Synthesis of Delay-Verifiable Combinational Circuits

IEEE TRANSACTIONS ON COMPUTERS, VOL. 44, NO. 2, FEBRUARY 1995 213

Synthesis of Delay-Verifiable Combinational Circuits Wuudiann Ke, Member, IEEE, and Premachandran R. Menon, Fellow, IEEE

Abstract- We address the problem of testing circuits for temporal correctness. A circuit is considered delay-verifible if its timing correctness can be established by applying delay tests. It is shown that verifying the Wing of a circuit may require tests which can detect the simultaneous presence of more than one path delay fault. We provide a general framework for examining delay- verifiability by introducing a special class of faults calledprimitive path delay faub . It is necessary and sac ient to test every fault in this class to ensure the temporal correctness of combinational circuits. Based on this result, we develop a synthesis procedure for combinational circuits that can be tested for correct timing. Ex- perimental data show that such implementations usually require less area than completely delay testable implementations.

Index Terms-Testing for timing correctness, path-delay faults, delay-verification tests, primitive path-delay faults, synthesis for delay-verifiability .

I. INTRODUCTION HE demand for increasing performance of digital circuits T has resulted in the need for operating them at the highest

possible speeds. This, in turn, has made it necessary to test manufactured chips not only for functional correctness, but also for correct operation at intended speeds. Departure from the correct temporal behavior is usually modeled by delay faults. The path delay fault model [15], which assumes that the delay along a path may increase beyond a specified range, is generally considered to be adequate for modeling incorrect temporal behavior.

To ensure test quality, tests are required to be robust. A test for a particular path delay fault is considered robust if the output at the sampling time, in the presence of the fault, is different from the correct value, independent of the delays in the rest of the circuit [13]. Robust tests may not exist for all path delay faults in an arbitrary circuit. Some nonrobust tests can be shown to be valid if certain other faults have been tested robustly [7], [12]. Such tests, called validatable nonrobust (VNR) tests, can be used together with robust tests to improve the coverage of path delay faults.

Since many path delay faults in typical combinationpl circuits may have neither robust nor VNR tests [13], there has been considerable interest in synthesis techniques for delay fault testable combinational circuits. The method based on Shannon’s expansion presented in [lo] guarantees robust

Manuscript received December 1993; revised April 1994. This work was supported in part by the National Science Foundation under Grant MIP- 9311185.

W. Ke was with the Department of Electrical and Computer Engineering, University of Massachusetts, Amherst, MA. He is now with AT&T Bell Laboratories, Princeton, NJ 08542 USA.

P. R. Menon is with the Department of Electrical and Computer Engineer- ing, University of Massachusetts, Amherst, MA 01003 USA.

IEEE Log Number 9407122.

testability of all path delay faults, but the area overhead was found to be large. Synthesis procedures which produce circuits with high levels of delay fault testability are proposed in [61. This approach is based on algebraic factorization of a Boolean cover that satisfies the necessary and sufficient conditions for robust delay fault testability. However, this method does not guarantee complete robust testability as covers satisfying the required conditions may not exist for some functions. Some transformations from two-level to three- or four-level factored forms to eliminate undetectable delay faults are given in [8]. Algebraic factorization of these circuits has produced multilevel circuits with complete robust coverage of path delay faults in most of the PLA synthesis benchmarks from [2]. All the approaches mentioned above impose constraints on how the circuit is synthesized and usually result in increased area. It has been shown in [7] that the necessary and sufficient conditions for VNR testability are less stringent than those for robust testability and offer more freedom in synthesizing area- efficient circuits. However, the two-level implementation of each output function must be prime and irredundant, reducing the possibility of sharing logic.

It has been shown in [ l l ] that complete path-delay-fault testability is not necessary to guarantee temporal correctness of circuits. A method is proposed to identify a maximal set of faults that need not be considered in delay testing. Some sufficient conditions are also provided in [4] to identify path delay faults that need not be tested because their delays will not determine the performance of circuits. In both methods, the set of faults that must be tested may contain untestable faults, leading to the conclusion that the circuit cannot be tested for correct performance. However, it may be possible to verify the timing correctness of the circuit, as we shall show later.

The main contributions of this paper are the concept of delay-verijability and a synthesis method for delay-verifiable combinational circuits. A circuit is said to be delay-ver$ubZe if its correct timing at the operating speed and also at any slower speed can be guaranteed by applying delay tests. We provide a general framework for examining delay-verifiability of arbitrary combinational circuits by introducing a special class of faults, called primitive path delay faults. We then show that it is necessary and suficient to test every fault in this class to ensure the temporal correctness of a combinational circuit. Based on this result, we develop necessary and sufficient conditions for delay-verifiability and provide synthesis procedures for delay-verifiable circuits. Experimental data show that circuits obtained by our procedure usually require less area than completely delay testable implementations.

The paper is organized as follows. The basic model and terminology for delay testing are given in Section 11. Section

0018-9340/95$04.00 0 1995 IEEE

214 IEEE TRANSACTIONS ON COMPUTERS. VOL. 44, NO. 2, FEBRUARY 1995

I11 illustrates the concept of delay-verifiability by some examples. Primitive path delay faults are then defined in Section IV. Identification of primitive faults in two-level circuits is presented in Section V. In Section VI, we develop necessary and sufficient conditions for two-level circuits to be delay- verifiable. The synthesis algorithm and experimental results are given in Sections VI1 and VIII, respectively. We conclude in Section IX by summarizing our results.

11. PRELIMINARIES In this section, we present the terminology that will be used

in this paper, most of which can be found in 151, 171, [12], [13]. A path T in a combinational circuit is an alternating sequence of gates and leads,-{go, lo , g1,11, . . . , gn, l,, gn+l} , where lead I ; , 0 5 i 5 n, connects the output of gate g; to an input of gate g;+1. go and gn+l are the primary input and output, respectively. The lead l,, 0 5 i 5 n, on path T is referred to as the on-input of T. Any input of gi that is not an on-input is called a side-input of T. Since the sequence of leads uniquely identifies a path, we shall frequently use such sequences to represent paths.

Two path delay faults are associated with each pathb-one for the rising transition and one for the falling transition. We shall consider only faults that increase delays. Decreases in delays can be treated in a similar manner. Path delay faults will be represented by the direction of transition at the primary output, t (rising) or 1 (falling), followed by the path.

