1. No category

Design of a Self-Checking Microprogram Control

IEEE TRANSACTIONS ON COMPUTERS, VOL. C-22, NO. 3, MARCH 1973
Design
of
255
a Self-Checking Microprogram
Control
ROBERT W. COOK, WILLIAM H. SISSON, THOMAS F. STOREY,
Abstract-In designing a self-checking processor, it is essential to
recognize the types of failures that are most probable. Matching the
checking techniques with the type of faults that are expected to occur
should yield the best result with the least amount of hardware. The
microprogram control will consist of integrated circuits: large-scale
integration (LSI) for the memory and small-scale integration (SSI) for
the associated control logic. Because of the density of chips on a plug-in
package and the physical proximity of the devices on an integrated
circuit, multiple faults within a single circuit are highly probable. The
types of faults within a circuit have been analyzed and found to be of
the type which would tend to affect the bits in a unidirectional manner.
Also the failed bits would probably be adjacent rather than randomly
dispersed throughout-the microprogram store word.
The checking technique implemented takes advantage of the error
characteristics mentioned above. This led to the choice of using
m-out-of-n codes for the control fields of the microprogram instruction
words. This code permits the detection of all multiple unidirectional
errors. However, for the address field, it is desirable to maintain the
data in binary form. Consequently, a check code which is systematic
is essential to give this flexibility. By recognizing that the multiple bit
faults tend to affect adjacent bits, we can take advantage of this fact by
interleaving the binary address field with the m-out-of-n codes in the
microprogram store. Any multiple adjacent bit faults would then
affect both the binary address field and the m-out-of-n code. Therefore, a single parity check bit is adequate to detect single bit faults in
the binary field with multiple adjacent bit fault detected by the
m-out-of-n check.
Index Terms-Coding, control logic, fault detection, logic design,
microprogram control.
I. INTRODUCTION
ANEW STORED program-control processor is being developed for telephone central offices. In the older
electromechanical offices, the control of the office was distributed in such a way that the failure of any single control
unit resulted in degradation of service rather than complete
failure. The advent of the electronic switching systems (ESS)
[1] -[31 with a centralized control has required a high degree
of attention to insuring the reliability of the control unit [4] .
In order to meet the availability requirements of a telephone
central office, a two-control unit standby redundant system
has been used in all ESS systems. A system block diagram of
an ESS system is shown in Fig. 1. The standby is used to continue service while a central control is being repaired. A
single control unit would be unacceptable, even if it were
self-correcting, since it would have to be periodically removed
from service while it was being repaired. With two control
units, there is no need to incorporate any self-correction
Manuscript received June 9, 1972; revised October 2, 1972.
The authors are with Bell Telephone Laboratories, Inc., Naperville,
Ill. 60540.
AND
TELEPHONE
LINES
WING N. TOY
TRUNKS TO OTHER
TELEPHONE OFFICES
PER IPH ERAL SYSTEM
SYSTEMI
& ~~STATUSll
|
/0
TAPE
CHANNELS
TAPE
I/O
l
I
PROCESSOR
Bu
_
CHANNELS
TUNIT
_________
STORUNITE
lPROCESSOR
| STC
STORE@
l
! Cm I IlICmI
I_..
,
_I
I
l
iTC g ~~STORE
BUS
CONTROL UNIT
j
_,I
l
I
I
Fig. 1. System block diagram.
techniques within a processor, since it would add to the complexity of the system without providing any appreciable increase in reliability. The No. 1 ESS [1] used a Hamming code
in memQry to correct errors and the No. 101 ESS system [3]
used a retry on memory operation, but both of these
techniques were dropped on subsequent systems.
Once an error is detected in the on-line central control, the
standby is switched on-line. When the new on-line has spare
time, it attempts to diagnose the fault in order to assist the
maintenance personnel in repairing the defective central
control.
Errors must be detected as soon as possible in order to prevent any erroneous changes in the state of the central office.
It is essential, therefore, that error detection be done continously. This function is much better suited to circuits
than to programs since no real time is expended if it is performed by hardware concurrently with normal system operation. Also with integrated circuits, the cost of logic circuitry
has been reduced drastically, making the hardware method of
fault detection more attractive.
