Abstract - Circuits which are designed to be dependable are evaluated after gate-level design. To demonstrate the influence of implementation technology on dependability parameters, we developed a simple method which transforms the evaluation problem into conceptual hardware and then into SAT instances. The method can accommodate any combinational fault model. The evaluation performed demonstrated that the dependability parameters of the implementations correlate to a significant degree.
I. INTRODUCTION
The principal way to improve the dependability of a circuit is to introduce redundancy. One possible strategy is to detect errors in the output signals and take appropriate measures during circuit operation. This technique is called Concurrent Error Detection (CED) [1].
Redundancy must be introduced with care, as redundant blocks are also prone to faults, and the point of diminishing returns can be reached easily. Numerous schemes have been devised to balance redundancy and dependability. To evaluate variant designs, we need to know how much dependability we get for a given investment in redundant circuits. Initially, dependability meant roughly what is today called robustness. In this paper, we adhere to the original meaning from [2], where dependability parameters were introduced to quantify dependability.
The standard design flow is to design the circuit first, to construct its redundancy afterwards, and then to evaluate its dependability parameters. The underlying assumption is that the actual design, the technology used and its resulting fault models influence the dependability parameters to a large degree. In many studies, the ubiquitous stuck-at (S@) models were used.
Recent Automatic Test Pattern Generation (ATPG) programs [3] and procedures based on solving the Satisfiability Problem (SAT) [4] permit analysis with a variety of fault models suitable for a particular circuit implementation technology. This in turn enables us to see the influence of technology on dependability. In other words, we ask whether there are circuits hard to make dependable or technologies hard to make dependable.
To study this question, we needed a simple framework. Currently, two approaches to robustness analysis and to other tasks dealing with faults exist. The first one, represented by [5] and [6], transforms the task instance into an ATPG task instance. The ATPG program then may or may not convert it internally to one or more SAT instances [7], [9]. The other approach, most notably represented by [4] and [10], converts an instance of the task into conceptual hardware (hardware which is not intended for synthesis) and then constructs SAT instances from that hardware.
Both approaches can be seen as special cases of a more general method, which can be summarized as follows. Firstly, transform the task instance into a piece of conceptual hardware together with assertions about the hardware. Secondly, use formal verification methods to prove or disprove the assertions (e.g. [3], [11]). If required, transform the assertions into conceptual hardware as well [8]. Thirdly, transform the answers back into answers to the original task instance. This is a powerful framework, which can even produce answers about sequential behavior in the presence of multiple faults. For our study, combinational circuits (or full-scan circuits) were sufficient. Furthermore, only fault classification was required, without the need to analyze the impact of multiple faults.
Therefore, we present a simple framework for this limited situation, which constructs the conceptual hardware representing the circuit and the assertions directly. We borrowed the term miter from ATPG [7], although monitor from [8] and other sources has a similar meaning.
We present a method to determine the value of an arbitrary Boolean formula over input vectors, error-free output vectors, and error-stricken output vectors of a combinational circuit. The formula can be quantified over all input vectors or their subset.
Although we cannot overcome the exponential worst-case complexity of the SAT problem, practical solvers for the Boolean Satisfiability Problem exist which handle both satisfiable and unsatisfiable instances effectively. The method also benefits from the fact that the SAT instances encountered during ATPG and, as has been found, during robustness analysis are far simpler to solve than the worst case [11], [12], [13].
We present the method as an extension of SAT ATPG first in its general form. Then we review the class of dependable circuits studied and present their fault classification. We demonstrate application of the proposed method on this problem, and finally show and discuss classification results for two different implementation technologies.
II. PREDICATE EVALUATION

A. The SAT-Based ATPG
Let the circuit in question realize a Boolean function F(x) over the input x. The circuit has n primary inputs and m primary outputs. In the application presented below, the circuit is protected by a CED code, and an erroneous output is indicated by one extra output signal, see Figure 1.

Figure 1. A circuit F with n inputs and m+1 outputs

Denote by F_flt(x) the Boolean function characterizing the circuit with a given fault. The question whether the fault can be detected is answered by the predicate stating that some input vector x exists for which F(x) and F_flt(x) differ, i.e. F(x) != F_flt(x).
This is understood as a circuit, see Figure 2. The fault-free and faulty circuits provide F(x) and F_flt(x), respectively. The predicate itself is also expressed as a circuit called the miter [3].
The characteristic function of the entire circuit is then constructed in Conjunctive Normal Form (CNF) and its satisfiability is decided. If the instance is unsatisfiable, the fault cannot be tested. If it is satisfiable, every solution is an input vector testing the fault. For details on SAT-based ATPG, see [7], [8], [9].
B. General Predicates
Let x, F(x) and F_flt(x) have the same meaning as above. Let G(x, F(x), F_flt(x))
be any Boolean predicate over x, F(x) and F_flt(x). Then G can also be understood as a circuit, see Figure 3. As it has the same role as in ATPG or model checking, we call it the generalized miter. Its characteristic function can be constructed as in the ATPG case, and the SAT instance is solved: a satisfiable instance proves the existentially quantified predicate, and its solutions are the witnesses. A universally quantified predicate, i.e. G holding for all x,
can simply be converted to the unsatisfiability of its negation H = not G: G holds for every x exactly when no input vector satisfies H.
The construction of H might seem difficult. When seen as a circuit, however, it suffices to add an inverter to the output of G. This adds one more variable and two clauses to the SAT instance, which is tolerable.
The predicate can be transformed to CNF by other methods as well; the above case illustrates the advantage of seeing it as a circuit.
The dependency of the general predicate on x is useful in situations where not every input vector is admissible. Let A be the set of admissible input vectors and a(x) the predicate characterizing the set. Then the quantification is restricted to A by conjoining a(x) with the predicate in the miter: an existential predicate becomes a(x) and G, and a universal predicate holds on A iff a(x) and H is unsatisfiable. In circuit terms, the miter is extended by the circuit computing a(x) and an AND gate.
This feature achieves the same effect as the input encoder in [5]. In the case solved there, the code generator and the detector for the codes in question are of comparable complexity. For other problems, however, producing a vector may be more difficult than checking that vector.
III. THE ANALYZED ARCHITECTURE
A. The Structure of the Dependable Block
The CED strategy proposed in [1] , [14] is used in this paper to illustrate principles of the proposed SAT-based predicate evaluation and for the experimental evaluation.
The digital circuit D to be secured by a CED code is supplemented with a predictor P and a checker E, see Figure 4. The predictor can be understood as a copy of the functional circuit together with an encoder. The encoder transforms the vector on the primary outputs of the circuit into the redundancy bits of a selected error detection code. The primary outputs (POs) of the circuit to be secured and the predictor outputs form the code-word whose correctness is verified by the checker.
Any fault in the functional logic D either does not alter the output for a given input vector, or should be detected by the checker. Faults in the predictor and checker either do not affect the operation, or cause false alarms. This architecture can be regarded as a modification of the well-known duplex scheme [14], [16].
For the purpose of this paper, single parity is used as the error detection code. Thus, the predictor is constructed as a copy of the original circuit supplemented with an XOR tree at its outputs, k = 1 in Figure 4.
The single parity code offers a low area overhead; however, its error detection capabilities are limited, since an error flipping an even number of output bits preserves parity. Therefore, the fault coverage can be lower than in the case of the duplex system, and must be analyzed.
B. Fault Classification and Dependability Parameters
There are three basic dependability parameters in the field of CED (Concurrent Error Detection) [1], [2]:
- Fault security (FS): the probability that the erroneous outputs produced by a modeled fault do not belong to the output code-words, i.e. that the fault never produces a wrong but valid code-word.
- Self-testing property (ST): the probability that an input vector occurring during normal operation produces an output vector which does not belong to the code when a modeled fault occurs, i.e. that the fault is detected by at least one normal input vector.
- Totally self-checking (TSC): the FS and ST parameters of the circuit are both equal to 100%. The Totally Self-Checking property offers the highest level of protection.
The faults in the secured block cannot be classified only as detectable or undetectable, as for an ordinary circuit. Their detectability by the checker must also be evaluated [4].
To compute these parameters, an approach based on a fault classification was presented in [4] , [15] . The faults are classified into four groups (A, B, C and D) based on their observability on primary outputs of the circuit and detectability by the checker.
- Class A: these faults do not affect the circuit POs for any allowed input vector. This is the class of redundant (undetectable) faults. They have no impact on the FS property, but a circuit with such a fault cannot be ST.
- Class B: these faults are detectable by at least one input vector and do not produce an incorrect code-word (a valid but incorrect code-word) for any other input vector. They have no negative impact on the FS and ST properties, since if such a fault occurs, it is detected by the checker.
- Class C: these faults produce an incorrect code-word for at least one input vector and cannot be detected by any input vector. This is the class of faults that can never be detected by the checker yet produce an erroneous output. A circuit with such a fault is neither FS nor ST.
- Class D: these faults cause at least one detectable and at least one undetectable error on the POs. They are detectable, but may also produce an incorrect output which is not detected by the checker. They do not satisfy the FS property.
The FS property can be computed from the numbers of faults in these classes as:
The ST property is computed in a similar way as:
where A, B, C, and D are the numbers of faults in the respective classes.
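The two formulas themselves did not survive extraction. The following is added here as a derivation from the class definitions above, in the paper's own symbols, and is not copied from the page: a fault preserves fault security exactly when it never yields a valid but incorrect code-word (classes A and B), and it is self-testing exactly when at least one input vector detects it (classes B and D), so with A, B, C, D as fault counts

$$
\mathrm{FS} = \frac{A + B}{A + B + C + D}, \qquad
\mathrm{ST} = \frac{B + D}{A + B + C + D}.
$$

TSC (FS = ST = 100%) then holds iff C = D = 0 and A = 0, i.e. iff every modeled fault is of class B.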
IV. SAT-BASED FAULT CLASSIFICATION TECHNIQUE
To apply the SAT-based classification to the architecture outlined above, we must characterize the classes by binary predicates and apply the general scheme from Figure 3.
A. Predicates
To compute the dependability parameters of the given architecture, each fault must be classified into one of the classes A, B, C and D. Distinguishing four classes needs at least two binary predicates, which in this case are easy to derive from the specifications. In principle, the classes are defined by the ability of the fault to cause a detected or an undetected error, which can be formalized as follows:
- J(x) is true iff the input vector x gives an erroneous output D(x) of the faulty circuit (the faulty output differs from the fault-free one) and the error is detected (E(x) is true).
- K(x) is true iff the input vector x gives an erroneous output D(x) of the faulty circuit and the error is not detected (E(x) is false).
Then the given fault belongs to class A if neither J nor K is satisfiable, to class B if J is satisfiable and K is not, to class C if K is satisfiable and J is not, and to class D if both are satisfiable.
Hence, two SAT instances must be solved to classify a fault.
B. Generalized Miters
To construct a miter for the J and K predicates, we apply the general process leading from the circuit in Figure 1 to the circuit in Figure 3 to the discussed architecture. The output F(x) is in our case decomposed into D(x) and E(x), giving the circuit in Figure 5. Bringing in the internal structure of F and F_flt from Figure 4, we obtain the circuit in Figure 6.
The actual predicates apply to all input vectors x and depend on x only through D(x) and E(x); therefore x does not enter the miter circuits directly. Furthermore, we are interested in faults in the secured circuit D only, not in the predictor or checker. Therefore, we can omit E_flt(x) from the miters and thus P_flt and E_flt from the circuit. The final optimized circuit is in Figure 7.
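The whole flow of Sections II and IV, as an added, runnable example that is not the paper's code: a constructed three-input netlist is secured by the single-parity scheme of Section III.A; the fault-free and faulty copies share the input variables x; the predictor is the parity of the fault-free outputs and the checker flags a parity mismatch; the predicates J and K of Section IV.A are built as the generalized miter of Figure 7 (err = D(x) != D_flt(x), e = checker output). Tseitin transformation produces the CNF and a minimal DPLL solver decides the two SAT instances per fault; err alone, without the checker, is the plain ATPG miter of Section II.A. The netlist, the uncollapsed stuck-at fault list, the DPLL solver, the Tseitin encoder, and the formulas FS = (A+B)/total, ST = (B+D)/total (derived from the class definitions of Section III.B, not copied from the page) are all assumptions of this example.

```python
"""Added example (not the paper's code): generalized miter of Sections II.B/IV for
a constructed netlist, Tseitin-encoded to CNF and solved by a minimal DPLL solver.
Fault model: single stuck-at on any named signal; error code: single parity (k=1)."""


class CNF:
    """Tseitin encoder: each gate gets a fresh variable plus its defining clauses."""
    def __init__(self):
        self.nvars, self.clauses = 0, []

    def new(self):
        self.nvars += 1
        return self.nvars

    def const(self, value):  # fresh variable pinned to 0/1 by a unit clause
        v = self.new()
        self.clauses.append([v if value else -v])
        return v

    def gate(self, kind, ins):
        if kind == 'XOR' and len(ins) != 2:  # fold an XOR tree pairwise
            return ins[0] if len(ins) == 1 else self.gate('XOR', [self.gate('XOR', ins[:2])] + ins[2:])
        o = self.new()
        if kind == 'AND':
            self.clauses += [[-o, i] for i in ins] + [[o] + [-i for i in ins]]
        elif kind == 'OR':  # a one-input OR is a buffer
            self.clauses += [[o, -i] for i in ins] + [[-o] + list(ins)]
        elif kind == 'NOT':
            self.clauses += [[-o, -ins[0]], [o, ins[0]]]
        elif kind == 'XOR':
            a, b = ins
            self.clauses += [[-o, a, b], [-o, -a, -b], [o, -a, b], [o, a, -b]]
        else:
            raise ValueError(kind)
        return o


def encode(cnf, netlist, inputs, fault=None):
    """Encode the netlist on shared input variables; fault = (signal, stuck value)."""
    sig = dict(inputs)
    if fault and fault[0] in sig:  # stuck-at on a primary input
        sig[fault[0]] = cnf.const(fault[1])
    for out, kind, ins in netlist:
        v = cnf.gate(kind, [sig[i] for i in ins])
        sig[out] = cnf.const(fault[1]) if fault and out == fault[0] else v
    return sig


def solve(clauses):
    """Minimal DPLL (unit propagation + branching). Returns {var: bool} or None."""
    def reduce(cls, lit):  # assign lit: drop satisfied clauses, shorten the rest
        out = []
        for c in cls:
            if lit not in c:
                c = [l for l in c if l != -lit]
                if not c:
                    return None  # empty clause: conflict
                out.append(c)
        return out

    def dpll(cls, assign):
        while cls and (unit := next((c[0] for c in cls if len(c) == 1), None)) is not None:
            assign, cls = {**assign, abs(unit): unit > 0}, reduce(cls, unit)
            if cls is None:
                return None
        if not cls:
            return assign
        for choice in (cls[0][0], -cls[0][0]):
            sub = reduce(cls, choice)
            res = dpll(sub, {**assign, abs(choice): choice > 0}) if sub is not None else None
            if res is not None:
                return res
        return None
    return dpll(clauses, {})


def miter(netlist, inputs, outputs, fault):
    """Figure 7 style miter: err = D(x) != D_flt(x); e = checker (1 = parity mismatch)."""
    cnf = CNF()
    x = {n: cnf.new() for n in inputs}
    good, bad = encode(cnf, netlist, x), encode(cnf, netlist, x, fault)
    err = cnf.gate('OR', [cnf.gate('XOR', [good[o], bad[o]]) for o in outputs])
    p = cnf.gate('XOR', [good[o] for o in outputs])  # predictor P: parity of D(x)
    e = cnf.gate('XOR', [cnf.gate('XOR', [bad[o] for o in outputs]), p])
    return cnf, err, e


def classify(netlist, inputs, outputs, fault):
    """Section IV.A: J = error detected, K = error undetected; two SAT calls."""
    cnf, err, e = miter(netlist, inputs, outputs, fault)
    j, k = cnf.gate('AND', [err, e]), cnf.gate('AND', [err, cnf.gate('NOT', [e])])
    sat_j, sat_k = solve(cnf.clauses + [[j]]) is not None, solve(cnf.clauses + [[k]]) is not None
    return {(0, 0): 'A', (1, 0): 'B', (0, 1): 'C', (1, 1): 'D'}[(sat_j, sat_k)]


def dependability(netlist, inputs, outputs):
    """Class counts over all single stuck-at faults (uncollapsed list) and, from the
    class definitions of Section III.B, FS = (A+B)/total and ST = (B+D)/total."""
    counts = {c: 0 for c in 'ABCD'}
    for s in list(inputs) + [out for out, _, _ in netlist]:
        for v in (0, 1):
            counts[classify(netlist, inputs, outputs, (s, v))] += 1
    total = sum(counts.values())
    return counts, (counts['A'] + counts['B']) / total, (counts['B'] + counts['D']) / total


# Constructed example circuit D (an assumption, not a benchmark): t = a OR NOT a is
# redundant (always 1); h fans out to two outputs, so an error on h flips an even
# number of output bits and escapes single parity.
INPUTS, OUTPUTS = ['a', 'b', 'c'], ['y0', 'y1', 'y2', 'y3', 'y4']
NETLIST = [('na', 'NOT', ['a']), ('t', 'OR', ['a', 'na']), ('g1', 'AND', ['a', 'b']),
           ('y0', 'XOR', ['g1', 'c']), ('y1', 'OR', ['g1', 'c']), ('y2', 'AND', ['na', 't']),
           ('h', 'AND', ['b', 'c']), ('y3', 'OR', ['h']), ('y4', 'AND', ['h', 't'])]
```

Calling `dependability(NETLIST, INPUTS, OUTPUTS)` classifies all 24 uncollapsed single stuck-at faults and returns the class counts with FS and ST; `classify` on the faults ('t', 1), ('y2', 0), ('h', 0) and ('g1', 0) yields A, B, C and D respectively: the redundant signal t, a single-output fault always caught by parity, the double-output fault on h that always escapes parity, and the fault on g1 that escapes for some input vectors only. The universal quantification of Section II.B appears here as unsatisfiability: a fault leaves the circuit fault secure exactly when its K instance is unsatisfiable. Any other combinational fault model plugs in at the same place, by changing how the faulty copy is encoded.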
V. EXPERIMENTAL TECHNOLOGY COMPARISON

Using the framework described above, we compared the robustness of a set of benchmarks, implemented either structurally (as a network of gates) with S@ faults, or as a set of Look-Up Tables (LUTs), considering a Single Event Upset (SEU) in the LUT configuration memory as the primary fault mechanism.
The experiments have been performed on 65 ISCAS'85 [17] , ISCAS'89 [18] , ITC'99 [19] and LGSynth [20] benchmark circuits.
For the S@ faults, the original structural description was used. The fault lists were generated by Atalanta [21] and were collapsed, i.e. free from dominated faults.
The LUT implementations were synthesized by ABC [22] using the command sequence strash; dch; if; lutpack as recommended by the authors.
A. Measurements and Metrics
The gate implementation and the LUT implementation of a circuit have different numbers of possible faults. To compare them in a practically relevant manner, we decided to count points of vulnerability, that is, the number of faults which can cause dysfunction of the circuit. The coefficients FS and ST, which indicate the distance to the Totally Self-Checking goal, are of minor importance here. The metrics used were Not Fault Secure, NFS = C + D, and Not Self-Testing, NST = C (class A faults never affect the POs and so are not points of vulnerability). Table II shows the numbers of faults classified by the above described method. Their statistical properties are summarized in Table I, using standard correlation and least-squares linear regression. It is apparent that the values, with the exception of the number of Class A faults, are correlated. The values NFS and NST, which give the number of points of vulnerability, are the most tightly correlated. From the correlation it follows that the dependability, or, more precisely, the ability to become dependable using the MDS (Modified Duplex System) architecture, does not depend on the implementation technology and fault model. Rather, it is a property of the circuit itself.
B. Measured Numbers of Faults
From the regression coefficient for the total number of faults, it would seem that the LUT technology has twice the number of potential faults. From the coefficient for the Class A faults, it would further seem that many of them are caused by redundancy. This comparison, however, is influenced by the construction of the fault list for gates: a single fault there can represent more than one dominated fault and hence more than one point of vulnerability.
VI. CONCLUSIONS
A method for proving arbitrary predicates quantified over the input vectors of a combinational circuit has been presented. The method combines elements from SAT-based ATPG and SAT-based property checking. The Modified Duplex System (MDS) architecture, which requires classification of faults into four classes, has been selected to demonstrate the method.
A set of benchmark circuits was constructed using the MDS redundancy architecture. The circuits were implemented both in gates and LUTs. Their self-checking characteristics were evaluated by the described method under the stuck-at and single event upset fault models, respectively. The characteristics were found to be correlated, which suggests that the ability to become dependable under the MDS scheme is an intrinsic property of the circuit itself.
