Abstract-This paper addresses the problem of locating error sources in an erroneous combinational or sequential circuit. We use a fault simulation-based technique to approximate each internal signal's correcting power. The correcting power of a particular signal is measured in terms of the signal's correctable set, namely, the maximum set of erroneous input vectors or sequences that can be corrected by resynthesizing the signal. Only the signals that can correct every given erroneous input vector or sequence are considered as a potential error source. Our algorithm offers three major advantages over existing methods. First, unlike symbolic approaches, it is applicable for large circuits. Second, it delivers more accurate results than other simulation-based approaches because it is based on a more stringent condition for identifying potential error sources. Third, it can be generalized to identify multiple errors theoretically. Experimental results on diagnosing combinational and sequential circuits with one and two random errors are presented to show the effectiveness and efficiency of this new approach.
I. INTRODUCTION

During the very large scale integration design process, functional mismatches between a given specification and the final implementation often occur. Once a functional mismatch is found by the verification tool, the designer faces the daunting task of design error diagnosis, a process that identifies or narrows down the error sources in the implementation so as to assist the subsequent error correction process [2], [8], [11], [18], [20]-[22]. Due to the difficulty of diagnosing a sequential circuit, most previous approaches have focused on combinational diagnosis. Most of them also assume that the circuit under diagnosis is single-signal correctable, i.e., that the circuit can be completely corrected by resynthesizing a particular signal, as shown in Fig. 1. Such a signal is called a single-fix signal hereafter.
Most approaches to error diagnosis can be classified into two categories: 1) simulation-based approaches and 2) symbolic approaches. The simulation-based approaches first derive a number of input vectors that can differentiate the implementation and the specification. These binary or three-valued input vectors are called erroneous vectors in the sequel. By simulating each erroneous vector, the potential error region can then be trimmed down gradually. The heuristics for eliminating those signals that cannot be error sources vary from one approach to another [14], [16], [21], [22], [25]-[27], [29]. Pomeranz and Reddy proposed a filter [21] for locating the error sites of an erroneous combinational circuit. The idea is based on the observation that if cannot sensitize a discrepancy from a signal to a primary output , then the erroneous output response of with respect to cannot be corrected by changing the function of . In other words, is not responsible for the erroneous with respect to vector if . As will be discussed later, our approach can be viewed as an enhancement of this method when diagnosing a combinational circuit.

Manuscript received February 6, 1998; revised July 16, 1998. This work was supported in part by the National Science Foundation (NSF) under Grant MIP-9503651 and in part by the California MICRO program through Fujitsu/Rockwell. This paper was recommended by Associate Editor A. Saldanha.
S.-Y. Huang was with the University of California, Santa Barbara, CA 93106 USA. He is now with Worldwide Semiconductor Manufacturing Corp., HsinChu, Taiwan, ROC (e-mail: sy.huang@wsmc.com.tw).
K.-T. Cheng is with the Department of Electrical and Computer Engineering, University of California, Santa Barbara, Santa Barbara, CA 93106 USA (e-mail: timcheng@ece.ucsb.edu).
Publisher Item Identifier S 0278-0070(99)06630-0.
Kuehlmann et al. proposed another heuristic [14], referred to as back propagation here. Similar to the critical path tracing technique used in fault simulation [4], it traces back from each erroneous primary output toward the primary inputs to find candidate error locations. This approach is more general in the sense that it does not rely on an error model consisting of the most frequently occurring error types as defined in [1] (e.g., a missing inverter). Relatively speaking, this approach is more efficient than the one in [21], but less accurate. The accuracy of back propagation can be further improved without sacrificing efficiency through a technique called observability measure, proposed by Veneris et al. [27].
On the other hand, the symbolic approaches do not enumerate any erroneous vector [8], [17]-[20], [24]. They primarily rely on ordered binary decision diagrams (OBDD's) [6] to formulate the necessary and sufficient condition of a single-fix signal. Based on this formulation, the signals that are most responsible for the incorrect output functions can be directly identified. In comparison, the symbolic approaches are more accurate than the simulation-based approaches and are also extendible to multiple errors [19]. However, constructing the required BDD representations may cause memory explosion for large circuits. As will be discussed later, our diagnosis algorithm for combinational circuits is quite similar to the symbolic approaches in the concept of which signals should be regarded as error signals. In some sense, it can be viewed as an approximation of the symbolic approaches that achieves the same accuracy if given infinite time.
Given an erroneous implementation and a specification described at a higher level of abstraction, e.g., the register-transfer (RT) level, the first step of diagnosis is usually to perform a fast-pass synthesis on the specification to derive a gate-level representation of it. After that, gate-to-gate error diagnosis can be conducted. It is likely that a one-to-one flip-flop (FF) correspondence between the implementation and the gate-level specification does not exist and, thus, the combinational diagnosis approaches cannot be applied. A sequential error diagnosis approach is needed for this kind of situation. However, due to the even higher difficulty and complexity, only a few papers in the literature have addressed the problem of diagnosing design errors in sequential circuits [9], [23], [30]. The method discussed in [23], which models the error in the state transition table, only targets small controllers. The approach proposed in [9] is not very general in the sense that it only handles small feedback-free circuits, or finite state machines that have a one-to-one state correspondence with their specifications. Another approach, extending a combinational backward error tracing heuristic [29] to the iterative array model, was proposed in [30]. It uses a restricted error hypothesis (containing three types of wrong-gate errors) and has two major limitations. First, because it relies on a restricted error hypothesis to reduce the complexity of the diagnosis process, it may fail when the design error is not modeled in that hypothesis. Second, it cannot deal with multiple errors.
In this paper, we perform error diagnosis through a fault simulation process that takes a number of erroneous vectors as its inputs. The set of erroneous vectors is generated in advance during the functional simulation process [15] or by verification tools. Our approach is based on a notion called the correctable set. A signal's correctable set is defined as the set of erroneous vectors that can be corrected by resynthesizing the signal. Let be an erroneous vector and be a signal in the erroneous implementation. We show that whether is correctable by resynthesizing can be precisely determined by simulating input vector for stuck-at faults at . Like most simulation-based approaches, our algorithm is a monotone filtering process. Initially every signal is considered a single-fix candidate. We simulate every erroneous vector in the given set for the stuck-at faults at each candidate signal. According to the fault simulation results, if a signal is proven unable to correct the erroneous vector under simulation, then it is a false candidate. False candidates are removed from the candidate list immediately, before the next erroneous vector is simulated.
Our approach does not incorporate an error model and, thus, is suitable for general types of design errors. The accuracy of our approach depends on the input vectors simulated: the larger the number of vectors simulated, the higher the accuracy. Theoretically speaking, if we can afford to simulate the complete set of erroneous vectors, then our approach is as accurate as the symbolic methods. The experimental results show that this method is very effective for single-signal correctable circuits. On average, 99% of the signals can be filtered out of the original candidate list after simulating only 32 erroneous vectors.
Another advantage of this approach over the other simulation-based approaches is that it can be generalized to circuits with multiple errors. For diagnosing multiple errors, we search for a set of signals that can jointly fix the erroneous circuit. A two-stage fault simulation procedure is also proposed to speed up the multiple-error diagnosis process. This two-stage procedure, which takes advantage of the topological dominance relation between signals, does not cause any loss of accuracy. In this paper, we present the results of diagnosing single and double errors for every ISCAS'85 combinational benchmark circuit. The larger circuits in this benchmark set cannot be handled by the BDD-based symbolic approaches.
This approach is further generalized to sequential circuits. We first derive the necessary and sufficient condition for whether an erroneous input sequence can be corrected by changing the function of a particular internal signal. Similar to the combinational case, we then search for the potential error signals based on this condition through a modified sequential fault simulation process. Experimental results on some of the ISCAS'89 benchmark circuits injected with one and two errors will also be presented.
The rest of this paper is organized as follows. Section II gives the basic assumptions and definitions. Section III describes our combinational diagnosis algorithm for single-signal correctable circuits. In Section IV, we generalize this algorithm to multiple errors. In Section V, we generalize this technique to sequential circuits. We present the experimental results in Section VI, and conclude in Section VII.
II. BASIC DEFINITIONS
We assume that the specification and the erroneous implementation are given as gate-level circuits. Both share the same set of primary inputs, denoted as . The primary outputs of the specification and the implementation are denoted as and , respectively.
Definition 1: is called the th primary output pair.
Definition 2: Joint network is a network obtained by connecting the primary inputs of the specification and the implementation together, as shown in Fig. 2. For the rest of this paper, we also refer to the specification as and the implementation as .
III. SINGLE ERROR DIAGNOSIS FOR COMBINATIONAL CIRCUITS
In this section we begin by introducing the notion of a correctable vector. This is followed by the necessary and sufficient condition for a single-fix signal, from a slightly different point of view than the ones in [18]-[20] and [24]. After that, we present our overall algorithm.
A. Correctability
to every one of them). At the same time, every originally correct output remains correct (because vector cannot sensitize a discrepancy from to any one of them). On the other hand, it can be shown that if either of the above two conditions is not satisfied, then at least
Proof: Here, we make no distinction between a signal and its function. If a signal is a single-fix signal, then by definition every erroneous vector is correctable by . In the following we show that is a single-fix signal if every erroneous vector is correctable by . Let , where is the characteristic function of the entire erroneous vector set. Intuitively, can be interpreted as a function that agrees with on all nonerroneous vectors, while disagreeing on all erroneous vectors. It can be shown that is a fix function at by Proposition 1 and, thus, we conclude that is a single-fix signal if every erroneous vector is correctable by .
(Q.E.D.)
B. Algorithm for Single Error Diagnosis
In this subsection, we describe the general flow for diagnosing a single-signal correctable circuit. In order to handle large circuits, we do not attempt to identify the single-fix signals using BDD. Instead, we employ an iterative filtering process which reduces the number of single-fix candidate signals gradually. The overall flow is shown in Fig. 3 .
This process takes as inputs the erroneous implementation, and a set of erroneous vectors together with their expected output responses. At the beginning, we assume every signal in is a single-fix candidate. Then our algorithm starts a two-level loop. The outer loop enumerates every erroneous vector. The inner loop iterates through every single-fix candidate signal. For each erroneous vector and target single-fix candidate , we examine whether is correctable by via fault simulation (explained below). If signal cannot correct vector , then cannot be a single-fix signal. Therefore, it is safe to remove from the candidate list. After we have examined every erroneous vector and eliminated the false single-fix candidates, a set of potential single-fix signals is derived.
C. Correctability Check via Fault Simulation
Given an erroneous vector and a signal , the correctability check decides whether is correctable by . It verifies the following two conditions: 1) can sensitize a discrepancy from to every erroneous output in response to and 2) cannot sensitize a discrepancy from to any correct output in response to . Both conditions must be satisfied for to correct . Proposition 3 shows that this can be checked by simulating vector for the stuck-at-0 and stuck-at-1 faults at . In the following discussion, we use to represent the faulty implementation with the -stuck-at-0 fault. Similarly, represents the faulty implementation with the -stuck-at-1 fault.
Proposition 3: A signal can correct an erroneous vector if and only if the faulty circuit or has the same output responses as the specification with respect to the input vector .
Proof: It is obvious that if or is equivalent to with respect to , then is correctable. On the other hand, if neither nor is equivalent to with respect to , then it can be shown that at least one of the two criteria of Proposition 1 cannot be satisfied, and thus, there does not exist a new function for signal to correct . (Q.E.D.)
Based on Proposition 3, we simulate the generated erroneous input vectors for the stuck-at faults at each candidate signal to gradually prune out the false single-fix candidates. Based on this formulation, any efficient fault simulation technique, e.g., differential fault simulation [7], can be applied to improve the efficiency. This process can be further sped up by exploiting the topological dominance relation between signals. Let and dom be two signals, and let dom be a topological dominator of . In other words, every path originating from to any primary output passes through signal dom. In [17], it has been proven that if dom cannot correct an erroneous vector , then cannot correct it either. Therefore, once a false single-fix candidate is found, we can immediately remove the signals it dominates from the candidate list as well. Fig. 4 shows the revised routine for simulating one erroneous vector for the correctability check.
First, we sort the candidate list in a fanout-first order, (i.e., every signal is after its transitive fanout signals). Given an erroneous vector, we examine each signal according to this order. Then differential fault simulation [7] is performed for the stuck-at-0 and stuck-at-1 faults for each target signal, say . The simulation results are compared with prestored output responses of the specification to decide the correctability. If the target signal fails to correct , then we drop not only but also every signal dominated by from the candidate list. The correctability check iterates until every signal remaining in the candidate list has been checked. In this revised routine, some candidate signals may be dropped without fault simulation because one of their dominators has been proven unable to correct the given erroneous vector. 
IV. MULTIPLE ERROR DIAGNOSIS FOR COMBINATIONAL CIRCUITS
In this section we generalize the approach to deal with circuits with multiple errors. In general, the number of errors introduced in the erroneous implementation is not known during the diagnosis process. Therefore, we first try to find a potential single-fix signal.
. Among them, defines a faulty circuit with a double fault ( stuck-at-0 and stuck-at-0). Proposition 4 shows that in order to decide whether an erroneous vector is -correctable by a set of signals , fault simulation needs to be performed on every one of the faulty circuits defined over .
Proposition 4: Let be a set of signals and be one of the enumerations defined over , . An erroneous input vector is -correctable by if and only if there exists a faulty circuit that has the same output responses as the specification with respect to , where denotes the faulty implementation defined by the enumeration .
Fig. 5(a) shows an implementation where signals and are replaced by two new functions, denoted as and , so that every output response with respect to is correct. Suppose the signal response at in the circuit in Fig. 5(a) is ; then we can create the circuit shown in Fig. 5(b) from the circuit in Fig. 5(a) by the following two steps.
1) Remove the new function at and reconnect signal . 2) Resynthesize signal with a new function that maps to , i.e., . 
B. Two-Stage Algorithm for Multiple Errors
Based on Proposition 5, we propose a two-stage fault simulation algorithm for diagnosing multiple errors. For the sake of simplicity, we discuss the case of = 2. That is, we assume that the implementation is double-signal correctable. The overall algorithm is shown in Fig. 6. If any one of these four faulty circuits has the same output response as the specification with respect to , then is two-correctable by . Otherwise, is a false candidate pair and should be removed from the candidate list. After the fault simulation process has iterated through every erroneous vector and candidate pair, we obtain a set of surviving key signal pairs that are potential fix pairs. However, these pairs are only a subset of the potential fix pairs: every subordinate pair of each of them is also a possible fix pair. For example, suppose is a potential fix pair after the first stage. Let and be the sets of signals dominated by and , respectively. Then , , , , are possible fix pairs, too. However, they are not examined in the first stage. Note that only the subordinate pairs of the surviving key signal pairs need to be checked in the second stage; the subordinate pairs of the false key signal pairs filtered out in the first stage are guaranteed not to be fix pairs. Usually, the number of subordinate pairs that need to be checked in the second stage is very small, as will be shown in Section V.
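The following Python script is an added worked example, not the authors' ErrorTracer code. It carries the correctability check of Proposition 3 (Section III-C, with the fanout-first ordering and dominator pruning of Fig. 4) and the pair check of Proposition 4 through on a constructed full-adder netlist: the specification, an implementation with one injected gate-type error (g1 built from OR instead of AND), and one with a second error added (s built from AND instead of XOR). Its assumptions: netlists are dicts of gate name to (op, inputs); erroneous vectors are collected exhaustively rather than by random simulation; and for the double-fix case every signal pair is checked directly, without the key-signal/subordinate-pair reduction of the two-stage algorithm above, whose Proposition 5 is not reproduced on this page.

```python
"""Added example: single-fix and double-fix diagnosis of a small combinational
circuit by stuck-at fault simulation. Netlists are dicts gate -> (op, inputs)."""
from itertools import combinations, product

OPS = {"AND": lambda *x: int(all(x)), "OR": lambda *x: int(any(x)),
       "XOR": lambda a, b: a ^ b, "NOT": lambda a: 1 - a}


def build(inputs, outputs, gates):
    """Topologically order the gates and compute each signal's dominator set:
    the signals lying on every path from it to a primary output."""
    order, seen = [], set()

    def visit(g):
        if g in seen or g in inputs:
            return
        seen.add(g)
        for i in gates[g][1]:
            visit(i)
        order.append(g)

    for g in gates:
        visit(g)
    fanout = {g: [] for g in gates}
    for g, (_, ins) in gates.items():
        for i in ins:
            if i in fanout:
                fanout[i].append(g)
    doms = {}
    for g in reversed(order):            # fanout-first: fanouts are already done
        doms[g] = {g}
        if g not in outputs and fanout[g]:
            doms[g] |= set.intersection(*(doms[f] for f in fanout[g]))
    return {"inputs": inputs, "outputs": outputs, "gates": gates,
            "order": order, "doms": doms}


def simulate(c, vec, stuck=None):
    """Output responses for one vector; `stuck` maps signal -> stuck-at value."""
    v, stuck = dict(zip(c["inputs"], vec)), stuck or {}
    for g in c["order"]:
        op, ins = c["gates"][g]
        v[g] = stuck[g] if g in stuck else OPS[op](*(v[i] for i in ins))
    return tuple(v[o] for o in c["outputs"])


def erroneous_vectors(spec, impl):
    """Exhaustive here; the paper collects them by random simulation."""
    return [vec for vec in product((0, 1), repeat=len(spec["inputs"]))
            if simulate(spec, vec) != simulate(impl, vec)]


def correctable(impl, expected, vec, signals):
    """Proposition 3 (one signal) / Proposition 4 (k signals): correctable iff
    some stuck-at assignment to the signals reproduces the spec's outputs."""
    return any(simulate(impl, vec, dict(zip(signals, vals))) == expected
               for vals in product((0, 1), repeat=len(signals)))


def single_fix_candidates(spec, impl, vectors):
    """Monotone filter of Figs. 3 and 4: candidates are visited fanout-first and a
    failing signal drops every signal it dominates without simulating them."""
    cands = set(impl["gates"])
    for vec in vectors:
        expected = simulate(spec, vec)
        for g in reversed(impl["order"]):
            if g in cands and not correctable(impl, expected, vec, (g,)):
                cands -= {s for s in cands if g in impl["doms"][s]}
    return cands


def double_fix_pairs(spec, impl, vectors):
    """Proposition 4 on every signal pair (four faulty circuits per pair)."""
    pairs = set(combinations(sorted(impl["gates"]), 2))
    for vec in vectors:
        expected = simulate(spec, vec)
        pairs = {p for p in pairs if correctable(impl, expected, vec, p)}
    return pairs


# Constructed full adder: SPEC is correct, IMPL_ONE has g1 built from OR instead
# of AND, IMPL_TWO additionally has s built from AND instead of XOR.
INPUTS, OUTPUTS = ["a", "b", "c"], ["s", "cout"]

def adder(g1_op, s_op):
    return build(INPUTS, OUTPUTS, {
        "x1": ("XOR", ["a", "b"]), "s": (s_op, ["x1", "c"]),
        "g1": (g1_op, ["a", "b"]), "g2": ("AND", ["x1", "c"]),
        "cout": ("OR", ["g1", "g2"])})

SPEC, IMPL_ONE, IMPL_TWO = adder("AND", "XOR"), adder("OR", "XOR"), adder("OR", "AND")

if __name__ == "__main__":
    v1 = erroneous_vectors(SPEC, IMPL_ONE)
    print("single-fix candidates:", single_fix_candidates(SPEC, IMPL_ONE, v1))  # {'g1', 'cout'}
    v2 = erroneous_vectors(SPEC, IMPL_TWO)
    print("single-fix candidates:", single_fix_candidates(SPEC, IMPL_TWO, v2))  # set()
    print("double-fix pairs:", double_fix_pairs(SPEC, IMPL_TWO, v2))  # {('cout', 's'), ('g1', 's')}
```

For the single-error implementation the filter keeps exactly the injected error g1 and its dominator cout, which matches the "lower bound" of Section V (dominators of the error signal plus one). For the double-error implementation every single-fix candidate is disqualified, and the pair check keeps only pairs containing s together with g1 or cout: the pair (cout, s) is the subordinate-pair phenomenon of the text, since cout dominates g1.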
C. Complexity Analysis
In general, the number of errors introduced in the implementation is not known prior to the diagnosis process. The complexity of the search for multiple-fix signals may grow rapidly. For example, for a circuit that can only be fixed by resynthesizing at least signals, we may need to check every set of signals with cardinality less than or equal to . Also, the complexity of each correctability check may grow exponentially in the cardinality of the candidate set under consideration. Thus, the overall complexity of multiple-error diagnosis in the worst case is
Comb Comb Comb
where is the number of signals in the implementation , and Comb represents the combination number of choosing signals from signals. In Section V, we will show the experimental results of diagnosing circuits injected with two random errors. However, in practice, the identification of the multiple-fix signals may become too time-consuming for large circuits with more than two errors. The approach proposed in [14], which approximates each signal's probability of being an error source using heuristics, may then be more appropriate, allowing the designer to locate and fix one error at a time.
V. EXPERIMENTAL RESULTS OF COMBINATIONAL DIAGNOSIS
We have implemented our algorithm in the C language in the SIS environment [28]. The program is named ErrorTracer and incorporates a differential fault simulator as described in [7]. Our experiments for combinational diagnosis are performed on every ISCAS'85 benchmark circuit. For each circuit, we first optimize it with the optimization script script.rugged to obtain the implementation. Then we decompose it into AND/OR gates using the SIS command " -5 -5." To generate erroneous implementations, gate-type errors are injected using an error injection program [14]. This program randomly selects a logic gate and then randomly scrambles its truth table. Note that, similar to the symbolic approaches, our approach is based on the notion of resynthesis and, thus, is not restricted to the types of errors introduced in the implementation. Table I shows the results of single-error diagnosis. The program is run 20 times for each benchmark circuit, each time with a different single-error implementation. In the preprocessing stage, we run random simulation until 32 erroneous vectors are collected or 16 000 random patterns have been simulated. In a very few cases, no erroneous vector is found after simulating 16 000 random patterns. For each of these cases, our formal equivalence checker, AQUILA [10], successfully proves that the error-injected implementation is actually functionally equivalent to the specification. Table I shows the average results for the genuinely erroneous implementations. The meaning of some columns is explained as follows.
1) Number of Potential Fix Signals:
This is the number of potential single-fix signals delivered by our program. On average, our algorithm outputs 6.6 potential single-fix signals for the ISCAS'85 benchmark circuits. Among these single-fix signals, a signal that does not dominate any other single-fix signal is even more likely to be the real location where the error occurs. Although this heuristic is not always true in our experiments, it is helpful in most cases for predicting the real error source among the reported potential single-fix signals. Fig. 7 shows the curve of the number of potential single-fix signals versus the number of erroneous vectors simulated during the diagnosis process for a single-error implementation of C6288. Initially, every signal is regarded as a potential single-fix signal, so there are 2339 candidates in total. After simulating only one erroneous vector, our approach narrows the error region down to six signals. After simulating six erroneous vectors, we precisely pinpoint the location of the injected error. This curve indicates that our criterion for a signal to be a potential single-fix signal is very stringent and, thus, is able to filter out most false candidates rapidly. In our experience, the number of potential single-fix signals saturates quickly in most cases, after fewer than ten erroneous vectors have been simulated. Fig. 8 shows the final numbers of potential single-fix signals after simulating 32 erroneous vectors for 20 single-error implementations each of C6288 and C7552. It can be seen that C7552 has a large variation from one erroneous implementation to another. On the other hand, the number of potential single-fix signals for C6288 is always small. This may indicate that C6288, a 16-b multiplier, is easier to diagnose.
2) Lower Bound: This is a pessimistic lower bound on the total number of single-fix signals. It is obtained by counting the number of dominators of the injected error signal plus one.
This number is pessimistic because some single-fix signals may not dominate the injected error signal and, thus, could be ignored in this calculation.
3) Hit Ratio: This indicates the probability that the injected error signal is included in the delivered set of potential fix signals. Our program will not overlook the real error signal, so the hit ratio is always 100%.
4) Suspect Ratio:
This is the ratio of the number of potential fix signals to the total number of signals in . The average obtained by our program is 1.06%, which means that almost 99% of the signals are disqualified as single-fix signals.
5) CPU Time:
The CPU time on a 150 MHz Sparc20 consists of the random simulation time and the fault simulation time. The random simulation time for generating 32 erroneous vectors (40 s on average) dominates the fault simulation time (8 s on average). For large circuits, the heuristic proposed in [14] can be used as a fast pass before ErrorTracer to further reduce the CPU time. Table II shows the results of diagnosing circuits injected with two random errors. Since this is a more time-consuming process, we only diagnose one erroneous implementation for each benchmark circuit. Each of these erroneous implementations is proven not single-signal correctable by our program (i.e., every signal is disqualified as a single-fix signal). Note that if an implementation is single-signal correctable, then the number of potential double-fix pairs would be huge. For example, if is a single-fix signal, then the signal pair , where is any signal in , would be a double-fix pair. This leads to an even more time-consuming double-error diagnosis process, because our false-candidate dropping technique is not effective in such cases. Several columns of Table II are discussed as follows.
6) Number of Candidate Pairs Checked:
This is the total number of candidate pairs checked by the two stages of fault simulation. Usually the number of candidates in the second stage is negligible compared to that in the first stage. This number also implies the speedup factor obtained by exploiting the dominance relation. Consider C432, for example. The number of signals in is 175; hence, the total number of candidate pairs without using the dominance relation is . In our algorithm, the total number of candidate pairs is reduced to only . Therefore, the dominance relation reduces the number of candidate pairs that need to be checked from 15 225 to 1048, and the speedup is 14.5 times. The average speedup factor over the entire set of benchmark circuits is 21.
7) Hit Ratio: This is also 100% for double-error diagnosis using our program.
8) Number of Potential Fix Pairs:
This number is found to be larger than the number of potential single-fix signals in the single-error implementations.
9) CPU Time: In these cases the CPU time is dominated by the fault simulation time, which is proportional to the number of candidate pairs. C6288 is particularly time-consuming because a high percentage of its signals have multiple fanout branches, and thus the dominance relation does not reduce the number of candidate pairs substantially.
VI. GENERALIZATION FOR SEQUENTIAL CIRCUITS
In this section we extend the above idea to diagnose a sequential circuit. First, we show the necessary and sufficient condition of whether an erroneous input sequence can be corrected by resynthesizing a particular signal. Then, we discuss how to check this condition via fault simulation. The approach is then generalized for multiple errors.
A. Correctable Input Sequence
Definition 11-Correctable Sequence: An erroneous input sequence is called correctable by signal in if there exists a new function for signal in terms of the primary inputs and the present state lines of such that is not an erroneous sequence for the resulting new circuit (as illustrated in Fig. 9 ).
Based on this definition, we assume that the errors only affect the combinational logic. Similar to the combinational case, we assume that an error source should be able to correct every erroneous input sequence. Once a signal is found unable to correct some erroneous sequence, it can be excluded from the candidate list of potential error sources. It is worth mentioning that, for combinational circuits, if a signal can correct every erroneous input vector, then it is a single-fix signal. However, this statement is not true for sequential circuits. The reason is as follows. For a combinational circuit, every erroneous vector can be fixed independently, i.e., the requirements for fixing all erroneous vectors can be satisfied at the same time, as shown earlier in Proposition 3. But for sequential circuits, conflicts may occur when deriving a fix function that corrects every erroneous sequence, even though each of them can be fixed individually.
B. Necessary and Sufficient Condition
In the following discussion, we assume that both and have a known reset state, and , respectively. The implementation is represented by the iterative array model as shown in Fig. 10 .
The number of copies of the combinational portion in the time-frame expansion model equals the length of the input sequence under consideration. Consider an erroneous input sequence with three input vectors, . Suppose brings through a sequence of states , where is the initial state of . Then we call the pseudoinput vector for the first time-frame. Similarly, and are the pseudoinput vectors for the second and the third time-frames, respectively. Based on this model, it follows directly that if signal can correct an erroneous input sequence , then there exists a new function of such that every primary output at every time-frame becomes error free (i.e., every primary output has the same response as its corresponding primary output of with respect to the input sequence ). We define a term called injection before we derive the necessary and sufficient condition for correcting an erroneous input sequence.
Definition 12-Injection: Given a signal in , a t timeframe injection at is a set of value assignments to the signal for the first time-frames. For example, , , represents a three time-frame injection that injects value "0" at for all three time-frames, where the superscript denotes the index of a time-frame.
An injection defines a new circuit. The output responses of the resulting new circuit are computed by treating the injected signal as an independent pseudo primary input line that takes the injected value as its input. Since we can inject either "0" or "1" at a signal in each time-frame, there are different combinations for a time-frame injection. The number of injections grows exponentially with the number of time-frames. Based on the above definition, we have the following proposition.
not vice versa. In other words, to correct an erroneous input sequence, it is necessary to find a cure injection. However, a cure injection is not sufficient to assure that the input sequence is indeed correctable. This is due to the fact that, for every fix function at , there always exists a cure injection, but conversely, not every cure injection can be realized by a function.
Given a fix function at that can correct an erroneous input sequence , the corresponding cure injection can be derived as follows. Let the response of with respect to in the resulting new circuit be , , , , where , is a binary value. Then , , is a cure injection. On the other hand, some injections are not realizable. Fig. 11 shows an example.
In this example, the pseudoinput vectors for the first and second time-frames are the same: . But the injected values at for these two time-frames are different ("0" and "1," respectively). A function realizing this injection would need to map the same pseudoinput vector, , to both "0" and "1," which is impossible. It follows that there does not exist a new function for in terms of the primary inputs and present state lines that realizes this injection. Whether an injection is realizable can be checked easily by simulating the input sequence on the resulting circuit with the injection. After collecting the sequence of states encountered in the resulting circuit, the pseudoinput vector for each time-frame and the injected value can be derived. If no conflict exists, then the injection is realizable.
Proposition 7-Necessary and Sufficient Condition: Let be an erroneous input sequence with input vectors, . A signal in can correct if and only if there exists a realizable t time-frame cure injection.
Proof: As described above.
C. Correctability Check via Fault Simulation
Based on the above proposition, we can determine whether an erroneous input sequence is correctable by a signal through a two-step check: 1) check if there exists a cure injection and 2) check if it is realizable. Given an injection, determining whether it is a cure injection can be done via a modified sequential fault simulation process. Traditionally, sequential fault simulation assumes that the target signal is stuck at the same binary value for every time-frame. In our application, we need to modify the fault simulation algorithm so that a signal is allowed to be stuck at different binary values in different time-frames, to account for the fact that an injection may inject different values at different time-frames.
Theoretically, we need to enumerate every possible injection in the worst case to find a cure injection, or to conclude that none exists. However, as in most branch-and-bound procedures, a criterion can be used to cut down the search space. In our application, the search space can be represented as the binary injection tree shown in Fig. 12 .
The meaning of this tree is explained as follows:
1) Each node corresponds to a resulting circuit with a partial injection (i.e., time-frame injection where ). The root node (level 0) corresponds to the original implementation .
2) The level of each node corresponds to the current time-frame being considered for value injection.
3) The upper (lower) branch of each node represents injecting value "0" ("1") into the signal under consideration in the current time-frame.
4) A path from the root node to a leaf node represents a complete time-frame injection.
Based on this injection tree, it follows that if a node's corresponding partial time-frame injection cannot produce the correct responses for the first time-frames, then the subtree of this node need not be explored. This simple bounding criterion is useful to speed up the search for a cure injection. Once a cure injection is found, the pseudoinput vectors of the resulting circuit with respect to this injection can be derived. The realizability check then follows to determine whether the erroneous input sequence is indeed correctable by the target signal.
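The realizability check of Section B and the bounded injection-tree search described above, as an added Python example that is not part of the paper: the toy implementation (one primary input x, one flip-flop s, an erroneous next-state signal g, and output y), its specification, and the erroneous sequence are all constructed here, and the signal names are assumptions.

```python
def spec_step(x, s):
    """Specification: output = present state, next state = x XOR s."""
    return s, x ^ s

def impl_step(x, s, inject=None):
    """Erroneous implementation; `inject` forces a value on signal 'g' or 'y'
    for this time-frame (the injected signal acts as a pseudo primary input)."""
    inject = inject or {}
    g = inject.get("g", x | s)   # design error: should be x ^ s
    y = inject.get("y", s)       # primary output
    return y, g                  # (output, next state)

def spec_outputs(seq, s0=0):
    """Golden responses of the specification to the input sequence."""
    outs, s = [], s0
    for x in seq:
        y, s = spec_step(x, s)
        outs.append(y)
    return outs

def find_cure_injections(seq, expected, signal, s0=0):
    """DFS over the binary injection tree: level t picks the value injected at
    time-frame t; a subtree is cut once the partial injection produces a wrong
    output for any frame simulated so far (the bounding criterion)."""
    cures = []
    def dfs(t, s, partial):
        if t == len(seq):
            cures.append(tuple(partial))
            return
        for v in (0, 1):                     # upper branch "0", lower branch "1"
            y, s_next = impl_step(seq[t], s, {signal: v})
            if y == expected[t]:
                dfs(t + 1, s_next, partial + [v])
    dfs(0, s0, [])
    return cures

def is_realizable(seq, injection, signal, s0=0):
    """Replay the injection, mapping pseudoinput (x, present state) to the
    injected value; one pseudoinput needing two different values is a conflict."""
    table, s = {}, s0
    for x, v in zip(seq, injection):
        if table.setdefault((x, s), v) != v:
            return False
        _, s = impl_step(x, s, {signal: v})
    return True

def realizable_cures(seq, signal, s0=0):
    """Cure injections that are also realizable (Proposition 7)."""
    expected = spec_outputs(seq, s0)
    return [i for i in find_cure_injections(seq, expected, signal, s0)
            if is_realizable(seq, i, signal, s0)]
```

For the constructed sequence [1, 1, 1] the output y has a cure injection that is not realizable (the same pseudoinput would need both "0" and "1"), while g has two cure injections of which exactly one is realizable, so only g can correct the sequence.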
D. Diagnosing Multiple Errors
For diagnosing circuits with multiple errors, our algorithm searches for multiple signals that can jointly correct every generated erroneous input sequence. Fig. 13 shows an example of a three time-frame injection defined over a set of signals . As in the case of single-error diagnosis, if this injection is a realizable cure injection for the applied erroneous sequence, then is correctable by this set of signals. Again, this condition can be checked primarily via a modified fault simulation process. Given a set of signals, , and an erroneous input sequence with input vectors, , the worst-case complexity of deciding if can correct is proportional to the number of possible injections. There are possible value combinations for each time-frame and, thus, the total number of possible time-frame injections defined over is .
VII. EXPERIMENTAL RESULTS OF SEQUENTIAL DIAGNOSIS
Our experiments on sequential diagnosis are performed on the ISCAS'89 sequential benchmark circuits. The erroneous implementations are generated as in the combinational case. For sequential diagnosis, our algorithm does not require knowledge of the number of FF's or of the state encoding of the specification; only the input/output functional behavior of the specification is needed. Table III shows the results of single-error diagnosis. In the preprocessing stage, we run random simulation to collect erroneous input sequences, with ten as the maximum limit on the length of a sequence. The random simulation terminates when 32 erroneous input sequences have been collected, or when 32 000 sequences have been simulated. The meanings of some columns are as follows.
A. Results of Diagnosing Single-Error Circuits
1) E-length (min):
The minimal length of the erroneous input sequences found in our preprocessing step.
2) Number of Potential Fix Signals: The number of potential single-fix signals delivered by our program. On average, the number of potential single-fix signals produced by our program is 7.1 for the ISCAS'89 benchmark circuits listed in Table III . The curves of the number of potential single-fix signals versus the number of simulated erroneous input sequences for s1196 and s5378 are shown in Fig. 14 . It is very common in our experience that only a small number of erroneous input sequences are enough to drop most false single-fix candidates. Again, our algorithm will not overlook the real injected error signal. Our program fails on seven circuits: s208, s400, s444, s15850, s35932, s38417, and s38584. The reasons are discussed later.
3) Lower Bound: There is a pessimistic lower bound on the total number of single-fix signals. It is obtained by counting the number of dominators of the injected error signal plus one. For the ISCAS'89 benchmark circuits listed in Table III , the average is 2.2.
B. Results of Diagnosing Double-Error Circuits
we search for signal pairs that can jointly correct the implementation. Among the 15 circuits in Table IV , four of them are classified as single-signal correctable. For these circuits, there exist signals that can fix every erroneous sequence. However, this does not guarantee that the implementations are indeed single-signal correctable, because we do not exhaustively simulate every erroneous sequence. On the other hand, the other 11 are proven not single-signal correctable by our program (the number of potential single-fix signals is zero). For these circuits, we report the number of potential double-fix pairs. The run time is longer than in the single-error case because of the rapid growth in the number of candidate signal pairs and in the number of possible injections that must be checked for correctability.
C. Future Work
Based on this approach, there are several issues that need to be further addressed in the future.
1) Erroneous Input Sequence Generation:
For combinational circuits, random simulation [15] or advanced automatic test pattern generation (ATPG) based techniques [2] have provided satisfactory solutions for generating erroneous vectors even for fairly large circuits. However, these techniques may not be adequate to generate erroneous input sequences for some sequential designs. Random simulation cannot find any erroneous input sequences for the single-error circuits s15850, s35932, s38417, and s38584 in our experiments. For these large designs, if manually crafted functional sequences are available for simulation-based design validation, then most design errors are likely to be exposed and the erroneous sequences can be generated as a by-product. In that case, our approach is applicable. Another possible solution to this problem is to exploit the FF correspondence or internal structural similarity between the specification and the implementation. If a large number of corresponding FF's exist, then the sequentiality of the circuit can be reduced by treating the inputs (outputs) of some FF's as pseudoprimary outputs (inputs). In this way, the difficulty of generating erroneous input sequences can be reduced.
2) High Complexity for Long Erroneous Input Sequences:
If the errors occur in a highly sequential module (e.g., a counter) and cannot be detected by any input sequence with reasonable length (e.g., 30 vectors), then our approach may become too time-consuming. For s208, s400, and s444, our approach fails due to this reason. To address this problem, new techniques are under development to deal with long erroneous input sequences for circuits that are manageable by BDD techniques.
3) Difficulty for Circuits with a Larger Number of Errors:
In practice, the complexity of diagnosing circuits with more than two errors is prohibitively high. Some heuristics are under investigation to estimate each signal's error probability and help the designer to locate one error at a time.
VIII. CONCLUSION
We present a new approach to design error diagnosis. Our algorithm searches for the potential error sources that are most likely responsible for the incorrectness of the implementation. Unlike symbolic approaches, we do not rely on BDDs to search for such signals. Instead, we prove that fault simulation can precisely decide whether a signal can be held responsible for a particular erroneous vector. This formulation allows us to efficiently exclude most signals from being potential error sources by performing fault simulation with a number of erroneous input vectors. To speed up the process, we further propose a two-stage algorithm that takes advantage of the topological dominance relation between signals. Compared to other simulation-based approaches, our algorithm has two advantages. First, it is more accurate because it is based on a more stringent condition for identifying potential error sources. Second, it can be generalized to multiple errors. We also show how to generalize this idea to sequential diagnosis. Although the complexity of this generalization may still be high in some cases, it can serve as a basis for future improvement. Experimental results of diagnosing ISCAS benchmark circuits injected with one or two random errors are presented to demonstrate its effectiveness.
