A Symbolic Technique for the Efficient ATPG of Speed ... - CiteSeerX

A Symbolic Technique for the Efficient ATPG of Speed-Independent Circuits y

Marco A. Pe˜nay , Enric Pastory and Jordi Cortadellaz Department of Computer Architecture Universitat Polit`ecnica de Catalunya 08034 Barcelona, Spain marcoa, enric @ac.upc.es

f

g

Abstract This paper presents a new symbolic ATPG approach for stuck-at faults in speed-independent asynchronous circuits. A closed system is built by composing the circuit model and the specification. Then, a fault is injected in the circuit and the closed system is analyzed by symbolic model checking techniques. The fault is manifested if a discrepancy state is reached. A sequence of events to reproduce the failure in a real circuit is generated during the test application phase. Such sequence is transformed into synchronous test vectors, suitable for commercial testers. The main contribution of this work is the use of the circuit’s specification to efficiently drive the analysis, and the assumption of the fundamental mode of operation in order to reduce the state space required for the analysis and test pattern generation.

1 Introduction Major research efforts in the field of asynchronous circuits have been devoted to solve the problems of automatic synthesis and verification of circuits [3]. However, testing is still to be satisfactorily solved. The absence of global synchronization in asynchronous circuits makes controllability and observability significantly more costly than in synchronous ones. A circuit cannot be “single-stepped” through a sequence of states, therefore typical synchronous test techniques cannot be directly applied. Moreover, due to the large amount of feedbacks and state holding elements, design for testability requires a high area overhead [5]. Finally, asynchronous circuits may have hazards or races when faulty, and these delay faults are very difficult to test [6]. Conversely, some asynchronous circuits that use local handshakes to synchronize operations can be easier to test, since a stuck-at fault on a handshake signal causes a communication deadlock, an effect easy to detect. Some classes of asynchronous circuits are self-checking under certain fault models, i.e. a fault halts the circuit while it is in normal operation. Speed-independent, delayinsensitive and quasi-delay-insensitive circuits are selfchecking under the output stuck-at [2], the input stuck-at [5] and the isochronic transition [12] fault models, respectively. For asynchronous circuits designed under certain delay assumptions, the problem of ensuring some bounds for the delay along paths in a fabricated circuit has been considered [14, 7]. Design for testability techniques have been also proposed, such as the insertion of observation and control points [5] or test signals [12], as well as scan-path techniques [7, 1]. Finally, since commercial testers are inherently synchronous, it has been proposed to test asynchronous circuits by synchronous test vectors [1, 11]. In [1], the asynchronous circuit is modeled as a synchronous one by cutting feedback loops with virtual syn-

 Work supported by the Ministry of Education of Spain under contract CYCIT-TIC 98-0410-C02-01.

z

Department of Software Universitat Polit`ecnica de Catalunya 08034 Barcelona, Spain [email protected] chronous flip-flops, such that state-of-the-art synchronous ATPG techniques can be used. However, the obtained test vectors must be validated on the asynchronous circuit by means of simulation. Such validation has been shown to be optimistic [11], thus invalid, in the presence of nonconfluence caused by a fault. In [11], the non-faulty circuit is analyzed to find all input sequences that can be used synchronously, such that neither non-confluence nor oscillation is produced. Then, the behavior of the circuit is abstracted in terms of a synchronous deterministic finite state machine, which is analyzed as follows. As a first step, Random TPG is used to quickly cover a significant number of faults. With the remaining faults a symbolic 3-phase ATPG approach (fault activation, state justification and state differentiation) is used. Finally, each test sequence is efficiently simulated over other faults trying to find all those faults also covered by the same sequence. The results obtained under the input stuck-at fault model, show a very high fault coverage for speed-independent circuits and promising coverage rates for hazard-free circuits with bounded delays. Moreover, since the specification is not used, a wide class of asynchronous circuits can be analyzed with this approach. However, the drawback is found in the 3-phase ATPG approach, being very complex and costly in terms of CPU and memory. This fact is specially noticeable in those circuits where a low fault coverage is achieved by the Random TPG step due to their topology. This paper presents an ATPG technique to produce synchronous test vectors for speed-independent circuits. It might be applied after the Random TPG and prior to the “brute force” 3-phase ATPG, to overcome the complexity problems shown by the approach presented in [11]. The major features of the presented approach are: The specification is used to reduce the complexity of the state space exploration. The analysis is based on known efficient symbolic model checking techniques. Produced test vectors can be used with synchronous testers, thanks to the fundamental mode assumption.

