuit as its inputs change value, we need to formalize the notion of a \multiple-input change". A transition cube 15, 12, 11] i s a c u b e w i t h a start point and an end point. G i v en input states A and B, the transition cube A B] has start (end) point A (B) and contains all minterms that can be reached during a transition from A to B. The cube describes a multiple-input change or input transition from A to B. Inputs are assumed to change monotonically (i.e., at most once) in any order a n d a t a n y time. Once a multiple-input change occurs, no further inputs may c hange until the circuit has stabilized. A function f which does not change monotonically during an input transition is said to have a function hazard 15, 1 2 ] . For example, in Figure 1 If an input transition has a function hazard, no implementation of the function is guaranteed to avoid glitches during the transition (assuming our circuit model of arbitrary gate and wire delays) 15]. 
Conditions for a Hazard-Free Transition
We n o w describe conditions to avoid logic hazards in a sum-of-products implementation (for further details, see 12, 11] ). These conditions are best illustrated by examples.
Example 2.1. Again, consider the example in Figure 1 While the cover of Figure 1 (c) insures that each static sub-transition of t2 is hazard-free, it still does not guarantee that dynamic transition t2 itself is hazard-free. In fact, t2 has a hazard. Initially a d is low when d goes low, a d goes high nally, when a goes high, a d goes low. Therefore, a d may glitch during the transition. Assuming arbitrary delays on gates and wires, this glitch m a y propagate to the OR gate output, and the result is a dynamic logic hazard. The problem can be seen in the Karnaugh map: a d intersects transition t2 in the middle, but not at its start point 0111. Such a n i n tersection is called illegal 
Hazard-Free Covers
A hazard-free c over is a cover of a function which is hazard-free for a set of speci ed input transitions.
The following theorem formulates the hazard-free covering problem:
Theorem 2.1. 11] A set of implicants C is a hazard-free cover for function f with respect to a speci ed set of input transitions if and only if: (a) each required c u b e of f is contained in some implicant i n C, and (b) no implicant o f C i l l e gally intersects a speci ed dynamic transition. An implicant which does not illegally intersect any dynamic transition is called a dynamic-hazardfree implicant (or dhf-implicant). Only dhf-implicants may appear in a hazard-free cover. A dhf-prime implicant is a dhf-implicant c o n tained in no other dhf-implicant. An essential dhf-prime implicant is a dhf-prime implicant which contains a required cube contained in no other dhf-prime implicant.
Hazard-Free Two-Level Logic Minimization
Using Theorem 2.1, the two-level hazard-free l o gic minimization problem is to nd a minimum-cost cover of a function using only dhf-prime implicants where every required cube is covered. This problem i s a v ariant of the classic two-level minimization problem, where each ON-set minterm of a function must be covered by a prime implicant 1 6 , 2 7 ]. An exact hazard-free two-level minimizer has been developed 11], based on this theorem, using a constrained version of the Quine-McCluskey algorithm. There are three steps:
1. Generate the dhf-prime implicants of a function 2. Construct a dhf-prime implicant table a n d 3. Find a minimum cover of this 
Algorithms for Hazard-Free Synthesis for Testability
We n o w consider changes to the existing hazard-free two-level minimization algorithm to synthesize optimally-testable logic. For this paper, we focus on modi cations to algorithm reduce-tab. 1 Steps \do-column-dominance" and \get-essential-implicants" of reduce-tab are unchanged, since they perform structural simpli cations on the covering table. Therefore, only step \do-row-dominance" needs to be changed. In classic combinational logic synthesis, given rows i and j of an implicant t a b l e , row i is said to row-dominate j if i covers all the columns covered by j that is: cols(j) cols(i).
Minimizing Non-Primes
The rst problem is to nd a hazard-free cover with an exactly minimum number of non-prime implicants. To do so, a small modi cation is necessary to \row-dominance". If row i row-dominates j, where i is non-prime and j is prime, it is possible that a solution using j instead of i may h a ve f e w er non-primes and, therefore, be preferable. However, in all other cases, it is safe for i to dominate j: both prime, both non-prime, or i prime and j not. This modi ed row-dominance algorithm is non-prime non-increasing (npni), since it guarantees that a prime is never rejected in favor of a non-prime.