A test for a path delay fault in a combinational circuit consists of a sequence of two vectors, ( V I , w2) applied at times t o and t l , respectively. The time between to and t l , i.e., tl - to , is assumed to be long enough for the circuit to reach a stable state with the vector VI. The outputs are sampled at t 2 , where t 2 - t l is the test clock period T and is usually equal to the intended operating clock interval. The vectors w1 and ~2 are such that a transition in the appropriate direction is launched and propagated along the path under test.

A test T for a particular path delay fault F is said to be robust if the sampled output in response to T in the presence of F is different from the expected output, independent of the delays in the rest of the circuit 1131. All other tests are called nonrobust tests. A nonrobust test T is said to be a validatable nonrobust (VNR) test, iff there exists a set of tests S 3 { T } such that no element in S is a robust test for F , and the correct response to S implies that the fault F is not present in the circuit under test. In terms of fault detection, VNR tests are as good as robust tests if the effects of inertial delays can be ignored as discussed in [7]. These effects will also be ignored in this paper. We shall use the term RV tests to denote tests that are robust or validatable nonrobust. A circuit is RV-testable if there is a robust or VNR test for every single path delay fault.

Note that the above definition of VNR tests differs slightly from those in [13] and [7]. These papers define a VNR test as a set of vector pairs (the set S in the above definition), whereas we define it as a vector pair T. The tests in S - { T } are needed for validating the test T . An additional difference between our definition and that in 171 is that the latter also

treats robust tests as VNR tests. Thus, RV tests correspond to VNR tests of [7].

Consider a two-level AND-OR circuit C implementing a function f . A literal is a Boolean variable or its complement. A cube is a set of literals and corresponds to an AND gate in C. A cover is a set of cubes which covers the ON set of f but not any vertex in its OFF set. A 0-vertex (I-vertex) is a vertex in the OFF (ON) set of f . A vertex is called a relatively essential vertex of a cube q if the vertex is contained in q but in no other cube of the cover.

The controlling value at a gate input is the value that determines the value at the output of the gate, independent of the other inputs. Its complement is called the noncontrolling value. For an AND (OR) or NAND (NOR) gate, 0 (1) is the controlling value while 1 (0) is the noncontrolling value.

111. DELAY VERIFICATION

Delay verification, which is the focus of this paper, is based on the application of an appropriate set of delay tests to guarantee that the circuit can be operated at the intended speed.

Definition I : A set of path delay tests is called a strong delay-veriBcation test set if the correct response to this set implies that the circuit will perform correctly at the test clock period, r , and also at any slower speed. A weak delay- verification test set is similarly defined, but correct operation

We shall illustrate the concept of delay-verification by means of a few simple examples.

Example 1: In the circuit of Fig. 1, all path delay faults except those on adf are detectable by robust tests. Test abc = (011, 111), validatable by a robust test for fault lZef, is a VNR test for Tadf. Fault ladf is untestable. The signal values for the vector pair (111, O l l ) , which propagates a falling transition from a to d are shown in the figure. The fault ladf can produce an incorrect output only if the rising transition at e is also late, but this condition will be detected by a robust test for TZef. If the circuit passes the robust test for Ttief, fault ladf is guaranteed not to affect the timing of the circuit. The circuit is not RV-testable but the set of tests for the detectable faults forms a strong delay-verification test set and the correct response to this test set guarantees the correct operation of the circuit. Note that this implementation uses an

0 This example demonstrates a case where the delay of an

individual path will not affect the delay of the circuit if the delays of some other paths have been verified to be correct. Although the set of tests for the detectable faults forms a strong delay-verification test set in this example, this is not always the case. Furthermore, not all circuits have strong delay-verification test sets.

Example 2: Fig. 2 shows a circuit which does not have a strong delay-verification test set. All faults except t bd f , lbdf , Tbe f , and l b e f are testable by robust tests. The reader can verify that the eight robust tests together with the nonrobust tests (101, 11 1) and ( 1 11, 101) constitute a weak verification test set. In this case, even the exhaustive set consisting of all the vector pairs is not a strong verification test set. The signal

is guaranteed only at the tested speed.

implicant abc, which is not prime.

ICE! AND MENON: SYNTHESIS OF DELAY-VERIFIABLE COMBINATIONAL CIRCUITS 215

- L a

J--r 1 c z+

Fig. 1. A circuit that has a strong delay verification test set (Example 1).

b C

C

(a)

Fig. 2. A circuit that does not have a strong delay verification test set (Example 2).

ab 00 01 11 10

values in the circuit for the two tests (101, 111) and (111, 101) are shown in Figs. 2(a) and (b), respectively. If there are no path delay faults, any output pulse that may occur will occur before the sampling time t 2 . Faults on the paths from b and 6 may result in an output pulse occurring later. Such faults may or may not be detected at time t z . Therefore, the correct response for these two tests only guarantees that the circuit will operate correctly if the clock period is the test clock period 7, but the delayed pulse due to the path delay fault may cause incorrect operation at a slower clock speed.0

To accommodate possible input skews, voltage variations, and some environmental factors, delay testing is usually performed at a speed that is slightly higher than the intended operating speed. A circuit that passes a weak delay-verification test set may therefore fail at the intended operating speed. Even if the operating clock period is the same as the test clock period, there is a reliability issue for circuits that pass only the weak delay-verification test set. Therefore, this paper will consider strong delay-verification test sets.

Dejinition 2: A circuit which has a strong delay-verification 0

RV-testable circuits are delay-verifiable, but the converse may not be true. As circuits are not always delay-verifiable, we shall derive necessary and sufficient conditions for delay- verifiability. We shall show later that delay-verifiability may require detection of the simultaneous presence of more than one path delay fault. Let us first demonstrate it by an example.

Example 3: In the circuit of Fig. 3, all path delay faults except Tcdgf and TEehf are robustly testable. Consider a manufactured circuit that passes the set of tests for the testable faults. The timing of the circuit can be incorrect only if one or both of the untestable faults exist. In the case when only one of them is present, the circuit will operate correctly at the test clock speed or any slower speed. Suppose tcehf is present while Tdgf is not. The signal values for the vector pair abc = (1 11, 1 lo), where there is a rising transition propagating from E to h, are shown in the figure. The fault TEehf can

test set will be called a deluy-ver$able circuit.

I

L

Fig. 3. (Example 3).

A circuit illustrating the need for testing multiple path delay faults

produce an incorrect output only if the rising transition at g is also late, but this situation will not happen because fault TEdgf is not present. For the case when f d g f is present and TEehf is not, we obtain the same result. Therefore, we do not have to worry about the case when only one of the untestable faults is present. However, we cannot ignore the case when both are present.

