We describe a new method for design error diagnosis in digital circuits that does not use any error model. A diagnosis-specific pre-analysis of the circuit extracts a subcircuit suspected to be erroneous. Contrary to other published works, the necessary re-synthesis of the subcircuit need not be applied to the whole function of an internal signal in terms of primary inputs, but may stop at arbitrary nodes inside the circuit. As the subcircuits to be redesigned are kept as small as possible, the redesign procedure is simple and fast. Experimental data also show the high speed of the diagnostic pre-analysis.
Introduction
Design error diagnosis plays an essential role in providing correct VLSI products. Despite the use of automated synthesis tools to produce correct-by-construction circuits, experience shows that a phase of design correction is necessary to obtain correct implementations [1]. Initial designs made by automated tools are manually modified to improve some design aspects such as the performance or area requirements, or to carry out small specification changes. During this manual phase, design errors are very likely to be inserted. In these cases, design error diagnosis and logic rectification are needed. Automatic error diagnosis and correction save a lot of design debugging time.
Existing logic rectification approaches can be classified into several categories: error-model based approaches [2] [3] [4] [5], structural approaches [6] [7] [8], and re-synthesis based approaches [9] [10] [11].
In error model based approaches, after error diagnosis, the implementation is rectified by matching the error with an error type in the model. The method is relatively restricted because it may fail in error cases not covered by the model. In this approach, the case of multiple errors has not been investigated because of the problem complexity.
In [6], a structural approach was proposed for engineering change [12]. In engineering change, in order to re-use the engineering effort spent on the old implementation, logic rectification is performed to realize the new specification by modifying the old implementation. This approach applies verification techniques to narrow down the potential error region in the implementation. Then a heuristic called back-substitution is employed in hopes of fixing the error incrementally. This approach requires that a certain degree of structural correspondence between the specification and the implementation be provided. If this requirement is not fulfilled, the method cannot be used.
Re-synthesis approaches are more general; they rely on symbolic error-diagnosis techniques to find an internal signal in the implementation that satisfies the single fix condition, i.e. the condition of fixing the entire implementation by changing the function of an internal signal. Once such a signal is found, a new function is realized to replace the old function of this signal to fix the error. In the worst case, it may completely re-synthesize every primary output function. In practice, the major drawback of this approach is that it cannot handle larger designs, because it uses Ordered Binary Decision Diagrams (OBDD) [13].
In this paper, the re-synthesis approach is applied not to the whole function of an internal signal given in terms of input signals, but to internal subfunctions for arbitrary smaller subcircuits of the circuit. By diagnostic pre-analysis, a subcircuit suspected to be erroneous is extracted and redesigned to match the verification results. If the redesign of this part of the circuit does not solve the problem (does not correct the circuit), the initial extracted subcircuit is extended either towards the inputs or towards the outputs, and the redesign procedure is repeated. As the subcircuits to be redesigned are as small as possible, the redesign procedure is simple and fast. The size of the subcircuit depends substantially on the quality of the diagnostic pre-analysis. In the worst case of many design errors, or if the errors are spread all over the circuit, it may be necessary to redesign all the primary output functions of the circuit, as in the case of known methods [9, 11].
The rest of the paper is organized in the following way. In Section 2, we give the preliminaries and the needed definitions. In Sections 3-6 we describe our method in detail. Finally, in Section 7 we present some experimental results.
Preliminary
Consider a circuit specification, and its implementation, both at the Boolean level. The specification output is given by a set of variables W = {w_1, w_2, ..., w_m}, and the implementation output is given by a set of variables Y = {y_1, y_2, ..., y_m}, where m is the number of outputs. Let X = {x_1, x_2, ..., x_n} be the set of input variables. The implementation is a network of components (gates) with arbitrary functions and Z is the set of internal variables used for connecting the components. Let S be the set of all signal variables in the implementation S = Y ∪ Z ∪ X. The network can be described by a set N of components (its nodes) interconnected by signals (edges between components), such that s = f(s_1, s_2, ..., s_h) where s ∈ Y ∪ Z, s_i ∈ Z ∪ X, and f is a Boolean function of the component with output s. Later we use in examples the following notation: if s_k is a fanout variable then all the branches of the fanout are denoted by the second index: s_{k,1}, s_{k,2}, ..., s_{k,p}, where p is the number of branches of the fanout. Denote the subset of variables in Z which represent the branches of fanout signals as Z_B.
Example: In Fig.1 14 should be an AND gate.♦
Definition 1. The cone C(s_k) of the variable s_k ∈ S is the subset of all variables s ∈ S from which there exists a path from s to s_k (in the direction of the signal flow).
A cone C(s_k) is represented by a function s_k = f(s_1, s_2, ..., s_p) with a set of arguments S_k = {s_1, s_2, ..., s_p} = C(s_k) ∩ X. It is a subnetwork N(C(s_k) ∩ X, s_k) with a set of inputs C(s_k) ∩ X, and with output s_k. A subcone C'(s_k) ⊂ C(s_k) of the variable s_k ∈ S may have arguments which are not inputs. A component is a smallest subcone.
Example: the cone for the variable s_{12} in Fig.1 ∪ X of the given circuit. This set of faults F is a representative set of faults for the circuit: to test all the stuck-at faults in the circuit, it is sufficient to test only the set of faults in F [14]. On the other hand, when testing the set of faults F, we test all the signal paths in all the tree-like subcircuits for transmitting both signals 1 and 0.
Example: The representative set of faults for the circuit in Fig.1
In this paper the stuck-at fault model is not used as a model for design error diagnosis. Its role is to provide a measure for stating that one or another signal path is found to be erroneous. When a signal path has been found faulty, this is the evidence that at least one of the components met on this path is erroneous.
This knowledge of erroneous signal paths (or of detected stuck-at faults) is used later for carrying out diagnostic pre-analysis in order to identify the suspected erroneous areas in the circuit.
Thus, in the rest of this paper, we initially consider a test T = {T_i} that detects the representative set of faults F = {s/0 and s/1 for s ∈ X ∪ Z_B}. This test is obtained by any standard test generation technique for digital circuits. The test is then simulated on the description of the implementation and of the specification. The fault table is a matrix a_{i,j} where a_{i,j} = 1(0) if the test pattern T_i is able to detect the fault s_j/1(0) of the node s_j, and is undetermined otherwise. Let F(T_i) be the set of faults which may be detected by the test pattern T_i.
Example: In Table 1, the first 7 rows give a test of 7 test patterns which covers all the representative stuck-at faults in the circuit of Fig
Later in diagnostic pre-analysis we use the following heuristic: the higher the error level of the variable s_k, the higher the probability that the cone C(s_k) is erroneous.
Table 1. A test and its fault table for the circuit in Fig.1 at given test
General description of the method
The procedure for error diagnosis and for circuit correction proposed in the present paper consists of the following steps.
1. Verification test, with the goal of finding failed test patterns that give knowledge about faulty signal paths. This knowledge helps in finding the suspected erroneous area of the circuit.
2. Diagnostic pre-analysis, in order to compute the error levels E(s) for all variables s ∈ Y ∪ Z and so learn which subcircuits (cones or subcones) should be suspected to be erroneous.
3. Defining a suspected erroneous subcircuit (subcone or cone) C(s).
4. Rectification of the function of the subcircuit C(s) based on the results of the verification test, generating and executing new test patterns if needed.
5. If the rectification procedure corrects the design the problem is solved. Otherwise, steps 3 and 4 should be iteratively repeated.
In this procedure, for verification and for checking if the circuit is corrected by rectification of the suspected function (step 4), the given set of test patterns T is used. The test T may have been extended by additional test patterns during step 4. It may happen that step 5 gives a positive result, although the verification with an equivalence prover still shows that the rectified circuit is not correct. When this happens, the test T should be extended to find a test pattern which fails during verification test. As there exists no method to generate deterministically such test patterns in the case where no fault model is used, a random search is the easiest way to solve the problem.
The efficiency of the procedure depends highly on the diagnostic quality of the test patterns, and on the heuristics used for diagnostic pre-analysis and for defining suspected erroneous areas. The number of iterations in steps 4 and 5 depends on these aspects, and also on the complexity of the function of the suspected erroneous subcircuit.
In the paper only combinational circuits with a single output are considered. In the case of multiple outputs, the accuracy of diagnostic pre-analysis increases, and the rectification procedure can be carried out for simpler functions.
Diagnostic pre-analysis
The result of the verification test is a subset FAILED ⊆ T of failed test patterns. If no errors are found during the verification test (FAILED = ∅), no diagnosis and no error correction can be made. On the basis of the verification test results and the fault table, the error levels for all variables s ∈ Y ∪ Z are computed by the following algorithm.
On the basis of the results of Algorithm 1, the suspected erroneous area may be specified. We use here the following heuristic: the higher the error level of the variable s_k, the higher the probability that the cone C(s_k) is erroneous. This leads to the main rule for choosing a subcircuit for redesign.
Rule 1.
The cone C(s) for the variable s where E(s) = max over all s ∈ Y ∪ Z should be taken for rectification.
However, this is only the first condition to be taken into account. Because of the fault dominance [14], the error suspected to be in the cone C(s_i) may also be located in a larger cone C(s_k) where C(s_i) ⊂ C(s_k).
Suppose, there are two cones C(s_i) and C(s_k) so that C(s_i) ⊂ C(s_k), as represented in Fig.2.
The motivation for the choice suggested by Rule 2 follows from the lower probability of multiple faults, especially in the same close neighbourhood (in the same cone). In the case of a single error there is no cone C(s_i) inside C(s_k), such that F'(s_k) = F'(s_i), and the only possible error is the erroneous top gate of the cone.
If the rectification of the network N(S_k, s_k) does not correct the circuit (for example, because of multiple design errors), the set S_k of inputs of the suspected erroneous area must be extended. We do it by increasing the initial subcone C(s_k), including into it another subcone C(s) with E(s) = max, where s ∈ S_k.
Example of using the Rules 1 and 2: consider the circuit in Fig.1 with two design errors. The test set given in Table 1 is good enough for error detection, as it covers all the possible stuck-at faults. On the other hand, the diagnostic resolution for the given test set and for the given erroneous situation (three first test patterns fail), is very low. The failure of test patterns T_1, T_2, and T_3 and the non-failure of the other patterns implies that all the representative nodes of the circuit except s_4 remain suspected to be faulty. Variable s_4 is the unique one for which both faults s/0 and s/1 are removed, due to the non-failing of test patterns T_4, T_5, T_6 and T_7 (see Table 1).
Table 2. Error levels for variables of the circuit in Fig.1 for the given test experiment
Example:
The results of calculating the error levels for the variables of the circuit are shown in Table 2. The highest value E(s_9) = 0.5 suggests applying Rule 1 to s_9 = OR(s_6, s_7). However, there is a subset of faults F'(s_{12}) - F'(s_9) = {s_5/0, s_{8,2}/0} which does not belong to the cone C(s_9), and belongs to another cone C(s_{12}) which includes C(s_9). Instead of the function s_9 = OR(s_6, s_7), the cone C(s_{12}) should be chosen for redesign. Hence, following Rule 2, we finally choose the function s_{12} = XOR(s_{8,2}, s_9) for rectification.♦
Rectification of the suspected erroneous part of the circuit
For rectifying the function of a subnetwork N(S_k, s_k), we have to choose test patterns from the initial test set T (or create new ones if the needed ones are missing in T), to put together a set of patterns T' which includes all possible value combinations of the variables s ∈ S_k, so that for each T_i ∈ T' at least for one y_j ∈ Y the following holds: ∂y_j/∂s_k = 1. The last condition makes the variable s_k observable at the output(s) and the behaviour of the subnetwork N(S_k, s_k) can be corrected if y_j(T_i) ≠ w_j(T_i) is observed when applying the test pattern T_i to the implementation. The number of patterns in the set T' is 2^p, where p is the number of variables in S_k.
Rectifying the circuit. Correction of the chosen subnetwork N(S_k, s_k) means that when extracting the behaviour of s_k from the simulation results of T', the value of s_k should be changed for all the failed test patterns in T'.
Rule 3.
If there is at least one pattern T_i ∈ FAILED such that ∂y_j/∂s_k = 0 for all y_j ∈ Y, then the circuit cannot be corrected by rectifying only the subnetwork N(S_k, s_k).
Indeed, because ∂y_j/∂s_k = 0 for all y_j ∈ Y, the cause of the failure of T_i must lie somewhere other than in the changed value of s_k.
Taking into account the correction of the subnetwork N(S_k, s_k), the test verification experiment is repeated for all the patterns T ∪ T'. If all the test patterns pass, the new design is correct in relation to the verification test. If at least one test pattern from T ∪ T' fails, the rectification procedure should be repeated, and the suspected erroneous area should be extended or moved into another region.
Example: For the circuit of Fig.1, we chose as the suspected erroneous area the function s_{12} = f(s_8, s_9) for rectification. The rectification results are given in Table 3 in the column s_{12} = f(s_8, s_9). The verification test experiment results are given in the column Out (the left value is for the implementation, the right value for the specification). Already the first pattern T_1 shows that, according to Rule 3, the erroneous circuit cannot be corrected by rectifying this function: for T_1 we find that ∂y_{15}/∂s_{12} = 0. Hence, the error in the function s_{12}
Table 3. Rectification of suspected erroneous functions
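The rectification step and Rule 3 described above, as an added Python example that is not code from the paper. The three-input circuit, the gate names s4 and s5, the specification function and the exhaustive pattern set standing in for T are all constructed assumptions; ∂y/∂s_k is computed by forcing s_k to 0 and to 1 and comparing the output.

```python
from itertools import product
from operator import and_, or_

# Constructed single-output circuit (not from the paper); dict order is topological.
INPUTS, OUT = ("x1", "x2", "x3"), "y"
IMPL = {
    "s4": (or_, ("x1", "x2")),   # design error: the specification has AND here
    "s5": (and_, ("x2", "x3")),
    "y": (or_, ("s4", "s5")),
}

def spec(p):
    """Specification output w for input pattern p."""
    return (p["x1"] & p["x2"]) | (p["x2"] & p["x3"])

def simulate(net, pattern, forced=None):
    """Evaluate all gates; `forced` pins chosen node values."""
    v = dict(pattern)
    for node, (fn, args) in net.items():
        if forced and node in forced:
            v[node] = forced[node]
        else:
            v[node] = fn(*(v[a] for a in args))
    return v

def observable(net, pattern, sk):
    """Boolean difference dy/ds_k for one pattern (1 if flipping s_k flips y)."""
    return simulate(net, pattern, {sk: 0})[OUT] ^ simulate(net, pattern, {sk: 1})[OUT]

def rectify(net, sk, tests):
    """Corrected truth table of s_k over its inputs S_k, or None if impossible."""
    failed = [t for t in tests if simulate(net, t)[OUT] != spec(t)]
    # Rule 3: a failed pattern with dy/ds_k = 0 rules out fixing s_k alone.
    if any(not observable(net, t, sk) for t in failed):
        return None
    args, table = net[sk][1], {}
    for t in tests:
        if not observable(net, t, sk):
            continue  # pattern cannot be a member of T'
        v = simulate(net, t)
        key = tuple(v[a] for a in args)
        want = v[sk] ^ (v[OUT] != spec(t))  # change s_k on failed patterns only
        if table.setdefault(key, want) != want:
            return None  # contradictory requirements on s_k
    # T' must cover all 2^p combinations of S_k; otherwise new patterns are needed.
    return table if len(table) == 2 ** len(args) else None

def diagnose(sk):
    """Rectify suspect s_k, then repeat the verification test on the fixed circuit."""
    tests = [dict(zip(INPUTS, bits)) for bits in product((0, 1), repeat=len(INPUTS))]
    table = rectify(IMPL, sk, tests)
    if table is None:
        return None
    fixed = dict(IMPL)
    fixed[sk] = (lambda *a: table[a], IMPL[sk][1])
    return table if all(simulate(fixed, t)[OUT] == spec(t) for t in tests) else None

if __name__ == "__main__":
    print("s5:", diagnose("s5"))  # rejected by Rule 3
    print("s4:", diagnose("s4"))  # corrected truth table over (x1, x2)
```

For the suspect s5 the failed pattern x1x2x3 = 100 has s4 = 1, which masks s5 at the OR output, so Rule 3 rejects it; for s4 the extracted table is the AND function.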
Search for the new function to be rectified
Suppose that the subnetwork N(S_k, s_k), the correction of which did not help to locate the error (or all errors), forms the top or upper part of the cone C(s_k) (see the shaded areas of cones in Fig.2). Three possibilities exist to change the suspected erroneous area:
1. Extending the suspected erroneous area towards the outputs, from the cone C(s_k) to the cone C(s_j) where C(s_k) ⊂ C(s_j).
2. Extending the suspected erroneous area in the cone C(s_k) towards the inputs.
3. Starting with a new suspected erroneous area, in a cone C(s_j) disjoint from the previous one, i.e. C(s_j) ∩ C(s_k) = ∅.
The first choice will be made when one or several faults from F'(s_k) may influence the variable s_j through other branches not traversing the node s_k. There are two possibilities: take as the next function to be rectified either the top component of the cone C(s_j), or the subcircuit formed by the top components of both cones, C(s_j) and C(s_k).
Example: after the attempt to rectify the function s_{12} = AND(s_8, s_9) in Fig.1
Leaving the cone C(s_k) after an unsuccessful rectification, and starting with a new suspected erroneous area in another cone C(s_i) where C(s_i) ∩ C(s_k) = ∅ (the third possibility to change the suspected area), can be motivated by the following. Consider the circuit in Fig.3 with an erroneous element OR_5 (instead of OR_5 there should be an AND gate). The test T_1 = 101 will fail because of the erroneous OR_5. On the other hand, this test pattern detects the faults s_1/0 and s_2/0, and there is no other test pattern which can distinguish these faults. Hence, from the failure of the test T_1 we have to conclude that both OR_4 and OR_5 may be erroneous. If we choose the cone C(s_4) first on the basis of the heuristic measures E(s_4) and E(s_5), then, because the error is in OR_5, we have to switch later to the other cone C(s_5), which is disjoint from the cone C(s_4).
Experimental data
For carrying out a set of design error diagnosis experiments, the ISCAS'85 benchmarks were used (columns 1,2,3,4 in Table 4). Test patterns for detecting stuck-at faults in these circuits were created by the test generator Turbo Tester described in [15]. The fault coverage (column 6) of the tests and the test generation time in seconds (column 11) are presented in Table 4.
The goals of the experiments were twofold:
- to compare the efficiency (the speed of fault localization) of the new diagnostic approach (diagnostic pre-analysis) with previous results [4];
- to evaluate the design error diagnostic properties of test patterns generated by traditional gate-level ATPGs for stuck-at fault detection purposes only.
Experiments were carried out on the computer platform Sun SparcServer 20 (2 x Ultra Sparc II micro-processors, 75MHz) with Solaris 2.5.1 operating system.
For all circuits, all possible single gate errors were inserted. The number of experiments carried out for each benchmark circuit is shown in column 5. The total diagnosis time (column 13) consists of two components: test generation time (column 11) and fault diagnosis (column 12). The time for rectification is not taken into account in these experiments.
Table 5. Illustration of the best and the worst results of the diagnostic preanalysis
In Table 5, the diagnostic resolutions for two benchmark circuits (with the best and the worst diagnostic resolutions) are shown. To reach higher resolution, additional test patterns should be generated.
Conclusions
In this paper, a new approach to design error diagnosis in combinational circuits without error model is proposed. The procedure combines a diagnostic pre-analysis based on using stuck-at fault diagnosis data for predicting the suspected erroneous area, and re-synthesis for correcting the design.
Differently from the known design error diagnosis methods which apply the re-design technique for randomly chosen cones of the circuit till the right erroneous cone has been found and corrected, in this paper, a diagnostic pre-analysis is carried out to compress the suspected erroneous area as much as possible.
On the other hand, we differ from the known re-design based error diagnosis methods which apply the rectification procedure to the whole cone function of an internal signal given in terms of input signals: we only rectify internal subfunctions for arbitrary subcircuits (in a majority of cases, for very simple gate structures) of the circuit.
This approach has two advantages compared to the other re-design based methods: we can better use the results of diagnostic pre-analysis by concentrating the rectification procedure exactly to the suspected erroneous area, and in a majority of cases, we can avoid the combinatorial explosion of the OBDD manipulations based rectification.
As the subcircuits to be redesigned are as small as possible, the redesign procedure is simple and fast. The size of the subcircuit depends substantially on the quality of the diagnostic pre-analysis. In worst cases of many design errors, or if the errors are largely spread out over the circuit, it may still be necessary to redesign all the primary output functions of the circuit, as in known methods [9-11].
The method can also be applied to sequential circuits if the scan-path technique is used to increase the testability of the circuit. However, we have not yet performed experiments on sequential circuits. The shortcoming of the proposed method is the lack of an exact deterministic technique for diagnostic pre-analysis. Many heuristics are currently used for selecting the suspected erroneous areas; this is rather natural, because a very general case is considered: (1) all errors including multiple ones are allowed, and therefore no error model is used; (2) no structural similarity is assumed between the specification and the implementation.
Future work will be devoted to the development of deterministic approaches for more exact localization of the erroneous area and to the development of diagnostic test patterns with better resolution.