The ability to apply efficient self-checking or self-detecting
schemes seems to be a function of the regularity of the circuitry involved. The most irregular and hence the most
difficult area of the processor to make self-checking is the
control logic. This circuitry decodes the machine instruc-
256
IEEE TRANSACTIONS ON COMPUTERS, MARCH 1973
microprogram structure. Next, the assumptions that have
been made about the type of faults that are most probable
will be discussed. Finally, several of the fault-detection
techniques used to achieve self-checking in the control portion of the processor will be discussed.
Fig. 2. Processor block diagram.
tions and provides the sequence of control signals to the data
logic which is necessary to execute the instructions. This
paper describes the techniques used to achieve a high degree
of self-checking in the control logic of a new processor for
telephone switching systems.
The new processor, as shown in Fig. 2, may be divided into
four major sections for the purpose of this paper, since different techniques for self-checking are used in each section.
The major sections are the following.
1) Microprogram store and associated registers.
2) TO and FROM decoders, which are used to gate data to
and from the single data bus and to drive the FUNCTION
decoder.
3) Data manipulation logic that is duplicated and matched
since Boolean functions which are not amenable to other
checking schemes are included.
4) Register stack that contains the programmer accessible
processor registers. These registers are bit sliced to prevent
multiple bit faults and checked with parity bits.
Only the first two sections are described in more detail,
since the last two are not involved in the control portion of
the processor.
SELF-CHECKING DESIGN PHILOSOPHY
The basic objective in designing self-checking circuits for a
processor is to match the checking techniques with the type
of faults that are expected to occur in the most efficient
manner. If the classes of failures that are most likely to occur
can be characterized in some way, then fault detection
methods can be designed that will efficiently detect those
classes of failures.
The following section will discuss the major architectural
features of the control logic of the new processor, i.e., its
II.
A. Microprogram Control
The major feature of the processor control logic is that it is
microprogrammed. Microprogramming permits a more regular
approach to the design of control logic and, therefore, selfchecking techniques can be more readily applied [5] -[7].
The conventional control logic for a processor is illustrated
in Fig. 3. Other than the OPCODE register and COUNTER,
there is very little regularity. Each operation code or instruction requires a series of gates that decodes the contents
of the OPCODE register, COUNTER, and STATUS INDICATORS
and provides, as a result, control signals to perform data
manipulation, as well as updating the COUNTER and OPCODE
register as necessary. The control circuitry shown in Fig. 3
is essentially a small wired logic computer capable of performing a fixed number of operations, one of which corresponds to each possible machine instruction which can be
presented to it from the program store.
A simple microprogrammed control is shown in Fig. 4. The
wired logic of a conventional control section has been replaced by a small processor, appropriately called a microprocessor. The characteristics of the microprocessor that make
it different from a main processor are the elementary nature
of its operations and the speed of its memory and basic cycle
time. There are many possible variations of microprocessor
design, one of which is shown in Fig. 4. Each microprogram
store word contains the address of the next instruction and a
TO and FROM gating field which specifies the source and
destination for a gating operation, or may specify some other
type of operation. The microprogram store is addressed by
the microprogram address register (MAR) which receives its
contents either from the OPCODE of the main machine instruction to be executed (this forms the initial address of the
microprogram sequence which performs the instruction) or
from the last executed microprogram word.
It should be noted that the microprocessor has very little
irregular circuitry; most of the complicated logic is stored as
microinstructions (a form of software called firmware) rather
than individual gates. In other areas of the processor, special
purpose hardware can also be reduced by performing its functions with a microprogram sequence, e.g., the interrupt
control and initialization.
The primary reliability feature of the microprogrammed
structure is that it is regular and allows the use of self-checking
coding techniques in the memory and registers. The TO and
FROM field decoders are also checked by a coding technique
as will be described later. In order to enhance the basic processor speed and flexibility, several features have been added
to the basic microprocessor and these features are checked by
a variety of techniques, ranging from coding to duplication.
Some other reliability features of a microprogrammed structure include the minimization of clock signal distribution.
Clock signal failures can be very difficult to diagnose because
of the marginal conditions which result. In this micropro-
COOK et al.: SELF-CHECKING MICROPROGRAM CONTROL
STATUS INDICATORS
257
*
-
32 BITS
-
o
I
32 BITS
OUTPUTS
Fig. 5. 1024-bit emitter follower array masked encoded 512 words X
2 bits.