Algorithm npni-row-dominate ( 
Minimizing Redundancy
The second problem is to nd a hazard-free cover with an exactly minimum number of redundant implicants. This problem is more subtle than the problem of non-primes, since a product is itself either prime or non-prime while the redundancy of a product depends on the cover in which i t i s embedded.
For testability purposes, a product p in a cover C is redundant if and only if p is covered by C ;fpg. In contrast, logic minimization algorithms 27] often take i n to account the \don't-care set", D, and de ne p to be redundant if and only if p is covered by C D ; f pg. This latter de nition, however, is less relevant to testing.
The motivation in redundancy minimization is to accept covers with possibly additional products if redundancy can be reduced. As an example, consider the Karnaugh maps in Figure 2 for a function f with the speci ed input transitions, as shown. Figures 2(a) and (b) illustrate two hazard-free covers for f for the set of given transitions. The cover in Figure 2 (a) has minimum cardinality of all hazard-free covers, with three products. However, a c is redundant. The cover in Figure 2 (b) has four products, but no redundant products. Therefore, there are cases where redundancy can be decreased by allowing additional products.
There are two w ays in which r o w-dominance by a r o w i may be unsafe. First, i itself may be redundant in a resulting cover, where the dominated row, j, is not. Second, i may i n troduce redundancies into other products where j does not.
Algorithm rni-row-dominate-unopt, shown below, is an algorithm for redundancy non-increasing (rni) row-dominance. It requires that cols(j) cols(i) and that i itself be irredundant in the current cover C described by the implicant table. It then checks whether region i # j (i.e., i, with the minterms of i \ j removed) intersects any product p which is currently redundant i n C new . I f s o , i t returns false, on the conservative assumption that i might c o n tribute to the redundancy of p as the Algorithm rni-row-dominate-opt takes a similar but less conservative approach. Suppose i intersects some essential dhf-prime implicant e, w h e r e e is irredundant. 2 In this case, the region of intersection, i \ e, is \safe" because it is guaranteed to be covered by e in the nal cover. Therefore, i cannot introduce avoidable redundancies in the cubes which i n tersect this region. Hence, this region can be ignored. 2 In hazard-free minimization, a product may b e e s s e n tial with respect to covering of required cubes, and yet still be redundant. We h a ve implemented the new synthesis for testability algorithm by c o m bining algorithms \npni-row-dominate" and \rni-row-dominate-opt" into a single algorithm, which rst nds minimum-redundancy solutions, and of these picks those with fewest non-primes. Of the resulting solutions, it then picks one with fewest products.
Synthesis of Completely Testable Multi-Level Hazard-Free Logic
In the previous section, we presented a method which produces a hazard-free two-level logic, where we t r y t o a void redundant product terms as much as possible, while allowing non-prime product terms, whenever necessary. This two-level circuit synthesis method may produce any of the four possibilities where the circuit is redundant or irredundant and prime or non-prime. It would be easier to understand the method for obtaining a fully testable multi-level logic from this two-level logic, if we discuss the four cases separately, and try to unify the method during this discussion. Our approach w ould be to rst convert the not-fully-testable two-level logic to a testable three or four-level logic, whenever possible, or a testable two-level logic with the help of extra inputs. Then we will use multi-level testability/hazard-preserving transformations, such as algebraic factorization 31], to obtain the nal multi-level circuit. Before we proceed, we should mention some previous general results which our method takes advantage of, as follows.
An algebraic factorization method based on single and double cube divisors and their complement preserves single stuck-at fault testability 2 8 ] . This result is itself an extension of previous work in 29, 3 0 ].
Algebraic factorization or constrained algebraic resubstitution with complement preserves hazardfree robust path delay fault testability 2 0 , 2 1 ].
Algebraic factorization with 14] or without 15, 13] complement is hazard-non-increasing. In other words, if the original two-level logic is hazard-free then the multi-level logic obtained after algebraic factorization will remain hazard-free.
The rst two results above are applicable when the original circuit to which w e apply algebraic factorization is itself fully testable. The problem we face with asynchronous circuits is that these conditions are, in general, not met. However, as mentioned earlier, our aim would be to convert a twolevel circuit, which m a y not be fully testable, to another intermediate circuit which is fully testable, and then apply algebraic factorization.
