We describe logic synthesis techniques for designing diverse implementations of combinational logic circuits in order to maximize the data integrity of diverse duplex systems in the presence of common-mode failures. Data integrity means that the system either produces correct outputs or indicates errors when incorrect outputs are produced. Design diversity has long been used to increase the data integrity of duplex systems against common-mode failures. The conventional notion of diversity is qualitative and relies on "independent" generation of "different" implementations. In a recent paper, we presented a metric to quantify diversity among several designs. The synthesis techniques described in this paper use the diversity metric as a cost function and maximize diversity while reducing the area overhead of the resulting diverse duplex system.
Introduction
Concurrent Error Detection (CED) techniques are widely used for designing systems with high data integrity. A duplex system is an example of a classical redundancy scheme that has been used in the past for concurrent error detection (Fig. 1.1: A Duplex System). In a duplex system there are two modules (shown in Fig. 1.1 as Module 1 and Module 2) that implement the same logic function. The two implementations can be the same or different. A comparator is used to check whether the outputs from the two modules agree. If the outputs disagree, the system indicates the presence of an error. Data integrity means that the system either produces correct outputs or generates an error signal when incorrect outputs are produced. For a duplex system, data integrity is maintained as long as the two modules do not produce identical erroneous outputs (assuming that the comparator is fault-free).
In any redundant system, common-mode failures (CMFs) result from failures that affect more than one module at the same time, generally due to a single cause [Lala 94]. These include operational failures that may be due to external (such as EMI, power-supply disturbances and radiation) or internal causes. Common-mode failures in redundant VLSI systems are surveyed in [Mitra 00a]. Design diversity has been proposed in the past to protect redundant systems against common-mode failures. In [Avizienis 84], design diversity was defined as the "independent" generation of two or more software or hardware elements (e.g., program modules, VLSI circuit masks, etc.) to satisfy a given requirement. Design diversity has been applied to both software and hardware systems [Avizienis 77, Lyu 91, Briere 93, Riter 95].
Tohma proposed using the implementations of logic functions in true and complemented forms during duplication [Tohma 71]. The use of a particular circuit and its dual was proposed in [Tamir 84] to achieve diversity in order to handle common-mode failures. The basic idea is that, with different implementations, common failure modes will probably cause different error effects.
In an earlier paper [Mitra 99a], we developed a metric to quantify diversity among several designs and used this metric to perform reliability analysis of redundant systems. In this paper, we develop techniques to synthesize diverse combinational logic circuits using the diversity metric as a cost function during the synthesis process. Thus, in contrast to "independent" generation of "different" implementations, we guarantee maximum data integrity if the diverse implementations synthesized by our procedure are used in duplex systems.
The problem studied in this paper is as follows: Suppose that we are given the truth table of a combinational circuit to be implemented and one implementation of the combinational circuit. We call the given combinational circuit implementation N1. Our goal is to synthesize another implementation (N2) of the same combinational circuit such that the diversity of N2 with respect to N1 is maximized.
The faults considered are single stuck-at faults in the two implementations. Assume that we are given two implementations (logic networks) of a logic function, an input probability distribution, and faults fi and fj that occur in the first and the second implementations, respectively.
The diversity di,j with respect to the fault pair (fi, fj) is the conditional probability that the two implementations do not produce identical errors, given that faults fi and fj have occurred [Mitra 99a]. In this paper we assume that all input combinations are equally probable.
For every fault fi in N1, we find the fault fj in N2 such that the value of di,j with respect to the fault pair (fi, fj) is the minimum over all fj's. The fault pair (fi, fj) is defined as a worst-case fault pair. Finally, we calculate the expectation of the di,j's of the worst-case fault pairs, assuming the worst-case fault pairs are equally probable, to obtain the expected diversity of N2 with respect to N1.
In the problem statement, we assume that we are given one implementation N1. This assumption is reasonable in a scenario where the user wants to use a particular implementation for area, performance or power consumption reasons. However, our techniques can still be applied in the absence of the above assumption.
While the main focus of this paper is on combinational logic circuits, the ideas presented can be extended to sequential circuits. Given the specification of a sequential logic circuit and an encoding of the internal states, the problem of synthesizing the sequential circuit can be mapped to a combinational logic synthesis problem. However, if we have the freedom to choose internal state encoding, then diversity can be created by encoding the internal states in different ways. This problem is outside the scope of this paper.
In Sec. 2, we provide a motivation for this work.
Section 3 introduces some basic concepts about stuck-at faults in logic networks.
We present the problem formulation in Sec. 4. Sections 5 and 6 describe two-level and multi-level logic synthesis techniques for designing diverse implementations. We conclude in Sec. 7.
Motivation
As observed in Sec. 1, while the concept of design diversity has been well known since the 1980s, no systematic technique was developed to guarantee sufficient diversity to maximize the reliability of redundant systems with diversity. This is mainly due to the fact that the concept of diversity was qualitative. In [Mitra 99a]

For the rest of this paper, we assume that all failures manifest themselves as single stuck-at faults in the circuit. For example, consider the network shown in Fig. 3.1. The function implemented by the network is wx + y. Consider a stuck-at-0 (s-a-0) fault on the line y, denoted by y/0. The function implemented by the network in the presence of the fault is wx. Thus, wxy = 101, when applied to the inputs of the logic circuit, causes the faulty network to produce a 0 and the fault-free network to produce a 1. Therefore, the fault y/0 is detected by the pattern wxy = 101.

A fault is said to be equivalent to another fault if and only if the output function realized by the network with only the first fault present is equal to the function realized when only the second fault is present. For example, in the network of Fig. 3.1, in the presence of the fault x/0, the function implemented is y. In the presence of the fault z/0, the function implemented by the network is also y. Hence, the faults x/0 and z/0 are equivalent. If a fault f is equivalent to fault g, the set of test patterns that detect fault f is the same as the set of test patterns that detect g. A fault f dominates fault g if and only if all input combinations that detect g also detect f (i.e., the set of test patterns that detect g is a subset of the set of test patterns that detect f). In our example, the set of input

Problem Formulation

In this section, we formulate the problem studied in this paper. We assume that we are given the truth table of a combinational circuit to be implemented and one implementation of the combinational circuit.
We call the given combinational circuit implementation N1. Our goal is to synthesize another implementation (N2) of the same combinational circuit so that the diversity of N2 with respect to N1 is maximized and the logic area (estimated by calculating the number of logic gates and the literal count) is minimized.
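To make the definitions of Sec. 1 and Sec. 3 concrete, the following Python program (added here as an illustration; it is not code from the paper) implements a small gate-level simulator with single stuck-at fault injection and uses it twice: for the fault concepts of Sec. 3 (detection sets, fault equivalence and dominance on the network f = wx + y of Fig. 3.1) and for the diversity metric of Sec. 1 (d_{i,j} for a fault pair, worst-case fault pairs, and the expected diversity of N2 with respect to N1). The three-output function and the netlists N1 and N2 are constructed for this example; they mirror the fanout-structure difference of Fig. 5.2b (the abcd gate shared by Z1 and Z2 in N1, by Z2 and Z3 in N2) but are not the paper's circuits.

```python
from fractions import Fraction
from itertools import product

# Constructed networks for this example (not the paper's Fig. 3.1 or Fig. 5.2 netlists).
# A network is a dict: ordered primary inputs, gates evaluated in listed order as
# (output line, "AND" | "OR", fan-in names), and the output line names. A fan-in
# name ending in "'" is the complemented literal. Single stuck-at faults are modelled
# on primary inputs and gate-output lines as (line, stuck value).
WXY = {"inputs": ["w", "x", "y"],
       "gates": [("z", "AND", ["w", "x"]), ("f", "OR", ["z", "y"])],
       "outputs": ["f"]}                                   # f = wx + y

# Three-output function Z1 = abcd + ab'c', Z2 = abcd + a'bc', Z3 = abcd + a'b'c.
# N1 shares the abcd gate p between Z1 and Z2; N2 shares it between Z2 and Z3.
_ANDS = [("p", "AND", ["a", "b", "c", "d"]), ("q", "AND", ["a", "b", "c", "d"]),
         ("r1", "AND", ["a", "b'", "c'"]), ("r2", "AND", ["a'", "b", "c'"]),
         ("r3", "AND", ["a'", "b'", "c"])]
N1 = {"inputs": list("abcd"), "outputs": ["Z1", "Z2", "Z3"],
      "gates": _ANDS + [("Z1", "OR", ["p", "r1"]), ("Z2", "OR", ["p", "r2"]),
                        ("Z3", "OR", ["q", "r3"])]}
N2 = {"inputs": list("abcd"), "outputs": ["Z1", "Z2", "Z3"],
      "gates": _ANDS + [("Z1", "OR", ["q", "r1"]), ("Z2", "OR", ["p", "r2"]),
                        ("Z3", "OR", ["p", "r3"])]}


def _lit(vals, name):
    return 1 - vals[name[:-1]] if name.endswith("'") else vals[name]


def simulate(net, pattern, fault=None):
    """Output tuple of net for one input pattern, with an optional stuck-at fault."""
    vals = dict(zip(net["inputs"], pattern))
    if fault and fault[0] in vals:            # fault on a primary input
        vals[fault[0]] = fault[1]
    for line, op, fanin in net["gates"]:
        args = [_lit(vals, n) for n in fanin]
        vals[line] = int(all(args)) if op == "AND" else int(any(args))
        if fault and fault[0] == line:        # fault on a gate output
            vals[line] = fault[1]
    return tuple(vals[o] for o in net["outputs"])


def patterns(net):
    return list(product((0, 1), repeat=len(net["inputs"])))


def faults(net):
    lines = net["inputs"] + [g[0] for g in net["gates"]]
    return [(line, v) for line in lines for v in (0, 1)]


def detection_set(net, fault):
    """Input patterns on which the faulty network differs from the fault-free one."""
    return frozenset(p for p in patterns(net)
                     if simulate(net, p, fault) != simulate(net, p))


def equivalent(net, f, g):
    """f and g realise the same faulty function (hence the same detection set)."""
    return all(simulate(net, p, f) == simulate(net, p, g) for p in patterns(net))


def dominates(net, f, g):
    """f dominates g: every pattern that detects g also detects f."""
    return detection_set(net, g) <= detection_set(net, f)


def diversity(n1, n2, f1, f2):
    """d_{1,2}: with equiprobable inputs, the probability that N1 under f1 and N2
    under f2 do NOT produce identical erroneous outputs (both wrong and equal)."""
    pats = patterns(n1)
    identical = sum(1 for p in pats
                    if simulate(n1, p, f1) == simulate(n2, p, f2) != simulate(n1, p))
    return 1 - Fraction(identical, len(pats))


def worst_case_pairs(n1, n2):
    """For each fault f1 of N1, the (d, f2) with the smallest d_{1,2} over faults of N2."""
    return {f1: min((diversity(n1, n2, f1, f2), f2) for f2 in faults(n2))
            for f1 in faults(n1)}


def expected_diversity(n1, n2):
    """Mean d_{1,2} over the worst-case pairs (worst-case pairs taken as equiprobable)."""
    worst = worst_case_pairs(n1, n2)
    return sum(d for d, _ in worst.values()) / len(worst)


if __name__ == "__main__":
    print("y/0 detected by wxy in", sorted(detection_set(WXY, ("y", 0))))
    print("x/0 equivalent to z/0:", equivalent(WXY, ("x", 0), ("z", 0)))
    print("f/0 dominates y/0:", dominates(WXY, ("f", 0), ("y", 0)))
    print("expected diversity, N1 duplicated:", expected_diversity(N1, N1))
    print("expected diversity, N1 vs N2:", expected_diversity(N1, N2))
    print("worst-case pair for p/1 in N1 vs N2:", worst_case_pairs(N1, N2)[("p", 1)])
```

For the duplicated N1, the worst-case partner of every fault is the same fault in the copy, so its d is 1 minus the fraction of inputs that detect it (for p/1, 1/16). Against N2 the worst case for p/1 rises to 7/8, because no fault of N2 can raise Z1 and Z2 together on an input where N1's p/1 errs, which is the fanout-structure argument of Sec. 5 evaluated by simulation.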
Conventional logic synthesis techniques consist of two steps: (i) two-level minimization [McCluskey 56, Brayton 84] followed by (ii) multi-level transformations [Rajski 92, De Micheli 94]. In this paper, we also follow the same flow for synthesizing implementation N2.
Two-Level Synthesis
In this section, we describe two-level logic synthesis techniques for synthesizing the combinational logic network N2 as stated in Sec. 4. We restrict ourselves to two-level logic circuits in AND-OR form. However, the entire discussion also holds for logic circuits in OR-AND form.
Theorem 1: For single-output functions, for any fault f in N1, any two-level logic implementation of N2 produces the same worst-case fault pair.
Proof: Any internal single stuck-at fault (that does not affect the primary inputs or the output) in a two-level single-output logic circuit is dominated by or is equivalent to the output stuck-at-0 or the output stuck-at-1 fault. This is because any single stuck-at fault at the input of an AND (OR) gate is dominated by or is equivalent to a stuck-at fault at the output of the same AND (OR) gate. The dominating fault has a bigger detection set than a dominated fault. Hence, for any stuck-at fault f in the first implementation N1, the dominating single stuck-at fault in the second implementation has more chance of producing identical erroneous outputs compared to the dominated fault; thus, the fault in the second implementation that produces the worst-case pair with f affects the primary inputs or the output. The set of test patterns for the output or input stuck-at faults is independent of the implementation and only depends on the truth table of the function. Hence, any implementation of N2 will produce the same set of worst-case fault pairs.
Q.E.D.
equivalent to Z/1. Thus, the set of test patterns that detect Z/1 is a superset of the set of test patterns that detect X1/1. Following the definition of d1,2, the d1,2 value of the fault pair (f, X1/1) is greater than or equal to that of the fault pair (f, Z/1), because the set of test patterns of X1/1 is a subset of that of Z/1. Hence, the diversity with respect to the fault pair (f, Z/1) is less than or equal to that with respect to (f, X1/1). Since Z/1 is detected by all input combinations for which the logic function in Fig. 5.1 produces a 0, the set of test patterns for Z/1 is independent of the two-level implementation of the logic function.
It may be noted that Theorem 1 is not true for two-level multi-output logic circuits. For two-level multiple-output logic circuits we can control the amount of sharing of the AND gates among the outputs. Thus, we can effectively control the fanout structure of the implementation N2 and enhance diversity between the two implementations. This corroborates our earlier observation in [Mitra 99a] that the fanout structure of a logic network plays a primary role in determining its diversity with respect to a given implementation. We explain this fact using the example in Fig. 5.2.
In Fig. 5.2a, we have two identical implementations N1 and N2 where the AND gate abcd is shared by Z1 and Z2. Let us consider a stuck-at-1 fault on signal line p, the output of the AND gate. For a duplex system with identical implementations, the fault in N2 that creates the worst-case fault pair is also p stuck-at-1. The two implementations produce identical erroneous outputs for any input combination that either produces an error at Z1 (Z2) and the fault-free value of Z2 = 1 (Z1 = 1) or produces errors at both Z1 and Z2. The set of input combinations of a, b, c and d that produce identical errors is: {abcd = 0011, 0111, 0001, 0101, 0010, 0110, 0000, 0100, 1000, 1001, 1010, 1011, 1100, 1101, 1110}.

Next, we consider the duplex system in Fig. 5.2b. In the first implementation, the AND gate abcd is shared by Z1 and Z2, while in the second implementation, it is shared by Z2 and Z3. We consider the same fault (p/1) in N1 and N2. Fault p/1 in N1 always produces Z1 = 1 and Z2 = 1; however, output Z3 is not affected by the fault. Fault p/1 in N2 always produces Z2 = 1 and Z3 = 1; however, output Z1 is not affected by the fault. Hence, the two implementations produce identical errors in response to any input combination that produces an error at Z2 and the fault-free values Z1 = 1 and Z3 = 1. It is clear from Fig. 5.2b that there is no input combination other than abcd = 1111 that produces the fault-free values Z1 = 1 and Z3 = 1. However, with abcd = 1111, the fault is not excited and no error is produced at Z2. Thus, because of diversity in the fanout structure, the fault effect propagates. Hence, there is no input combination for which the two implementations produce identical errors in the presence of these two faults. Thus, diversity in the fanout structure of the two implementations can be utilized for enhancing the data integrity of the duplex system against common-mode failures. Classical algorithms for two-level logic synthesis can be used for creating diversity in the fanout structures of the two implementations in a duplex system.

Suppose that the minterm 1111 is in the 1-sets of output functions Z1, Z2 and Z3, 1101 is in the 1-set of output function Z1, 1100 is in the 1-sets of output functions Z1 and Z3, and 1110 is in the 1-set of Z1. Assuming there are only 3 outputs, the tag of 1111 is {1, 1, 1}, the tag of 1101 is {1, 0, 0}, and the tags of 1100 and 1110 are {1, 0, 1} and {1, 0, 0}, respectively. We can find that 1111 and 1101 can be combined to form the implicant 11-1 with tag equal to {1, 0, 0}. Since the tag of 11-1 is the same as that of 1101, we can cancel 1101. Similarly, we can combine 1100 and 1110 to form 11-0 with tag equal to {1, 0, 0}. Finally, we can combine 11-1 and 11-0 to form 11-- with tag equal to {1, 0, 0}.
Since the tag of

A simple high-level pseudo-code for the entire process of synthesizing the best implementation of N2, given N1, maximizing the diversity with respect to the worst-case fault pairs and minimizing the area overhead, is shown next. Note that we implement the function with complemented outputs for N2 and then add inverters at the outputs of the implementation. This is mainly because the cost function evaluation becomes computationally very intensive otherwise. Moreover, there are some potential gains because there is no apparent correlation between the MOPIs of a given function and the MOPIs of the same function with complemented outputs. Appendix 1 shows the cost function evaluation step for the case when we implement the given truth table without complemented outputs for N2 and explains why it is computationally intensive.
The MOPI generation step is the same as in conventional synthesis. Finding a MOPI cover is also very similar to the covering step in classical two-level minimization.
While more covers remain
    Generate next cover C
    Calculate cost of C: # Gates = G, # Literals = L, Expected diversity with respect to N1 = E
    If Cost of C "better" than Min. cost   /* e.g., G < Min. # Gates, L < Min. # Literals, E > Max. Diversity */
        Min. # Gates = G
        Min. # Literals = L
        Max. Diversity = E
        Best-Cover = C
    Endif
Endwhile
Return Best-Cover with inverters at the outputs for implementing the given function

The above pseudo-code performs an exhaustive search to obtain the best cover for implementing N2. The covering problem has exponential complexity in the worst case and may be impractical for large circuits. However, heuristic algorithms for covering
It is clear from the pseudo-code that the cost function has two major components: (i) the area of the circuit (estimated by the number of gates and the number of literals) and (ii) the diversity component. The weights associated with these two components in the final cost function are flexible and depend on the application. For area constrained designs, it may be required to obtain the minimal area implementation and diversity can be a secondary component of the cost function. For some applications, there may be a bound on the maximum area that can be used for implementing N2 and the diversity component may be maximized for all designs with the area cost less than the predetermined bound.
In classical two-level minimization of multiple-output logic circuits, we can reduce the size of the covering table by establishing dominance relationships among the rows and columns of the table. Column C1 dominates C2 if the set of prime implicants that cover the minterm corresponding to C2 is a subset of the set of prime implicants that cover the minterm corresponding to C1. If C1 and C2 correspond to minterms of the same logic function, then the dominating column C1 can be removed. This rule can be used for our current synthesis technique too. However, unlike the conventional synthesis procedure, we cannot remove equivalent rows from the table. If area (gate count and literal count) minimization is our primary goal, then we can remove dominated rows with higher area costs from the table.
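The MOPI generation with tags described above, together with the exhaustive covering loop of the pseudo-code, as an added Python example (it is not the paper's own code). The input is the set of four tagged minterms from the tag example above; the area estimate (one AND gate per cube with two or more literals, one OR gate per output fed by two or more cubes, and each selected MOPI feeding every output set in its tag) is an assumption made for this example, and the diversity component of the cost function is left out, so the search minimizes only the (gates, literals) pair.

```python
from itertools import combinations

# Constructed input for this example (not the paper's Tables 5.2-5.5): minterms of a
# 4-input, 3-output function as cube strings, each with a tag whose entry o is 1 when
# the minterm is in the 1-set of output o. These are the four minterms of the paper's
# tag example.
PAGE_MINTERMS = {"1111": (1, 1, 1), "1101": (1, 0, 0), "1100": (1, 0, 1), "1110": (1, 0, 0)}


def tags_from_truth_table(table):
    """table maps an input string to its output tuple; keep the minterms of some output."""
    return {m: tuple(out) for m, out in table.items() if any(out)}


def combine(c1, c2):
    """Merge two cubes that differ in exactly one literal; None if they cannot be merged."""
    diff = [i for i, (x, y) in enumerate(zip(c1, c2)) if x != y]
    if len(diff) != 1 or "-" in (c1[diff[0]], c2[diff[0]]):
        return None
    i = diff[0]
    return c1[:i] + "-" + c1[i + 1:]


def and_tag(t1, t2):
    return tuple(x & y for x, y in zip(t1, t2))


def mopis(minterm_tags):
    """Multiple-output prime implicants with tags, by iterated combination: a merged
    cube carries the AND of its parents' tags and is dropped when that tag is all
    zeros; a parent is cancelled only when the merged cube has the same tag."""
    current, primes = dict(minterm_tags), {}
    while current:
        merged, cancelled = {}, set()
        for (c1, t1), (c2, t2) in combinations(current.items(), 2):
            cube = combine(c1, c2)
            if cube is None:
                continue
            tag = and_tag(t1, t2)
            if not any(tag):
                continue
            merged[cube] = tag
            cancelled.update(c for c, t in ((c1, t1), (c2, t2)) if t == tag)
        primes.update({c: t for c, t in current.items() if c not in cancelled})
        current = merged
    return primes


def covers(cube, minterm):
    return all(x == "-" or x == y for x, y in zip(cube, minterm))


def area_cost(selected):
    """Area component of the cost function as (gates, literals) of the AND-OR network
    built from the selected MOPIs (estimate assumed for this example, see lead-in)."""
    gates = literals = 0
    for cube in selected:
        k = sum(ch != "-" for ch in cube)
        if k >= 2:
            gates, literals = gates + 1, literals + k
    n_out = len(next(iter(selected.values())))
    for o in range(n_out):
        terms = sum(1 for t in selected.values() if t[o])
        if terms >= 2:
            gates, literals = gates + 1, literals + terms
    return gates, literals


def best_cover(minterm_tags):
    """Exhaustive covering search (the area part of the pseudo-code loop): every
    (minterm, output) cell must be covered by a selected MOPI whose tag includes that
    output; returns (cost, selected MOPIs) with the smallest (gates, literals)."""
    primes = mopis(minterm_tags)
    cells = [(m, o) for m, tag in minterm_tags.items() for o, bit in enumerate(tag) if bit]
    best = None
    for r in range(1, len(primes) + 1):
        for subset in combinations(primes, r):
            chosen = {c: primes[c] for c in subset}
            if all(any(t[o] and covers(c, m) for c, t in chosen.items()) for m, o in cells):
                cost = area_cost(chosen)
                if best is None or cost < best[0]:
                    best = (cost, chosen)
    return best


if __name__ == "__main__":
    print("MOPIs with tags:", mopis(PAGE_MINTERMS))
    print("best cover ((gates, literals), MOPIs):", best_cover(PAGE_MINTERMS))
```

On the four minterms above, mopis() returns 1111 with tag {1, 1, 1}, 1100 with tag {1, 0, 1} and 11-- with tag {1, 0, 0}, as in the text: 1101 and 1110 are cancelled because the cubes they merge into carry their own tag, while 1111 and 1100 survive because their tags are strictly larger than those of the merged cubes.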
For evaluating the cost of a MOPI cover, we have to do some extra processing in order to find the worst-case fault pairs and calculate the diversity with respect to the worst-case fault pairs. In Sec. 5.1, we describe techniques to calculate the cost function of a given cover consisting of multiple-output prime implicants.

5.1. Cost Function Computation

The reader is reminded that N2 is implemented by synthesizing the truth table obtained by complementing the outputs in the truth table of N1 and then adding inverters at the outputs of the synthesized design. Since we are considering only two-level logic circuits (in AND-OR form), for a given fault f1 in N1, the candidates for f2 are faults at the outputs of the AND and the OR gates. This is because any fault at the input of an AND (OR) gate is equivalent to or dominated by a fault at the output of that AND (OR) gate.

Cost function computation (figure): for each fault f1 in N1, choose an f2 so that (f1, f2) has the least d1,2; (f1, f2) constitutes a worst-case fault pair; compute the expected diversity.

Let us consider the example in Fig. 5.3. Consider the fault f1 to be p/0. We have to find the fault f2 in N2 such that (f1, f2) is the worst-case fault pair. Since N2 implements the truth table with complemented outputs, f2 cannot be a stuck-at-0 fault. Since f1 is p/0 in N1, the value on Z1 (or Z2) may be changed from the fault-free value of 1 to the faulty value 0 (but not the other way). Similarly, if f2 is a stuck-at-0 fault at the output of an AND gate (or input of an OR gate) in N2, then the values on the outputs of N2 can get changed from the fault-free value of 1 to the faulty value of 0 (but not the other way). Since the outputs of N2 are complements of the outputs of N1, the two implementations will never produce identical erroneous outputs when f2 is a stuck-at-0 fault. Thus, f2 must be a stuck-at-1 fault at the output of a gate in N2. Let f2 = q/1 be a candidate for the worst-case fault pair. This fault produces Z2 = 0 and Z3 = 0 in N2. Since the output Z1 is not affected by q/1 in the second implementation, N2 will not produce any error on Z1. This means that N1 can produce an error only at Z2, with the fault-free values Z1 = 1 (for the fault to be excited p must be equal to 1; this means that the fault-free value of Z1 is 1) and Z3 = 0, that can be identical to an erroneous response from N2. The computation of the d1,2 value of the fault pair (f1, f2) = (p/0, q/1) is shown next.

Careful analysis of the above computation shows that in this case V = V4. The case where f1 is a stuck-at-1 fault is symmetric because, in that case, f2 must be a stuck-at-0 fault in N2. It is clear from the above discussion that, for both stuck-at-0 and stuck-at-1 faults, we have to consider only one erroneous output combination with all 1's at the outputs affected by the stuck-at-1 fault. This implies a potential decrease in the number of input combinations for which both N1 and N2 produce identical erroneous outputs.
5.2. Example
In this section, we illustrate the above technique with the help of an example. Consider the truth table of the combinational logic function shown in Table 5.2. Figure 5.4 shows the implementation N1 of the logic function of Table 5.2.
Our aim is to synthesize the second implementation N2 for the above logic function in order to maximize diversity. To use our technique, we first list all the MOPIs for the logic function in Table 5.3, which is obtained by complementing the outputs of Table 5.2. For the logic function of Table 5.3, the MOPIs together with the tags are shown in Table 5.4. We have to choose a set of MOPIs that minimizes the cost of the implementation and maximizes diversity between the implementations.
As shown in Table 5.4, there are 6 MOPIs for the logic function of Table 5.3. The MOPI covering table is shown in Table 5.5. Note that MOPIs B, C, E and G must always be selected for implementing the function g1. Let us consider a set of MOPIs that correspond to the implementation shown in Fig. 5.5.
Let us consider the faults in the implementation of Fig. 5.4. The "interesting" faults are the ones at the outputs of the AND gates that have fanouts. This is because, by Theorem 1, the faults at the output leads of the implementation in Fig. 5.5 form worst-case pairs with the faults at the inputs or outputs of the AND gates without any fanout in Fig. 5.4. Consider a stuck-at-1 fault at the output of the AND gate a'bc in implementation N1 (Fig. 5.4). The set of input combinations for which N1 produces the incorrect output combination 11 is {000, 001, 010, 100, 111}. For implementation N2 (Fig. 5.5), the candidate faults that produce the worst-case fault pairs are g1/0, g2/0 and stuck-at-0 faults at the outputs of the AND gates a'bc' and ab'c'. For g1/0, the set of input combinations for which N2 produces the incorrect output combination 00 is {111}. For g2/0, the set of input combinations for which N2 produces the incorrect output combination 00 is {000}. The set of input combinations for which N2 produces the erroneous output combination 00 in the presence of a stuck-at-0 fault at the output of the AND gate a'bc' is {010}. A similar case holds for a stuck-at-0 fault at the output of the AND gate ab'c'. Thus, if we use the implementation in Fig. 5.5 for the second module instead of replicating the implementation in Fig. 5.4, we find that the di,j value for the worst-case fault pair with a stuck-at-1 fault at the output of the AND gate a'bc in N1 changes from 0.375 (1 - 5/8) to 0.875 (1 - 1/8) in the worst case.
Multi-Level Logic Synthesis
Conventional techniques for synthesis of multi-level logic circuits rely on a set of logic transformations that are applied systematically to the input Boolean network to obtain a final network.
Since the multi-level transformations change the structure of the Boolean network under consideration, they can potentially increase or decrease the degree of diversity between two logic networks. Hence, it is important to examine the effects of these transformations on a Boolean network as far as its diversity with respect to a given Boolean network is concerned. There are four main types of transformations that are used during multi-level logic synthesis. They are: (i) single-cube extraction, (ii) double-cube extraction, (iii) re-substitution and (iv) vertex elimination [Rajski 92, De Micheli 94]. These transformations are also present in the widely used rugged script that is provided by the SIS [Sentovich 92] logic optimization system. In this paper, we analyze each of these logic transformations. For most of the cases, we will follow the definitions in [Rajski 92]. Our goal is to identify a set of transformations that we can use safely without sacrificing the gains obtained from two-level synthesis.
By applying some of these transformations, we can possibly increase the diversity between two implementations. This observation leads to interesting optimization problems not studied here.
6.1. Single-Cube Extraction

"Single-cube extraction is the process of extracting cubes which are common to two or more cubes" [Rajski 92]. For example, let us suppose that we have a logic

stuck-at faults are tested by the same set of input combinations as the original circuit. This observation is very significant. Suppose that we have a network K as a possible implementation of module N2 in a duplex system.
With respect to the first module N1, the implementation K has a particular value of diversity. If we apply single-cube extraction on network K to obtain a new implementation for N2, for any fault g in N1, the fault in N2 that forms the worst-case pair remains unchanged. This notion is somewhat (but not fully) similar to the notion of test-set preserving transformations [Rajski 92].

6.2. Double-Cube Extraction

"The double-cube extraction transformation consists of extracting a double cube from a single-output sum-of-products sub-expression, AC + CB → C(A + B)" [Rajski 92]. Figure 6.2 shows an example of double-cube extraction. It is very easy to see from Fig. 6.2 that all faults in the original network and the transformed network are dominated by or equivalent to stuck-at faults on f. Thus, for any fault g in N1, the fault in N2 that forms the worst-case pair remains unchanged.
6.3. Re-substitution

Re-substitution is a transformation that replaces all nodes corresponding to a particular logic function with a single node. It has been proved in [Rajski 92] that re-substitution is not test-set preserving in general. It can be shown that, under the re-substitution transformation, it is not guaranteed that the diversity of the transformed network will not decrease. Thus, it is tricky to apply the re-substitution transformation for generating multi-level logic networks while preserving the diversity measure between two designs. However, application of synthesis scripts with and without the re-substitution transformation shows that fairly area-efficient logic circuits can be obtained without using the re-substitution transformation [Mitra 00c].
6.4. Elimination

In the elimination transformation, an internal node of a logic network is eliminated from the Boolean network and the variable corresponding to that node is replaced by the corresponding expression in all its occurrences in the logic network [De Micheli 94]. This transformation guarantees that the diversity with respect to the worst-case fault pairs in the transformed circuit is never less than that in the circuit on which the transformation is applied. Intelligent use of this transformation can possibly increase diversity. This is a new optimization problem not considered in this paper.
Summary and Conclusions
In this paper, for the first time, we have developed systematic techniques to synthesize diverse implementations of combinational logic circuits for duplex systems so that the data integrity of the resulting diverse duplex system is maximized. Unlike conventional logic synthesis (where the cost function of logic minimization is mainly determined by the area and delay of the resulting logic), our cost function has a diversity component that has to be maximized.
Unlike previous approaches for designing diverse implementations that depended on independent generation, we have identified a concrete diversity cost function in this paper. We modified the conventional two-level logic synthesis procedure to maximize the diversity component of the cost function without drastically affecting the area component. Next, we identified a set of multi-level logic transformations that can be applied without sacrificing diversity in the resulting logic structure with respect to a given implementation. We observed that there are further opportunities to increase diversity in the resulting implementation through multi-level transformations. Future research should focus on identifying new multi-level logic transformations and using the conventional multi-level transformations (that do not preserve diversity) appropriately to enhance the diversity in the resulting implementation.
The cost function for diversity considered in this paper is based on the di,j value of the worst-case fault pairs. However, consider the case where, for a fault fi in N1, there are 5 possible fj's in N2 and 2 possible fj's in another implementation N3 that produce the same diversity with respect to the worst-case fault pairs. In our current analysis, for fault fi in N1, the diversity between N1 and