Suppose both untestable faults are present. With the signal values shown in the figure, the circuit will sample a wrong value 0 at time t z . This incorrect temporal behavior can be detected by applying test abc = (1 11, 110). Vector pair (1 11, 110) is not a test for any single path-delay fault, but is able to detect the simultaneous existence of faults f d g f and TEehf. Since this test will detect the coexistence of these two faults independent of delays in the rest of the circuit, it is actually a robust test. We can include test abc = (111, 110) with the set of tests for the testable single faults to form a strong verification test set and this test set will detect every case where the timing of the circuit is incorrect; thus the circuit is

0 If we apply the method of [ 111 to the circuit of Example 3,

only fEdg f or Tceh f can be identified as unnecessary to test. Since neither of these two faults is RV-testable, 100% fault coverage is unattainable. However, a strong delay verification test set exists, which can be obtained by considering one

delay-verifiable although it is not RV-testable.

216 IEEE TRANSACTIONS ON COMPUTERS, VOL. 44, NO. 2, FEBRUARY 1995

multiple fault as shown above. This motivates us to define a new class of path delay faults which include multiple path delay faults and whose verification is sufficient to guarantee the temporal correctness of the circuit.

Iv . PRIMITIVE PATH DELAY FAULTS

Example 3 has illustrated the need to test for certain multiple path delay faults. While there are too many multiple path delay faults to be tested in a reasonable amount of time, we shall show that it is necessary and sufficient to test for a special class of multiple path delay faults, that is of relatively small size.

To simplify discussion, in the rest of this section, we will assume that the circuit is a tree circuit, in which fanouts and inversions are allowed only at primary inputs. Nontree circuits can be always converted to this form by unfolding and applying DeMorgan’s law to move inversions toward primary inputs. There is a one-to-one correspondence between a path in the nontree circuit and its corresponding tree circuit. Every path in the tree will start from a literal, which will be called the path input.

Dejinition 3: A single-path is a path from an input literal to a primary output. A multiple-path is a set of single-paths that share the same primary output. A multiple-path rI1 is said to be a (proper) subpath of a multiple-path I I 2 if II1 C ( c ) I I 2 .

A lead is an on-input of a multiple-path if it is on the multiple- path. A lead is a side-input if it is an input to a gate on the

0 According to the definition, a single-path is also a multiple-

path. In Example 3, Edgf and Eeh f are two single-paths while the set { E d g f , E e h f } consisting of these two single-paths is a multiple-path.

Dejinition 4: A multiple-path-deluy-jiiult (MPDF) TII (LII), where II is a multiple-path, represents the condition in which every single-path T E II has a fault T j . (1~). Let Fl and F2 be MPDF’s with the same transition direction on paths I31 and I I 2 , respectively. Then F1 is said to be a (proper) subfault of

0 Dejinition 5: A test T for an MPDF F is a vector pair

which launches and propagates transitions along the multiple- path. It is robust if the application of T will sample an incorrect output value in the presence of F , independent of the delays in the rest of the circuit. It is validutable if the detection can be shown to be valid if certain other paths can be tested

The test abc = (1 11, 110) in Example 3 is a robust test for the MPDF 7 { d g f , Eehf }.

Definition 6: A MPDF TII (In) is said to be sensitizable iff there exists a pair of vectors that launches 0 4 1 ( I +

0) transitions at all path inputs and the final value at each side-input of II is a noncontrolling value. Otherwise, it is nonsensitizable. A multiple-path II is said to be sensitizable for a 0 + 1 (1 + 0) transition if TII (LII) is sensitizuble.

Faults f E d g f and TEehf in Example 3 are both nonsensitizable, but f { E d g f , Zeh f } is sensitizable.

As we will focus on multiple-paths, the term “path“ (“fault”) will refer to “multiple-path” (“MPDF”) in the rest of the

multiple-path but is not an on-input.

F2 if II1 C ( c ) I I 2 .

robustly.

paper. We will not mention the direction of the transition in a statement if it applies for both directions.

Lemma 1: Nonsensitizable faults can affect the circuit delay only if there are sensitizable faults in the circuit.

Proof: Suppose there is a nonsensitizable fault F on II and it affects the circuit delay. And assume that no subfault of F is sensitizable. Since the fault affects circuit delay, there must be a vector pair for which the circuit delay is determined by the delay of II. Since F is not sensitizable, there must be a side-input of II which has a controlling final value. Let G be a gate whose side-input has the controlling value. The fault F can affect the timing of the output transition only if the final value of the on-input of G is also the controlling value and changes before the signal on the side-input. This implies that there exists another fault F’ on a path through G that also affects the circuit delay. If all faults F U F’ are not sensitizable, we can replace F by F U F’ and repeat the

0 The lemma implies that we do not have to test nonsensitiz-

able faults if every sensitizable fault has been tested. Therefore testing for all sensitizable faults is sufficient to verify the delay of the circuit. We now define a special class of sensitizable faults, which will further reduce the number of faults that need to be considered for verifying the circuit delay.

Dejinition 7: A fault TII (In) is said to be primitive if 1) it is sensitizable and 2) none of its proper subfaults is sensitizable. II is said to be a 0 --f 1 (1 + 0) primitive path,

In Example 3, TEdgf and TEehf are both nonsensitizable but f{?dgf, Eeh f } is sensitizable; thus T { E d g f , Eeh f } is primitive.

We shall now establish the relationship between delay- verifiability of circuits and the testability of primitive faults.

Lemma 2: Any RV-test for a subfault of an MPDF F is also an RV-test for F .

Proof: Let F, be a subfault of F and F,’ = F - F,. Suppose T is an RV-test for F,. Based on the definition of RV- tests, T will detect F, even if fault F,‘ is present; furthermore, the detection of F, U F,’ is independent of the delays in the rest of the circuit. Since F = F, U F,‘, T is also a RV-test for F . 0

Theorem 1: A set of vector-pairs is a strong delay verification set iff it contains an RV-test for every primitive fault.

Pro08 (SufJiciency) Follows from Lemma 1 and Lemma 2.

Necessity: Let F be a primitive fault that is not RV- testable in a circuit C. From the definition of primitive fault, F must be sensitizable. This implies that there is a vector pair that may produce an incorrect output if F is present. Therefore,

0 Unlike the concept of primitive faults, the approach pub-

lished in [ l l ] only identifies a set of faults, called robust dependent (RD) faults, that need not be tested if all remaining single faults are tested by robust tests. The set of RD faults for a circuit may not be unique, and all non-RD faults may not be testable by robust tests. In such cases, nothing about the delay- verifiability of the circuit can be inferred. The redundandant

process until a sensitizable fault is found.

iff tII(lII) is primitive. 0

the circuit C is not delay-verifiable.

