The Design of Fail-Safe Logic by Becker, Harvey




The Design of Fail-Safe Logic
Harvey Becker
Recommended Citation
Becker, Harvey, "The Design of Fail-Safe Logic" (1977). Thesis. Rochester Institute of Technology. Accessed from
THE DESIGN OF FAIL-SAFE LOGIC
by
HARVEY W. BECKER

Requirements for the Degree of
MASTER OF SCIENCE
in
ELECTRICAL ENGINEERING

Approved by:
Professor Name Illegible (Thesis Advisor)
Professor George A. Brown
Professor George Thompson
Professor Name Illegible (Department Head)

DEPARTMENT OF ELECTRICAL ENGINEERING
COLLEGE OF ENGINEERING
ROCHESTER INSTITUTE OF TECHNOLOGY
ROCHESTER, NEW YORK
JUNE, 1977
ABSTRACT
This paper examines the behavior of digital logic families, specifically identifying the properties and characteristics of digital fail-safe logic. Fail-safe digital design is examined utilizing classical logic and semiconductor theory. The effects of failures internal to the structure of digital integrated circuits are analyzed and a discussion of pertinent logic design is presented. The techniques to detect all types of multiple failure modes are examined. With these results, a method of design for fail-safe logic is presented and analyzed.
TABLE OF CONTENTS
LIST OF FIGURES v
LIST OF CURVES vii




I. INTERNAL COMPONENT FAILURES OF INTEGRATED CIRCUITS 6
II. DISCUSSION OF THRESHOLD LEVELS 21
III. TYPES OF LOGIC FAULTS 30
IV. PROPERTIES OF FAIL-SAFE LOGIC 40
V. BASIC PROPERTIES AND LIMITATIONS OF THE CMOS LOGIC GATE 42
VI. DISCUSSION OF FAIL-SAFE DESIGN TECHNIQUES 51
VII. ANALYSIS OF THE THREE TERMINAL GATE 66
VIII. THE FAIL-SAFE LOGIC GATE 80
IX. RESULTS 104
X. CONCLUSIONS 107
REFERENCES 109
APPENDIX A. EVALUATING THE EFFECTS OF FAILURE MODES 111
APPENDIX B. ANALYSIS OF A RTL CIRCUIT 120
APPENDIX C. ANALYSIS OF A TTL NAND GATE 121
APPENDIX D. ANALYSIS OF A ECL GATE 125
TABLE OF CONTENTS (cont'd.)
APPENDIX E. ANALYSIS OF A RTL GATE USING THE NEWTON-RAPHSON METHOD
APPENDIX F. ANALYSIS OF A TTL SCHMITT TRIGGER GATE
APPENDIX G. LOGIC FAULT DETECTION
APPENDIX H. LOGIC HAZARDS












LIST OF FIGURES
1. NOR transistor circuit and truth table with internal component failures 9
2. RTL logic gate with equivalent circuit 10
3. DTL NAND/NOR gate 11
4. Schematic of a TTL NAND gate 14
5. Schematic of a ECL gate 19
6. Schematic of a RTL gate 23
7. The AND gate with open-circuit input lines 34
8. The NAND gate illustrating output stuck-at-faults
9. Logic network illustrating fault masking 34
10. Example of a multi-valued fault line in a DTL logic network 37
11. Illustration of indistinguishable faults 37
12. Internal structure of the CMOS inverter 43
13. Structure and truth table of a two-input CMOS NAND gate 43
14. Typical N- and P-channel MOS impedance 45
15. Minimum and maximum voltage transfer characteristics for the four-input NAND gate 47
16. Minimum and maximum voltage transfer characteristics for the two-input NAND gate 48
17. Minimum and maximum voltage transfer characteristics of a typical two-input NAND gate for supply voltages of 5VDC and 15VDC 50
LIST OF FIGURES (cont'd.)
Page
18. Comparison of a two-input CMOS NAND gate and the three terminal logic gate 52
19. The structure and truth table of a three terminal gate 53
20. Minimum and maximum voltage transfer characteristics of a typical three terminal gate with plots for a secondary input, V2, of 5VDC and 15VDC 55
21. Secondary input signal of the three terminal gate 58
22. Input and output waveforms of the three terminal gate 60
23. Graph of maximum and minimum threshold levels of the three terminal gate 78
24. The fail-safe logic gate 81
25. Voltage transfer characteristics of a typical fail-safe gate 86
26. Input/output waveforms of the fail-safe gate 87





LIST OF CURVES
1. Plot of the RTL gate's output voltage as a function of the change in load resistance 12
2. Plot of the RTL gate's output voltage as a function of the change in input resistance 13
3. Input/output transfer characteristics of a RTL gate 24
4. Input/output transfer characteristics of a RTL gate with a failure in the base resistor 25
5. Input/output transfer characteristics of a





LIST OF TABLES
1. Types of component failure modes 7
2. Sensitivity of component variations for the DTL gate in Figure 3 16
3. Truth table of normal and faulty output functions of network in Figure 9 36
4. Truth table of the three terminal gate shown in Figure 19 61
5. Illustration of internal faults of the three terminal gate of Figure 19 64
6. Internal failure modes of the three terminal gate 67
7. Terminal failure modes of the three terminal gate 75
8. Identification of the input/output terminals of the fail-safe gate in Figure 24 83
9. Truth table of the fail-safe gate 84
10. Internal failure modes of the fail-safe gate 91
11. Terminal failure modes of the fail-safe gate 98
12. Examples of detectable failure modes of the fail-safe gate 101
13. Internal failure modes of the element #3 102
INTRODUCTION
The intent of writing a paper on fail-safe logic design is to identify and resolve the problems associated with digital circuits as they pertain to fail-safe designs. Existing fail-safe devices and systems have been found to be designed for only a single application and not adaptable for any other use, unable to resolve all potential failure modes, or hybrid in nature. The need to establish a method or approach for fail-safe logic that resolves all failure modes of logic gates and is usable in various engineering applications is pertinent to many present-day electronic systems.
HISTORICAL OVERVIEW
When, where or who invented the first fail-safe device or system is not known. It is known that where the demand for safety and safer devices or systems has prevailed, fail-safe devices have come into being. With the advent of the Industrial Revolution, systems rapidly became more complex, which resulted in increasing numbers of accidents, injuries, and damage. Failure to keep pace with the increasing technological growth became increasingly evident as the occurrence of major disasters increased over the years. Efforts finally led to adopting legislation for Mine, Industrial, Railroad, Marine, and Traffic safety.
After the turn of the century, Congress passed the Railroad Safety Appliance Act forcing the railroads to install basic safety devices; many involved fail-safe design. The railroads, who initially opposed such legislation, became ardent supporters of safety measures. These early fail-safe devices were mechanical in nature, but by the mid 1920's electro-mechanical systems designed around unique relays replaced the earlier mechanical devices and quickly proved themselves. This laid the foundation for fail-safe systems that exist today.
With the advent of the semiconductor, electronic fail-safe systems came into use and have continued to develop and grow. However, the fact that electro-mechanical fail-safe devices are very much in use today, in the age of the integrated circuit, is evidence of the reluctance to convert to, or rely on, the electronic device for many fail-safe requirements. Today we have a level of fail-safe design that is basically applications-oriented. In the future, concepts that encompass but extend beyond the particular application, involving general fail-safe design techniques, may be required in order to make adequate use of the integrated circuit.
SCOPE
The scope of the paper will be fail-safe logic. The intent is to establish design techniques for the CMOS logic family that will enable it to function in a fail-safe mode of operation, by identifying the internal and external (logical) failure modes of digital integrated circuits and using the CMOS gate to resolve these fault conditions by implementing the techniques of complementation and dynamic self-checking. It is intended that the use of these methods, at the individual gate level of operation, will produce a fail-safe logic gate.
The first three chapters discuss the types of circuit failures common to all families of digital integrated circuits. Chapter I identifies and analyzes the effects of internal component failures on the operation of digital integrated circuits. The effects of threshold variation on the operation of logic are discussed in Chapter II, and common logic faults that affect normal logic operation are identified and explained in Chapter III. The paper then focuses on the general requirements of fail-safe logic in Chapter IV and relates them to the basic properties and limitations of the CMOS logic gate in Chapter V, followed by the techniques that will be implemented by the CMOS logic to produce a fail-safe gate in Chapter VI. Chapter VII will then implement these methods and analyze their results on the CMOS NAND gate. A discussion as to the operation of the fail-safe gate is presented and analyzed in Chapter VIII. The results of the paper are discussed in Chapter IX and conclusions are then brought forth which indicate the degree of success obtained.
THE CONCEPT OF FAIL-SAFE
The concept of fail-safe has precluded any standardization of a definition. This is due to the fact that the concept is inherently involved with the problems of safety and of the risks of using such devices or systems. There has not been any major agreement on what a fail-safe design should specifically accomplish. There appears to be some acceptance given to the definition that fail-safe is a characteristic of a device or system which ensures that any malfunction affecting safety is of sufficiently low probability that the risk is acceptable. This definition relates failures to safety levels in so far as all failure rates should not exceed some specified limit. It implies that failures that do occur must not degrade safety and that no such limit as an absolute fail-safe level exists.
The intent of a fail-safe design is to produce minimal damage and injury in the event of a malfunction of the device or system. Hence, a fail-safe design is one which maximizes the inherent possibility that if the device or system fails, it will fail in the least unsafe condition and preferably in an entirely safe condition. This paper will interpret this definition as implying the following:
1. A circuit designed for fail-safe operation has the property that once a fault (or faults) has caused the system to malfunction, it must automatically enter a "safe" state from which the system should never leave.
2. The circuit must be capable of acting on single and multiple failures regardless of the sequence of occurrence.
3. The circuit must be capable of detecting internal device failures as well as logical failures.
CHAPTER I
INTERNAL COMPONENT FAILURES OF INTEGRATED CIRCUITS
Internal component failures are crucial in the design of a fail-safe circuit. The fact that an internal failure may cause the output of a device to produce an erroneous signal is compounded by the parameter variations due to temperature, supply voltage, fanout, and noise. If an internal failure produces an undetectable change at the output of the device, then a failure elsewhere could render the circuit unsafe. The purpose of this chapter is to identify potential internal component failure modes and analyze these integrated circuit failures to determine their effect on the gate's operation. By considering different logic structures, the effects of circuit complexity and component selection on circuit performance can be examined.
Table 1 lists the four common integrated circuit components used in digital gates and shows their potential failure modes. The causes of component failures can range from processing and manufacturing techniques to misuse in the application of the device. Regardless of the causes of these failures, it is the effect on the operation of the digital circuit that is of significance. As an example of internal component failures, the NOR transistor circuit in Figure 1 illustrates the defective output functions Z1 and Z2 caused by the open-circuit failures of R1 and R2 respectively.
TABLE 1
TYPES OF COMPONENT FAILURE MODES
The significance of component failures is their impact on the input and output characteristics of the digital circuit. Sample calculations showing the effect of component changes on the output of a basic transistor circuit, as evaluated in terms of the stability and sensitivity of the device, are given in Appendix A.
Analysis of the Resistor Transistor Logic (RTL) gate in Figure 2 will be used to illustrate the effects of internal component changes on the operation of this circuit. The RTL gate in the left portion of the circuit has its output level high; i.e., the inputs are all assumed low (ground potential). The equivalent circuit loading for the left portion (Q1 and Q2) is illustrated in Figure 2b. The analysis for determining the sensitivity to component tolerances is given in Appendix B, with reference to Appendix A for the procedure. The obtained results of output sensitivity to component tolerances for RL and RB are as follows:
FIGURE 1
NOR Transistor Circuit & Truth Table
(a) RTL Logic Gate with Loading.
(b) Equivalent Circuit of (a).
FIGURE 2
It can be seen from Eq. 2 that for the nominal values in Figure 2 a change in the value of RL will result in a corresponding change in Vo as plotted in Curve 1. Also, a plot of the change in Vo as a function of the value of RB, using the nominal values in Figure 2, is shown in Curve 2. From these plots it can be seen that a change in the value of either RL or RB will have a significant effect on the output of the logic gate. Simulating failures by determining the sensitivity to component changes for a fan-out of three illustrates the ability to detect multiple failures at the output of the gate. However, as shown in Curves 1 and 2, these simple internal failures degrade the information being processed by the gate.
Whereas the discussion on an RTL gate showed the effects of passive component failures on the gate's output, the analysis for the DTL gate in Figure 3 will illustrate the effect of internal component failures on the current gain of the output transistor of the gate. An important property of this type [1] of DTL gate is the current gain (AI), which is defined as the ratio I^/I^. In terms of the circuit




































CURVE 1
Plot of the Output Voltage as a Function of the Resistance of RL (x-axis: resistance of RL in hundreds of ohms, 0 to 26)
CURVE 2
Plot of the Output Voltage as a Function of the Resistance of RB (x-axis: resistance of RB in hundreds of ohms, 0 to 13)
The obtained results of gain sensitivity to component tolerances are as follows:
Various changes in the component tolerances of Figure 3 have been tabulated in Table 2 as a function of the sensitivity of AI. These results illustrate the effect of failure modes on the output transistor of the gate. The effects produced may cause the output to malfunction in a manner that will prevent the fan-out gates from being properly activated. Thus, a failure within the DTL gate can be detected at the output, but the particular component causing the failure may not always be identified. However, multiple internal failures cannot always be distinguished from single failure modes, and as shown for the RTL gate, these types of internal
TABLE 2
SENSITIVITY OF COMPONENT VARIATIONS FOR THE DTL GATE IN FIGURE 3
(component variations of 20%, 40%, 60%, and 80%)
Analysis of the Transistor-Transistor Logic (TTL) gate in Figure 4 will be used to illustrate the effects of internal component changes on the operation of this type of gate. The analysis for determining the sensitivity to component changes is given in Appendix C with reference to Appendix A for the procedure. The obtained results of sensitivity to component variations are as follows:
= 1 (12) S = 1 (13)
RT
From the derived equations of sensitivity for the circuit it can be seen that a change in the value of R2 will have a significant effect on the gain of Q2 and little effect on the gain of Q1 when switched to the opposite state. Also, a parameter change in Q1 (Eq. 12) will affect the gate's performance in only one binary state. The TTL gate exhibits the same types of faulty output modes as were discussed for the RTL and DTL gates. However, the complexity of the structure masks the identity of most failures from being determined and allows many failures to be detectable in only one of the binary states of the gate.
Analysis of the Emitter Coupled Logic (ECL) gate in Figure 5 will illustrate the effects of internal component changes on the operation of this type of gate. The analysis for determining the sensitivity to component changes is given in Appendix D. The obtained results of sensitivity to component variations are as follows:
V0R nVORO UK O
O^ = 2 (14) O,
-T,
-
- ( ) = -1 (15)
^ = +2 (16) ^ = -1 (17)
From the derived equations (Eq. 14 to 16) of sensitivity for the circuit in Figure 5 it can be seen that a change in the value of R2, R, , or 1. will have a significant effect on the nominal output levels of the ECL gate. As with the TTL gate, the complexity of the structure masks the identity of most failures from being
put terminals of the gate. Also, an unspecified change in the transistor's beta, R2, R, , or R. will produce failures that are usually detectable in only one of the binary states of the ECL gate (as observed at the output terminal).
This discussion has dealt with the effects of parameter variations at the output of typical logic gates. Based on the previous analysis we have shown that the normal operation of all digital logic families can be affected by internal component failures. The more complicated structures not only increase the possibility of single and multiple failures occurring but may prevent their detection at the input or output terminals of the gate. Based on the supposition that detection of all internal failures is a necessary (but not sufficient) condition for fail-safe logic operation, we can conclude from this analysis that: (1) all internal component failures must be detectable at the output of the logic gate, (2) all multiple failures within the gate's structure must be detectable, (3) detection of all types of failure modes (open-circuits, short-circuits, leakage, etc.) must be provided for, and (4) the detection of internal failures must be accomplished in a manner that does not
CHAPTER II
DISCUSSION OF THRESHOLD LEVELS
Whereas the previous chapter dealt with the general problem of internal component failure modes of integrated circuits, this chapter will focus on one such type of failure: the instability of internal threshold levels. The purpose of separately identifying and analyzing this failure mode is that fail-safe design techniques will individually address themselves to resolving this failure mode independent of other types of failures. Therefore, it is the intent of this chapter to analyze the threshold level of various types of logic gates to determine their effect on the gate's operation. The threshold level is a function of the internal structure, and the gate's ability to maintain its threshold level is essential for proper operation. A change in this level must be considered a failure mode of the gate if it causes the gate to produce a faulty output independent of other internal failures.
An example of the change in base-to-emitter junction voltage, VBE, as a function of temperature is given in Appendix E. The obtained results show that VBE is about 0.6 volts at room temperature and, as the temperature increases, VBE decreases at the rate of 2.5 millivolts per degree centigrade. The significance of this change in VBE as it affects the threshold voltage level of an RTL gate (Figure 6) is shown plotted in Curves 3, 4, and 5. The analysis of the RTL gate, using the Newton-Raphson Method, is given in Appendix E. Curve 3 illustrates the change in threshold level that can be expected from the RTL gate as the temperature varies from 200 K to 400 K. The effect of this change in threshold level is significant because the input varies by the amount ΔV. Curve 4 is a plot of the same input/output transfer characteristics shown in Curve 3 with the additional constraint that RB has exhibited a change in value consisting of a -100% decrease from its nominal value of 450 ohms. This plot illustrates the effect of an internal component failure on the threshold level of the gate. Curve 5 is a similar plot with the constraints that RB is reduced in value by -100% and RL is increased from its nominal value of 640 ohms by +100%. This plot illustrates the effect of multiple component failures on the gate's threshold level.
Using the analysis for the ECL gate, given in Appendix D, the sensitivity of threshold voltage (VBB) with respect to internal gate components is as follows:
oVBB V<W R5 (18>
R5 R5
From these results we can see that some component failures will have a significant effect on the threshold level of the ECL gate. In comparison to the RTL gate, the complexity of its structure is an added disadvantage, as is the smaller output voltage swing. Thus, the greater voltage swing required between logical 1 and logical 0 levels will allow for greater variations in component changes before affecting the threshold of the gate.
A similar analysis has been calculated for a TTL type integrated Schmitt trigger circuit in Appendix F. From these results, we can determine the sensitivity of its
As expected, the resistor R is critical for proper threshold detection. A failure in R will cause improper detection of the input signal level being applied to the gate.
In addition to the conclusions brought forth in the previous chapter, several additional conclusions can be reached from this analysis. It is apparent that the threshold level is a critical parameter for fail-safe logic, and such designs must either provide the means to maintain this level or the ability to detect an out-of-tolerance condition at the output of the gate. The analysis has shown the difficulty in maintaining the threshold level because of its dependency on the components and parameters in the structure of the logic gate. Therefore, all fail-safe logic must have the property of providing threshold detection for gates.
CHAPTER III
TYPES OF LOGIC FAULTS
The preceding chapters have dealt with the failures internal to the structure of integrated circuits. All other types of potential failure modes shall be investigated herein; i.e., all potential failures that occur external to the structure of the logic gate shall be considered as logic faults. The purpose of this chapter is to identify and analyze various logic faults so as to define the remaining types of faults fail-safe logic must resolve. A discussion of common methods used for logic fault detection is given in Appendix G, along with a discussion of hazard faults in Appendix H.
The logic faults to be considered are assumed to be permanent or solid, i.e., once a permanent fault occurs it will not disappear or change its nature. Also, intermittent faults or transient faults are considered in regards to a predefined time interval [2]. These general categories of faults can be further identified as follows:
A. PERMANENT LOGIC FAILURES
1. An output is stuck at a logic 1 or 0 (possibly due to shorted or open-circuited transistors).
2. A logic gate does not respond to one or more inputs (possibly due to a failed diode).
3. An output is slow to change after the input changes (possibly due to deteriorating rise or fall time).
4. An output which fans out is logic 1 at some inputs and logic 0 at others.
5. Multiple failures.
6. Failure of a complete chip (possibly due to a power connection break or physical damage to the chip).
7. The shorting of two or more circuits on a single chip (possibly due to failure of a crossover).
B. INTERMITTENT LOGIC FAILURES
1. Electromagnetic coupling of noise into a logic gate.
2. Loose wires or particles in the integrated circuit.
3. Unusual conditions on the primary power input.
4. Temporary overheating of part of the circuit.
5. Random drift in the delay characteristics of a circuit which is used in logic with critical timing.
Fail-safe logic should be capable of detecting bridging faults. A bridging fault occurs when two leads in a logic network are connected accidentally and wired logic is performed at the connection [3]. This type of fault can occur in the following configurations:
1. Inside the integrated circuit package, where a crossover connection is a result of defective masking, etching of conductors, breakdown of insulators, etc.
2. Integrated circuit packaging provides bridging faults due to the soldering between the tiny solder pads on the chip and the pins of the package. Two adjacent wires may come into contact when one shakes loose from stress, or excessive solder may establish a so-called "solder bridge" between pads.
3. At the circuit board level shorts may be caused by defective printed circuit traces, feedthroughs, loose or excess bare wires, or solder bridges.
The majority of bridging connections happen at the logic gate level where only the input and output leads of logic gates are involved.
Most failures in digital networks belong to the class of "Stuck-At" faults. They are faults which cause a logic gate's input line or output line to become stuck at logic value 1 (S-@-1) or logic value 0 (S-@-0). The faulty lines do not actually assume the corresponding signal values, but the circuit behaves as though the particular logic gate's input or output line assumes that "Stuck-At" value. In considering a two-input AND gate, there are four possible binary input patterns: 00, 01, 10, and 11. Some input failures will not cause the output to change, i.e., they are masked. For example, if 00 is applied to the inputs of an AND gate, the output will be affected only when both inputs are S-@-1, and all other possible stuck failures will be masked. If we apply the input pattern 11 to an AND gate, then either or both ones being S-@-1 will cause a change in the output. Therefore, the most sensitive input pattern for a multiple input AND gate is 111....1. The most sensitive input pattern for OR and NOR gates is all zero inputs. For Exclusive-OR gates all the possible input patterns have equal sensitivity to stuck-at faults.
Although an input or output of some gate may assume a fixed logical value independent of the inputs applied to the gate, it should be noted that faulty wires do not actually assume the corresponding signal values, but the logic network behaves as if the particular gate input or output assumes that fixed value. For example, in Figure 7, if the wire "a" becomes stuck at the signal value corresponding to logical 1, the wire "b" which is directly connected to it will also become logical 1. However, if the input lead "a" to the AND gate becomes open-circuited, the output X becomes independent of the input value B but the output Y of the second AND gate is still BC.
As an example of output logical faults that cannot be represented by S-@-0 or S-@-1, consider the network of Figure 8. Assuming that diode-transistor logic (DTL) is used, if the outputs of two independent NAND gates are connected together by a bridging fault, both outputs become equal to the AND of the NAND gate outputs as shown in Figure 8b. Consequently, a single fault can cause two independent gates to change their logical function. In some circuits the presence of certain physical faults does not alter any of the functions realized by the logic network. This implies that such faults cannot be detected by applying inputs to the network and observing the outputs. Consider the network
























FIGURE 8
(a) NAND Gates Illustrating Output Stuck-at-Faults
FIGURE 9
Network Illustrating Fault Masking.
of the output functions of the normal and faulty network are shown in Table 3. We observe in Table 3 that only when the input variables are at the following logic states will an error be produced at the output:
ABCD = [0000], [0010], [0100].
The problem of multi-valued lines exists when the logic value at all points along a line is not the same, although the line may be connected to the inputs of different gates. In Figure 10, it is assumed that the logic values of lines "a", "b", and "c" are identical. If we take the structure of the logic gates into consideration, we observe that the assumption of single-valued lines is not valid. For example, an open-circuit at an input of gate 2 or at gate 3 (assuming a failure such as the input diode of the gates) does not affect the logic value of other terminals because the open-circuit point is floating. However, if the output of gate 1 is S-@-1 it will always force the corresponding inputs of gate 2 and gate 3 to be logical 1. It is possible that a fault at one input terminal will result in all other terminals connected to the faulty terminal being stuck. For example, in Figure 10, a short circuit between the base and emitter of the transistor (DTL logic gates) will cause both lines "a" and "b" to be S-@-0. Therefore, the actual situation may depend on the internal gate's structure.
TABLE 3
TRUTH TABLE OF NORMAL (Z) AND FAULTY (Za) OUTPUT FUNCTIONS OF NETWORK IN FIGURE 9
A B C D   Z  Za
0 0 0 0   0  1
0 0 0 1   0  0
0 0 1 0   0  1
0 0 1 1   0  0
0 1 0 0   0  1
0 1 0 1   0  0
0 1 1 0   0  0
0 1 1 1   0  0
1 0 0 0   1  1
1 0 0 1   0  0
1 0 1 0   1  1
1 0 1 1   0  0
1 1 0 0   1  1
1 1 0 1   0  0
1 1 1 0   0  0
FIGURE 10
Example of a Multi-valued Fault Line
FIGURE 11
Illustration of Indistinguishable Faults.
Two failures, i, j, are said to be indistinguishable if for all possible input and control input combinations the output of the gate with failure i is the same as the output of the gate with failure j. Certain types of indistinguishable failures can easily be identified. For





terminals and line"c" as the output terminal, the conditions
that line "a" is S-@-1 and line "c" is S-@-1 are indistin
guishable (if line "a" has a fan-out equal to one) because
for either of the failures the output of the OR gate is
always equal to 1
,
and line "b" S-@-1 is also indistinguish
able from line "a" or line "c" S-@-1 for the same reason.
Similarly, the indistinguishable failures for the other
types of gates are as follows:
AND GATE; Any input S-@-0 and output S-@-0.
NOR GATE; Any input S-@-1 and output S-@-0.
NAND GATE; Any input S-@-0 and output S-@-1.
For networks with many cascaded gates the indistinguishable faults may propagate through several levels of gates. For

cause line "c" to be S-@-0, line "c" S-@-0 will cause line "e" to be S-@-1, and line "e" S-@-1 will cause line "G" to be S-@-1. Therefore, lines "a", "b", "c", and "d" S-@-0 and lines "e", "f", "G" S-@-1 are all indistinguishable.
Therefore, we observe that common logic faults are not always easy to detect. The difficulty in detecting stuck-at faults on a network level can be correlated to the severity of determining internal failures of logic gates, i.e., the more complex the network, the more difficult is the task of determining the presence of the logic fault. The procedure we will utilize in fail-safe logic will be based on the detection of faults at all levels of the logic network, thus eliminating many difficulties presently encountered in identifying and detecting logic faults.
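The indistinguishability relation defined in this chapter can be checked mechanically by exhaustive simulation. The following Python example is added here and is not from the thesis; its three-gate network (an OR gate feeding a NOR gate feeding a NAND gate, lines named after the chapter's lettering) is a constructed one. It groups every single stuck-at fault by the output it produces over all input combinations, so faults in the same group are indistinguishable, and a group whose signature matched the fault-free output would be undetectable at the network output.

```python
from itertools import product

# Constructed three-gate network (topology is this example's assumption): an OR
# gate c = a + b feeds a NOR gate e = NOT(c + d), which feeds a NAND gate
# g = NOT(e * f). Each entry maps an output line to (gate type, input lines),
# listed in evaluation order (every input line is defined before it is used).
NETLIST = {
    "c": ("OR", ("a", "b")),
    "e": ("NOR", ("c", "d")),
    "g": ("NAND", ("e", "f")),
}
PRIMARY_INPUTS = ("a", "b", "d", "f")
OUTPUT = "g"

GATES = {
    "AND": lambda ins: int(all(ins)),
    "OR": lambda ins: int(any(ins)),
    "NAND": lambda ins: int(not all(ins)),
    "NOR": lambda ins: int(not any(ins)),
}


def evaluate(netlist, inputs, fault=None):
    """Output of the network for one input vector.

    fault is None (fault-free) or (line, value): that line is stuck at value
    regardless of what drives it (single-line stuck-at model, S-@-0 / S-@-1).
    """
    values = dict(inputs)
    stuck_line, stuck_value = fault if fault else (None, None)
    for line in list(values):
        if line == stuck_line:
            values[line] = stuck_value
    for out, (kind, ins) in netlist.items():
        values[out] = GATES[kind]([values[i] for i in ins])
        if out == stuck_line:
            values[out] = stuck_value
    return values[OUTPUT]


def signature(netlist, fault=None):
    """Network output for every primary-input combination, in counting order."""
    return tuple(
        evaluate(netlist, dict(zip(PRIMARY_INPUTS, bits)), fault)
        for bits in product((0, 1), repeat=len(PRIMARY_INPUTS))
    )


def all_stuck_faults(netlist):
    """Every single stuck-at fault on a primary input or gate output line."""
    return [(line, v) for line in (*PRIMARY_INPUTS, *netlist) for v in (0, 1)]


def indistinguishable_classes(netlist):
    """Group the faults by output signature: two faults are indistinguishable
    (the chapter's definition) exactly when they fall in the same group.
    Returns (groups, normal_signature); a fault whose signature equalled
    normal_signature would be undetectable at the output."""
    groups = {}
    for fault in all_stuck_faults(netlist):
        groups.setdefault(signature(netlist, fault), []).append(fault)
    return groups, signature(netlist)


def equivalents(netlist, fault):
    """All faults indistinguishable from `fault`, including itself."""
    groups, _ = indistinguishable_classes(netlist)
    return sorted(groups[signature(netlist, fault)])


if __name__ == "__main__":
    groups, normal = indistinguishable_classes(NETLIST)
    for sig, faults in groups.items():
        tag = "UNDETECTABLE" if sig == normal else ""
        print(", ".join(f"{line} S-@-{v}" for line, v in faults), tag)
```

For this network the OR gate's input and output S-@-1 faults, the NOR gate's other input S-@-1, and the faults that force the NAND output to 1 all collapse into one class, which is the propagation through several levels that the chapter describes.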
CHAPTER IV.
PROPERTIES OF FAIL-SAFE LOGIC
The previous discussions and analysis have shown the multiple limitations of logic families. It is these modes of internal and logic faults that we will attempt to resolve by establishing: (1) the general properties of fail-safe logic, (2) the advantages and limitations of CMOS logic, (3) pertinent fail-safe design techniques and (4) the analysis for a fail-safe logic gate. It is the intent of this chapter to identify the necessary conditions and characteristics of fail-safe logic circuits. Based upon the previous analysis, the necessary conditions for fail-safe logic are: (1) the ability of all gate threshold levels to either remain stable for all fault conditions or be detectable at the output of the gate or network, (2) the ability of all logic gates to remain insensitive to internal component failure modes or be able to detect and respond to all such faults, and (3) the ability of the logic network to detect all single or multiple fault combinations occurring between the terminals of any and all logic gates in the network.
In providing these conditions it is suggested that fail-safe logic have the following properties: (1) the ability to inhibit operation of the circuit's function as soon as possible after a fault is detected, (2) the ability to detect all logic faults at the gate level of operation, (3) the ability to detect failures so that all information being processed by the gate or network cannot be changed or degraded, (4) the ability to prevent masking of logic faults, (5) the ability to prevent faults from propagating through the network and (6) the ability to provide detection for "out of tolerance" circuit or internal component changes.
Unrestricted faults may cause any number of possible erroneous failures in a circuit and the ability to check for all possible conditions will require some type of detection circuitry. It is known that if a circuit is duplicated and both circuits are operating independently and in parallel with similar but isolated inputs, then by dynamically comparing the outputs of both circuits any error or fault which does not appear simultaneously in both will be immediately detected. The problem lies in multiple faults common to both circuits that can occur through common grounds, power lines, simultaneous masking of multiple but different faults, or in the system's ability to evaluate the dynamic outputs. Modification of this basic concept,




CHAPTER V.
BASIC PROPERTIES AND LIMITATIONS OF THE CMOS LOGIC GATE
The Complementary Metal Oxide Semiconductor, CMOS, is presented herein as a logic family suitable for fail-safe design. The basic CMOS inverter is analyzed in Appendix I, and the simplicity of its internal structure, as shown in Figure 12, is apparent when compared to the other logic families previously discussed. The intent of this chapter is to identify those characteristics of the CMOS gate which make it usable in fail-safe logic and to point out several of its limitations that will affect its usefulness.
The selection of the CMOS gate is based upon the following characteristics: (1) the complementary nature of its circuit, (2) the symmetry associated with its voltage transfer characteristics, (3) its ability to function as a three-terminal device (discussed in a later chapter), and (4) the simplicity of its internal structure.
The CMOS NAND gate, as shown in Figure 13, will be utilized as the basic building block of fail-safe logic. The input gates of transistors Q1 and Q4 are tied together to form input 1 of the basic inverter. The input gates of

[Figure: Structure & Truth Table (0 = GND, 1 = +10v); remainder of caption illegible in the scan]
a series resistance which is extremely high or low depending upon its input signal in the inverter formed by Q1 and Q4. Likewise transistor Q4 acts as a series resistance in the other inverter configuration. The output of the circuit is at ground (V_SS) potential only when both transistors, Q3 and Q4, are in saturation. This occurs when both inputs 1 and 2 are at V_DD. Since the output is equally isolated from both V_DD and V_SS the gate can operate with negative as well as positive supplies. The only requirement is that V_DD be more positive than V_SS.
Since the gate's MOS transistors are mainly voltage controlled resistors, the transfer region is determined by the parallel/series combination of the transistor impedances in conjunction with the input voltages, the number of inputs, and the gate circuit configuration. The transfer region of






As shown in Figure 14, the values of the standard transistor ON resistance may vary from 10 megohms to 30 ohms depending on the physical dimensions of the MOS transistor and the value of the applied voltages. For the NAND gate the transfer region is given by the ratio of the

[FIGURE 14: Typical N and P Channel Impedance [6]]
transistors connected in series and the p-channel transistors connected in parallel. Using these conditions for the CMOS NAND gate, the bounds of the transfer voltage

[Equations (31) and (32), the bounds of the transfer voltage: not recoverable from the scan. Symbol definitions given with them: total number of inputs per gate; number of used inputs per gate.]
A plot of eq. 31 and 32, for all input combinations of a four input NAND gate, is shown in Figure 15. The significance of this plot is to place a restriction on the NAND gate as to the number of gate interconnections allowed because of the large variation in transfer voltage that can occur. When considering the two input NAND gate, we will utilize both gate inputs. This restriction will impact the size of any given fail-safe logic network but will provide better transfer voltage control of the gate as illustrated in Figure 16. From these plots we observe that

[FIGURE 15: not recoverable from the scan]

[FIGURE 16: Maximum & Minimum Voltage Transfer Characteristics for the Two Input NAND Gate]
of various gate parameters. This wide voltage transfer spread must be considered in checking or detecting variations in the gates' threshold levels. A plot of the minimum and maximum voltage transfer characteristics for the two-input NAND gate, as a function of the V_DD supply voltage, is shown in Figure 17. This plot will be utilized later on in conjunction with the operation of a fail-safe gate.
CHAPTER VI.
DISCUSSION OF FAIL-SAFE DESIGN TECHNIQUES
The purpose of this chapter is to identify and discuss how various techniques can be implemented to overcome the shortcomings of integrated circuit failure modes and logic faults. Although the methods are presented individually, it is intended that they be combined (discussed in a later chapter) to be effective in the use of fail-safe logic.
THREE TERMINAL LOGIC GATE
We shall redefine the CMOS logic gate as a device which can function as a three terminal logic gate.  Figure 18b shows the CMOS gate of Figure 18a with its terminals redefined. The difference is that the reference terminal must always be at a potential less than the secondary input terminal (not necessarily ground) and that the secondary terminal will not be held constant but will change periodically within given operating tolerances. Figure 19 shows the structure of the three terminal gate and its truth table modified to define the normal operating states of all internal semiconductors. By allowing the secondary

[FIGURE 18: Comparison of (a) Two Input CMOS NAND ... (remainder of caption illegible in the scan)]

The Structure & Truth Table of a Three Terminal Gate.
FIGURE 19
PRIMARY INPUTS | OUTPUT | INTERNAL STATES
A B            | Vo     | Q1  Q2  Q3  Q4
1 1            | 0      | OFF OFF ON  ON
0 1            | 1      | ON  OFF ON  OFF
0 0            | 1      | ON  ON  OFF OFF
1 0            | 1      | OFF ON  OFF ON
of transforming the basic CMOS gate into a three terminal device. Its voltage transfer characteristics, redefined from the NAND gate in Figure 17, are presented in Figure 20 along with a list of symbol definitions.
The purpose of using the three terminal gate is to: (1) sensitize the set of primary input variables such that all primary input combinations can be utilized in the detection of internal gate faults, (2) detect out-of-tolerance changes in the threshold level of the gate, (3) propagate to the output any faults and normal gate functions in a dynamic operating mode, and (4) self-diagnose faults occurring at the gate's terminals.
TERNARY LOGIC
The nature of a fault state can be viewed as a third value (N) different from 0 and 1, representing the condition that a faulty input, output, or internal value has occurred. The fail-safe gate with this property of ternary (i.e. 0, 1, N) inputs should be able to produce ternary outputs such that all failure modes produce a 0→N or 1→N output.





>0 change at the output.
Takaoka and Mine [J7j first proposed a fail-safe system based on ternary inputs and outputs which they called the N-Fail-Safe (NFS) system. They showed that any switch

[FIGURE 20: Maximum & Minimum Voltage Transfer Characteristics of the Three Terminal Gate with Plots for a V2 of 5vdc & 15vdc]
output failures are 0→N or 1→N (neither N→0 nor N→1) for any input failures 0→N or 1→N. Takaoka and Ibaraki JJ3_| extended the concept to sequential machines, where the realization of such a machine is based on double-line logic that makes use of dual coding: 0→(1,0), 1→(0,1), and N→(1,1) for inputs and outputs. However, logic faults caused by asymmetric failures, 1→0, cannot be realized. Also, no consideration for internal failure modes of the binary logic gates was given, and the hardware implementation utilized binary delay elements which can have additional undetectable failure modes as discussed in Appendix H. However, by extending their concept, not only with two-rail logic (discussed in Appendix G), but with the three terminal logic gate, it is intended to overcome these basic shortcomings.
SELF-CHECKING
In order for a fault to be detectable, it is not necessary to be able to propagate the fault's occurrence to some observable output. It is only necessary for the fault to interrupt the normal behavior at the output of the failed gate. It is this interruption in normal operation that will be propagated to some observable output, independent of the location, type of fault, or quantity of faults within the network. The self-check is composed of a periodic signal applied to the secondary, V_2, input of the three terminal gate. By keeping the primary input from having to perform testing on the gate we will be able to accomplish the following: (1) isolate all faults to the gate level, (2) provide separate outputs for normal and failure modes of operation, (3) prevent the dependence on external hardware to propagate a fault to the circuit's output for detection, (4) provide the capability to thoroughly test for all internal faults, and (5) provide the capability for continuous checking of all gates.
In a normally functioning circuit, signals whose logical value varies in time with some predictable behavior can be generated and applied to the secondary input of the three terminal gate. During normal operation the signal has a waveform as shown in Figure 21. In addition to previously discussed failure modes, variations in T_ON and T_OFF, due to some additional failure, will alter the duty cycle (T_ON/T_PERIOD). Circuits designed to detect errors in periodic signals have used the method of forcing an erroneous signal into the circuit and observing the output. This requires the capability of interrupting normal operation to perform the test. The concept of "Self-Checking" introduced by Carter and Schneider \\j will be applied to the three-terminal gate. We can define the three-terminal gate as a self-checking logic gate for a primary input set of variables, A, a secondary (periodic) input set of variables, N, and a fault set of

[FIGURE 21: Secondary Input Signal of the Three Terminal Gate]
for some input in A and N. Self-checking is necessary to insure that all conditions for single and multiple faults that may occur will be detectable. Hence, if we take A to be a set of primary inputs applied for at least one period that N is applied, then no fault in F should cause an undetectable error during normal operation and the device is a totally self-checking logic gate.
The input and output waveforms of the three-terminal gate during normal operation are illustrated in Figure 22, and Table 4 is a modified truth table showing both the logic states for all inputs and outputs as well as the normal states of all internal semiconductors. The symbols used denote the applied conditions as illustrated in Figure 19. These waveforms illustrate the ternary output states (the three levels of V_OUT) and the ternary input states (the two levels of V_IN, and V_2). The truth table shows the internal state variations with the application of V_2. For example, when A and B are set to V_IN and V_2 changes state, all four semiconductors change states in a complementary manner. Therefore, the ternary inputs and outputs and complementary cycling provide self-checking at the gate level.
DYNAMIC OUTPUT
The ability of a gate to remain in a dynamic state is an indication that it is functioning properly. Upon

[FIGURE 22: Input & Output Waveforms of the Three Terminal Gate (units of time T)]

[TABLE 4: modified truth table of the three-terminal gate with the states of its internal semiconductors; illegible in the scan]
of states that are not detectable. Thus, fail-safe logic should assure a safe-side output upon failure. For example, consider a traffic controller with red and green lights. The green light denotes a safe state or go and the red light denotes a dangerous state or stop. When the system fails the controller should show the red light regardless of the actual situation on the road. If the failed traffic controller shows a green light or no light while the actual situation on the road is dangerous, then an accident may occur. Many fail-safe systems fT0| fj have the undesirable characteristic that component failures must be assumed to be one way, i.e., they all fail to either a S-@-0 or S-@-1 fault but not both. In utilizing the three-terminal gate, we will attempt to be fail-safe for both S-@-1 and S-@-0 failure modes.
We have discussed that by applying the most sensitive input pattern to a NAND gate (1, 1), any stuck-at fault will alter the gate's output for some categories of permanent faults. If we then apply a non-sensitive input pattern to the NAND gate (0, 0) the combination of both input patterns will cause the output to vary so as to detect the stuck-at faults of the gate. Therefore, by complementing the input pattern to the gate, the change or lack of change at the output is a method of detecting internal failures and logic faults at the gate. The ability of fail-safe logic to produce a dynamic output is a measure of its failure mode and an important characteristic of such logic. When the output ceases to be dynamic, it will remain in either the 1 or 0 state and this change to a static state is an indication of a safe failure. By applying this method to all gates, single and multiple faults can be detected and will not be masked by the propagation of one failed gate through another to the output of the circuit. We have discussed the ability of a three-terminal gate to produce a ternary output. By connecting multiple three-terminal gates in a complementary arrangement (fail-safe gate), it is possible to produce a dynamic output for fault detection.
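One way to realize the safe-side behaviour of the SELF-CHECKING and DYNAMIC OUTPUT sections in software, as an added example rather than the thesis's circuit: a monitor that samples the gate output once per half-period of V2, treats a static output (longer than one V2 period) or loss of lockstep with V2 as the ternary fault value N, and checks the duty cycle T_ON/T_PERIOD of the check signal itself. The complementary-cycling model, the polarity parameter and the sample sequences are this example's assumptions, not the thesis's.

```python
N = "N"  # third (ternary) output value: fault detected, safe-side indication


def monitor(samples, polarity=0, max_static=2):
    """Ternary output of a dynamic-output monitor.

    samples: (v2, out) pairs taken once per half-period of the secondary
    input V2, in time order, with the primary inputs held constant.
    Model assumption of this example: in fault-free operation the output is
    complemented together with V2, so out == v2 XOR polarity at every sample
    (polarity selects which V2 phase corresponds to a 1 for this input set).
    Sampling once per half-period means a glitch shorter than that is not
    seen; the thesis likewise only claims detection of intermittent faults
    that exceed one cycle of the check frequency.

    Returns one ternary value per sample: the observed level while the gate
    is still dynamic, N from the first sample at which either the lockstep
    rule fails or the output has stayed static for more than one full V2
    period (more than max_static consecutive equal samples; a failed V2
    itself produces this). Once N is produced it latches: the fail-safe
    properties call for inhibiting the circuit's function as soon as a fault
    is detected, not for resuming when the fault is intermittent.
    """
    result, run, prev, faulted = [], 0, None, False
    for v2, out in samples:
        run = run + 1 if out == prev else 1
        prev = out
        if out != (v2 ^ polarity) or run > max_static:
            faulted = True
        result.append(N if faulted else out)
    return result


def duty_cycle(v2_samples):
    """T_ON / T_PERIOD of the periodic check signal from evenly spaced samples
    of V2, measured between its first two rising edges. Returns None if fewer
    than two rising edges were captured (check signal missing or stuck)."""
    edges = [i for i in range(1, len(v2_samples))
             if v2_samples[i - 1] == 0 and v2_samples[i] == 1]
    if len(edges) < 2:
        return None
    start, end = edges[0], edges[1]
    return sum(v2_samples[start:end]) / (end - start)


def check_secondary_input(v2_samples, nominal=0.5, tolerance=0.1):
    """True when V2 is present and its duty cycle is within tolerance of the
    nominal value; a shifted T_ON or T_OFF (the chapter's duty-cycle failure)
    or a missing check signal returns False."""
    d = duty_cycle(v2_samples)
    return d is not None and abs(d - nominal) <= tolerance


if __name__ == "__main__":
    # Constructed sample sequences (not measurements from the thesis).
    healthy = [(1, 1), (0, 0), (1, 1), (0, 0)]
    stuck_out = [(1, 1), (0, 0), (1, 1), (0, 1), (1, 1), (0, 1)]
    dead_v2 = [(1, 1), (1, 1), (1, 1), (1, 1)]
    print(monitor(healthy))    # [1, 0, 1, 0]
    print(monitor(stuck_out))  # [1, 0, 1, 'N', 'N', 'N']
    print(monitor(dead_v2))    # [1, 1, 'N', 'N']
    print(check_secondary_input([1, 1, 0, 0, 1, 1, 0, 0, 1]))  # True
    print(check_secondary_input([1, 1, 1, 0, 1, 1, 1, 0, 1]))  # False
```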
COMPLEMENTATION
The nature of complementation is discussed in detail in the analysis of the fail-safe gate (later chapter). The purpose now is to illustrate that the limitations of the three-terminal gate will require such a method to resolve its inherent difficulties.
An analysis of particular internal failures is illustrated in Table 5. Item 1 of the table shows, for Q1 being S-@-1 with the input conditions V_IN (A and B) and V_2, that the output state will be V_OUT. Comparison to the normal output state (Table 4), for the same input states, shows the output is identical. This indicates that the

[TABLE 5: analysis of particular internal failures of the three-terminal gate; illegible in the scan]
internal states, as defined for item 1 above, shows that Q1 being S-@-1 causes a short from the V_2 (V_DD) terminal to ground (V_SS terminal). Consequently, the three-terminal gate is unable to detect this type of failure. Another type of undetectable failure is shown in items 2 and 3 of Table 5. For these conditions, Q3 is assumed to be S-@-0. Analysis of Figure 19 and Table 4 shows the output to be in the normal (non-failure) state, but during the interval that the secondary input is low, V_2, an open-circuit exists within the gate's structure. These two limitations restrict the three-terminal gate's usefulness, which can be overcome by using a fail-safe gate configuration (to be presented in a later chapter).
CHAPTER VII
ANALYSIS OF THE THREE TERMINAL GATE
The purpose of this chapter is to analyze the three-terminal gate, as shown in Figure 19 and defined in Table 4, for internal failure modes, logic faults, and failures resulting from changes in its threshold level. The methods discussed in the previous chapter are implemented into the gate's operation and it is intended to show the degree of fault detection obtained by combining them in the manner described herein.
INTERNAL FAILURES
For this analysis the inputs of the three-terminal gate, (A, B), are sequenced through all sets of input variables: 00 01 10 11. The selected sequence is random but the failure modes are assumed to occur before the sequence begins. The types of failures are defined as S-@-0 (ON) or S-@-1 (OFF). This definition assumes all permanent internal failure modes can be represented by a short-circuit or open-circuit of the transistors Q1 through Q4 or a variable resistance, Figure 14, of these transistors. All possible combinations of open-circuit and/or short-circuit failures (Figure 19) are tabulated in Table 6.
TABLE 6
INTERNAL FAILURE MODES OF THE THREE-TERMINAL GATE
[Columns: secondary input (V2 high / V2 low); fault conditions Q1 Q2 Q3 Q4 (ON or OFF); output sequence for the input sequence 00 01 10 11, with an asterisk marking a change from the normal output. The output-sequence entries are illegible in the scan.]
The table identifies when the output changes from its normal value (of Table 4) by the asterisk before the symbol in the output sequence column. By examining Table 6, we can conclude that: (1) all possible combinations of internal stuck-at faults, except those identified by a double asterisk, can be detected at the output terminal of the three-terminal gate for the specified sequence, (2) the periodic secondary input, V_2, does not contribute significantly to these types of failures, and (3) a particular stuck-at fault combination may not always be detected for a given set of input variables. We observe that the double asterisk items of Table 6 are open-circuit or short-circuit modes of operation, as seen at the output. However, these failure modes can be detected by the fail-safe gate by the choice of implementation of the three-terminal gate into its structure.
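The enumeration behind Table 6 can be reproduced in outline with a switch-level model. The following Python example is added here and is not the thesis's table: it takes the transistor roles from the Figure 19 truth table, drives the input sequence 00 01 10 11 against every combination of Q1..Q4 stuck ON or OFF, and classifies each combination as detected by a wrong logic level, as an open- or short-circuit output (the double-asterisk case), or undetected. The secondary input is held high, and the treatment of floating and shorted outputs is this example's assumption, so the counts it prints are the model's, not Table 6's.

```python
from itertools import product

ON, OFF = "ON", "OFF"   # the thesis writes stuck-ON as S-@-0 and stuck-OFF as S-@-1
TRANSISTORS = ("Q1", "Q2", "Q3", "Q4")
SEQUENCE = ((0, 0), (0, 1), (1, 0), (1, 1))   # input sequence used in Chapter VII


def transistor_states(a, b, faults):
    """ON/OFF state (True/False) of Q1..Q4 for primary inputs a, b.

    Roles follow the truth table of Figure 19: Q1 and Q2 are the p-channel
    pull-ups driven by A and B (ON when the input is low); Q3 and Q4 are the
    series n-channel pull-downs driven by B and A (ON when the input is high).
    faults maps a transistor name to ON or OFF; a stuck transistor ignores its
    input. The secondary input V2 is assumed high throughout (assumption).
    """
    nominal = {"Q1": a == 0, "Q2": b == 0, "Q3": b == 1, "Q4": a == 1}
    forced = {ON: True, OFF: False}
    return {q: forced.get(faults.get(q), state) for q, state in nominal.items()}


def output_node(states):
    """What the output node is doing: 1 (pulled to V2), 0 (pulled to ground),
    SHORT (V2 shorted to ground through the gate) or OPEN (floating)."""
    pull_up = states["Q1"] or states["Q2"]
    pull_down = states["Q3"] and states["Q4"]
    if pull_up and pull_down:
        return "SHORT"
    if pull_up:
        return 1
    if pull_down:
        return 0
    return "OPEN"


def run_sequence(faults, initial=1):
    """(node condition, observed level) for each vector of SEQUENCE.

    Modelling assumptions: a floating output holds the last driven level
    (charge storage), `initial` being the level before the sequence starts;
    a shorted output reads as an indeterminate level "X".
    """
    outcomes, level = [], initial
    for a, b in SEQUENCE:
        node = output_node(transistor_states(a, b, faults))
        if node in (0, 1):
            level = node
        outcomes.append((node, "X" if node == "SHORT" else level))
    return outcomes


NORMAL_LEVELS = [level for _, level in run_sequence({})]   # fault-free: [1, 1, 1, 0]


def table_row(faults):
    """Output-sequence cells in the style of Table 6: '*' marks a level that
    differs from the fault-free gate, '**' an open- or short-circuit output."""
    cells = []
    for (node, level), normal in zip(run_sequence(faults), NORMAL_LEVELS):
        if node in ("OPEN", "SHORT"):
            mark = "**"
        elif level != normal:
            mark = "*"
        else:
            mark = ""
        cells.append(f"{mark}{level}")
    return cells


def classify(faults):
    """'open/short' : the fault shows (only, or also) as a floating or shorted
                      output, the double-asterisk case that the three-terminal
                      gate alone cannot signal and the fail-safe gate must;
       'detected'   : a wrong logic level appears on a properly driven output;
       'undetected' : every vector gives the normal level on a driven node."""
    outcomes = run_sequence(faults)
    if any(node in ("OPEN", "SHORT") for node, _ in outcomes):
        return "open/short"
    if any(level != normal for (_, level), normal in zip(outcomes, NORMAL_LEVELS)):
        return "detected"
    return "undetected"


def enumerate_faults():
    """Classification of every combination of Q1..Q4 being normal, stuck ON
    or stuck OFF (80 faulty combinations)."""
    result = {}
    for combo in product((None, ON, OFF), repeat=len(TRANSISTORS)):
        faults = {q: s for q, s in zip(TRANSISTORS, combo) if s is not None}
        if faults:
            result[tuple(sorted(faults.items()))] = classify(faults)
    return result


if __name__ == "__main__":
    for faults in ({"Q1": OFF}, {"Q1": ON}, {"Q3": OFF}, {"Q1": ON, "Q4": OFF}):
        print(faults, table_row(faults), classify(faults))
    counts = {}
    for cls in enumerate_faults().values():
        counts[cls] = counts.get(cls, 0) + 1
    print(counts)
```

In this model no stuck combination leaves the output both correctly driven and correct at all four vectors, which is the chapter's conclusion (1); the open/short class is exactly the one the text defers to the fail-safe gate.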
LOGIC FAULTS
Table 7 is a tabulation of all combinations of logic faults that will appear at the terminals of the three-terminal gate. This table indicates that these failure modes may be detected at the gate's output but the second

TABLE 7
[Columns: secondary input; fault conditions on the input lines A and B (S-@-0, S-@-1) and, in the continuation, on the output line; output sequence for the input sequence 00 01 10 11. The entries are illegible in the scan.]
THRESHOLD FAILURE MODES
The purpose of V_2 is to provide internal transistor complementation for threshold failure modes. Figure 23 is a graphical representation of Figure 20 in which the maximum and minimum threshold levels of the three-terminal gate are illustrated. If internal failures cause the gate's transistors to fail in a mode other than an open-circuit or short-circuit, then these marginal failures may affect the threshold level of the gate by producing a faulty output signal. Referring to Figure 23, it is observed that when the secondary input is low (V_2 low), any marginal failures may cause the normal threshold level (point B) to increase along the threshold line beyond point X. When this occurs the output of the three-terminal gate will change from one output level to the other and detect this marginal fault. Likewise, with the secondary input at V_2 high, any marginal failures may cause the normal threshold level (point C) to increase beyond

marginal failures that shift the transfer curve in the opposite direction (point A decreasing to point X) will

periodic check signal, V_2, could either shift its maximum value (V_2 high) or minimum value (V_2 low), which would appear as a marginal fault and result in similar types of detectable outputs. Therefore, the values selected for V_2 high, V_2 low, and

[FIGURE 23: Graph of Maximum & Minimum Threshold Levels of the Three Terminal Gate]

tolerance, i.e., the degree in which a marginal (threshold) fault is detectable. If a marginal fault causes a shift from point A to B, the output may shift enough to be detectable as a logic fault by the following gate. Therefore, self-checking of the periodic secondary input is accomplished by the three-terminal gate as well as threshold detection that exceeds specified tolerances.
CHAPTER VIII
THE FAIL-SAFE LOGIC GATE
The purpose of this chapter is to define and analyze the fail-safe logic gate, F.S.G. The operation of the F.S.G. will illustrate the utilization of the techniques in Chapter VI and resolve the limited detectability of faults in the three-terminal gate. The fail-safe gate can be defined as any multiple-input, dual-output circuit constructed with CMOS logic gates, as shown in Figure 24. The multiple inputs consist of primary lines for processing circuit information as to the gate's failure modes such that a failure will be any detectable transformation of the correct gate function. The fail-safe gate is said to be sensitized for a particular set of primary input variables if a change in output V_F is the result of a fault. Therefore, if any combination of primary input variables is applied to the gate, and the observed output is correct, then no faults exist within the gate. If the output states are incorrect, it will be observed as the complement of its correct value (state) and indicate the presence of a fault or faults.
The fail-safe gate is composed of three-terminal gates; two consisting of two input CMOS NAND gates and one

[FIGURE 24: THE FAIL SAFE GATE]
The relationship of the symbols for the F.S.G. in Figure 24 and the CMOS gate are given in Table 8. The F.S.G. requires the use of positive and negative logic signals as identified in Table 9. The maximum and minimum voltage transfer characteristics of a typical gate with plots for a secondary input, +V_2, of +5 volts and +15 volts are shown in Figure 25. Element #1 operates with positive logic; i.e., a low binary state is defined as the ground reference level. Element #2 operates with negative logic; i.e., a high state is defined as being at ground reference level. Element #3 requires both positive and negative logic to provide a continuous dynamic output signal. With the use of positive and negative logic the voltage levels, +V, will never be identical except when failure modes occur at the gate.
The fail-safe gate has a fault output terminal, V_F, which enables detection of failure modes at the gate level. In this manner fault detection is always independent of the normal circuit operation. The element #3 is incorporated into the gate's structure so that it can operate as a dynamic detector. By connecting its input to ground and providing a resistor R between the input and output terminals, the voltage at the fault terminal, V_F, must be greater than or less than a ground level for proper gate operation. This is illustrated in the waveforms in Figure 26. By switching between known states V_F will always be at +V_F, -V_F, -V_O, or +V_O for fault-free operation. When V_F produces a
TABLE 8
IDENTIFICATION OF THE INPUT AND OUTPUT TERMINALS FOR THE FAIL-SAFE LOGIC
[Recovered rows, in the column order printed: CMOS gate terminal followed by the corresponding F.S.G. terminals; the remaining row is illegible in the scan.]
VSS  | GROUND | -V2   | -VO
VIN  | +VIN   | -VIN  | GROUND
VOUT | +VO    | -VOUT | VF

TABLE 9
[Columns: secondary input V2; primary inputs A, B; fail-safe outputs VO; detector output VF. First row: +V2, +VIN, +VIN, +VO; the remaining entries are illegible in the scan.]

[FIGURE 25: not recoverable from the scan]

[FIGURE 26: waveforms of the fail-safe gate; (a) Normal Gate Operation; (b) illegible in the scan]
then a fault has occurred within the gate or at its input/output terminals. Failures that occur internal to the gate, but are external to the three elements (gate interconnections), are also detectable at the fault terminal V_F.
Figure 26b illustrates intermittent (non-permanent) failure modes that have occurred at the A input terminal of element #1 and the +V_O terminal due to an internal failure. The ability to detect these faults is indicated by the variation in voltage level at the fault terminal. This output normally varies between zero and -V_F and is a function of the gate's transfer characteristics, feedback resistor, and input voltage of the #3 element. To operate, this portion of the fail-safe gate will require component selection to meet specific detection levels at the V_F terminal. If these failure modes were permanent, then the V_F waveform shown in Figure 26b would be different for each simulated fault.
In reference to the waveforms of Figure 26, the -V_O

and -V, because the example has been idealized for the purpose of illustration. In normal operation only the input gate for a logic network would function with ternary inputs (+V_IN, -V_IN, and a third state). Also, the waveforms show that the input state +V_IN or -V_IN can occur only when the secondary input, V_2, is at +V_2 or -V_2, respectively. Therefore, any failure modes that restrict this sequence of operation will be detectable because they will create failures within the gate.
The fail-safe elements, as shown in Figure 24, are
three -terminal gates as discussed in previous chapters. The
element #1 has been analyzed in Table 6 and 7 of Chapter
VII. A similar analysis for element #2 is shown in Table
10 and 11. The structure and truth table for element #3
is shown in Figure 27. its function is to independently
detect all failure modes of the fail-safe gate including
faults internal to its own structure. The element should
also prevent the masking of multiple gate faults. The de
vice is a three-terminal gate with its primary input, VTW,
referenced to ground. Its two secondary inputs, -Vn ,
function
as identified in Table 8 and Figure 26. By continuously
comparing the signals at the secondary input terminals,
the #3 element of the fail-safe gate produces a unique
dynamic output, V-^, for the normal sets of primary input
variables to the fail-safe gate (as shown in Table 9). The
output will always maintain this set of voltage levels
unless a failure occurs to the fail-safe gate. Table 12
identifies the type of output change produced for specific
failure modes. Analysis of the failure modes of element
#3 is shown in Table 13, indicating all fault conditions
are detectable at the output of this element. Note that




[Table: INTERNAL FAILURE MODES OF THE FAIL-SAFE GATE. Columns: secondary input (-V2); fault conditions of Q5, Q6, Q7, Q8 (ON/OFF); output sequence at V_F for the input sequence 00, 01, 10, 11.]
[Table: TERMINAL FAILURE MODES OF THE FAIL-SAFE GATE. Columns: secondary input (-V2); fault conditions on input lines A and B (NORMAL, S-@-0, S-@-1); output sequence for the input sequence 00, 01, 10, 11.]
[Figure: (b) truth table of the fail-safe gate, with columns V_IN, +V0, -V0, V_F and a GND row.]
[Table: EXAMPLES OF DETECTABLE FAILURE MODES OF THE FAIL-SAFE GATE. Columns: gate failure mode; output signal at V_F with the primary input variables.]
[Table: INTERNAL FAILURE MODES OF THE ELEMENT #3. Columns: transistor fault conditions (ON/OFF); output at V_F for AB = 11 and for AB = 00, 01, 10.]
ary terminal is identical to the internal faults of element #1 or #2 that were identified by a double asterisk in Tables 6 and 10. Consequently, the fail-safe gate detects these types of otherwise undetectable failure modes.
We can conclude that the combination of ternary states, logic complementation, dynamic signals, and two-rail logic provides the means to structure the CMOS logic gate for fault detection. Specifically, the fail-safe gate is capable of detecting single and multiple failure modes that may occur either internally or at the terminals of the gate. All permanent failure modes, and all intermittent failures that exceed one cycle of the periodic check frequency at V2, will be detected. By incorporating element #3 into the fail-safe gate, the method for self-checking at
The paper has identified and analyzed the types of internal failures and logic faults that can affect the normal behavior of digital circuits. By presenting these failures as a composite group of problems that can affect any logic gate, we have accurately identified the objectives of fail-safe logic. This is significant because a thorough review of the literature has shown either a failure to identify all relevant types of failure modes or a restriction to a specific set of logic applications. It is believed that this failure to specifically identify the internal failures of logic gates has made most techniques unacceptable for fail-safe logic.
From the analysis of the various logic families, we have shown that none are acceptable for fail-safe logic. However, by identifying the properties and characteristics of fail-safe logic and of the CMOS logic gate, we have been able to identify that the CMOS gate is best suited for fail-safe logic because of the simplicity of its internal structure.
The techniques brought forth in Chapter VI are a significant aspect of this paper. We have shown that by implementing these design techniques, a successful method of providing fail-safe logic can be achieved. Although the purpose of each technique has been presented, their implementation in the fail-safe gate has identified some shortcomings. The analysis of the three-terminal gate has shown: (1) only certain sets of primary input combinations will sensitize the gate for all fault detection; (2) the degree of threshold detection is a function of the gate's transfer characteristics, and present technology restricts its use to marginal threshold detection; (3) the implementation of self-checking through the use of the second input terminal of the three-terminal gate is a major achievement toward internal fault detection; (4) it is instrumental in isolating faults at the gate level; and (5) it provides the means for dynamic operation. The use of ternary logic would be complicated to implement in a large logic network, i.e., keeping track of all the positive and negative logic levels would compound existing design problems. However, its use provides a positive means to identify a logic fault and allows all normal signals within the network to operate independently of a ground or zero state. The technique of detecting failure modes at the gate level, V_F, resolves the existing problems of gate masking and multiple logic faults, but complicates the detection process by the necessity for multiple fault terminals that have to be implemented into an observable output.
The fail-safe gate is shown to be an effective gate for fail-safe logic. Although implemented to produce complete fault detection, it is somewhat limited by its complex structure. It is possible to reduce its structure if the probability of occurrence of certain types of failures is considered insignificant. However, if the fail-safe gate is considered as a means of implementing the presented techniques, then different fail-safe gate con
Although the reliability and fault-tolerance capability of a logic gate can be improved by using reliable components and/or providing redundancy in the circuit, no matter how reliable the components are or how much redundancy has been provided, no component can last forever, due to gradual deterioration or physical damage. Thus, it is important to detect faulty components or gates as soon as they occur, so that the proper action of rendering the gate or network into a safe mode can be initiated. By designing a circuit as a building block of similar fail-safe gates, the detection process is easily implemented and the fault location is determined by a gate self-check. Thus, internal component detection, complementation, ternary logic states, two-rail logic, and continuous self-checking are combined into a method of designing fail-safe logic which utilizes the CMOS gate as its basic element.
The CMOS gate achieves some degree of success when the techniques described herein are applied. The wide tolerance variations exhibited by its transfer characteristics, the limitations of the gate's maximum operating levels, and the inability to predict a known logic state for some common failure modes limit its fail-safe capabilities. Any digital design would be restricted without a storage element, and using the fail-safe gate in combinational logic networks as the only type of logic gate would restrict its usefulness. The concepts of dynamic self-checking, three-terminal logic gates, and independent fault detection prove to be useful techniques for fail-safe logic. The realization of these techniques and the importance of detect
APPENDIX A
EVALUATING THE EFFECTS OF FAILURE MODES BY CALCULATING THE STABILITY AND SENSITIVITY OF A CIRCUIT
STABILITY
An important cause of transistor failure is thermal instability. The transistor's reverse saturation current, I_CBO, changes significantly with temperature. For example, the collector current, I_C, causes the collector junction temperature to rise with increasing I_C. As a result of this increase in I_CBO, I_C will increase and may further increase the junction temperature and, consequently, I_CBO. It is possible for this succession of events to become cumulative, so that the ratings of the transistor are exceeded and the device burns out. It is also possible for a transistor which is biased in the cut-off region to find itself in the active or saturation region as a result of this operating-point instability.
Analysis of a simple transistor circuit by examining the rate of change of collector current with respect to I_CBO will define the stability of the circuit. The stability will illustrate how failure modes can affect the operation
[Figure: (a) Transistor Circuit, (b) Simplification of Base Circuit]
$$I_C = \beta I_B + (\beta + 1)\, I_{CBO} \qquad (A\text{-}1)$$
Definition of stability (S):
$$S = \frac{\partial I_C}{\partial I_{CBO}} \approx \frac{\Delta I_C}{\Delta I_{CBO}} \qquad (A\text{-}2)$$
Differentiating Eq. A-1 with respect to $I_C$ and solving for S:
$$S = \frac{\beta + 1}{1 - \beta\,(dI_B/dI_C)} \qquad (A\text{-}3)$$
Kirchhoff's Voltage Law around the base circuit:
$$V = I_B R_B + V_{BE} + R_E\,(I_B + I_C) \qquad (A\text{-}4)$$
Differentiating Eq. A-4 with V and $V_{BE}$ held constant:
$$\frac{dI_B}{dI_C} = -\frac{R_E}{R_E + R_B} \qquad (A\text{-}5)$$
Substituting Eq. A-5 into Eq. A-3:
$$S = \frac{\beta + 1}{1 + \beta\,\dfrac{R_E}{R_E + R_B}} \qquad (A\text{-}6)$$
From Eq. A-6 it can be seen that if the transistor's beta increases, the stability of the circuit decreases. Also, the smaller the value of R_B, the better the stabilization. Therefore, a failure mode in which the value of R_B increases beyond its design tolerance, or in which R_E decreases in value (or becomes a short circuit), will cause the circuit to exhibit increased instability.
SENSITIVITY
Internal component failures are not confined to open- or short-circuit conditions only. The variation of component parameters as a function of circuit performance accounts for a significant number of static and transient failures. The output variations of a digital circuit, analyzed as to their sensitivity to component changes, will serve to illustrate their effect in creating failure modes.
Analysis of the effect of component failures on the performance of a PNP transistor circuit, Figure A-2, will illustrate the sensitivity of the collector current, I_C, to various component failure modes.
$$I_C = \beta I_B + (\beta + 1)\, I_{CBO} \qquad (A\text{-}9)$$
Assuming that V_EB is negligible and assuming the voltages
Substitute Eq. A-12 into Eq. A-1:
$$I_E = (\beta + 1)\,(I_B + I_{CBO}) \qquad (A\text{-}13)$$
$$I_B = \frac{V_{BB} - (\beta + 1)\, R_E\, I_{CBO}}{R_B + (\beta + 1)\, R_E} \qquad (A\text{-}15)$$
Substitute Eq. A-15 into Eq. A-9:
$$I_C = \frac{\beta V_{BB}}{R_B + (\beta + 1) R_E} - \frac{\beta (\beta + 1) R_E\, I_{CBO}}{R_B + (\beta + 1) R_E} + (\beta + 1)\, I_{CBO} \qquad (A\text{-}16)$$
$$I_C = \frac{\beta V_{BB} + (\beta + 1)\, I_{CBO}\,(R_E + R_B)}{R_B + (\beta + 1)\, R_E} \qquad (A\text{-}17)$$
Definition of sensitivity ($S^X_Y$): the sensitivity of a quantity X with respect to a parameter Y is given by
$$S^X_Y = \frac{\partial X}{\partial Y} \cdot \frac{Y}{X} \qquad (A\text{-}18)$$
Using the definition for sensitivity, Eq. A-13, and the
It can be seen from Eq. A-19 that for the nominal values of R_B = 20Ω, β = 20, R_E = 1 kΩ, and R_L = 2 kΩ, a -20% change in the value of R will result in a -M% change in the current I_C (as shown below).
Various changes in the tolerances of the circuit's components have been tabulated in Table A-1 as a function of the sensitivity of I_C. These results illustrate the effect of failure modes on the performance of the circuit.
TABLE A-1
SENSITIVITY VS COMPONENT VARIATIONS

Component variation | Resulting change in I_C
20%                 | 17.2%   19.5%   9.8%
40%                 | 34.5%   39.1%   19.5%
60%                 | 51.7%   58.6%   +29.3%
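Worked example, added here and not part of the thesis: the Python below evaluates Eq. A-6, Eq. A-17 and the sensitivity definition of Eq. A-18 for a constructed set of component values (V_BB = 5 V, R_B = 20 kΩ, R_E = 1 kΩ, β = 20, I_CBO = 1 µA, none of them taken from the page), so the numbers it prints are not those of Table A-1. The derivative in Eq. A-18 is taken by a central finite difference of Eq. A-17, which makes the same routine usable for any parameter of the bias network, and the script also checks that ∂I_C/∂I_CBO from Eq. A-17 reproduces the stability factor of Eq. A-6. The function names (collector_current, stability_factor, sensitivity, percent_change) are this example's own.

```python
"""Stability (Eq. A-6), collector current (Eq. A-17) and sensitivity (Eq. A-18)
of the base-biased transistor stage analysed in Appendix A.
Added example; component values are constructed for illustration only."""


def collector_current(v_bb, r_b, r_e, beta, i_cbo):
    """Eq. A-17: I_C = (beta*V_BB + (beta+1)*I_CBO*(R_E+R_B)) / (R_B + (beta+1)*R_E)."""
    return (beta * v_bb + (beta + 1) * i_cbo * (r_e + r_b)) / (r_b + (beta + 1) * r_e)


def stability_factor(r_b, r_e, beta):
    """Eq. A-6: S = (beta+1) / (1 + beta*R_E/(R_E+R_B)).  A larger S means I_C
    tracks I_CBO more strongly, i.e. the circuit is LESS stable."""
    return (beta + 1) / (1 + beta * r_e / (r_e + r_b))


def sensitivity(func, params, name, rel_step=1e-6):
    """Eq. A-18, S_Y^X = (dX/dY) * (Y/X), with dX/dY taken by central difference.
    `func` is evaluated as func(**params); `name` selects the parameter Y."""
    y = params[name]
    h = abs(y) * rel_step
    up = dict(params, **{name: y + h})
    down = dict(params, **{name: y - h})
    dx_dy = (func(**up) - func(**down)) / (2 * h)
    return dx_dy * y / func(**params)


def percent_change(func, params, name, pct):
    """Percent change of func(**params) when parameter `name` moves by `pct`
    percent, the kind of tolerance excursion Table A-1 tabulates."""
    changed = dict(params, **{name: params[name] * (1 + pct / 100.0)})
    base = func(**params)
    return 100.0 * (func(**changed) - base) / base


# Constructed nominal values (not the thesis's): V_BB = 5 V, R_B = 20 kOhm,
# R_E = 1 kOhm, beta = 20, I_CBO = 1 uA.
NOMINAL = dict(v_bb=5.0, r_b=20_000.0, r_e=1_000.0, beta=20.0, i_cbo=1e-6)


def report():
    """S, nominal I_C, and the effect of -20/-40/-60 % excursions of R_E and R_B."""
    s = stability_factor(NOMINAL["r_b"], NOMINAL["r_e"], NOMINAL["beta"])
    rows = {(name, pct): percent_change(collector_current, NOMINAL, name, pct)
            for name in ("r_e", "r_b") for pct in (-20, -40, -60)}
    return s, collector_current(**NOMINAL), rows


if __name__ == "__main__":
    s, ic, rows = report()
    print(f"S = {s:.3f}, I_C = {ic * 1e3:.3f} mA")
    print(f"S(I_C, R_E) = {sensitivity(collector_current, NOMINAL, 'r_e'):+.3f}")
    for (name, pct), delta in rows.items():
        print(f"{name} {pct:+d}%  ->  I_C {delta:+.1f}%")
```

Run as a script it prints S, I_C and the percentage excursions of I_C for 20, 40 and 60 percent reductions of R_E and R_B. Both sensitivities come out negative for these values, so a reduction of either resistor raises I_C, which is the circuit-level signature of the R_E short-circuit failure mode discussed under STABILITY above.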
APPENDIX B
ANALYSIS OF A RTL CIRCUIT
In reference to Appendix A and Eq. B-4, the sensitivity
ANALYSIS OF A TTL NAND GATE
Analysis of the gate's internal failure modes is based on the TTL gate in Figure 4. The piecewise analysis of the changes in internal current versus parameter changes will illustrate the potential failure modes of the multiple transistor stages in the gate's structure. Using Figure C-1 for the low-level output state and Figure C-2 for the high-level output state, we can determine the sensitivity to component changes as follows:
The current gain of Q3 is:
From Eq. C-7 and Appendix A:
ANALYSIS OF A ECL GATE
Analysis of the gate's internal failure modes is based on the ECL gate in Figure 5. We can determine the
will be in cutoff.
(D-4)
When one or more of the gate inputs are at a logic one level.
(D-6)
$$I \propto T^{3/2}\, e^{-qV_G/nkT} \qquad (E\text{-}1)$$
n = 2 for silicon
V_G = 1.1 volt at room temperature (300 K)
q = 1.602 × 10^-19
k = 1.38 × 10^-23
Taking loop equations of
[Curve E: vertical axis CURRENT in milliamps]
And the input voltage is V_IN (E-7)
ANALYSIS OF A TTL SCHMITT TRIGGER GATE
The following analysis of a TTL-type integrated Schmitt trigger circuit will illustrate the dependence of its threshold levels on circuit parameters. The integrated Schmitt circuit is illustrated in Figure F-1. The operation of the circuit is as follows: the multiple-emitter transistor Q1 operates as a diode. Transistors Q2 and Q3 are the actual Schmitt trigger, and transistors Q4 through Q9 make up a NAND gate of the TTL type. The transistors Q5 and Q9 function as emitter-base diodes. When all inputs are tied together at a low level, Q2 is off and Q3 is saturated. The circuit in Figure F-2 and Figure F-2a is used to obtain the positive-going voltage (V_T+) needed to switch
(F-2)
[Figure F-2: (a) V_T+ with Q2 in Cutoff; (b) V_T- with Q2 in Saturation and Q3 in Cutoff]
assuming transistor Q2 is ON and saturated. As the input to the Schmitt trigger drops, transistor Q3 begins to turn on and the circuit conditions of Figure F-2b apply. When
The collector current of Q2 is
$$I_{C2} = \frac{\alpha_2\,(V_1 - V_{BE(Q2)})}{R_E} \qquad (F\text{-}4)$$
where α2 is the common-base current gain of transistor Q2 and is assumed to be 1.
Replacing V_1 with Eq. F-5:
V_T-
For circuits built in integrated form, the only accessible points are the input and output terminals of the logic network, and the only means of analyzing it is by performing a test, i.e., applying a set of input variables and observing the output response. Therefore, given a logic network, finding an input/output pair A, X such that the response of the logic network to A will be X if and only if the circuit is operating correctly is the basis of fault detection. The application of a set of input variables A and the observation of the response, to see whether it is X, is called a check or test of the logic network. The major difficulty in fault detection is that a given failure (S-@-1) may be sensitized by A, but another failure on the same network (S-@-0) may not be. Also, the number of tests which must be applied to the circuit is proportional to the number of logic gates and is independent of the number of input terminals available.
Fault detection attempts to achieve the following objectives: (1) to detect at least a specified percentage of faults which might occur in a logic network, (2) to locate which element or gate has the fault causing the error, (3) to detect errors fast enough to allow the circuit to retry the operation interrupted by the fault, and (4) to classify the faults as to possible cause.
There are a number of types of checking circuits used for fault detection. Their purpose usually falls within one of the following categories: (1) to check every output at all times (except possibly during transitions), so that any deviation from the correct output is detected; (2) to check for any deviation from the correct output due to a single fault in the logic, where errors due to multiple faults may or may not be detected; and (3) to partially check for some incorrect outputs while other faults are not checked for.
Fault detection circuits should be designed so that faults do not propagate very far through the circuit before they are detected. The detection should stop the operation of the circuit as soon as possible after the fault is observed. Fault detection circuitry can fail just as easily as the logic being checked. It can fail in two different ways: by giving an indication of a fault when it should not, or by failing to indicate faults when they occur. There are several approaches to fault detection circuitry. One method is to periodically run test sequences through the detection circuit to ensure that it operates as intended. Another method is to use two checkers on the logic instead of one. If one fails, the other will still give an output when the logic being checked fails. This method assumes that both checkers do not fail before the logic does. A practical design guideline is to design the fault detection circuitry to detect all single faults. A circuit that detects single faults soon after they occur will therefore catch many multiple faults.
LOGIC FAILURE PROBABILITY
Portions of any check circuit which are tested by some checkout sequence should be considered as possible sources of undetected faults. Sometimes the check circuitry will have a built-in test sequence. One function of such a test sequence is to determine that the check circuitry is operating properly. If the check circuit is tested periodically, then the probability of a failure being undetected in the checker can be calculated as follows:
The probability of no undetected failures occurring in a
where P_chk is the probability that a check circuit gives an indication that it contains a fault, P_r(t) is the probability of r failures in the checker's logic occurring in the period between 0 and T, and 1/λ is the mean time to fail for a logic gate.
Therefore, the probability of no undetected failures is:
$$\sum_{x=0}^{\infty} \frac{(P_{chk}\,\lambda T)^x}{x!}\, e^{-\lambda T} = e^{-\lambda T\,(1 - P_{chk})} \qquad (G\text{-}3)$$
The mean time to an undetected failure is:
$$\text{M.T.U.F.} = \frac{1}{\lambda\,(1 - P_{chk})} \qquad (G\text{-}4)$$
Eq. G-4 is independent of how often the check circuit is tested. If a failure occurs, the check circuit will operate until the next test period. If T is the period between tests, then an undetected failure will be found when the next test period of the gate is run. The smaller T is, the smaller the average amount of time the check circuit will be operating with an undetected failure.
TWO-RAIL LOGIC
A technique for checking is to use a variation on duplication; that is, to use the so-called "two-rail" logic technique. For this type of fault detection logic, two lines are used to represent every variable; i.e., the 1 state of the variable is represented by one of the lines being at logic 1 and the other line being at logic 0. Likewise, the 0 state of the variable is represented by the first line being at logic 0 and the second line being at logic 1. Using two lines to carry one "bit" of information will yield four different signals: 00, 01, 10, and 11. It is possible to select the binary states 01 and 10 to represent the 0 and 1 states respectively, while the 00 and 11 states are utilized as the third or fault state. With the coexistence of the true and complement of any logic function, an error in the input variable A and its complement Ā will always be detected by comparing the outputs of the gate, X and X̄. All faults caused by a single failure are detected, since A and Ā will not be in error simultaneously.
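As an added illustration (not code from the thesis), the following Python models the two-rail scheme just described: each variable is a pair of rails, 01 for logic 0 and 10 for logic 1, and the checker flags 00 or 11. It builds AND and NOT in two-rail form, injects stuck-at faults on any rail, and confirms that every single fault which changes a rail value is flagged; it also shows the limit of the single-failure assumption with a double fault that flips both rails of one variable. The rail names (a_t, a_c, b_t, b_c, x_t, x_c) and the function names are this example's own.

```python
"""Two-rail encoding with the checker comparison described above.
Added example (not from the thesis); codeword convention follows the text:
01 = logic 0, 10 = logic 1, 00 and 11 = fault state."""

ZERO = (0, 1)   # (true rail, complement rail)
ONE = (1, 0)
VALID = {ZERO, ONE}


def encode(bit):
    """Map a logic value to its two-rail codeword."""
    return ONE if bit else ZERO


def is_valid(word):
    """The checker: a codeword is valid only when its rails are complements."""
    return tuple(word) in VALID


def two_rail_and(a, b):
    """AND in two-rail form: true rail = a_t AND b_t, complement rail = a_c OR b_c."""
    return (a[0] & b[0], a[1] | b[1])


def two_rail_not(a):
    """NOT in two-rail form is a wire swap; no gate is needed."""
    return (a[1], a[0])


def two_rail_network(a, b, stuck=None):
    """Evaluate X = AND(A, B) with optional stuck-at faults.

    `stuck` maps a rail name (a_t, a_c, b_t, b_c, x_t, x_c) to its stuck value.
    Returns (output codeword, fault flag); the flag is the checker verdict
    over both input words and the output word."""
    stuck = stuck or {}
    rails = {"a_t": a[0], "a_c": a[1], "b_t": b[0], "b_c": b[1]}
    rails.update({r: v for r, v in stuck.items() if r in rails})
    a_word = (rails["a_t"], rails["a_c"])
    b_word = (rails["b_t"], rails["b_c"])
    x_t, x_c = two_rail_and(a_word, b_word)
    x = (stuck.get("x_t", x_t), stuck.get("x_c", x_c))
    flag = not (is_valid(a_word) and is_valid(b_word) and is_valid(x))
    return x, flag


def all_effective_single_faults_detected():
    """Every single stuck-at that actually alters a rail is flagged by the
    checker, for every input combination (the single-failure claim above)."""
    names = ["a_t", "a_c", "b_t", "b_c", "x_t", "x_c"]
    for abit in (0, 1):
        for bbit in (0, 1):
            a, b = encode(abit), encode(bbit)
            x, _ = two_rail_network(a, b)
            normal = dict(zip(names, a + b + x))
            for rail in names:
                for value in (0, 1):
                    if normal[rail] == value:
                        continue            # stuck at its normal value: no error
                    _, flag = two_rail_network(a, b, {rail: value})
                    if not flag:
                        return False
    return True


def undetected_double_fault():
    """Caveat: a double fault that flips BOTH rails of A turns a valid 0 into a
    valid 1, so the checker stays silent while X is wrong. Returns (x, flag)."""
    return two_rail_network(ZERO, ONE, {"a_t": 1, "a_c": 0})


if __name__ == "__main__":
    print("single faults all flagged:", all_effective_single_faults_detected())
    print("double fault on A:", undetected_double_fault())
```

The checker here looks at every codeword, inputs included, which is what makes any single rail change visible: a single stuck-at can only turn 01 or 10 into 00 or 11. The double-fault function shows why the text restricts the claim to single failures.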
MULTIPLE LOGIC FAULTS
The subject of multiple faults is approached from the viewpoint that failures in a network can be represented as S-@-0 and S-@-1 conditions. This assumption covers most circuit failures due to a diode being open or shorted, a cut wire, a resistor being open or shorted, or a semiconductor being open or shorted. It also assumes that more than one such fault is present in the circuit at the time a test is performed for detection. One problem associated with multiple faults in a given network is the potentially large number of faults in it. In a network with M lines, there are 2^M - 1 possible multiple faults. This potential number of multiple faults does not include internal failures that are isolated from the input or output pins of the logic gates.
One technique has been to generate a method to detect single faults and then extend it so that it can handle some specified types of multiple faults. In doing so, a problem which arises is the masking phenomenon among faults. As an illustration, consider the circuit of Figure G-1. When the input variables are at the logic states AB = 01, detection of the single fault of line a being S-@-1 can be accomplished. If lines a and c are both S-@-1, then the application of AB = 01 will not detect the presence of line a being S-@-1. This corresponds to a masking effect of line c on line a under the presence of test AB = 01. However, this masking is not a problem if we apply a different set of input variables in addition to AB = 01. The application of AB = 11 detects the fault of line c being S-@-1, and no fault masks line c being S-@-1 under the presence of the test AB = 11.
As another example of fault masking, consider the logic network shown in Figure G-2. In this network a fault consisting of line a being S-@-1 is not detectable at the output X. The set of input variables, S = ABCD, ABC, ABCDE, ABCDE, and BCD, will detect all single faults in
by the input variables ABCDE. However, this input will not detect the fault in the presence of the fault of line a being S-@-1, because the effect of the fault cannot be made to propagate through gate 6 when a = c = 1. Under these conditions, line b being S-@-0 is detectable when the input variables are ABC, which is not included in the set of input tests.
The occurrence of an undetectable fault can make two distinguishable faults indistinguishable, as shown in Figure G-3 for the following example. The fault consisting of line b being S-@-1 is not detectable at output Y. The fault consisting of line a being S-@-0 is detectable at output Y by setting the input variables at ABC, and at output X by setting the input at ABC. The fault consisting of line c being S-@-0 is detectable only at output X by the input variables ABC. Hence, line a and line c, S-@-0, are distinguishable. However, if the fault consisting of line b being S-@-1 occurs, these two faults (lines a and c) become indistinguishable, since they are both detectable only on output X by the input variables ABC. Therefore, any set of input variables that detects all single faults may not necessarily detect all multiple faults for multilevel networks with multiple outputs. This is also true of single-output multilevel networks, as illustrated in Figure G-4 and Table A. The six sets of input
Table A: six sets of input variables for the network of Figure G-4
A B C D E F
1 1 1 0 1 0
0 0 1 0 0 1
0 1 1 1 1 0
1 0 0 1 0 0
1 0 1 1 0 1
0 1 0 1 1 1
[Figure G-4: Logic Network showing Fault Masking for Single Outputs]
but they do not detect the multiple fault that consists of the following four faults: lines a and f S-@-0 and lines b and e S-@-1. Consequently, the technique of monitoring the output of a logic network to detect all logic faults is not adequate, because of the inability to propagate many faults through
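The masking behaviour described above for Figure G-1, and the later point that a test set detecting every single fault need not detect every multiple fault, can be reproduced with a small stuck-at fault simulator. The Python below is an added example, not the thesis's code, and its two networks are constructed for the purpose, since Figures G-1, G-2 and G-4 are not reproduced on the page: the first network is simply one in which line c = NOT b and X = XNOR(a, c), which shows the same masking of a S-@-1 by c S-@-1 under AB = 01 and its detection under AB = 11; the second realizes F = a + a·b with the fan-out of a modelled as two branch lines a0 and a1, so that a redundant branch fault can mask a detectable one. The class and function names are this example's own.

```python
"""Stuck-at fault simulation showing fault masking. Added example; the two
networks are constructed for it and are not the thesis's figures."""
from itertools import combinations, product

GATES = {
    "NOT": lambda v: 1 - v[0],
    "BUF": lambda v: v[0],
    "AND": lambda v: int(all(v)),
    "OR": lambda v: int(any(v)),
    "XNOR": lambda v: int(v[0] == v[1]),
}


class Network:
    """Gate-level network: `gates` maps an output line to (type, input lines),
    listed in topological order. A fault set is a dict {line: stuck value}."""

    def __init__(self, inputs, gates, output):
        self.inputs, self.gates, self.output = inputs, gates, output
        self.lines = inputs + list(gates)

    def evaluate(self, vector, faults=None):
        """Simulate one input vector; a stuck line ignores whatever drives it."""
        faults = faults or {}
        val = {pi: faults.get(pi, v) for pi, v in zip(self.inputs, vector)}
        for line, (kind, ins) in self.gates.items():
            val[line] = faults.get(line, GATES[kind]([val[i] for i in ins]))
        return val[self.output]

    def detects(self, vector, faults):
        """A test detects a fault set when the output differs from fault-free."""
        return self.evaluate(vector) != self.evaluate(vector, faults)

    def detected_by(self, tests, faults):
        return any(self.detects(t, faults) for t in tests)

    def fault_sets(self, size):
        """Every combination of `size` distinct stuck lines with stuck values."""
        for chosen in combinations(self.lines, size):
            for vals in product((0, 1), repeat=size):
                yield dict(zip(chosen, vals))

    def undetected(self, tests, size):
        return [f for f in self.fault_sets(size) if not self.detected_by(tests, f)]

    def masked(self, tests, size):
        """Fault sets that escape `tests` although at least one member fault,
        taken alone, is detected by them: the masking phenomenon."""
        return [f for f in self.undetected(tests, size)
                if any(self.detected_by(tests, {l: v}) for l, v in f.items())]


# Network 1 (constructed): line a = input a, line c = NOT b, X = XNOR(a, c).
G1_LIKE = Network(["a", "b"],
                  {"c": ("NOT", ["b"]), "X": ("XNOR", ["a", "c"])}, "X")

# Network 2 (constructed): F = a + a.b, fan-out of a as branch lines a0, a1.
REDUNDANT = Network(
    ["a", "b"],
    {"a0": ("BUF", ["a"]), "a1": ("BUF", ["a"]),
     "g": ("AND", ["a1", "b"]), "F": ("OR", ["a0", "g"])},
    "F",
)
ALL_VECTORS = list(product((0, 1), repeat=2))
SINGLE_COMPLETE = [(1, 0), (0, 1)]   # detects every detectable single fault of REDUNDANT


if __name__ == "__main__":
    print("ab=01 detects a/1:", G1_LIKE.detects((0, 1), {"a": 1}))
    print("ab=01 detects {a/1, c/1}:", G1_LIKE.detects((0, 1), {"a": 1, "c": 1}))
    print("ab=11 detects {a/1, c/1}:", G1_LIKE.detects((1, 1), {"a": 1, "c": 1}))
    print("singles missed by T:", REDUNDANT.undetected(SINGLE_COMPLETE, 1))
    print("singles missed by all vectors:", REDUNDANT.undetected(ALL_VECTORS, 1))
    print("masked doubles under T:", REDUNDANT.masked(SINGLE_COMPLETE, 2))
```

For REDUNDANT the two-vector set T misses exactly the single faults that no test can detect (b S-@-0, b S-@-1, a1 S-@-0, g S-@-0, all made redundant by the term a·b), so T is single-fault complete; yet three double faults escape it, each pairing a detectable fault with one of those redundant ones. That is the single-output analogue of the Figure G-4 result, and it is why the text moves fault detection to the gate level rather than relying on network outputs.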
Practical electronic switching circuits differ from theoretical circuits largely in the presence of delay. Signals representing the same variable may temporarily take opposite values; signals representing complements may temporarily take identical values. As a result of this departure from the ideal, a switching circuit may operate incorrectly. A logic circuit in which delays may assume values which will cause this incorrect operation contains a fault commonly referred to as a hazard. Such faults cannot be designed away and have to be corrected by delay, whether or not the circuit contains fail-safe gates.
Figure H-1 contains the Karnaugh map of a switching function and a minimum AND/OR gate realization of that function. If we assume that ABCD = 0110, we expect F = 1. If we change A so that ABCD = 1110, we expect F = 1. But the new value of A propagates toward the output along two paths. One path includes gates 1, 3 and 6; the second path includes gates 4 and 6. If the total delay introduced by gates 1 and 3 is less than the delay of gate 4 (T1 + T3 < T4),
[Figure: Karnaugh map with row header AB, and its gate realization]
[Figure H-2: A Network which is not Static Hazard Free if Two Input Variables Change]
then for a period of time [T4 - (T1 + T3)] zeros will be present at all input terminals of the OR gate. A zero will appear on the output line if these input signals remain long enough for gate 6 to respond, i.e.,
This is in contradiction to the ideal Boolean algebra expression. Whether a 0 will appear in a given network will depend on the specific delay magnitudes of that network.
Once these static hazards are identified, they may be eliminated by proper design. One prime implicant selected when designing the network of Figure H-1 covers minterm 0110 and another covers minterm 1110. The AND gates 3 and 4 correspond directly to these prime implicants. When we vary the input signal, we cause the output signal of one of these gates to change from 0 to 1 and the output signal of the other AND gate to change from 1 to 0. If these variations do not take place at the same time, a false value of F will appear. The solution to this problem is the addition of a redundant AND gate that maintains an output value of 1 when A is varied. It is always possible to find a suitable AND gate (prime implicant) when we consider changes of a single input variable only (adjacent minterms). If we add to the network of Figure H-1b an AND gate that realizes prime implicant BCD (the prime implicant that covers minterms 0110 and 1110), this hazard will be removed. This additional AND gate continuously presents a 1 to the OR gate when A is changed. Consequently, F may not vary as a result of these changes of A. In summary, static hazards are eliminated from logic gates by basing such networks on a prime implicant cover of a switching function such that every pair of adjacent minterms is covered by at least one selected prime implicant.
MULTIPLE INPUT-CHANGE HAZARDS
If two or more input variables are allowed to change simultaneously, then false values of the output may arise in either of two ways. One is a generalization of the static hazard and can be prevented by a generalization of the technique for preventing static hazards. Figure H-2 provides a map and realization of a switching function that illustrates the generalized static hazard. The network is free of static hazards if only a single input-variable change is allowed. But if the input is varied from ABCD = 1111 to 0101, i.e., A and C are changed at the same time, then the output signals of all four AND gates must change. If AND gates 3 and 4 provide 0's to the OR gate before AND gates 5 and 6 provide 1's (due to the delay introduced by the inverters), then a false value of F may appear.
Generalizing to include this type of activity, a static hazard exists if f(X1) = f(X2) = 1 (or 0) and f = 0 (1) can appear temporarily when the input is changed from X1 to X2. This static hazard may be eliminated by including
X2 if such a prime implicant exists. Prime implicant BD must be included to prevent the static hazard mentioned. Eliminating static hazards (in general) requires that all prime implicants be included in the sum-of-products expression of a function. Networks based upon the sum of all prime implicants will not be free of all hazards if arbitrary input changes are allowed. No prime implicant covers minterms 1011 and 1110 in Figure H-2. Thus, input changes from 1011 to 1110 or vice versa are not necessarily free of hazards.
If an input is allowed to change from X1 to X2 and the smallest cube which covers minterms X1 and X2 is not an implicant of the function, then a function hazard exists. In Figure H-2, if the input varies from 1011 to 1110, i.e., both B and D change, then the output signal of AND gate 3 is to change from 1 to 0, and the output signal of AND gate 4 is to change from 0 to 1. The AND gates 5 and 6 present 0's to the OR gate. The delays of gates 3 and 4 may be such that all 0's are temporarily presented to the OR gate and F may assume the false value of 0. Differences in gate delays have the effect of changing B and D in sequence. Because the exact magnitudes of these delays are unknown, we cannot conclude which sequence, B then D or D then B, the OR gate will see. The network can take either of the two paths marked on the Karnaugh map of Figure H-2.
Function hazards cannot be eliminated by adding redundant gates to a network. Function hazards are common if multiple input changes are allowed, so that input changes must be restricted when it is necessary for fault-free operation. Thus, a second restriction is placed upon the manner in which networks are operated: input changes are restricted to single input-variable variations.
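As an added example (not the thesis's code), the Python below applies the two rules stated in this appendix to an arbitrary prime-implicant cover: a static hazard exists where a pair of adjacent 1-minterms is not covered by a single selected implicant, and a function hazard exists for a change X1 to X2 when the smallest cube spanning X1 and X2 is not an implicant of the function. It goes slightly beyond the text by also treating 0-to-0 changes, where the spanning cube must be an implicant of the complement. The function used, f = A'BD' + ACD', is constructed for the example because the maps of Figures H-1 and H-2 are not reproduced on the page; it has the same shape as the H-1 discussion, with the consensus term BCD' removing the hazard on the 0110 to 1110 change. Function names are this example's own.

```python
"""Static-hazard and function-hazard checks on a prime-implicant cover.
Added example (not the thesis's code); the function below is constructed and
is not the one in Figure H-1 or H-2. Minterms and implicants are strings over
A B C D; '-' in an implicant means "don't care" for that variable."""
from itertools import combinations, product


def minterms_of(cube):
    """All minterms covered by a cube such as '01-0'."""
    free = [i for i, ch in enumerate(cube) if ch == "-"]
    result = []
    for bits in product("01", repeat=len(free)):
        m = list(cube)
        for i, b in zip(free, bits):
            m[i] = b
        result.append("".join(m))
    return result


def covers(cube, minterm):
    return all(c == "-" or c == b for c, b in zip(cube, minterm))


def adjacent(m1, m2):
    """Two minterms are adjacent when exactly one variable differs."""
    return sum(a != b for a, b in zip(m1, m2)) == 1


def static_hazards(minterms, cover):
    """Single-input-change static hazards of an AND/OR realization of `cover`:
    adjacent 1-minterms that no single selected implicant covers together."""
    return [(m1, m2) for m1, m2 in combinations(sorted(minterms), 2)
            if adjacent(m1, m2)
            and not any(covers(c, m1) and covers(c, m2) for c in cover)]


def spanning_cube(x1, x2):
    """Smallest cube covering both input combinations."""
    return "".join(a if a == b else "-" for a, b in zip(x1, x2))


def function_hazard(minterms, x1, x2):
    """Function hazard for the change x1 -> x2 (any number of variables):
    f(x1) == f(x2) but the spanning cube is not an implicant of f (1 -> 1
    change) or of its complement (0 -> 0 change), so some ordering of the
    individual variable changes passes through the opposite output value."""
    f1, f2 = x1 in minterms, x2 in minterms
    if f1 != f2:
        return False    # the output is meant to change: not a hazard
    return any((m in minterms) != f1 for m in minterms_of(spanning_cube(x1, x2)))


# Constructed function: f = A'BD' + ACD', minterms 0100, 0110, 1010, 1110.
F_MINTERMS = {"0100", "0110", "1010", "1110"}
MIN_COVER = ["01-0", "1-10"]              # minimum cover: two AND gates
HAZARD_FREE_COVER = MIN_COVER + ["-110"]  # add the consensus term BCD'


if __name__ == "__main__":
    print("hazards, minimum cover:", static_hazards(F_MINTERMS, MIN_COVER))
    print("hazards, with BCD' added:", static_hazards(F_MINTERMS, HAZARD_FREE_COVER))
    print("function hazard 0100 -> 1110:", function_hazard(F_MINTERMS, "0100", "1110"))
```

The minimum cover reports exactly one hazard, on the adjacent pair 0110/1110 where A changes, and adding the consensus implicant clears it. The two-variable change 0100 to 1110 spans the cube -1-0, which contains the 0-minterm 1100, so it is a function hazard that no added gate can remove, matching the conclusion of the appendix.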
APPENDIX I
ANALYSIS OF THE CMOS GATE
The following analysis of the CMOS inverter, Figure I-1, will illustrate many of its characteristics. It consists of P- and N-channel (MOS) transistors connected as shown in Figure I-2. The following equations describe the channel characteristics of the transistors when they are connected together:
μ = surface mobility of channel carriers
Z = channel width
L = channel length
C_OX = capacitance formed by the silicon substrate and metal gate
Input voltage, V_IN               | Region | Q1       | Q2
0 ≤ V_IN ≤ V_TN                   | I      | NON-SAT. | CUT-OFF
V_OUT - V_TP ≥ V_IN > V_TN        | II     | NON-SAT. | SAT.
V_OUT - V_TP ≤ V_IN ≤ V_OUT + V_TN | III    | SAT.     | SAT.
V_OUT + V_TN ≤ V_IN ≤ V_DD - V_TP | IV     | SAT.     | NON-SAT.
V_DD - V_TP ≤ V_IN ≤ V_DD         | V      | CUT-OFF  | NON-SAT.
Piecewise Linear Equations showing Operation of Transistors Q1 & Q2 in Figure I-1
FIGURE I-2
The N-channel device operating in the saturated region:
The operation of the complementary-pair MOS inverter, as defined in Eq. I-1, I-2, I-3, and I-4, is illustrated in Figure I-2b, which shows the voltage transfer characteristics (V_IN versus V_OUT) for a supply voltage of +10 VDC. These characteristics have been divided into five regions, and the functions of transistors Q1 and Q2 are summarized in Table I-1. Using the DC equations for the N-channel transistor in Eq. I-1 and the P-channel transistor in Eq. I-3 and I-4, the DC transfer characteristics of the CMOS inverter are calculated as follows:
DP = 0 (1-5)








The equation for V0TJT













Figure I-3 illustrates the calculated (Eq. I-5, I-6, I-7,
and I-8) voltage transfer characteristics for the CMOS

From the transfer curve it can be seen that the transfer
voltage, V_T, is approximately equal to 4.5 volts. If
K_P = K_N, the transfer voltage would be equal to V_DD/2,
the symmetry of which is apparent. However, the values for
K_N and K_P are usually different for the gate, reflecting

FIGURE I-3 (calculated voltage transfer characteristic of
the CMOS inverter; horizontal axis: V_IN, volts)
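The script below is an added example and not the thesis's own derivation: Eq. I-1 to I-8 did not survive extraction, so it uses the standard long-channel square-law MOSFET model with the page's symbols, classifies each operating point into the five regions of Table I-1 (Figure I-2), solves the node equation I_DN = I_DP for V_OUT by bisection, and locates the transfer voltage V_T both numerically and in closed form from the region III equality. Only V_DD = 10 V comes from the text; V_TN, V_TP, K_N and K_P are assumed values that happen to give V_T near 4.5 V because K_N > K_P, and with K_N = K_P the same formula gives V_DD/2, as the text states.

```python
"""DC transfer characteristic of the CMOS inverter of Appendix I.

Added example, not the thesis's own equations: Eq. I-1 to I-8 did not survive
extraction, so the standard long-channel square-law MOSFET model is used, with
the page's mu, C_ox, Z and L absorbed into one conductance factor per device
(K_N, K_P, in A/V^2). V_TP is the magnitude of the P-channel threshold, as in
the page's "V_DD - V_TP". Every numeric value except V_DD is an assumption.
"""

VDD = 10.0   # supply voltage, volts (the page's +10 V DC case)
VTN = 2.0    # N-channel threshold, volts (assumed)
VTP = 2.0    # magnitude of the P-channel threshold, volts (assumed)
KN = 2.0e-4  # N-channel conductance factor, A/V^2 (assumed)
KP = 1.0e-4  # P-channel conductance factor, A/V^2 (assumed; mu_n ~ 2 mu_p)


def i_n(vin, vout, kn=KN, vtn=VTN):
    """Drain current of the N-channel device (gate V_IN, drain V_OUT, source 0)."""
    vgs, vds = vin, vout
    if vgs <= vtn:
        return 0.0                                         # cut-off
    if vds < vgs - vtn:                                    # non-saturated
        return kn * (2.0 * (vgs - vtn) * vds - vds * vds)
    return kn * (vgs - vtn) ** 2                           # saturated


def i_p(vin, vout, vdd=VDD, kp=KP, vtp=VTP):
    """Drain current of the P-channel device (gate V_IN, drain V_OUT, source V_DD)."""
    vsg, vsd = vdd - vin, vdd - vout
    if vsg <= vtp:
        return 0.0                                         # cut-off
    if vsd < vsg - vtp:                                    # non-saturated
        return kp * (2.0 * (vsg - vtp) * vsd - vsd * vsd)
    return kp * (vsg - vtp) ** 2                           # saturated


def region(vin, vout, vdd=VDD, vtn=VTN, vtp=VTP):
    """Region I..V of Table I-1 (Figure I-2) for the operating point (V_IN, V_OUT)."""
    if vin <= vtn:
        return "I"     # P non-sat., N cut-off
    if vin <= vout - vtp:
        return "II"    # P non-sat., N sat.
    if vin <= vout + vtn:
        return "III"   # P sat., N sat.
    if vin <= vdd - vtp:
        return "IV"    # P sat., N non-sat.
    return "V"         # P cut-off, N non-sat.


def vout_for(vin, vdd=VDD, kn=KN, kp=KP, vtn=VTN, vtp=VTP, tol=1e-9):
    """Solve the node equation I_DN = I_DP for V_OUT by bisection.

    I_DN rises and I_DP falls as V_OUT rises, so I_DN - I_DP is monotonic with
    one root in [0, V_DD]. In region III both currents are independent of
    V_OUT, which is why the transfer curve is nearly vertical there.
    """
    lo, hi = 0.0, vdd
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if i_n(vin, mid, kn, vtn) < i_p(vin, mid, vdd, kp, vtp):
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def transfer_voltage(vdd=VDD, kn=KN, kp=KP, vtn=VTN, vtp=VTP, tol=1e-7):
    """V_T, the input at which V_OUT = V_IN, found by bisection on the curve."""
    lo, hi = 0.0, vdd
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if vout_for(mid, vdd, kn, kp, vtn, vtp) > mid:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def transfer_voltage_analytic(vdd=VDD, kn=KN, kp=KP, vtn=VTN, vtp=VTP):
    """Closed form of V_T from the region III equality
    K_N (V_T - V_TN)^2 = K_P (V_DD - V_T - V_TP)^2; K_N = K_P gives V_DD/2."""
    r = (kn / kp) ** 0.5
    return (vdd - vtp + r * vtn) / (1.0 + r)


def transfer_curve(step=0.5, vdd=VDD, kn=KN, kp=KP, vtn=VTN, vtp=VTP):
    """(V_IN, V_OUT, region) samples, i.e. the data behind a Figure I-3 plot."""
    n = int(round(vdd / step))
    pts = []
    for k in range(n + 1):
        vin = k * step
        vout = vout_for(vin, vdd, kn, kp, vtn, vtp)
        pts.append((vin, vout, region(vin, vout, vdd, vtn, vtp)))
    return pts


if __name__ == "__main__":
    for vin, vout, reg in transfer_curve():
        print(f"V_IN={vin:5.2f}  V_OUT={vout:6.3f}  region {reg}")
    print("V_T numeric  :", round(transfer_voltage(), 3))
    print("V_T analytic :", round(transfer_voltage_analytic(), 3))
    print("V_T with K_N = K_P:", transfer_voltage_analytic(kn=KP))  # V_DD/2
```

The closed form makes the asymmetry explicit: with r = sqrt(K_N/K_P), V_T = (V_DD − V_TP + r·V_TN)/(1 + r), so a stronger N-channel device (r > 1) pulls the switching point below V_DD/2, which is the direction of the 4.5 V figure quoted in the text.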