Starting from Non-Prime, but Irredundant T w o-Level Logic
To motivate this case, let us consider an example rst. Example 3.1. Let us examine the sum of products expression: f = a c + ac + b c + bcd + c d (which for simplicity of exposition is assumed to be hazard-free for some given set of input transitions). In this expression, all product terms are irredundant, i.e., testable for all stuck-at 0 faults. However, the product term bcd is non-prime because literal c in it is untestable for the stuck-at 1 fault. All other literals are testable for stuck-at 1 faults. From here on, we will denote a literal which i s u n testable for a stuck-at 1 fault by superscript \+". If we are concerned about robust path delay fault testability, then we note that paths starting from literal c in product b c, from literal c in product c d, and from literal c in product bcd, are not testable for delay faults in the corresponding two-level circuit. For the rst case, the reason is that we need to make b = 1 a n d m a k e other product terms 0 without using c (since c either makes a rising or falling transition during the test, and hence does not have a xed value). This condition can be derived from the necessary and su cient conditions in 18]. The above condition is not possible to satisfy because both a c and ac cannot be simultaneously made 0 without using c. The same reason is applicable to the other two cases. Paths starting from all the other literals can be shown to be robustly testable. From here on we will denote literals which are not robustly testable with the superscript \*". A literal which is not stuck-at 1 testable is obviously not robustly testable either. Thus, a literal with a \+" superscript is implicitly assumed to have a \*" superscript too however, the reverse is not true. With the above arguments, we can rewrite the sum of products as: f = a c + ac + b c + bc + d + c d. Assuming rst that stuck-at testability i s o u r only concern, we recognize that although a stuck-at 1 fault in literal c is untestable in product bcd, it is testable in product ac. Factoring out c from these two product terms, we get the expression f = a c + c( a + bd) + b c + c d, which is completely testable for all single stuck-at faults. If robust testability is the aim, then we recognize that although literal c is robustly untestable in products b c and c d, it is robustly testable in product a c. T h us, by additional factoring we get c(a+b+ d)+c( a+bd), which is completely robustly testable. 2
Since we are using targeted algebraic factorization in the above example to achieve testability, the hazard-freedom of the original circuit is maintained. After the two-level expression is modi ed in the above fashion, further algebraic factorization based on the results mentioned earlier can be used to reduce area further while maintaining testability and its hazard-freedom. This example also shows how stuck-at and path delay faults can be treated in a similar way. The following theorem from 23] g i v es the condition under which merging of untestable and testable literals is possible for robust testability. Theorem 3.1. Consider the switching expression f = P n 1 j=1 x 1 x 2 x m P j + P n 2 j=1 R j , where P j and R j are products of literals. Suppose that (a) in each product term in P n 1 j=1 x 1 x 2 x m P j , all literals in P j are robustly testable, (b) a product term in P n 1 j=1 x 1 x 2 x m P j may not be robustly testable in a subset of literals of the set fx 1 x 2 x m g, and (c) each literal in fx 1 x 2 x m g is robustly testable in at least one product term in P n 1 j=1 x 1 x 2 x m P j . Under these conditions, literals x 1 x 2 x m are robustly testable when factored out from the rst set of product terms obtaining the following modi ed expression: f = x 1 x 2 x m ( P n 1 j=1 P j ) + P n 2 j=1 R j . A t the same time, all literals in P n 1 j=1 P j remain robustly testable, and literals in P n 2 j=1 R j retain their robust testability.
It turns out that one can obtain a very similar theorem for stuck-at faults too, as follows.
Theorem 3.2. Consider the switching expression f = P n 1 j=1 x 1 x 2 x m P j + P n 2 j=1 R j , where P j and R j are products of literals. Suppose that (a) in each product term in P n 1 j=1 x 1 x 2 x m P j , all literals in P j are testable for stuck-at faults, (b) a product term in P n 1 j=1 x 1 x 2 x m P j may not be stuck-at testable in a subset of literals of the set fx 1 x 2 x m g, and (c) each literal in fx 1 x 2 x m g is stuck-at testable in at least one product term in P n 1 j=1 x 1 x 2 x m P j . Under these conditions, literals x 1 x 2 x m are stuck-at testable when factored out from the rst set of product terms obtaining the following modi ed expression: f = x 1 x 2 x m ( P n 1 j=1 P j ) + P n 2 j=1 R j . A t the same time, all literals in P n 1 j=1 P j remain stuck-at testable, and literals in P n 2 j=1 R j retain their stuck-at testability.