KE AND MENON: SYNTHESIS OF DELAY-VERIFIABLE COMBINATIONAL CIRCUITS 217

path delay faults defined in [4] are a subset of RD faults. Primitive faults, on the other hand, specify the necessary and sufficient set of faults, including MPDF’s, to be tested for delay verification. In principle, they can be used to derive a delay verification test set for any circuit, or prove that the circuit is not delay-verifiable. In Example 3, one fault in each of the non-RD sets was not robustly testable. However, the MPDF consisting of the two faults was a primitive fault and could be tested by a robust test.

In practice, identifying all primitive faults in an arbitrary circuit is not an easy task. Fortunately, identification of primitive faults is relatively easy in two-level circuits. And in our synthesis approach, there is no need to identify primitive faults in arbitrary multilevel circuits. This will become clear later.

v . IDENTIFICATION OF PRIMITIVE FAULTS IN TWO-LEVEL CIRCUITS

To find a strong delay verification set, we must identify all primitive faults and then generate a test for each of them. In this section, we will present necessary and sufficient conditions for primitive faults in two-level circuits. For multilevel circuits, similar conditions can be obtained on their Equivalent Normal Forms (ENF’s) [I J, [SI as is detailed in [9].

Dejnition 8: Consider a two-level AND-OR circuit C with a cover E. A set of literals L = {Z1, / a , . . . , Zk} is said to be a prime literal set in cube q, q E E , if L q and q - L contains a 0-vertex. If L does not satisfy the above condition, then it is called a nonprime literal set in q. When the literal set contains only one literal, the word “set” is omitted. A prime literal set L is said to be minimal if every proper subset of L is nonprime. A circuit is said to be prime if every literal set

0 For the function f = q 1 + 42 + 43, where 41 = aE, q2 = abc

and q3 = Ec. Neither a nor c is prime in q 2 , but { a , c } is prime, therefore { a , c } is also minimal.

DeJnition 9: Consider a two-level AND-OR circuit C with a cover E. A set of cubes Q E is said to be a redundant cube set if E - Q contains the same vertices as E, otherwise it is irredundant. An irredundant cube set Q is said to be minimal if every proper subset of Q is redundant. A circuit is said to be irredundant if every cube is irredundant, otherwise it is said to be redundant.

For the function f = q1+ q2 + q3 + q4, where q1 = aF, q2 = ab, q3 = ac and 44 = bc, cubes q2 and q4 are redundant but cube set { q z , q4 ) is irredundant and is also minimal.

In two-level AND-OR circuits, primitive faults can be identified by examining the primality of the literal sets from which the paths start and the irredundancy of the corresponding cubes.

Lemma 3: In a two-level AND-OR single-output circuit C, fault JII is primitive iff II 1) goes through only one AND gate and 2) starts with a minimal prime literal set L of a cube 4 .

Pro08 Sufficiency: It follows from Definition 6 and 8 that LII is sensitizable because L is a prime literal set. Since L is minimal, no proper subfault of JII starts from a prime literal set; therefore, no proper subfault of 1II is sensitizable.

in every cube is prime.

- ’

Necessity: Suppose II goes through more than one AND gate. For LII to be sensitizable, some proper subpath II, of II that goes through only one AND gate must start from a prime literal set, otherwise a 1 -+ 0 transition cannot be produced at the output by changing literals in the set. But if 113 starts with a prime literal set, then LII, is sensitizable, and JII will not be primitive. Therefore, II can go through only one AND gate. If L is a nonprime literal set, then III is not sensitizable, thus it is not primitive. If II, is a proper subpath of II which originates from a prime literal set, then JII, is sensitizable, and thus III is not primitive. Therefore, L must be prime and minimal.

Lemma 4: Let Il go through a set of cubes Q in a two-level AND-OR single-output circuit. Fault TII is primitive iff 1) no two single-paths E II go through the same cube and 2) Q is a minimal irredundant cube set.

Proof: Suficiency: Since Q is irredundant and minimal, there must exist a 1-vertex w2 that is contained by every cube E Q but not by other cubes. Under ‘02, all side-inputs of II will have noncontrolling values, thus T I 3 is sensitizable. Now we shall show that no proper subfault of TII is sensitizable. Since no two single-paths E II go through the same cube, any proper subfault of TII should go through a cube set Q’ C Q. Since Q is minimal, Q‘ is redundant. As Q’ is redundant, any vertex covered by Q’ is also covered by some other cubes

Q. Therefore, any 0 -+ 1 transition propagating along a path through Q‘ will be masked by a 0 -+ 1 transition in a path not through Q’, i.e., there will be a controlling 1 produced at the OR-gate input by a path other than that through Q’. Therefore, no proper subfault of TII will be sensitizable.

Necessity: If two paths of II go through the same cube and TII is sensitizable, any proper subfault of tII containing a single-path fault going through each cube of Q will be sensitizable, thus TII is not primitive. If Q is redundant, as shown above, TII is not sensitizable. If Q is irredundant but not minimal, then a proper subfault of tII will go through a minimal irredundant cube set and will be sensitizable, thus TII

In an irredundant circuit, every cube will be an irredundant cube, so every single-path delay fault for a 0 -+ 1 transition is primitive.

Theorem 2: In an irredundant two-level AND-OR circuit, there are only two types of primitive faults:

1) JII, where II goes through only one AND gate and starts from a minimal prime literal set;

2) Tn, where 7r is a single-path.

is not primitive. 0

Proofi It follows directly from Lemma 3 and Lemma 4. 0

VI. DELAY-VERIFIABLE TWO-LEVEL CIRCUITS

Because we have observed that most of the existing designs are not delay-verifiable, we shall focus on developing a method for obtaining delay-verifiable circuits. In this section, we investigate necessary and sufficient conditions for delay- verifiable two-level AND-OR circuits. The results also apply to the ENF of multilevel circuits. The concept and results based

218 IEEE TRANSACTIONS ON COMPUTERS, VOL. 44. NO. 2, FEBRUARY 1995

on primitive faults will be used to guide the synthesis process for delay-verifiability.

