test pattern generation using boolean satisfiability

7/30/2019 Test Pattern Generation Using Boolean Satisfiability

1/12

4 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN, VOL. 11 , NO . 1, JANUARY 1992

Test Pattern Generation Using Boolean SatisfiabilityTracy Larrabee, Member, IEEE

Abstract-This article describes the Boolean satisfiabilitymethod for generating test patterns for single stuck-at faults incombinational circuits. This new method generates test pat-terns in two steps: First, it constructs a formula expressing theBoolean diference between the unfaulted an d faulted circuits.Second, it applies a Boolean satisjiability algorithm to the re-sulting formula. This approach differs from previous methodsnow in use, which search the circuit structure directly insteadof constructing a formula from it. The new method is generaland effective: it allows for the addition of heuristics used bystructural search methods, and it has produced excellent re-sults on popular test pattern generation benchmarks.

I. INTRODUCTION0 produce reliable computer systems, defect-free

T omponents must be available. Automatic test patterngeneration (ATPG) systems distinguish defective com-ponents from defect-free components by generating inputsets that cause the outputs of a component under test tobe different if the component is defective than if it is de-fect free. Existing algorithmic ATPG systems for singlestuck-at faults in combinational circuits fall into twoclasses: the structural methods, which perform a topo-logical search of the circuit under test, and the algebraicmethods, which generate test patterns by manipulating al-gebraic formu las.The Boolean satisfiability method is a new algorithmfor test pattern generation for single stuck-at faults incombinational circuits that is neither a purely structuralmethod nor an algebraic one [8], [9]. This method is notonly practical but performs better than most systems nowin use. Before describing the B oolean satisfiability methodin detail we will briefly review the two classes of existingmethods.Structural search methods use a data structure repre-senting the circuit to be tested. To generate a test pattern,they assign values that cause a discrepancy at the faultedline (the fault site) and then search for consistent valuesfor all circuit lines such that the discrepancy is visible ata circuit output. The most successful AT PG systems usestructural search methods. Of these, the most notable arethe D-algorithm, Podem, FAN, and SOCRATES [6], [7],[161, ~ 7 1 .

Manuscript received May 2, 1990. This work was supported by a DigitalEquipment Corporation Student Fellowship. This paper was recommendedby Guest Editor J. Rajski.The author was with the Department of Computer Science, Stanford Uni-versity Stanford, C A. She is no w with the Computer Engineering Board ofStudies, University of California, Santa Cruz, CA 95064.IEEE Log Number 9 103245.

Instead of performing a search on a data structure rep-resenting a circuit, algebraic methods produce an equa-tion describing all possible tests for a particular fault andthen simplify the resulting equation. The most famous al-gebraic method is the Boolean difference method.The Boolean difference of any function F with respectto its variable x i is equal toF(x1, - * * 7 xi-19 0, x ~ + I , 7 xn)

B F ( X l , * * 9 x i - 1 7 1 , X i + l , * , n) .The notation for this quantity is d F / d x i . The set of testsfo r xi stuck at 0 is Xi d F / d x i and the set of tests for xistuck at 1 is xi d F / d x i (where Xi s the function repre-senting the output of the subcircuit with output at xi).

Note that the validity of the formula does not change ifwe introduce intermediate variables for any subformulasof F ( X 1 , * * - ,x,). If we introduce an intermediate vari-able, we do not change the permissible values for theoriginal variables. This changes the solution set, but onlybecause each satisfying binding will also contain bindingsfor the introduced variables that are consistent with theoriginal variables. We could introduce intermediate vari-ables for every line in the circuit.Once the formula using the Boolean difference is ob-tained, it is simplified using the basic laws of Booleanalgebra or by using identities specific to the Boolean dif-ference [11. The tedious nature of the algebraic manipu-lations involved in solving formulas using the Boolean dif-ference led to its disfavor a s a practical tool fo r test patterngeneration [121, [141, [1 1.The Boolean satisfiability method generates a formulaequivalent to that of the Boolean difference method, butinstead of performing symbol manipulation, it runs aBoolean satisjability algorithm on the formula. Nemesis,an ATP G system using the new method, is quite practical:it correctly tests or proves untestable every fault in theISCAS-85 (Brglez-Fujiwara) benchmark set [3].

11. THEBOOLEANATISFIABILITYETHODTo generate a test pattern fo r a single fault, first extracta formula that defines the set of test patterns that detectthe fault and then us e a Boolean satisfiability algorithm tosatisfy the formula.

A . Extracting the FormulaA directed acyclic graph represents the topological de-scription of the circuit. T he nodes of the graph a re circuit

0278-0070/92$03.00 0 992 IEEE


2/12

LARRABEE: TEST PATTERN GENERATION 5

B

Fig. 2 . The formulas for the basic gates.