Proof: The proof is very similar to the proof of Theorem 3.1 given in 23], and is hence omitted. 2
A special case of the method based on Theorem 3.1 has been used in 26, 4] for obtaining robustly testable circuits where one path which is not robustly testable can be merged with another which is. However, such a method has not been applied to obtain single stuck-at testability before, starting from an initial two-level circuit which is not completely testable. For all the asynchronous circuit benchmarks we considered, when the two-level circuit was non-prime, but irredundant, the synthesis rules based on the above theorems were successful in obtaining completely testable solutions. When a sum of products has many literals which are either not stuck-at 1 testable or not robustly testable, then we need heuristics to apply these synthesis rules e ciently to arrive at a solution. These heuristics are the same as those given in 23], and hence are not repeated here. When the two-level circuit is redundant, then the above theorems will, in general, only be partially successful. Thus, in order to achieve complete testability in the multi-level circuit, we m a y need to add extra controllable inputs, as discussed in the next section. In some rare cases, even when the original two-level circuit is non-prime, but irredundant, the above synthesis rules may still not be applicable. When this happens, there are various options:
If the synthesis rules were not successful with expression f, one can try to see their applicability to the sum of products of f 4, 23] . The circuit realization of f can be followed by a n i n verter to realize the original function. This does not a ect the hazard-freedom of the realization 13].
We can obtain another hazard-free sum of products expression if one exists, and try to apply the synthesis rules to it or its complement. In the extremely rare cases where even the above options do not work, we w ould need to add extra controllable inputs to solve the problem, as illustrated by the following example. Example 3.2. Consider the irredundant, but non-prime, sum of products f = c d + a b + a c + ac + a + bc + d. Assume that this is a hazard-free expression for some speci ed set of input transitions. There are two literals in it which are not stuck-at 1 testable and four literals (including these two) which are not robustly path delay fault testable. Let us label the product terms consecutively as p 1 p 2 p 5 .
The testability problems in this expression cannot be solved with Theorems 3.1 or 3.2. Let us rst concentrate on stuck-at testability alone. The reason the two literals in p 5 are stuck-at 1 untestable is due to the presence of p 2 , p 3 and p 4 . F or example, when we w ant to test literal a in p 5 , w e need to feed vector 0111. However, for this vector, p 2 and p 4 assume the value 1. Similarly, to test literal c in p 5 we need to feed vector 1101, which m a k es p 3 equal to 1. We denote this fact by a function P = P 5 = p 2 p 3 p 4 . In order to make p 5 testable, we need to make e a c h of these product terms 0 with an extra controllable input t 1 , which gives us the solution f = c d + t 1 a b + t 1 a c + t 1 ac + abcd, which is completely testable for all single stuck-at faults (under normal operation, t 1 = 1 ) . In order to make it fully robustly testable for path delay faults, we can now use Theorem 3.1 to obtain f = c( d+t 1 a)+t 1 a(b+c)+abcd.
