Model-based diagnosis of hardware designs  by Friedrich, Gerhard et al.
Artificial Intelligence 111 (1999) 3–39
Model-based diagnosis of hardware designs I
Gerhard Friedrich a,1, Markus Stumptner b,∗, Franz Wotawa b,2
a Universität Klagenfurt, Institut für Wirtschaftsinformatik und Anwendungssysteme, Universitätsstr. 65, A-9020
Klagenfurt, Austria
b Technische Universität Wien, Institut für Informationssysteme, Paniglgasse 16, A-1040 Wien, Austria
Received 5 August 1996; received in revised form 24 September 1998
Abstract
The state of the art in hardware design is the use of hardware description languages such as VHDL.
The designs are tested by simulating them and comparing their output to that prescribed by the
specification. A significant part of the design effort is spent on detecting unacceptable deviations
from this specification and subsequently localizing the sources of such faults. In this paper, we
describe an approach to employ model-based diagnosis for fault detection and localization in very
large VHDL programs, by automatically generating the diagnosis model from the VHDL code and
using observations about the program behavior to derive possible fault locations from the model. In
order to achieve sufficient performance for practical applicability, we have developed a representation
that provides a highly abstracted view of programs and faults, but is sufficiently detailed to yield
substantial reductions in the fault localization costs when compared to the current manpower-
intensive approach. The implementation in conjunction with the knowledge representation is
designed with openness in mind in order to facilitate use of the highly optimized simulation tools
available. Ó 1999 Elsevier Science B.V. All rights reserved.
Keywords: Diagnosis; Model-based reasoning; Debugging
1. Introduction
Over the last years, a number of authors have proposed the use of model-based
diagnosis for localizing faults in the designs of artifacts, e.g., bugs in software systems or
I This work was supported by Siemens Austria, under project grant DDV GR 21/96106/4, and the Christian
Doppler Laboratory for Expert Systems.
∗ Corresponding author. Email: mst@dbai.tuwien.ac.at.
1 Email: gerhard@ifit.uni-klu.ac.at.
2 Email: wotawa@dbai.tuwien.ac.at.
0004-3702/99/$ – see front matter Ó 1999 Elsevier Science B.V. All rights reserved.
PII: S0004-3702(99)0 00 34 -X
4 G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39
Fig. 1. The design cycle using VHDL.
communication protocols [7,26]. In this paper, we describe the use of diagnosis techniques
according to the consistency-based approach for identifying faults in hardware design
descriptions. Since a substantial part of the overall effort in hardware design is spent trying
to discover misbehavior and to identify the design errors resulting in this misbehavior, the
use of diagnosis utilities produces a significant return of investment.
Fig. 1 is an overview of the hardware design cycle using a language such as VHDL
(Very High Speed Integrated Circuit Hardware Description Language). We focus on
VHDL because it is one of the most widely used hardware description languages and
an IEEE standard. The initial specification (written in VHDL) delineates the functional
requirements for the hardware to be designed. This is followed by a detailed design on the
register-transfer (RT) level. Once the RTL design has passed all tests, it is automatically
converted (“synthesized”) into a gate-level representation. The design is tested by running
simulations of the VHDL code for a number of test cases. The simulations produce
waveform traces of the values occurring over time on the signal lines in the simulated
hardware (see Fig. 2 for an example). The waveform traces of the program to be tested,
usually comprising several 10,000 signal changes, are compared to the traces generated on
the same input values by the specification or earlier intermediate versions of the design.
A discrepancy indicates the existence of a fault in the design. The design process can
therefore be considered to consist of a sequence of simulate-debug cycles that successively
move the design towards better compliance with the specification.
The average simulation runtime increases strongly throughout the design cycle as
the design becomes more complex and detailed. Conversely, the number of gate-level
simulation runs is lower than on the RT level, since the synthesis process rarely produces
G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39 5
Fig. 2. A typical waveform trace.
errors, and therefore fewer debugging cycles are necessary. Testing the gate-level design,
however, is still a necessity.
Large hardware designs (comprising multiple ASICs and microprocessors) can reach
dimensions of several 100,000 lines of VHDL code and thousands of components and
signals at the top level. For such designs, typically written by a large team of designers,
fault detection and localization becomes a very time-consuming activity. The use of an
intelligent diagnosis tool for supporting this task therefore carries the possibility for
significant increases in designer productivity, but is constrained by the infeasibility of
hand-crafting knowledge bases for the analysis of individual designs. This suggests the
use of model-based diagnosis [11], which is an approach where a generic model of a
domain can be used for the diagnosis of different, individual systems that are composed
from components of that domain.
The usual model-based system representation in diagnosis postulates a set of compo-
nents, a system description (including the structure of the system and the model describing
the behavior of the individual components), and observations. This view can be adapted to
VHDL programs without much trouble. The system description is derived from the VHDL
program together with part of the semantics of VHDL. The observations are either based
on the traces produced by simulating the specification for a given test case, or on indi-
cations of incorrect signal values entered by the user. Components refer to instances of
specific VHDL constructs occurring in VHDL programs. For a detailed exposition of basic
model-based diagnosis terminology, see [25].
The straightforward approach would consist of converting the VHDL program to a
logical representation according to the semantics of VHDL and using a theorem prover
to compute diagnoses. However, given that even an individual simulation run takes from
6 G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39
hours to days of real time, diagnosing a complete logical representation of the full VHDL
program and its semantics is not feasible. If diagnosis is supposed to be used in a design
support tool employed as an extension of the standard VHDL development environment,
diagnoses must be delivered within a reasonable response time to enable interactive use.
A strongly abstracted view of the design must be used for diagnosis.
We use abstraction in two dimensions. First, we abstract over signal values, a decision
that was supported by the results of our initial study, which showed that VHDL
programmers typically ignore exact values at least in the preliminary stages of searching
for an error and instead concentrate on analyzing the functional structure of the design.
Second, we abstract over the actual time-scale used in the simulation (which uses
picoseconds as the default base unit), but retain the capability to distinguish between the
initialization phase and operating mode of a circuit, a requirement for handling feedback
loops. Sufficient discrimination between diagnoses is achieved by applying multiple test
cases and measurement selection. In the VHDL context, the term measurement selection
refers to choosing a set of signals which are not contained in the current waveform trace
and which will need to be traced in another simulation run of the same test case. Further
discrimination can be achieved by asking the user to evaluate the correctness of particular
signals.
The diagnosis system described in this article was implemented to fit into the existing
VHDL design environment and is intended for use in all design phases where VHDL is
used. It employs the consistency-based diagnosis approach [10,11,13,14,16,25], i.e., the
diagnosis system looks for a set of assumptions on the correctness or incorrectness of the
components of the VHDL design that is consistent with the observations produced by the
simulation. It provides:
– An actual industrial application of model-based diagnosis.
– The first actual use known to the authors of model-based diagnosis in a design context.
– An abstracted system description that produces diagnoses on actual designs (with
hundreds of thousands of lines of VHDL code, that will result in ASICs containing
hundreds of thousands of logic gates), in a matter of minutes on a single processor
mid-range workstation.
– Automatic derivation of the system description from the source code, and of the
observations from the standard simulation waveform traces. Thus, in this domain,
construction of the model for each application case is for free.
– No requirements for special annotations or formal external specifications in the
diagnosed VHDL programs. Therefore the tool can be easily used by hardware
designers.
The paper is structured as follows: Section 2 introduces the example we will use
throughout the paper and defines the basic terminology required to apply model-based
diagnosis to VHDL. In Section 3, we discuss the abstracted knowledge representation
used in our tool and its complexity. Section 4 introduces an improved system description
reducing the time complexity to a feasible level. Both system descriptions are based on
representing dependencies through directed acyclic graphs (DAGs), for which a wealth of
algorithms is available. This is followed by an overview of the implementation and test
results of the diagnosis system (Section 5) and finally a comparison with related work
(Section 6).
G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39 7
2. A VHDL example
To give an example of how to design models and find faults in VHDL, we introduce
a simple VHDL program which represents a device we have called D75. The D75 is a




statet + a ∗ b if b > 0,
statet otherwise,
g =






(d + e+ statet−1) after 5 ns if t > 0,3
0 otherwise.
This formal specification can be easily transformed to a specification written in VHDL,
which allows us to simulate the specification and produce a waveform trace.
Fig. 3 shows a possible design of the D75 consisting of four components. A designer who
uses VHDL must now implement a program for every component to get the same behavior
as the specification. The behavior can be tested by checking the waveform traces for every
test case specified by the designer with the specification traces. If this check leads to
discrepancies we want to find the component that causes the misbehavior. The dotted lines
in Fig. 3 show the functional dependencies between inputs and outputs of the components.
The following VHDL code fragment describes the internal topology of the D75 as shown
in Fig. 3.
entity d75_e is
port( signal a,b,c,d,e: in integer;
signal f,g,h: out integer);
end d75_e;
architecture a2 of d75_e is
...
signal s1,s2,s3: integer := 0;
...
begin
i1: c1 port map (a,b,c,s1,s2);
i2: c2 port map (s1,s3,f);
i3: c3 port map (d,e,s3,s3);
i4: c4 port map (s2,s3,g,h);
end a2;
3 The after keyword indicates that the new value is assigned with a delay of 5 ns.
8 G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39
Fig. 3. The D75—diagnosis components.
This VHDL top-level implementation of the D75 shows the most important VHDL
components, entities and architectures. Entities are interface declarations, whereas
architectures are behavior definitions, i.e., they associate a behavior with an entity.
An architecture consists of a set of concurrent statements, so called because they are
executed in parallel (i1 . . .i4 in the example above). Communication between concurrent
statements is achieved by signals. Signals are defined in the (body or interface) declaration
part of the architecture or entity. VHDL is strongly typed. For further details on VHDL
syntax and semantics see, e.g., [4,18,22].
Definition 1. Let Π = 〈A,E〉 be a VHDL program consisting of an architecture A and
an entity E. ConcSt(Π) denotes the set of concurrent statements defined in A. Signals(Π)




i1: c1 port map (a, b, c, s1, s2);
i2: c2 port map (s1, s3, f);
i3: c3 port map (d, e, s3, s3);
i4: c4 port map (s2, s3, g, h);