  

The paper is organized as follows. In Section 2 the proposed ATPG methodology is outlined. Section 3 briefly introduces the formal models used along the paper. Section 4 introduces the fundamental mode of operation required for testing asynchronous circuits using synchronous testers, and discusses some preliminary results. Section 5 reviews the testability notion in such context. Section 6 illustrates the methodology with a simple example. Finally, Section 7 gives some conclusions and discusses future work directions.

2 Overview The presented approach (see Figure 1) relies on the stuck-at fault model but, unlike in typical ATPG algorithms for synchronous circuits, the structure of the circuit is not used. The functional equivalence of the stuck-at faults is used instead.

Specification (STG)

Circuit Under Test (CUT)

b+

c+

c− d−

p6

Inject a fault ’f’ −> CUT f

p7

p8

p9 b−

Closed System: STG − CUT f

p11

p10

a+

p2

p1

p3 e+

d+

Fundamental Mode Analysis

p4 a−

p5 e−

(a) Discrepancy States : Inhibited Transitions & Premature Firings

00000 s1 a+ d+

Back−Trace

abcde

10000 s2

c+

10010 s3 e+

Sequence of test vectors for fault ’f’

10100 s4 c+

10011 s5

Definition 2.1 (Failures) A signal transition is inhibited if it should occur according to the specification, but it does not occur. A premature firing corresponds to a signal transition that occurs earlier than specified. The detection of a failure is not useful if we cannot extract information about how to reproduce the discrepancy (fault activation). Hence, test patterns which detect the presence of such fault in the circuit under test, must be generated. A back-trace process performed from the discrepancy state to the initial one, generates a sequence of transitions reproducing the failure (state justification). The set of test vectors for fault f is directly derived from such sequence. The procedure continues by choosing a remaining fault and performing the above steps until all faults have been analyzed. Speed-independent circuits are 100% testable under the output stuck-at fault model [2], since faults cause the circuit to halt prematurely in a stable state. In our approach, the main analysis is performed using the fundamental mode of operation (Section 4). Therefore, all stable states are analyzed, and hence all output stuck-at faults are automatically covered. On the other hand, some input stuck-at faults can be left uncovered since their effect might not be observable in a stable state. However, since the approach is intended to be used in a general ATPG framework, like that of [11], the input-stuck at fault model is used, in order to cover as many faults as possible and to leave less work load for the costly 3-phase ATPG.

3 Models State Transition Diagrams (STDs) [15] constitute the lowest level model for the representation of asynchronous circuits. STDs consist in an explicit enumeration of the state space the circuit. An STD is a 5-tuple S; E; AI ; AO ;  , where S is a set of states, E S S is a set of edges (state transitions), AI is a set of input signals, AO is a set of non-input

 

h

i

e−

00010

c+

a−

b+

d+

11010 s15 c−

e+

11011 s18

c−

a−

01011 s20

s19

c−

e−

01010

d−

s11 11000

c−

s17

e−

01110

e+

a−

01111

b+

c−

11111 s14 b+

e−

00110 s16

d+

11110 s10

00111 s13

s12

c+

11100 s7

b+

e+

10111 s9

00011 s8

Test pattern generation is driven by the circuit specification, by means of efficient symbolic model checking techniques for speed-independent circuits [10]. The approach starts by choosing a possible fault f , which is injected in the circuit model. Then, the new model is confronted against the specification of the fault-free circuit. The detection of discrepancy states, is related to the presence of fault f , which causes either a premature firing or an inhibited transition. The detection of such failures is subject to the observability at the primary outputs of the circuit, in a total stable state, i.e. state differentiation (see Section 5).