Fig. 1 . A circuit and its associated D A G .

inputs, outputs, ga tes, and fan-out points; the edges of thegraph are circuit lines (wires); the sources of the graphare circuit outputs; and the sinks of the graph a re the cir-cuit inputs. Every edge has a n associated variable. Fig. 1shows a circuit and its associated DAG.Every node of the DA G is tagged with a formula thatrepresents the function performed by the gate or fan-outpoint. For example, an inverter with an input X and anoutput Y will be be tagged with the formula Y = X; nA N D gate with the inputs X an d Y and the output Z will betagged with the formula Z = X * Y. Every node has aformula that contains only variables for its incoming andoutgoing edges.1 ) Translating Formulas into CNF: We will use con-junctive normal form, or CNF (also known as product ofsums). Formulas written in CNF are easily manipulatedprogrammatically. To get the CNF formula for an ANDgate, we start with the formula

Z = X * Y .Because the formula P = Q is logically equivalent to ( P-+Q ) ( Q -+P), we transform ou r original equality into

(2 -+ ( X Y ) ) ( ( X . Y ) + Z ) .Next, we transform all implications into disjunctions- byusing the fact that P -+Q is logically equivalent to P +Q to get the formula

( 2 + X > - ( Z + ) . ( X + Y + Z ) .This formula evaluates to 1 if and only if the values of thevariables are consistent with the truth table for an A N Dgate. For comparison, the disjunctive normal form (sumof products) version of the same formula is

( X * Y 2 ) +(X Y * 2 ) + ( X Y . )+ ( X . . ) .

In CN F formulas, one sum is called a clause. Clauseswith only one, two, or three elements are unary, binary,or ternary clauses, respectively. A formula with no ter-nary clauses is said to be in 2C NF (2-element conjunctivenormal form).The C NF formulas for the basic gates are shown in Fig.2, but the gates need not be basic to be included in thisscheme: With the introduction of new variables, the CNFform of any formula can be produced in time and spacelinear in the size of the original formula. For example,the CN F formula for an AND gate with inputs X , Y , an dWand output 2, is

(2+X ) * (Z + Y ) (2+W )(X+Y + w +Z ) .

The formula for an XO R gate with inputs X an d Y and out-pu t Z is(X+Y +Z ) - ( X +Y +Z ) (X+Y +Z )

* ( X + Y + Z ) .2) Formulas fo r Unfaulted and Faulted Circuits: Be-cause each gate and fan-out point is tagged with a formulathat must be independently satisfied, we can extract a

characteristic formula fo r any circuit output (or subcircuitoutput) by starting at the output and walking the graph,taking the conjunction of all of the formulas for the visitednodes. Since the formula for every component must beindependently satisfiable, the conjunction of the formulasmust also be satisfiable. Fig. 3 shows a circuit with eachgate labeled by its characteristic form ula. Th e formula forthe output of this circuit is( X +B) ( X +E ) (x+D +E )

(D + A ) * (D+B ) * (D +2 +3 )- ( C +E ) * (C +E ) .

We can represent a faulted version of an unfaulted cir-cuit by making a copy of the circuit, renaming the vari-ables, and inserting two new nod es that represent the pre-sumed disrupted connection in the faulted circuit. That is ,if the circuit has the fault we want to test for, one valuewill be generated at the fault site, but another value willbe forwarded on to the rest of the circuit. W e tag the newnodes with unary clauses that indicate the behavior of thefault we are interested in. For example, Fig. 4hows the


3/12

6 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN, VOL. 11, NO. 1, JANUARY 1992

x

Fig. 3 . Combinational circuit with labeled gates.

X

Fig. 4 . Circuit of Fig. 2with D tuck at 1.

faulted version of the circuit in Fig. 3. Because wire D isstuck-at 1, we add the formula ( D ) o the node repre-senting the faulted behavior at the fault site, and we addthe formula (0) o the node representing the correct be-havior at the fault site.Because the unfaulted and faulted circuits will haveidentical behavior except at those nodes that are affectedby the fault, only the variables that are associated withwires that lie on a path between the fault site and a circuitoutput need to be renamed.We can extract a formula for the faulted output in thesame way as w e extracted a formula for the unfaulted cir-cuit: by starting at the faulted output, walking the DAG,and taking the conjunction of all encountered nodes of theDA G. T he formula for the faulted circuit of Fig. 4is

( X +D ) * (X +E ) (E+D +E )( D ) * ( C +E ) * ( E +E ) .

We need not include the clause ( E ) n the formula for thefaulted circuit because of the implied discontinuity at thefault site.To test for the given fault, we need only find a set ofinputs that cause the faulted output to differ from the un-faulted output. We will have a formula for all possibletests if we take the conjunction of the two extracted for-mulas and add an additional formula for the XOR of thefaulted and unfaulted output. Using BD to represent theresult of the final XOR, he formula resulting from the XORof the output of the unfaulted circuit of Fig. 3 and the

faulted circuit of Fig. 4is( X +E )

- ( D )* ( X +E )

( X +E ) - (X+D +E )( C +E ) * (c+E )

( X +E ) * (X+D +E )( D +A ) * ( E +B ) * ( D +2 +E )

* (x+X +B D) * ( X +X+B D )(X+X +BD) ( X +X +BD),

where the first line is contributed by the faulted circuit,the second line is contributed by the unfaulted circuit, andthe third line is contributed by the final XOR.Fig. 5showsthe circuit form of the formula to be satisfied. There areseveral clauses that appear in both the formulas for thefaulted circuit and the unfaulted circuit, but they need notbe repeated because AND is idempotent.The extracted formula is equivalent to the formula thatwould be produced by the Boolean difference method, inthe sense that they are both satisfiable or both unsatisfi-able: every set of satisfiable bindings for the formula pro-duced by the Boo lean difference method is consistent witha satisfying binding for the Boolean satisfiability method,and every set of satisfiable bindings for our formula is asuperset of a satisfying binding for the formula producedby the Boolean difference method. The formula extractedby our system is not exactly the same as one that wouldbe produced by the Boolean difference method becauseour formula has extra variables in it. These redundancieswill be helpful in finding a satisfying assignment for theformula.B. Satisfying the Formula