Signals(〈a2, d75_e〉)= {a, . . . , h, s1, s2, s3}.
Until now we have not defined the behavior of the concurrent statements in our D75
example. To do this we write down signal assignments that are supposed to describe the
behavior for every concurrent statement i1 . . . i4. We write ini for the ith input and outi
for the ith output of the concurrent statement. For convenience, we have ordered the signals
of the port maps so that input signals come first and outputs last.
G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39 9
– i1 port map(in1, in2, in3, out1, out2)
out1 <= in1 * in2;
out2 <= (-1)*(in2 * in3);
– i2 port map(in1, in2, out1)
out1 <= in1 + in2;
– i3 port map(in1, in2, in3, out1)
out1 <= in1 + in2 + in3 after 5 ns;
– i4 port map(in1, in2, out1, out2)
out1 <= in1;
out2 <= in2;
For simplicity, from here on we will refer to a concurrent statement simply by its label.
Signal a b c d e
Test case 1 1 1 1 3 2
Test case 2 3 −1 1 4 2
The VHDL program can now be tested. In our example, we have two test cases which
stimulate the D75 with the following initial input vectors.
The VHDL simulator produces the waveform trace for test cases 1 and 2 shown in
Fig. 5. The trace can be checked for correctness with regard to our specification or an older
(correct) version of the program. In the D75 example, we have a formal specification that
can be transformed to VHDL. Fig. 4 shows the resulting output, the specification trace of
the D75 example for both test cases. We can thus show the correctness of a VHDL program
for a given input pattern and a certain time interval by comparing (automatically) the trace
from the specification execution with the trace of the VHDL program. The discrepancies
are then used as a starting point for computing diagnoses.
(a) (b)
Fig. 4. D75 example—specification waveform trace. (a) Test case 1. (b) Test case 2.
10 G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39
(a) (b)
Fig. 5. D75 example—waveform trace of faulty implementation. (a) Test case 1. (b) Test case 2.
More formally, a trace is defined as follows:
Definition 2 (Waveform trace). Let Π be a program. The waveform trace Trace(Π) is
a set of tuples (called events) 〈s, v, t〉 representing that a certain signal s (defined in Π )
changes to value v at time t .
Trace(Π)= {〈s, v, t〉 | s ∈ Signals(Π)∧ v ∈ Type(s)∧ t ∈ Time} with
(i) Type(s) . . . represents the domain of values for signal s.
(ii) Time . . . represents a discrete set of time values > 0.
The value of each signal at an arbitrary point in time can be observed from the waveform
trace:
Definition 3 (Value). Let Trace(Π) be a waveform trace for Π . The value of each signal
s ∈ Signals(Π) at time t , denoted by value(s, t), is the value that s has taken at the
last event before t that changed s, i.e., value(s, t) = v0 if ∃〈s, v0, t ′〉 ∈ Trace(Π) ∧
t ′ 6 t ∧ 6 ∃〈s, v1, t ′′〉 ∈ Trace(Π): t ′ < t ′′ 6 t ∧ v0 6= v1.
Now we are able to formally define discrepancies.
Definition 4 (Discrepancy). The discrepancies of Π , written as DISCR, are the set of
tuples 〈s, v, t〉 where s ∈ Signals(Π), t ∈ Time, v ∈ Type(s) is the expected value of the
signal s, and value(s, t) 6= v. We write Discrepancy(s)↔∃〈s, v, t〉 ∈DISCR.
A signal discrepancy can be found automatically by comparing waveform traces or as
result of an oracle, e.g., input by the designer of the VHDL program. A signal discrepancy
and the description of the VHDL program (e.g., its concurrent statements) are the input
for the diagnosis engine. Fig. 5 shows the program waveform trace for test cases 1 and
2, where discrepancies for signals g and f , respectively, can be detected confirming the
existence of a misbehavior.
G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39 11
3. Computing diagnoses
In this section we formalize the diagnosis knowledge used in our VHDL-diagnosis
system. The complexity of the VHDL programs to be diagnosed precludes analysis down
to the last detail. The goal, rather, must be to compute results that will enable the designer
to pinpoint the actual fault and find it faster.
Because of the complexity of the problem, we have to be content with a significantly
abstracted representation, governed by the following criteria.
– No diagnoses may be excluded due to abstractions.
– Integration with available commercial simulation packages.
– Computational costs must be minimized by requiring very few additional simulation
runs.
The principal idea is to abstract as much as possible over time and signal values on the
one hand, while preserving the capability to discriminate between substantial parts of the
VHDL-code on the other hand.
3.1. Components
VHDL code is partitioned into hierarchies of concurrent statements which usually
bottom out in a sequence of sequential statements. Such a sequence contained in one
concurrent statement typically comprises only a small fraction of the complete VHDL
program, and as a first approximation it is not worth the effort needed to pinpoint individual
sequential statements as the source of a fault. Therefore, identifying faulty concurrent
statements is our main goal.
Definition 5 (Components). The set of components COMP of a program Π = 〈A,E〉
consists of all concurrent statements of A; i.e., COMP(Π)= ConcSt(Π).
Example (Continued). In our D75 example, COMP(〈a2,D75〉)= {i1, i2, i3, i4}.
Components are connected by signals which are defined in the VHDL code. VHDL
distinguishes between in, out, and in-out signals (used for input, output, and both,
respectively). Each component defines how it uses signals which means that three different
sets of ports are specified for a component.
Definition 6 (Input, output, input/output). Let C be a component of entity E and archi-
tecture A. The set of all signals that are used in C and declared as inputs is called the set
of input signals of C denoted by in(C). The sets of output and input/output signals, called
out(C) and inout(C), are defined in the same manner.
Example (Continued). in(i1)= {a, b, c}, out(i1)= {s1, s2}.
External inout signals are represented as a combination of one input and one output
signal. This is necessary since our system description is based on the assumption that
external inputs to the design are always correct, while of course any outputs sent to the
12 G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39
signal from within the design need not be correct. However, this case typically does not
arise in synthesizable designs.
3.2. Functional system description
Since the simulation is executed by commercial simulation tools we are not able to
compute the dependencies between ports dynamically (except for the trace, the state of the
simulation is not visible). Therefore, we analyze the VHDL code statically and compute
the functional dependencies. The functional dependencies, expressed as logic sentences,
are then used to find the components which are responsible for the discrepancies. We call
the resulting system description Functional System Description (FSD for short).
Definition 7 (Functional dependency). Let C be a component of a programΠ . An output
outi ∈ out(C) depends functionally on a set I ⊆ in(C) if a change of some input signals
inj ∈ I at time t may change the output signal outi at some time t ′ > t . The functional
dependency relation is written as I → outi . The set of all functional dependencies for a
component is denoted by FD(C).
Example (Continued). For component i1 we can see that s1 depends functionally on
signals a and b. So ({a, b}→ s1) ∈ FD(C).
The computation of functional dependencies for sequential statements is described
in [19]. A similar method can be used for VHDL concurrent statements because they can
be viewed as single programs, where their behavior is given using sequential statements.
The main idea of our abstraction is to ignore time and values of the signals. In our
system description we only talk about correct or incorrect signals. Both the time at which
the discrepancy occurred and the expected value are abstracted out. In particular, the output
of a component is correct if the component is correct and the input signals (on which the
output depends) are correct. We use this notion to attempt to attribute faults to system
components and specific concurrent statements if possible.
On one hand this abstraction has the advantage that we do not need to reason about
thousands of time points for hundreds of signals. On the other hand it has the obvious
drawback that we can exclude fewer diagnoses than with a detailed model. However,
programmers use this abstraction during debugging very effectively to identify the faulty
concurrent statement.
So far we have completely abstracted over time and signal values in order to gain
an efficient diagnosis system. However, in order to handle feedback cycles and the
initialization phase of the circuit, at least a simple representation of time must be included
in the model. Consider the following simple model which ignores time completely.
If all input values are correct and the component itself behaves as expected, every output
value of a component has to be correct.
Now assume a circle that contains a feedback loop, i.e., a situation where at least one
signal s that serves as input for a component is indirectly dependent on its own, older value.
This means that we cannot conclude the correctness of s, since s itself would have to be
correct to conclude its correctness. Thus, neither ok(s) nor ¬ok(s) can be derived.
G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39 13
(a)
(b)
Fig. 6. Simplification may lead to unintended results. (a) No observations available. (b) One (negative)
observation.
A simple attempt to solve this problem would be to introduce only two abstract time
points, initialization time and after initialization (or, simply later). In Fig. 6(a) we assume
that we have no information about the behavior. We therefore assume that every signal
value is correctly computed and that every component works as expected. In this case, the
conclusion is that all is well handled by the two-time point model. However, in Fig. 6(b)
we introduce one observation saying that signal S1 has a wrong value. The assumption that
all components, i.e., I1, I2, I3, behave correctly is inconsistent with the observation since
it would lead to the conclusion that all signals are correct at initialization time and at later
time. Since we have three components within one feedback loop we would expect that each
of these could explain the contradiction, i.e., is a single diagnosis. Unfortunately, the model
would only allow to derive the single diagnoses {I1} and {I3}, but not {I2}. To see why, as-
sume that {I1} and {I3} work correctly, but I2 does not, i.e., even though we know that S1
is ok at initialization time, nothing can be stated about the value of S2 either at initialization
time or later. Because I3 is assumed to behave correctly, the value of S3 after initialization
must be correct. From this value, and the assumption that I1 works correctly, we can con-
clude that S1 also has a correct value after initialization which contradicts the observation.
To avoid these problems we first introduce a model which uses the notion of unlimited
linear time and then show that the number of time points we need to consider is bounded.
Definition 8 (FSD part 1: components). Let Π be a VHDL program. The system
description modelling the component behavior of Π is a set of sentences for every