10110 s6

c+

a−

Figure 1: ATPG approach for speed-independent circuits

b+

d+

s21

b−

00010

s22

(b) b

c

C

k

d a j

e

(c) Figure 2: (a) Signal Transition Graph, (b) its State Transition Diagram and (c) a Speed-Independent implementation signals, and  : S 0; 1 jAI [AO j is a total labeling function that encodes each state with a binary vector of signal values. Rising (falling) transitions of signal a are denoted a+ (a?), and generic transitions a (see the example in Figure 2 (b)). In every edge connecting a pair of states s1 and s2 , (s1 ) and (s2 ) must differ exactly in one signal value, say signal a. Then, signal a is said to be excited (opposite to stable) in s1 . State s2 is directly reachable from state s1 , if there is an edge from s1 to s2 . More generally, for any pair of states s1 ; s2 S , s2 is reachable from s1 if there is a sequence of transitions leading from s1 to s2 .

!f g

2

3.1 Circuit Model In synchronous circuits the state depends on a subset of signals called state signals, including some input and flip-flop signals. The order of the transitions along combinational paths is not relevant. The only limitation is that they all must occur in a limited cycle time. Conversely, asynchronous circuits can be seen as an arbitrary interconnection of gates and delay elements. Therefore, states must be defined by the values of all signals, since feedback loops are not cut by clocked flip-flops. Speed-independent circuits rely on the unbounded delay model [3], under which the next state of a circuit only depends on its present state. A gate is excited if its output

differs from the function it implements, and is stable otherC C wise. Provided the STD S C ; E C ; AC I ; AO ;  capturing the underlying state space of a circuit, a next-state function C : S C ACO S C can be defined for each gate implementing a non-input signal. Function C (s ; a) returns either the state reached from s by switching signal a if it was excited, or s if it was stable.

h



ss

i

!

ss

h



[ ! f

h

h

i  !



i

g  f ?g

i



sc sc

ss

Signal Transition Graphs (STGs) where introduced by [13, 4] as a specification formalism for asynchronous sequential circuits. An STG is an interpreted Petri net [8], and as such it is capable to explicitly capture the notions of causality, concurrency and choice. A Petri net (PN) is a 4-tuple, N = P; T; F; m0 , where P is a set of places, T is a set of transitions, F (P T ) (T P ) is a flow relation, and m0 : P IN is the initial marking. A marking of a PN is an assignment of a nonnegative integer to each place. The structure of a PN defines a set of firing rules that determine its behavior. Transition t is enabled when each predecessor place is marked. When t fires, one token is removed from each predecessor place and one token is added to each successor place. The PN moves from one marking to another by firing one of the enabled transitions. An STG is a triple N; A;  , where N is a Petri net, A = AI AO is a set of (input and non-input) signals, and  : T A 1; 2; : : : +; is a transition labeling function. Transitions in an STG describe value changes at the signals of a circuit. A signal transition can be represented by aj + (or aj ?) for the j -th rising (falling) transition of signal a, while aj  is a generic name for either a rising or a falling transition. An STG can be directly translated into S S an STD S S ; E S ; AS I ; AO ;  by transforming the reachable markings into states [13, 4]. Figure 2 shows an STG and its corresponding STD. Finally, a next-state function S : S S T S S S can be defined, that transforms a marking (including signal values) by firing a transition. The state space, the next-state functions of the circuit and the specification have been modeled in terms of boolean algebras and characteristic functions, allowing an efficient symbolic manipulation by means of BDDs (see [9]).

!

