This paper presents a corrective control scheme that automatically counteracts the adverse effect of intermittent faults in the logic of asynchronous sequential machines. When an intermittent fault occurs to the machine, a set of state transitions defined in the machine suspends the normal behavior for a finite interval. The objective is to design a corrective controller that makes the closed-loop system show the normal input/state behavior despite the occurrence of an intermittent fault. We show that realization of fault tolerance depends on a certain reachability property of the asynchronous machine. For validating the applicability of the proposed control scheme, we implement the closed-loop system on VHDL code.
Introduction
Intermittent faults are a class of faults in dynamic systems where faulty behavior or a malfunction of the system occurs and endures for some finite time [1]. Several contributing factors, such as internal system faults or disturbance entities from the outer environment, combine their influence to invoke an intermittent fault. In hardware systems, intermittent faults are typically caused by bad electrical contacts, sticky components, overheating of chips, noisy measurements from sensors, power surges, and so forth [2].
In this paper, we address the problem of how to make asynchronous sequential machines immune to the attack of intermittent faults. Endowed with logic of clockless sequencing, asynchronous sequential machines have distinctive features such as stable/unstable states, instantaneous state transitions, and fundamental mode operation. Since asynchronous machines are still widely used as an important building block of digital systems [3], [4], we have to develop robust schemes of fault tolerance for asynchronous machines against typical classes of faults, among which intermittent faults are given a high priority.
We use a control-theoretic approach to realizing fault tolerance. Corrective control is a novel automatic control scheme specified for asynchronous sequential machines. A corrective controller, also in the form of an asynchronous machine, is placed in front of the controlled machine and receives the external input and the output feedback from the machine to generate a control input. A remarkable advantage of corrective control is that it can compensate the stable-state behavior of the asynchronous machine in a desirable way without resorting to a redesign of the machine's inner logic. A series of research results about corrective control has been presented during the past decade; refer to [5]-[10] and the references cited in these papers.
In our modeling, when an intermittent fault occurs to the considered asynchronous machine, a set of state transitions defined in the machine suspends the normal behavior for a finite interval. This setting reflects the property of intermittent faults that faulty behavior caused by the intermittent fault endures at intervals before its adverse effects diminish. As a result, the asynchronous machine loses part of its reachability during the manifestation of the intermittent fault. We will show that if the machine has latent reachability enough to tolerate the adverse effect of the intermittent fault, one can design an appropriate corrective controller that materializes fault tolerance. Under the framework of corrective control, the closed-loop system can continue to show the normal behavior as if no intermittent fault happened to the machine.
The rest of this paper is organized as follows. In Section 2, we model the considered asynchronous sequential machine and the adverse effect of intermittent faults on the characteristics of state transitions. In Section 3, we present the condition for the existence of a corrective controller that realizes fault tolerance against intermittent faults. It is shown that realization of fault tolerance depends on a certain reachability property of the asynchronous machine in the failure mode. We also propose a novel control procedure to accommodate the occurrence of the intermittent fault and its self counteracting. In Section 4, for validating the applicability of the proposed control scheme, we implement the closed-loop system on VHDL code and conduct an experimental study using a fault scenario. Finally, conclusion and remarks on future studies are addressed in Section 5.
Figure 1. Corrective control system for the asynchronous machine Σ with the intermittent fault ω.
Preliminaries

Problem Statement
In this paper, we consider input/state asynchronous machines, where the present state of the machine is given as the output value. The corrective control system for an input/state asynchronous machine is illustrated in Figure 1. Σ is the considered asynchronous machine and C is the corrective controller also constructed in the form of an asynchronous machine. $v$ is the external input, $u$ is the output of C serving as the control input, and $x$ is the state feedback from Σ. ω represents the intermittent fault that freezes part of state transitions of Σ temporarily. $\Sigma_c$ symbolizes the closed-loop system represented by the diagram.
Our objective is to present the existence condition and design procedure for C that diagnoses and tolerates the adverse effect of intermittent faults. The closed-loop system $\Sigma_c$ will seem to maintain the normal behavior even though part of the machine's state transition characteristics is invalidated by fault for a certain interval. This is made possible by virtue of latent redundancy in the reachability of the machine and the feature of asynchronous operation of the closed-loop system. To this end, the controller C should achieve the following specific functions.
i) First, C should perform fault diagnosis. In other words, it has to determine whether an intermittent fault occurs to the machine Σ without violating the normal input/state specification of the machine.
ii) After diagnosing an occurrence of the fault, C must generate an appropriate control input $u$ in response to the change of the external input $v$ so that $\Sigma_c$ can continue to show the normal behavior. This is the critical component of fault tolerance in our study.
iii) Since the adverse effect of the intermittent fault vanishes after finite steps in our model, C should also perceive whether Σ returns to the normal status, i.e., whether part of state transitions that degenerated by fault regain their functionality.
In this paper, the event that the adverse effect of the intermittent fault vanishes is termed self counteracting. We assume that the control configuration of Figure 1 abides by the principle of fundamental mode operation [11], an operating policy that prohibits the simultaneous change of two or more variables. This policy helps to prevent uncertainties arising from simultaneous changes in two or more variables. According to fundamental mode operation, both the occurrence of the intermittent fault ω and its self counteracting should occur when Σ is at a stable combination.
System Modeling
An input/state asynchronous machine Σ is modeled by a 4-tuple
where $A$ is the input set, $X$ is a set of $n$ states, $x_0 \in X$ is the initial state, and $f : X \times A \to X$ is the state transition function defined on $X \times A$. Σ operates according to a recursion of the form
The current state $x_k$ goes to the next state $x_{k+1}$ asynchronously in response to a switch of the input to $u_k$, where $k$ represents the step counter of the machine, which advances by one upon a change of the machine's input or state.
If there exists an input sequence $t \in A^+$ such that $x' = s(x, t)$, $x'$ is said to be stably reachable from $x$. It is known that any stably reachable state can be reached in at most $n - 1$ steps, where $n$ is the cardinality of the state set $X$ [5].
In most asynchronous sequential machines implemented as real hardware, e.g., digital systems, we design the machine not to respond to any invalid input character. In terms of state transitions, receiving an input character that makes an invalid pair with the present state is equivalent to the behavior of a stable combination, that is, staying at the present state. Hence, by assigning a stable combination to every invalid state-input pair, we can make $f$ a total function. If a state $x \in X$ has transient combinations with all the elements of a set $A_x \subset A$, then we define $f(x, v) := x$ for $v \in A \setminus A_x$, where $\setminus$ denotes the set difference.
To deal with intermittent faults, we partition the input set A into
where $A_N$ is the normal input set and $A_F$ is the set of intermittent faults. As addressed before, the occurrence of an intermittent fault causes a temporary halt of a set of state transitions. For brevity's sake, this paper assumes that there is only one intermittent fault ω, i.e., $A_F := \{\omega\}$, with the associated set of state transitions $F \subset X \times A_N$:
Without loss of generality, we assume that every $(z_i, v_i) \in F$ is a transient combination; stable combinations would not be influenced by the intermittent fault.
As addressed before, we stipulate that once the intermittent fault attacks Σ, its adverse effect persists only for some finite steps, after which it attenuates or vanishes. Here, a step implies a change of the external input character $v$ that enters into the asynchronous machine Σ (see Figure 1). Define $l$ as the maximum number of steps within which Σ stays under the influence of the intermittent fault ω, that is, all the transitions of $F$ degenerate. This means that after the fault occurrence, the transitions of $F$ may go back to the normal mode any time within $l$ steps. After $l$ steps, they will definitely be back to the normal mode. Note that the exact moment that $F$ returns to the normal mode is nondeterministic; only the maximum duration $l$ of the failure mode is available. We limit the range of $l$ to
where $n = |X|$. If $l \geq n - 1$, Σ can traverse the entire states before returning to the normal mode, which becomes equivalent to the case of permanent changes of the characteristics of state transitions [12]. Using the stable recursion function $s$, we summarize as follows the situation of the fault occurrence discussed so far.
Stable Reachability
In the problem of model matching between the asynchronous machine and a reference model, a corrective controller exists if and only if stable reachability of the machine is greater than or equal to that of the model [5], [6]. Our problem of fault tolerance can be interpreted as another model matching problem. We regard the asynchronous machine under attack of the intermittent fault as the system to be controlled, and the original machine with the nominal behavior as the model. Then, we can design a corrective controller that realizes fault tolerance, provided that stable reachability of the machine that loses part of its state transitions ($F$ defined above) is equal to that of the nominal machine. Note that stable reachability of the machine under attack of the intermittent fault can never be greater than that of the nominal machine.
Let us define the state set as $X := \{x_1, x_2, \ldots, x_n\}$.
Recall that stable reachability from a state $x_i$ to another one $x_j$ means the existence of an input string $t \in A_N^+$ with $1 \leq |t| \leq n - 1$ such that $s(x_i, t) = x_j$. In our modeling, the adverse effect of the intermittent fault ω terminates at most in $l$ steps. After the occurrence of ω, Σ can reach from a state to those states that are reachable from the original state in $l$ or less steps, instead of $n - 1$ steps. In our study, hence, we only have to consider stable reachability with the length of $l$ steps.
In the former studies [5], [8], we used the skeleton matrix to describe stable reachability of the machine Σ. In this paper, we define l-skeleton matrix,
To describe stable reachability of Σ with faulty behavior, we denote by $\Sigma_F$ the asynchronous machine Σ in which all the state transitions of $F$ lose their functionality, as designated in item a). The corresponding skeleton matrix, termed $K(\Sigma_F)$, has its $(i, j)$ element defined as follows.
Note that we do not have to impose the length limit $l$ on $K(\Sigma_F)$ because in the operation of corrective control, the stable transitions between the states of the machine will be made instantaneously [5], [8]. Thus the corrective controller C can utilize the maximal reachability of the machine by employing input strings with the length up to $n - 1$.
Using the skeleton matrices, we now postulate the following existence condition for a corrective controller that realizes fault tolerance against the intermittent fault ω. 
where the equality is taken entry-by-corresponding-entry.
The proof of the above proposition can be induced in a manner similar to the problem of model matching (e.g., refer to [5], [7], [8]).
Control Mechanism
In view of Figure 1, the controller C perceives an occurrence of the intermittent fault ω by observing the state feedback $x$ from Σ. Assume that Σ stays at a stable combination with the state $z_i$ when the external input $v$ changes to $v_i$. Once certifying the occurrence of the intermittent fault ω, C begins corrective control action for realizing fault tolerance. C has two inputs (the external input $v$ and the state feedback $x$) and one output $u$ that serves as the control input to Σ. Hence C is a deterministic input/output asynchronous machine whose form is
where $\Xi$ is the state set, $\xi_0 \in \Xi$ is the initial state, $\phi : \Xi \times X \times A \to \Xi$ is the recursion function, and $\eta : \Xi \times X \times A \to A$ is the output function.
Assume again that Σ has been at the stable state $z_i$ and the intermittent fault ω has occurred to Σ, when the external input changes to $v_i$. To determine whether ω has really happened, C delivers $v_i$ to Σ as the control input by setting $u = v_i$. Upon receiving the incorrect state feedback $x = z_i$, C knows that all the transitions of $F$, including $(z_i, v_i)$, degenerate by fault. Note that this does not mean that ω has occurred just before the external input $v_i$ is transmitted. It may have occurred several steps before; the only information available is that it occurred less than $l$ steps before.
Let us describe in detail the procedure of corrective control. In the beginning, C is at the initial state $\xi_0$. The controller remains in its initial state until it detects a stable combination with the state $z_i$. C then moves to $\xi_t$, termed the transition state [7]. In fundamental mode operation, an input change or occurrence of the intermittent fault can occur only when the machine stays at a stable combination. At $\xi_t$, hence, C anticipates that the input character $v_i$ may enter into the system, thereby preparing fault tolerance.
When the external input v switches to v i at ξ t , C relays it to the machine. Upon receiving the incorrect state feedback x z i (and identifying the occurrence of ω), C initiates corrective action by generating the first control input u 1 to Σ. Σ will be driven to Following the above notations, we denote all the intermediate states Σ passes through by x 1 , x 2 , . . . , x k¡1 with the following relation: 
having lost its normal functionality at the onset of the failure mode, would not provide the correct next stable state in the feedback path. This constraint is applied to all the control input sequences used in the proposed control scheme.
Identifying self counteracting, or finding the moment the state transitions of $F$ regain their normal behavior, is solved automatically when the controller C is faced with any state-input pair belonging to $F$. Recall that even after the occurrence of ω, we specify the behavior of C such that it relays the external input $v_i$ to the machine Σ whenever Σ is at the stable state $z_i$. If Σ still stays in the failure mode, the state feedback remains unchanged from $z_i$. C will then continue to carry out the correction behavior as described above. On the contrary, if the state feedback is observed to be $x = s(z_i, v_i)$, C concludes that the adverse effect of the intermittent fault ω has vanished. After identifying this, the closed-loop system $\Sigma_c$ will return to the normal mode in which C does not conduct any control action; it just relays the external input $v$ to the machine by setting $u = v$.
VHDL Experiment
Consider an input/state asynchronous sequential machine Σ whose state flow diagram is shown in Figure 2 . Here, Figure 2 ), and 4 Ù with x 0 : x 1 . Solid arrows represent normal state transitions and dashed arrows are the elements of F, the set of the state transitions associated with ω:
When ω occurs to Σ, the transitions of $F$ become
We assume $l = 3$, namely the adverse effect of ω vanishes at most 3 steps after its occurrence.
To check the existence of a corrective controller, we first calculate skeleton matrices. A slight examination of
We have implemented on VHDL code the closed-loop system $\Sigma_c$ comprising the asynchronous machine Σ and the corrective controller C, and have conducted an experiment using a fault scenario. It is assumed that the intermittent fault ω occurs to Σ when the machine stays at the stable combination $(x_2, a)$. In our scenario, after 3 steps, i.e., after the external input value changes 3 times, the adverse effect of ω vanishes. Figure 3 shows the result of the VHDL experiment illustrating the control activity of C. $b_1 b_0$ are state bits with the assignment of $x_1 = 00$, $x_2 = 01$, $x_3 = 11$, and $x_4 = 10$. Note that all the signals are interpreted as rising edge-triggered. The asynchronous machine Σ is at the initial state $x_1$ at $t = 0$ nsec, and in response to the change of the input to $a$, it moves to the next stable state $s(x_1, a) = x_2$ at $t = 40$ nsec. At this instant, the intermittent fault ω occurs to Σ, freezing the state-input pairs of $F$. As marked in Figure 3, the external input changes to $b$ at $t = t_1$. But, since Σ is in the failure mode and $(x_2, b) \in F$, the transition does not give the correct result; instead, the machine Σ remains stuck at the state $x_2$. Observing this situation, C perceives the occurrence of ω and begins the corrective control activity.
As the control input sequence for $(x_2, b)$ is chosen to be $r_2 = cb$, C provides Σ with the first control input character $c$ at time $t_2$. Σ then transfers to $x_1$, the first intermediate state in the correction path. Next, C gives the second control input $b$ to Σ, which moves to the goal state $x_3$ at time $t_3$, completing fault tolerance. Since this corrective control is carried out asynchronously, an outer user will observe that Σ moves directly from $x_2$ to $x_3$ in response to the external input $b$. After this control phase, the external input changes again to $d$ (at time $t_4$) and $c$, in response to which Σ moves to $x_2$ and $x_1$. Because the external input is switched three times in total, the adverse effect of ω vanishes right after the external input changes to $c$, i.e., when Σ reaches the stable combination $(x_1, c)$. We see at time $t_5$ of Figure 3 that the next external input is $a$ for which $(x_1, a) \in F$. According to the proposed control scheme, C relays $a$ to Σ and upon receiving the right state feedback $x_2$ at time $t_6$, it ensures that the transitions of $F$ return to the normal status.
Considering the instantaneous transition characteristics of the closed-loop system shown in Figure 3, we assert that this experiment result validates the applicability of the proposed control scheme to real-world digital systems.
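The control mechanism of Section 3 and the fault scenario above can be replayed with a behavioral model. The following Python sketch is an added example, not the authors' VHDL implementation. Because Figure 2 is not reproduced here, the transition table is constructed: only the transitions named in the text are taken from the paper, the pairs involving $x_4$ are assumed, and all function names are hypothetical.

```python
from collections import deque

# Constructed machine: Figure 2 is not on the page, so only the transitions
# named in the text are the paper's; the pairs involving x4 are assumed.
TRANSIENT = {("x1", "a"): "x2", ("x2", "b"): "x3", ("x2", "c"): "x1",
             ("x1", "b"): "x3", ("x3", "d"): "x2", ("x3", "a"): "x4",
             ("x4", "c"): "x1"}
INPUTS = "abcd"
F = frozenset({("x1", "a"), ("x2", "b")})  # pairs frozen in the failure mode

def s(x, v, frozen=frozenset()):
    """Stable recursion function; pairs in `frozen` behave as stable."""
    visited = set()
    while (x, v) in TRANSIENT and (x, v) not in frozen:
        if x in visited:
            raise ValueError("no stable state reached")
        visited.add(x)
        x = TRANSIENT[(x, v)]
    return x

def correction_path(src, dst):
    """Shortest input string taking src to dst that never relies on a pair
    of F (breadth-first search over stable states), or None."""
    parent, queue = {src: None}, deque([src])
    while queue:
        x = queue.popleft()
        if x == dst:
            path = []
            while parent[x] is not None:
                x, v = parent[x]
                path.append(v)
            return "".join(reversed(path))
        for v in INPUTS:
            nxt = s(x, v, F)
            if nxt not in parent:
                parent[nxt] = (x, v)
                queue.append(nxt)
    return None

def closed_loop(x, externals, fault_at, duration):
    """Replay external inputs; the fault is active for input changes
    fault_at .. fault_at+duration-1. Returns (v, u string, state, C's mode)."""
    trace, failure_mode = [], False
    for k, v in enumerate(externals):
        frozen = F if fault_at <= k < fault_at + duration else frozenset()
        goal = s(x, v)                    # nominal next stable state
        u, nxt = v, s(x, v, frozen)       # C always relays v first (u = v)
        if (x, v) in F:                   # only these pairs reveal the fault
            failure_mode = nxt == x       # unchanged feedback means frozen
            if failure_mode:
                r = correction_path(x, goal)
                if r is None:
                    raise RuntimeError("not enough reachability left")
                for c in r:               # drive the machine along r
                    nxt = s(nxt, c, frozen)
                u += r
        x = nxt
        trace.append((v, u, x, "failure" if failure_mode else "normal"))
    return trace
```

Calling `closed_loop("x1", "abdca", fault_at=1, duration=3)` replays the scenario of Figure 3: the second entry of the trace shows C relaying $b$ and then issuing $cb$, and the last entry shows C returning to the normal mode once the relayed $a$ produces the correct feedback.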
Conclusion
In this paper, a corrective control law has been proposed in order to tolerate the intermittent faults occurring to input/state asynchronous sequential machines. The considered intermittent fault has the feature that its influence lasts for a finite time. Realizing fault tolerance depends on the remaining stable reachability of the machine given after part of its transitions degenerates by fault. Also, the corrective controller can know both the occurrence and termination of the intermittent fault whenever the machine enters into the degenerated state-input pairs. The result of the VHDL experiment validates the applicability of the proposed fault tolerance scheme.