The problem of satisfying a CNF formula, SAT, is anNP-complete problem [4]. We have transformed oneproblem that in the worst case will take exponential timein the number of its circuit inputs into another problemthat in the worst case will take exponential time in thenumber of its variables. Fortunately, the class of formulasgenerated by combinational circuits is an interesting sub-class of all CNF formulas, and we can use this fact to tryto avoid the worst-case behavior of SAT. Many research-ers have recognized that the average behavior of a SATalgorithm can be improved dramatically if the set of for-mulas to be solved fit a restricted profile [5], [15]. Theset of formulas produced by combinational circuits fitssuch a restricted profile.At least two thirds of the clauses generated for theBoolean difference of a combinational circuit have onlytwo disjuncts (are in 2CNF). This is true because eachtwo-input unate gate contributes two binary (2CNF)clauses and one ternary clause (the basic unate gates arepictured in Fig. 2). Unate gates with more than two inputscontribute more than two thirds binary clauses, and fan-out points, buffers, and inverters contribute only binaryclauses. In practice we have found that 80% to 90% of


4/12

LARRABEE: TEST PATTERN GENERATION

U

IA2 I

Fig. 5. Th e XO R of the faulted and unfaulted circuits must be 1.Fig. 6 . A simple circuit and its implication graph

the clauses are in 2CNF. The problem of satisfying a2CNF formula, 2SAT, is satisfiable in time linear in thenumber of clauses plus the number of variables [2]. Wemay have an exponential number of 2SAT solutions, butwe can use information from the ternary clauses to guid ethe iteration through the 2SAT assignments.1) Using 2SAT to Solve SAT: We use an algorithmfrom the 1970's for satisfying a 2CNF formula [2]. Thefirst step is to construct an implication graph. Each 2CNFclause (X + Y ) can be viewed as two implications: x +Y and ?+X. The implication graph for a 2CNF formulashows all of the constraints imposed by 2C NF clauses onthe logic values of the variables involved.More formally, for each variable X occurring in the2C NF clauses, there are two vertices in the graph , labeledX and x. or every 2 CNF clause (X + Y ) here are two-irected edges in the graph: one from 2 o Y and one from

Y to X. The edge represents the logical implication be-tween the two literals, We can now bind logic values tothe variables in the graph. Any assignment is legal as longas it does not cause a node labeled 1 (true) to precede (orimply) a node labeled 0 (false).Before we label the grap h, we can simplify it by reduc-ing each strongly connected component, a maximal set ofnodes in a graph such that every node in the set is reach-able from every oth er node in the set, to a single node. Ifany strongly connected component contains both a literaland its negation, the formula is unsatisfiable (because eachstrongly connected component represents a set of vari-ables that are in an equivalence class). After eac h stronglyconnected component is reduced to a single node, thegraph will not contain any cycles. Now we can find atleast one satisfying binding for the 2CNF portion for-mula: First we visit the vertices in any topological ord er.For each variable, if the negated variable appears beforethe unnegated variable in the topological order, we bindthe variable to 0 (false); otherwise, we bind the variableto 1 (true). We will discuss the details of iterating throughall 2SAT bindings in the next section.A s an example of how 2SAT works, consider the smallcircuit in Fig. 6 . Imagine that we wished to iterate throughall possible bindings to the variables A , A I , A * , B , an d C.

El ETXIC C

Fig. 7 . The reduced implication graph.

The formula for the circuit is(3+A I ) * ( A +&) (1+A 2) * ( A +%)

- (A,+B ) (A,+B) ( E +A*) * ( E +B )' ( % + B + C ) ,

where the first two lines are the 2 CN F portion of the for-mula and the last line is the ternary portion of the formula.The implication graph of the 2CNF portion of this for-mula is shown in Fig. 6.TJe graph has two strongly con-nected components: {%,A , %, B } and its complement,{ A 2 , A , A I , 3). We replace these strongly connectedcomponents with the unit nodes E , an d F , which resultsin the graph shown in Fig. 7 . The final graph clearly showsthat C mplies e, and therefore Cmust be bound to 0. Inthe circuit from which the formula was extracted, C sequal to A 2, o it is reassuring that the system candetermine that C must be bound to 0. Given the bindingof C, only one unbound node in the graph remains, and itcan assume either Boolean value and remain consistentwith the ternary clause.2) Iterating Through 2SAT Bindings: We have just de-scribed a method fo r constructing a satisfying assignmentfor the 2CNF portion of the formula by assigning valuesto the literals so that no node bound to 1 has a directedpath to a node bound to 0. Clearly there are many suchassignments, but w e want to construct a 2SAT assignmentthat is consistent with the ternary clau ses. We will do thisby defining an order for the 2SAT assignments and thenconstructing each assignment only so far as it is consistentwith the ternary clauses.We order the 2SAT assignments by ordering the vari-


5/12

8 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN, VOL. 11 , NO . 1, JANUARY 1992