DECODED CONTROL LEADS
TO EXECUTION LOIC
Fig. 3. Conventional control logic.
STATUS
IDMATOtS
DECODED CONTROL LEADS
TO EXECUTION LOGIC
Fig. 4. Microprogrammed control
cessor, the gating control signals perforn the timing and it is
not necessary to distribute the clock extensively throughout
the processor. In general, the clock distribution is limited to
the microprocessor itself where it can be easily checked.
Another reliability feature of a microprocessor is the improved access to processor hardware for fault detection programs. The microprocessor has other advantages for system
architecture, such as flexibility of the order structure and
simplification of the logic involved that are beyond the scope
of this paper.'
Fault Assumptions
The new processor is being constructed out of integrated
circuits with each chip containing from four to eight logic
gates. Because of the physical proximity of the various
B.
'IEEE Trans. Comput. (Special Issue
C-20, pp. 727-830, July 1971.
on
Microprogramming), vol.
circuits on an integrated circuit chip, multiple gate faults
within a single chip are highly probable.
As an example of the type of failures that can be expected
in the microprocessor, let us consider a chip or integrated
circuit from the microprogram memory as shown in Fig. 5.
Each chip contains two bits of 512 words in an emitter
follower array. Nine bits of address are supplied; five bits
being decoded to;select I-out-of-32 word lines, and the other
four bits being decoded to select the appropriate two bits out
of the 32 bits previously selected. Now let us consider the
most likely failures of such a chip.
Since the decoding is from binary to l-active-out-of-32 possible outputs, we must only consider any output stuck-at-I or
O or any input open on the decoding gates. Any of these
failures, single or multiple, result in two basic types of failures,
i.e., no access or multiple access of the memory words with
the content of the accessed words oRed together. Similarly,
the output decoding is binary to l-active-out-of-16 outputs,
and the possible failures result in no access, multiple access,
or single bit failures stuck-at-I or 0. Some typical data cell
failures would be an open base which would cause all bits
beyond the failure to be stuck-at-O, or two bases shorted
together which would result in multiple access.
An analysis of failures such as these results in two assumptions about fault classes. First, it is assumed that all errors in
parallel bits are unidirectional, i.e., any number of bits may
fail but they all fail in the same direction, either stuck-at-I or
stuck-at-0. Both no access and multiple access of words from
a memory cause unidirectional errors. Also, most failures on
a chip that affect multiple bits on that chip, e.g., power
failures, tend to affect all parallel bits in the same direction.
The principal codes which have been used to detect multiple
unidirectional errors are the m-out-of-n codes [8], [9]. An
m-out-of-n code is one in which all valid code words have
exactly m bits equal to 1 out of the total of n bits. In some
cases, it has not been desirable to use m-out-of-n codes because
the valid code combinations are rather restrictive, e.g., an
m-out-of-n coded field could not be used to hold an arbitrary
binary constant for use in another mode of operation. However, they have been used extensively throughout the processor for data which is to be decoded and then used as
control information.
IEEE TRANSACTIONS ON COMPUTERS, MARCH 1973
258
The second class of errors that has been identified is the
adjacent errors. This assumption applies to circuits such as
the microprogram store where bits in a word are physically
adjacent. The assumption is that the bits which fail will be
adjacent rather than randomly dispersed throughout the word.
This assumption has allowed the use of a less powerful code
by simply interleaving the various fields of a microprogram
as will be described later.
The errors discussed thus far have been assumed to be solid
logical errors. The consideration of intermittent or nonlogical
errors is difficult because of a lack of appropriate tools or any
unifying characteristics. In the past, the assumption has been,
and continues to be for this project, that they will be detected
as soon as they cause a logical failure.
III. DETECTION TECHNIQUES
The microprogram store contains basically two types of
data: control and address information. The control fields are
immediately decoded and checked to provide control signals,
hence, a more efficient nonsystematic code, such as the
m-out-of-n code, would give the maxum detectability at
the least possible cost in hardware. However, for the address
field, it is desirable to maintain the data in binary form not
only for addressing, but also to provi4e binary data to several
sources. Consequently, the choice of a systematic code for
the address field is essential to give this flexibility. By recognizing that multiple bit faults would tend to affect adjacent
bits rather than be randomly dispersed throughout the word,
we can take advantage of this fact by interleaving the binary
field with the m-out-of-n code as shown in Fig. 6. Any
multiple adjacent bit fault would then affect both the binary
field and the m-out-of-n code. Consequently, a single parity
check bit is adequate to detect single bit faults in the binary
field [10], [111 and multiple adjacent bit faults would be
detected by the m-out-of-n check.