Consider now the complement of the above function, and assume that it has been made hazard-free for the same set of multiple input changes, as follows: f = a b cd + ab + c d + a bcd + + a b + c d + . As before, let us label the product terms consecutively as p 1 p 4 . p 2 is not testable because of the presence of p 4 (we denote this by a corresponding function P 2 = p 4 ), p 3 because of the presence of p 4 (denoted by P 3 = p 4 ) a n d p 4 because of the presence of p 2 and p 3 (denoted by P 4 = p 2 p 3 ). To s o l v e all the untestability problems, we n e e d t o r e m o ve all these causes for untestability. T h us, we derive a composite function P as P 2 P 3 P 4 = ( p 4 )(p 4 )(p 2 p 3 ) which reduces to p 2 p 3 p 4 . Therefore, p 2 , p 3 and p 4 would need extra controllable inputs. Denote the controllable inputs for product term p i as t p i . In order to completely test p 2 we h a ve the constraint that (t p 2 6 = t p 4 ) because p 4 needs to be made 0 with the help of the controllable input when we are testing p 2 . Similarly, the constraint for completely testing p 3 is (t p 3 6 = t p 4 ), and for completely testing p 4 it is (t p 4 6 = t p 2 and t p 4 6 = t p 3 ). All the above constraints can be satis ed by t p 2 = t p 3 = t 1 and t p 4 = t 2 . T h us, the completely testable solution (for both stuck-at and delay faults) becomes f = a b cd + t 1 abc d + t 1 a bcd + t 2 a bc d. H o wever, since this requires two extra inputs, the rst solution for f, which required only one extra input, may b e c hosen. 2
The above example was deliberately made pathological in order to show h o w the approach w orks. In general, requirement of an extra input for irredundant, but non-prime, expressions is very rare. We next formalize the approach outlined in the above example into a procedure, which w e w ould apply only if none of the other options were successful in making the expression testable. This procedure is valid for both the stuck-at and robust path delay fault models. A method for determining what other product terms make a product term not robustly testable has been given in 23] and is illustrated later.
product terms which are not testable under the speci ed fault model (stuck-at or robust path delay), and label the product terms as p 1 p 2 p n .
2. For each product term p i which has an untestable literal, identify the other product terms whose presence causes the untestability. D e r i v e the corresponding function P i .
3. Derive a composite function P by taking the logical AND of all such P i functions, and simplify P into a minimal sum of products using laws from switching algebra.
4. Select the product term in P with the minimum number of literals which h a s n o t y et been processed (break any ties arbitrarily). These literals correspond to the product terms in f which will have an extra controllable input ANDed with them. Derive a set of constraints on these controllable inputs, and derive a minimal set of extra inputs which satisfy all these constraints.
5
. If the number of extra inputs required in the previous step is more than 1, then consider other products in P and repeat the previous step until either a solution is found with just one extra input or all the products in P are exhausted. For the latter case, choose the solution which required the minimum number of extra inputs.
6. Modify f by inserting the extra controllable inputs as derived above. This expression is now completely testable under the given fault model. 2
Procedure 3.1 can be applied to the hazard-free f rst and then to the hazard-free f. The one requiring fewer extra inputs can be selected. Once the two-level expression has been made testable, further algebraic factorization, as outlined at the beginning of this section, can be used to derive a testable and hazard-free multi-level circuit.
Starting from Redundant, but Prime Two-Level Logic
If the two-level expression is redundant, but prime, it means that some stuck-at 0 faults are untestable, but all stuck-at 1 faults are testable. We again motivate this case through an example rst.
Example 3.3. Consider the expression f = y z+ x # y # + x z+xy, which is assumed to be hazard-free with respect to some speci ed set of input transitions. Here the superscript \#" denotes stuck-at 0 untestability of the literal (note that stuck-at untestability automatically implies that the literal is not robustly testable either The above example illustrates that Procedure 3.1 remains valid for tackling redundant, but prime, sum of products expressions too. It is just that the P i functions have a somewhat di erent l o o k i n this case compared to the irredundant, but non-prime, case. Also, the same procedure is applicable for deriving both stuck-at and robustly testable circuits, the only di erence again being that the P i functions are di erent in the two cases.
Starting from Redundant and Non-Prime Two-Level Logic
Although Procedure 3.1 can simultaneously solve the untestability problems arising from both redundancy and non-primeness, the following approach w ould be better in reducing the number of extra inputs.
We rst add extra inputs to solve the redundancy problem only, through Procedure 3.1, and try to solve the remaining problem of either non-primeness or robust untestability using Theorem 3.1 or 3.2, as the case may b e .
Only if Theorem 3.1 or 3.2 is not fully successful in solving the residual testability problems, do we attack the problems of redundancy and non-primeness (or robust untestability) simultaneously through Procedure 3.1.
The following example will illustrate the reasons for the above approach.