We shall first examine the necessary and sufficient conditions for a primitive fault to be RV-testable. We consider only irredundant circuits, therefore only the two types of faults mentioned in Theorem 2 will be examined. We denote the value of the output of a circuit C and a cube q under a vector 21 by C(v) and q(v), respectively. Similarly, we denote the value of a literal I in a cube q by ql(v).

Theorem 3: Consider an irredundant two-level AND-OR single-output circuit C. Let ll be a path that starts from a literal set L = {Il,I2,...,Zb} in a cube q. LII is robustly testable iff L is prime in q.

Proofi Suficiency: As L is prime in q, we can find a 1-vertex u1 contained in q and a 0-vertex v2 = 211 - L + {G,G,... For each literal m E q and m 4 L, qm(vl) = qm(w2) = 1. For each cube p # q in the circuit, p(v2) i = 0. Therefore, ( w l , v2 ) forms a robust test for ill.

Necessity: Suppose L is nonprime in q. If ( V I , w 2 ) is a robust test for F , then for every literal 711. 4 L and m E q, qm(v2) = 1; because L is not prime in q, this implies C(w2)

= 1. For C(z12) to be 1, as q(w2) = 0, there must exist a cube p # q such that p(v2 ) = 1; this implies a constant 1 or a 0 + 1 transition at p ; in either case, the transitions propagating

0 Note that the vector pair (VI, z12) constructed in the proof is

a robust test for In. Although it targets lII, it may also detect some other faults that go through other cubes.

Theorem 4: Let C be a two-level AND-OR single-output circuit with a cover E. Let q be a cube in E and D = E - (4). A fault T7r in which 7r starts from a literal 1 E q is RV-testable iff there exists a vertex u2 that is a relatively essential vertex of q, and a vertex z11 = 212 - { I } + { t } such that

-

through q are blocked. Thus L must be prime in q .

1) C(vl) = 0, or 2) for each cube d E D that contains vl, i is prime in d.

Proof: Suficiency: If C(v1) = 0, because 212 is a relatively essential vertex of q, (211,212) is a robust test. If C(v1) = 1, then under (211 v2) , there is a rising transition at q and a falling transition at each cube d that contains VI. If 1 is prime in such a cube d, according to Theorem 3 , Ltd, i.e., the path from to the output through d, is robustly testable. If all such l t d are verified to be fault-free and the path Tlq is faulty, under (211, w~), a 1-0-1 pulse with 0 at the sampling time will occur at the output and will be detected. In this case, (VI , v2) is a VNR test for Tx.

Necessity: Suppose ( v i , w;) is an RV-test. Because for every cube p # q, p(vL) must be 0 in order to sensitize T, vh is a relative essential vertex of q. As ( v i , wL) must create a rising transition at the path input, q l ( v i ) = 1 and ql(w’,) = 0.

Suppose neither condition is satisfied, Le., there exists a cube d that contains ‘u1 = 21; - {Z} + {I} and i is not prime in d. Since w1 may be an intermediate input state between v i and v;, a falling transition may propagate via path i d during the 211

to w$ transition. As 1 is not prime in d, according to Theorem 3, l i d is not testable. Therefore, when cube q transits from 0 to 1, the value of d may be still 1, should the delay of l i d

be large enough. This implies that (vi, 21;) is not an RV-test, 0

The pair of vectors (vl, u2) derived as described in the above theorem will be a robust test if C(w1) = 0. If C ( q ) = 1, the primality of t in d will make (q, w2) a VNR test.

Theorem 3 and 4 can now be used to determine whether a two-level irredundant circuit is delay-verifiable. Lemma 3 says that every 1 + 0 primitive fault should start from a prime literal set of a cube. But as indicated in Theorem 3 , every path that starts from a prime literal set is robustly testable for a 1 -+

0 transition. Therefore, in determining the delay-verifiability of a two-level circuit, it is sufficient to consider just the 0 +

1 primitive faults. Theorem 5: An iredundant two-level AND-OR circuit is

delay-verifiable iff every 0 -+ 1 primitive fault is RV-testable. Proof: From Lemma 3 and Theorem 3 , every 1 -+ 0

primitive fault is robustly testable. Therefore, the necessary and sufficient conditions for a two-level AND-OR circuit to be delay-verifiable is that every 0 + 1 primitive fault is RV-testable. 0

Corollary I: An irredundant two-level AND-OR circuit is delay-verifiable iff for each single-path the conditions listed in Theorem 4 are satisfied.

Proof: In an irredundant two-level AND-OR circuit, all 0 -+ 1 single-path delay faults are primitive. Therefore, the circuit is delay-verifiable iff each single-path satisfies the conditions of Theorem 4. 0

Corollary 1 forms the basis for the synthesis of delay- verifiable two-level circuits. From the discussion in this section, it should be clear that the requirements for delay- verifiability are less stringent than those for RV-testability.

proving the necessity of the conditions.

VII. SYNTHESIS ALGORITHM

To obtain a delay-verifiable circuit, we adopt the following two-step procedure, which is similar to the one proposed in [ 5 ] , [7] for synthesizing RV-testable circuits.

1) Obtain a delay-verifiable two-level circuit. 2) Transform the delay-verifiable two-level circuit to a

multilevel circuit by using transformations that preserve delay-verifiability .

By targeting delay-verifiability instead of RV-testability, we have more freedom in selecting an implementation since RV- testable circuits are a subclass of delay-verifiable circuits. Therefore, we can usually find a better circuit with different criteria, e.g., area, performance and power, without sacrificing the ability to verify the timing of the circuit. In this section, we shall show an area-efficient synthesis-for-delay-verifiability algorithm that uses existing logic synthesis tools. Experimental results are presented in the next section.

There are different ways to obtain delay-verifiable two-level circuits. One approach is to impose restrictions on the way a cover is selected so that the conditions listed in Theorem 4 are satisfied. This involves modifying a logic minimization procedure such as ESPRESSO [2]. Another approach is to start from an optimized implementation, and then modify it, if necessary, to obtain delay-verifiability. We adopt the latter

KE AND MENON: SYNTHESIS OF DELAY-VERIFIABLE COMBINATIONAL CIRCUITS 219

Fig. 4. Obtaining a delay-verifiable circuit (Example 4).

approach because it is easier to implement. There are two steps in this approach.

1) Obtain a prime and irredundant (PI) two-level circuit. We only require that the subcircuit implementing each output function be irredundant but not necessarily prime.

2) Check the RV-testability for each primitive fault. Note that we only have to check the 0 + 1 primitive faults. If the circuit is not delay-verifiable, modify the circuit by cube expansion to eliminate nonprime literals until the circuit becomes delay-verifiable.