and for the initialization
ok(C)→ ok(C,outi )0.
14 G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39
A predicate of the form ok(C) expresses that the concurrent statement C has a correct
behavior (i.e., produces correct output values in a given case). A predicate of the form
ok(C,outi ) expresses the fact that C produces correct output values for the output signal
outi .
The correct behavior of a single VHDL concurrent statement is described by multiple
rules. It is worth noting that a concurrent statement, i.e., a diagnosis component, does
not directly change the value of a signal. This is due to the VHDL semantics where
multiple concurrent statements can influence the same signal. We therefore say that only
the correctness of the driving signal (C,outi ) should be derived.
Our running example results in a separate rule for each signal assignment:
ok(i1)∧ ok(a)T ∧ ok(b)T → ok(i1, s1)T+1,
ok(i1)∧ ok(b)T ∧ ok(c)T → ok(i1, s2)T+1,
ok(i2)∧ ok(s1)T ∧ ok(s3)T → ok(i2, f )T+1,
ok(i3)∧ ok(d)T ∧ ok(e)T ∧ ok(s3)T → ok(i3, s3)T+1,
ok(i4)∧ ok(s2)T → ok(i4, g)T+1,
ok(i4)∧ ok(s3)T → ok(i4, h)T+1.
As stated above the same signal can be declared as output in different concurrent
statements. In this case a simulator uses a special resolution function to deduce the final
value of a signal at a given time point. This value depends on all the components which
use the signal as output. Components influencing the value of one signal s are drivers for s.
Formally, we define a function Driver associating signals to their drivers such as follows.
Definition 9 (Drivers). Let Π be a program and s ∈ Signals(Π) be a signal. The driver
function associating driving components to signals is
Driver(s)= {c | c ∈ COMP(Π)∧ s ∈ out(c)}.
The following definition adds the behavior of a driver as given by the VHDL semantics
to the functional system description.
Definition 10 (FSD part 2: connections). The system description modelling the connec-
tions of the VHDL program Π is the set of sentences which includes for each signal
s ∈ Signals(Π)∧ s ∈ out(c)∧ c ∈ COMP(Π) the sentence∧
cj∈Driver(s)
ok(cj , s)T → ok(s)T .
Example. Given component i3 from our example the rule
ok(i3, s3)T → ok(s3)T
must be element of the system description.
G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39 15
3.3. Observations
After the programming phase, tests, i.e., simulation runs, are conducted, possibly leading
to the discovery of a misbehavior of the system. Misbehavior is detected by comparing
selected outputs of the program with the outputs of the specification. We will call these
selected outputs together with the stimulated inputs traced signals.
Definition 11 (Traced signals). The set of traced signals TRACED consists of all signals
that are defined in the entity, associated architecture and libraries and that are included in
the waveform trace
TRACED= {s | s ∈ Signals(Π)∧ 〈s, v, t〉 ∈ Trace(Π)}.
Example (Continued). TRACED= {a, . . . , h}.
The traces of the signals in TRACED are used to deduce observations in the sense of
consistency-based diagnosis. If there are no discrepancies in the trace for a signal s, the
ok(s) literal is element of the set of observations. If a discrepancy has been found, then
¬ok(s) ∈OBS.
Signals that are not element of the trace are not observed, but may be included in
an additional simulation, depending on their information content and their observability.
A signal is observable if either a specification for this signal exists or the user is willing to
perform manual inspection.
Definition 12 (Observation). Let TRACED be a set of traced signals. The set of
observations OBS is defined as
OBS= {¬ok(s) | s ∈ TRACED∧Discrepancy(s)} ∪{
ok(s) | s ∈ TRACED∧¬Discrepancy(s)}.
Example (Continued).
Test case 1: OBS= {ok(a), . . . ,ok(f ),¬ok(g),ok(h)}.
Test case 2: OBS= {ok(a), . . . ,ok(e),¬ok(f ),ok(g),ok(h)}.
Next, we need to assign observations to particular points in time since we have associated
time points to the ok predicate declaring a signal to be correct. Since we do not specify the
exact time point when a signal becomes incorrect, we have to choose an assignment of the
observation to a given time point such that no diagnoses are excluded, i.e., every conflict
in our abstraction has to be a superset of (or equal to) a conflict in a “hypothetical most
accurate model”. In other words, we have to make sure that conflicts are not too small.
In the rest of this section we assume that all exogenous quantities, e.g., external input
signals, are assumed to be correct. This removes the need to reason about incorrect behavior
of the outside world. Since we do not consider individual signal values, it follows from
this assumption that it is sufficient to restrict the set of signals represented in the system
description to those that actually are outputs for a component.
16 G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39
Consider the network of components and the signals connecting them. In the following,
for a given pair of components or signals x and x ′, such that a path from x to x ′ exists
in the network, we use the term component distance to denote the number of intermediate
components on the shortest such path.
Example. If the shortest path between signals s and s′ is given by 〈s, c1, s1, c2, s′〉, the
component distance is 2. If the shortest path between components c and c′ is given by
〈c, s1, c1, s2, c′〉, the component distance is 1.
Lemma 13. Given the system description for a program Π , let s, s′ ∈ Signals(Π) such
that the component distance from s to s′ is d . If ok(s)t does not hold for some time
t ∈ {1, . . . , n}, then ok(s′)t+d cannot be derived.
Proof. Note that for the correctness of an output signal to be derived at time t , all
components that assign to the signal must behave correctly, and all input signals of these
components must be correct at time t − 1. Now, let 〈s, c1, s1, . . . , sd−1, cd, s′〉 be the
shortest path from s to s′. Since ok(s)t does not hold, c1 cannot produce a correct value on
its outputs at time t+1, i.e., ok(c1, s1)t+1 does not hold, nor does ok(s1)t+1. In general, for
any signal si on the path, ok(si )t will be derived for t 6 i− 1. At time d − 1, the “missing”
ok value of s reaches sd−1, therefore ok(cd, s′)t+d cannot be derived, therefore ok(s′)t+d
cannot be derived. 2
Corollary 14. Given the system description for a program Π , let c ∈ COMP(Π), s ∈
Signals(Π) such that the component distance from c to s is d . If ok(c) does not hold, then
ok(s)t cannot be derived for t > d .
Proof. Since c is not ok, the output signals of c will not be ok at time 0 (Definition 3.4,
Initialization). If the distance from c to s is d , then according to Lemma 13, ok(s)t will be
derived until time d − 1, but not for t = d . Since the output signals of c will not be ok after
time 0 either, ok(s)t will not be derived for any t > d as well. 2
Lemma 15. Given the system description for a program Π , let s be a signal and let
C = {c1, . . . , cm} be the set of all components in Π for which a path exists from ci to s
(i.e., s is functionally dependent on ci ). If ok(ci) holds for every i ∈ {1, . . . ,m}, then ok(s)t
holds for t > 0 (i.e., s is always correct).
Proof. The proof is by induction over time. For t = 0, for every component c and output
signal s′ of c it follows from Definition 3.4 that ok(c, s′)0, and from Definition 10 that
ok(s′)0. This trivially includes all those output signals s′ that actually lie on the path from
ci to s.
For t > 0, the induction hypothesis is that for all signals s′ that lie on a path from c ∈ C
to s, ok(s′)t−1 holds. From this, we conclude by Definition 3.4 that ok(c,outi )t holds for
all components c and output signals outi , and therefore by Definition 10 that ok(s)t holds
for all signals s. 2
G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39 17
Theorem 16. Given the system description for a program Π , then for n = |COMP(Π)|
and each signal s ∈ Signals(Π), the value of s is ok for any time t > n iff it is ok at time n:
∀S ∈ Signals(Π),∀t > |COMP(Π)|: ok(S)|COMP(Π)| ↔ ok(S)t .
Proof.
Case 1. (⇒) Assume that all components in the system are ok (∀c ∈ COMP(Π): ok(c)).
This means that for every signal s, all components that s depends on are ok. Therefore,
it follows from Lemma 15 that for all signals, ok(s)t holds for t > 0 (i.e., all signals are
correct forever, which is only to be expected). This proves case 1.
Case 2. (⇐) Assume that there is at least one component in the system that is not
known to be ok. We have to distinguish between signals that are functionally dependent
upon such a component and signals that depend only on components that are ok. For a
signal s that depends solely on components that are ok (which means there cannot be a
path of whatever length traceable to s from a component that is not ok, since functional
dependency is transitive), we can conclude as above that the signal will be ok for all time
points t > 0.
Now consider a signal s that depends on at least one component c for which ok(c) is not
known to hold (without limitation of generality, if there are several, take c to be the one
closest to s). From Corollary 14, we know that ok(s)t cannot hold for t > d , where d is the
distance from c to s. Since there are n components in the system and c cannot be on the
path, it must hold that d < n. 2
Corollary 17. For assigning time to observations, it is sufficient to consider n time points
where n is the number of components:
– (¬ok(s)↔¬ok(s)n) ∈OBS for each s ∈ TRACED∧Discrepancy(s).
– Assert (ok(s)↔∧i=0,...,n ok(s)i) ∈OBS for each s ∈ TRACED∧¬Discrepancy(s).
Example (Continued). Let us consider test case 2 and only signals f and g. We have to
assert