4 System analysis 4.1 Specification-Circuit Composition The main part of the analysis is performed on a closed system composed by the circuit and its specification in terms of an STG. Note that an STG not only models the behavior of the circuit, but also the behavior of the environment in which the circuit will work. The closed system establishes a relationship between the interface signals of the circuit and its specification/environment, in a one-to-one fashion. The idea of synchronization between the specification and the circuit is simple. It is assumed that the initial state of the STG is consistent1 with that of the circuit, and it is stable. The reachable states are calculated by means of symbolic breadth-first traversal techniques. The traversal starts by firing an input transition synchronically in both the specification and the circuit. Then, the STG and the circuit are left to stabilize separately according to the fundamental mode of operation. Therefore, output and internal signals of the circuit will switch independently of those of the STG. The 1 Values of the input and output signals of the STG are equal to those of the corresponding signals of the circuit.

Inputs fire synchronically

ss

3.2 Specification Model

[

sc

sc

Non-inputs fire separately Verification of binary codes

Figure 3: Keeping the state along the traversal synchronization is produced again by comparing the values of the interface signals in the total stable states reached. If a discrepancy is found the traversal stops. Then, a backwards analysis, like that used to produce failure traces in formal verification techniques as [10], is started to generate a sequence of transitions which reproduce the fault effect. If no discrepancy was found the process continues by firing a new input transition. The states of the specification and the circuit are kept separately. The state of the specification is represented by a binary vector sS S S , where each ci in sS = (c1 ; : : : ; cjASI [ASO j ) is the value of signal a of the STG. In the same way, the state of the circuit is represented by a binary vector sC S C , where each si in sC = (s1 ; : : : ; sjACI [ACO j ) is the value of signal si of the circuit. Synchronizations between the specification and the circuit are produced when switching input signals and when checking the binary codes of the total stable states reached after the independent stabilization (Figure 3). Internal signals fire independently to each other. Premature firings are manifested by a discrepancy state in which some output signal in sC switched, while its corresponding output signal in sS did not. On the other hand, inhibited transitions are manifested by a discrepancy state in which an output signal in sC did not switch, while its corresponding output signal in sS did.

2

2

4.2 Fundamental Mode The asynchronous behavior of the circuits under test must be adapted to the synchronous operation mode of testers. The adaption can be done by imposing the fundamental mode of operation [3] during test generation. Fundamental mode assumes that the circuit starts in some stable state, i.e. all signals have fixed values and have no tendency to change. By definition, the circuit persists in a stable state until an input change from the environment occurs. After that, the environment is not allowed to change the inputs until the entire circuit stabilizes (a new stable state is reached). Definition 4.1 (Total Stable State) A state s S is a total stable state if only input transitions are enabled on it. That is, neither internal nor output transitions can fire from s : [ (s ; s0 ) E : (s )a = (s0 )a a AI ] : Definition 4.2 (Input Successor State) S and a transition a of an Given a total stable state s input signal a AI excited on s , the Input Successor State, ISS(s ; a) = s0 , is the state reached from s by firing a : [ (s ; s0 ) E (s )a = (s0 )a a AI ] :

2

8

2

6

2

2

2

) 2

^

6

^ 2

Definition 4.3 (Output Burst of States) Given an input successor state s S , the Output Burst of States of s , OBS(s ), is the maximal connected set of states reached iteratively from s , by just firing any sequence of noninput transitions.

2

h

i

/* Let  = C; S be the closed system. */ FM traverse System () Reached := From := initial state; repeat (To1 , To2 ) := traverse step (, From, Reached ); New := (To1 To2 ) Reached; Reached := Reached New; From := total stable states(To2 ); until (New = ) or (From = ); return (no discrepancy); /* Fault not covered. */

abcde

f

00000 s1 a+

f

[

g

;

g

f

traverse step (, From, Reached) Reached 1 := ; foreach (input signal a AI ) Reached 1 := Reached 1  (From; a); From := Reached 1 ; Reached 2 := Reached; /* System stabilization. */ repeat foreach (non-input circuit signal b AC O) From := From C (From; b); foreach (non-input environment signal b AS O) From := From S (From; b); New := From Reached 2 ; Reached 2 := Reached 2 New; From := New; TST := total stable states(Reached2 Reached ); if ( dispcrepancy (, TST) ) then back trace (, TST, Reached1 Reached2 ); exit (discrepancy); /* Fault covered. */

;

2

[

f

?