T h e l o o p i n v a r i a n t :1. Any binding that precedes the current prefix falsifies the formula2. If dir =Backward, any complete binding that extends the current prefix falsifies the

formula.3. If dir =Forward, the current prefix is consistent with t he formula.4. Any variables that a re bound bu t are not part of the current prefix are implied by

the c urrent prefix.V t ll Unbound; i c ; di r t Forward;loop

if dir =Forward thenwhi l e i # size(V) and V[i] is bound d o i + t 1 e n d ;if i =s i ze (V) t h e n e x i t suc c e s sf u l l y e nd ;V[i-1]+0;Se t direct im plications of V[i-11;i c i t l

elsif dir =Backward t he nif i =0 t h e n e x i t unsuc c e ss f u l l y e nd ;temp + V[i-l];Undo direct implications of V[i-11;V[i-l] t Unbound;if temp = 0 t h e n

V[i-11+1;Set direct implica.tions of V[i-l]i t i - 1

a

e l s ee n d

e n d i fif no clause falsified th en dir t Forward el se dir t Backward end

e n d l o o pS e t t i n g or undo ing d i r e c t im p l i c a t i ons : we keep a count of how many t imes each vari-

able is set to 1 or set to 0; a variable with a count of 3 has been forced to 1 threetimes and a variable with a count of -3 has been forced to 0 three times. .4 variableis only bound when it s count changes from 0 an d is only unbound if its count goest o 0 .

Fig. 8. 2SAT iteration loop.

ables that appear in the 2CNF clause s. This defines a totalorder on the 2SAT solutions: One total assignment pre-cedes another if the n-bit binary number representing thevalues of the variables (in the previously fixed order) pre-cedes the n-bit binary number for the other assignment.For partial assignments, we use lexicographic order withunbound variables treated a s less than 0. We can considerthe 2SAT solutions in either ascending or descending or-der, but we will assume (without loss of generality) thatwe consider them in descending order.We start with V , he array of 2CNF variables (initiallyunbound), i, which points to the first unbound variable inthe array (initially set to 0), an d dir , which keeps track ofwhether or not we are backtracking (initially set to For-ward). We call the current prejix of V the sequence ofbound values V[O], V[1], * , V [ i- 13. All elementsof V greater than or equal to 0 and less than i are bound.Our goal is either to find an assignment for the variablesin V that is consistent with the ternary clauses o r to provethat no such binding exists. Fig. 8 shows a loop (withloop invariants) that achieves this goal.Figs. 9through 11 show an exam ple of 2SAT iteration.In Fig. 9 we show an abbreviated version of a familiar

Fig. 9. Place a queen in every row of the board.

constraint problem: the N-queens problem. In this prob-lem, we wish to place two queens on a board with twosquares on one side and three on the other such that nei-ther queen attacks the other. We can translate this prob-lem into CNF in the following manner:Each of the six squ ares is associated with a variable A ,B , C , D, , or F that is bound to 1 if a queen is placed inthe square with the associated label and 0 if no queen isplaced in that square. We can require that a queen beplaced in each row through two ternary placement clauses,and we can prevent a queen from attacking another byadding 13 binary attac k clauses. For example, the attackclause (2+ E ) prevents queens from being simulta-neously placed in squares A an d B . The complete list of


6/12


Fig. 10. The implication graph from the two-queen problem .

B E A C D F

Fig. 11 . A variable order fo r the two-queen problem

clauses is(A +B + C) * (D+E +F )

(A+B) (A+C) (A+0 ) (A+E )* (E +C) ( E + 0 ) ( E +E ) * (E +F )* (C +E ) (C +F ) * ( D +E )* ( D +F ) * ( E +F ) .

Fig. 10 shows the implication graph generated from theattack clauses.From the implication graph w e can see that variables Band E each have five outgoing implications, and variablesA , C , D, and F each have four. Each of the six variablesappears once in the ternary (placement) clauses. W e wantto order the variables so that the variables that place themost constraints on oth er variables appea r first. Since vari-ables B an d E have more outgoing edges, this means thatthey must be assigned values before variables A , C , D,and F. The variable order B , E , A , C, D, F is acceptable.The affect of variable order on the ease of formula satis-fiability is further discussed in subsection 111-C.Having determined a variable order, Fig. 11illustratesan attempt to search for a legal binding by steppingthrough the 2SAT bindings in descending o rder. Th e firstlegal binding for the implication graph, 100000, cannotbe extended to satisfy the placement clauses because itallows for the placement of only one queen. The secondlegal binding, 0 1000 0, is similarly unsatisfactory. How-ever, the third legal binding, 0010 01, satisfies the ternaryclauses, and successfully concludes our search.3) Terminating the Search: We terminate the searchfor a 2SAT binding that satisfies the e ntire formula in on eof three ways:1) We find a satisfying binding.2) We prove that no binding exists.3) We exceed the amount of computational effort weThough we can solve a 2SAT problem in linear time, theremay be an exponential number of solutions. In the ab-

are willing to spend.

sence of significant theoretical advances, there will al-ways be instances of NP-complete problems that takemore time to complete than we want to wait; we wouldrather generate tests for all but one of the faults of a circuitin a small number of seconds than wait four hours andstill not know if we will be given a successful test in thenear future.Practical considerations require that any implementa-tion of our method stop searching for an answer after acertain number of 2SAT solutions have been unsuccess-fully extended to a SAT solution. In the current imple-mentation the number of unsuccessful 2SAT solutions wewill tolerate is equal to the length of the variable arraymentioned in subsection 11-B-2. This backtrack lim it wasdetermined through experimentation and is not derivedfrom the theoretical behavior of the search. In subsection111-C we will discuss modifications to the satisfier so thatinstead of giving up when no solution is found after agiven number of tries, we reorder the variables using adifferent metric and try ag ain.