For the definition of diagnoses we will apply the consistency-based view as defined by
Reiter [25].
Definition 18 (Diagnosis). A diagnosis ∆ for a VHDL program Π is a subset of
COMP(Π) such that
SD∪OBS∪ {ok(c) | c /∈∆}∪ {¬ok(c) | c ∈∆}
is consistent.
18 G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39
Since in our domain in almost all cases predefined tests are applied to a VHDL program,
we incorporate tests in the definition of diagnosis. Note that because the FSD treats values
abstractly, we do not need to transfer knowledge across tests as in [24].
Definition 19 (Diagnosis with respect to tests). Let TOBS be a set of OBSi where each
OBSi represents the observations for a particular test.




ok(c) | c /∈∆} ∪ {¬ok(c) | c ∈∆}
is consistent.
Consider again our example. For test case 1 there exist two minimal single fault
diagnoses: [i1] and [i4] (the conflict is 〈i1, i4〉). For test case 2 there exist three minimal
single fault diagnoses: [i1], [i2] and [i3] (the conflict is 〈i1, i2, i3〉).
Therefore, there is one minimal single fault diagnosis [i1]. Inspecting the definition of
i1, we note that the if statement concerning the value of signal b is missing. Using two test
cases, we have localized the fault.
As mentioned above, the representation was designed according to the safety principle
that no diagnosis may be excluded. On the one hand, this may result in too many diagnoses.
However, this is not a serious problem if multiple test cases are applied, and in addition the
user can be asked to judge the correctness of a signal.
On the other hand, the calculation of diagnoses is simple and fast enough for computing
diagnoses even for large programs. This is exactly the case where assistance for fault
localization has a very high return on investment.
Note that if we were willing to accept lower performance for the sake of more detailed
reasoning about the VHDL program, we still would need to cope with a modelling problem
since often physical hardware components (like microprocessors) are used to speed up the
simulation. For such components a VHDL model or some other formal description would
have to be specified, which would increase the design development costs significantly.
3.5. Complexity issues
Unfortunately the need to introduce discrete time points implies that the size of the
system description does not increase linearly with the size of the system.
Theorem 20. Let Π be a program, COMP(Π) the set of diagnosis components in Π , and
Signals(Π) the set of signals defined in Π . Then the following propositions hold:
(i) The number of rules of the system description SD for COMP(Π) and Signals(Π)
is of order o(|Signals(Π)| · |COMP(Π)|2).
(ii) The number of literals of the system description SD for COMP(Π) and Signals(Π)
is of order o(|Signals(Π)|2 · |COMP(Π)|2).
(iii) The time complexity for deriving a contradiction out of the system description is of
order o(|Signals(Π)|2 · |COMP(Π)|2).
G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39 19
Proof. Let |COMP(Π)| be the number of components (concurrent statements) of Π and
|Signals(Π)| the number of signals defined in Π .
Since in the worst case all signals are used as input and output for every component
the number of rules is of order |COMP(Π)| · |Signals(Π)| for every time point. Because
of Theorem 16 we have to consider |COMP(Π)| + 1 time points, the number of rules
is of order |COMP(Π)|2 · |Signals(Π)|. With similar arguments we prove the second
proposition. In the worst case all signals are used as input and output for every component,
leading to |COMP(Π)| · (|Signals(Π)| + 1) · |Signals(Π)| literals for every time point.
Since there are |COMP(Π)| + 1 points on the time axis, there are o(|COMP(Π)|2 ·
|Signals(Π)|2) literals. The third proposition follows directly from the second one by using
the following arguments. The time complexity of resolution algorithms for propositional
horn clauses is of linear order related to the number of literals [20]. Therefore deciding
if a contradiction can be derived using the FSD is limited by the squared number of
components multiplied by the squared number of signals. 2
For programs with hundreds of components, the nonlinear size of the system descrip-
tion implies very long runtime for the consistency checks required during the search
for diagnoses. Since usually multiple consistency checks are required, a straightforward
implementation of this system description results in completely unsatisfactory perfor-
mance. Therefore, for implementation purposes this representation is transformed into a
system description that employs a simplified approach for subsystems which are not in-
volved in the kind of cyclic dependencies that led us to introducing distinct time values
in the first case. The modified approach produces system descriptions that grow linearly
in terms of system size. The transformation is presented in the following section (see
also [28]).
4. Reducing time complexity
In this section we introduce a graph theoretic approach of reducing the size of the system
description, i.e., the number of literals. First, the functional dependencies of the underlying
VHDL program are modelled by a graph. The graph is then transformed and mapped to an
improved system description. We conclude the section by discussing the impact of using
standard measurement selection approaches [13] and restrictions resulting from them.
4.1. Functional dependencies as graphs
This section describes the transformation of VHDL program components to a directed
graph.
Definition 21 (Ports). Let COMP(Π) be the components of a VHDL program and
Signals(Π) the set of signals of the program. The set of all ports of a component
C ∈ COMP(Π) is defined by Ports(C) = {(C,out) | out ∈ Signals(Π) ∧ ∃(in→ out) ∈
FD(C)}. We call each pair (C,S) from Ports(C) a port of C.
20 G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39
Note. (C,S) actually represents an output port (as opposed to input port) of C, but in the
following, input ports are never explicitly represented. From here on, we use the term port
to refer to output ports exclusively.
We now define the mapping from a VHDL program to the graph expressing the
dependencies in the program.





The FD graph G = (V ,E) for Π is a directed graph, defined by:
(i) The set of vertices is the set of ports and signals: V = PORTS∪ Signals(Π).
(ii) There is an arc from each port to every signal dependent on that port, and from each
signal to every port depending on that signal:
∀C ∈ COMP(Π): ∀(I → out) ∈ FD(C):(
(C,out),out
) ∈E∧∀ini ∈ I : ((ini ,C,out)) ∈E.
We write COMP(G) for the set of components COMP(Π) occurring in G.
Example. This example shows the component view of a VHDL program and its FD graph.
The associated VHDL program could be, e.g., a clock generator (corresponding to the
VHDL statement S <= not S after 10 ns).
Fig. 7 shows the graphical representation of the VHDL component with connections,
and the associated FD graph G.
The following properties follow immediately from the definition of FD graphs.
Corollary 23 (Properties of the FD graph). Let G = (V ,E) be the FD graph of a VHDL
program Π . The graph G has the following properties:
– The set of arcs contains only arcs from port nodes to signal nodes and from signal
nodes to port nodes. There are no arcs connecting nodes of the same type.
– There exists not more than one arc from a particular port node to a particular signal
node.
– The number of arcs is bounded by 06 |A|6 |Signals(Π)| · (1+ |PORTS|).
– The number of port nodes is bounded by 06 |PORTS|6 |Signals(Π)| · |COMP(Π)|.
(a) (b)
Fig. 7. (a) The structural view. (b) The FD graph representation.
G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39 21
4.2. FD graph and functional system description
The FD graph formalizes the notion of the functional dependency which we used directly
in the first part of this paper. Not surprisingly, the Functional System Description can be
derived directly from the FD graph.
Definition 24 (Functional system description, FSD). Let G = (V ,E) be the FD graph of a













ok(Ci, S)T → ok(S)T
]
∈ FSD,
where T ∈ {0, . . . , |COMP(Π)|}.
To achieve our goal of reducing computational complexity, we want to reduce the FD
graph to an acyclic one. This can be done by identifying cyclic subgraphs, reducing them
to a single vertex (called a “super-vertex”) and computing the new edges. Each cycle
in the graph must be covered by such a subgraph. Reducing a graph to a super-graph
by eliminating all cycles individually is not feasible in general because of the possible
exponential number of cycles. Accordingly, we must search for a super-graph that is
acyclic, where each vertex can be computed in linear time, and which is suitable for
diagnosis. The super-graph presented below is based on reduction of strongly connected
components and is adaptable for diagnosis.
First, we need some standard auxiliary definitions. A sequence of arcs that connects two
vertices of a graph is called a path, and a cycle if it is closed.
Definition 25 (Path, cycle). Let G = (V ,E) be a directed graph, and n,n′ ∈ V . A path
P from n to n′ is a sequence 〈n = n1n2 . . .nk−1nk = n′〉 such that (ni , ni+1) ∈ E for
i ∈ {1, . . . , k − 1}. A path P from n to n′ is called a cycle if n= n′.
Next, we want to identify all pairs of components which are in a cycle of the graph
together.
Definition 26 (Connectivity relation). Let G = (V ,E) be a directed graph. Two vertices
v1, v2 are κ-related (v1Rκv2) iff:
(i) v1 = v2, or
(ii) there is a cycle in G that contains both v1 and v2.
The relation Rκ is an equivalence relation that partitions G into subgraphsGκi = (Vi,Ei).
22 G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39
Definition 27 (Strongly connected component 4). Let G = (V ,E) be a graph and G′ =
(V ′,E′) a subgraph of G. G′ is called a strongly connected component (SCC) of G iff
it is equal to an element of the connectivity partitioning of G as defined by Rκ . If the
connectivity partitioning contains only one component (G), then we say that G = G′ is
strongly connected. The inputs and outputs of a SCC G′ = (V ′,E′) are those outside
vertices which are connected to vertices of G′.
inputs(G′)= {v | (v, v′) ∈E∧v /∈ V ′ ∧v′ ∈ V ′},
outputs(G′)= {v | (v′, v) ∈E∧v /∈ V ′ ∧v′ ∈ V ′}.
Note that the inputs and outputs of a SCC can include both signal and port vertices.
Definition 28 (SCC super-graph). Let G = (V ,E) be a graph. The strongly connected
component supergraph (SCCS) Gs = (Vs,Es) (called SCCS) of G is defined by replacing
every SCC of the given graph by a single vertex and replacing each edge that is incident to
one vertex of the SCC by an edge incident to the new vertex:
(i) Vs = {(Vi,Ei) | (Vi,Ei) is a SCC of G}.
(ii) Es = {((V1,E1), (V2,E2)) | (V1,E1), (V2,E2) are SCCs of G ∧∃(v1, v2) ∈E: v1 ∈
V1∧ v2 ∈ V2}.
Some properties follow immediately from this definition.
Corollary 29 (Properties of the SCCS). Let Gs be the SCC super-graph of a graph G, then:
(i) Gs can be computed from G in linear time [21].
(ii) The number of vertices of Gs is bounded by the number of vertices of G (|Vs |6 |V |).
(iii) Gs contains no cycles.
The following example shows the conversion from a VHDL program to the FD graph
and then to the SCCS.
Example. Fig. 8 shows a schematic depiction of a VHDL program containing a feedback
loop, with the resulting FD graph. (FD graph vertices representing signals are shown in
white, vertices representing ports are shown in grey.)










































