Abstract
Introduction
With the increasing use of VLSI circuits in critical applications such as automotive electronics, process control, implantable medical devices, and avionics, the need for fault-tolerant circuits is growing. Fault tolerance can be considered a design metric at any level of the design hierarchy, ranging from the circuit level to the system level. However, considering fault tolerance late in the design cycle often involves large overheads in area, delay, and power consumption. This motivates the application of fault tolerance at higher levels. Fault tolerance covers detection, diagnosis, and recovery from faults.
A formal characterization of fault security for multiprocessor schedules was presented in [1]. The concept of fault security was first integrated into the behavioral synthesis of application-specific integrated circuits in [2], where a technique for securing intermediate results in a computation was presented, in order to ease scheduling constraints and introduce additional opportunities for resource sharing. Allocation and assignment for ensuring fault security were addressed in [3]. Schemes for error recovery through checkpointing and rollback were presented in [4], [5], and [6]. Techniques for behavioral synthesis of reconfigurable or self-repairing data path structures were presented in [7].
Proceedings of FTCS-26
In this work, we focus on behavioral synthesis of fault-secure controller/data paths for data-dominated circuits. The data path is made fault-secure by having two separate threads of computation and comparing the results using equality checkers. In order to reduce the overheads required to provide fault security, we allow resource sharing between the two threads, and secure intermediate results by inserting comparison operations appropriately. We present an algorithm to determine which intermediate results to secure in order to maximize the benefits of resource sharing. Unlike previous work, where the decision of which intermediate results to secure was made statically before behavioral synthesis, our method performs this task dynamically (during behavioral synthesis). Thus, our algorithm also naturally explores cost tradeoffs between comparators and the other data path components such as functional units, registers, and multiplexers. We demonstrate that it is possible to significantly reduce the area overhead required for fault security if we are willing to tolerate a very small non-zero probability of aliasing. In this direction, we present an aliasing analysis procedure that guides behavioral synthesis by identifying configurations that are very unlikely to lead to aliasing. Our dynamic securing and aliasing probability analysis techniques have been integrated into an iterative improvement based behavioral synthesis framework that performs module selection, clock selection, scheduling, allocation and assignment while exploring the tradeoffs that result from the interaction of these tasks. To the best of our knowledge, no other work targets module or clock selection in behavioral synthesis for fault tolerance. We also allow for loops in the behavioral description, unlike many previous methods in this area.
Background
In this section we introduce some basic concepts that we use in our work. Behavioral Synthesis: Behavioral synthesis is the process of transforming a behavioral description of the system into a register-transfer level (RTL) implementation. Behavioral synthesis can be divided into several tasks such as scheduling, allocation, assignment, module selection and clock selection. We assume that the behavioral specification, which is usually provided in a hardware description language, has been compiled into a control-data flow graph (CDFG). Vertices in the graph represent operations and edges in the graph denote data or control dependencies. The process of scheduling assigns a cycle (or set of cycles) of execution to each operation in the CDFG. Clock selection refers to the procedure of choosing a value for the system clock period. Module selection involves choosing a module library template or functional unit type for each operation in the CDFG. The processes of functional unit allocation and assignment decide how many instances of each functional unit template (e.g., ripple_carry_adder, carry_lookahead_adder, array_multiplier, wallace_tree_multiplier, etc.) to use, and map the operations of the CDFG to the allocated instances. Fault Security: A circuit is said to be fault-secure with respect to a specified class of faults if, on the occurrence of any fault from the class, the circuit produces either the correct output or an output that will be detected as erroneous (i.e., an erroneous output never goes undetected). The fault model that we use in this work assumes the fault to be confined to a single unit in the circuit (e.g., adder, multiplier, register, multiplexer, etc.). The fault can last for any duration (i.e., it may be permanent or transient) and can cause an arbitrary error at the unit's output.
Duplication with comparison [8] is the traditional method of providing fault security to a system. The two circuits that execute the same computation will henceforth be referred to as the original and the copy. This method guarantees fault security against any fault that affects either the original or the copy, but not both. However, duplication and comparison after synthesis can lead to excessive overhead in circuit area. Moreover, having identical implementations for the original and copy leaves the circuit highly susceptible to common mode failures [9]. We use a variant of the duplication and comparison technique, where we duplicate the CDFG. We compare the outputs of the original and copy CDFGs for error detection by inserting a sufficient number of equal-to comparison operations in the CDFG. We assume that these comparison operations are performed by totally self-checking (TSC) equality checkers, and hence faults in the units implementing these comparisons need not be explicitly considered during behavioral synthesis. The outputs of all the TSC equality checkers can be reduced to just two outputs using a TSC two-rail checker. Securing of operations and edges: Securing of operations refers to a technique in which the outputs of some operations in the original part of the duplicated CDFG are compared with the results of the corresponding operations in the copy. The operations whose results are compared are referred to as the secured operations. Securing of operations has been used to ease scheduling constraints and create additional opportunities for resource sharing [2]. In the sections that follow, we use the term "secured edge" to mean an edge whose source node is secured. Aliasing: If a fault causes the circuit to fail in such a manner that the outputs of the original and the copy are equal but erroneous, aliasing is said to have occurred.
Given a duplicated CDFG and an RTL circuit that implements it, Observation 1 below gives the necessary condition for aliasing to occur due to a fault in any functional unit. 
Figure 2: Securing of nodes to enable sharing between copies
Aliasing is undesirable for fault security. One way to avoid aliasing is to impose the following constraint during resource sharing: operations in the original and the copy cannot be assigned to the same functional unit. This defaults to the approach of duplication and comparison after behavioral synthesis. To illustrate this approach, consider the duplicated CDFG shown in Figure 1. The operations in the CDFG are annotated with the names of the functional units that perform them. From the figure, we can see that four multipliers, two adders and one equality checker are required to implement the duplicated CDFG. A further refinement of the above idea, presented in [2], is the following: nodes in the original and the copy which are not separated by secured operations cannot share a functional unit. This constraint was imposed in [2] by first scheduling the original CDFG, then "delineating" the duplicated CDFG into several "regions," and finally scheduling the regions in the copy. Operations from the original and copy that belonged to different regions were allowed to be assigned to the same functional unit. These constraints were incorporated into an assignment procedure in [3].
Example 1:
Consider the duplicated CDFG in Figure 2 .
This CDFG was synthesized while allowing sharing between the original and the copy. We can see that a fault in functional unit M2 could lead to an error in both the original and the copy. However, if the extra equality checker eq2 is added, then the unsecured path between n1 and output Out is secured, so that the necessary condition for aliasing is not satisfied. This ensures that any fault in functional unit M2 that leads to an error at the final output will be caught by eq1 or by eq2. A secured operation "cuts" a path from the nodes it separates to primary outputs and loopouts, thus preventing aliasing (see Observation 1). The insertion of the extra TSC equality checker saves a multiplier, which is
Securing of operations can also be utilized to increase the scheduling freedom available to various operations in the CDFG, and hence the opportunities for resource sharing [2], as shown next.
Example 2:
Consider the transformed CDFG on the right in Figure 3. Here we make use of the same instance of operation n3 in both the original and the copy. The corresponding operation in the copy, n3_c, is now required to feed only the comparison operation with output check2, and hence the scheduling freedom available to operations in the transitive fanin of this operation is significantly enhanced. For instance, operation n3_c, which was initially required to complete in the second control step, can now be scheduled in control step 2 or 3. Scheduling it in control step 3 reduces the number of multipliers required to implement the duplicated CDFG from two to one, at the expense of an extra TSC equality checker.
In Figure 4, we allow sharing between nodes in the original and the copy even when there is no secured operation separating them. This is because, as illustrated in Section 4, the probability of aliasing, while not zero, can be shown to be extremely low. This saves one
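The situation of Example 1 can be reproduced on a toy data path. The following Python model is an added example, not code from the paper: a constructed three-operation CDFG (n1 = a*b, n2 = n1 + c, n3 = n2*d, feeding Out) is duplicated, the original's n1 and the copy's n3_c are placed on the same multiplier M2, and M2 is given a hypothetical fault (output bit 0 stuck at 1). Exhaustive simulation shows input vectors on which both threads produce the same wrong Out with eq1 silent (aliasing), and that securing n1 with eq2 leaves no such vector. Only the naming (n1, M2, eq1, eq2) follows the paper; the graph, fault and input widths are assumptions.

```python
# Added example (not from the paper): aliasing in a duplicated data path with
# a shared multiplier, and its removal by securing an intermediate result.
#
#   original:  n1 = a*b    n2 = n1 + c      n3 = n2*d     -> Out
#   copy:      n1_c = a*b  n2_c = n1_c + c  n3_c = n2_c*d -> Out_c
#   sharing:   n1 and n3_c execute on multiplier M2; n1_c and n3 on M1.
#   eq1 compares Out with Out_c; eq2 (when present) compares n1 with n1_c.

N = 8
MASK = (1 << N) - 1


def mul_good(x, y):
    """Fault-free N-bit multiplier."""
    return (x * y) & MASK


def mul_faulty(x, y):
    """Hypothetical fault in M2: output bit 0 stuck at 1.  In the paper's
    additive model this is f(x, y) = ((x*y) | 1) - (x*y), i.e. 0 or +1."""
    return ((x * y) | 1) & MASK


def run(a, b, c, d, m2, secure_n1):
    """Execute both threads with m2 implementing M2.  Returns (Out, Out_c,
    checks); checks maps each equality checker to True when its operands agree."""
    m1 = mul_good
    n1 = m2(a, b)                  # original, on M2
    n2 = (n1 + c) & MASK
    out = m1(n2, d)                # original, on M1
    n1_c = m1(a, b)                # copy, on M1
    n2_c = (n1_c + c) & MASK
    out_c = m2(n2_c, d)            # copy, on M2
    checks = {"eq1": out == out_c}
    if secure_n1:
        checks["eq2"] = n1 == n1_c
    return out, out_c, checks


def two_rail(checks):
    """A TSC two-rail checker reduces all checker outputs to one indication."""
    return all(checks.values())


def aliases(a, b, c, d, secure_n1):
    """True when the faulty circuit produces a wrong Out that no checker flags."""
    correct, _, _ = run(a, b, c, d, mul_good, secure_n1)
    out, _, checks = run(a, b, c, d, mul_faulty, secure_n1)
    return out != correct and two_rail(checks)


def aliasing_count(secure_n1, width=4):
    """Exhaustive count of aliasing input vectors over width-bit inputs
    (constructed input space, small enough to enumerate)."""
    r = range(1 << width)
    return sum(aliases(a, b, c, d, secure_n1)
               for a in r for b in r for c in r for d in r)


if __name__ == "__main__":
    print("n1 unsecured:", aliasing_count(False), "aliasing vectors")
    print("n1 secured by eq2:", aliasing_count(True), "aliasing vectors")
```

With a = 2, b = 1, c = 0, d = 1 the correct Out is 2, but the faulty M2 turns n1 into 3 in the original and Out_c into 3 in the copy, so eq1 agrees on a wrong value. Once n1 is secured, any error at n1 is seen by eq2 and any error confined to the copy is seen by eq1, which is exactly the "cut" described above.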
We focus on data-dominated behavioral descriptions, as are common in the digital signal and image processing domains. Two important characteristics of such descriptions are: (i) they consist mainly of arithmetic operations like addition, subtraction, multiplication, and delay operators, and (ii) the rate at which the design should process input samples is typically fixed, i.e., it is crucial to meet the required input sample rate requirement but it does not pay to be able to process input samples any faster. Thus, we attempt to provide fault security while minimizing area under hard real-time performance constraints.
An overview of our behavioral synthesis framework for fault-secure data paths, called ALPS, is given in Figure 5. ALPS accepts as input a CDFG and a constraint on the input sample period. The CDFG is first duplicated, and its primary outputs and loopouts are secured. The algorithm explores the clock period space by considering a subset of those candidate clock periods that divide the given sample period constraint evenly. The fastest clock period cannot be any less than the register-to-register delay of the fastest functional unit in the module library. Further pruning of the clock period space is performed based on the delays of various components in the library. Details and the rationale behind the clock period pruning method we use can be found in [10]. For each clock period, ALPS first derives an initial solution that meets the given sample period constraint. It then searches for a sequence of moves (as opposed to a single move) that maximizes the cumulative improvement in the quality of the solution. This improvement is measured by a quantity called Gain. In our case, since we want to optimize the area, the gain is the reduction in area. At any point, the next move is chosen using the steepest descent heuristic [11]. In other words, we choose the move that gives the greatest reduction in area. The various moves that we explore are described in Section 3.1. While exploring moves that affect resource sharing, we use our aliasing probability analysis method to ensure that the aliasing probability as a result of the move is very low. The working of this algorithm is illustrated through an example in Section 6.
Moves in the iterative improvement procedure
In order to explore the module selection, scheduling, and resource sharing search spaces, we define three types of moves for our algorithm: class A, B, and C. Moves of class A transform the data path by replacing an instance of a functional unit t1 by a functional unit t2. For example, the replacement of a ripple-carry adder by a carry-lookahead adder is a move of class A. Moves of class B either replace two functional units fu1 and fu2 by a single functional unit fu, or split a single functional unit into two separate functional units. For merging of functional units, the following three conditions should be satisfied:
C1: There exists a functional unit which can execute the operations executed by both fu1 and fu2.
C2: There exists a schedule which makes the sharing feasible. In general, sharing between two functional units might involve a reschedule of the operations mapped to fu1 and fu2.
C3: The probability of aliasing due to a fault in the merged module should be extremely low.
The manner in which condition C3 is checked is the topic of Section 4. If this condition is violated, then some intermediate results are appropriately secured to reduce the probability of aliasing to acceptable levels. Operations are secured in such a manner that the nodes in the original which are assigned to a functional unit, and the nodes in the original which correspond to those in the copy that are assigned to the same functional unit, are separated by secured operations. The procedure for selecting which intermediate operations to secure is presented in Section 5. Figure 1 and Figure 2 illustrate the application of a move of class B. Here, two operations, one from the original and the other from the copy, which were initially assigned to different functional units, M2 and M4, are now assigned to the same functional unit, M2. It can be easily seen that the operations satisfy conditions C1 and C2. Our aliasing probability analysis techniques presented in Section 4 reveal that condition C3 is also satisfied in this case. Moves of class C secure a specific operation Op with the aim of easing the scheduling constraints on operations in the duplicated CDFG. Moreover, all the fanouts of Op, as well as those of the corresponding operation in the copy, Op_c, are now fed by Op. While a move of class C in itself may not lead to a decrease in area, it can enable subsequent moves of classes A and B due to the extra scheduling freedom of the operations in the transitive fanin of Op_c (including Op_c). Figure 3 is an example application of a move of class C followed by a reschedule. In the figure, securing of operation n3 enables rescheduling of the corresponding operation in the copy.
Figure 5: Overview of our fault-secure datapath synthesis method (pseudo-code; recoverable fragments: G' ← secure(G) // secure primary outs and loopouts; BestDP ← 0; CurDP ← 0; // find minimum area data path for current clock)
Fault security for the controller
A finite-state machine specification for the controller is generated based on the schedule and assignment information after data path synthesis. Logic synthesis tools are then used to generate an implementation. The following constraints are imposed on the logic synthesis process in order to result in a fault-secure implementation. During state encoding, all valid controller states are constrained to have the same parity [12] . If the controller is a Mealy machine, outputs are also constrained to be encoded with the same parity with the help of an extra output. The combinational logic of the controller is constrained such that no logic sharing is performed among its various outputs. The present-state lines and the controller outputs are fed to a TSC parity checker. A fault within any one of the logic cones, or a single fault at any state flip-flop or a single fault in the TSC parity checker itself is detected by the TSC parity checker. The outputs of this checker can be combined with the outputs of other equality checkers in the datapath through a TSC two-rail checker. Thus, only two extra pins are required for fault tolerance purposes.
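The state-encoding constraint above is easy to check mechanically. The following Python snippet is an added example, not code from the paper or its tools: it assigns same-parity codes to a constructed four-state controller, models the TSC parity checker on the present-state lines as a plain parity function, verifies that a single upset at any state flip-flop is flagged, derives the extra Mealy output bit that gives every output vector the same parity, and shows why the scheme is limited to the single-fault model (two simultaneous upsets restore the parity). The FSM size, the flip-flop count and the parity value are assumptions.

```python
# Added example (not from the paper): same-parity state assignment for a
# fault-secure controller and the checks a reviewer would run on it.
from itertools import product


def same_parity_codes(n_states, width, parity=0):
    """Distinct width-bit codes, all of the given parity, one per state.
    Raises if the flip-flops cannot hold that many same-parity codes."""
    codes = [bits for bits in product((0, 1), repeat=width)
             if sum(bits) % 2 == parity]
    if len(codes) < n_states:
        raise ValueError("%d flip-flops give only %d codes of parity %d"
                         % (width, len(codes), parity))
    return codes[:n_states]


def parity_check_ok(bits, parity=0):
    """Models the TSC parity checker: True means 'no error indicated'."""
    return sum(bits) % 2 == parity


def flip(bits, i):
    """Inject a single-bit upset at flip-flop i."""
    return tuple(b ^ (1 if j == i else 0) for j, b in enumerate(bits))


def single_faults_detected(codes, parity=0):
    """Every single-bit upset of every valid state code must fail the check."""
    return all(not parity_check_ok(flip(c, i), parity)
               for c in codes for i in range(len(c)))


def double_faults_detected(codes, parity=0):
    """Two simultaneous upsets restore the parity, so the checker cannot see
    them: this is why the scheme assumes one fault at a time."""
    return all(not parity_check_ok(flip(flip(c, i), j), parity)
               for c in codes for i in range(len(c))
               for j in range(len(c)) if i != j)


def mealy_outputs_with_parity(outputs, parity=0):
    """Append the extra output that gives every output vector the same parity."""
    extra = (parity + sum(outputs)) % 2
    return tuple(outputs) + (extra,)


if __name__ == "__main__":
    codes = same_parity_codes(4, 3)          # constructed 4-state controller
    print("state codes:", codes)
    print("single flip-flop faults detected:", single_faults_detected(codes))
    print("double faults detected:", double_faults_detected(codes))
    print("outputs (1,0,1) with parity bit:", mealy_outputs_with_parity((1, 0, 1)))
```

Note that the encoding needs one more flip-flop than the minimum binary encoding would, because only half of the codes of a given width share a parity.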
Aliasing probability analysis
In this section, we describe our aliasing probability analysis procedure that is used to identify additional resource sharing opportunities that do not significantly compromise fault security. Error Model: Consider a functional unit fu that is affected by a fault F. Let one of the operations performed by fu be I1 Op I2, where I1 and I2 are variables, and Op is an operation in the duplicated CDFG. Then the output produced by fu under the influence of the fault is modeled by the equation:
$$\mathrm{Output}(fu) = (I_1\ Op\ I_2) + f(I_1, I_2) \qquad (1)$$
Note that the above additive error model does not forsake any generality, since no assumption is made about the nature of the error function f(I1, I2). No assumption is made about the nature of F either (i.e., we do not assume any specific fault model). If a functional unit performs several operations, the outputs of any arbitrary subset of these operations may be erroneous.
The aliasing equation
Our aliasing analysis procedure is based on the derivation of the aliasing equation, which captures the conditions that need to be met for aliasing to occur. In this section, we explain how to derive the aliasing equation for a duplicated CDFG given the candidate set of operations that we desire to assign to the same functional unit. A separate aliasing equation is derived for each primary output and loopout of the CDFG.
The aliasing equation is derived by expressing the value of each primary output and loopout of the original and the copy in terms of the primary inputs and the error function. The error function captures the effect of a fault in a functional unit on the results of the operation(s) it performs. The effect of the faulty nodes in the original and copy CDFGs appears at their respective primary outputs or loopouts.
4.1.1
In this section, we derive an expression for the error at a primary output or loopout when multiple operations are affected by a fault in the functional unit that they are assigned to. The calculation is illustrated by the following example.
The error at a primary output or loopout is a sum of product terms:
$$\mathrm{Error} = \sum_{i=1}^{T} \pi(i) \qquad (2)$$
where T is the number of terms, and π(i) is the i-th product term, which is a product of some primary inputs and some error functions. For the last example, for the error at n9_c, π(1) = 1·f(a4, a5), π(2) = a6·f(a4, a5), and so on.
Summary
Now that we can find the error at a primary output or loopout in terms of the errors at the faulty nodes, we can equate the error at each such output in the original with the error at the corresponding output in the copy to obtain the aliasing equation as follows:
$$(\text{Error due to nodes in } S' \text{ at the output}) - (\text{Error due to nodes in } S'' \text{ at the output}) = 0 \qquad (3)$$
where S' is the set of nodes in the original and S'' is the set of nodes in the copy that are assigned to the faulty functional unit.
Aliasing conditions
Our aliasing analysis procedure consists of deriving the aliasing equation and then analyzing it to draw conclusions about the probability of it being satisfied. Exactly evaluating the probability of aliasing requires information about the nature of the error functions (which in turn depends on the fault model), and the joint probability density function (PDF) of the input variables. In general, such information may not be available for several applications, and even when available, the computational requirements for performing an exact analysis may be prohibitive (e.g., if multiple stuck-at fault model is assumed). Hence, we have developed methods that upper bound the aliasing probability. We present two conditions (Condition 1 and Condition 2) that can be used as tests to check whether the probability of aliasing is low. If either test succeeds, we can share a functional unit between the candidate operations. Initially, we assume that all primary input variables to the CDFG are uniformly distributed in their entire range and uncorrelated. Later, we show how arbitrary distributions can be considered. We discuss the two conditions next.
Condition 1
In this subsection, we describe a condition, called Condition 1, under which sharing can be performed with a very low aliasing probability. The test for this condition hinges on the following result. Result 1: If there exists a primary input PI on which none of the error functions depend (i.e., which does not appear in the argument of any error function), and if a subset R_I of the product terms in the aliasing equation depends on PI while a subset R_I' does not, then satisfaction of the aliasing equation implies that, with a very high probability, the following two sub-equations are satisfied:
$$\sum_{\pi(i) \in R_I} \pi(i) = 0 \qquad (4)$$
$$\sum_{\pi(i) \in R_I'} \pi(i) = 0 \qquad (5)$$
If, as a result of the recursive application of Result 1, each product term in the aliasing equation becomes 0, Condition 1 is said to be satisfied. The rest of this section proves Result 1 and describes an algorithm to check for Condition 1.
The aliasing equation can be written as:
Consider again the duplicated CDFG of Figure 6 . The aliasing equation for this CDFG when the shaded operations are faulty is as follows:
In this case, we can see that the number of product terms, T, is equal to 8. Consider a primary input a_i that is a factor of a proper subset of the product terms and does not appear in the argument of any error function. We rewrite the aliasing equation, abstracting all the terms other than a_i into coefficients C_j. In other words, we reduce the aliasing equation to a polynomial in a_i, as given below:
$$C_k a_i^k + C_{k-1} a_i^{k-1} + \cdots + C_1 a_i + C_0 = 0 \qquad (7)$$
If at least one coefficient is non-zero, then the probability that a randomly chosen value of a_i will solve the equation is upper bounded by k/2^N, where N is the bit-width of the data path and k is the degree of the aliasing equation with respect to a_i. (This is because Equation (7), being a polynomial in a_i, has at most k roots. The probability that a randomly chosen integer in the range [0, 2^N − 1] will satisfy the equation is therefore upper bounded by k/2^N. The actual probability could be much less, because Equation (7) may not have any integer roots, in which case the probability of the equation being satisfied by a_i is 0.) For a data path with a bit-width of 32, for example, this is negligible. The above analysis has shown that the aliasing probability is very small if at least one of the coefficients C_j is non-zero. We next analyze the aliasing probability when this assumption (at least one of the coefficients is non-zero) does not hold. To see what this means, let us apply the condition to our running example. In the following analysis, we refer to the probability of aliasing as P_aliasing.
Example 6:
In the aliasing equation of Figure 6, primary input a9 does not appear in the argument of any error function. Hence the aliasing equation can be written as a polynomial in a9 with coefficients C0 and C1. If C0 ≠ 0 or C1 ≠ 0, then from the above arguments, P_aliasing ≤ 1/2^N.
We now consider the case where C0 = C1 = 0. This reduces to the two sub-equations C0 = 0 and C1 = 0. Both of these sub-equations must be satisfied for aliasing to occur. The aliasing analysis procedure is recursively called on these two sub-equations. Therefore, the P_aliasing of each sub-equation bounds the P_aliasing of the whole equation.
In general, the primary input a_i can be looked upon as inducing a partition¹ on the terms of the aliasing equation. One block of the partition consists of terms which depend on a_i, and in the other block are terms which do not depend on a_i. The product of all these partitions gives a set of aliasing sub-equations. If each sub-equation consists of a single product term, then for the aliasing equation to have a solution, each of the product terms in the aliasing equation must be zero. Note that each product term in the aliasing equation represents an additive error at a primary output or loopout. Therefore, if all the product terms are zero, it implies that the error at the primary output or loopout is zero and aliasing does not occur.
We illustrate recursive testing of the aliasing condition using the following example.
Example 7: Consider the aliasing equation given below.
$$a_1 a_2 a_3 f(a_1, a_2) + a_1 f(a_2, a_1) + a_4 f(a_2, a_1 + a_2) = 0$$
Here, π(1) = a1 a2 a3 f(a1, a2), π(2) = a1 f(a2, a1), and π(3) = a4 f(a2, a1 + a2), where a1, a2, a3, and a4 are primary inputs. π(1) is the only product term that depends on a3. Moreover, the error functions do not depend on a3. Hence, the aliasing equation splits into the following two sub-equations:
$$a_1 a_2 f(a_1, a_2) = 0 \quad\text{and}\quad a_1 f(a_2, a_1) + a_4 f(a_2, a_1 + a_2) = 0$$
It turns out that we can apply Condition 1 to the second sub-equation. Here, we see that the second term, π(3), has the primary input a4 unique to it. So this induces a partition on the sub-equation, which leaves us with three distinct product terms, each of which must be zero. If a product term π(i) is zero, then one of its constituent factors must be zero. We already know that π(i) is a product of some primary inputs and some error functions. The probability of a primary input being zero is 1/2^N. This implies that, given that π(i) = 0, with a high probability one of the error functions in π(i) must be zero. (If there are no primary inputs in π(i), then one of the error functions which constitute π(i) is guaranteed to be zero.) From the above, it follows that all three error functions in our example are zero with a very high probability. However, this implies that all primary outputs assume their error-free values, in which case, by definition, aliasing cannot occur. Thus, we can conclude that Condition 1 is satisfied for this aliasing equation.
The pseudo-code for our procedure that tests for Condition 1 is given in Figure 7. In this code, the support set of an error function is defined as the set of all the primary inputs that it depends on.
¹ A partition, P, is a structure defined on a universal set U = {e1, e2, ..., er}, and consists of several disjoint subsets S1, S2, ..., Sn such that the union of the S_i is U. The product of two partitions, P1 and P2, which have the same universal set U, is another partition P3 with the following property: the disjoint subsets A1, ..., An which comprise P3 are such that if any two elements e_i, e_j ∈ U are in the same subset A_i of P3, then the two elements are in the same subset in both P1 and P2. By definition, ZeroPartition = {{e1}, {e2}, ..., {er}} and IdentityPartition = {{e1, e2, ..., er}}. For example, if U = {a1, a2, a3, a4}, P1 = {{a1, a2}, {a3, a4}}, and P2 = {{a1, a3}, {a2, a4}}, then the product of P1 and P2 is {{a1}, {a2}, {a3}, {a4}}, which is the ZeroPartition.
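The recursive splitting of Example 7 can be written as a small checker. The Python code below is an added example and not the paper's Figure 7 pseudo-code: it models each product term π(i) as the primary inputs it multiplies (with their powers) plus the support set of each error function in it, repeatedly picks a primary input that lies outside every support set and does not occur with the same power in every term, groups the terms by that input's power (one coefficient of the polynomial per group), and reports Condition 1 as satisfied when every leaf sub-equation is a single product term. Signs and constant factors of the terms are ignored because they do not affect the test. The second, unsplittable equation is constructed for contrast.

```python
# Added example (not from the paper): a checker for Condition 1 applied to
# the aliasing equation of Example 7.
from collections import Counter


class Term:
    """One product term pi(i): its primary inputs (with powers) and the
    support set of each error function it contains."""

    def __init__(self, inputs, supports):
        self.inputs = Counter(inputs)                  # input name -> power
        self.supports = [frozenset(s) for s in supports]

    def __repr__(self):
        ins = "".join(a if p == 1 else "%s^%d" % (a, p)
                      for a, p in sorted(self.inputs.items()))
        fns = "".join("f(%s)" % ",".join(sorted(s)) for s in self.supports)
        return ins + fns


def splitting_inputs(terms):
    """Primary inputs outside every error-function support that do not occur
    with the same power in all terms (the PI of Result 1), sorted by name."""
    support = set()
    for t in terms:
        for s in t.supports:
            support |= s
    seen = set()
    for t in terms:
        seen |= set(t.inputs)
    return [a for a in sorted(seen - support)
            if len({t.inputs.get(a, 0) for t in terms}) > 1]


def condition1_leaves(terms):
    """Split recursively; return the sub-equations (lists of terms) that can
    no longer be split."""
    if len(terms) <= 1:
        return [terms]
    cands = splitting_inputs(terms)
    if not cands:
        return [terms]
    a = cands[0]
    # Treating the equation as a polynomial in a, every coefficient (the terms
    # sharing one power of a) must vanish for aliasing to be likely.
    by_power = {}
    for t in terms:
        by_power.setdefault(t.inputs.get(a, 0), []).append(t)
    leaves = []
    for group in by_power.values():
        leaves.extend(condition1_leaves(group))
    return leaves


def condition1(terms):
    """True when every leaf is one product term: aliasing then needs every
    term, and with high probability every error function, to be zero."""
    return all(len(leaf) == 1 for leaf in condition1_leaves(terms))


# Example 7: a1 a2 a3 f(a1,a2) + a1 f(a2,a1) + a4 f(a2,a1+a2) = 0
EXAMPLE7 = [
    Term(["a1", "a2", "a3"], [{"a1", "a2"}]),
    Term(["a1"], [{"a1", "a2"}]),
    Term(["a4"], [{"a1", "a2"}]),
]
# Constructed contrast: a1 f(a1,a2) + a2 f(a1,a2) = 0 offers no input to split on.
NOSPLIT = [
    Term(["a1"], [{"a1", "a2"}]),
    Term(["a2"], [{"a1", "a2"}]),
]

if __name__ == "__main__":
    print("Example 7 leaves:", condition1_leaves(EXAMPLE7))
    print("Example 7 satisfies Condition 1:", condition1(EXAMPLE7))
    print("contrast satisfies Condition 1:", condition1(NOSPLIT))
```

On Example 7 the checker first splits on a3 (giving the two sub-equations above) and then on a4, ending with three single-term leaves, which is the conclusion reached by hand. For the contrast equation both inputs sit inside an error-function support, so the test reports failure and the candidate sharing would have to be refused or an intermediate result secured.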
To derive the above result, we assumed that all the primary inputs are uniformly distributed. We now show how to evaluate P_aliasing for non-uniform distributions. Let primary input a_i satisfy Condition 1, i.e., it does not appear in the support of any error function and influences the coefficients of a subset of the error functions. Suppose a_i is non-uniformly distributed and the most probable value of a_i has a probability of Peak(a_i). Aliasing occurs when a randomly chosen value of a_i satisfies the aliasing equation. The number of solutions to the aliasing equation is bounded by k, where k is the degree of a_i in the aliasing equation. Hence, P_aliasing is bounded by k × Peak(a_i), which corresponds to the case when all roots of the equation have a probability of Peak(a_i).
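The bound of Result 1 and its non-uniform variant above can be checked numerically. The Python code below is an added example, not from the paper: it takes Equation (7) with constructed coefficients (a_i² − 7a_i + 10, so k = 2), counts its integer roots in an 8-bit range, and compares the exact probability that a drawn a_i solves it with k/2^N for a uniform a_i and with k·Peak(a_i) for a constructed peaked distribution. The last function is not part of the paper's argument: it shows that the "at most k roots" step assumes ordinary integer arithmetic, since a data path that wraps around modulo 2^N can have more than k roots (a_i² ≡ 0 mod 256 has 16 of them). The polynomial, N = 8 and the distribution are assumptions.

```python
# Added example (not from the paper): checking the Result 1 bound k/2^N and
# its non-uniform form k*Peak(a_i) on a constructed instance of Equation (7).
from fractions import Fraction


def poly_value(coeffs, a):
    """Evaluate sum_j C_j * a^j for coeffs[j] = C_j."""
    return sum(c * a ** j for j, c in enumerate(coeffs))


def degree(coeffs):
    nonzero = [j for j, c in enumerate(coeffs) if c != 0]
    return nonzero[-1] if nonzero else -1


def integer_roots(coeffs, n_bits):
    """Roots among the integers 0 .. 2^N - 1 (the paper's setting)."""
    return [a for a in range(1 << n_bits) if poly_value(coeffs, a) == 0]


def modular_roots(coeffs, n_bits):
    """Roots when arithmetic wraps around modulo 2^N.  Not the paper's
    setting; shows that the 'at most k roots' step needs integer arithmetic."""
    mask = (1 << n_bits) - 1
    return [a for a in range(1 << n_bits) if poly_value(coeffs, a) & mask == 0]


def uniform_pmf(n_bits):
    return [Fraction(1, 1 << n_bits)] * (1 << n_bits)


def peaked_pmf(n_bits, peak_value, peak_prob):
    """Constructed non-uniform distribution: peak_value has probability
    peak_prob, the remaining mass is spread evenly over the other values."""
    rest = (1 - peak_prob) / ((1 << n_bits) - 1)
    pmf = [rest] * (1 << n_bits)
    pmf[peak_value] = peak_prob
    return pmf


def aliasing_prob(coeffs, n_bits, pmf):
    """Exact probability that a_i drawn from pmf satisfies Equation (7)."""
    return sum((pmf[a] for a in integer_roots(coeffs, n_bits)), Fraction(0))


def result1_bound(coeffs, pmf):
    """k * Peak(a_i); equals k / 2^N for the uniform distribution."""
    k = degree(coeffs)
    if k < 1:
        raise ValueError("Result 1 needs a polynomial of degree >= 1 in a_i")
    return k * max(pmf)


# Constructed instance: a_i^2 - 7 a_i + 10 = (a_i - 2)(a_i - 5), 8-bit data path.
COEFFS = [10, -7, 1]
N_BITS = 8
PEAKED = peaked_pmf(N_BITS, 5, Fraction(1, 2))   # a_i = 5 half of the time

if __name__ == "__main__":
    u = uniform_pmf(N_BITS)
    print("integer roots:", integer_roots(COEFFS, N_BITS))
    print("uniform: P =", aliasing_prob(COEFFS, N_BITS, u),
          "bound k/2^N =", result1_bound(COEFFS, u))
    print("peaked:  P =", aliasing_prob(COEFFS, N_BITS, PEAKED),
          "bound k*Peak =", result1_bound(COEFFS, PEAKED))
    print("roots of a_i^2 modulo 2^N:", len(modular_roots([0, 0, 1], N_BITS)))
```

For the uniform case the instance meets the bound exactly (two roots, 2/256); with the peak at a root, the exact probability 1/2 + 1/510 is still below k·Peak(a_i) = 1, but the example makes the point of the text: a peaked input distribution can turn a negligible bound into a useless one.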
Condition 2
Our second test for aliasing is based on performing a set of variable transformations to recast the aliasing equation into a form where it is more amenable to an analysis similar to that for Condition 1. Each of the product terms in the aliasing equation given in Equation (6) can be written in the following form:
$$\pi(i) = \Big(\prod_j a_j^{p_j}\Big)_i \Big(\prod_k f_k^{p_k}\Big)_i \qquad (8)$$
The product in j is taken over all the primary input factors in a product term, while the product in k is taken over all error function factors. The variables p_j and p_k are the powers of the primary input a_j and of the error function f_k, respectively. (The subscript i alongside the brackets indicates that the corresponding product terms are derived from π(i).) SupportSet(i) is defined to be the set of primary inputs that occur in (∏_j a_j^{p_j})_i.
Consider two distinct primary inputs, a_m and a_n, such that whenever a_m and a_n appear in the argument of any error function, they are part of a common subexpression, CS(a_m, a_n). Moreover, suppose that a_m is part of SupportSet(i) for some i. In addition, we also require that a_n does not belong to SupportSet(i) for any i. Under the above assumptions, we prove that variable a_m splits the aliasing equation into two aliasing sub-equations, both of which must be satisfied for aliasing to take place.
For instance, consider the aliasing equation π(1) + π(2) = 0 with π(1) = a1 a2 f(a2 a3, a4), π(2) = −f(a2 a3, a1), and SupportSet(1) = {a1, a2}. We can see that (a2, a3) is a possible candidate for (a_m, a_n), with CS(a2, a3) = a2 a3.
Suppose that we are given arbitrary values for (i) all primary inputs except a_m and a_n, and (ii) CS. Under the above constraints, let v be a permissible value for CS. The aliasing equation reduces to a polynomial in a_m, and can be solved to obtain the possible values of a_m for which aliasing occurs. Assuming that at least one of the coefficients in this polynomial is non-zero, the number of such values is at most p_m, the degree of a_m in the aliasing equation. In the example above, given a value of CS = a2 a3, there is at most one pair of values for (a2, a3) that satisfies the aliasing equation.
Note that the above arguments were made under the condition that CS was fixed to a value v. It is possible that there might be several assignments to a_m and a_n that result in CS assuming the value v. At most p_m of these result in aliasing. Therefore, the probability of aliasing, given that CS = v, is at most p_m/(number of solutions to CS = v).
Since in the above analysis we assumed a single value v for CS, summing the conditional probability over all possible values of CS will result in the probability of aliasing. Let S(v) represent the number of solutions to the equation CS(a_m, a_n) = v. The probability of aliasing can then be derived as follows. Let
E_v = the event that the value of CS is v,
A = the event that the aliasing equation is satisfied.
$$P(A) = \sum_{\text{all } E_v} P(E_v)\, P(A \mid E_v) \qquad (9)$$
The probability of event E_v is equal to S(v)/2^{2N}, since the pair of primary inputs (a_m, a_n) can assume 2^{2N} values with equal probability, of which only S(v) values result in event E_v. We have previously evaluated P(A | E_v) to be at most p_m × 1/S(v).
Now, we address the case where all the coefficients of powers of a_m in the aliasing equation are zero. In this case, a_m can be viewed as splitting the aliasing equation into at most p_m + 1 distinct sub-equations, one for each power of a_m. These sub-equations can then be recursively analyzed, as in the case of Condition 1.
If a_m and a_n are non-uniformly distributed, with the most probable values having probabilities Peak(a_m) and Peak(a_n) of occurring, respectively, then the analysis is as follows.
$$P(A) = \sum_{\text{all } E_v} P(E_v)\, P(A \mid E_v)$$
Graph-theoretic formulation of aliasing conditions
Intuitively, Conditions 1 and 2 can be more easily understood as structural requirements on CDFGs. Graph-theoretically, Condition 1 can be stated as follows: if a primary input which is not in the transitive fanin of any of the faulty nodes feeds a path from any faulty node to a primary output at a multiply operation, then the aliasing equation can be split into sub-equations. For instance, in the CDFG in Figure 6, a9 does not appear in the transitive fanin of any error function, but feeds the path from n1 to Out at operation n7. Whatever values the error functions take, satisfaction of the aliasing equation requires, in some sense, knowledge of a9, which the faulty nodes do not possess.
Condition 2 is more difficult to test than Condition 1, but is common in the case of CDFGs with heavy reconvergence. Condition 2 can be stated as follows: if there exists a node n in the CDFG with two primary inputs, a_m and a_n, in its transitive fanin, such that all paths from a_m and a_n to any faulty node pass through n, and if exactly one of the two inputs feeds a path from a faulty node to a primary output at a multiply operation, then the aliasing equation can be split into aliasing sub-equations. In the CDFG in Figure 8, node n1 is n. Condition 2 can be easily understood as a variable transformation wherein the fanout edge of n becomes a primary input, taking the place of a_n. Now, Condition 1 can be applied to the CDFG obtained, because a_m does not appear in the transitive fanin of any faulty node.
Summary
Conditions 1 and 2 test for the possibility of aliasing at a specific primary output or loopout. A fault in a single functional unit may result in aliasing at multiple outputs, and a very low probability of aliasing at one output does not imply a very low probability of aliasing at the other outputs. It is possible that the operations that feed a specific primary output or loopout are erroneous while all other operations executed by that functional unit (those that feed other outputs) are error-free; in this case, aliasing may occur only at that one output. Hence, we have to apply the two tests to all outputs that are fed by operations mapped to the functional unit under consideration. Only if all primary outputs and loopouts pass the test can the candidate operations be mapped to the same functional unit.
The two tests which have been developed are not necessary conditions for aliasing to be extremely improbable. However, they are easy to implement and detect a significant fraction of the cases where aliasing is extremely unlikely. In many of the cases in which the two tests failed, we could find functions f which corresponded to single stuck-at faults and which would result in aliasing with high probability.
Faults in registers and multiplexers
Our aliasing analysis technique for functional units can be straightforwardly extended to cover register faults. Here, we would like to determine whether a set of variables in the original CDFG and another set of variables in the copy can share a register. As in the case of functional units, we express the erroneous value of a variable stored in the register as V + f(V), where V is the fault-free value and f(V) is an arbitrary error function. The procedure for deriving and analyzing the aliasing equation remains similar to the case of faulty functional units.
Faults in multiplexers can be classified into those that affect data-routing and those that do not affect data-routing. Formally, we can characterize them as follows. Consider an n-to-1 multiplexer with data inputs $I_1, I_2, \ldots, I_n$ and output O. For a fault that does not affect data-routing, the erroneous value at the multiplexer output can be written as $O_{err} = f(\text{selected data input})$; for a fault that affects data-routing, the erroneous output can only be written as $O_{err} = f(I_1, I_2, \ldots, I_n)$. We use a point-to-point interconnect model. A fault that does not affect data-routing is equivalent (from the point of view of aliasing analysis) to a fault in the register or the functional unit that the multiplexer feeds. We make the multiplexers secure against a restricted sub-class of the other class of faults, namely, those faults that cause the multiplexer to select a data input that is different from the one that it is supposed to select. It can be shown that a multiplexer routing error causes the controller/data path circuit to behave in a manner that can be modeled by deleting some nodes and edges from the CDFG, and adding different nodes and edges in their place. The aliasing equation is derived by equating the expressions for primary outputs and loopouts in the original and modified CDFGs.
Dynamic securing
There are two situations where we need to select a set of intermediate results in the CDFG to secure. The first situation occurs in moves of class B, where securing is performed to allow resource sharing between the original and the copy in order to minimize area overhead. The second situation is in moves of class C, where TSC equality checkers are added in order to improve the mobilities of various operations in the CDFG. We present efficient heuristics to selectively secure operations in the duplicated CDFG for both of the above situations in this section.
Dynamic securing for moves of class B
The dynamic securing problem in the context of a move of class B can be stated as follows: given a duplicated CDFG, a set of nodes A in the original, and a set of nodes B in the copy, find a set of nodes S that should be secured such that (i) the nodes in A and B are separated (see Definition 1) after securing the nodes in S, and (ii) the cardinality of S is as small as possible. This formulation utilizes the fact that aliasing cannot occur as a result of sharing of a functional unit by A and B if they are separated by secured operations. The above problem can be shown to be equivalent to the graph-theoretic problem of finding a minimum cardinality edge cut set in a hypergraph, which can be solved in polynomial time in the number of nodes and edges in the CDFG, using the algorithm presented in [13].
Heuristic for moves of class C
We now present a method to identify nodes in the CDFG which cause scheduling bottlenecks and secure them with a view to increasing the mobilities of various operations in the CDFG. We would like to find a node, which when secured "frees" its predecessor nodes to be rescheduled to control steps where the hardware utilization is low, potentially increasing functional unit utilization. Example 2 illustrates an application of a class C move.
To find out which nodes of the CDFG are good candidates to secure, we use the following heuristic. For each node we compute a figure (called the weight) which is a measure of the gain in area that could be obtained by securing the node and rescheduling the operations in the transitive fanin of that node. We compute the weight of a node n as follows. For each node in the transitive fanin of n, we compute the area of the functional unit that it maps to. We sum the areas of all nodes in the transitive fanin of n, including n itself. We then compute the difference between the earliest and latest control steps (span) in which any node from the transitive fanin of n is scheduled. The ratio of the cumulative area to the span of control steps is then computed. From this ratio, we subtract the ratio of the area of a register to the lifetime in cycles of the variable that is generated at node n, to get the weight of node n (the subtracted term accounts for the impact of the prolonged lifetime of the variable on register area). The node with the largest positive weight is chosen for securing during a move of class C.
Example 9: Consider once again the example CDFG shown in Figure 3. Assume that the areas of the multiplier, adder, equality checker, and register are 4, 1, 1, and 1/2 units, respectively. We now compute the weight of each node in the CDFG. Similarly, the weights of nodes n2 through n4 can be seen to be 3.2, 2.5, and 1.8, respectively. Node n3, which has the maximum weight, is chosen for securing.
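The weight computation for class C moves, as an added example that is not the paper's code. The CDFG, schedule and control-step numbers are constructed for illustration (they are not Figure 3), the unit areas follow Example 9, and two details the text leaves open are assumptions here: the span includes node n itself and is taken as at least one control step (so a single-step cone does not divide by zero), and the lifetime of n's variable runs from its control step to the last control step in which it is consumed, with a minimum of one cycle. Exact fractions are used so the weights can be compared without rounding.

```python
"""Class C dynamic-securing heuristic (added example, see lead-in for assumptions):
weight(n) = (FU area over transitive fanin of n, incl. n) / (control-step span of that cone)
          - (register area) / (lifetime in cycles of the variable produced at n)."""
from fractions import Fraction

# Constructed example (not Figure 3): node -> (functional-unit type, operands);
# names a1..a5 are primary inputs and carry no functional unit.
OPS = {
    'n1': ('mult', ['a1', 'a2']),
    'n2': ('add',  ['n1', 'a3']),
    'n3': ('mult', ['n2', 'a4']),
    'n4': ('add',  ['n3', 'a5']),
}
SCHEDULE = {'n1': 1, 'n2': 2, 'n3': 3, 'n4': 4}   # control step of each operation
OUTPUT_STEP = {'n4': 5}   # control step at which a primary output is consumed
# Unit areas from Example 9: multiplier 4, adder 1, register 1/2
AREA = {'mult': Fraction(4), 'add': Fraction(1), 'reg': Fraction(1, 2)}


def transitive_fanin(ops, n):
    """Operations (primary inputs excluded) in the transitive fanin of n."""
    seen, work = set(), [n]
    while work:
        for p in ops[work.pop()][1]:
            if p in ops and p not in seen:
                seen.add(p)
                work.append(p)
    return seen


def lifetime(ops, schedule, output_step, n):
    """Cycles the variable produced by n occupies a register (assumption: from
    its control step to the last step that consumes it, at least 1)."""
    uses = [schedule[c] for c, (_, operands) in ops.items() if n in operands]
    if n in output_step:
        uses.append(output_step[n])
    return max(max(uses, default=schedule[n]) - schedule[n], 1)


def class_c_weight(ops, schedule, output_step, area, n):
    """Weight of node n as defined in the text (span clamped to >= 1, an assumption)."""
    cone = transitive_fanin(ops, n) | {n}
    fu_area = sum(area[ops[v][0]] for v in cone)
    steps = [schedule[v] for v in cone]
    span = max(max(steps) - min(steps), 1)
    return fu_area / span - area['reg'] / lifetime(ops, schedule, output_step, n)


def choose_node_to_secure(ops, schedule, output_step, area):
    """Node with the largest positive weight (None if no weight is positive), plus all weights."""
    weights = {n: class_c_weight(ops, schedule, output_step, area, n) for n in ops}
    best = max(weights, key=weights.get)
    return (best if weights[best] > 0 else None), weights


if __name__ == '__main__':
    best, weights = choose_node_to_secure(OPS, SCHEDULE, OUTPUT_STEP, AREA)
    for n, w in weights.items():
        print(n, w)          # n1 7/2, n2 9/2, n3 4, n4 17/6
    print('secure', best)    # secure n2
```

On this constructed CDFG the cone of n2 contains a multiplier and an adder spread over only two control steps, so it has the best area-to-span ratio and is the node a class C move would secure; n4's cone has the most area but is spread over four steps, which is exactly the case where securing buys little mobility.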
Illustrative synthesis example
In this section, we trace the synthesis procedure for a small CDFG to illustrate the integration of aliasing analysis and securing into the synthesis procedure. In addition, we also trace the flow of the algorithm for a case when aliasing analysis is not applied because we require the circuit to have $P_{\text{aliasing}} = 0$.
In the example shown in Figure 9, the library is assumed to have exactly one adder, one multiplier, and one TSC equality checker, all of which compute in one cycle. The deadline for all primary outputs is ? cycles.
In the initial solution that is fed to the algorithm, each operation is bound to a separate functional unit, and each variable to a separate register. In the intermediate solution for the ALPS and 0-alias cases, sharing between different operations takes place without the use of rescheduling. If we are synthesizing a double modular redundant (DMR) architecture, no further sharing can take place because operations in the original and the copy cannot share functional units. In the case of ALPS, nodes n2 and n1-e can share a functional unit if n2 is scheduled in control step 2. Application of aliasing analysis to this configuration results in the following condition for aliasing at primary output Out: $f(a_4, a_5) = a_3 \cdot f(a_1, a_2)$. By applying Condition 1 to this equation, we can see that the aliasing probability is $1/2^N$, where N is the bit width. The aliasing threshold is chosen as $2 \times 2^{-32}$ ($4.66 \times 10^{-10}$), and we synthesize a 32-bit data path (N = 32). Therefore,
Experimental results
We have implemented the behavioral synthesis framework presented in the previous sections, including the aliasing probability analysis techniques and dynamic securing procedures, as the program ALPS. ALPS is written in C++. We have performed experiments to evaluate our techniques using several behavioral descriptions of digital signal and image processing applications. ALPS reads in a textual description of the CDFG, and performs clock selection, module selection, scheduling, allocation, and assignment to produce a highly fault-secure RTL circuit that consists of a data path netlist and an FSM description of the controller. The controller is then subject to constrained logic synthesis as described earlier to yield a fault-secure implementation. The controller and data path netlists are merged and mapped to the MSU standard cell library using the SIS logic synthesis system.
We conducted experiments on nine CDFGs which perform different DSP algorithms. Among them, Paulin is a widely known benchmark. Dist, Chemical, and IIR77 are IIR filters used in industry. Dct-lee, Dct-dif, Dct-pr2, and Dct-wang perform the discrete cosine transform and are named after the inventors of their algorithms. FIR is an FIR filter. Of these examples, Paulin, Chemical and Dist
