1149
IEEE TRANSACTIONS ON COMPUTERS, VOL. c-23, NO. 11, NOVEmBER 1974
[3]
[4]
[5]
[6]
[7]
[81
[9]
[10]
[11]
[12]
[13]
Issue on High-Speed Memories in Appreciation), vol. EC-14, pp.
706-711, Oct. 1965.
D. B. Armstrong, "On finding a nearly minimal set of fault detection tests for combinational logic nets," IEEE Trans. Electron. Comput. vol. EC-15 pp. 66-73, Feb. 1966.
J. P. Roth, 'Diagnosis of automata failures: A calculus and a
method," IBM J. Res. Develop., vol. 10, pp. 278-294, July 1966.
W. H. Kautz, "Fault testing and diagnosis in combinational
digital circuits," IEEE Trans. Comput., vol. C-17, pp. 352-366,
Apr. 1968.
D. C. Bossen and S. J. Hong, "Cause-effect analysis for multiple
fault detection in combinational networks," IEEE Trans.
Cornput. (Special Issue on Fault-Tolerant Computing), vol. C-20,
pP. 1252-1257, Nov. 1971.
I. Kohavi and Z. Kohavi, "Detection of multiple faults in combinational logic networks," IEEE Trans. Comput., vol. C-21
pp. 556-568, June 1972.
A. D. Friedman, "Fault detection in redundant circuits," IEEE
Trans. Electron. Comput. (Short Notes), vol. EC-16, pp. 99-100,
Feb. 1967.
F. W. Clegg "Use of SPOOF's in the analysis of faulty logic
networks," iEEE Trans. Comput. (Special Issue on FaultTolerant Computing), vol. C-22, pP. 229-234, Mar. 1973.
Z. Kohavi Switching and Finite Automata Theory. New York:
McGraw-Hill, 1970.
R. Dandapani, S. M. Reddy, and J. P. Robinson, "An investigation into redundancy and testability of combinational logic
networks," Themis Project, Automation Theory, Univ. of
Iowa, Iowa City Tech. Rep. 32, Sept. 1970.
E. L. Lawler, "L& approach to multilevel Boolean minimization," J. Ass. Comput. Mach., vol. 11, pp. 283-295 July 1964.
S. M. Reddy, "A design procedure for fault-locataZle switching
circuits," IEEE Trans. Comput. (Short Notes), vol. C-21, pp.
1421-1426, Dec. 1972.
[14] -, "Complete test sets for logic functions," IEEE Trans.
Comput., vol. C-22, pP. 1016-1020, Nov. 1973.
[15] R. Dandapani, "Derivation of minimal test sets for monotonic
logic circuits," IEEE Trans. Comput., vol. C-22, pp. 657-661,
July 1973.
3;_N
ta 2;
0
Ramaswamni Dandapani (S'71) was born in
Nagpur, India, on February 26, 1946. He received the B.Sc. degree from Nagpur University, Naur, India, in 1964, the B.E.
degree from the Indian Institute of Science,
Bangalore, India, in 1967, and the M.S. degree in electrical engineering from the University of Iowa, Iowa City, in 1969.
FXrom
Teaching Assistant in the Department of
1968 to 1971 he was
a
Research and
Electrical Engineering, University of Iowa.
He then joined the Department of Computer Science, University
of Iowa, as a Teaching and Research Assistant, where he worked
towards the Ph.D. degree. He is now with the Department of Engineering Technology.
Sudhakar M. Reddy (S'68-M'68), for a photograph and biography
please see page 48 of the January issue of this TRANSACTIONS.
Design Technique of Fail-Safe Sequential Circuits
Using Flip-Flops For Internal Memory
YOSHIHIRO TOHMA
Abstract-A method for the realization of fail-safe sequential
circuits is presented where flip-flops are employed for representing
the internal states. First, such a design technique where the circuit
will be trapped in an erroneous state into which it is transferred by
a fault is shown. Further, the condition for assuring that the circuit
will be dropped into the particular (predetermined) final state when
a fault exists is described. Finally, some extensions of the technique
are attempted.
Index Terms-Fail-safe, fault, flip-flop, reliable system, sequential
circuit.