2

[ [

2

[

f

g g until (New = ;);

g

d+

return (Reached1 , Reached2

?

[

? Reached);

Figure 4: Symbolic algorithm for state space traversal in FM An approach for the state space exploration of a circuit, can be easily derived in terms of these definitions. Let us assume s0 S be the initial state, which is a total stable state2 . For this state, and for each input transition a enabled on it, ISS(s0 ; a) is computed. Then, the corresponding OBS set is calculated for each input successor state (note that an OBS set could lead to more that one total stable state in cases of non-determinism, for example). The process repeats again starting from the total stable states in the computed OBS set. Thus, given a stable state, an input transition is fired. Then, the circuit is left to stabilize, and no new input transition is allowed until all possible internal and output transitions have happened. Figure 4 depicts the symbolic traversal algorithm according to the fundamental mode of operation, while figure 5 shows the resulting state space exploration for the example in Figure 2. Notice that the visited states are a subset of the full state space. This is due to two main factors derived from the fundamental mode assumptions [9]: Only total stable states are used as “source” for further explorations. Given a total stable state, only one input transition is allowed to fire at a time. It is important to note that in a conventional traversal for the verification of the speed-independence, the full state

2

 

2 If s is an unstable state, the system must be left to stabilize 0 prior to beginning the state exploration. This means to compute OBS(s0 ) and then use the total stable states in it as the source for the state exploration procedure

c+

10010 s3

? [

;

10000 s2

e+

c+

10011 s5

c+

00010 s12

11100 s7 b+

e+

a−

b+

00110 s16

c−

e−

e+

ISS(s9,b+)

11011 s18

c−

a−

01011 s20

01110 s19 c− d−

11000

d+

11010 s15

11111 s14 01111 s17

b+

c− s11

c−

e+

b+ a−

e−

d+

11110 s10

00111 s13

c+

b+

10111 s9

00011 s8 e−

d+

10110 s6

c+

a−

OBS(s2)

10100 s4

e−

01010

s21

b−

00010

s22

Figure 5: Example of FM state space traversal space is analyzed [10]. Conversely, in our ATPG methodology, though based in similar principles, the check for discrepancy states is done only on total stable states. No check is done in the unstable states because they will not be observable during the test application phase. Moreover, since the intermediate unstable states are no longer needed, there is no need to keep them along the traversal. These two facts result in an important improvement in CPU and memory cost. Tables 1 and 2 summarize some results about the fundamental mode traversal obtained with an experimental tool running on a SUN Ultra 170E workstation with 265Mb of main memory. Data in Table 1 is organized as follows. Columns ‘X’, ‘Y’ and ‘Z’ contain, the total number of states, the number of states reached by the fundamental mode traversal algorithm, and the number of total stable states, respectively. Note that an important reduction in the number of visited states is achieved by the fundamental mode algorithm and that the reduction is even greater if only total stable states are taken. Thus, visited states and total stable states only represent the 27% and the 7% of the total number of states, respectively. Table 2 contains data for benchmarks with a huge state space, where those percentages are even better. Columns ‘A’, ‘B’ and ‘C’ contain respectively the number of states of the complete state space, the number of BDD nodes required to represent them, and the seconds of CPU employed. Similarly, columns ‘D’, ‘E’ and ‘F’ contain the number of total stable states, the number of BDD nodes, and the CPU seconds, if a fundamental mode analysis is done. Notice that some circuits could only be analyzed in the second case due to memory limitations. CPU time is slightly bigger although in cases like par 16 it is lower due to better variable reordering along the traversal.

5 Testability Due to the synchronous nature of testers, only stable states can be observed during the test application phase. Thus the notion of fault detectability can be defined by: Definition 5.1 (Testable fault) A fault is testable in an asynchronous circuit if there exists a sequence of test vectors  = t1 ; t2 ; : : : tn such that, all potential sequences of total stable states generated by  from t t the initial state s0 ( s0 1 s1 2 s2 : : : sm ), end up into a total stable state sm in which the failure can be observed at the primary outputs.