111. MINIMIZINGHE SEARCHREEThe algorithm we have just described is complete: Ifno test pattern for a fault exists, we will eventually proveit; if a test pattern ex ists, we will eventually find it. How-ever, we can speed up the satisfier tremendously by fig-uring out how to quickly determine that some portions ofthe search tree contain no solutions. Like structural searchATPG systems, we can take advantage of topological in-formation to avoid searching unprofitable sections of thesearch tree: w e believe that any heuristic that can be statedin the structural search domain can be translated into amodification of th e formula to be satisfied.In this section we will describe how we translate sev-eral structural search heuristics into modifications to thebasic Nemesis system described in Section 11. The effectthat these mod ifications hav e on the efficiency of the baselevel system has been described in detail in a previouspublication [9], [101.Each of the heuristics we will discuss is implementedin our system by adding to o r subtracting from the formulato be satisfied. By adding or subtracting clauses we canavoid portions of the search tree. When we subtract vari-ables we are making the search tree shorter, and when w eadd certain restrictive clauses we ignore branches of thesearch tree. In either case, we mu st ensure that the changepreserves satisfiability .A . Adding Clauses to the Formula

We can take the basic formula and add clauses that ex-plicitly state information that the satisfier can eventuallyderive, but perhaps only after a great deal of search. Thesimplest example of such redundant information is thevalue of the faulted line with the unfaulted circuit. Forexample, the formula for the fault shown in Fig. 5con-tains the unary clause (D) (in English, the faulted valueof the line is 1). The satisfier can derive that the variable


7/12

10 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN, VOL. 11, NO . I , JANUARY 1992

D must take on the value 0 (for the XO R of the faulted andunfaulted circuits to be equal to I ) , bu t Fe add that infor-mation explicitly by adding the clause D to the formula.Adding this kind of derivable information can speed upthe satisfier by an o rder of magnitude.1) Nonlocal Implications: As noted by the designersof the SOCRATES system, it is possible to explicitly de-rive nonlocal implications by examining the reconvergentfan-out in a circuit [17]. In Fig. 12, we see that if line Bhas the value 1, line F has the value 1; conversely, if lineF has the value 0, line B has the value 0. SOCRATESdiscovers this implication by performing a structural anal-ysis of the circuit; we find it by analyzing the formularepresenting the circuit.Given the formula for an unfaulted circuit, we can listall the nonlocal implications of a given variable assign-ment by binding the variable and then noting the directimplications that use a ternary clause. Any implicationthat involves a ternary clause must come from reconver-gent fan-out. For example, the complete formula for thecircuit in Fig. 12is

(F +b) (F +E ) * ( F +D +E )* ( D + A )* ( D + A ) ( D + E )

( D + E ) * ( D + A +B )(D + A +B ) .

Binding B to 1 causes the binary clauses ( D +8) nd ( E+E ) to be promoted to the unary clauses ( D ) and ( E ) .When D an d E are bound to 1, the ternary clause ( F +D+E ) is promoted to a unary clause, which caused F tobe bound to 1. The fact that a ternary clause was used toderive the direct implication that B bound to 1 implies Fbound to 1 means that it is a nonlocal implication. Byadding the explicit clause (B + F ) we ensure that anytime F is bound 0, B will also be bound to 0 without hav-ing to do any case splitting.We could add all the nonlocal implications for a circuitto every formula that we try to satisfy, but we only addthe nonlocal implications if the satisfier fails on the orig-inal formula. Th e process of finding the implications canbe time consuming, and we do not want to spend the timewhen the formula is easy to solve without the added in-formation.The great majority of patterns can be generated withoutnonlocal implications, but the few that could not be gen-erated easily without nonlocal implications could not begenerated even when the satisfier was allowed to run 1000times as long as it normally does. Nonlocal implicationsare vital when it co mes to processing difficult faults.2) Active Clauses: When the D algorithm was intro-duced, Roth concentrated on trying to get a discrepancyto a circuit output [16]. We can modify our formula sothat the explicit need for a sensitized path can be used tospeed up the satisfier. But there is a difference betweenthe sensitized path of the D algorithm and a sensitizedpath that we need for our formula: The D algorithm

A

-B

C

Fig. 12 . Nonlocal implications: Add ( E +F )searches for a solution by explicitly enumerating all pos-sible combinations of sensitized Saths, but we are onlyspeeding up our search by taking advantage of the exis-tence of at least one sensitized path for any detectablefault.If a fault is detectable, there must be at least one sen-sitized path from the fault site to a circuit output. Theremay be more than one path, but we need find only one:we will call this particular sensitized path the active path.Each line that is a mem ber of the active path is an activeline. Every active line must hav e a discrepancy, but sincethere may be oth er sensitized paths, not all lines with dis-crepancies are active lines.To find an active path, we add clauses that describehow we would go about finding such a path manually:First, we know that the fault site is on the active path (ifone exists). As for the other lines, if a line is on an ac-ceptable active path and it is an input to a single-outputgate, the output must also be on the active path; if it is aninput to a multiple-output gate, one of the outputs mustbe on the active path . T o put it formally, fo r each line thatlies between the fault and a circuit output we allocate avariable (called the active variable for the line), and foreach gate that lies between the fault and a circuit outputwe add several clauses (called the active clauses for thatgate). W e will use the notation that if a line has the name(variable) X , its active is Actx. For each si ng ls ut pu t gatewith input X and output Y we add the clause (Actx +Acty)(in English, if X is active, Y is active). For each multiple-output gate with input X and outputs Y an d Z, we add theclause ( E x +Acty +ActZ) (in E nglish, if X is active,either Y is active or Z is active). Figs. 13 an d 14 showexamples of these clauses.If we only added the clauses we have described so far,we would find any path from the fault site to a circuitoutput and call it the active path (whether or not it waspossible to sensitize it). W e must also add clauses the en-sure that the path is made up entirely of lines with dis-crepancies. Fo r each potentially active linz X , we add theformula (Actx +X +X ) * (Actx + +X ) (in English,if X is active, the unfaulted value of X differs from thefaulted value of X ) . For example, for the circuit in Fig.5 we allocate the variables ActD and Actx, and add the