I. INTRODUCTION
THE more important role a digital system serves, the
more serious damage a failure of the system may
Manuscript received July 20, 1973; revised May 14, 1974.
The authoi is with the Department of Electronics, Tokyo Institute of Technology, Tokyo, Japan on leave at the Digital Systems
Laboratory, Stanfofd University, Stanford, Calif. 94305.
cause. Fail-safe digital systems [1] are those which produce safe-side output whenever a fault occurs within the
system. In this context, the fail-safe realization of systems
may be considered to be one approach to highly reliable
digital systems.
Several papers [2P[5], [9] concerned with the realization of fail-safe sequential circuits have been published
where the internal states are represented by the outputs
of the delay elements. However, ffip-flops are very often
used for the representation of the internal states [6], [7]
and therefore, it is expected that we can utilize particular
properties of ffip-flop such as those of holding the state
by itself and the DON'T CARE condition for exciting the
J or K input in realizing the fail-safe sequential circuits.
The sequential circuit considered here is as shown in
Fig. 1 where the Mealy-type representation of the circuit
is adopted only for convenience. The ffip-flops are of the
JK type and every excitation circuit to the J or K input
1EEE TRANSACTIONS
1150
Input
X
Ou0tput
Oiltput
a: 00 OO/0 0 1/0
FFn
C:
(a)
.
1974
Inot (x)
P.S.
. > Circuit
Lolic CCT's
COMPUTERS, NOVEMBER
ON
1910
n~~~~~~J-
Representation of
Present state
Fig. 1. A sequential circuit.
is realized independently of any other excitation circuit.
The operation of the circuit is assumed to be synchronous.
II. EFFECT OF FAULT
Before presenting the technique in detail, let us consider
a modulo-3 counter of Fig. 2(a). By using the state assignment of Fig. 2(b), we can determine the excitation function to the J and K inputs as shown in Fig. 2 (c) and (d) .
Assume here that the output of the gate to ki input is
stuck-at-0. We know from Fig. 2(d) that this fault will
affect the state transition from state (11) with input 1.
The circuit will move to state (01), though the true next
state is (00). Therefore, when input sequence 111111
is applied to the circuit in state (00), it will produce
output sequence 001010 which is different from the true
sequence 001001. If an output of the counter of value 1
will activate some other equipment, the second false
output of value 1 in the above sequence may cause unexpected effect and in some cases serious damage to the
whole system which includes the counter. In this sense, we
can say this counter is not fail-safe.
Consider, however, the state assignment of Fig. 3.
Normally the circuit will move through states (000),
(011), and (110). Four new states (001), (010), (100),
and ( 111) will appear when some fault exists in the circuit.
As described later, these states will be called "erroneous
states." In order to realize the fail-safeness, we designed
the circuit in such a way that the next state of any erroneous state was the same as that erroneous state itself
without any regard to input. State (101) was treated as
the DON'T CARE state. The realization of the counter based
on the above state assignment is shown in Fig. 4.
Now let us assumne that the output of the gate to the
J3 input is stuck-at-1. Apparently the state transition
from state (000) is affected by this fault. For instance,
when input 0 is applied, the next state will be (100),
instead of (000). However, what is the next state of this
C: I I
o
1011/0
Ii 1/O 0 0/i
(b)
I
j2j2j11[L.l i
o j
LI o~
00 O O
1
I
,T,.
(c)
8
f
°|
l
I
o
I
a, -x
Kz= x
(d)
Norlndl
I
0
gfoi
4 0o 0
c0 o/0 { l/0
4: 0 Ii oi1/0 uII0/
C,: I0
10I/c
ooc/
=x o
2.
A
modulo-3
counter.
Fig.
Stdt,s
00.1
Erroneous
5Sates
PonJ
i
Ca&re
0
.0 lo.
01/0
0/0
0 0/0
ol
00
1I/O
I I I
0 0
i/0
0/0
0
O
0/o
1/0
0
Fig. 3. A state assignment and a specification of A.