4 The term “component”, as used in this context, stems from graph theory and in general does not correspond
to any actual component of the VHDL program. If needed, we will make the distinction explicit in the text below.
G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39 23
(a) (b)
Fig. 8. (a) Schematic view. (b) FD graph.










We now eliminate the cycle via the SCC super-graph transformation, resulting in the
SCCS Gs (see Fig. 9). The white-colored vertices of the SCCS are those which contain no
port vertices of the original graph (which implies that they contain a single signal vertex).
24 G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39
(a) (b)
Fig. 10. (a) FD graph. (b) Strongly connected component super graph.
The next example is somewhat smaller and we can give the VHDL code instead of a




architecture N6 of TESTER is
signal S1, S2, S3: std_logic := ‘0’;
begin
S1 <= ‘1’ after 5 ns; -- C1
S2 <= not S1; -- C2
S1 <= S3 and S1 after 3 ns; -- C3
S3 <= ‘0’, ‘1’ after 2ns , ‘0’ after 4 ns; -- C4
end N6;
Computing the FD graph results in the directed graph shown in Fig. 10(a), with the






































(SCC1,SCC2), (SCC3,SCC2), (SCC4,SCC3), (SCC2,SCC5),
(SCC5,SCC6)
}
G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39 25
4.3. A system description with linear complexity
Unfortunately, the size of a FSD is of order n4 where n is the number of nodes
in the graph (see Theorem 20). We now examine some properties which enable us to
transform the FSD to an equivalent system description with linear complexity. The FSD
considers no actual values of signals, merely whether they are observed to be correct or not.
Furthermore, such signal observations only occur as positive ok literals in the lefthand sides
of FSD rules. Therefore, preprocessing the FSD for a given system and set of observations
by removing all such literals from the system description does not alter the correctness of
the FSD for this system and these observations.
Definition 30 (Reduced observations FD graph). Let G = (V ,E) be a FD graph as defined
above, TRACED the set of traced signals, and DISCR the set of discrepancies. The reduced
observations FD graph GRO is the subgraph of G induced by removing all signals occurring
in TRACED \DISCR from V .
In other words, all signals that are observed to be correct and all incident arcs are
removed from the graph. The following example (Fig. 11) shows the effect of the
transformation for an example with two observations. Note that in general, the reduced
observations FD graph may be not connected even if the original FD graph was.
Theorem 31. Given G, TRACED, DISCR, and GRO be defined as above. Then
FSD(G,TRACED,DISCR)≡ FSD(GRO,DISCR,DISCR).
Proof. Removing signal nodes and arcs means that a syntactically different FSD is
produced when Definition 24 is applied. The removal of signals from the graph reduces
Fig. 11. Transformation to the reduced observations FD graph.
26 G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39
the number of antecedent nodes for ports and therefore is equal to applying modus ponens
to rule (i) of Definition 24. For the given set of observations, the affected part of the FSD
is therefore equivalent to the outcome of rule (i) from Definition 24 when applied to the
original graph. Rule (i) is the only FSD rule where signals as input propagate their value
to component outputs, so no other rules are affected. 2
If all signals that are observably correct are removed from the graph, all observations
concerning these signals, i.e., all positive observations, are no longer needed. From here
on, the set of observations under FSD is defined as OBSRO = {¬ok(s)n | s ∈ DISCR}. We
continue to write simply OBS for the set of reduced observations if the use of GRO is
understood.
Given the altered graph, we can now define the altered system description, derived from
the SCC super-graph, which we call SCCS_SD. Intuitively, it is based on the idea that if a
SCC remains in the reduced observations graph, no signals observed to be correct remain
inside. Given our abstract handling of time, that means that if any member of the SCC
is involved in a conflict, all of them are (since each is dependent on all others, it is not
possible to distinguish which of them was responsible).
The figure below shows the transformations involved.







The original VHDL program Π is converted to its functional dependency set FDSet
and then to the associated FD graph G. The FSD was derived from the graph directly.
Instead, we convert G to GRO depending on OBS according to Definition 30. The SCCS of
GRO is used as basis for computing the improved linear system description SCCS_SD. To
formally define the SCCS_SD, we need to extend the signal connection functions to SCC
super-graphs.
Definition 32 (SCC signal connections). Let Gs = (Vs,Es) be an SCCS, and σ =
(Vσ ,Eσ ) be an SCC of the original FD graph G. We define Ports in the same manner
as for the original graph: ∀σ ∈ Vs , Ports(σ )= {(C,S) | (C,S) ∈ Vσ }.
Definition 33 (System description SCCS_SD). Let GRO = (V ,E) be the reduced obser-
vations FD graph of a VHDL program, and Gs = (Vs,Es) the SCCS of GRO. For every
G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39 27
node σ ∈ Vs , let (Vσ ,Eσ ) be the subgraph corresponding to σ in GRO. The SCC System
Description (SCCS_SD) is given by
(i) The outputs of a SCC are correct if the SCC behaves correctly and all inputs are
correct.