Fig. 6. Microprogram store coding techniques.
A
R
MICROPROGRAM STORE
E
P
N
T
N
-
IPI_
NA
_|
4/8
TO
1/70 DECODER
CHECKER
ERROR
I'
FROM
TO
TPI MIR
TO
1/70 DECODER
TI 1 I T
ti
4
8
CHECKE
ENCODER
ENCODER
ERROR
CONTROL
CONTROL
A. Control Field Checks
The TO and FROM control fields are each eight bits wide
FUNlCTION
and are encoded as a 4-out-of-8 code. Fig. 7 shows the funcDECODER
tional diagram of the control field decoding and check circuitry. There are 70 valid combinations in an 8-bit field which
have four l's and four O's. The control fields must be decoded
CONTROL
to l-out-of-70 in order to drive the control points of the
Fig. 7. Control field decoding and check circuitry.
machine.
The decoded leads are reencoded to the bit-by-bit complement of the original 4-out-of-8 field, and then checked by a form a FUNCTION decoder whose inputs require the simulselt-checking 4-out-of-8 checker designed by Anderson and taneous operation of a TO and a FROM field crosspoint. In
Metze [161. This check will detect any multiple unidirectional this way, a 10 X 10 matrix or 100 crosspoints can be genererrors which occur anywhere from the Aicroprogram address ated by assigning only 10 crosspoints from each of the TO and
register (MAR) to the decoded control leads. This is a very FROM fields. These control signals are checked in several
powerful check since it checks many parts of the micropro- ways. Some are checked functionally during the execution of
cessor, including microprogram store address decoding, micro- instructions. Some feed duplicated circuitry, e.g., the data
program store, its output circuitry, microinstruction register manipulation logic; consequently, the decoder gates are also
duplicated so that any fault will be caught by a mismatch in
(MIR), and 4-out-of-8 control decoders.
A number of microoperations consists of setting or clearing the duplicated circuits. Finally, some miscellaneous control
individual flip-flops or enabling dedicated paths in which the signals are only used for maintenance-type functions and,
Use of a single TO or FROM field crosspoint would be in- therefore, do not need to be immediately checked by hard-effuient. Thus, a combination of these two fields is used to ware but can be periodically checked by software.
11
COOK et al.: SELF-CHECKING MICROPROGRAM CONTROL
In the design of normal binary decoders, it is necessary to
clock or strobe the decoder outputs to eliminate spurious
noise spikes during the changing of the information at the
input to the decoders. Because of the nature of the m-out-of-n
code, it is necessary to first clear the buffer register (MIR)
which serves as an input to the decoders before gating in a
new m-out-of-n code. In this way, one can guarantee that no
noise spikes occur on the output of the decoders. If one has
to strobe the decoders themselves and the strobe signal fails,
a marginal type of failure occurs which is extremely hard to
diagnose. By removing the strobe at the decoder and clearing
first and then gating into the MIR the problem is eliminated.
That is, if the clear signal fails, a new m-out-of-n code is gated
in on top of the last one or, if the gating signal fails, all zeros
result. Both of these faults result in immediate m-out-of-n
decoder errors which are caught. The use of microprogram
control in conjunction with the m-out-of-n control fields significantly reduces the complexity and use of a clock or timing
source which is needed in a conventional machine to eliminate
race condition.
B. Microinstruction Sequencing Checks
The basic check on microinstruction sequencing is single-bit
parity that is carried on all microprogram store addresses.
Because this may be insufficient to detect all multiple errors,
additional checks are added to augment the single-bit parity
technique.
Normally, a parity generation circuit or parity tree is required to check parity; however, in this case a bit in each
microprogram memory word has been used to replace it. As
shown in Fig. 8, two parity bits are stored in every microprogram memory word PF which is the parity of the address
stored in the word and is gated to the MAR with it, and PN
which is the parity of the address of the microprogram
memory word itself. The MAR parity is simply matched
with PN of the word accessed from microprogram memory
to check parity.