I
Fig. 4. A different realization of the modulo-3 counter.
erroneous state (100)? The excitation condition to the
J3 input is normally DON'T CARE in state (100). Therefore,
the fault does not affect the state transition from state
(100) and hence the next state of state (100) at any
input is the same as the one specified in the design procedure, that is, (100) itself. In a similar way, we can
show that the circuit will be trapped in an erroneous state
1151
TOHMA: FAILLSAFE SEQUENTIAL CIRCUITS
when it is moved into it by some fault. If we design the
circuit in such a way that any erroneous state will produce
the safe-side output with any input, the circuit will never
produce a false critical output, provided the fault occurs
only within the circuitry for determining the state
transition.
As in the above example, a circuit is said to be fail-safe,
if it produces a safe-side output whenever a fault occurs
within the circuit and the circuit goes into the incorrect
state caused by the fault. In Section III a general theorem
concerned with the realization of fail-safe sequential
circuits will be presented.
III. STATE TRAPPING TECHNIQUE
We assume the following hypotheses in what follows.
Hypothesis 1: A fault may occur at some excitation
circuit to a flip-flop or at the output of some ffip-flop. The
effect of a fault in the output circuit of Fig. 1 will be considered in Section V.
Hypothesis 2: Only a single fault occurs. If some gate,
say, NOR gate included in the feedback loop of the flip-flop
becomes faulty and the output of one side of the flip-flop
is accordingly stuck at some value, say, "1," the output
of another side of that flip-flop will take the value complementary to that stuck value. Therefore, we assume the
following condition.
Hypothesis 3: The output of a faulty element is stuckat-i or 0. If the output of one side of a flip-flop, say, fi
is stuck-at-1 (0), the output of another side of that flipflop, fi takes on the complementary value of 0 (1).
Hypothesis 4: The input x and its complement x operate
normally at any time, since these inputs are assumed to
be provided from an external circuit.
A sequential circuit in normal operation is specified by
the following five-tuple.
X Set of input values or alphabets.
Q Set of states which appear during normal operation.
Z Set of output values or alphabets.
6 State transition function during normal operation:
6:X X Q-+Q.
o Output function during normal operation:
w:X X Q Z.
A state q E Q is represented by an n-tuple of the outputs
of ffip-flops, (fjfn_l' -f'). The set of all n-tuples of (fnfn-l
**fi) is denoted by Q. Of course, Q is a subset of Q. The
next state of a state which belongs to Q - Q is not particularly specified as a design condition. However, after
the given sequential circuit is constructed, the next state
of any state of Q is uniquely determined by the circuit
configuration. Therefore, we use another state transition
function A: X>( Q -+ Q, instead of 6, for describing the
state transition behavior of the circuit.
Next, we extend A (and 6) for the case of input sequences, using the same notation. Let X* be a set of all
sequences of input values. For any input sequence x* E X*,
Atx*,q) (6(x*,q)) represents the final state of the circuit
when the input sequence is applied to the circuit in q.
Note that the circuit does not necessarily operate
improperly as soon as a fault occurs within the circuit. In
these circumstances, we do not consider the circuit to
have the fault. We consider that the fault occurs effectively at an instance when the circuit operates improperly
for th first time. In this sense, A will change to Al, when
a fault "occurs." AW(x,q), q E Q means an "erroneous"
state which appears at the presence of the fault. Then, a
set of erroneous states Qe is represented as follows:
Qe = u Ae (x*,q).
(1)
X*eX*; qeQ
There may be many approaches to make a circuit failsafe. The method presented here is based on such an idea
that Q and Q. are disjoint. That is,
Q n Q. =
Q u Qe C Q.
(2)
When the above condition is satisfied, a fail-safe sequential
circuit can be realized by assigning a safe-side output to
each state of Qe.
Now consider that the circuit has been moved to a first
erroneous state q = Ae(x,q) to which the circuit is
dropped from a normal state q of Q by a fault. The true
next state of q should normally be ql_ A (x,q). The
Hamming distance between the state assignments of
q.1 and ql, denoted by dI q.el,ql is 1, since the fault is
assumed to be single and excitation circuits to each ffipflops are independent of each other. Therefore, in order
to make the condition (2) assured, the following condition
is necessary, but not sufficient.
d{qi,qj}
Vqi,qj E Q,
> 2.