(iii) A signal cannot be correct and incorrect at the same time.
ok(S)∧¬ok(S)→⊥ (3)
Note. In the case of a SCC that is a singleton set containing a signal (such as SCC5
and SCC6 in our example), some of the sentences above are trivially true. For example,
according to rule (ii), such a SCC always behaves correctly (since the antecedent is empty).
Under the new SD, the derivation of observations from traces is straightforward. Note
again that since SCCS_SD is derived from the reduced observations graph, no positive
observations are possible.
Definition 34 (Observations under SCCS_SD). For a given set TRACED and DISCR,
the set OBS according to SCCS_SD (also written as OBSSCCS) is given by OBS =
{¬ok(S) | S ∈DISCR}.
Example. To show how the improved system description works, consider the following
example graph (see Fig. 12). The three strongly connected components are SCC1 =
({S1, S2, (C1, S1), (C2, S2)}, . . .), SCC2 = ({(C3, S3)},∅), and SCC3 = ({S3},∅).
We give a number of examples with differing traced signals and discrepancies.
(i) TRACED=DISCR= {S3}. From the definition of the FSD, it follows that all three
components C1,C2,C3 are single diagnoses.
Fig. 12. Example FD graph.
28 G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39
Fig. 13. Reduced observations FD graph.
(ii) TRACED= {S1, S3}, DISCR= {S3}. The only possibility for a single diagnosis is
C3.
(iii) TRACED= {S2, S3}, DISCR= {S2}. In this case there are two single diagnoses, C1
and C2.
The reduced observations graph for case (i) is the same as the original graph. The
reduced observations graph for case (iii) is created by removing node S3 and all incident
arcs. The reduced observations graph for case (ii) is created by removing node S1 and all
incident arcs and is depicted in Fig. 13.
In all cases, diagnosis with SCCS_SD generated from the appropriate reduced
observations graph will answer the same results as the FSD. Note that omission of this
step (i.e., generating the SCCS_SD from the original FD graph) would produce incorrect
results.
4.4. Equivalence of SCCS_SD and FSD
Our next goal is to prove that the SCCS_SD system description produces the same
results as FSD. To do this, we examine the possible derivations that occur using the two
system descriptions. This requires considering sets of components that are merely potential
diagnoses. We call ∆ a diagnosis candidate iff it is of the form {c1, . . . , cn} such that
ci ∈ COMP(Π), for i ∈ {1, . . . , n}. In addition, we define a graph representation of the
potential derivations produced using SCCS_SD. Such a graph is defined for every ok(s)
fact, where s is a signal in the program under consideration.
Definition 35 (Derivation graph). Let G = (V ,E) be a FD graph, SCCS_SD its system
description for a set of observations OBS′, with Gs = (Vs,Es) the resulting reduced
observations super-graph, and OBS the set of reduced observations from OBS′, and let
s be a signal from G. The derivation graph D = (VD,ED) of ok(s) is defined as follows:
(i) ok(s) ∈ VD.
(ii) For every v ∈ VD such that v is of the form ok(s) or ok(c, s) with s being a
signal, let σ ∈ Vs be the SCC including s (respectively (c, s)). Then, it holds that
ok(σ ) ∈ VD, and there is an arc (ok(σ ),ok(v)) in ED. In addition, for every input
I of σ , ok(I) ∈ VD, and there is an arc (ok(I),ok(v)) ∈ ED.
G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39 29
Fig. 14. A derivation graph.
(iii) for every SCC σ ∈ Vs such that ok(σ ) ∈ VD, and for every port (c, s′) in σ , it must
hold that ok(c) ∈ VD, and there is an arc (ok(c),ok(σ )) ∈ ED.
Before we go on to use the graph to show the equivalence of derivations in FSD
and SCCS_SD, we list some basic properties of the graph in relation to the system and
observations. Note that it is not possible that ok(s) ∈ OBS, since there are no positive
observations in OBS. Also, note that D must be finite, since Gs contains no cycles.
Furthermore, all source vertices of D are of the form ok(c) or ok(σ ). A source vertex of
the form ok(σ ) only occurs if σ is a singleton SCC containing a single signal. Remember
that in the latter case, ok(σ ) holds automatically (see note to Definition 33). Finally, every
component C for which a path exists in Gs from a port (c, s′) to s is a source vertex of D.
Example. Consider again the last example (below Definition 34) with TRACED =
{S1, S3} and DISCR= {S3}. The derivation graph for ok(S3) is depicted in Fig. 14.
We continue by first showing that the derivation graph represents the consistency of a
signal being ok with a set of correctness assumptions for components.
Lemma 36. Let D be the derivation graph for ok(s). SCCS_SD ∪OBS |= ok(s) iff ok(c)
holds for all c such that ok(c) is a source vertex of D.
Proof. The structure of the graph D corresponds directly to a sequence of applications of
rules (i) and (ii) from Definition 33 (SCCS_SD).
For the if direction, all antecedents are true. The facts of form ok(c) are true
by assumption, and the facts of form ok(σ ) are automatically true (see the note to
Definition 33). Therefore the derivation described by the graph is valid.
The only if direction follows immediately from the observation that if ok(s) is derivable,
the derivation graph describes the only way in which it can be derived using the Horn clause
rules (i), (ii), and (iii) of Definition 33. Only ok(c) facts can be used to start the derivation,
since there are no positive observations in OBS. 2
Lemma 37. Let GRO = (V ,E) be a reduced observations graph, and D be the derivation
graph for ok(s). For every component c such that there is a path from ok(c) to ok(s) in D,
there is a path from some port (c, s′) (s′ ∈ V ) to s in GRO.
30 G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39
Proof. We designate the SCC of s by σs , and the SCC of (c, s′) by σc . Note that in FDRO
there exists a path between any two vertices in a SCC σ since σ is strongly connected.
First, assume that σc = σs . Then, there exists a path between (c, s′) and s since they are
in the same SCC. Second, if σc 6= σs (i.e., there is no port of c in σs ), there must exist a
sequence of SCCs in D of the form 〈σc = σ1, σ2, . . . , σn = σs〉. Note that every arc in D
that connects vertices corresponding to different SCCs corresponds to at least one arc in
FDRO, since these arcs are defined in terms of inputs to SCCs (rule (i) of Definition 33).
Therefore, for every SCC σi in the sequence except σ1, there is an arc from some vertex in
σi−1 to some vertex vi1 in σi , and for every σi except σn there is an arc from some vertex
vi2 to a vertex in σi+1, and because σi is an SCC, there is a path from vi1 to vi2, as well as
a path from (c, s′) to v12 in σ1 and a path from vn1 to s in σn. Therefore, there is a path in
FDRO from (c, s′) to s. 2
Next, we show (in three steps) the equivalence we are looking for. First, we prove that
SCCS_SD maintains consistency with regard to FSD, then that it maintains inconsistency,
from which it follows easily that it produces the same minimal diagnoses.
Lemma 38. Let COMP(Π), Signals(Π), and FD be the description of a VHDL program
Π , G = (V ,E) its FD graph, TRACED a set of traced signals and DISCR a set of
detected discrepancies, with GRO being the resulting reduced observations SCCS, and
OBSFSD,OBSSCCS the resulting sets of observations. Given a diagnosis candidate ∆, if
∆∪ FSD∪OBSFSD is consistent, then ∆∪ SCCS_SD∪OBSSCCS is consistent.
Proof. Assume that C(∆) ∪ SCCS_SD∪OBSSCCS is inconsistent. In that case, it follows
that there is some S ∈ Signals(Π) such that ¬ok(S) ∈OBS, but ok(S) can be derived. Let
C = {C1, . . . ,Cm} be the set of all components Ci such that a path exists in GRO from a
port (Ci, S′) to S, for some S′ ∈ Signals(Π). Now, since ok(S) can be derived, we know
from Lemma 36 that ok(Ci) holds for every Ci ∈ C. From the definition of OBSFSD, we
know that¬ok(S)n holds, and from Theorem 16, we know that ok(S)n can be derived since
ok(Ci) holds for every Ci ∈ C. Therefore, C(∆) ∪ FSD ∪OBSFSD would be inconsistent
as well, which contradicts our initial assumption. 2
Lemma 39. Let COMP(Π), Signals(Π), and FD be the description of a VHDL program
Π , G = (V ,E) its FD graph, TRACED a set of traced signals and DISCR a set of detected
discrepancies, with GRO being the resulting reduced observations SCCS graph. Given
a diagnosis candidate ∆, if ∆ ∪ FSD ∪ OBSFSD is inconsistent, then ∆ ∪ SCCS_SD ∪
OBSSCCS is inconsistent.
Proof. If C(∆)∪FSD∪OBSFSD is inconsistent, we know that for some signal s such that
¬ok(s)n ∈ OBSFSD, C(∆) ∪ FSD ∪OBSFSD |= ok(s)n. From Corollary 14, we know that
all components c for which a path exists from a port (c, s′) to s must be ok. Therefore,
according to Lemma 37, all components which are source vertices in the derivation graph
D for ok(s) using SCCS_SD are ok as well. This implies C(∆)∪ SCCS_SD∪OBSSCCS |=
ok(s), which produces the desired inconsistency since ¬ok(s) ∈OBSSCCS. 2
G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39 31
Theorem 40. LetΠ be a VHDL program and COMP(Π) the set of concurrent statements,
Signals(Π) the set of signals, and FD a function associating functional dependencies to
every concurrent statement. Further let G = (V ,E) be the FD graph of Π , TRACED a set
of traced signals and DISCR a set of detected discrepancies. For every ∆ ⊆ COMP(Π)
it holds that ∆ is a minimal diagnosis under FSD(G,TRACED,DISCR) iff it is a minimal
diagnosis under SCCS_SD(GRO,TRACED,DISCR).
Proof. We first prove that ∆ is indeed a diagnosis for both system descriptions.
From Lemma 38, we know that ∆ is a diagnosis for SCCS_SD if it is a diagnosis for
FSD. For the only if direction, assume that∆ is a diagnosis for SCCS_SD but not for FSD.
That means that C(∆)∪FSD∪OBSFSD is inconsistent. But then, according to Lemma 39,
C(∆) ∪ SCCS_SD ∪ OBSSCCS is inconsistent as well, which contradicts the assumption
that ∆ is a diagnosis for SCCS_SD.
Since the set of diagnoses for both system descriptions is the same, it follows that the
set of minimal diagnoses is equal as well. We show only one direction. Assume ∆ is a
minimal diagnosis for SCCS_SD but not for FSD. That implies there exists a ∆′ ⊂∆ that
is a diagnosis for FSD. From Lemma 38 it follows that∆′ is also a diagnosis for SCCS_SD,
and therefore∆ is not minimal for SCCS_SD, which contradicts the assumption. 2
Finally we show that the new system description indeed results in better time complexity
than the old one.
Theorem 41 (Time complexity of SCCS_SD). LetΠ be a VHDL program and COMP(Π)
the set of concurrent statements, Signals(Π) the set of signals, and FD a function
associating functional dependencies to every concurrent statement. Further let G = (V ,E)
be the FD graph of Π , TRACED a set of traced signals and DISCR a set of detected
discrepancies. The time complexity for computing a contradiction out of the associated
system description SCCS_SD is of order |COMP(Π)| multiplied by |Signals(Π)|.
Proof. Let c be the number of components (c = |COMP(Π)|) and s be the number of
signals (s = |Signals(Π)|). To prove the theorem we investigate the number of literals
used for the SCCS_SD in the worst case.
First consider rule (ii) of Definition 33. The number of SCCs nscc is bounded by s + c
and is at least 1 (unless there were no components), i.e., 16 nscc 6 c+ s. We further know
that nscc can be computed by adding the number of all components used within a SCC.
Assume that the number of components for the ith SCC is given by ci . Then the number
of literals that occur as a result of rule (ii) (l2) is given by l2 =∑nscci=1(ci + 1). From this
follows l2 =∑nscci=1 ci +∑nscci=1 1, l2 = c+ nscc, and finally l2 6 2 · c+ s .
Second, consider rule (iii). The number of literals for this rule (l3) is proportional to the
number of signals, i.e., l3 = 2 · s.
Finally, the number of literals for rule (i) (l1) is given by the number of inputs and the
number of vertices used in a SCC, such that l1 =∑nscci=1(1 + inputi + verticesi ). We just
give an upper bound. Since an input of one SCC can only be a vertex of another SCC the
sum of inputs and vertices must be limited by the maximum number of vertices of G. This
number is given by s · c. So there must be a constant k such that l1 6 k · s · c.
32 G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39
Because the number of literals is of order s · c and the time complexity is linear in the
number of literals, the theorem holds. 2
In summary, the SCCS_SD system description has a linear time complexity depending
on the number of components, while producing the same diagnoses as the FSD.
5. Practical experience and evaluation results
VHDLDIAG parses VHDL source files to generate a set of diagnosis components and
their interconnections. Diagnoses are computed with standard techniques described in
[12,15,25]. The diagnosis generator uses the component description and a set of
discrepancies to build a hitting set DAG and compute all minimal diagnoses.
To prune the hitting set DAG, we allow only the generation of the DAG up to a fixed
size or depth. Only diagnoses with size up to the DAG depth are computed. To restrict the
set of diagnoses to a relevant focus, we also allow the insertions of fault probabilities for
each diagnosis component computed by simple heuristics based on its complexity.
Additional measurements for discrimination are selected using the minimum entropy
approach as described in [13], together with a graph-based algorithm. In our context,
making additional measurements means specifying additional signals to be traced in
the next simulation cycle. The graph-based algorithm is used for computing optimal
measurements in strongly connected components since inside such components, traditional
approaches do not provide distinguishing information due to the abstract nature of our
model. The algorithm searches for signal vertices which, when removed, cause the
originally cyclic structure to become acyclic. Such a signal set is said to be optimal if
its removal from the graph removes all cycles and is a minimal set with that property.
Our diagnosis approach has been tested on a number of examples, including actual full-
size ASIC designs. The VHDLDIAG system has been used in various design projects.
Although developers are only just learning how to use the system effectively, we can report
the following impacts on the design cycle: The total effort spent on the simulation-design-
debug cycle has been reduced by 25%. Higher savings are expected as users become more
familiar with the tool. Computation costs for simulation runs were reduced by 15%.