The synthesis tool ESPRESSO is used in step 1. Before we present the algorithm used in step 2, we shall demonstrate the basic ideas by a simple example.

Example 4: Consider a three-output function whose truth table is shown in Table I. If we run ESPRESSO to minimize the function without separating the outputs, we obtain g = b d + 8cd + azd + Tibc, h = acd + abc + bcd + bcd and f = bcd + acd + Tibc + bcd. This implementation is shown in

-

Fig. 4(a) and needs only six AND gates. However, this circuit is not delay-verifiable because faults on Eq2f and bqsf are not RV-testable. To eliminate the untestable primitive faults, we can either eliminate the nonprime literal b in qz or the nonprime literal b in 45 for f . Suppose we choose to expand cube q 2 , we create a new cube q7 = cd. Because cube qz is shared by output g, we cannot remove it. After adding q7, q5 becomes redundant for f , so it can be disconnected from f . The resulting delay-verifiable circuit shown in Fig. 4(b) requires seven product terms. For the sake of comparison, we minimize each output function separately and obtain g = bi?d + Zcd + acd + Tibc, h = iicd + bcd + acd + bcd and f = Tibc + ad + cd. Term Zbc is shared by f and g while a?d is shared by g and h. This implementation is RV-testable and nine product terms are needed. 0

The two cubes 42 and q5 in the above example exhibit a special property-their literal sets are the same except for one variable which appears in complementary forms. Both cubes are in the cover of f and the'faults that start from the


TABLE I TRUTH TABLE FOR A MULTIOUTPUT FUNCTION (EXAMPLE 4)

The algorithm for synthesizing delay-verifiable two-level circuits is given in the following. As we must check the RV- testabilities of primitive faults, the complexity of the algorithm is at least as high as the test pattem generation problem, whose complexity is NP-complete. However, this algorithm performed gracefully on the benchmark circuits. Algorithm 1: Synthesizing delay-veri$able two-level circuits

0 1 1 0 0 1 1 1 1 0 0 0 1 0 0 1 1 0 1 0 1 0 1 1 1 1 0 0 1 1 0 1 1 1 1 0 1 1 1 1

1 1 1 1 1 1 0 0 0 1 1 1 0 1 0 1 0 1 1 0 0 1 1 1 0 0 0 0 1 1

complementary literals are not testable. As a matter fact, the existence of such cubes will always result in untestable faults.

Definition 10: Two cubes, q1 and 92, are said to be complementary in input variable x if 42 = (41 - {x}) U {?E} or q1 = ( q 2 - {z}) U {?E}. We will call them complementary cubes

In a circuit that contains a pair of complementary cubes 41, q 2 , where q2 = q1 - {z} U {Z}, faults fzql and fTq2 are not RV-testable. This is because z is nonprime in q1 and ?E is nonprime in q2 so that the requirement listed in Theorem 4 is not satisfied. This can be fixed by combining q1 and q2 to form an expanded cube q12 = q1 - {x}.

Note that Theorem 4 implies that the untestability of a 0 +

1 fault is caused by the nonprimality of some cube; therefore, every non-RV-testable 0 + 1 primitive fault can be removed by cube expansion to eliminate nonprime literals.

The following outlines the basic ideas used to remove the untestable primitive faults. In the worst case, every cube that has a nonprime literal set is expanded and the circuit becomes prime and irredundant for each output.

1) Since the existence of complementary cubes in the subcircuit of an output results in non-RV-testable primitive faults, we shall replace each pair with the equivalent expanded cube for the output before any further processing.

2) A non-RV-testable primitive fault that goes through cube q may be fixed by expanding q to eliminate it or expanding some other cubes to make it RV-testable.

3) Several untestable primitive faults may be fixed by expanding the same cube. For each non-RV-testable primitive fault, we shall find and record all possible ways of fixing it. After checking all non-RV-testable primitive faults, we will determine a minimal set of cubes to expand.

4) During the process, some cubes may become redundant for an output and thus can be disconnected from the output. They can be removed if they are not shared by other outputs. Note that redundant cubes should be removed one at a time because after removing a redundant cube, some other redundant cubes may become irredundant.

5) Because some cubes are expanded and may cover the relatively essential vertices of other cubes, the testability of these cubes may be affected and must be reexamined.

with respect to z 0

obtain a prime and irredundant circuit; for each output function do

combine complementary cubes; while the subcircuit is not delay-verifiable do

for each non-RV-testable 0 -+ 1 primitive fault do find and record possible ways to fix the untestability ;

endfor; find and expand a minimal set of cubes; remove redundant cube one at a time;

endwhile; endfor.

To obtain better area and performance, we may want to transform the two-level circuit to a multilevel circuit. Alge- braic factorization and algebraic resubstitution without complement [3] have been shown to preserve RV-testability [5], [7]. We shall show that these transformations also preserve delay-verifiability, and use them to obtain delay-verifiable multilevel circuits.

Theorem 6: A multilevel circuit C, is delay-verifiable if it is obtained by performing algebraic factorization and resubstitution without complements on a delay-verifiable two-level circuit Ct. Furthermore, any strong delay verification test set for C, is also a strong delay verification test set for C,.

Proof: Let S be a strong delay verification test set for Ct. The structure of the equivalent normal form of C, is exactly that of Ct [5], [7]. Since every MPDF in C, will have a corresponding MPDF in Ct and every MPDF that can affect the timing of Ct will be detected by S, every MPDF that can affect the timing of C, will also be detected by S. Therefore S is a strong delay verification test set for C, and C, is delay-verifiable. 0

VIII. EXPERIMENTAL RESULTS Experimental results for examples chosen from the

MCNC91 Benchmark set [16] are presented in Table I1 and Table 111. In Table 11, columns A, B, and C show the number of primary inputs, the number of primary outputs, and the number of product terms in the original specification. We compare the number of product terms for different implementations. First, the circuits are minimized to be prime and irredundant (PI) for multiple outputs by running ESPRESSO. The number of product terms for these circuits are shown in Column D. Next, the subcircuit implementing each output is made delay- verifiable using Algorithm 1 given in Section VII. In doing so, we may create some new cubes, as the original ones may be shared by other outputs. For comparison, each output function is also optimized to be prime and irredundant and a subsequent merge step applied to share common cubes. These