Although the address bits are shown contiguous in the MIR
in Fig. 8, they are interleaved with the other bits in microprogram store as shown in Fig. 6 in order to enhance the
the fault detection probability. In general, the many sources
which feed the MAR also contain parity which is gated to
the MAR and then checked.
The branch logic, which consists of five status bits and the
logic necessary to select one and gate it to bit 0 of the MAR,
is duplicated in order to detect faults. A branch occurs when
bit 0 of the MAR is set to 1 (by convention, bit 0 of the next
address on a conditional branch is always initially 0) and, in
this case, the parity bit in the MAR must also be complemented. In order to save a match circuit, one output from the
duplicated branch logic feeds bit 0 of the MAR while the
other feeds the parity bit. In this way, any fault in the branch
logic is detected by the parity check circuit.
In order to provide a more complete check of the sequencing
from one microinstruction to the next, the return address
register (RAR) is used as a duplicate MAR whenever it is not
busy holding a return address for microsubroutines. The RAR
receives its input directly from the microprogram store output,
259
OTHER
SOURCES
MI
A
R
--4
DE
DC
MICROPROGRAM STORE
i
IA
BRANCH
ILOGIC
.
BITS
_
12
TPF TO
I I 8
I
FROM IP MIR
8
z MATCH I
ERROR
ERROR
Fig. 8. Sequencing checks.
and so it can be used to check for faults in the MIR address
portion, the gating path from the MIR to the MAR, and the
MAR itself. Any multiple errors in either the RAR or the
MIR/MAR circuitry will be detected by this scheme when it
is active. When this check is not active, the parity check will
detect the majority of failures.
IV. DESIGN OF m-OUT-OF-n DECODING
AND CHECK CIRCUITRY
In any binary to 1-out-of-n decoding, one and only one
output will be active for a given binary code. There are
various arrangements in designing decoders. One typical configuration is to fully decode n binary combinations with n
gates. Altematively, the decoding may be divided into two or
more groups with each combination represented by two or
more outputs, one from each group [12]. The choice of
design depends on many factors, e.g., fan-out, speed, packaging, and maintenance considerations. Similarly, the basic
scheme of checking the decoding circuitry is to encode the
outputs into a two or more bit binary number [13] -[15].
Similar choices exist for the design of m-out-of-n decoders.
In fact these decoders are somewhat simpler since spurious
outputs do not occur if the inputs are first cleared. A partially decoded scheme of m-out-of-n decoding was selected
for the same reason that partially decoded binary decoders
are often built, that is to minimize the number of signal leads
in the decoder circuits. In checking the m-out-of-n decoding
circuitry, the Anderson and Metze scheme of totally selfchecking k-out-of-2k checkers were used in the implementation [16]. However, much work had been done earlier by
Carter and associates on checking of m-out-of-n codes [17]-
[19].
Fig. 9 shows the general block diagram of the 4-out-of-8
decoder and check circuitry. The two 4-bit groups are individually decoded into 16 outputs. Two methods of decoding are
presented in Fig. 10. The first. one is the normal 4-bit binary
to l-out-of-16 decoding. This method requires both uncomplemented and complemented inputs, with the second derived
by means of inverters. The outputs are sorted into five subgroups with the binary inputs having four l's, three l's,
two 1's, one 1 and no 1's. The number of gates belonging to
IEEE TRANSACTIONS ON COMPUTERS, MARCH 1973
260
4
i4(I
3(I) 2(I)
1(1)
I0()
I0 (1)I
|4-OUT-OF-8 CODE
2() 3() 4() DECODER
I
Ixl 4x4 6x6 4x4 Ixi
I + 16+ 36+ 16+ 1 .70
GROUPING
Fig. 11. Decoder output grouping.
ERROR
Fig. 9. General block diagram of partially decoded 4-out-of-8 decoder
and check circuitry.
4 BIT
3(0)
40)
2(I)
1(I)
O(I)
(a)
4
SIT
I
T
_
i
-T
REDUNDANT
(NOT NEEDED)
-le.,
,
I
AI
4tl)
3(1)
2(1)
1(1)
OMl
16 LEADS
(b)
Fig. 10. A 4-bit decoding logic.
the respective subgroups are 1, 4, 6, 4, and 1 as shown in
Fig. 10. Similarly, the second four bits in the 4-out-of-8 code
are decoded and divided into the same subgrouping. Now the
subgroups are paired to obtain the 70 possible 4-out-of-8 code
combinations. The 4(1) group pairs with 0(1) group to give
one combination; the 3(1) with 1(1) to give 16 combinations,
and so on as shown in Fig. 11. A control function is then
represented by two outputs, one from each group.
