The authors introduce two low-cost, modular, totally self checking (TSC), edge triggered and error propagating (code disjoint) flip-flops: one, a D flip-flop used in TSC and strongly fault secure (SFS) synchronous circuits with two-rail codes, the other a T flip-flop, used in a similar way as the D flip-flop but retaining the error as an indicator until the next presetting, to aid error propagation. Thus, the self checking T flip-flop can be used as an error indicator. The self checking D flip-flop is smaller than the duplicate D flip-flop circuitry by 30%. The self checking T flip-flop error indicator is 60% smaller than the previous error indicator in the literature. These circuits, unlike previously reported circuits, can also detect stuck-at faults in the clock inputs. The authors have also presented TSC/error propagating applications for the above flip-flops: a counter and a shift register.
Introduction
Current circuit complexity makes the determination of errors in a circuit arduous. Totally self checking circuits, proposed by [1], use input output coding to determine whether a circuit is operating accurately. The code disjoint (CD) property is utilised to design TSC circuits at the system level. Circuits which are CD propagate the error through to indicate the error on the output. However, it is hard to devise circuits that are both TSC and CD.
A strongly fault secure circuit is a circuit that becomes a TSC circuit after a finite number of faults, and until then will operate correctly (or is fault secure). If, for the same faults, the circuit is code disjoint and then becomes self testing and still remains code disjoint, the circuit is said to be strongly code disjoint. Strongly fault secure circuits satisfy the goals of totally self checking circuits. As far as synchronous designs are concerned, there are no circuits to date that exhibit all the TSC properties. The sequential designs, which appear in [5] , add some extra circuitry to the clock of the ordinary memories to make register files with self testing load signals. The register file in [5] is not self testing for multiple unidirectional faults at clock input lines. The sequential circuits used in [5] with the proposed register file are based on the model given in [6] , which does not consider the faults in storage elements. Furthermore, these circuits did not incorporate preset and clear with unordered codes in their circuits. No single-chip flip-flop circuit with unordered coded clock, preset and clear that is TSC with the error propagating property, has yet been proposed.
The DD,-FF is an edge-triggered D-FF with the TSC property that is also error propagating. TT,-FF can be used as an error indicator circuit [7] . These circuits use two-rail code for the input output coding. For any two bits of a pair of two-rail code, we use one DD,-FF or one TT,-FF.
The size of the proposed DD,-FF is 30% less than duplicate D flip-flops. The duplicate D flip-flops circuit is not self testing for multiple unidirectional faults at clock input lines. The size of an edge triggered register file with two rail codes using the DD,-FFs is 33% less than the same register file proposed in [5] with Berger code. (Berger codes have the smallest number of bits among unordered codes.) The size of TT,-FF is 60% less than the error indicator circuit in [7] . Notice that the [7] circuit is only an error indicator and uses system clock which is not even self tested. The error indicator in [7] was proposed as a simpler circuit than the error indicator circuit in [8] .
We present simple applications for the above DD, and TT, flip-flops in the form of a TSC/CD counter and a TSC/CD shift register. DD,-FF and TT,-FF were introduced in [9, 10], respectively.
Definitions and notations
Input-output coding techniques are used to detect faults automatically. Single stuck at 0 and stuck at 1 faults and multiple unidirectional faults [11] are the faults modelled in this paper. It is also assumed that the time interval between two faults is long enough for the proper cycle and input code to pass through the circuit.
(i) A circuit is self-testing (ST) if, for every fault from a prescribed set, the circuit produces a noncodeword output for at least one codeword input [1].
(ii) A circuit is fault-secure (FS) if, for every fault from a prescribed set, the circuit never produces an incorrect codeword output for any codeword input [1].
(iii) A circuit is totally self-checking (TSC) if, for every fault from a prescribed set, the circuit is both ST and FS [1].
(iv) A circuit is code disjoint (CD) if it always maps codeword inputs to codeword inputs to noncodeword
(v) A circuit is strongly fault-secure (SFS) for a fault set F iff, for every fault f in F, either the circuit is TSC for {f}, or the circuit is FS for {f} and, if fault f occurs, the resultant circuit is still SFS for F - {f} [4].
(vi) A circuit is strongly code disjoint (SCD) for every fault set F iff, for every fault f in F, either (a) the circuit is CD, and is ST for f, or (b) the circuit is CD, and if fault f occurs, the resultant circuit is still SCD for F - f [12].
Note that the checker circuits need to be TSC/CD. It has been shown that TSC goal can be achieved by SFS circuits [4]. The strongly code disjoint (SCD) property in SFS circuits has the same goal as CD property in TSC circuits. A checker can be SFS/SCD [12].
In each set of equations for internal states and output, the min-terms are separated in two parts, called the operating min-terms and latching min-terms, respectively. For the XX, pair, the C.X and C.X, are the latching part, because they keep the value of X and X, constant when C = 1(C, = 0). Similarly, C,.Q and C,.Q, keep the value of Q and Q, constant when C = The values of Q and Q, will change due to values of X, and X, respectively, when C = 1(C, = 0). When C = 0(C, = 1), the values of X and X, change due to DD,. Therefore, the flip-flops are positive edge triggered, because at this edge, X and X, stop changing (due to inputs) and Q and Q, accept the values of X, and X.
During the fault-free operation of DD,-FF, any DD, codeword values (01 or 10) are transferred to QQ, at the following positive edge of clock (CC, change from 01 to 10). Similarly, the noncodeword values (00 or 11) of DD, are transferred to QQ,. In the DD,-FF, any noncodeword output can be changed to any other codeword or noncodeword by the input codeword or noncodeword. Therefore, the DD,-FF satisfies the error propagating property.
The function table of the DD,-FF is shown in Table 1. Sixteen possible conditions are marked with 
Every possibility of a stuck at fault has been checked. For instance, for any stuck-at fault, there is a condition for the circuit that can check that fault. The test conditions will occur during circuit clocking and DD, input changes. To check any possibility of stuck-at fault, the input lines of AND gates are marked with a number. In Table 2, both stuck-at faults for each line are checked to produce the noncodeword output with one of input codeword conditions (d1, d2, d3, d4). Some errors appear instantly, while other errors appear after the next positive edge. In Table 2, all conditions with a dot above it (d4) appear immediately, while others appear after the next positive edge. Both kinds of error indication for line 1 are shown in Fig 
11 stuck-at-1, at the output a noncodeword appears immediately. On the other hand, if there is a stuck-at-0 fault as shown in Fig. 2 (5), the noncodeword appears after the next positive going edge. Any noncodeword output remains at least for one clock edge and it can be detected by the error indicator circuit. The stuck-at faults of OR gates are checked automatically. The stuck-at faults of inputs and clock which have multiple fan-out are explained in the next Section for the code disjoint property.
Clock considerations
Errors in the clock inputs have been taken into consideration. As can be seen from Fig. 1, QQ, will be 00 when CC, = 00. Since QQ, = 00 is a noncodeword, an error is indicated. When CC, = 11 (for the DD,-FF), if DD, = QQ,, the values of XX, and QQ, will not change from their previous values. However, when DD, = Q,Q both XX, and QQ, will become 11, which being a noncodeword will indicate an occurrence of an error. For normal operation of the clock circuit, CC, has to pass a transient state of 00 or 11 when changing from 01 to 10 or from 10 to 01. However, it is desirable to have a 11 intermediate transient state, which should last for less than the propagation delay of the flip-flop circuit. This can be achieved by passing the original clock through a NAND latch circuit. The changes of DD, inputs should be avoided during clock transition time. Such a change may produce an unknown output. This problem also exists for other fault-tolerant design
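The error-propagating and clock-fault behaviour described above can be checked with a small simulation. This is an added example, not the authors' circuit: the gate-level equations of Fig. 1 are not reproduced here, so the AND-OR equations in `SelfCheckingDFF` are an assumption inferred from the latching and operating terms named in the text, and all names and input sequences are constructed.

```python
# Behavioural model inferred from the prose only (assumption: each signal is
# "latching term OR operating term"; Fig. 1 itself is not on this page).

def is_codeword(pair):
    """Two-rail codewords are 01 and 10; 00 and 11 are noncodewords."""
    return pair[0] != pair[1]

class SelfCheckingDFF:
    def __init__(self):
        # Constructed start state holding D = 0: XXn = 10, QQn = 01.
        self.state = (1, 0, 0, 1)            # (X, Xn, Q, Qn)

    def apply(self, c, cn, d, dn):
        """Apply clock and data levels, settle the feedback, return (Q, Qn)."""
        while True:
            x, xn, q, qn = self.state
            nxt = ((c & x) | (cn & dn),      # X  = C.X   + Cn.Dn
                   (c & xn) | (cn & d),      # Xn = C.Xn  + Cn.D
                   (cn & q) | (c & xn),      # Q  = Cn.Q  + C.Xn
                   (cn & qn) | (c & x))      # Qn = Cn.Qn + C.X
            if nxt == self.state:
                return q, qn
            self.state = nxt

def run(data, stuck=None):
    """Clock one flip-flop through `data`, a list of (D, Dn) pairs.

    `stuck` forces clock lines, e.g. {"c": 0} for C stuck-at-0.
    Returns the (Q, Qn) pair observed after each clock phase.
    """
    stuck = stuck or {}
    ff, seen = SelfCheckingDFF(), []
    for d, dn in data:
        for c, cn in ((0, 1), (1, 0)):       # CCn = 01, then the positive edge
            seen.append(ff.apply(stuck.get("c", c), stuck.get("cn", cn), d, dn))
    return seen

ALTERNATING = [(1, 0), (0, 1), (1, 0), (0, 1)]    # constructed codeword inputs
CLOCK_FAULTS = [{"c": 0}, {"c": 1}, {"cn": 0}, {"cn": 1},
                {"c": 0, "cn": 0}, {"c": 1, "cn": 1}]

def clock_fault_detected(stuck):
    """True if the fault yields a noncodeword output for codeword inputs."""
    return any(not is_codeword(p) for p in run(ALTERNATING, stuck))

if __name__ == "__main__":
    print("fault-free:", run(ALTERNATING))
    for fault in CLOCK_FAULTS:
        print(fault, "detected" if clock_fault_detected(fault) else "missed")
    print("noncodeword inputs:", run([(0, 0), (1, 1), (1, 0)]))
```

In this model every single and unidirectional double stuck-at fault on the clock pair drives QQ, to 00 or 11 within the alternating input sequence, and a noncodeword on DD, appears unchanged on QQ, after the next positive edge.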
Preset (PR, PR,) and clear (CLR, CLR,)
The complementary parts of PR, PR, and CLR, CLR, are shown in Fig. 1 with dashed lines. Note the flip-flop is positive edge triggered. The CC, lines can be swapped to make the flip-flop negative edge triggered.
The circuits of DD,-FF in Fig. 1 are formed with AND-OR gates. For ease of use in VLSI circuits, the DD,-FF can be made with NAND gates as given in [9]. Therefore, their PR, PR, and CLR, CLR, lines in Fig. 1 are activated by 10 values. These clear and preset lines are added with TSC/CD property. These lines are used for normal operation and presetting of the flip-flop circuits. These preset and clear lines restore the circuit to an error-free state.
The TSC property of the CLR, CLR,, PR and PR, lines is apparent, since any incorrect stuck-at-0 or -1 will create a 00 or 11 combination for the CLR, CLR, or PR, PR,. These noncodeword combinations latch one of the X, X,, Q or Q, to a fixed value (0 or 1). This fixed value will result in an error condition.
For the CD (error propagating) property different situations should be considered. If these clear and preset lines are not used (PRPR, = 10, CLRCLR, = 10) and they are connected to a logical level, only the stuck-at error situation has to be considered. The other cases are where only one of these two pairs is connected to constant value (01) and the other is under control of data. In this case, if controlled lines have a noncodeword (00 or 11), one of Q or Q, values will latch to 0 or 1 without affecting the value of the complementary pair. If this situation continues long enough, a noncodeword will appear. Since clear or preset is connected to a large number of flip-flops in a circuit, the probability of instantaneous error indication is high. The last possible connection is that both PR, PR, and CLR, CLR, are under the control of the input data and the load signal. In this case, the noncodeword data inputs (00 or 11) will make PR, PR,, CLR, CLR, = 0000 or 1111. When PR, PR,, CLR, CLR, is 0000, the output becomes 00 and when it is 1111 the output becomes 11. These are error indications.
Simple application (shift register)
The self checking shift register circuit with the DD,-FFs and four to one multiplexers is shown in Fig. 3. The combinational part of the circuit (multiplexers), attached to DD,-FFs, can be designed in different ways. The design method of the combinational part determines whether the circuit is TSC/CD or SFS/SCD. The different modes of shift register operation can be chosen by So, So,, SI, SI, as given in Table 3.
Hardware cost
In any fault-tolerant method, there are some extra bits for coding and most synchronous circuits use two-rail code. Two other methods are currently proposed in the literature, one the duplication method, the other by Nanya in [5]. In our method, for every pair of complementary data, only one flip-flop is used. The duplicate circuit of edge triggered D flip-flops for a pair of two-rail code is shown in Fig. 4. If CK, CK, in Fig. 4 becomes stuck-at 00 or 11, it will not produce noncodeword output. Therefore, the duplicate D flip-flops are not self testing for clock input lines. Nanya has proposed a circuit to make the register load signal self testing, which is connected to the clock input of the memory [5]. This is an edge-triggered D flip-flop with self testing load signal which can be used for two-rail clock. But, for multiple unidirectional stuck-at faults in 'CP' lines of register file with bit slice circuit in Fig. 5, the circuit may not produce noncodeword outputs. Therefore, the register file with bit slice circuit in Fig. 5 is not self testing for clock input lines. If an 8-bit of data is coded with Berger code which has the least number of check bits as used in [5], the codewords are Notice that the code translation from two rail to Berger and vice versa is also added to the cost of method in [5].
TT,-FF

Equations and circuits
Internal next state and output equations of TT,-FF, circuit diagram and its symbolic representation are given in Fig. 6 . It is contrasted to the previous circuit proposed in [7] in Figs. 7 and 8. In the equations of Fig. 6 , the complementary parts are labelled with an extra yz (i.e. C = clock and C, = C', T, = T'). Also 'X, X,' and 'Q, Q,' are complementary pairs in a fault-free operation with input codewords.
In these equations for internal states and outputs, the min-terms can be separated in two parts, as the operating and latching parts.
For X and X,, the C.X and C.X, are the latching part, because they keep the value of X and X, constant when C = 1(C, = 0). In the same way, C,.Q and C,.Q, 
Properties
For the TT,-FF, four possible cases can occur. One, if TT, = 01, the internal state XX, will be Q,Q during the clock period CC, = 01. Thus QQ, remains unchanged. Two, when TT, = 10, the internal state XX, will be QQ, during the clock period CC, = 01. QQ, is then equal to XX, when CC, = 10. In this case the outputs have swapped values. Cases three and four are where TT, has noncodeword values (i.e. operation is under error conditions). When TT, is 11 or 00, XX, will be the same as the input. Under this error condition, QQ, will have the same noncodeword value of 11 or 00 after the clock edge. The output changes can occur in the circuit when the input exists before the clock edge and remains stable during the clock transient states. Nonsynchronised input changes (during the clock edge) produce an unknown output in an edge triggered synchronous circuit and must be avoided.
After an occurrence of an error, the output will not revert back to a code word until the next presetting of the circuit. When an error has occurred (i.e. QQ, = 11 or 00), if QQ, = 00, no input (i.e. TT, = 10, 01) can change its value. If QQ, = 11, TT, = 00 can change the output QQ, to 00, which is still an error condition. This property of TT,-FF can be used as an error indicator. This also keeps the error to be propagated through the system. It is useful in a system in which an 'error blocking path', as mentioned in [13], exists. The function table of the TT,-FF is shown in Table 5. Sixteen possible conditions are marked with t1, t2, ..., t16. To check any possibility of stuck-at fault, the input lines of AND gates are marked with a number. Every possibility of a stuck-at fault has been checked like DD,-FF. In Table 6, both stuck-at faults for each line are checked to produce the noncodeword output with one of input codeword conditions (t1, t2, t3, t4).
Clock considerations
Errors in the clock inputs have also been taken into consideration.
As can be seen from Fig. 6 , QQ, will be 00 when CC, = 00. Since QQ, = 00 is a noncodeword, an error has been indicated.
When CC, = 11, if TT, = 01, the values of XX, and QQ, will not change from their respective previous values. However, when TT, = 10, both XX, and QQ, will become 11 which, being a noncodeword, will indicate an occurrence of an error.
As explained for DD,-FF, CC, has a transient state of 11 when changing from 01 to 10 by passing the original clock through a NAND latch circuit. The CC, transient 11 value occurs for one gate delay, which is less than the delay of the (minimum) two-level logic circuit of XX, or QQ,. CC, is already 10 before changes in QQ, can have a feedback effect. Therefore, the CC, transient state cannot produce a noncodeword when TT, = 10.
The changes of TT, should be avoided during clock transition time. Such a change may produce an unknown output. This problem also exists for other fault tolerant design methods [7] .
Preset (PR, PR,) and clear (CLR, CLR,) circuit
For the CD property different situations should be considered. If these clear and preset lines are not used (PRPR, = 10, CLRCLR, = 10) and they are connected to a logical level, only the stuck-at error can occur. The other case is where only one of these two pairs is connected to a constant value (01) and the other is under control of input data. In this case, if the controlled lines have a noncodeword (00 or 11), one of Q or Q, values will latch to 0 or 1 without affecting the value of complementary pair. If this situation continues long enough, a noncodeword will appear. Since clear or preset is connected to a large number of flip-flops in a circuit, the probability of instantaneous error indication will be high. The last possible case is when both PR, PR, and CLR, CLR, are under control of one pair of input data. In this case, the noncodeword data inputs (00 or 11) will make PR, PR,, CLR, CLR, = 0000 or 1111. When PR, PR,, CLR, CLR, is 0000 the output becomes 00 and, when it is 1111, the output becomes 11. These are error indications.
Simple application (counter)
TT,-FFs with TSC/CD combinational circuits are used for the counter. The circuit diagram is shown in Fig. 9. The I,, 11, to Ik, I,,, lines are for parallel loadings with Load, Load, control lines. The AI, AI,, to A/,, Akn are outputs. When Count, Count, = 10, the counter counts up if Up, Down = 10 and counts down when Up, Down = 01. The Clock, Clock, are input clock lines.
The counter with TT,-FFs produces a design with low complexity. Outputs of the counter in Fig. 9 can enter to an SFS circuit without any checker because of its error indication property. (Refer to [2] which proves this as a weakly code disjoint property for SFS circuits.)
Hardware cost
Hardware cost comparison of TT,-FF with the modified error indicator circuit in [7] is shown in Table 7. Clear and preset lines are not considered. Notice that the circuit in [7] is only an error indicator; it has extra delay elements and uses a system clock which is not self tested. The cost of the proposed circuit is 60% less than a conventional circuit, which is only an error indicator and is not self testing for its clock input lines.