(3)
This is a reason why we used the parity check code for
the state assignment in the example of Fig. 3. Further, if
we express a set of such first erroneous states as Q.', Q.'
can be formalized as follows and must be included in QO.
QeI = IqeEI3q'E Q, dIqo1,q'} = 1}
QeI C Qe.
(4)
Faults can be classified into two types according to
their outcome. For any state q of Q, q means the weight
of the state assignment in the following discussion.
Type 1: Using the same notations of q.1 and ql as described before, if q.1 has a false component of value 1, that
is,
q
1
>
I ql
(5)
the fault which causes q61 is classified as Type 1.
Type 2: In contrast, if q,,1 has a false component of value
0, that is,
q
<
the fault is classified as Type 2.
ql
(6)
1152
IEEE TRANSACTIONS ON COMPUTERS, NOVEMBER
Then, the types of every fault occurring at various
elements in the circuit can be identified as follows.
1) The stuck-at-i fault at fi of a flip-flop is apparently
of Type 1 (Since we have assumed the fault dependency
between fi and fi, we refer to the fault at a flip-flop only
as the fault at fi in what follows.)
2) Let 0i be a logical function of the excitation circuit
to the J input of the ith flip-flop. (For convenience, that
excitation circuit will be called the Oi circuit in what
follows.) When a fault occurs within the 0i circuit, 0. will
change to i,,. If the fault is the stuck-at-1 fault,
0,e > 0,
(7)
since no inverter (NOT) gate is included in the 0i circuit.
This relation means that the J input of the ith flip-flop
may be excited improperly when it is not to be excited.
Therefore, this fault is of Type 1.
3) In a similar way, let 4,j and j,pe be a logical function
of the excitation circuit to the K input of the ith flip-flop
and its modified function caused by a fault in the excitation circuit, respectively. (That excitation circuit will be
called simply the 41, circuit.) If the fault is the stuck-at-0
fault,
1974
since all flip-flops other than the ith one will operate
normally. For i,
(13)
Aie (x,q.l) = 1
since the output fi of the ith flip-flop is stuck-at-i. Note
that the value of the output fi of the ith flip-flop in q01,
denoted by fi(q61), is already 1 and A(x,qe') = q.1. Then
(14)
Ai (x,q1l) = 1
A e(x,q.1) = Ai(x,q61).
(15)
Thus, we can conclude that for any j = n 1,
Aej(x,q01)
=
Aj(x,q.1)
Ae(x,q.l) = A(x,qe1)
This is a partial proof of the theorem.
(16)
= qe .
(17)
Case of the Stuck-at-1 Fault at a Gate in the 0, Circuit:
Note again that fi (qel) = 1 and the circuit has been
designed in such a way that Ai (x,qel) = 1. In realizing
this condition, we need only to inhibit the excitation to
the K input of the ith flip-flop when the input x is applied
to the circuit in q.1. That is,
pj(x,q01) = 0
&e < i.
(8)
(18)
Oi(x,q'e) = DON'T CARE.
This means that the K input of the ith flip-flop may not Therefore, the faulty function Oie does not affect the state
be excited when it is to be excited. Therefore, this fault transition from q,' to the next state. This means
is of Type 1.
Aie(x,q6l) = Ai(x,q.1).
(19)
In contrast, we can show that the following three faults
are of Type 2.
Thus (16) and (17) also hold in this case.
4) The stuck-at-0 fault at fi of a flip-flop.
Case of the Stuck-at-O Fault at a Gate in the 'pi Circuit:
5) The stuck-at-0 fault at a gate in the 0i circuit.
According to jIe < 41i and (18), we can conclude
6) The stuck-at-1 fault at a gate in the At, circuit.
0.
(20)
Pje (x,qel)
Now, let us consider the desirable property of A. Apparently, A must have the following relation to
Therefore, ,pie functions correctly when the state transition
occurs from q,' to the next state. Thus we again obtain
Vx E X, Vq E Q, A(x,q) = 6(x,q).
(9) the same conclusion as in the above second case.
Q.E.D.