8/12

LARRABEE: TEST PATTERN GENERATION I 1

Fig. 13 . If X is active, Y must be active:(E,Act,)

I

x2Fig. 14. If X is active, either X, or X, must be active: (E,Act,, +Act, ).formula(G+Actx) * (Act, +D +0 ) (wD +D )

* (Actx +x +X) (Act,+x +X)to the basic formula we mentioned in Section 11.Adding the active implication clauses greatly increasesthe efficiency of our system. Without the implicationclauses we abort on many of the faults.3) Requiring Noncontrolling Values: If a gate is on theactive path, we know that it must propagate the discrep-ancy. This means that the gate inputs not on the activepath must take on certain noncontrolling values that willallow the fault to be propagated. Fo r example, if an A N Dgate is on the critical path, none of its nonactive inputscan take on the value 0: if they did, the AND gate wouldalways have the output 0, and no discrepancy could bepropagated. On the other hand, a nonactive input to anA N D gate on the active path could have a discrepancy. Inthis case, if the nonactive discrepancy is the same as theactive discrepancy, the fault is propagated (0/ 1 A N D O / 1is O / l ) ; if the discrepancy is the opposite of the activediscrepancy, the fault is not propagated (0/1 A N D 1 O isO / O ) . Fig. 15shows two legal critical assignments for afour-input A N D gate (the active path is shown by a boldline), and Fig. 16shows illegal assignments for the samegate.We can come up with similar rules for all the basicgates: Nonactive inputs to gates implementing m onotonicfunctions must either have a discrepancy identical to thatof the active input or have no discrepancy and assume anoncontrolling value. Fo r XOR an d XNOR gates on the ac-tive path, we must require that their nonactive inputs haveno discrepancies (0/1 XO R 1 O is 1 an d 0/1 XOR 0/ 1 is

We can add clauses requiring noncontrolling values fo revery gate between the fault site and a circuit output. Forexample, the OR gate in Fig. 4s on the active path, andits in p u te a n n o t car ry a discrepancy. We could add theclause (ACtD +E ) (in English, if D is active, E must be0) to the formula to be satisfied.

0).

1/ 0; 1/ 0 1/0 1/ 0Fig. 15 . Legal critical assignments.

Fig. 16 . An illegal critical assignment.

Explicitly requiring noncontrolling values for gatespropagating a discrepancy is of great value for the topo-logical ATPG systems; in our case, the added clauses arenot as valuable. T he added clauses not only add redundantinformation, but the information they add is usually de-rived by the satisfier in a few simple steps. Adding thenoncontrolling clauses is inexpensive, and they can neverretard the search for a solution, so we add the noncon-trolling clauses to our base level syste m.4 ) Determine Unique Sensitization Points: We canbuild a preprocessor that identifies all of the unique sen-sitization points for each possible fault site by generatingthe active clauses for every gate in the circuit and deter-mining the nonlocal implications of the active clauses. Forexample, looking at Fig. 12 again, just as we generatedthe nonlocal implication ( E +F ) rom the formula for thecircuit, we can also generate (Act,+Act,). That is, wecan derive that if B is active, F must be active.Many authors of structural search ATPG systems placegreat importance on preprocessing the circuit structure toderive the unique sensitization points (points of total re-convergence) in the circuit [ 6 ] , [17], but such a prepro-cessing step is not necessary for us. En the process of find-ing an active path, our satisfier will always find all theunique sensitization points without explicitly searching forthem. W e have never found a case where explicitly deriv-ing the unique sensitization points improved the perfor-mance of our system.5 ) Removing Clauses from the Formula: We can re-move a variable from the formula (along with all theclauses containing the variable) if we are guaranteed thatremoving the variable will not cause a satisfiable formulato appear to be an unsatisfiable one (even if removing avariable will remove some satisfying bindings from thesolution set for the original formula). We do not need tofind all satisfying bindings-we only need to find one .We can avoid searching fan-out-free portions of the cir-cuit by removing variables and clauses corresponding tofan-out-free portions of the circuit. To explain ourmethod, we must first explain the determines relation.We say the variable V determines variable W if an as-signment of either 0 or 1 to V will cause W to appear inthe formula only negated o r only unnegated. In this case,we may remove all clauses containing W from the formula


9/12


10/12


n

11100 001 010 011 100 101 110

Fig. 20. The search tree fo r the third strategy.

the variable is bound to 1. An additional differencewith strategy 1 is that this ordering is a lexico-graphic ordering: variables that force an equal num-ber of other variables through 2SAT implications areordered by their occurrence in the ternary clauses.We step through the 2SAT solutions in descendingorder. Fig. 20 shows the search tree for our exam-ple. First we bind B to 1, which will force A and Cto be bound to 0, leaving us a solution consistentwith the ternary clause: A =0, B = 1, C =0. Byusing this strategy, we are also attempting to assertthe strongest possible constraints at every opportu-nity, but this time we will trigger the most con-straints only if the variables are bound to 1 . Sincewe are stepping through the bindings in descendingorder, the constraints triggered by binding a vari-able to 1 are more likely to come into play.