!

!

Circuit alloc atod chu150 chu172 dlatch ebergen nak-pa nowick fc.det PMR full wxyz half hybridf i2c mp-fwd IMR input irred trimos-s MR SMR meng7

X 21 24 26 12 10 18 58 20 15 18856 16 11 14 80 28 22 21848 16 324 336 8932 2108 32

Y 21 23 20 12 10 16 36 20 13 3982 16 8 13 56 28 22 4200 16 82 199 2520 1092 26

Z 8 10 8 6 8 8 12 7 3 768 8 6 7 20 14 8 768 10 20 54 768 333 10

Circuit rcv-ifc send-ifc qr42 2 rread rcvs roberto rpdft rwrite read-ctl send-ctl send-pkt BMR t1 tsbmSI tsbmsi vbe10b vbe4a vbe5a vbe5b vbe5c vbe6a wrdata wrdatab TOTAL

X 65 117 64 39 14 66 22 64 21 27 28 2254 151 4730 1024 256 20 44 24 24 192 24 216 62385

Y 63 81 30 37 14 36 22 43 21 27 28 1107 113 1328 752 192 16 28 18 20 160 13 170 16757

Z 15 37 8 17 8 30 16 18 7 10 13 333 37 432 432 64 8 13 11 12 64 4 66 4551

Table 1: Experimental results about the traversal Circuit par 8 par 16 phil 5 phil 10 phil 15 phil 20 phil 25

A 1.6E6 2.8E12 85536 7.4E9 6.4E14 — —

B 1005 3817 1525 34374 36145 — —

C 5 1926 2 93 6188 — —

D 6562 4.3E7 352 125952 4.4E7 1.5E10 2.2E10

E 565 1793 817 1399 9051 2203 3678

F 7 684 5 148 8507 7013 9401

Table 2: More experimental results about the traversal Many of the faults in asynchronous circuits introduce hazards, i.e. undesired switching activity not considered in the original specification of the circuit. Hazards are a potential source of circuit malfunction and —what is more relevant for the test purposes— non-determinism and oscillation [11]. A hazardous circuit may or may not deviate from its expected behavior depending on the working conditions and particular delays in the circuit. Figure 6 pretends to clarify this point for some particular cases. Shaded circles correspond to discrepancy states. Figure 6 (a) shows an example in which a given fault cannot be tested with a test sequence t1 ; t2 ; t3 ; t4 . In this example, after applying the test vector t2 from state s1 the circuit may non-deterministically, either evolve correctly through states s2 , s3 and s4 , or may end up into a discrepancy state. Hence, it is impossible to ensure the fault detection because it can be done only sometimes. Figure 6 (b) shows a typical example of successful test in presence of hazards. Corresponding to the inherent non-deterministic nature of hazards, from state s1 at every new test vector (t2 and t3 ) the circuit may evolve into a discrepancy state or a correct one, finally ending up into a discrepancy state after vector t4 . In the example of Figure 6 (c), the same test sequence may evolve into two different circuit behaviors. After applying vector t2 the circuit evolves to discrepancy states through state s4 in one case, and states s2 and s3 in the second case. In both examples (b) and (c) the fault can be successfully tested. The main difference between asynchronous and synchronous circuits is that in the former, time is continuous, while in the latter time is discrete with the clock period being an indivisible unit of time. This period is chosen in such a way that it is longer than the critical path delay of the combinational logic. A similar reasoning can be done in order to set the clock period of the test machine when testing an asynchronous circuit. That is, the clock period must be set to the

s0

s0

s0 t1

t1

t1 s1

s1 t2

s1 t2

t2 s2

t2

s2 t3

t3

s3

t2

t2

s4 t3

s2 t3

t3

s3 t4

s3 t4

t4

s4

(a)

(b)

(c)

Figure 6: Three situations of testability analysis

maximum time required for the circuit to stabilize given an input signal transition. This time is related to the length of the sequences of states between two total stable states, and strongly depends on the delays of the gates responsible of the state changes along such sequences [9, 11].