1
Theorem
is
a
formal
the
representation
of
property
However, the condition (2) has not yet been imposed on
the next state of any state which belongs to Q Q. Then, that the circuit will be trapped in an erroneous state q,'
when the circuit is dropped into it by some fault.
let us specify A in such a way that
IV. DEFINITE FINAL ERRONEOUS STATE
Vx E X,
Vqel C Qel, A(x,qol)
qel.
(10)
The key of the above method is to hold the false value
We can verify the following theorem.
of
the output of a faulty or improper flip-flop. However,
Theorem 1: If the condition (10) is satisfied,
since all flip-flops except the improper one will operate
Vx E XI
normally, we are able to have the circuit placed in the
Vq'l E Qel, Ae(x,qol)
(11)
q,1.
particular final erroneous state. For instance, if the false
Thus, the condition (2) holds.
output of value 1 appears at fi of a flip-flop in q61, we can
Proof: The proof of the theorem will be given for the make
the next state of qe' at any input to be (11-e--1).
case of Type 1 fault only, since the proof for the case of
In contrast, if the false output of value 0 appears at fi
Type 2 fault is obtained in a similar fashion.
in qe,' we can make the next state of qel to be (00... 0)
Case of the Stuck-at-I Fault at f, of a Flip-Flop: Let us
regardless of input. Thus in the example of Fig. 5, the
consider the next state of an erroneous state q,l with an
final erroneous state will be (111) or (000), corresponding
input x E X, that is, Ae(x,q0l). The values of fj in Ae(x,q.1) to
a Type 1 or Type 2 fault, respectively. This propertv
and in A(x,q,1) are denoted by Aje(x,q,l) and Aj(x,qe'),
is apparently desirable, since the final erroneous state
respectively. Then
can give us information about what type of fault exists in
Vj P i, Aje(x,q.l) = Aj(x q 1)
(12) the circuit.
=
8.
-
=
=
1153
TOHMA: FAIL-SAFE SEQUENTIAL CIRCUITS
Erro,eous
state
NSormal
States
caused by both faults of Type 1 and Type 2 in connection
with fh and fl, respectively.
.
(b
I0
l
0/,
%I
o
voA
0
fh
X
d
ft
I
(...1...0 ... )
Erroreovs
Even if we design the next state of q, to be (11... 1), f,
0
00
States
may fail to change its value from 0 to 1 by virtue of the
fault of Type 2. This means that state (11... 1) cannot
Oii
0
0
be the definite final erroneous state. A similar conclusion
results if we assume the next state of q, to be (00... 0).
Q.E.D.
0
Before presenting the next theorem, let us define the
Fig. 5. A state assignInent and a specification of A.
inclusion relation between states.
Definition: Let (aXan1. a,) and (bbbn
1...bi) be state
However, consider the previous example of Fig. 3. assignments of two states qa and qb, respectively. If and
Erroneous state (010) may be caused by a fault of Type only if for any j = n - 1, aj > bj, then qa includes qb. This
1, say, the stuck-at-i fault in the 02 circuit, while it may relation is expressed by
also be caused by a fault of Type 2, say, the stuck-at-0
(21)
qa > qbfault at the output fl of the first flip-flop. In this case, we
cannot assure definitely what the next state of (010) is
Then the next theorem shows the condition of state
at the presence of the fault, unless it is designed to be assignment which assures the condition of Lemma 2 for
(010) itself. Thus we have little information about the dividing Q.' into two disjoint subsets.
-type of fault here.
Theorem 2: If and only if Q does not have such two
Now let us formally define the "definite final erroneous states qi and qj that qi 2 qj and d{qi,qj} = 2, then the
state" as follows.
circuit can have the definite final erroneous states.1
Definition: q(+) and q(-) are defined as the definite final
Proof: Assume such qi and qj exist in Q that qi 2 qj,
erroneous states if and only if the circuit will move to and d{qi,qj} = 2. qi and qj can be expressed as follows:
q(+) and q(.) and stay there finally whenever the Type 1
fault and the Type 2 fault occur within the circuit, refh ft
qc.
i)
spectively
1 I
Then, we obtain the following theorems.
