A new method is proposed for checking the equivalence of two irredundant logic implementations of a combinational Boolean function. The procedure consists of generating complete checkpoint fault test sets for both circuits. The two test sets are concatenated and both circuits are simulated to obtain the response to the combined test set. If the responses of the two circuits match for all vectors, then they are declared to be equivalent. We examine a case where this heuristic fails. In such cases, the use of fault simulation is shown to discover nonequivalence even when the two circuits produce the same output. We prove that if the two circuits were different, then some faults on the primary inputs of a composite equivalence checking circuit must be detectable. Using the simulation of single stuck-at faults at the primary inputs of that circuit, the new heuristic recommends the use of a vector set in which the Hamming distance between any two vectors does not exceed 3.
Introduction
The problem of establishing equivalence of two logic circuits frequently occurs in digital design. In a typical scenario, a circuit may undergo changes due to technology mapping or optimization, and must retain equivalence to some previously verified version. Theoretically, this problem can be posed as a Boolean satisfiability problem, which is known to be NP-complete. Effective solutions using binary decision diagrams (BDD) and other mathematical formulations often work but cannot always guarantee results. Many heuristics have been suggested in the literature, some of which are quite efficient. Still the search for alternative solutions continues. An interested reader will find useful reviews of the current methods in the books by Huang and Cheng [6] and Kunz and Stoffel [7].
Alternative procedures, known as formal verification, rely on mathematical models of the system and prove that the model has the required attributes. The general application of formal verification is in checking the correctness of an implementation against the specification. Although it is a difficult problem and the procedures are often complex, significant progress has occurred in formal verification methods. Some commercial tools have also become available. The reader is referred to the recent book by Kurshan [8]. The focus of the present contribution is the traditional practice of industry, where simulation or other forms of verification provide no guarantee of the kind formal verification does. Our attempt is toward deriving some formal conclusions from simulation. However, as the reader will note in the end, our success, at this time at least, is only partial.
The origin of this work is in the author's experience in designing circuits, as described in this paragraph. For some time, I have used a heuristic to verify the equivalence of combinational circuits. Typical situations are where circuits are synthesized by different procedures, or a circuit is modified to remove redundant faults or untestable paths or to speed up paths. I am interested in determining that no error was committed to change the function of the circuit. As a "quick" check, I separately derive tests for all stuck-at faults for the two circuits, and if both tests produce the same response from the two circuits, I presume that they are probably equivalent. When the responses differ on some inputs, the faults detected by those inputs usually help in finding the error. Initially, I started using this heuristic only as a rough check. I also verified several small cases by exhaustive simulation, which provided some confidence. Yet, attempts to prove sufficiency did not succeed.
In this article, we give examples to show that the simulation strategy is not sufficient for establishing equivalence. We then propose, perhaps for the first time, the use of fault simulation. It is shown that fault simulation can uncover differences in two circuits even when all applied vectors produce identical outputs.
Statement of the Problem
Consider two combinational logic circuits, C1 and C2, with an identical set of input variables. For simplicity, only single output functions are considered, though the results can be easily generalized for multiple outputs. Figure 1 shows an equivalence checking setup which is usually analyzed by a logic simulator. If the two circuits are functionally identical, then the output z of the exclusive-OR gate should be 0 for all input vectors. On the other hand, the existence of an input vector that satisfies the Boolean variable z (i.e., sets it to 1) immediately proves the nonequivalence of C1 and C2.
Other approaches involve the use of a test generation algorithm to find a test for the stuck-at-0 fault on z, or the use of a redundancy identification algorithm to prove that the fault is untestable. In either case, a completely reliable procedure has exponential worst-case complexity.
The present approach relies on test generation, but tests are generated for C1 and C2 separately, and never together. Tests are derived for all faults in each circuit. In general, it is required that the implementations be irredundant. The necessity of this requirement stems from the fact that the effectiveness of the derived tests may become questionable in the presence of redundant faults [1].
A Heuristic Examined
Suppose TC1 is a set of vectors that detects single stuck-at faults on all checkpoints in C1. Checkpoints are the primary inputs (PI) and all fanout branches. The following is an important result in digital testing [1]:

Theorem 2.1. In a combinational circuit, any test set that detects all single stuck-at faults at checkpoints also detects all single stuck-at faults in that circuit.
Thus, TC1 will detect all single stuck-at faults in C1.
There are many efficient automatic test pattern generation (ATPG) programs available for obtaining such a test set. Next, we obtain a similar test set TC2 for the circuit C2. The equivalence checking setup of Figure 1 is simulated with the combined (concatenated) vector set, TC1+TC2. If no output from the two circuits differs, i.e., z = 0 for all vectors, then we heuristically conclude that the circuits are probably equivalent.
The above conclusion is based on a conjecture: if the tests for all checkpoint faults in both circuits cannot produce a different output from the two circuits, then no other vector will. Because of the internal fanout structure within the exclusive-OR gate, we cannot directly conclude the redundancy of the "z stuck-at-0" fault.
However, the following discussion builds up arguments to support the heuristic and points to its limitations.
Suppose we apply the combined test set TC1+TC2 to the circuit of Figure 1 and observe that the simulated output z is 0 for all vectors in the set. We would like to conclude that the stuck-at-0 fault on z is untestable for all possible inputs. Notice that only true-value simulation is done here. However, our conclusion will be derived from the known fault detection characteristics of the test set.
In Figure 2, the exclusive-OR function enclosed in the dotted line box has been expanded in terms of Boolean primitives. Notice that the target fault z s-a-0 dominates [1] the two stuck-at-0 faults on z1 and z2. More specifically, z1 s-a-0 can be detected only if a 10 pattern is applied to the exclusive-OR gate. Similarly, z2 s-a-0 is detectable only by a 01 pattern applied to the exclusive-OR gate. Together, the tests for these two faults represent all patterns that would detect our target fault, z s-a-0.
Our objective is to use simulation-based verification, and we will not try to prove the fault z s-a-0 redundant either via test generation or by some redundancy identification technique. If we can show that the tests TC1 + TC2 detect all checkpoint faults of the entire circuit in Figure 2, then z = 0 for the entire test will prove the redundancy of z s-a-0. The status of those checkpoint faults is discussed below:
1. Checkpoints of C1. All single stuck-at faults on these are detected when TC1 is applied. A single fault in C1 means C2 must be fault-free, and any fault effect appearing at the output of C1 is always passed on to z. Notice that the output z = 0 is expected throughout the simulation, because any deviation from it immediately proves the nonequivalence of the circuits.
2. Checkpoints of C2. By an argument similar to the above, faults on these are detected at z by TC2.

3. Checkpoints x1, x2, ..., xn at the primary inputs of the equivalence checking circuit. TC1 and TC2 contain vectors that activate faults on xi to the outputs of C1 and C2, respectively. If C1 and C2 were equivalent, then these faults would not be detected, because any vector that activates a fault on xi through C1 will also activate the same fault through C2. Thus, the fault effects arrive simultaneously at the two inputs of the exclusive-OR gate and cancel each other. If C1 and C2 are not equivalent, then some faults on the xi's may be detected, but not all are guaranteed to be detected. In fact, any vector that activates a fault on xi through one circuit without activating it through the other will prove that the two circuits are not equivalent.

4. Four checkpoints (fanout branches) in the exclusive-OR function. Since s-a-0 faults around an AND gate can be collapsed together, the relevant set contains six faults: 4 s-a-1 faults at the inputs of the AND gates and 2 s-a-0 faults on z1 and z2. When the two circuits are equivalent, only 00 and 11 inputs will be applied to the exclusive-OR. These will detect the four s-a-1 faults and leave the two s-a-0 faults shown in Figure 2 undetected. Only when C1 and C2 are nonequivalent and the vectors TC1 + TC2 produce differentiating outputs, 01 and 10, at the exclusive-OR function will the two s-a-0 faults be detected.

Because of the uncovered checkpoint faults at the primary inputs and the two s-a-0 faults in the exclusive-OR function, we cannot guarantee a redundant status for the s-a-0 fault on z. We make the following observations:

Observation A: The uncovered primary input (PI) checkpoint stuck-at faults in Figure 1 or 2 are responsible for the incompleteness of our equivalence heuristic.

Observation B: Only those PI checkpoint faults that produce different outputs from C1 and C2 can be detected in the circuit of Figure 2.

We will return to these observations in subsequent sections. We have successfully used the checkpoint test simulation for debugging implementations of 8 and 16 bit adders and many other combinational circuits of varying complexity.
As is well known, simulation with properly selected inputs can effectively detect errors, but it is not sufficient for proving equivalence. The following examples show some pitfalls of the method.
Examples
We consider two circuits that implement the same Boolean function of four variables:
These are shown in Figures 3 and 4. The circuit C1 is a minimal multi-level implementation, and C2 was obtained by a specialized exclusive-OR transform technique [3].
Complete checkpoint fault tests were generated for the two circuits by the gate-level test generation program Gentest [2]. The two test sets, shown in Figure 5 as shaded minterms, were quite different. When the two test sets were concatenated for simulating the setup of
Use of Fault Simulation
Fault simulation is normally not used in logic verification or equivalence checking. Invoking Observation B of Section 2, we find that fault simulation can be useful. The observation is formally stated as follows:

Theorem 4.1. If C1 and C2 are equivalent, then no single stuck-at fault on a primary input of the equivalence checking circuit of Figure 1 is detectable.

Proof: Consider any input vector V and a single stuck-at fault on a primary input, and let V' be the vector obtained by modifying V according to the fault. Since the fault is assumed to occur before the PI's fanout to C1 and C2, the same vector V' is applied to both circuits. Having the same truth table, both circuits will produce an identical output, which can be either the same as or different from that for V. The output of the exclusive-OR gate will therefore remain 0, as would be the case if no fault were present. Thus, the fault cannot be detected.
This result was observed in fault simulation of several circuits, including those of the examples in Section 3. When C1 and C2 were the equivalent circuits of Figures 3 and 4, 11 faults were not detected: 8 faults on the four PIs, s-a-0 faults on z1 and z2, and s-a-0 on z.
When the circuits of Figures 3 and 6 were simulated for comparison, even though a constant output of z = 0 was observed and the s-a-0 faults at z1, z2 and z were not detected, three faults, s-a-1 at x1, x2 and x3, were detected. This shows how Theorem 4.1 allows us to decide the nonequivalence of the two circuits.

The last example illustrates the strength of the fault simulation method. Notice that logic verification based on true-value simulation can only prove the two circuits to be nonequivalent if at least one vector in the input set produces different outputs. The search for such vectors, when the two circuits are almost identical, can be very difficult. Fault simulation can establish nonequivalence even when the vector that produces different outputs is not available. In fact, it is only necessary to simulate faults on the primary inputs of the circuit in Figure 1. The effect of fault simulation is that, besides checking the equivalence for the simulated vectors, we also check equivalence for all vectors that are at unit Hamming distance from the simulated vectors. Unit distance is used because we assume single stuck-at faults. Multiple faults would correspond to a larger Hamming distance. In checking for equivalence between the circuits of Figures 3 and 6, the PI s-a-1 faults on x1, x2 and x3 were detected by three test vectors (the grey shaded up, down and left neighbors of the error minterm marked with a cross in Figure 7).
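The primary-input fault simulation described above, as an added example that is not part of the paper: the two circuits are modelled as Python functions of a bit tuple rather than as gate-level netlists, so only the primary-input faults of the checking circuit are simulated (internal faults give no equivalence information, as Section 4 notes). The function f = x1 x2 + x3 x4', its exclusive-OR form, the erroneous copy with minterm 1010 inverted, and the use of the paper's four-vector set of Figure 8 are all constructed for this example and are not the circuits of Figures 3, 4 and 6.

```python
"""Single stuck-at fault simulation of the primary inputs of the
equivalence-checking circuit of Figure 1 (z = C1(x) XOR C2(x)).

Added example, not code from the paper.  C1 and C2 realise the same
constructed function f = x1*x2 + x3*x4'; C2 uses the identity
a OR b = a XOR b XOR (a AND b).  C2_bad is C2 with one minterm inverted.
"""


def c1(x):
    x1, x2, x3, x4 = x
    return (x1 & x2) | (x3 & (1 - x4))


def c2(x):
    x1, x2, x3, x4 = x
    a, b = x1 & x2, x3 & (1 - x4)
    return a ^ b ^ (a & b)            # OR written with exclusive-ORs


def c2_bad(x):
    # constructed design error: the response at minterm 1010 is inverted
    return c2(x) ^ (1 if x == (1, 0, 1, 0) else 0)


# The four-vector set of the paper's n = 4 example (Figure 8).
VECTORS = [(0, 0, 0, 0), (0, 1, 1, 1), (1, 0, 1, 1), (1, 1, 0, 0)]


def pi_fault_simulation(f1, f2, vectors, n):
    """Simulate the checking circuit for the given vectors.

    Returns (mismatches, detected): the vectors on which the true-value
    simulation gives z = 1, and the single stuck-at faults (input index,
    stuck value) on the primary inputs that are detected.  A fault on input
    i stuck at s is activated only by a vector whose bit i differs from s;
    both circuits then see the faulty vector, and the fault is detected
    exactly when f1 and f2 disagree on it (Theorem 4.1).
    """
    mismatches, detected = [], set()
    for v in vectors:
        if f1(v) != f2(v):
            mismatches.append(v)
        for i in range(n):
            for stuck in (0, 1):
                if v[i] == stuck:
                    continue                       # fault not activated by v
                vf = v[:i] + (stuck,) + v[i + 1:]  # vector seen by C1 and C2
                if f1(vf) != f2(vf):               # fault effect reaches z
                    detected.add((i, stuck))
    return mismatches, sorted(detected)


def fault_name(i, stuck):
    return f"x{i + 1} s-a-{stuck}"


if __name__ == "__main__":
    for name, g in (("C2", c2), ("C2_bad", c2_bad)):
        mism, det = pi_fault_simulation(c1, g, VECTORS, 4)
        print(name, "| z = 1 on:", mism,
              "| PI faults detected:", [fault_name(*f) for f in det])
```

For C2 the true-value simulation gives z = 0 on every vector and no PI fault is detected. For C2_bad the true-value simulation still gives z = 0 on every vector, because 1010 is not in the set, yet x4 s-a-0 is detected by the vector 1011, whose faulty version is exactly the error minterm. This is the situation of Figure 7: the differentiating vector is never applied, but fault simulation reaches it at unit distance from a vector that is.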
Target Faults
The four-point analysis of Section 2 indicates that when we simulate the equivalence checking circuit of Figure 1 or 2, all internal faults of C1 and C2 must be detectable, irrespective of whether the two circuits are equivalent or different. Thus, fault simulation of internal faults provides no information about equivalence. Nevertheless, the use of vectors that can detect all internal faults is a good, though incomplete, heuristic.
Simulation of faults on the primary inputs of the equivalence checking circuit provides additional information about equivalence. This is because the simulation of a fault requires an implicit simulation of two vectors. If we restrict ourselves to the simulation of single stuck-at faults, since that is easily done by the available fault simulators, nonequivalence can be effectively uncovered in many cases.
Fault Simulation Vectors
Consider fault simulation of the equivalence checking circuit (Figure 1 or 2). The circuit has n primary inputs, and only the 2n single stuck-at faults on these are simulated.

For a given vector V1, we effectively evaluate the output for V1 and n other vectors that are at unit Hamming distance from V1. An input fault is found detectable, showing nonequivalence, only if the outputs of C1 and C2 differ for the corresponding neighboring vector. Having evaluated the circuit for these n + 1 vectors, we should then select the next input vector V2 at a Hamming distance of 3 from V1. Similarly, the next vector V3 should be at Hamming distance 3 from both V1 and V2.
In a different context, covering the n-dimensional {0,1} space with vectors that are a minimum Hamming distance of 3 apart is the classical error-correcting code problem, where the sphere-packing (Hamming) bound gives

$$\text{Number of code words} \le \frac{2^n}{n+1} \qquad (2)$$

where $2^n$ is the total number of points in the n-dimensional binary code space. It is also the number of vectors in our vector space. A code word (vector) and its n unit-distance neighbors form a sphere of volume n + 1. In order to satisfy the minimum Hamming distance requirement, actual codes leave out some points when the space is not fully covered by non-overlapping spheres of radius 1. In our case, the requirement is on the maximum Hamming distance. Therefore, the number of vectors will generally be larger than that given by the above relation. Thus,

$$\text{Number of vectors} \ge \frac{2^n}{n+1} \qquad (3)$$
Example: For n = 4, we obtain a set of four vectors: 0000, 0111, 1011, 1100. These are shown in Figure 8 as shaded minterms. Notice that some distances between these vectors are less than 3. This is because n = 4 does not permit a perfect code with distance 3. In a perfect code, the spheres of radius 1 around the code words tile the space without overlap, and relation (2) holds with equality. In those cases where perfect codes exist, relation (3) will also be an equality. For the message coding problem, the Hamming distance between code words must not be less than 3 and one would use fewer code words, strictly following relation (2). We have more vectors because we must not allow a Hamming distance greater than 3, but smaller distances are acceptable. Notice that every vector in the entire space is within distance 1 of some selected vector. Thus, simulation of single stuck-at faults will actually examine the entire space. Several such sets are possible. Fault simulation with these four vectors correctly checks the equivalence for the circuits discussed in Section 3.

We can prove the following result:

Theorem 4.2. Let a set of input vectors be such that every vector of the n-dimensional input space is either in the set or at unit Hamming distance from some vector in the set. If the circuit of Figure 1 produces z = 0 for every vector in the set and no single stuck-at fault on a primary input is detected, then C1 and C2 are equivalent.

Proof: Simulation of primary input single stuck-at faults with a vector V means that the output z is computed for V and n other vectors at unit Hamming distance from V. It is given that z = 0 when V is applied; that is, C1 and C2 agree on V. Each of the n neighboring vectors represents the transformation of V by a single stuck-at fault on a PI. Only when a neighboring vector produces an identical response from C1 and C2 will the corresponding fault remain undetected. If V does not detect any PI stuck-at fault, then the equivalence of C1 and C2 is checked for V and its unit distance neighbors. Since the vectors in the set and their unit distance neighbors cover the entire vector space, if after the simulation of the vector set z = 0 throughout and no input fault is detected, then the two circuits must have agreed on all vectors in the space.
An important feature of Theorem 4.2 is that it requires only simulation of the circuit, with no test generation or redundancy identification. Additionally, only the faults on the primary input lines of the circuit of Figure 1 need be simulated.
The use of maximum Hamming distance vectors for random testing and methods of generating such vectors have been proposed by Wu et al. [13]. In their application, the main interest was the overall fault coverage, which included the internal faults of the circuit. In the present application, we are interested in covering the entire vector space using the concurrent simulation capability of a fault simulator.
There are existing algorithms for finding codes with a given minimum Hamming distance. For our application, however, the existing coding theory algorithms [10, 11] will require modification because we need a set of vectors with a maximum Hamming distance of 3 that covers the entire vector space. The vectors in the preceding example were manually obtained.
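A generator for such vector sets, together with the decision procedure of Theorem 4.2, as an added example that is not code from the paper. The property the proof actually uses is that the vectors and their unit-distance neighbors cover the whole n-dimensional space, so the block builds a radius-1 covering greedily, checks it against relation (3) and the paper's n = 4 set, and then executes the theorem on two constructed truth-table functions (f = x1 x2 + x3 x4' and a copy with minterm 1010 dropped). The greedy strategy, the helper names and the two functions are assumptions of this example, not the paper's procedure.

```python
"""Vector sets for primary-input fault simulation (Section 5, Theorem 4.2).

Added example, not from the paper.  A vector set qualifies when every point
of {0,1}^n lies within Hamming distance 1 of some vector in the set.
"""
from itertools import product


def ball(v):
    """v and its n unit-distance neighbours: the inputs both circuits see
    under the n single stuck-at PI faults that v activates (x_i s-a-(1-v_i))."""
    nbrs = {v}
    for i in range(len(v)):
        nbrs.add(v[:i] + (1 - v[i],) + v[i + 1:])
    return nbrs


def is_covering(vectors, n):
    """True if the radius-1 spheres of the vectors cover all 2^n points."""
    covered = set().union(*(ball(v) for v in vectors))
    return len(covered) == 2 ** n


def hamming_lower_bound(n):
    """Relation (3): at least 2^n / (n + 1) vectors, rounded up."""
    return -(-(2 ** n) // (n + 1))


def greedy_covering(n):
    """Repeatedly pick the vector whose sphere covers most uncovered points
    (assumed strategy; not claimed to be minimal in general)."""
    space = list(product((0, 1), repeat=n))
    uncovered, chosen = set(space), []
    while uncovered:
        best = max(space, key=lambda v: len(uncovered & ball(v)))
        chosen.append(best)
        uncovered -= ball(best)
    return chosen


def max_pairwise_distance(vectors):
    return max(sum(a != b for a, b in zip(u, w))
               for u in vectors for w in vectors)


def from_minterms(n, minterms):
    """Single-output function given by the input vectors it maps to 1."""
    on = {tuple(int(c) for c in m) for m in minterms}
    return lambda x: 1 if x in on else 0


def exhaustive_equal(f1, f2, n):
    return all(f1(x) == f2(x) for x in product((0, 1), repeat=n))


def decide_equivalence(f1, f2, vectors, n):
    """Theorem 4.2 executed: for each vector, the true-value response plus
    the n responses under single PI stuck-at faults.  Returns True (proved
    equivalent) or False (a differentiating vector, possibly only a faulty
    neighbour of a simulated one, was found)."""
    if not is_covering(vectors, n):
        raise ValueError("vector set does not cover the space: inconclusive")
    for v in vectors:
        for u in ball(v):
            if f1(u) != f2(u):
                return False
    return True


# Constructed functions: F = x1*x2 + x3*x4'; F_BAD lacks minterm 1010.
F_MINTERMS = {"1100", "1101", "1110", "1111", "0010", "0110", "1010"}
F = from_minterms(4, F_MINTERMS)
F_BAD = from_minterms(4, F_MINTERMS - {"1010"})

# The paper's manually obtained set for n = 4 (Figure 8).
PAPER_SET = [(0, 0, 0, 0), (0, 1, 1, 1), (1, 0, 1, 1), (1, 1, 0, 0)]

if __name__ == "__main__":
    for n in (4, 5, 7):
        cov = greedy_covering(n)
        print(f"n={n}: {len(cov)} vectors, bound {hamming_lower_bound(n)}, "
              f"covering={is_covering(cov, n)}, "
              f"max distance={max_pairwise_distance(cov)}")
    print("paper set covers:", is_covering(PAPER_SET, 4))
    print("F vs F    :", decide_equivalence(F, F, PAPER_SET, 4))
    print("F vs F_BAD:", decide_equivalence(F, F_BAD, PAPER_SET, 4))
```

For n = 4 the greedy set produced by this implementation, 0000, 0111, 1000, 1111, meets the bound of four vectors but contains a pair at distance 4 and still covers the space; it is the covering property, not the pairwise distance, that the proof of Theorem 4.2 relies on, which is why the code checks coverage directly and refuses to conclude anything from a non-covering set. For n = 7 the bound of 16 is met with equality by the perfect Hamming code; the greedy construction is not guaranteed to reach it.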
Recent methods provide efficient simulation of multiple stuck-at faults [9, 12]. If multiple stuck-at faults on the PIs of the equivalence checking circuit are simulated, then the number of vectors to be simulated can be reduced. This is because multiple fault detection covers a larger distance around the vector being simulated. Thus, vector complexity is traded against the increased complexity of multiple fault simulation.
Summary of Contributions
This paper proposes the following procedures for logic veri cation:
Checkpoint tests. Tests that cover the checkpoint faults in both circuits can uncover many differences in the circuits. Although not investigated here, these tests may allow diagnosis of observed differences. This is a good strategy but, as shown, can fail.
Fault simulation. Fault simulation, especially of the PI faults of the equivalence checking circuit, can discover differences in circuits even when logic simulation does not give different outputs.
Vectors for fault simulation. Simulation of the PI faults of the equivalence checking circuit can prove the logic equivalence of the two circuits when a complete set of vectors with a maximum Hamming distance of 3 is used.
Conclusion
A proper selection of vectors can improve the debugging capability of the simulation-based verification process. The potential of checkpoint tests for diagnostics should be explored. Algorithms for finding minimal vector sets with a maximum Hamming distance of 3 are needed. Finally, the complexity trade-offs between a reduced vector set for larger Hamming distance and multiple fault simulation may be examined.