6 A simple example Suppose we want to generate a test pattern for a stuck-at-0 fault on internal node k of the circuit in Figure 2. The fault is injected in the circuit model which is then confronted against the specification. Provided the initial state, input transition a+ can fire. If the circuit is left to stabilize, output transitions c+, d+ and e+ can fire concurrently. Thus, total stable state s9 = (10111) is reached. In this state two input transitions may fire, namely a? and b+. Let us assume that b+ fires. In such case, the specification expects output transition c? to occur, but it will never happen in the faulty circuit, because the NOT-AND gate will never switch due to the stuck-at-0 on node k (transition c? is inhibited). In other words, according to the specification the circuit should have reached total stable state s18 = (11011). Instead of this, it halts (i.e. stabilizes) in state s14 = (11111). Using the subset of states visited along the traversal (Figure 7 (a)), a back-trace process is done from the expected final state s18 to the initial state s1 . This process yields a sequence of signal transitions which reproduce the fault effect (see Figure 7 (b), where subsequences in brackets represent concurrent alternatives). If the unstable states are removed, the sequence of Figure 7 (c) is obtained, which can be used to calculate test vectors for checking the fault (see Figure 7 (d)). As an example of premature firing detection, consider test pattern generation for a stuck-at-0 fault on the internal node j of the same circuit. Again, transition a+ can fire from the initial state and the total stable state s9 = (10111) is reached after stabilizing the circuit. In this state, input transitions a? or b+ can fire. If b+ fires, output transition c? should occur, reaching total stable state s18 = (11011) according to the specification. Instead of this, the faulty circuit stabilizes not only producing transition c?, but also transitions d? and e?, and reaching state (11000). That is, transitions d? and e? fire prematurely according to the specification, because e? requires transition a? to happen before, and d? requires b?, but none of them have fired yet. Since the same state traversal than in previous example has been done before finding a discrepancy state, the same set of test vectors will allow the detection of the stuck-at-0 fault on internal node j .

00000 s1 abcde

a+ d+

10000 s2

10010 s3 e+

10100 s4 c+

10011 s5

d+

10110 s6

c+

abcde

c+

e+

10111 s9

2 4

a+

#

d+

d+

c+

e+

c+

d+

c+

e+

e+

# #

# #

#

# #

3 5

00000 s1 a+ [d+ : e+ : c+]

10111 s9

b+

#

b+

c-

11111 s14 c−

b+ [c−]

ab cde

< 00 000 > a+ < 10 111 > b+ < 11 011 >

11011 s18

11011 s18

(a)

(b)

(c)

(d)

Figure 7: Test pattern generation for a stuck-at-0 fault on node k of Figure 2 (c): (a) visited states, (b) sequence of transitions generated by the back-trace process, (c) after removing unstable states, and (d) sequence of test vectors

7 Conclusions The paper has presented a novel efficient approach for the automatic generation of test patterns for speed-independent asynchronous circuits, under the input stuck-at fault model. The approach is based on a symbolic model checking strategy, and employs native asynchronous techniques along all its steps. Since asynchronous circuits can only be stopped in stable states, the fundamental mode of operation is assumed along the analysis. Therefore, the produced test vectors can be used with current synchronous testers. Unlike in other typical ATPG approaches, the structure of the circuit is not used. The functional equivalence of the stuck-at faults is used instead. The circuit and its specification are represented by means of boolean functions and relations, allowing an efficient symbolic processing by using BDDs. Test generation is driven by the circuit specification which, together with the fundamental mode assumption, provides an important complexity reduction. This has been shown by means of memory and CPU results, for normal size and huge examples. Since the targeted circuits are speedindependent, 100% output stuck-at fault coverage is guaranteed, event under the fundamental mode assumption. However, the input stuck-at fault model is used, in order to cover as many faults as possible and reduce the work load left to other costly but more exhaustive ATPG approaches. Therefore, the approach can be complementary used to overcome the complexity problems shown by some ATPG approaches for asynchronous circuits, like that in [11], thus, allowing the generation of test patterns for larger circuits in a reasonable amount of time. Signal Transition Graphs are commonly used by several synthesis and verification tools. STGs have been also used in this approach, allowing the completion of such tools. Currently, only an experimental tool implementing the fundamental mode traversal of the closed system is developed. It has been used to perform the described experiments. Future work includes the development of a complete CAD tool covering the whole approach. It also comprises the analysis of fault coverage rates under the input-stuck at fault model. It is not expected to be too high but enough for the complementary purpose of this work. Provided the preliminary results about the efficiency of the traversal, the