Example 3.4. Consider the expression f = xy + xz + y # z # + wy z + + v z. Label the product terms consecutively as p 1 p 5 , as before. Here p 3 is redundant (meaning both its literals are untestable for a stuck-at 0 fault) and literal z in p 4 is non-prime. Also, these are the only three literals which are robustly untestable. Let us concentrate on the stuck-at testability problem rst. To s o l v e the redundancy problem only, w e d e r i v e P = P 3 = ( p 1 + p 2 ). Since these do not imply any constraints, we can solve this problem by ANDing either p 1 or p 2 with an extra controllable input t 1 . A t the same time, we realize that Theorem 3.2 can make literal z in p 4 testable by factoring this literal out from p 4 and p 5 . Therefore, a completely stuck-at testable solution is f = t 1 xy + xz + yz+ z(wy+ v). If we had tried to solve both the redundancy and non-primeness problems simultaneously, w e w ould have obtained P 4 = ( p 1 + p 2 )p 3 and P = P 3 P 4 = p 1 p 3 + p 2 p 3 . Suppose the rst product term p 1 p 3 in P is used to nd a solution, then the only constraint from P 3 would imply that t p 3 6 = t p 1 . This means that two extra inputs would be required. Similarly, using product term p 2 p 3 also would lead to two extra inputs. This is clearly an overkill for solving the stuck-at untestability problems in f. N o w let us switch our attention to robust testability. F or this case, P 3 = ( p 1 + p 2 )(p 1 + p 2 ) = ( p 1 + p 2 ) and P 4 = ( p 1 + p 2 )p 3 . I f w e s o l v e the testability problem in just the redundant term p 3 rst, and then apply Theorem 3.1 to the robustly untestable literal in p 4 , w e w ould end up with the same solution as above with just one extra input. However, if we try to solve all the robust untestability problems in f simultaneously, then P = P 3 P 4 = p 1 p 3 + p 2 p 3 , which is the same P function as obtained for the stuck-at case. Thus, in this case, again two extra inputs would be required. 2 
Starting from Irredundant and Prime Two-Level Logic
We nally come to the fourth and simplest case. For such a case, there can be no stuck-at testability problem. However, a prime and irredundant sum of products may still have robust untestabilities in it. This can be solved as before, i.e., we rst try to apply Theorem 3.1 to these untestabilities, failing which w e switch to Procedure 3.1.
Experimental Results
We h a ve applied our synthesis-for-testability algorithms to a number of examples. Table 1 gives the area and delay for a variety o f b e n c hmark circuits, using a standard cell implementation, including a second-level cache controller (cache-ctrl), controllers from Hewlett-Packard Laboratories for an experimental infrared communication chip (it-control, two-ticks-if, rf-control, mod-sd-control) and a routing chip (sbuf-read-ctl, sbuf-send-ctl, pe-send-ifc), an A-to-D converter (chu-ad-opt-e, vanbek-ad-opt), control for distributed mutual exclusion (dme-e, dme-fast-e), and other benchmarks (bad-merge). The \base" case refers to optimized multi-level hazard-free circuits, where testability is not a concern. Under \stuck-at testable" we g i v e the area and delay of a hazard-free and completely stuck-at testable optimized multi-level circuit, and the number of extra inputs (EI) required. Under \robustly testable" we give the area and delay of a hazard-free and completely robustly path delay fault testable optimized multi-level circuit, and the number of extra inputs required. The results were obtained after technology mapping in the SIS 31] logic synthesis system with the stdcell2 2.genlib CMOS cell library. The area is a relative gure obtained from the layout of the standard cells. The delay represents the critical path delay through the circuit, and is measured in nanoseconds. As indicated in the table, extra inputs were not required in any case. This is because we w ere able to obtain irredundant, but possibly non-prime, two-level logic as the starting point for each of these multi-level circuits. Also, the area overhead for testability is either zero or very small. Zero overhead is obtained when the general algebraic factorization used for the base case coincides with the targeted algebraic factorization used for the testable cases.
Conclusions
In this paper, we presented an e cient and complete method for synthesizing hazard-free implementations of asynchronous circuits which are also completely testable under the stuck-at and robust path delay fault models. Although, theoretically, to make the method complete, we m a y n e e d t o i n troduce extra control inputs in some rare cases, for none of the practical circuits that we encountered did we need an extra input. The area and delay o verheads for obtaining the testable solutions were also shown to be minimal. 