The strategies we have just described are only three ofthe many possible search strategies we could have used.In practice, we have found that the three strategies workwell in concert. Strategy 2 will often find a solution whenstrategy 1 will not. Since they explore the same solutionspace, but in opposite orders, it is easy to see that theyare orthogonal searching strategies. Strategy 3 builds amarkedly different tree from the first two only in caseswhere the assumptions used to build th e first tree was in-valid. That is, strategy 1 may place a variable high in theordering because it causes many constraints when it isbound to 0, but if the variable is only ever bound to 1,those constraints do not direct the search. By switching toan ordering that will strongly direct the search in the ex-pected case, we can com e up with a different solution set.

IV. RESULTSBefore we can present the measurements taken fromNemesis we must provide further information about howthe features described in this paper fit into the system asa whole as well as what kind of input we are using to

evaluate Nemesiss performance. Nemesis is written in Cand runs on a Sun Sparcstation 1+. We used the ten sam-ple circuits collected by Brglez and Fujiw ara, and distrib-uted at the 1985 ISCAS Conference, as input to Nemesis[3]. W e used the Tegas Description Language (T DL) ver-sion of the ISCAS circuits.Before test pattern generation begins, Nemesis trans-

lates the TD L into an internal form and produces a col-lapsed fault list. After wire-list translation and fault col-lapsing, two phases of test pattern generation follow:random and algorithmic.The first phase*of est pattern generation is the randomphase: We use the logic word operations of the computerto simulate 32 pseudorandom patterns against one targetfault. T he simulator is m odeled after the parallel-pattern,single fault propagation (PPSFP) simulator reported byWaicukaski et a l . [18]. In this way we generate patternsfor the easily tested faults (generally 80% to 99% of thetotal faults). When one complete PPSFP pass producesfewer than a predetermined number of patterns (currently2) the second phase, algorithmic pattern generation, be-gins.The algorithmic test pattern generation uses the Bool-ean satisfiability method described in this article in con-junction with all of the heuristics described except for theheuristic that avoids search of fan-out-free subtre es. Dur-ing the algorithmic pattern generation p hase, e ach patterngenerated is simulated (using a simple sing le pattern, sin-gle fault propagation simulator) so that any faults detectedby the new pattern may b e removed fro m the fault list. Ifthe system backtracks too many times during the 2SATiteration, the fault is abandoned.Table I shows the time spent fo r each individual circuitduring each of six phases: translation of the wire list intointernal form, generating and simulating semirandom testpatterns, extracting formulas, satisfying formulas, simu-lating the patterns found by formula satisfaction, andcompaction of the resultant vectors. For all circuits butthe C6288, Nemesis spends most of its processing timesatisfying extracted formulas.Table I1 shows the number of faults that require testpatterns, the number of faults after fault collapsing, thenumber of faults covered by the semirandom test patterngeneration and simulation, the number of faults coveredby extracting and satisfying a form ula, and the number offaults proved redundant by extracting and falsifying a for-mula.Table I11 shows the number of patterns produced byeach phase and the percentage of faults covered, provedredundant, or aborted by the complete system. Nemesiswas the second system to successfully produce tests foror prove redundant every fault in the benchmark circuits.

V. CONCLUSIONSThe Boolean satisfiability method for generating testpatterns for single stuck-at faults in combinational cir-cuits-extracting a formula fo r the test set of a fault and

then satisfying that formula-is gen eral , flexible, and ef-fective. By separating th e solution from the exact form ofthe problem, we can solve a larger class of problems thancan more restrictive systems. Not only can we translatetraditional structural heuristics into our domain; we canalso incorporate heuristics that would be difficult to im-plement in a structural search system.


11/12

14 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN, VOL. 11, NO. 1, JANUARY 1992

TABLE INEMESISI M I N GTime in Seconds

Circuit Parse PPSFP ExtractCO432CO499CO880C1355C1908C2670C3540C5315C6288C7552

0 .50 . 60 .91 .42 . 02 .93 .75 .56. 28 .1

0 . 4 0 . 40 . 4 0 . 60 . 5 1 . 41 . 4 2 . 22 . 8 6 . 12.8 22.16.9 42.45 . 1 9 . 435 O 30.68 . 2 53 . 7

Satisfy7 .01 .934.1

15.056.4339.6204.150.639.8668.0

SPSFP Compact0.0 0 .30.0 0 .40 . 2 0 . 40.2 1 .80 . 7 1 . 82 . 1 1 . 71 . 6 6 . 00.6 3 .60.0 35.98.2 6 .5

Total8 .53 .937 . 5

22.069.8371.2264.774.8147.6752.6

TABLE I1NEM ES I SU M B E RF F AULTSFaults in Circuit Faults covered by ProvedCircuit Uncollapsed Collapsed Random Algorithmic Redundant Aborted