reliability of the complete approach is expected to be proved over a large set of benchmarks.

References [1] S. Banerjee, S. T. Chakradhar, and R. K. Roy. Synchronous test generation model for asynchronous circuits. In Proc. of the International Conference on VLSI Design, Bangalore, Jan. 1996. [2] P. A. Beerel and T. H.-Y. Meng. Semi-modularity and testability of speed-independent circuits. Integration, the VLSI journal, 13(3):301– 322, Sept. 1992. [3] J. A. Brzozowski and C.-J. H. Seger. Asynchronous Circuits. Monographs in Computer Science. Springer-Verlag, 1995. [4] T.-A. Chu. Synthesis of Self-timed VLSI Circuits from Graph-theoretic Specifications. PhD thesis, MIT, June 1987. [5] P. J. Hazewindus. Testing Delay-Insensitive Circuits. PhD thesis, California Institute of Technology, 1992. [6] H. Hulgaard, S. M. Burns, and G. Borriello. Testing asynchronous ciruits: A survey. Technical Report FR-35, Dept. of Comp. Sc. and Eng., Univ, of Washington, Seattle, Mar. 1994. [7] L. Lavagno, M. Kishinevsky, and A. Lioy. Testing redundant asynchronous circuits. In Proc. European Design Automation Conference (EURO-DAC). IEEE Computer Society Press, Sept. 1994. [8] T. Murata. Petri nets: Properties, analysis and applications. Proceedings of the IEEE, 77(4):541–574, Apr. 1989. [9] M. Pe˜na, E. Pastor, and J. Cortadella. Symbolic Techniques for the Automatic Test Pattern Generation for Speed-Independent Circuits. Technical Report RR-97/04, UPC/DAC, Jan. 1997. [10] O. Roig, J. Cortadella, and E. Pastor. Verification of asynchronous circuits by BDD-based model checking of Petri nets. In 16th International Conference on Application and Theory of Petri Nets, volume 935 of Lecture Notes in Computer Science, pages 374–391, Torino, June 1995. [11] O. Roig, J. Cortadella, M. Pe˜na, and E. Pastor. Automatic generation of synchronous test patterns for asynchronous circuits. In Proceedings of the 34th Design Automation Conference, pages 620–625, Anaheim, CA, June 1997. [12] M. Roncken and R. Saeijs. Linear test times for delay-insensitive circuits: a compilation strategy. In S. Furber and M. Edwards, editors, Asynchronous Design Methodologies, volume A-28 of IFIP Transactions, pages 13–27. Elsevier Science Publishers, 1993. [13] L. Y. Rosenblum and A. V. Yakovlev. Signal graphs: From self-timed to timed ones. In International Workshop on Timed Petri Nets, pages 199–206, July 1985. [14] G. L. Smith. A model for delay faults based on paths. In Proc. International Test Conference, pages 324–349, Sept. 1985. [15] A. Yakovlev, L. Lavagno, and A. Sangiovanni-Vincentelli. A unified signal transition graph model for asynchronous control circuit synthesis. In Proc. of the IEEE/ACM International Conference on Computer Aided Design, pages 104–111. IEEE Computer Society Press, Nov. 1992.