qi: * **-)
Lemma 1: If the definite final erroneous states exist,
(22)
qj:( 0...0O...
q(+) and q(-) should be (11... 1) and (00 .0), respectively.
where the tuples expressed by the dots are equal in both
Proof: Let q(+)' be a definite final erroneous state states. Then, consider a state .. 1... 0...) q,. Apwhich is caused by a fault of Type 1 and different from parently, q,, E Q.' and may be caused from qj by a fault
(11- -1). Then, at least, one state variable, say, fk, of of Type 1. Since it may also be caused from qi by a fault
value 0 exists in q(+)'. This means that fk never takes a of Type 2, qU E Q.l' n Q,l2, that is, Q.11 n Qe.2 $ 4.
false value 1, and therefore, leads to the contradiction
Conversely, if Q."' n Q.12 $£ 4, the following q., which
to Hypothesis 3. A similar argument holds with respect belongs to both Qe." and Q.12 exists.
to q(-).
Q.E.D.
Lemma 2: The necessary and sufficient condition for
3qj,qj C Q, d{qi,q.} = 1,
Isil > Iq,l,
the circuit to have the definite final erroneous states is
d{qj,q,} = 1,
I q.l < Iq,. (23)
that any erroneous state of Q.' is classified into two disjoint subsets by the type of fault which causes that er- This implies that qi 2 qj and d{qi,qj} = 2.
Q.E.D.
roneous state
Note that the example of Fig. 3 does not satisfy the
Proof: Let Q." and Qe12 be subsets of erroneous states condition of this theorem, but the example of Fig. 5 does.
of QW, caused by the faults of Type 1 and Type 2, respecThe following state assignments are actually useful
tively. If Q.U1 n Q612 = 4), it suffices to design the state from the practical point of view.
transition of states of Qel in such a way that
Vq.1 C Qe.', Vx C X, A(x,q01) = (11... 1)
1 It must be pointed out that if the circuit has a fault E7 at some
which affects the state transition from an erroneous state to
gate
=
Vx
C
E
Vq.1 Q612,
X, A(x,q.1) (00 .0).
q(+) or q(-), the circuit still operates properly, because it stays in
state. However, when one more fault E. occurs which causes
On the other hand, the assumption that Q,11 n Q.12 $ 4 normal
the circuit to move from a normal state to an erroneous state, the
circuit may not go to q(+) or q(.) by the effect of both faults E, and
readily leads to the following contradiction. From the En.
In this case, the circuit is considered to have two failts and
assumption, we can consider such a state q, that may be therefore,
this case is not included in the scope of this paper.
IEEE TRANSACTIONS ON COMPUTERS, NOVEMBER 1974
1154
Corollary 1: A state assignment using the constantweight code always satisfies the condition of Theorem 2.
It is known that if we use the constant-weight code for
the state assignment, we need only one or two redundant
state variables in most practical cases.
Corollary 2: The minimum distance three-state assignment also satisfies the condition of Theorem 2.
V. SOME CONSIDERATIONS BEYOND THE
LIMITATION OF THE HYPOTHESES
A. Fail-Safe Realization of the Output Circuit
Since the output circuit of a sequential circuit is only a
combinational circuit, many techniques for the realization
of fail-safe combinational circuits are applicable [1j, [8],
[9]. Among those, the so-called "double-rail trick" and
the application of the constant-weight code to the output
circuit may be most feasible.
Since a state variable is represented by the output of a
flip-flop, its complement is readily obtained from the
output of another side of that flip-flop. As shown in Fig.
6(a), the complemented output of the sequential circuit
can be obtained simply by combining the outputs of the
complemented state variables with the complemented
input x through logic gates which are dual to those in the
uncomplemented output circuit. If a fault occurs within
either the uncomplemented or complemented output
circuits, it will violate the relation that both outputs z and z
are complementary to each other. If we design the peripheral circuits so as not to react upon such output situations,
those output pairs can be considered safe-side and
hence, the whole output circuit consisting of both the
complemented and uncomplemented output circuits is
UpIfuWfeJ
OA r
(fl...