CO432CO499CO880C1355C1908C2670C3540C5315C6288C7552

86 499 8166027 10381653407080106301257615104

420 410652 64 1765 7271444 13891740 16432516 20903150 293 14909 48287619 75857 194 6566

6338478830 99 0220497

TABLE 111NEM ES I SA T T E R N S

4808911 712 9593413 1

0000000000

~ ~

Number of PatternsCircuit Random Algorithmic CompactedCO432CO499CO880C 1355C1908C2670C3540C5315C6288C7552

70539490649519 019 14729 7

719211811 0817927014 6

6860729213 814 920 216 14524 5

The Nemesis system using the Boolean satisfiabilitybH Xh lar k circuits: it was the Wand system (after sot-RATES) to correctly process all the faults. T he structuralsearch methods have had the benefit Of more than a de -cade of program development and craftmanship; the

[2] B. Aspvall, M . Plass, and R . Tarjan, A linear-time algorithm fortesting the truth of certain quantified Boolean formulas, Inform.Process. Lett. , vol. 8, pp. 121-123, 1979.[3] F. Brglez and H. Fujiwara, A neutral netlist of 10 combinatorialbenchmark circuits and a target translator in fortran, in Proc. Int.Symp. Circuits Syst. , June 1985.[4] S . A. Cook, The complexity of theorem proving procedures, inProc. Third Annual ACM Symp. Theory of Computing, 1971.

method achieves total test coverage of the ISCAS-85

strength of our model leads us to believe that we will gainsignificant performance improvements as the system ma- [5] M . Davis and H . Putman, Acomputing procedure fo r quantificationtheory, J . Ass. Compur. Mach., vol . 7 , pp. 201-215, 1960.[61 H . Fuiiwara and T. Shimono, On the acceleration of test generationtures.REFERENCES

- _ algori;hms, IEEE Trans . Comput . ,vol. C-31, pp. 1137-1144, 1983.[7] P. Goel, An implicit enumeration algorithm to generate tests forcombinational logic circuits, IEEE Trans . Comput . , vol. C-3 1, pp.215-222. 1981.[ l ] S . B. Akers, O n a theory of Boolean functions, J . Soc. Ind. and [8] T. Larrabee, Efficient generation of test pattems using Boolean dif-ference, in Proc. Inr. Test Conf., Aug. 1989. Also available as partppl ied M ath. , vol . 7 , 1959.


12/12


of Digital Equipment Corporation Western Research Lab ResearchReport WRL-9013.191 T . Larrabee, A fram ework for evaluating test pattern generationstrategies, in Proc. Int. Con& Computer Design, Oct. 1989. Alsoavailable as part of Digital Equipment Corporation Western ResearchLab Research Report WRL-9013.I O] T. Larrabee, Efficient generation of test patterns using Boolean sa-tisfiability, Ph.D. thesis, Stanford University, 1990. Also availableas Stanford Tec hnical Rep ort STA N-CS-90- 1302 and as DigitalEquipment Corporation Western Research Lab Research Report WRL-9012.[ I I] E. J . McCluskey, Logic Design Principles. Englewood Cliffs, NJ :Prentice-Hall, 1986.1121 A . Miczo, DigitulLogic Testing and Simulation. New York: Harperand Row, 1986.[I31 H. B. Min and W. A. Rogers, Search strategy switching: An alter-native to increased backtracking, in Proc. Int. Test Conf., 1989.[141 D. K. Pradhan, Fault-Tolerant Computing Tlreory and Techniques.Englewood Cliffs, NJ: Prentice-Hall, 1986.

1151 P. W. Jr . Purdom and C. A. Brown, Evaluating search methodsanalytically, in Proc. Nat. Con& Artifical Intelligence, 1982, pp.[I61 J . P. Roth, Diagnosis of automata failures: A calculus and amethod, IBM J . Res. Deve lop. , vol. 10 , pp. 278-291, 196 6.[171 M . H. Schulz, E. Trischler, and T. M. Sarfert, Socrates: A highly

124- 127.

efficient automatic test pattern generation system, IEEE Trans.Computer-Aided Design , vol. 7 , pp. 126-137, Jan. 1988.[18] J . A. Waicukauski, E. B . Eichelberger, D. 0. Forlenza, E. Lind-bloom, and T. McCarthy, Fault simulation for structured VLSI,VLSI Design, vol. VI, pp. 20-32, 1985.

Tracy Larrabee (S89-M90) received the B.S.degree in engineering from the California Instituteof Technoogy in 1979 and the M S . and Ph.D.degrees in computer science from Stanford Uni-versity in 198 7 and 1 990 , respectivelyBefore entering graduate school she held full-time positions in computer-aided design groups atSilicon Systems and Helwett Packard Labs. W hileworking on her doctorate she held summer posi-tions at the Xerox Palo Alto Research Center andthe Digital Equipment Corporations Systems Re-search Center and Westem Research Lab. From 1983 to 1988 she was therecipient of a Digital Equipment Corporation Student Fellowship. Cur-rently she is an Assistant Professor of Computer Engineering at the Uni-versity of Califomia, Santa Cruz In 1991 she received a Presidential You ngInvestigator award. Her research interests include theoretical computer sci-ence, test pattern generation and simulation, and fault modeling.

test pattern generation using boolean satisfiability

Documents