An alternative decoding arrangement is shown in Fig. 10(b)
whereby only the uncomplemented inputs are used for decoding. The fan-in decreases with the number of 1's in the subgroup resulting in a less complicated wiring pattern. More
important, the additional stage of logic in generating the
complemented inputs is eliminated, and this, of course, has
direct influence- on establishing the microcycle interval. Consequently, the second arrangement is chosen over the first
because of its simplicity and speed. However, with the exception of the 0(1) group, more than one output will be
active from the decoder gates. For example, the 1111 input
code would cause all gates to be active. This is entirely
satisfactory since only the gate in the corresponding subgroup of the second decoder (in this case, the 0(1) subgroup)
would be active with none in the other subgroups. Hence,
one and only one pair of decoder outputs is in the active
state. This uniquely defines one out of the possible 70 in the
4-out-of-8 codes.
As indicated in Fig. 9, the 32-decoder outputs are used as
control signals. They are paired according to the arrangement
shown in Fig. 11 to give 70 combinations at the control points.
The reduction of decoder leads allows a greater packing density of integrated circuits, not only in the decoder boards, but
also in other circuit boards. For example, in the bit-slice
circuit board where one bit from each of the 16 general
registers is partitioned onto one circuit board, the control of
data transfer via the common data bus requires a total of
32 controls. As shown in Fig. 11, the 32 controls can be
realized by taking 3(1) - 1(1) and 1(1) - 3(1) pairs to give
two 4-by4 or 16 controls. A 2-to-I saving in terminals is
achieved with this arrangement. Similarly, the number of
replicated gates required for additional fan-out capability is
also reduced.
The decoder outputs are reencoded into their code complements and are then checked with a totally self-checking
4-out-of-8 checker. Before reencoding, certain decoder outputs must be inhibited or masked in order to obtain the
correct code complement. The scheme for enabling or transmitting the exact two outputs corresponding to the 4-out-of-8
code is shown in Fig. 12. A 1111 decoder output is used to
enable the transmission of the 0000 output. Similarly, a 0000
output performs the same function for the 1111 output. Since
COOK et al.: SELF-CHECKING MICROPROGRAM CONTROL
DECODER OUTPUTS
TO CODER
Fig. 12. Group pair select.
both the 1111 and the 0000 outputs are active, they are
passed through to the coder circuit. This is represented by
the enable lead connected between the 4(1) and the 0(1)
subgroups as shown in Fig. 12. Although every decoder output on the left is active, only the 111 1 output is transmitted
through by the enable signal from the 0000 decoder output.
This output enabling is done on all group pairs. The net
result is that the ambiguity of multiple decoder outputs within one decoder is removed and only one output from each
decoder is passed through to the coder identifying uniquely
the 4-bit binary input. This simplifies the coder by reducing
the fan-in from 36 to 8.
V. SUMMARY AND CONCLUSIONS
Microprogramming permits the normally complex and irregular structure of the control section of a conventional machine
to be designed in an organized and simplified manner. As a
result, it is possible to identify and enumerate clearly the
possible failure modes of the microprogram control logic.
Having defmed the various possible failures, one can design
the circuitry required to detect them.
In order for the microprogram control to function properly,
it is necessary that: 1) the microprogram word read out from
the microprogram store or READ-ONLY memory contains no
errors; 2) the microinstruction is decoded properly; and 3) the
next microprogram store word is accessed correctly so that a
string of microinstructions is executed in the proper order.
Any malfunctions of the store access circuitry, the store
data, the gating paths, the buffers, or the microinstruction
decoder will cause improper operation of the controls in the
system. The use of m-out-of-n codes and the associated check
261
logic fulfill the requirement of a complete check of the microprogram store readout and the decoding of the control fields
to generate the control signals.
The decoder outputs fan out to various functional units for
controlling logical operations or data transfers within the
processor. Those that go to the data transfer logic control
the gating of information from one register to another via
the data bus. The circuitry of the data transfer logic is
partitioned on a bit slice with all the logic gates associated
with one bit contained on a single circuit board. Since the
decoder outputs fan out to each bit, any malfunctions of the
transfer logic within a circuit board would affect only one bit
of data. When the word is used at a later time, the error will
be detected by the parity check on the data bus. Consequently, it is sufficient to check the control signals prior to
entering the data transfer block. This is also true for the data
manipulation block because the circuitry is duplicated.