221 KE AND MENON: SYNTHESIS OF DELAY-VERIFIABLE COMBINATIONAL CIRCUITS

+PO 3 8 88 10 50 35 28 45 46

109 4

14 14 15 63 5

29 3

40 10 4

65 10 28 8 9 9 3

18 7 8

AREA

XCIz Orig. #Pt 1035 1028 1227 810 280

1459 620 206

2296 654 256 305 175 158 256 167 87

141 2406

128 58 65 75 87

110 34

431 32 29 32 31

TABLE II MPARISON FOR MCNC91 BENCHMARK SET: TWO-LEVEL CIRCUlTS - - -

-

G

R

0

U

P

1

-

G

R

0

U

P

2

-

- Column

Circuit Name apex2 alu4 apex5 ex1010 apex3 seq ex4 apex1 spla CPS

misex3c table3 table5 ex5 d P dulre2 rd73

Z5xpl sa02 e64 5xpl bw vg2 inc bl2 rd53 misex2 misexl squart5

-

-

Id84

__

PdC

-

- A - -

#pi 39 14

117 10 54 41

128 45 16 24 8

14 14 17 8 9

22 7

16 7

65 7 5

2E

1:

2: I

-

io

1

r

-

- PI

1035 575

1088 286 280 336 279 206 260 165 255 197 175 158

74 119 86

127 141 76 58 65 65 22

11c 25 42 31 2E 1i 2f

#Pt

-

-

two RV

1041 623

1144 458 569

1031 279 442 368 409 283 220 339 316 174 147 123 141 113 70 73 65 70 55

110 40 48 31 29 19 29

-

- #Pt

-

-

vel DV

LO35 577

1083 296 450 568 280 384 304 255 267 200 243 197 161 122 98

127 174 72 58 65 67

* 47 110 35 41 32 29 16 26

- #Pt

-

-

- #Pt atio 0.99 0.93 0.95 0.65 0.79 0.55 1.01 0.87 0.83 0.62 0.94 0.91 0.72 0.62 0.93 0.83 0.80 0.90 1.54 1.03 0.79 1.00 0.96 0.86 l.m 0.88 0.8': 1 .o: 1.0( 0.84 0.9[

-

-

- pi: primary input; PO: primary output; pt: product term; PI: prime and irredundant; RV: robust or validatable nonrobust; DV: delay-verifiable.

circuits are RV-testable. The number of product terms for RV-testable and delay-verifiable implementations are shown in Columns E and F, respectively. Column G shows the ratio of the number of product terms in Column F to the number of product terms in Column E.

After obtaining two-level circuits, we run SIS [ 141 to obtain multilevel circuits. The input files to SIS are in blif format [14]. Two scripts are used-script.rugged and one based on scriptdgebruic without using complement-substitution. No collapse operation is performed because it may result in long cpu times for large circuits. The PI circuits are run for both scripts while the others are run only using the algebraic script. Table I11 shows the results for the multilevel circuits. The literal counts for PI implementations are shown in Columns H and I while the literal counts for RV-testable and delay- verifiable circuits are shown in Columns J and K, respectively. The ratios of the literal counts in Column K to those in Column J are shown in Column L. In Columns J and K, we also show the incurred overhead for testability as compared to the literal counts of Column H. Column M shows the ratio of the overhead incurred by delay-verifiability to the overhead incurred by RV-testability. The tables are sorted based on Column H, i.e., the literal counts in prime and irredundant multilevel circuits. The examples are divided into two groups based on the literal count shown in H. Group 1 consists of the 14 largest examples with literal counts greater than 800, and Group 2 the remaining 17 smaller examples.

TABLE III AREA COMPARISON FOR MCNC91 BENCHMARK SET: MULTILEVEL CIRCUITS - - -

-

G

R

0

U

P

1

-

G

R

0

U

P

2

- Column

Circuit Name apex2 alu4 apex5 ex1010 apex3 seq ex4 apex1 spla CPS Id84 misex3c table3 table5 ex5 clip duke2

pdc Z5xpl

- -

__

-

Id73

sa02 e64

bw

inc

5xp1

VtQ

pI0 #IC

3821 2475 2065 1687 1607 1543 1292 1218 1215 1064 1011 958 925 834 644 525 500 492 462 293 282 253 239 235 230 148 129 119 112 70 68

-

-

pI0 #IC

3884 2363 2904 1634 1633 1732 1279 1302 1209 1048 974 960 970 962 609 540 511 515 517 305 272 253 270 218 405 168 172 132 124

71 94

-

-

multi. RV

3892( 1.02) 2471(1.00) 2982(1.44)

2298(1.43) 4037(2.62) 1279(0.99) 2022(1.66) 1285(1.06) 1702(1.60) 1071(1.06) 985(1.03)

1535(1.66) 1492( 1.81) sal(0.98) 579( 1.10) 567(1.13)

430(0.93) 278(0.95) 289( 1.02) 253(1.00) 279(1.17) Zl(0.94) 405( 1.76) 162(1.09) 167( 1.29) 131(1.10) 123( 1.10) 69(0.99) 97( 1.43)

#W/W

1990(1.18)

555( 1.13)

KI LI M vel

DV

3884(1.02) 2357(0.95) 2903( 1.40) 1707( 1.01) 1866( 1.16) 2437( 1.58) 1279(0.99) 1463(1.20) 1132(0.93) 1203(1.13) 1062(1.05) 946(0.99)

1172(1.27)

#W/W

w 540(1.03) 502( 1 .OO) 517( 1.05) 813(1.76) 289(0.99) 273(0.96) 253(1.00) 272(1.14) 233(0.99) 405( 1.76) 161(1.09) 170(1.32) 133(1.12) 123( 1.10) 67(0.96) gl(1.34)

- #IC

ratio 0.99 0.95 0.97 0.86 0.81 0.60 1.00 0.72

0.71 0.99 0.96 0.76 0.72 1.02 0.93 0.89 0.93 1.89 1.04 0.94 1.00 0.97 1.05 1.00 0.99 1.02 1.01 1.00 0.97 0.94

-

0.88

-

-

,verhead ratio 0.87 NA 0.91 0.07 0.37 0.36 NA 0.30 0.00 0.22 0.85 0.00 0.40 0.36 NA 0.28 0.00 0.40 NA NA 0.00 NA 0.83 NA 1.00 0.93 1.08 1.17 1.00 NA 0.79

IC: literal count; rug.: script.rugged, alg.: algebraic script. Overhead ratio = (K-H)/(J-H); NA if J 5 H; 0.00 if K 5 H.