_f.D.41
(b)
(a)
Fig. 6. Fail-safe realization of the output circuit.
VI. CONCLUSION
A method for the realization of fail-safe sequential
circuits has been presented. It should be emphasized that
only one redundant flip-flop is required if the technique
described in Section III is used.
ACKNOWLEDGMENT
The author wishes to thank Prof. E. J. McCluskey and
R. Ogus of Stanford University for their encouragement
and comment in preparing this paper.
REFERENCES
[1] H. Mine and Y. Koga, "Basic properties and a construction
method for fail-safe logical systems," IEEE Trans. Eledron.
Comput., vol. EC-16, pp. 282-289, June 1967.
[2] T. Watanabe, Y. Takahashi, and H. Enomoto, "A method of
realization of fail-safe sequential circuits" (in Japanese), in
Proc. Joint Conv. Inst. Elec. Eng. Jap., no. 1984, Apr. 1966.
[3] N. Tokura, T. Kasami, and A. Hashimoto, "Failsafe logic nets,"
IEEE Trans. Comput. (Short Notes), vol. C-20, pp. 323-330,
Mar. 1971.
[4] Y. Tohma, Y. Ohyama and R. Sakai, "Realization of fail-safe
sequential machines by using a k-out-of-n code," IEEE Trans.
Comput., vol. C-20, pp. 1270-1275, Nov. 1971.
[5] M. Diaz, J. C. Geffroy, and M. Courvoisier, "On-set realization
of fail-safe sequential machines," in 1973 Int. Symp. FaultTolerant Computing, June 1973.
[6] H. A. Curtis, "Systematic procedures for realizing synchronous
sequential machines using flip-flop memory: Part I," IEEE
Trans. Comput., vol. C-18, pp. 1121-1127, Dec. 1969.
[7] -' "Systematic procedures for realizing synchronous sequential machines using flip-flop memory: Part II," IEEE Trans.
Comput., vol. C-19 pp. 66-73, Jan. 1970.
[8] H. Hirayama, T. Vatanabe, and Y. Urano, "Synthesis of failsafe logical systems" (in Japanese), J. Inst. Electron. Commun.
Eng Jap vol. 52-C, pp. 33-40 Jan. 1969.
[9] T. Takaoka and T. Ibaraki, "V fail-safe sequential machines,"
IEEE Trans. Comput., vol. C-21, pp. 1189-1196, Nov. 1972.
fail-safe.
We can consider another similar case where the constant-weight code, say, r-out-of-p code, is used for the
output assignment. If the output circuits to each p output
lines are independent of each other as shown in Fig. 6(b),
a fault in an output circuit may cause an output with
weight not equal to r. If the peripheral circuits are carefully designed not to react upon such outputs, those
outputs can be again considered safe-side and hence, the
output circuit is fail-safe.
B. Use of Gates Common to Several Excitation Circuits
It is apparently desirable to use gates or subcircuits
Yoshihiro Tohma was born in Kawasaki,
commonly in several excitation circuits, if possible. Howon August 22, 1933. He received the
Japan,
ever, since a single fault at such a gate may affect the
B.S., M.S., and Dr.Eng. degrees in electrical
values of several flip-flops, such a case may arise where
engineering from the Tokyo Institute of Technology, Tokyo, Japan, in 1956, 1958, and
some ffip-flop has the false value 1, while the other has
1961, respectively.
the false value 0. Therefore, the condition (2) is no longer
In 1961 he joined the staff of the Tokyo
assured. A way to avoid this complicated situation is to
Institute of Technology, where he is now an
Associate Professor in the Department of
restrict the use of common gates only within excitation
Electrical and Electronics Engineering. He
circuits to the J inputs of flip-flops, or only within those
has been engaged in research on switching
to the K inputs. In those cases, a fault at a common gate theory and his current research interests are in the realization of
digital systems.
mny cause flip-flops only to have either false value 1 or 0 ultrareliable
Dr. Tohma is a member of the Institute of Electronics and Comand' hence, the state trapping technique described in munication
Engineers of Japan, the Information Processing Society
Section III is also applicable.
of Japan, and the Institute of Electrical Engineers of Japan.