The sequencing of the microinstruction is checked to determine that each microinstruction is accessed properly. The
basic check is provided by two parity check bits; one directly
associated with the binary address, and the second with the
word addressed in memory. As shown in Fig. 8, they are
compared to determine whether the right memory word has
been accessed. In addition, the address bits of the NA field
are interleaved with the m-out-of-n TO and FROM control
bits to enhance fault detection capability. If any multiple
adjacent errors do occur in a microprogram memory word
which are not detected by parity checks, they will be caught
by the m-out-of-n decoder check logic. The sequencing from
one microinstruction to the next is further checked by using
the RAR as a duplicate of MAR whenever it is not busy
holding a return address. The contents of RAR are compared
with the contents of MAR to provide detection of multiple
errors in addressing the microprogram store.
The number of gates required in the microprogram control
exclusive of the store resulted in 62 percent used for actual
processing operations and 38 percent for maintenance. Of the
32 bits in each word of microprogram store, 6 or 19 percent
were used for detection. The maintenance hardware is made
up of at least two classes, that necessary for access to the
system for fault diagnosis and that required to make the
processor self-checking.
In conclusion, checking techniques, such as m-out-of-n
codes, interleaved parity and, in some cases, duplicating and
matching, are used to detect the possible failures that may
occur in the microprogram control. These checks are required
to permit detection of multiple unidirectional types of faults
possible with integrated circuit technology. A microprogram
control lends itself to analysis of these multiple bit errors,
hence, the ability to detect them.
REFERENCES
[1] J. A. Harr, F. F. Taylor, and W. Ulrich, "Organization of the
No. 1 ESS central processor," Bell Syst. Tech. J., Sept. 1964.
[21 T. E. Browne, T. M. Quinn, W. N. Toy, and J. E. Yates, "No. 2
ESS control unit system," Bell Syst. Tech. J., Oct. 1969.
[3] E. L. Seley and F. S. Vigliante, 'Common control for electronic private branch exchange," IEEE Trans. Commun. Electron., vol. 83, pp. 321-329, July 1964.
IEEE TRANSACTIONS ON COMPUTERS, MARCH 1973
262
[4] R. W. Downing, J. S. Nowak, and L. S. Tuomenoksa, "No. 1
ESS maintenance plan," Bell Syst. Tech. J., Sept. 1964.
[5] M. V. Wilkes and J. B. Stringer, "Microprogramming and the
[6]
[71
[81
[9]
[101
[11]
[121
[13]
[14]
[15]
[16]
[17]
[18]
[19]
design of the control circuits in an electronic digital computer,"
in Proc. Cambridge Philosophical Soc., Apr. 1953.
S. S. Husson,MicroprogrammingPrinciples and Practices. Englewood Cliffs, N.J.: Prentice-Hall.
M. J. Flynn and R. F. Rosin, "Microprogramming: An introduction and a viewpoint," IEEE Trans. Comput., vol. C-20,
pp. 727-731, July 1971.
H. J. Beuscher, W. H. Sisson, and W. N. Toy, "A self-checking
microprogram control," in 3rd Annu. Workshop on Microprogramming, Preprints, Oct. 1970.
D. A. Anderson, "Design of self-checking digital networks using
coding techniques." Ph.D. dissertation, Univ. Illinois, Urbana,
CSL Rep. R527, Oct. 1971.
H. L. Garner, "Generalized parity checking," IRE Trans. Electron. Comput., vol. EC-7, pp. 207-213, Sept. 1958.
R. W. Hamming, "Error detecting and error correcting codes,"
Bell. Syst. Tech. J., Apr. 1950.
H. J. Beuscher and W. N. Toy, "Check schemes for integrated
microprogrammed control and data transfer circuitry," IEEE
Trans. Comput.,vol. C-19, pp. 1153-1159, Dec. 1970.
W. N. Toy, "Error detection circuits," U. S. Patent 3 428 945,
Feb. 1969.
F. F. Sellers, M. Y. Hsiao, and L. W. Bearnson, Error Detecting
Logic for Digital Computers. New York: McGraw-Hill, 1968.