Components at top level 379
Number of interface signals at top level 210
Number of signals at top level 412
Maximum number of levels 5
Average number of levels ∼ 2
Size of source code 6 MB
Number of gates in produced circuit > 100,000
G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39 33
Table 2
Fault localization runtimes
Simulation time 10 minutes
Compare time 20 minutes
Diagnosis time 2 minutes
Diagnosis cycle 32 minutes
To illustrate the capability of our diagnosis approach, we show two test situations. In
the first case, we used two different versions of the ASIC implementation, which are
structurally equivalent, and compared them by applying test cases. Discrepancies are
detected using waveform comparison algorithms developed as part of the project [29],
and then converted into observations which the diagnosis tool uses to find the faults in the
program. Table 2 shows the runtime measured (on a SPARC 10/30) for locating a fault.
Because of the knowledge of all signal values over time, VHDLDIAG computes exactly
one minimal diagnosis per level. This diagnosis was always the expected one. A complete
regression test lasts about one hour per test case, whereas manual examination of test
results lasts several hours for only the top level of an ASIC. VHDLDIAG can diagnose
faults at all levels of the ASIC design due to the ability to incorporate all traced signals in
the solution (which is far beyond the ability of a human studying a trace). In general,
we have found a top-down approach to diagnosis most effective from the designer’s
perspective, i.e., after the top level of the test case has been examined, a deeper level will
be examined. The times above list the search for an error at all levels of the design.
In the second case, we used only one ASIC implementation and user input about signal
correctness to find the faults. Every question VHDLDIAG presented to the user reduces the
number of diagnoses. Debugging time can again be saved since VHDLDIAG focuses the
designer’s attention on the relevant signals (in particular by using automatic measurement
selection).
In addition, we show the results of applying VHDLDIAG to 10 test cases based on 4
other real-world ASIC designs. The size of the designs is given excluding the code of the
standard libraries used (which we always assume to be correct). However, the examples
only examine the top level of these designs (i.e., the hierarchical approach described
above would involve further steps to examine lower-level components once the top-level
component is isolated).
Table 3 gives the size and the test cases for the different VHDL designs. Table 4 gives
an overview of the test cases. As mentioned above, we only describe the diagnosis of the
top level of the design. Each test case consists of exactly one VHDL design unit, i.e., an
entity together with an architecture, whose source code contains a single bug. For example,
the top level of the AM ASIC (test case AM_TOP) consists of 493 concurrent statements,
while the BOT component of the AM design (test case AM_TOP) only consists of 14
concurrent statements. The figure gives the number of concurrent statements (Stmnts),
the number of lines of code (LOC) without declarations and comments, the number of
input signals (Inputs), the number of output signals (Outputs), the number of all signals
(Signals) including inputs and outputs, and finally the sccsRatio. The sccsRatio ∈ [0,1]
which describes the fraction of cyclic structure occurring in the test program. It is defined
34 G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39
Table 3
Real-world VHDL designs
VHDL Design Test cases Design size
(kByte)
MU MU_KERN, MUR_KERN, MUR_CLKGEN 952
UL UL_TOP, UL_FSM, UL_SYN 1,474
TL TL 13
AM AM_TOP, AM_M, AM_BOT 2,553
Table 4
The VHDL test cases
Test case Stmnts LOC Inputs Outputs Signals sccsRatio
MU_KERN 90 469 85 60 290 0.80
MUR_KERN 102 1122 81 52 297 0.56
MUR_CLKGEN 33 354 16 12 71 0.64
UL_TOP 25 174 11 10 46 0.97
UL_FSM 13 455 5 7 25 0.84
UL_SYN 14 144 8 4 30 0.77
TL 2 138 3 5 10 0.84
AM_TOP 493 1248 222 30 493 0.49
AM_M 2 11 7 6 15 1.00
AM_BOT 14 83 7 6 19 0.94
by the ratio between the number of vertices of the SCCS graph and the number of vertices
of the original functional dependency graph, i.e.:
sccsRatio= vertices of the SCCS for G − 1
vertices of the graph G − 1 .
A value of 1 means that the graph is acyclic and 0 means that the graph consists of
a single SCC. (Note that because of the properties of the abstract diagnosis model, the
number of diagnosis candidates will typically be higher for a smaller sccsRatio.)
The empirical data were obtained through a three-step iterative procedure.
(i) The (compiled) VHDL program was loaded into VHDLDIAG, together with the
initial observations.
(ii) The diagnosis engine was run, and the test was finished if the resulting diagnosis
candidate was a single concurrent statement. Otherwise, measurement selection
was performed and those signals with the highest utility number included in the
next iteration.
(iii) This measurement-diagnosis cycle was repeated until no further measurements
could be added or one candidate remained.
G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39 35
Table 5
Summarized results for VHDLDIAG
Test case LOC OBS1 OBS2 Cycles Time DTime
[Seconds] [Seconds]
MU_KERN 160 87 230 5 360.1 4.7
MUR_KERN 29 83 229 3 224.6 2.0
MUR_CLKGEN 108 17 40 6 10.4 0.3
UL_TOP 16 13 21 3 1.9 < 0.1
UL_FSM 13 7 10 2 0.6 < 0.1
UL_SYN 10 10 16 3 1.0 < 0.1
TL 84 5 5 1 < 0.1 < 0.1
AM_TOP 22 223 416 3 327.5 6.0
AM_M 9 8 10 2 0.1 < 0.1
AM_BOT 11 8 13 3 0.5 < 0.1
In every case except MUR_CLKGEN, one single concurrent statement was correctly
identified as faulty by VHDLDIAG. In the MUR_CLKGEN test case, two statements
remained which could be only distinguished by using temporal information. Table 5 shows
the resulting data for the different test cases: The lines of code (LOC) of the identified
statement(s), the number of initially observed signals (OBS1), the signals observed at
the end (OBS2), the number of diagnosis cycles (diagnosis and measurement selection)
necessary to reduce the candidates, and the total amount of time Time (including diagnosis
and measurement selection time) as well as the pure diagnosis time DTime.
The total diagnosis time alone remained below 10 seconds in all tests. Three cases show
larger overall runtimes due to the (worst case) quadratic time complexity of the graph-based
measurement selection algorithm. Note that “larger” is relative, since the largest such time
is a minute over 5 steps combined.
Finally, we consider the number of signals examined. Because input signals are assumed
to be correct until otherwise specified, we only relate the number of measurement selection
results to the number of remaining signals and use this number for classification. Formally,
we define the number as
obsRatio= OBS2 −OBS1
Signals−OBS1 .
An obsRatio= 1 means that all signals must be known to minimize the candidate space.
If no additional measurements are necessary, then obsRatio= 0. Fig. 15 shows the result
for the test cases.
We see that the sccsRatio has an influence on obsRatio. However we can only identify
the upper and lower bound of a range describing this influence, because of other parameters
that are involved. For example, the bug location is important, since a bug occurring in
a large strongly connected component needs more signals to be observed than a bug
occurring in a circuit with an acyclic graph. In all cases the obsRatio was less than 0.8
36 G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39