For most of the examples, the delay-verifiable implementation is more area-efficient. In some cases, RV-testable implementations have better results. Especially, delay-verifiable implementations save more areas for the larger examples in Group 1 than the smaller examples in Group 2. For circuits where RV-testability incurs a large area overhead, delay- verifiable circuits tend to have a greater overhead reduction. Note that if the RV-testable implementation is better than the multiple-output PI implementation, (e.g., circuit pdc), the current version of our program is unlikely to obtain a better circuit, because our delay-verifiable implementations are based on the multiple-output PI implementations. However, we can always use RV-testable implementations if they are more area- efficient.

IX. CONCLUSION

We have demonstrated the need to consider multiple-path delay faults in deriving tests for verifying the timing correctness of combinational circuits. We have defined a class of faults, called primitive faults, and shown that the delay of a circuit can be verified by testing if and only if every primitive fault is tested by a robust or validatable nonrobust test.

Based on the RV-testability of primitive faults, a synthesis procedure for delay-verifiable multilevel circuits has been developed. Experimental results indicate that delay-verifiable circuits are more area-efficient than RV-testable circuits in most cases. The need for two-level representations may pro- hibit the use of our method for some functions that cannot


be flattened to two-level forms of reasonable size. However, [I51 G. L. Smith, “Models for delay faults based on paths,” in Proc. Int. Test Conf., Nov. 1985, pp. 342-349.

version 3.” Jan. 15. 1991.

the less stringent requirements may make delay-verifiability [ 161 s, yang, “Logic synthesis and optimization benchmarks user guide

more attractive than RV-testability in other contexts and with different other optimization goals.

REFERENCES

D. B. Armstrong, “On finding a nearly minimal set of fault detection tests for combinational logic nets,” IEEE Trans. Comput., vol. C-15, pp. 6 6 7 3 , Feb. 1966. R. Brayton, R. Rudell, and A. Sangiovanni-Vincentelli, Logic Minimiza- tion Algorithms for V U 1 Synthesis. Norwood, MA: Kluwer Academic, 1984. R. Brayton, R. Rudell, A. Sangiovanni-Vincentelli, and A. Wang, “MIS: A multi-level logic optimization system,” IEEE Trans. Comput.-Aided Design, vol. CAD-6, pp. 1062-1081, Nov. 1987. K.-T. Cheng and H.-C. Chen, “Delay testing for non-robust untestable circuits,” in Proc. Int. Test Con$, Oct. 1993, pp. 954961. S. Devadas and K. Keutzer, “Synthesis of robust delay-fault-testable Design Engineer. He is

Wuudiann Ke (M’95) received the B.S. degree in control engineering from the National Chiao- Tung University, Taiwan, Republic of China, in 1984, the M.S. degree in computer science from the University of Nebraska, Lincoln, in 1988, and Ph.D. degree in electrical and computer engineering from the University of Massachusetts, Amherst, in 1994.

From September 1990 to January 1993, he worked at Design Automation Department of Amdahl Corporation, Sunnyvale, CA, as a System

currently with AT&T Bell Laboratories, Princeton, NJ. circuits: Theory,” IEEE Trans. Comput.-Aided Design, iol. 1 I , no. 1, pp. 87-101, Jan. 1992. -, “Synthesis of robust delay-fault-testable circuits: practice,” IEEE Trans. Comput-Aided Design, vol. 11, no. 3, pp. 277-300, Mar. 1992. __ , “Validatable nonrobust delay-fault testable circuits via logic synthesis,” IEEE Trans. Comput.-Aided Design, vol. 11, pp. 1559-1573,

His research interests include digital system testing, computer-aided design of integrated circuits and design verification.

Dec. 1992. N. K. Jha, I. Pomeranz, S. M. Reddy, and R. J. Miller, “Synthesis of multi-level combinational circuits for complete robust path delay fault testability,” in Proc. Int. Symp. Fault Tolerant Computing, July 1992, pp. 281-287. W. Ke and P. R. Menon, “Delay-verifiability of combinational circuits based on primitive paths,” Technical report TR-93-CSE-32, Department of ECE, University of Massachusetts, Amherst. S. Kundu, S. M. Reddy, and N. K. Jha, “Design of robustly testable combinational logic circuits,” IEEE Trans. Comput.-Aided Design, vol. 10, pp. 1036-1048, Aug. 1991. W. K. Lam, A. Saldanha, R. K. Brayton, and A. L. Sangiovanni- Vincentelli, “Delay fault coverage and performance tradeoffs,” in Proc. 30th Des. Autom. Con$, June 1993, pp. 44-52, C. J. Lin, S. M. Reddy, and S. Patil, “An automatic test pattern generator for the detection of path delay faults,” in Proc. ICCAD, Nov. 1987, pp. 284-287. C. J. Lin and S. M. Reddy, “On delay fault testing in logic circuits,” IEEE Trans. Comput.-Aided Design, vol. CAD-6, no. 5, pp. 694-703, Sept. 1987. E. M. Sentovich, K. J. Singh, C. Moon, H. Savoj, R. K. Brayton, and A. Sangiovanni-Vincentelli, “Sequential circuit design using synthesis and optimization,” in Proc. Int. Con$ Comp. Des., Oct. 1992, pp. 328-333.

Premachandran R. Menon (M’70-SM’83-F’88) received the B.Sc. degree from Banaras Hindu Uni- versity, India, and the Ph.D. degree from the Univer- sity of Washington, both in electncal engineenng.

From 1963 to 1986, he was with AT&T Bell Laboratories, where he was engaged In research in testing and simulation of digital circuits, and switching theory, and the development of test generation and simulation systems. He is currently a profes- sor In the Department of Electrical and Computer Engineenng at the University of Massachusetts,

Amherst. His current research interests include VLSI testing and testable design and logic synthesis. He is a co-author of Fault Detection in Digital Circuits (Englewood Cliff, NJ: Prentice-Hall, 1971), Theory and Design of Switching Circuits (Rockville, MD: Computer Science Press, 1976), and a chapter in Fault Tolerant Computing: Theory & Techniques (Englewood Cliff, NJ: Prentice-Hall), 1986.

Dr. Menon is a recepient of the Bell Laboratones Distinguished Technical Staff Award. He has served on the editonal boards of the IEEE TRANSACTIONS ON COMPUTERS and the Joumal of Design Automation and Fault Tolerant Computing and on the program comrmttees of the Fault Tolerant Computing Symposium, the International Test Conference and the VSLI Test Symposium.

Synthesis of Delay-Verifiable Combinational Circuits

Documents

Transcript of Synthesis of Delay-Verifiable Combinational Circuits