W. C. Carter, K. A. Duke, and D. C. Jessep, "A simple self-testing
decoder checking circuits," IEEE Trans. Comput. (Corresp.),
vol. C-20, pp. 1413-1414, Nov. 1971.
D. A. Anderson and G. Metze, "Design of totally self-checking
check circuits for m-out-of-n codes," IEEE Trans. Comput., this
issue, pp. 263-269.
W. G. Bouricius, W. C. Carter, K. A. Duke, J. P. Roth, and
P. R. Schneider, "Interactive design of self-testing circuitry,"
in Proc. Purdue Centennial Year Symp. Inform. Processing,
Apr. 1969.
W. C. Carter and P. R. Schneider, "Design of dynamically
checked computers," in Proc. 1968 IFIP Conf., vol. 2, Aug. 1968.
W. C. Carter, K. A. Duke, and P. R. Schneider, "Self-checking
error checker for k-out-of-n coded data," U. S. Patent 3 559
168, Jan. 1971.
Robert W. Cook (S'67-M'70) was born in Proon December 1, 1943. He received the B.E.E. degree from Rensselaer Polytechnic Institute, Troy, N.Y., in 1966, and the
M.S. and Ph.D degrees from Northwestern
University, Evanston, Ill., in 1968 and 1970,
vidence, R.I.,
respectively.
Since 1966 he has been a member of the
technical staff of Bell Telephone Laboratories,
Inc., Naperville, Ill., where he has worked in
both the Service Program Group and the Control Complex Group of the Suburban Switching Systems Laboratory.
He has recently been engaged in the design and verification of a
self-checking processor.
Dr. Cook is a member of Eta Kappa Nu, Tau Beta Pi, and the
Association for Computing Machinery.
William H. Sisson (S'61-M'66) was born in Lebanon, Oreg., on September 21, 1942. He received the B.S. degree from Oregon State University, Corvallis, in 1965 and the M.S. degree
from the University of Michigan, Ann Arbor, in
1966.
Since 1965 he has worked for Bell Telephone
Laboratories, Inc., Naperville, lll., where he was
in a memory design group. He is now working
in a processor design group.
Mr. Sisson is a member of Tau Beta Pi, Eta
Kappa Nu, and Phi Kappa Phi.
A
Storey (M'71) was born in Halifax,
on March 1, 1942. He received
the Engineering Certificate from Mount Allison
University, Sackville, N.B., in 1964, the B.S.
degree in electrical engineering from Nova
X Thomas F.
IfhNova Scotia,
Scotia Technical College, Halifax, in 1966, and
the M.S. degree in electrical engineering from
the University of Hawaii, Honolulu, in 1967.
While at the University of Hawaii he had a
teaching assistantship in the Control Theory
Group.
For the past five years he has been with Bell Telephone Laboratories,
Inc., Naperville, Ill. He has worked on a number of electronic switching
systems and is presently active in the design and development of a
small self-checking processor.
Wing N. Toy (A'52-M'57)
was born in China
on February 3, 1926. He received the B.S.E.E.
and M.S.E.E. degrees from the University of
Illinois, Urbana, in 1950 and 1952, respectively,
and the Ph.D. degree in electrical engineering
from the University of Pennsylvania, Philadelpha,i 169.
He joined the Bell Telephone Laboratories,
Inc., Naperville, Ill., in 1952. His earlier work
was concerned with carrier terminals and feedback amplifier design, and he later worked on a
secure voice communications system for the military. He was next
involved with the design of the first terminal for high-speed data
transmission over telephone circuits. In 1956 and the following years,
his effort was directed in the exploratory work of a time-division
electronic switching system which led to the development of the No.
101 ESS, an electronic private branch exchange. In this project, he
worked on many assignments, including circuit, store, and logic design
of the central processor. Since 1962 he has been involved with the
development of the No. 2 ESS, a medium-size electronic switching
system. It included the control unit design and the responsibility of
planning and writing test programs for factory checkout of the system.
Recently, he has been engaged in logic partitioning, fault detection,
and LSI design of central processors. At present, he is the Supervisor
of the Control Complex Group and has the responsibility of designing
a self-checking processor for telephone switching applications. He has
received 16 U.S. patents from his technical work.
'a,

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz