Many high-level fault models have been proposed in the past to perform verification at the functional level; however, high-level automatic test pattern generators (ATPGs) are still in a prototyping phase, while very efficient logic-level ATPGs are available. This paper proposes a strategy to map high-level faults into logic-level faults. Thus, functional verification, based on a high-level fault model, can be performed by exploiting the capability of state of the art logic-level ATPGs.
INTRODUCTION
Functional verification [5, 7] is increasingly adopted to detect design errors by exploiting coverage metrics [3, 11] or high-level fault models. In particular, some high-level fault models [4, 2] have been recently proposed to include the characteristics of traditional coverage metrics [9] (e.g., statement, branch, condition coverage) and logic-level fault models [1]. Such a confluence of coverage metrics and fault models mainly depends on the consideration that hard to detect or untestable high-level faults identify corner cases, which can represent design errors [4]. The analysis of the nature of high-level faults allows an effective verification of the expected and unexpected behavior of the design, particularly when faults are directly injected into HDL code, which is very familiar to the designer. By contrast, designers would find it very hard to investigate the nature of untestable logic-level faults.
In the literature there are some papers [11, 2, 4] that try to correlate high-level with logic-level faults. These works show that test sequences generated to cover high-level faults are also good test cases for detecting logic-level faults. However, high-level automatic test pattern generators are still in a prototyping phase while very efficient logic-level ATPGs have been developed in the past and ported into commercial tools [8, 13]. This paper proposes a strategy to efficiently perform functional verification, based on high-level faults, by exploiting the potentialities of state of the art logic-level ATPGs. To accomplish the goal, four different approaches for mapping high-level faults into logic-level faults are investigated and compared.

* Research activity partially supported by the European Community IST-2001-34607 project: SYMBAD
The proposed solution for mapping high-level faults into logic-level faults also addresses an interesting verification problem: providing an efficient and accurate mapping technique to establish correspondence between behavioral/RT level signals and logic-level nets. In some cases designers are interested in identifying which portion of the logic-level implementation corresponds to a slice of the high-level description. Possible motivations can be: reuse of parts of the implementation, analysis of a design area, etc. Formal equivalence checkers are used for this purpose; however, they require a lot of resources in terms of time and memory. In [10] an interesting fault simulation-based approach is proposed. The authors exploit the fact that circuit diagnosis provides an effective method for identifying a fault location in the circuit. However, the work presents some limitations which are avoided by our mapping strategy.
The paper is organized as follows: Section 2 describes the adopted high-level fault model. Section 3 proposes and compares four different approaches for mapping high-level faults into logic-level faults. Section 4 describes how one of the proposed fault mapping strategies makes it possible to identify the correspondence between RT/behavioral signals and logic-level nets. Finally, experimental results are reported in Section 5.
HIGH-LEVEL FAULT MODEL
The high-level fault model adopted in the paper is the bit coverage, which simulates under the single fault assumption:

Bit failures. Each occurrence of variables, constants, signals or ports is considered as a vector of bits. Each bit can be stuck-at zero or stuck-at one.

Condition failures. Each condition can be stuck-at true or stuck-at false, thus removing some execution paths in the faulty representation.

Bit coverage is chosen since it is related to design errors [4, 7] and it unifies into a single metric the well known metrics concerning statements, branches and conditions coverage. In addition, paths needed to activate and propagate faults from inputs to outputs of the DUV are also covered. Finally, bit coverage shows a high correlation between stuck-at faults at different levels of abstraction [4].
Bit coverage faults are automatically injected into an RTL DUV by using AMLETO [5], which can inject faults into VHDL code as well as SystemC code. For simplicity, the rest of this paper refers explicitly to VHDL examples, but the methodology is independent of the adopted language. Fault injection is performed by inserting saboteurs into the DUV. Every occurrence of signals, variables, constants and conditions of the high-level description is replaced by an appropriate bit coverage saboteur. We define a saboteur for every language type, i.e., bit, integer, standard logic, boolean, etc. They are functions which can supply the correct or the faulty value of the target object depending on the value of a control signal. Faults are enumerated starting from 0, and a bit vector-type port, named fault, is added to the DUV. The number of elements of the fault port equals the number of faults. The fault port drives the control signals of saboteurs. To activate the fault number i, fault[i] is fixed to '1'. Figure 1 shows the VHDL saboteur function for the bit data type. Saboteurs for other data types are defined by converting the target object to a sequence of bits and referring to the bit case. In this way, changing the definition of the saboteur for bit changes the behavior of saboteurs for the other data types accordingly. The first parameter of the saboteur function, (object), is the target of the fault, while the second (fault code) is the value of the fault port. Parameters start s0-1 and end s0-1 give the valid range of fault code values that activate the stuck-at 0-1 on the target object (end s0-1 are redundant for one-sized data types, e.g., bit and boolean, since their value equals start s0-1, but they are necessary for multi-sized data types).
The fault injection process generates a unique faulty description of the DUV that includes all bit coverage faults. Figure 2 shows an example of fault-free and faulty VHDL descriptions by using bit coverage saboteurs. It illustrates how the faults are recursively inserted in complex statements such as an if-then-else statement. For example, to activate the fault stuck-at 0 on the third bit of the integer signal rmax, the signal fault[56] must be set to '1', since the range for faults stuck-at 0 on rmax is from 54 to 61. On the other hand, to activate the fault stuck-at true on the if-then-else condition the signal fault[73] must be set to '1'.
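The fault port decoding described above, modelled in Python as an added example (it is not the AMLETO saboteur of Figure 1 or the code of Figure 2). The range 54 to 61 and the index 73 come from the text; the stuck-at 1 range 62 to 69, the stuck-at false index 72, the LSB-first bit ordering and the small `duv` statement are assumptions made for illustration.

```python
from typing import List, Sequence, Tuple

N_FAULTS = 74                         # constructed size of the fault port
RMAX_S0: Tuple[int, int] = (54, 61)   # from the text: stuck-at 0 range of rmax
RMAX_S1: Tuple[int, int] = (62, 69)   # assumed: stuck-at 1 range of rmax
COND_FALSE, COND_TRUE = 72, 73        # 73 is from the text, 72 is assumed

def one_hot(i: int, n: int = N_FAULTS) -> List[int]:
    """Fault port value that activates only fault i."""
    return [1 if k == i else 0 for k in range(n)]

def active_fault(fault: Sequence[int]) -> int:
    """Index of the active fault, or -1 when every element is 0."""
    active = [i for i, bit in enumerate(fault) if bit]
    if len(active) > 1:
        raise ValueError("single fault assumption violated")
    return active[0] if active else -1

def sab_int(obj: int, fault: Sequence[int],
            s0: Tuple[int, int], s1: Tuple[int, int]) -> int:
    """Integer saboteur: the offset inside a range selects the bit (0 = LSB)."""
    i = active_fault(fault)
    if s0[0] <= i <= s0[1]:
        return obj & ~(1 << (i - s0[0]))   # stuck-at 0 on that bit
    if s1[0] <= i <= s1[1]:
        return obj | (1 << (i - s1[0]))    # stuck-at 1 on that bit
    return obj                             # fault targets another object

def sab_bool(cond: bool, fault: Sequence[int], i_false: int, i_true: int) -> bool:
    """Condition saboteur: stuck-at true or stuck-at false."""
    i = active_fault(fault)
    return True if i == i_true else False if i == i_false else cond

def duv(a: int, rmax: int, fault: Sequence[int]) -> int:
    """Constructed statement 'if a > rmax then rmax := a', with saboteurs."""
    r = sab_int(rmax, fault, RMAX_S0, RMAX_S1)
    if sab_bool(a > r, fault, COND_FALSE, COND_TRUE):
        return a
    return r

def detected(a: int, rmax: int) -> List[int]:
    """Faults whose activation changes the output for this stimulus."""
    good = duv(a, rmax, [0] * N_FAULTS)
    return [i for i in range(N_FAULTS) if duv(a, rmax, one_hot(i)) != good]

if __name__ == "__main__":
    print(detected(a=3, rmax=4))
```

A stuck-at 0 on a bit that is already 0, or a stuck-at false on a condition that is already false, leaves the output unchanged, so each stimulus detects only part of the fault list.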
After fault injection, the fault list is optimized by removing equivalent faults and faults that are untestable without being a symptom of design errors (e.g., stuck-at 0 on constants whose value is '0') [6]. Such faults do not have a corresponding logic-level stuck-at fault, since synthesis optimizes the design by removing the parts of the functional description in which they are injected. All the remaining faults can be mapped.
FAULT MAPPING
In past years, some very efficient logic level ATPGs have been developed. A method to map high-level faults into logic-level stuck-at faults is necessary to exploit the potentialities of these ATPGs for detecting high-level bit coverage faults. In the next subsections four different approaches are proposed and compared.
Trivial Method
Given the logic-level network of the DUV and the corresponding fault list, the easiest way to map a bit coverage fault into a logic-level stuck-at fault consists of the following naive approach: The saboteur functions activate or deactivate the related faults according to the value of the fault port. During each ATPG session, all the elements but one (element i) of the fault port are fixed to '0', i.e., they are deactivated. Then, the ATPG is forced to detect the stuck-at 1 on the line fault[i]. Thus, by its nature, the ATPG compares two instances of the design: one with a '0' on fault[i] and the other with a '1' on the same position. In the first case all bit coverage faults are deactivated, thus the design is fault-free. Instead, in the second case, the bit coverage fault i is activated. In this way, if the ATPG detects the logic-level stuck-at 1 on fault[i], it actually detects the high-level bit coverage fault i.
Unfortunately, this method is almost infeasible, since the ATPG setup session is very time consuming. For each setup session the ATPG needs to propagate the value of the fault port elements fixed to '0' to minimize the circuit logic before starting test pattern generation. To avoid waste of time, a unique setup phase is needed for all bit coverage faults. In the next three methods the goal is obtained by removing the fault port and the related saboteurs logic from the synthesized faulty DUV.
Topological Method
Given a selected technology library, the synthesis process maps each saboteur function call of the DUV into a network of logic gates. By analyzing the synthesized design it is possible to identify the topology of the saboteur corresponding to a bit coverage fault. Thus, the following algorithm makes it possible to use a logic-level ATPG to detect bit coverage faults:

    for each bit coverage fault i do
        identify the corresponding logic topology according to the selected technology library
        remove the topology and directly connect its input line (object) and its output line (result)
        if i is Stuck-at 0 or Stuck-at false
            add Stuck-at 0 on the corresponding result line
        else if i is Stuck-at 1 or Stuck-at true
            add Stuck-at 1 on the corresponding result line
    set up and run logic-level ATPG

In this way only one ATPG set up phase is necessary. Moreover, the time it requires is exactly the same needed for the fault-free design since the saboteur logic and the fault port have been removed. The main problem of this approach is represented by the identification of the saboteur topology. For example, by using a simple technology library composed of a NOT, a 2-inputs AND, a 2-inputs OR, a LATCH and a FLIP FLOP, in the majority of cases the saboteur topology appears as in Figure 3. A program has been written to identify and remove each occurrence of the saboteur topology from the synthesized faulty description of the DUV. Unfortunately, the algorithm fails every time the saboteur logic is minimized and mixed with the functional logic of the DUV. In all such cases the topological mapping between stuck-at faults and bit coverage faults is almost infeasible. Consider for example the VHDL code of Figure 4 and the corresponding logic-level circuit of Figure 5. It is evident that the topology of saboteurs for faults 890, 891 and 892 is not recognizable. Another problem can be observed in Figure 5: the synthesis process can introduce fanouts on the lines of the fault port. This can lead the mapping algorithm to map one bit coverage fault into logic-level multiple faults. However, multiple faults are not managed by traditional ATPG tools, thus removing the advantage of the proposed approach.
Implication Method
The behavior of the saboteur logic, rather than its topology, can be analyzed to map bit-coverage faults into logic-level faults. The activation of a bit coverage fault makes it possible to identify which nets are directly influenced by the fault. Consider the following algorithm: Fault mapping is performed by computing implications of the fault port elements. This approach avoids the necessity of identifying the saboteur topology, however, it does not resolve the problem of fanouts described in Section 3.2. For example, consider the circuit of Figure 5 driven. Computing the value for all nets of the circuit, we obtain that: A='1', B='1', C='0', D='0', E='0', F='1', G='1', H='0', I='1', L='0', M='X', N='X'. The values of M and N cannot be determined, since they depend respectively on the value of ('1' AND line1) and ('0' OR M). Thus, the bit coverage fault 890 corresponds to the multiple logic-level fault (stuck-at 0 on L, stuck-at 1 on I). The implications for faults 891 and 892 can be computed in a similar way. The fault 891 is mapped to the pair (stuck-at 1 on H, stuck-at 1 on I) and the fault 892 is mapped to the pair (stuck-at 1 on H, stuck-at 0 on M).
Black Box Method
To avoid the disadvantages of the last two methods, the synthesis of the faulty DUV should not minimize the logic of saboteur functions into the functional logic of the DUV. Actually, the saboteur logic is useless for the logic-level ATPG, since we force it to detect logic-level stuck-at faults which are internally modeled by the ATPG. The correspondence between logic-level and bit coverage faults is based only on the position of the logic-level net affected by the saboteur. Thus, saboteur functions can be considered as black boxes with an activation signal for stuck-at 0, an activation signal for stuck-at 1, a fault-free input and a faulty output.
A state of the art synthesis tool [12] can map a function into a corresponding design entity, which is considered as a basic component of the selected technology library. Thus, a "dummy" saboteur function is defined (Figure 6); during synthesis it is mapped into a "dummy" entity which acts as a black box. The bit saboteur is modified (Figure 7) in order to use the dummy saboteur. This is a placeholder which simply assigns input to output; the same operation is performed by the corresponding entity. By using the dummy saboteur, the synthesized faulty design behaves exactly as the fault-free design does. However, after synthesis, a stuck-at 0 (1) on the output of an instance of the dummy entity corresponds to the bit coverage fault indicated by the name of the signal assigned to the fault index s0 (fault index s1) port. Thus, the saboteur logic is removed and each bit coverage fault is mapped to a single logic-level stuck-at fault. Consider the example of Figure 4 and the corresponding logic-level circuit obtained by using the black box method (Figure 8). The two instances of inject fault dummy entity are not minimized with the functional logic of the DUV and the fanouts on fault port lines have disappeared. To use a logic-level ATPG for testing bit coverage faults the following algorithm can be applied:

    for each bit coverage fault i do
        search inject fault dummy entity connected to fault[i]
        if i is Stuck-at 0 or false
            add Stuck-at 0 on the output of inject fault dummy entity
        elsif i is Stuck-at 1 or true
            add Stuck-at 1 on the output of inject fault dummy entity
    set up and run logic-level ATPG
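The black box mapping loop above, sketched in Python over a constructed netlist as an added example (not the authors' tool and not the circuit of Figure 8). The netlist data structure, the pin names, the underscore spelling of the dummy entity and fault index 893 are assumptions; the second netlist shows the fanout case in which a fault cannot be mapped to a single stuck-at fault.

```python
from typing import Dict, Iterable, List, NamedTuple, Tuple

DUMMY = "inject_fault_dummy"   # assumed spelling of the dummy entity name
S0_PIN, S1_PIN = "fault_index_s0", "fault_index_s1"   # assumed port names

class Instance(NamedTuple):
    name: str
    cell: str
    pins: Dict[str, str]       # pin name -> net name

# Constructed netlist: dummy entities kept as black boxes by synthesis.
BLACK_BOX = [
    Instance("U1", DUMMY, {"input": "n1", "output": "n2",
                           S0_PIN: "fault[890]", S1_PIN: "fault[891]"}),
    Instance("U2", "AND2", {"a": "n2", "b": "n3", "y": "n4"}),
    Instance("U3", DUMMY, {"input": "n4", "output": "n5",
                           S0_PIN: "fault[892]", S1_PIN: "fault[893]"}),
]
# Constructed netlist: saboteur logic minimized, fault[890] fans out.
MINIMIZED = [
    Instance("G1", "AND2", {"a": "fault[890]", "b": "n1", "y": "n2"}),
    Instance("G2", "OR2", {"a": "fault[890]", "b": "n2", "y": "n3"}),
]

Mapping = Dict[int, Tuple[str, int]]   # fault index -> (net, stuck-at value)

def map_faults(netlist: List[Instance],
               faults: Iterable[int]) -> Tuple[Mapping, List[int]]:
    """Map each bit coverage fault to one stuck-at fault on a dummy output."""
    mapped: Mapping = {}
    unmapped: List[int] = []
    for i in faults:
        line = f"fault[{i}]"
        hits = [(inst, pin) for inst in netlist
                for pin, net in inst.pins.items() if net == line]
        # Exactly one dummy instance must be driven by fault[i]; fanout or
        # ordinary gates on the line mean the saboteur was minimized away.
        if (len(hits) != 1 or hits[0][0].cell != DUMMY
                or hits[0][1] not in (S0_PIN, S1_PIN)):
            unmapped.append(i)
            continue
        inst, pin = hits[0]
        # The port the line drives tells whether the fault is stuck-at 0 or 1.
        mapped[i] = (inst.pins["output"], 0 if pin == S0_PIN else 1)
    return mapped, unmapped

def fault_list(mapped: Mapping) -> List[str]:
    """Readable stuck-at list; the real ATPG input format is tool specific."""
    return [f"{net} stuck-at {v}" for _, (net, v) in sorted(mapped.items())]
```

The returned net for fault i is also the signal-to-net correspondence used for design mapping, since the dummy output is the net of the signal occurrence the fault was injected on.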
DESIGN MAPPING
The black box method described in the previous section makes it possible to map signals of a high-level description to the corresponding nets of the logic-level implementation. In particular it supplies a unique net for every signal. In fact, given a signal occurrence of the RT/behavioral level description, the output line of the instance of the inject fault dummy entity related to the fault affecting the signal is the desired net.
The strategy proposed in [10] works in a similar way. The authors introduce a stuck-at fault at the signal of interest in the RTL description. Then, they simulate the faulty RTL description to generate the responses for a selected testbench. Lastly, they propose to use a fault diagnosis engine for looking at these faulty responses and the original fault-free logic-level implementation to identify the desired logic-level net. However, this approach presents two main limitations: (1) The mapping succeeds only for signals related to detectable faults. Thus, circuits with low testability represent a problem. (2) If a fault on signal S1 is equivalent to a fault on signal S2, the mapping may not be able to distinguish the net corresponding to S1 from the net corresponding to S2. This problem is particularly acute when both stuck-at 0 and stuck-at 1 on S1 are equivalent to stuck-at 0 and stuck-at 1 on S2. In such cases the technique supplies more than one net for the selected RTL signal.
The black box method overcomes the previous limitations since: (1) inject fault dummy entity can be inserted both for detectable and undetectable faults. No information related to the testability of the circuit is required for signal to net mapping. (2) Equivalent faults correspond to well distinguished inject fault dummy entity instances. Thus, no ambiguities can arise when discriminating between different signals affected by equivalent faults.
The time required by the black box method to provide the pair (RT/behavioral signal, logic-level net) is the synthesis time. Given a signal occurrence and the related bit-coverage fault it is extremely easy to find the corresponding instance of inject fault dummy entity in the synthesized design: it is the only instance connected to the line fault[i].
EXPERIMENTAL RESULTS
Experimental results, performed on a workstation SunFire-280R equipped with 4GB of RAM, are reported in Table 1. Columns 2-4 show respectively the number of gates, memory elements and injected bit coverage faults. Columns 5-8 show how many bit coverage faults are mapped into logic-level faults by using the four methods investigated in Section 3. It is evident that both trivial and black box methods are able to map every bit coverage fault into a logic-level fault. However, as explained in Section 3, the first method is impractical as a way of using a logic-level ATPG to detect such mapped faults, since the required ATPG setup time is unacceptable. On the contrary, the black box approach makes it possible to efficiently exploit the potentialities of a logic-level ATPG as reported in the last three columns, which report respectively the black box mapping time (indeed, it is the time required by the synthesis process), the achieved fault coverage and the ATPG time by using the algorithm proposed in Section 3.4.
ACKNOWLEDGMENTS
We would like to thank Cristina Marconcini for her contribution in performing experimental results.