Fig. 15. Number of necessary observations depending on structural design properties.
and the average value was 0.4. Hence the number of signals to be considered as compared
to a full trace was always reduced by at least 20% and by 60% on the average. The average
sccsRatio was 0.78. Again, as in the initial large example, debugging time can be saved
since VHDLDIAG focuses the designer’s attention on the relevant signals (in particular by
using automatic measurement selection).
In summary, VHDLDIAG has shown that:
– A simple model used for model-based diagnosis is good enough for achieving
significant savings in the VHDL design process.
– Especially in the domain of regression tests, fault-finding time can be reduced and
quality can be increased.
– Using VHDLDIAG while implementing a new program helps the designer by
focusing on relevant signals and components.
– At the same time, the diagnosis runtime achieved by the VHDLDIAG prototype is
short enough to permit its use in interactive diagnosis sessions even for very large
VHDL programs.
6. Related work
A number of previous publications dealt with issues related to model-based software
diagnosis, influenced by [7]. However, in our case we had to exploit abstractions in order
to handle large VHDL programs.
A complete abstraction over signal values that only distinguishes between correct and
faulty values in the domain of electronic devices is also proposed in [6], but there is
no analysis of functional dependencies. In contrast, we can generate these dependencies
automatically and use them to construct the model without user interaction. The use of
functional dependencies reduces the set of inputs influencing a given output, resulting in
stronger restrictions on the set of diagnoses.
G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39 37
A different approach to diagnosis and repair of hardware designs is presented in [9]. Due
to restrictions to single faults and gate level designs (nowadays normally automatically
synthesized from high-level designs) its applicability is limited. The Aspect system
developed by Jackson [19] uses functional dependencies between program variables for
checking a less restrictive (and therefore more generally applicable) form of program
correctness than usual in verification systems. However, it also requires explicit program
annotations that contain the specifications for the dependencies, and it does not search for
the source of any differences encountered. An Aspect implementation for the language
CLU exists and has been tested on specially written example programs.
More important, with a long research history in the hardware design community, is
formal design verification (see, e.g., [1,8], for just two examples of the huge body of
work in this area). Implementations of these algorithms have been used with success
on small circuits with limited functionality, but are subject to size and expressiveness
limitations (not all circuits can be verified). It is interesting to note that verification and
diagnosis are complementary rather than contradictory. Verification techniques require a
separate specification that, as discussed, is often not available. If one is available though,
techniques such as model checking, while they do not pinpoint the piece of code that is the
direct source of a problem, can produce counterexamples for violated properties. These
counterexamples could then be used to generate input for diagnosis for actually localizing
the fault. This is the topic of future research.
A number of authors have presented methods and algorithms for error diagnosis in logic
programs [27], commonly referred to under the heading of Algorithmic Debugging or
Declarative Debugging. This approach is originally based on exploiting proof properties of
Prolog programs and is therefore not directly applicable to imperative programming lan-
guages. Derivatives of the Shapiro approach for functional languages using dependencies
between functions have been proposed in, e.g., [17,23]. Advantages of the model-based
approach over the declarative debugging approach were pointed out in [7]. In [5], it was
proven that model-based and declarative debugging are part of the same spectrum of ap-
proaches if a logic program is used as the system description.
The DAACS system presented in [2,3] combines path analysis with probabilistic
reasoning. The probability estimates required for diagnosis depend on programming
style, programming language, program structure, and a number of other parameters. The
Bayesian Networks used by DAACS were developed in sessions with domain experts. The
approach is feasible in their environment (a huge legacy system undergoing maintenance),
but the benefits in the development of new systems are not discussed.
7. Conclusion
We have developed a model-based diagnosis tool for the hardware design process,
resulting in significant savings in terms of overall design effort. In this paper, we
have presented the underlying, computationally feasible approach to diagnosing very
large hardware design descriptions. We used the VHDL language as the basis for our
implementation, but the results can also be used with other hardware description languages.
The model is based on an abstract representation of signal dependencies which are
38 G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39
computed automatically by analyzing the VHDL source code. The process is described
in more detail in [30]. The representation is simple but effective to reason with and lets the
user focus the search for failure locations on a small fraction of the total VHDL code.
A particularly notable feature of our approach when compared with other existing
techniques for debugging VHDL code is that it requires no annotations or specifications
external to the language. It works exclusively on the source code and trace files of the
VHDL program. Not only is it the first successful (in terms of cost saving) application
of model-based diagnosis to software debugging that we know of (some experimental
approaches were discussed in the previous section), but the approach seems, within limits,
to be applicable to other languages and software in general.
Finally, our project shows some important parameters for an application of model-based
diagnosis which are central to our success:
– A simple model was sufficient to achieve significant utility.
– The models are generated automatically, thus no extra effort is needed and the domain
experts can easily apply the tool.
– Last but not least, the diagnosis tool must be tightly integrated into the design
process (e.g., by providing automatic data conversion) so that its use does not impose
organizational overhead on the users.
These points raise interesting issues for further research projects in several areas, such
as in modelling, where the problems of automatic modelling or of finding the “right”
abstractions are of interest. Also, the view of diagnosis as an integral part of the work
process, expressed in the notion of design for diagnosis or the interrelationship of diagnosis
and repair, is deserving of further study.
Acknowledgement
The authors would like to thank Gitti Walder, Cristinel Mateis, and Markus Zanker for
proofreading and the anonymous referees for their helpful comments.
References
[1] M.S. Abadir, J. Ferguson, T.E. Kirkland, Logic design verification via test generation, IEEE Trans.
Computer-Aided Design 7 (1) (1988).
[2] L. Burnell, E. Horvitz, A synthesis of logical and probabilistic reasoning for program understanding and
debugging, in: Proc. International Conference on Uncertainty in Artificial Intelligence, Washington, DC,
1993, pp. 285–291.
[3] L. Burnell, E. Horvitz, Structure and chance: Melding logic and probability for software debugging, Comm.
ACM (1995) 31–41.
[4] J. Bhasker, A VHDL Primer, Prentice Hall, Englewood Cliffs, NJ, 1992.
[5] G.W. Bond, Top-down consistency based diagnosis, in: Proc. DX-96 Workshop, Val Morin, Canada, 1996.
[6] R.R. Bakker, D.C. van Soest, P.A. Hogenhuis, N.J.I. Mars, Fault models in structural diagnosis, in: Proc.
International Model-Based Diagnosis Workshop, Paris, 1989.
[7] L. Console, G. Friedrich, D. Theseider Dupré, Model-based diagnosis meets error diagnosis in logic
programs, in: Proc. IJCAI-93, Chambéry, France, 1993, pp. 1494–1499.
[8] E.M. Clarke, O. Grumberg, D.E. Long, Model checking and abstraction, ACM Trans. Database Systems 16
(5) (1994) 1512–1542.
G. Friedrich et al. / Artificial Intelligence 111 (1999) 3–39 39
[9] Pi-Yu Chung, Yi-Min Wang, I.N Hajj, Logic design error diagnosis and correction, IEEE Trans. VLSI
Systems 2 (3) (1994).
[10] R. Davis, Diagnostic reasoning based on structure and behavior, Artificial Intelligence 24 (1984) 347–410.
[11] R. Davis, W. Hamscher, Model-based reasoning: Troubleshooting, in: H.E. Shrobe (Ed.), Exploring Artificial
Intelligence, Morgan Kaufmann, San Mateo, CA, 1988, Chapter 8, pp. 297–346.
[12] J. de Kleer, Focusing on probable diagnoses, in: Proc. AAAI-91, Anaheim, CA, 1991, pp. 842–848.
[13] J. de Kleer, B.C. Williams, Diagnosing multiple faults, Artificial Intelligence 32 (1) (1987) 97–130.
[14] R. Davis, H. Shrobe, W. Hamscher, K. Wieckert, M. Shirley, S. Polit, Diagnosis based on structure and
function, in: Proc. AAAI-82, Pittsburgh, PA, 1982, pp. 137–142.
[15] R. Greiner, B.A. Smith, R.W. Wilkerson, A correction to the algorithm in Reiter’s theory of diagnosis,
Artificial Intelligence 41 (1) (1989) 79–88.
[16] W.C. Hamscher, R. Davis, Diagnosing circuits with state—An inherently underconstrained problem, in:
Proc. AAAI-84, Austin, TX, 1984, pp. 276–282.
[17] J.E. Hazan, R.G. Morgan, The location of errors in functional programs, in: Proc. International Workshop
on Automated and Algorithmic Debugging, AADEBUG, Linköping, Sweden, 1993, pp. 134–170.
[18] IEEE Standard VHDL Language Reference Manual LRM Std 1076-1987, 1988.
[19] D. Jackson, Aspect: Detecting bugs with abstract dependencies, ACM Trans. Software Engineering and
Methodology 4 (2) (1995) 109–145.
[20] M. Minoux, LTUR: A simplified linear-time unit resolution algorithm for Horn formulae and computer
implementation, Inform. Process. Lett. 29 (1988) 1–12.
[21] B.M.E. Moret, H.D. Shapiro, Design and Efficiency, Vol. I, Algorithms from P to NP, Benjamin/Cummings,
Redwood City, CA, 1991.
[22] Z. Navabi, VHDL Analysis and Modeling of Digital Systems, McGraw-Hill, New York, 1993.
[23] H. Nilsson, Declarative Debugging for Lazy Functional Languages, Ph.D. Thesis, Linköping University,
1998.
[24] O. Raiman, J. de Kleer, V. Saraswat, M. Shirley, Characterizing non-intermittent faults, in: Proc. AAAI-91,
Anaheim, CA, 1991, pp. 849–854.
[25] R. Reiter, A theory of diagnosis from first principles, Artificial Intelligence 32 (1) (1987) 57–95.
[26] M. Riese, Model-based diagnosis of communication protocols, Ph.D. Thesis, EPFL Lausanne, 1993.
[27] E. Shapiro, Algorithmic Program Debugging, MIT Press, Cambridge, MA, 1983.
[28] M. Stumptner, F. Wotawa, Modeling VHDL programs for diagnosis with linear computational complexity,
Technical Report DBAI-MBD-TR-95-03, Technische Universität Wien, 1995.
[29] M. Stumptner, F. Wotawa, A model-based tool for finding faults in hardware designs, in: Proc. Artificial
Intelligence in Design, Stanford, CA, 1996.
[30] F. Wotawa, Applying model-based diagnosis to software debugging of concurrent and sequential imperative
programming languages, Ph.D. Thesis, Technische Universität Wien, 1996.
